HTML Compare Report Issue

The other day I ran into a situation where I needed to generate HTML compare reports. When I created the report though, all the support HTML files like the CompareViewer.html file were not generated. At first, I thought there might be a bug that was preventing the HTML compare reports from building. But I dug into the process and found that there was an easy fix. Before we get to that, let’s dig into the HTML compare reports and how App Designer builds them.

HTML compare reports are great for sharing with users who don’t have App Designer access. You can drop the HTML reports on a share and anyone you want to can view the reports. To view the reports, you open CompareViewer.html and you see all the information in the report. But if some of the HTML support files are missing, the reports won’t work.

Support Files

There are some base HTML, CSS and JavaScript files to support the HTML reports:

  • CompareViewer.html – Main HTML file. Open this one to view HTML Compare Reports.
  • projectHeader.html
  • projectList.html
  • projectList.xml – Contains all the HTML compare report projects in the directory.
  • projectList.xsl
  • source* – Support HTML, CSS, JS, images
  • projectName* – If you ran more than one HTML compare report to the same directory, each project will have it’s own folder. Each project folder will have any entry in the projectList.xml file.

UPGCOMPVIEWER Folder

In your PeopleTools client folder, you need to make sure the setupUPGCOMPVIEWER folder has the support files. When you generate the HTML compare reports, App Designer drops the HTML files into your output folder. Then, App Designer will add in your project and compare data to the output folder.

The UPGCOMPVIEWER folder has two sub directories:

  • report_files – The main HTML compare report files.
  • project_files – Used for each project in the HTML compare report.

If you wanted to customize your compare report output, you can make the HTML, CSS or image changes there.

Output Folder

You can’t change the output folder for compare reports in the Report Options tab (you should be able to though…). To change the output path, go to “Tools > Options > General” and change the “Report Output Directory”.

PeopleTools Client Install

If you haven’t figured it out yet, my problem was that the UPGCOMPVIEWER folder didn’t exist in the setup folder. I used the PeopleTools client install but it didn’t include the UPGCOMPVIEWER folder and files.

To make sure, I did a fresh client install with 8.53.24, 8.54.16 and 8.55.01. The 8.53 client installs did not contain the folder. The latest 8.54 and 8.55 client installers did include UPGCOMPVIWER in the setup folder.

8.55 – Reduce your Customizations!

In Episode 8 of the PeopleSoft Administrator Podcast, we dug into a new feature in PeopleTools 8.55. The Related Content Framework (RCF) gained the ability to map custom code to Component events. This change could drastically change how developers approach customizations. (Thanks to Chris Malek at the Cedar Hills Group blog for posting about this.) The Related Content Framework in 8.55 has the ability to insert custom code into the component processor. This means you can insert custom code without changing any delivered code. You map a custom app class to an existing Component or Component Record event and your custom code will execute before or after the event. You can code customizations and not touch any delivered code! Your app class has full access ot the the component buffer, so you can modify scrolls, page components and more. You can write any PeopleCode that is acceptable in a FieldChange event (no DoSave, etc). That still leaves a wide range of customization that could be removed from delivered code and dropped into a custom app class. Kyle made a great point in the podcast: You could organize your modifications in app packages. For example, group all of your HR modifications in an app packages and each customization could be it’s own class. That would make documentation and knowledge transfer substantially easier.  [Kyle] I was thinking about this more. I think something like this would be awesome. Overall package would be per module. Then sub packages would be per component, then the app class would be the PC for a certain event. You could create Component Record subclass under that as well, with their classes. That way, you group classes by component if those components have multiple events customized. For example:
* IO_RCF_HR
* JOB
* PreBuild_Pre
* PreBuild_Post
* SavePostChange_Pre
* JOB_JR
* InsertRow_Pre
* SaveEdit_Post [Dan] There are some limitations though. You can only insert code before or after a delivered event. With a little creativity I think many of the limitations can be worked around. This won’t replace all your customizations, but it’s a great start!

Update: We posted a demo of Event Mapping in action.

#8 – PeopleTools 8.55 Hands-on

Merry Christmas and Happy Holidays! We have an extra long and fun episode this week but you may want to listen to this it twice 🙂

In Episode 8, we dive into PeopleTools 8.55 and get hands-on! We talk about our first experiences with the PeopleTools DPK’s, changes to Change Assistant in 8.55 and Dan’s experiment with the Let’s Encrypt project. We also ask a big question about a new Related Content feature, and then answer it after the break. This feature has the potential to substantially reduce your customizations!

We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Show Notes

Let’s Encrypt with PeopleSoft

Let’s Encrypt is a service provided by the Internet Security Research Group to provide free SSL certificates to anyone. The goal of the project is get the entire web encrypted. I mentioned the project in Episode 7 of The PeopleSoft Administrator Podcast and thought it would be a great exercise to try it with PeopleSoft.

Let’s Encrypt uses a client on the server to automate the certificate request process. The client will:

  • Validate that you own the web server
  • Generate a CSR
  • Download the certificate
  • Apply the certificate to the web server (limited support)
  • Automatically renew the certificate

There are a few requirements to use the Let’s Encrypt clients though:

  • The web server needs to accessible by the internet. The Let’s Encrypt site will validate that you own the server by checking for a specific file on the web server.
  • Not all operating systems are supported, yet.
  • Some web server’s have built-in support (IIS, Apache), but others do not (e.g, WebLogic). We can still generate certificates though, the automatic renewal won’t update the webserver though.

Install Let’s Encrypt Client for Windows

We’ll use the letsencrypt-win-simple command line client for Windows. Download the latest release from GitHub and extract the folder to a permanent location.

Generate a new certificate

  1. Run .letsencrypt.exe --accepttos[code lang=text]
    Let’s Encrypt (Simple Windows ACME Client)

    ACME Server: https://acme-v01.api.letsencrypt.org/
    Config Folder: C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.org
    Loading Signer from C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orgSign
    er

    Getting AcmeServerDirectory
    Loading Registration from C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orgRegistration

    Scanning IIS 7 Site Bindings for Hosts
    No IIS bindings with host names were found. Please add one using IIS Manager. A host name and site path are required to
    verify domain ownership.
    No targets found.

    M: Generate a certificate manually.
    A: Get certificates for all hosts
    Q: Quit
    Which host do you want to get a certificate for:
    [/code]

  2. Since we are not running IIS, we’ll generate a certificate manually.[code lang=text]
    Which host do you want to get a certificate for: M
    Enter a host name:
    [/code]
  3. Enter the DNS name for your web server.[code lang=text]
    Enter a host name: hr.psadmin.io
    Enter a site path (the web root of the host for http authentication):
    [/code]
  4. Next, enter the root path for your web server. If you are running WebLogic, that will be PORTAL.war directory on your web server.[code lang=text]
    Enter a site path (the web root of the host for http authentication): W:pt8.55webservpeoplesoftapplicationspeoplesoftPORTAL.war
    [/code]
  5. Then, the Let’s Encrypt client will create a new file under PORTAL.war.well-knownacme-challenge. That file will be used to validate that you own the web server.[code lang=text]
    Authorizing Identifier ps92t855.psadmin.io Using Challenge Type http-01
    Writing challenge answer to W:pt8.55webservpeoplesoftapplicationspeoplesoftPORTAL.war.well-known/acme-challenge
    /1c2yN7Y93sJwRUmRGaoG4kT-QynrIcGr4szre-3nTsQ
    Answer should now be browsable at http://ps92t855.psadmin.io/.well-known/acme-challenge/1c2yN7Y93sJwRUmRGaoG4kT-QynrIcG
    r4szre-3nTsQ
    Submitting answer
    Refreshing authorization
    Authorization Result: valid
    Deleting answer
    [/code]
  6. After the web server ownership is verfied, new certificates will generated and copied to your system. The certificates are copied to your %USERPROFILE%AppDataRoamingletsencrypt-win-simple folder in a few formats:
    • .der
    • .pem
    • .pfx

    The client will also add the certificates to the Windows Certificate Store for you. To add the certificates to WebLogic, we’ll use the .pem

    [code lang=text]
    Requesting Certificate
    Request Status: Created
    Saving Certificate to C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orghr.psadmin.io-crt.der
    Saving Issuer Certificate to C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orgca-009813F47513E5750B43E7431E971E44BD-crt.pem
    Saving Certificate to C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orghr.psadmin.io-all.pfx (with no password set)
    Opened Certificate Store “WebHosting”
    Adding Certificate to Store
    Closing Certificate Store
    WARNING: Unable to configure server software.
    Creating Task letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org with Windows Task Scheduler at 9am every day.
    Renewal Scheduled Manual hr.psadmin.io (W:pt8.55webservpeoplesoftapplicationspeoplesoftPORTAL.war) Renew A
    fter 2/9/2016
    Press enter to continue.
    [/code]

Create a New pskey Keystore

Now that we have certificates, let’s create a new pskey file with the certificates. We’ll use Keystore Explorer to quickly generate the file.

  1. Open Keystore Explorer. (If it’s first time you’ve used it, follow the instructions to download the Unlimited Strength files).
  2. Create a new keystore file.
  3. Select the file type of “JKS”.
  4. Select “Tools > Import Key Pair”.
  5. Select the “OpenSSL” option.
  6. Deselect “Encrypted Private Key”.
  7. For the “OpenSSL Private Key File”, select the file hr.psadmin.io-key.pem.
  8. For the “Certificate(s) File”, select hr.psadmin.io-cert.pem
  9. Click “Import”.
  10. Enter an alias name that is descriptive. I used hr.psadmin.io-2015-12.
  11. Since the prive key was delivered without a password, we’ll want to enter one. Enter a password for the key pair.

Now you have the private and public key for your DNS entry in the keystore. Next, we need to add the root (and intermediate) certificates so that a chain of trust is established.

  1. In Keystore Explorer in our new keystore file, right-click on our certificate. Select “Edit Certificate Chain > Append Certificate”.
  2. Select the file ca-GUID-crt.pem and click “Append”.
  3. Save the file, give the keystore a password, and name the file pskey-2015-12.

Load Keystore into WebLogic

After importing the certificates into pskey-2015-12, we need to copy the file to the web server and tell WebLogic to use the new file. The integrationGateway.properties file will need to know about the new keystore as well.

  1. Copy the pskey-2015-12 file to your web server directory %PS_CFG_HOME%webservpeoplesoftpiaconfigkeystore.
  2. Log into the WebLogic console.
  3. Navigate to “Environment > Servers > PIA > Keystores”.
  4. Click the “Lock & Edit” button to allow editing.
  5. Click the “Change” button for the Keystores option.
  6. Select “Custom Identity and Custom Trust” and “Save”.
  7. In the “Custom Identity Keystore” box, change the file name to piaconfig/keystore/pskey-2015-12.
  8. In the “Custom Identity Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
  9. In the “Custom Trust Keystore” box, change the file name to piaconfig/keystore/pskey-2015-12.
  10. In the “Custom Trust Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
  11. Click Save.

WebLogic will look at the new keystore file. Next, we need to tell WebLogic certificate it should serve to users.

  1. Click on the “SSL” tab.
  2. Change the “Private Key Alias” to hr.psadmin.io-2015-12.
  3. In the “Private Key Passphrase” boxes, enter the password you gave the hr-psadmin.io-2015-12 keypair.
  4. Click Save.
  5. Click the “Activate Changes” button.

Update integrationGateway.properties

Before we reboot the WebLogic domain, we need to update the integrationGateway.properties file.

  1. On your web server, open the integrationGateway.properties file under %PS_CFG_HOME%webservpeoplesoftapplicationspeoplesoftPSIGW.warWEB-INF.
  2. Find the line secureFileKeystorePath and change file name to pskey-2015-12.
  3. If the password you gave the keystore is different than the previous file, you’ll need to update that parameter in the file.
    1. Open a command prompt and go to %PS_CFG_HOME%webservpeoplesoftbin.
    2. Run the command setEnv.cmd to set the environment variables.
    3. Go to the folder piabin.
    4. Run the command PSCipher to get the encrypted text.
  4. Restart your WebLogic domain.

Test your HTTPS Connection

As WebLogic is starting up, make sure to check the logs to verify that the server started with your new certificate. Once the server has started, open a browser and go test the site. You should see a secure connection in the browser to your site.

#7 – Load Balancers

In Episode 7, we talk all about Load Balancers and PeopleSoft. We also clarify PeopleTools updates with Selective Adoption, why you may not need PSAESRV, a funny Chrome extension and more!

We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Show Notes

How to Apply WebLogic Patches – Part 2

In Part 1, I showed how to use Smart Update to patch WebLogic. Starting with WebLogic 12.1.2, OPatch handles all the pacthing. Let’s walk though using OPatch to update WebLogic to fix the latest vulnerability. OPatch is included in the WebLogic install, so everything you need to apply patches is ready to go.

Windows Path Limit

If you are on Windows and applying patches 21370953 and 22250567, you may run into an error The file name(s) would be too long for the destination folder. The patch contains so may folders that they conflict with the Windows limit of 260 characters for a file name. The work around is to use the jar utility that comes with the JDK to unzip the patch. jar -xvf p21370953_121300_Generic.zip

Set OPatch Environment

OPatch needs to know what ORACLE_HOME you are applying the patch to. Depending on your server configuration, you may need to set ORACLE_HOME to the directory that contains WebLogic.

set ORACLE_HOME=e:\middleware-854

Let’s Fix CVE-2015-4852

Since we have new patches to fix CVE-2015-4852 (T3/Java Deserialization), let’s use those as our example.Go to this page to find the applicable patch (or patches if you are on 10.3.6) to apply.

Extract Patches

Download the patches you need and unzip them. I put the patch files under

e:\patches\cve-2015-4852

on the web server.

set PATCH_TOP=e:\patches\cve-2015-4852
unzip -d %PATCH_TOP p21370953_121300_Generic.zip
unzip -d %PATCH_TOP p22250567_121300_Generic.zip

Apply Patches

Make sure all of your web server instances are shut down. Then, move into the first patch folder so it is your current directory. Once you are in the patch folder, we call OPatch.

cd patches\cve-2015-485221370953
e:\middleware-854\OPatch\opatch apply

At the end of the patch, you should see a OPatch succeeded message. Let’s apply the second patch.

cd patches\cve-2015-485222250567
e:\middleware-854\OPatch\opatch apply 

At the end of the patch, you should see a OPatch succeeded message.

Verify WebLogic Version

To verify WebLogic has the new patches, we use OPatch’s lsinventory command.

e:\middleware-854\OPatch\opatch lsinventory

The output will look similar to this:

Interim patches (2) : Patch 22250567 : applied on Fri Dec 11 07:46:45 CST 2015 
Unique Patch ID: 19584835 
Patch description: "One-off" Created on 22 Nov 2015, 01:36:21 hrs PST8PDT 
Bugs fixed: 22175246, 22200449, 22247869, 21495475 
This patch overlays patches: 21370953 
This patch needs patches: 21370953 as prerequisites 
Patch 21370953 : applied on Fri Dec 11 07:46:45 CST 2015 
Unique Patch ID: 19198495 
Patch description: "WebLogic Server 12.1.3.0.5 PSU Patch for BUG21370953 October 2015" 

The output shows that we have applied the CVE patches. Now, restart all your web servers and start testing!

8.55 – Default Navigation

Before PeopleTools 8.55 was released, Oracle announced that Fluid would be the default navigation. After setting up an 8.55 demo system, I wanted to play around and “kick the tires”. Well, Oracle is quite serious. There is no other navigation option for 8.55. In the past, you could choose between navigation options on the “PeopleTools Options” page.

Update 2/8/2016 – You can use the drop-down navigation style with PeopleTools 8.55. – Dan

Screen Shot 2015-12-10 at 8.49.10 AM

 

#6 – TokenChpoken and Other Security Issues

In Episode 6 of The PeopleSoft Administrator Podcast, Dan and Kyle talk about the TokenChpoken (or PS_TOKEN) vulnerability. We explain how the vulnerability works and how to mitigate it, Oracle CPU’s and Java Patching. Kyle shares a handy tip to clear end-user cache from the web profile.

We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Show Notes

How to Patch Java in WebLogic

With the recent attacks on SSL, WebLogic and Java, I wanted to give an overview on how you patch Java for your WebLogic instances.

When you install WebLogic, it asks you for the location of your Java Home. Then, every web server instance you create uses that Java Home. Unless you have patched Java in the past, all of the WebLogic instances on that server will be using the old Java Home.

Download the New JDK

Go to Oracle’s Java Download page and download the latest JDK. Make sure to select the correct codeline that your version of PeopleTools supports.

PeopleTools 8.53-8.55 support Java 1.7 (aka Java 7). It will implicity support any patch on the 1.7 codeline. So, you can install the latest 1.7.0_xx patch and use it with WebLogic and PeopleTools.

Install the new JDK (you don’t need the JRE) to a common location. We use the folder convention e:javajdk-1.7.0_xx to install the JDK.

Update the commEnv Script

By default, the Java Home parameter is set in the %WL_HOME%commEnv script. This script configures environment variables that are common to all WebLogic instances on the server.

You can update the JAVA_HOME in the commEnv script, but it will affect ALL the WebLogic instances on that machine. This might be what you are looking for. But, if you run more that one web server you might want to try the next option.

Update the setEnv Script

In each WebLogic instance you create (hr92dmo, hr92dev, etc), the file %PIA_HOMEbinsetEnv will set the configuration that applies only to a specific domain. This is where I prefer to set JAVA_HOME. In the file, you will find a line that says:

@REM JAVA_HOME is set via commEnv.sh, to override set it here.

Simply add this line to set a JAVA_HOME for a specific web server:

set JAVA_HOME=e:javajdk-1.7.0_79

Now, you can patch your Demo environment and test without affecting other web servers on the server.

Update the Windows Service

If you are on Windows and installed a service for your web server, you will need to change the JAVA_HOME value for the service. You could re-create the service but there is an easier way.

Open the Registry Editor (regedit) and navigate to:

HKLM:SYSTEMCurrentControlSetserviceshr92dmo-PIAParameters 

Under this registry folder, you’ll see a Key name “JavaHome”. Update the value’s path to match your new JAVA_HOME. Restart the service for the change to take affect.

Patching Java for WebLogic is pretty simple. The next step (and upcoming blog post) will be to script these changes, and WebLogic patches, so you can automate your web server patching.

How to Apply WebLogic Patches

Oracle has released a patch for the latest CVE against WebLogic, so I wanted to walk though the steps to apply the patch to WebLogic and show how to use Smart Update. Smart Update is the utility used by WebLogic to apply patches to your installation.

UPDATE 12/8/2015 Thanks to Matt Tremblay for pointing out, WebLogic 12.1.2+ is now using OPatch for WebLogic patching. Look for an second WebLogic patching post soon about using OPatch with WebLogic.

Smart Update 3.3.0

Version 3.3.0 is the latest version and is included with WebLogic 10.3.5 and later. If you launch Smart Update and find that its an older version, go grab version 3.3.0 (Patch 12426828).

Launching Smart Update

On Windows, if you chose to create a Program Group, you can launch Smart Update from the Start Menu under the “Oracle WebLogic” folder. Or, you can launch it from the command line:

%BEA_HOME%utilsbsubsu.cmd

The first time you run Smart Update, it may ask you to provide a %BEA_HOME% path. Give the path to your BEA Home (e.g, e:oracle).

If you receive an error: “Unable to locate any supported product installations” or “The BEA Home directory selected does not contain any supported patch targets”, check out MOS Documents 946541.1 or 1063605.1 for the fix.

Applying Patches

In the Smart Update window, you will see the installed applications in the left pane. Make sure “WebLogic” is selected. On the right, the top pane shows you patches that have been applied. The lower pane displays patches in your download directory that are waiting to be applied.

By default, Smart Update will look for patches under %BEA_HOME%utilsbsucache_dir for patches. To start Smart update and have it look at a different path, use the -patch_download_dir=[path] flag or select File > Preferences to change the directory.

To apply a patch, click the green arrow in the “Downloaded Patches” pane for the patch. Smart Update will check for patch conflicts and the apply the patch.

Command Line

You can also run Smart Update from the command line. This is great when you have multiple servers to patch. Running bsu.cmd -help will give you all the options you need when scripting.

Let’s Fix CVE-2015-4852

Since we have new patches to fix CVE-2015-4852 (T3/Java Deserialization), let’s use those as our example. Go to this page to find the applicable patch (or patches if you are on 10.3.6) to apply.

Extract Patches

Download the patches you need and unzip them. Copy the .jar and .xml files from the patch folders to your web server. I put the patch files under e:patchescve-2015-4852 on the web server. We will tell Smart Update to use this directory. (Since we are running WebLogic 10.3.6, there are two patches to install in our example.).

Apply Patches

Before you apply any patches, make sure to stop any web servers running on the server. If don’t, Smart Update won’t be able to patch .jar files that are in use.

Let’s run Smart Update from the command line. Open a command prompt and navigate to %BEA_HOME%utilsbsu. We need to pass these values to the bsu program:

  • -install
  • -patch_download_dir=e:patchescve-2015-4852
  • -patchlist=EJUW (note, this is not the patch number, but the PSU Patch ID)
  • -prod_dir=e:oraclewlserver_10.3
  • -verbose

So, my command to apply the first CVE patch looks like this:

bsu -install -patch_download_dir=e:patchescve-2015-4852 -patchlist=EJUW -prod_dir=e:oraclewlserver_10.3 -verbose

I had to change the memory settings for Smart Update. In the bsu.cmd file, I modified the set MEM_ARGS line:

set MEM_ARGS=-Xms512m -Xmx1024m -XX:PermSize=64m -XX:MaxPermSize=128m -Xss512k

Smart Update will give you a “Success” message, or an error message. Next, let’s apply the second CVE patch:

bsu -install -patch_download_dir=e:patchescve-2015-4852 -patchlist=ZLNA -prod_dir=e:oraclewlserver_10.3 -verbose

Verify WebLogic Version

To verify WebLogic has the new patches, we can run two commands. The first command is to set the environment with:

%WL_HOME%serverbinsetWLSEnv.cmd

Then, run the command:

java weblogic.version

The output will look similar to this:

[code lang=”text”]
WebLogic Server Temporary Patch for BUG22248372 Tue Nov 24 00:35:04 MST 2015
WebLogic Server 10.3.6.0.12 PSU Patch for BUG20780171 THU JUN 18 15:54:42 IST2015
WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050
[/code]

Another option to check the version of WebLogic is using the Smart Update utility:

bsu -prod_dir=e:oraclewlserver_10.3 -status=applied -verbose -view

The output shows that we have applied the 10.3.6.0.12 and CVE patch. Now, restart all your web servers and start testing!