#48 – User Security Automation w/ Mark Danielson

This week on the podcast we interview Mark Danielson and talk about automating user security in PeopleSoft. Mark shares how he removed manual security changes from HR and Time and Labor. We finish the podcast talking about what makes good Admins and Developers.

We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Show Notes

  • User Security Automation Workflow @ 5:00
  • Reducing Security Requests and Issues @ 16:00
  • Reporting and Auditing Security Changes @ 20:00
  • Building Powerful Role Queries @ 22:15
  • Starting User Security Automation @ 24:00
  • Developer Perceptions of PS Admins @ 27:30
  • Every Environment is Production @ 31:30
  • What Makes a Good Developer @ 36:00

Chocolatey Package Manager for Windows

One advantage of Linux distributions is that they include software package managers like yum or apt-get. Package managers make it easy to install software with a single command, like yum install vlc. There is a package manager for Windows that works well and integrates with Puppet: Chocolatey. Let’s explore how to use Chocolatey and how it works with Puppet.

Microsoft has a package manager, OneGet, but OneGet is new enough that it’s not installed by default in PeopleSoft-certified versions of Windows.

Install Chocolatey via PowerShell

If you want to install Chocolatey with PowerShell, the Chocolatey installation page has example commands to do this. The scripts will download and execute a remotely signed PowerShell script which installs Chocolatey and configures it for you. I used:

iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex

to install Chocolatey on my server.
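The one-liner above pipes whatever the server returns straight into iex. As an added example (not from the original post or from Chocolatey), the function below saves the script to disk, checks its Authenticode signature, and only then runs it. Install-ChocolateyVerified and its optional thumbprint pin are hypothetical names introduced here.

```powershell
# Added example: fetch the installer to disk and check it before running it.
function Install-ChocolateyVerified {
    param(
        [string] $Uri = 'https://chocolatey.org/install.ps1',
        # Optional pin (assumption): thumbprint of the signing certificate you expect.
        [string] $ExpectedSignerThumbprint
    )

    $installer = Join-Path $env:TEMP 'chocolatey-install.ps1'
    Invoke-WebRequest -Uri $Uri -UseBasicParsing -OutFile $installer

    # The signature must chain to a trusted root and the file content
    # must be unchanged since it was signed.
    $sig = Get-AuthenticodeSignature -FilePath $installer
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run $installer. Signature status: $($sig.Status). $($sig.StatusMessage)"
    }

    $signer = $sig.SignerCertificate
    $pin = $ExpectedSignerThumbprint -replace '\s', ''
    if ($pin -and $signer.Thumbprint -ne $pin) {
        throw "Unexpected signer: $($signer.Subject) [$($signer.Thumbprint)]"
    }

    # Record what is about to run so the install can be audited later.
    [pscustomobject]@{
        Signer     = $signer.Subject
        Thumbprint = $signer.Thumbprint
        Sha256     = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
    } | Format-List | Out-String | Write-Host

    # Allow script execution for this PowerShell process only.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    & $installer
}

Install-ChocolateyVerified
```

Keeping the saved script and the logged SHA-256 gives you a record of exactly what ran on the server.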


Using Chocolatey

After installation, restart your PowerShell window. Installing software with Chocolatey is as simple as running this command:

choco install notepadplusplus

Chocolatey will install Notepad++ for you. Simple!


Want to install git on your server?

choco install git

Done.

If you want to accept license agreements automatically, run this command to change Chocolatey’s global setting:

choco feature enable -n=allowGlobalConfirmation

I primarily use Chocolatey for server management, but you can use it to manage your workstation too. The library of Chocolatey packages contains server and workstation software. To view the library, head over to the Chocolatey website.

Install Chocolatey via Puppet

Chocolatey can be used with Puppet to manage software packages on your server. There is an official Puppet module for Chocolatey, so we can install the module and use it in our own manifests.

puppet module install chocolatey-chocolatey

You may find that the module install failed because the Puppet Forge root certificate is not in the Windows keystore. You’ll also notice some warnings about the version number for the pt_xxx modules. You can ignore those warnings; the version numbers used by the PeopleTools team don’t follow the Puppet conventions.


To install the root certificate for Puppet Forge:

  1. Save this certificate (GeoTrust Global CA) as GeoTrustCA.pem.
  2. Run certutil -v -addstore Root .\GeoTrustCA.pem to add the certificate
  3. Re-run puppet module install chocolatey-chocolatey
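Adding a certificate to the Root store makes Windows trust everything that CA issues, so it is worth confirming the saved file is the certificate you meant to add before step 2. This added example (not from the original post) wraps the same certutil command in a check; Add-VerifiedRootCertificate is a hypothetical helper, and the expected thumbprint is a placeholder to fill in from the CA's own published value.

```powershell
# Added example: verify a saved root certificate before trusting it.
function Add-VerifiedRootCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $fullPath

    # Normalise "AA BB:CC" style input so it compares cleanly with the
    # SHA-1 thumbprint that Windows and .NET report.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for '$($cert.Subject)': got $($cert.Thumbprint)"
    }

    # A root CA certificate is self-issued; anything else does not belong in Root.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root: issuer is '$($cert.Issuer)'"
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
    }

    # Same command as step 2, run only after the checks pass.
    certutil -v -addstore Root $fullPath
    if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
}

# '<expected-sha1-thumbprint>' is a placeholder; with it left in place the call stops at the mismatch.
Add-VerifiedRootCertificate -Path .\GeoTrustCA.pem -ExpectedThumbprint '<expected-sha1-thumbprint>'
```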


The Chocolatey module depends on three additional Puppet libraries, so the installation window shows you the dependencies it installed.

└─┬ chocolatey-chocolatey 
  ├── badgerious-windows_env 
  ├── puppetlabs-powershell 
  └── puppetlabs-stdlib 

Use Chocolatey with Puppet

Now we can use Chocolatey in Puppet manifests. This is great because we can standardize software packages on our servers the same way we standardize configurations.

On my Windows Servers, I use Process Explorer to troubleshoot issues. It’s a free tool from Microsoft and is great for finding processes that are locking access to files. Let’s write a Puppet manifest to install Process Explorer using Chocolatey.

On the Chocolatey Packages page, search for “Process Explorer”.


In the results, you’ll see the Chocolatey command to install Process Explorer. Copy the name of the package; we’ll use the name in our manifest.

Create windows_software.pp under puppet\etc\manifests. The first line of the manifest will be to include the “Chocolatey” library.

include chocolatey

Then, we need to define a Puppet resource. We use the package resource, give it the name of the Chocolatey package (from above), and set the ensure parameter.

package { 'procexp':
    ensure => present,
}

Finally, we tell Puppet to use Chocolatey as the package manager.

package { 'procexp':
    ensure   => present,
    provider => 'chocolatey',
}

Save windows_software.pp and run puppet apply:

puppet apply .\windows_software.pp


When the Puppet run is done, you’ll find Process Explorer installed into Chocolatey’s installation directory. The default directory is C:\ProgramData\chocolatey\lib\.


Update: 9/27/2016

Andy from the psadmin.io Community and podcast episode 42 suggested this tip for using Chocolatey to install git:

choco install -y git -params "/GitAndUnixToolsOnPath"

This will install additional tools like SSH with Git. Thanks Andy!

#47 – Oracle OpenWorld 2016

This week on the podcast, Kyle and Dan talk about announcements from Oracle Open World. We hit the highlights for PeopleSoft Administrators and grade our predictions from last week. Dan also shares why Windows 95 was connecting to PeopleTools 8.55 environments.


Show Notes

  • Windows 95 Users? @ 1:15
  • Elasticsearch/Kibana Graphs @ 6:00
  • psadmin Hidden Menu Follow-up @ 11:45
  • 8.56 Release Date @ 13:30
    • After recording the episode, we clarified that the PeopleTools 8.56 release date was not announced.
  • Classic Plus @ 16:30
  • Classic UI Support @ 21:15
  • Page Composer @ 28:00
  • Elasticsearch Updates @ 30:30
  • Re-delivering Mobile Expenses Module in Fluid @ 36:15
  • Oracle Cloud Manager @ 38:45
  • Oracle Cloud on Premise @ 39:30
  • Oracle Community Ideas @ 42:30
  • Grading Our OOW Predictions @ 44:00

Thanks to Graham Smith and Javier Delgado for their write-ups and everyone on Twitter who kept us up-to-date.

#46 – OpenWorld 2016 Predictions

This week, Dan and Kyle discuss decommissioning software that isn’t used, PeopleCode documentation pet-peeves and how to start using Puppet before upgrading to 8.55. We end the episode with predictions for OpenWorld 2016.


Show Notes

  • OOW 2016 @ :30
  • psadmin.io Community Benefits @ 1:30
  • Hidden psadmin menu option @ 6:00
  • Elasticsearch Release Date Change @ 8:00
  • Missing Trace Files @ 10:45
  • PeopleTools Delta Projects @ 15:00
  • PeopleCode PeopleTools Check @ 27:15

    #If #ToolsRel >= "8.54" #Then
       import PTPN_PUBLISH:PublishToWindow;
    #End-If
    
  • PeopleCode Documentation Pet-Peeve @ 31:45

  • Two Roles for Applying PUM Maintenance @ 35:45

  • Adventures in MOS: UPK Support with 8.55 @ 37:00

  • Decommissioning Software @ 39:00
  • SR to Bug @ 41:30
  • Getting Started with Rundeck and PeopleSoft @ 43:00
  • Getting Started with Puppet before Upgrading to 8.55 @ 44:45
  • OOW 2016 Predictions @ 52:30

#45 – Go-Live Weekends

This week Dan talks about his 8.55 Go-Live weekend, simplifying patch download with getMOSPatch, and using Kyle’s Maintenance Backdoor. Then Kyle and Dan discuss strategies and tips to make Go-Live weekends successful.


Show Notes

Advanced DPK: Building a PIA Domain

With the DPK, you can build many configurations: full systems like the PeopleSoft Images, a web server, a combination of domains, or deploy the middleware software only. The goal of the DPK is to build a server for you from a single set of configuration files.

But, what if you want to spin up a temporary web domain and test something without impacting your standard configuration? You can add the temporary domain to the psft_customizations.yaml file, but the DPK will shut down every domain on the server before it builds the new domain. That’s not a good solution.

Behind the DPK are new Puppet types that provide interfaces to create domains using Puppet. If you look in the file puppet\etc\modules\pt_config\tests\test_pia_create.pp, you can see this in action. The test creates variables and arrays to pass into the pt_webserver_domain Puppet type. Calling pt_webserver_domain will create a new PIA domain. Let’s explore this Puppet type and see how we can use it to create a temporary domain.

I want to say, use this method only if you have a good understanding of Puppet. This post is showing how to build PIA domains directly so we can better understand how the DPK works.

Custom YAML files

In the test_pia_create.pp manifest, the arrays are created in the manifest. We’ll use a YAML file to store our data instead. I find writing arrays in Puppet tedious and easy to break. Hiera and YAML files are much easier to work with, and we can use this manifest for more domains in the future.

hrdev.yaml

hrdev.yaml is a small YAML file that stores data for a single PIA domain. It is important to keep the structure of the pia_domain_list section so we can easily take the YAML data and pass it into the pt_webserver_domain type. In the hrdev.yaml file, you can update any settings you want to configure the domain the way you want.

pia_domain_list:
  hrdev:
    os_user:            psadm
    ps_cfg_home_dir:    e:/psoft/hrdev-8.55.06
    gateway_user:       administrator
    gateway_user_pwd:   'Passw0rd'
    auth_token_domain:  .psadmin.io

    webserver_settings:
      webserver_type:           weblogic
      webserver_home:           e:/psoft/pt/bea
      webserver_admin_user:     system
      webserver_admin_user_pwd: 'Passw0rd'
      webserver_admin_port:     10020
      webserver_http_port:      10020
      webserver_https_port:     10030

    config_settings:
      Servers/PIA/WebServer/PIA/WebServerLog/PIA: 
        LoggingEnabled:         true

    site_list:
      hrdev:
        appserver_connections: app-d1:10010
        domain_conn_pwd:       'Passw0rd'

        webprofile_settings:
          profile_name:        DEV
          profile_user:        PTWEBSERVER
          profile_user_pwd:    'Passw0rd'
        report_repository_dir: e:/psreports

YAML Hashes and Arrays

YAML files can store data in various ways. The two common types the DPK uses are hashes and arrays. Hashes are key: value pairs, and can also contain nested hashes. The config_settings and site_list sections are examples of nested hashes.

The DPK types use arrays, but the psft_customizations.yaml file (and others) use hashes. Hashes are often easier to work with because they are more descriptive. Thankfully, the DPK comes with some helper functions to convert a nested hash into a nested array.

Custom PIA Manifest

Next, we’ll start writing a Puppet manifest that will load hrdev.yaml and prepare our PIA domain. To start, let’s load our data and get the pia_domain_list hash into a variable:

$tempWebServer = loadyaml('c:\temp\hrdev.yaml')
$pia_domain_list = $tempWebServer['pia_domain_list']

Next, we’ll loop through the pia_domain_list hash and prepare the pt_webserver_domain DPK type to create our PIA domain.

$pia_domain_list.each |$domain_name, $pia_domain_info| {

The $domain_name value is the key of the hash, and $pia_domain_info is the nested hash. Those values will be accessible inside our loop. Next, we’ll take the webserver_settings, site_list, and config_settings (if it exists in the YAML file) sections and turn them into arrays. webserver_settings is a flat hash, so join_keys_to_values() joins each key and value with =. For the nested hashes, the PeopleTools team delivers an excellent hash_of_hash_to_array_of_array() function that does the heavy lifting.

  $webserver_settings        = $pia_domain_info['webserver_settings']
  $webserver_settings_array  = join_keys_to_values($webserver_settings, '=')

  $pia_site_list             = $pia_domain_info['site_list']
  $pia_site_list_array       = hash_of_hash_to_array_of_array($pia_site_list)

  $config_settings           = $pia_domain_info['config_settings']
  if $config_settings {
    $config_settings_array   = hash_of_hash_to_array_of_array($config_settings)
  }

Last, we’ll instantiate the pt_webserver_domain Puppet type with our configuration data.

  pt_webserver_domain { "${domain_name}":
    ensure                => hiera('ensure'),
    ps_home_dir           => hiera('ps_home_location'),
    os_user               => hiera('domain_user'),
    ps_cfg_home_dir       => $pia_domain_info['ps_cfg_home_dir'],
    webserver_settings    => $webserver_settings_array,
    config_settings       => $config_settings_array,
    gateway_user          => $pia_domain_info['gateway_user'],
    gateway_user_pwd      => $pia_domain_info['gateway_user_pwd'],
    auth_token_domain     => $pia_domain_info['auth_token_domain'],
    site_list             => $pia_site_list_array,
  }
}  # closes the $pia_domain_list.each loop

Running the Manifest

Save the piaDomain.pp manifest to your c:\programdata\puppetlabs\puppet\etc\manifests folder, and the hrdev.yaml file to the c:\temp folder. From the puppet\etc\manifests folder, run puppet apply piaDomain.pp --trace --debug. The PIA build process can take 5-10 minutes to run, but at the end you’ll have a PIA domain built using the DPK and Puppet.

Both hrdev.yaml and piaDomain.pp are on Github if you want to download the files and test.
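hrdev.yaml carries the gateway, WebLogic admin, domain connection and web profile passwords as literal values, and this walkthrough keeps it in c:\temp. As an added example (not part of the original post or the DPK), the function below lists which *_pwd keys hold a literal value and which accounts other than administrators and SYSTEM can read the file. Get-DpkPasswordExposure is a hypothetical helper, and the trusted account names assume an English-language Windows install.

```powershell
# Added example: report password keys and readers for a DPK YAML data file.
function Get-DpkPasswordExposure {
    param([Parameter(Mandatory)] [string] $Path)

    # Keys such as gateway_user_pwd or profile_user_pwd that carry a literal value.
    # Only the key and line number are reported, never the value itself.
    $pattern = '^\s*(?<key>\w*_pwd)\s*:\s*\S'
    $lineNo = 0
    $keys = foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        if ($line -match $pattern) {
            [pscustomobject]@{ Line = $lineNo; Key = $Matches['key'] }
        }
    }

    # Accounts with an Allow entry that includes read access, excluding the
    # ones expected to manage the server (assumed names, adjust to your site).
    $trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $readers = (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read) -and
            ($trusted -notcontains $_.IdentityReference.Value)
        } |
        ForEach-Object { $_.IdentityReference.Value }

    [pscustomobject]@{
        File         = $Path
        PasswordKeys = $keys
        OtherReaders = $readers
    }
}

$report = Get-DpkPasswordExposure -Path 'c:\temp\hrdev.yaml'
$report.PasswordKeys | Format-Table -AutoSize
$report.OtherReaders
```

An empty OtherReaders list means only the trusted accounts have read access; any entry there is an account that can read every password in the file.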

Building Blocks

If you want to spin up a single PIA domain, this may feel like overkill. The value in learning Puppet and the DPK isn’t to build a single domain; it’s a building block to quickly (and consistently) build many domains. The piaDomain.pp manifest can scale to multiple domains and all you have to do is update the YAML file.

Not everyone may need (or want) to dig into the DPK this deep. But for anyone who wants more control over their environment build with the DPK, using the Puppet types that come with the DPK will be an invaluable skill.

If you are building an app server domain with this method, use this bug fix to ensure the app server features are correctly enabled.

#44 – Changing Operating Systems

This week on The PeopleSoft Administrator Podcast, Dan and Kyle talk about the psadmin.io Stylesheets, Enterprise Manager 13c, and new portal behavior in recent PeopleTools patches. Then, Kyle shares his thoughts about possibly changing Operating Systems.


Show Notes