Environment Template Security in Cloud Manager

Now that Cloud Manager is here, we have self-service ability to create PeopleSoft environments in OCI. Cue Uncle Ben… “With great power comes great responsibility.” Having a self-service portal that allows for the creation of these environments is fantastic, but how do we put some controls around this awesome power? This is where Environment Template security comes in to play.

To create an Environment in Cloud Manager, you first need an Environment Template. This template is created using some General Details, a Topology, and finally Security. It is this security detail that will help us control who can use these templates to create environments in the future. When you are creating a template, you will see the following section 3 – Define Security in the wizard. Let’s break down what our options are.

Assign Template to Zone(s)

Templates can be assigned to a single or multiple Zones. As of Image 11, there are currently three zones to choose from:

  • Development
  • Test
  • Production

A Zone is just “a logical grouping of environments,” according to Oracle’s Cloud Manager FAQ. At this time, it doesn’t serve any other purpose outside of helping you organize your environments. I could see a level of security being added to Zones in the future. If not by Oracle, maybe a custom bolt-on?

Assign Template to Role(s)

Templates can also be assigned to PeopleSoft security Roles. Any user that has a Role specified in this section will have the ability to create an Environment based on this template. Cloud Manager delivers three roles intended to be used with templates:

  • Cloud Administrator (PACL_CAD)
  • Cloud PeopleSoft Administrator (PACL_PAD)
  • Self-Service User (PACL_SSC)

As you would expect with PeopleSoft security, you are free to create and use your custom roles here. I think the delivered roles make it clear how Oracle sees the breakdown of potential users. Users who admin OCI resources, users who admin PeopleSoft, and users of PeopleSoft who might want ad-hoc environments(thinking developers or maybe even business staff looking for demos). I could see the OCI and PS admin roles combined often. Also, the self-service user might be split out into a technical and functional role or disabled altogether. Each organization will have to review this for themselves and come up with a good policy. Just keep in mind, you can add multiple roles to each template.

Creating Environments

Once the security and other details are added to a template, it will be available to use when creating an Environment.

Only the templates the user has access to will be in the Template Name dropdown. The Zone dropdown will also be populated with available zones from the selected template. If a single zone were added, this would be auto-selected and read-only.

Overall, I feel that Environment Template security offers a lot of control. It gives us enough control to provide a level of self-service environment deployments if desired. I do look forward to seeing actual functionality added to Zones. It might be easier to manage this security if we could somehow control access by zone versus strictly individual template security.

Taking PeopleSoft Swimming in an OCI Instance Pool

I was recently studying for some OCI Certification exams when I came across the topic of Instance Pools. I’ve known about this OCI feature for a while but realized I somehow never thought seriously about using them with PeopleSoft. So, I decided to do a proof of concept and write about it. What I found was with a few changes to a traditional PeopleSoft topology and configuration, you can get this working!

Please keep in mind that this is a proof of concept. I know I didn’t touch on all PeopleSoft configuration and features, so there is likely more work to be done to make this setup viable. I will try to call out some “gotchas” that come to mind but feel free to call out potential issues in the comments. If we can turn this POC into something usable, it might even open the door for container exploration!

Getting Started

To get started, we first need to understand what an Instance Pool is, and what is required to create one. An Instance Pool is a feature that allows you to create and manage multiple compute instances that share the same configuration. What makes them powerful is the ability to scale instance count and attach to a Load Balancer. You can scale on a schedule, with metric based rules, with Terraform or a script using OCI CLI, or manually with the OCI Console. Adjusting the instance count will create or terminate instances automatically. Also, when the pool is attached to a load balancer, the instances are automatically added or removed from the load balancer’s backend set. As you can see, this type of functionality would be great in the PeopleSoft space, where the load on a system can vary day-to-day. Think “timesheet day,” open enrollment, course registration, etc.

To complete this POC, we first need a few things.

Load Balancer

We will leverage the Load Balancing service that OCI offers. This service’s integration with our Instance Pool will give us the automation that we need. Creating a Load Balancer is straight forward, but there are a few things to keep in mind for this POC.

  1. Select a visibility type of Public if you hope to access it from the internet.
  2. Don’t worry about adding Backends at the time of Load Balancer creation. This will be handled by the Instance Pool in the future.
  3. Make sure to enable Session Persistence on the Backend Set. This is needed for PeopleSoft to work correctly.

Custom Image

An Instance Pool uses an Instance Configuration to spin up new instances on demand. An Instance Configuration contains all the configuration details like network, OS, shape, and image needed to create an instance. The image can be an Oracle provided platform image( Oracle-Linux-7.x, etc.) or a custom image that you create.

This image marks the first real decision on how to approach this POC. What we are after is a server with PeopleSoft web and application domains fully deployed and running. I see two approaches to this. One, use a standard platform image and then use cloud-init to configure and deploy the domains using DPK at instance creation. Two, create a custom image with the domains already deployed. I chose to leverage the custom image approach for this POC. I felt this was the fastest, most reliable way to create these instances. With rule-based scaling, and maybe to a lesser extent scheduled scaling, we ideally want these instances created quickly, and DPK takes time.

If startup time at creation isn’t a concern, then an approach using cloud-init probably is the way to go. One thought I had was to keep all middleware installations on FSS. The cloud-init script could just mount that and have DPK just focus on deploying PS_CFG_HOME. That would really speed things up. Maybe something to try in a future blog post!

Create Base Instance

I found a few things that were needed when prepping a PeopleSoft webapp server for Custom Image creation. I started by creating a new instance using the latest Linux 7 platform image. Next, I downloaded the latest PeopleTools 8.58 DPK to the instance and ran the psft-dpk-setup.sh setup script, passing the --env_type midtier --domain_type all options. This gave me a server with working web and application domains.

Update PeopleSoft Configuration

If we stopped here and created a Custom Image from this base instance, we might have some success. However, every future instance created from this image would have the exact same PeopleSoft domain configuration. There are some parts of a PeopleSoft domain configuration that are required to be unique. Also, some parts of the configuration will have a hostname “hardcoded,” etc. Here is a list of changes I made to address these concerns before I created a Custom Image. As mentioned before, there are likely more changes needed. However, these were enough to get this POC working.

  1. Update Cookie Configuration
    • Make sure your cookie configuration in the weblogic.xml file is set not to include a hostname.
    • <cookie-name>DBNAME-PORTAL-PSJSESSIONID</cookie-name>
  2. Update configuration.properties
    • Set the psserver= value to use localhost, since we are using a webapp deployment approach.
    • This will pin each web domain to use its local app domain, with load balancing and failover handled strictly by the OCI Load Balancer.
  3. Update setEnv.sh
    • By default, the ADMINSERVER_HOSTNAME variable is set to the hostname the domain was installed on.
    • Change this to be a dynamic value, driving off of the $HOSTNAME environment variable.
      • ADMINSERVER_HOSTNAME=${HOSTNAME}
  4. Update psappsrv.cfg
    • The [Domain Settings]\Domain ID value should be unique across all your PeopleSoft domains.
    • It is common for domain ids to follow a sequence number pattern. Example: APPDOM1, APPDOM2, etc.
    • Update the value to use an environment variable for the sequence number, ensuring a unique ID.
      • Domain ID=APPDOM%PS_DOMAIN_NBR%
      • We will discuss ideas on how to set this %PS_DOMAIN_NBR% variable later.
  5. Update psft-appserver service script
    • To ensure our domain configurations are correct and domains start properly, we should enforce a domain configure during instance creation and boot.
    • For this POC, I simply added a psadmin configure command to the domain service script.
    • For each application domain installed by the DPK, there is a service setup using a script found here:
      • $PS_CFG_HOME/appserv/APPDOM/psft-appserver-APPDOM-domain-appdom.sh
    • Update this script in the start_application_server function and add the following configure command before the start command.
      • su - $APPSRV_ADMIN -c "$APPSRV_PS_HOME/bin/psadmin -c configure -d $APPSRVDOM" 1>>$LOG_FILE 2>&1
  6. Create $PS_DOMAIN_NBR
    • In the psadm2 ~/.bashrc file, export a $PS_DOMAIN_NBR variable.
    • The goal for this is to generate a unique number that can be used in your domain configuration.
    • When an Instance Pool creates an instance, a random number is appended to the hostname.
      • Example: webapp-634836, webapp-973369, etc.
    • To leverage this appended number for $PS_DOMAIN_NBR, you can use something like this:
      • export PS_DOMAIN_NBR=$(hostname | rev | cut -d- -f1 | rev)

Create a Custom Image

Before creating the custom image, there are a few more things to clean up. First, remove any unwanted domains or software. Depending on your DPK deployment, a process scheduler domain may have been created. We won’t be needing this, so it can be manually removed using psadmin. Next, remove any unwanted entries in /etc/hosts file. For this POC, I stripped down to just the “localhost” entries. New entries will be added when instances are created with new hostnames. Last, stop all running PeopleSoft domains. This step is just to ensure a clean configuration.

Now we are ready to create the Custom Image. In the OCI Console, find your base instance. Under More Actions, select Create Custom Image.

Instance Configuration

After the Custom Image is done provisioning, we are ready to create our Instance Configuration. To start, we need to create an instance based on our new Custom Image. In the OCI Console, navigate to Compute > Custom Image and find the new image. Click on Create Instance. Enter a name, shape, networking, and other details we want to be used in our future Instance Configuration. Select Create and wait for the instance to provision.

Once provisioned, go ahead and validate that the instance looks good. Login to the PIA, make sure the domains started correctly, etc. If all looks well, go back to your newly created instance in the OCI Console. Under More Actions, select Create Instance Configuration. Select a compartment, name, and optional tags, then click Create Instance Configuration.

Instance Pool

Now that we have our Instance Configuration, we can finally create our Instance Pool. In OCI Console, navigate to the newly created Instance Configuration and click on Create Instance Pool. Select a name, the instance configuration, and the number of instances you would like in the pool. Next, we will configure the pool placement with Availability Domain details. Also, make sure to select Attach a Load Balancer. Select the Load Balancer details we created earlier. Lastly, review the details and click Create. You can now follow the provisioning steps under Work Requests.

Once the provisioning work requests are completed, you can validate everything worked as expected. Under Instance Pool Details, you can navigate to Created Instances. You should see the newly created instances listed here. Also, you can navigate to Load Balancers. You will see the attached load balancer. Click into this to review that the Backend Set was updated with the newly created instances.

After validating the initial deployment, you can play around with the instance count. Navigate back to your Instance Pool and click on Edit. Try adding or subtracting to the Number of Instances. Monitor the work requests then validate instances were added or subtracted correctly.

Conclusion

This blog post was a quick, high-level walkthrough of using Instance Pools with PeopleSoft on OCI. My goal was mainly to prove that this was possible in a POC. However, I also wanted to help start a conversation about how this might look in a Production setting. I listed out a few things that could be done to get a custom image approach to work. What other configuration values did I not mention? What ideas do you have for a more dynamic approach, using DPK installs at creation time? As the feature set of OCI grows relating to Load Balancers and Instance Pools, I think we will be more and more motivated to get a deployment like this working outside of the lab!

#243 – Leaky Roofs


This week on the podcast, Dan shares a lesson learned when applying PRPs and using Puppet with OCI resources. The Kyle and Dan discuss upcoming Cloud Manager features and the Leaky Roof analogy.

Show Notes

#225 – PeopleSoft Security Insights w/ Greg Wendt


This week on the podcast, Greg Wendt from Appsian joins us to talk about IDP-based authentication, Zero Trust security with PeopleSoft, and some of the creative ways you can use Appsian.

Show Notes

  • Introducing Greg Wendt @ 1:30
  • IDP-based Authentication @ 3:30
  • Kiosk Security and BYOD @ 9:00
  • Zero Trust and PeopleSoft @ 11:30
  • Security Implications with Cloud Migrations @ 18:00
  • How do privacy laws affect PS Admins? @ 21:30
  • Creative uses with Appsian @ 34:00

#217 – PeopleTools 8.58 is Here!


This week on the podcast we talk about PeopleTools 8.58 and some of the new features we are most excited about. Dan also shares his experience with using Cloud Manager to auto-upgrade an environment to 8.58.

Show Notes

  • PeopleTools 8.58 is Out @ 1:30
  • Automatic PeopleTools Upgrade @ 4:30
  • New User Interface @ 6:45
  • Config/Customization Improvements @ 12:30
  • Reporting and Kibana! @ 18:45
  • Health Center and Logstash @ 22:00
  • Machine Learning Framework @ 30:00

#147 – Federation and Clustered Apps


This week on the podcast, Dan and Kyle talk about running PeopleSoft applications in a cluster and with federated approval and push notifications. We discuss some of the configurations needed for federations and our lessons learned.

Show Notes

  • Presence of IT Cloud White Paper @ 1:00
  • Fluid Home Button URL @ 5:30
  • Federated Push Notifications Bug @ 11:00
  • Clustered Application Concerns and Testing @ 17:00
  • Federated Approvals @ 21:45

#145 – Terraform and OCI Classic


This week on the podcast, Dan shares a VisualStudio Code plugin that edits files using SSHFS and some lessons learned from a recent PeopleTools 8.56 upgrade. Dan and Kyle also talk about using Terraform to build and create servers on Oracle Cloud Infrastructure Classic.

Show Notes

#116 – ps-terraform


This week on the podcast, Dan shares a new project called ps-terraform to help you build PeopleSoft Images on AWS. Kyle tries to resolve a Friday Night Ghost issue and Dan follows up on his love for Continuous Integration and the DPK.

Show Notes

  • Elasticsearch DPK Install Methods @ 1:00
  • GitLab Continuous Integration Follow-up @ 5:30
  • Friday Night Ghost @ 19:00
  • Ps-terraform @ 31:00

#78 – Cloud Manager and Certifications w/ Mark Hoernemann

This week Mark Hoernemann joins us to talk about platform certifications with PeopleTools. Mark explains how the PeopleTools team determines what platforms to support and how the support policies work. Then Mark gives us more details on the PeopleSoft Cloud Manager.

Show Notes

  • Bringing App Engine to an SQR Discussion @ :45
  • Overriding Facter Facts @ 5:00
  • COBOL DPK and Unicode @ 7:45
  • Mark Hoernemann Interview @ 9:30
    • Deciding what platforms to support @ 11:45
    • SQL Server 2016 certification @ 15:30
    • Why platforms are dropped from support @ 18:00
    • Supporting frequent browser releases @ 20:00
    • 8.56 certification changes @ 24:00
    • Cloud Manager @ 24:45
    • Self Service Environment Administration @ 28:30
    • Getting Started with Cloud Manager @ 29:45
    • Building environments with Cloud Manager @ 37:00
    • Applying PeopleTools patches when provisioning environments @ 40:15
    • New PeopleTools features between releases @ 43:30