
Restrict external access to PeopleSoft with Squid June 8, 2011

Posted by Tipster in Infrastructure, PeopleSoft.
2 comments

I recently had to expose a client’s PeopleSoft installation to the outside world, which I did in the usual manner (additional PIA in the DMZ etc).

We wanted to use the “closed by default, open by exception” approach, so we would start by blocking access to everything and then open the areas we needed access to URL by URL.  I suspected that the final ‘URL Whitelist’ might take many iterations to get right and as the Reverse Proxy in the DMZ was outside of my control I needed to trial it somewhere else first.

I commandeered one of our less frequently used environments and went about searching for a quick/free method of blocking access.  After trying a few different approaches I settled on Squid, the open-source forward-proxy / web-caching server.  Although it’s better known for running on Unix systems, there is a Windows implementation and it can operate perfectly well as a reverse-proxy.

Setting up Squid

Once I’d downloaded and unzipped the binaries, and installed it as a service (using this helpful write-up as a guide) it was just a case of setting the rules.

In the ACLs section I added my bad and good URLs:

acl bad_url urlpath_regex *DEV*
acl good_url urlpath_regex "c:\squid\etc\good-urls.squid"

This blocks any URL whose path contains DEV (my chosen environment was DEV), but then allows any URL matching a pattern in the 'good-urls.squid' file.  Two things worth knowing about urlpath_regex: its entries are regular expressions rather than shell globs, so '*' is a repetition operator and not a wildcard (a plain DEV already matches anywhere in the path), and it is tested only against the path and query string, so a marker that appears only in the hostname needs url_regex instead.  I then had to specify in the http_access section what to do with these ACL groups.

http_access allow good_url
http_access deny bad_url
http_access allow all

It took me a few goes to get this right, as the last line confused me for a while, but luckily there are copious notes in the provided .conf file:

If none of the “access” lines cause a match, the default is the opposite of the last line in the list.  If the last line was deny, the default is allow. Conversely, if the last line is allow, the default will be deny.

Note that with allow all as the final line this test setup is only closed for URLs that contain DEV.  For the production whitelist in the DMZ the list should end with http_access deny all, so that anything not matched by good_url is refused rather than let through.

I was happy leaving my PeopleSoft environment on port 80 and Squid on 3128 as this is just a temporary setup for my testing.  Obviously Squid would be on port 80 if this was a production setup.

I amended the default port line thus:

http_port 3128 defaultsite=xxx.yyy.com

(where xxx is the hostname and yyy is the domain name).  On the Squid 2.x builds defaultsite= implies accelerator (reverse-proxy) mode; Squid 3.x expects the accel option to be given explicitly on the http_port line as well.

And finally I added this line:

cache_peer 127.0.0.1 parent 80 0 originserver default

I used 127.0.0.1 as Squid is on the same host as the PIA.  The rest tells Squid that this peer is the origin server (originserver) listening on port 80, that there is no ICP port (the 0), and that it is the default peer to forward requests to.

Setup PeopleSoft

In the Web Profile ‘Virtual Addressing’ tab, add the reverse proxy details.  This will ensure that the URLs PeopleSoft generates use the reverse-proxy host and port number rather than the PIA’s own.  Bounce the PIA.

Custom Error Page

If you want a nice custom ‘Access Denied’ page instead of the default Squid one, the templates can be found in ‘C:\squid\share\errors\English’ (the one you want here is ERR_ACCESS_DENIED).  They have no file extension, but they’re HTML so a cinch to amend.

Building up the good-urls.squid file

This is largely going to vary depending upon what you want to expose to the external users.  A lot of what we opened up were custom pages so there isn’t a lot of value sharing the full file here.  Having said that, here is a snippet of our file:

*login*
*css
*/psp/ps/EMPLOYEE/HRMS/h/*
*/cs/ps/cache/*
*/ps/images/*
*/psc/ps/*viewattach*
*/psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.GP_SS_EE_PSLP.GBL*
*/ps/ckeditor/*
*/psc/ps/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL*
*/psp/ps/EMPLOYEE/HRMS/c/HRS_HRAM.HRS_CE.GBL*
*/psc/ps/EMPLOYEE/HRMS/s/WEBLIB_TIMEOUT.PT_TIMEOUTWARNING.FieldFormula.IScript_TIMEOUTWARNING
*/psc/ps/EMPLOYEE/HRMS/\?cmd=expire
*/psp/ps/EMPLOYEE/HRMS/\?cmd=expire
*/psp/ps/EMPLOYEE/HRMS/\?cmd=logout

Lines 1 and 2 sort out the signon page.

Line 3 is the Employee Portal homepage.

Lines 4 and 5 are for images.  Lines 6 and 8 are for viewing attachments and the Rich Text editor.

Lines 7, 9 and 10 are sample PeopleSoft pages/components.

The remainder deal with the timeout and signout links.

(Assuming that your PIA site is ‘ps’)

Gotchas

And you’re done.  There are a few little quirks to note.

Firstly, every time you change your URLs file you’ll need to restart the Squid service (or run squid -k reconfigure to reload the configuration without a restart), but it’s a quick process so doesn’t hold you up too much.

Secondly, PeopleSoft frequently uses the ‘?’ character as a URL delimiter (for example ?cmd=logout), but in a regular expression ‘?’ is a metacharacter meaning ‘zero or one of the preceding item’, so an unescaped pattern silently fails to match the real URL.  There are several occasions when you need to match against the full path including the query string, which is why I’ve used urlpath_regex in the ACL section above and escaped the ‘?’ as ‘\?’ in the file, so that the log-out, time-out and view attachment links work ok.
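Because every mistake in the whitelist costs a service restart, it is worth dry-running the ACL order and the patterns offline first.  The script below is an added example, not code from the original post or from Squid or PeopleSoft: it models Squid’s http_access evaluation (first matching rule wins; no match gives the opposite of the last rule) and urlpath_regex matching (a regex search over path plus query string, host excluded), and runs the post’s test rule set next to a default-deny set.  The whitelist, the sample URLs and the hostname xxx.yyy.com are constructed for the example; the site name ‘ps’ and the HRMS paths follow the post.

```python
"""Dry-run a Squid urlpath_regex whitelist before restarting the service.

Added example (not from the original post, Squid or PeopleSoft). Models
Squid's http_access evaluation and urlpath_regex matching so ACL order
and pattern escaping can be checked offline. Whitelist and sample URLs
are constructed; site name 'ps' and the HRMS paths follow the post.
"""
import re
from urllib.parse import urlsplit

# The post's first two whitelist lines in glob form. They are not regexes:
# a leading '*' has nothing to repeat, and '*' is a quantifier, not a wildcard.
GLOB_STYLE_LINES = ["*login*", "*css"]

# Regex form of a whitelist in the post's style (constructed). A regex is a
# search, so no leading '.*' is needed; '.' and '?' are escaped to match literally.
GOOD_URLS = [
    r"login",
    r"\.css$",
    r"^/psp/ps/EMPLOYEE/HRMS/h/",
    r"^/cs/ps/cache/",
    r"^/ps/images/",
    r"^/psc/ps/.*viewattach",
    r"^/psc/ps/EMPLOYEE/HRMS/c/HRS_HRAM\.HRS_CE\.GBL",
    r"^/psp/ps/EMPLOYEE/HRMS/\?cmd=expire",
    r"^/psp/ps/EMPLOYEE/HRMS/\?cmd=logout",
]
BAD_URLS = [r"DEV"]          # the post's environment marker, assumed to be in the path
ALL = [re.compile("")]       # Squid's built-in 'all' ACL: matches every request


def compile_acl(patterns, flags=0):
    """Compile each whitelist line, collecting failures instead of aborting.

    Returns (compiled_patterns, [(line, error), ...]); bad lines surface
    here rather than in cache.log after a restart.
    """
    compiled, errors = [], []
    for line in patterns:
        try:
            compiled.append(re.compile(line, flags))
        except re.error as exc:
            errors.append((line, str(exc)))
    return compiled, errors


def urlpath(url):
    """What urlpath_regex sees: path plus '?query', never the scheme or host."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def http_access(url, rules):
    """Evaluate an ordered list of (action, acl_regexes) the way Squid does.

    The first rule whose ACL matches decides. If none matches, the result
    is the opposite of the last rule's action (Squid's documented default),
    which is why a whitelist should end with 'deny all'.
    """
    path = urlpath(url)
    for action, acl in rules:
        if any(regex.search(path) for regex in acl):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


GOOD, GOOD_ERRORS = compile_acl(GOOD_URLS)
BAD, _ = compile_acl(BAD_URLS)

# The post's test rule set (allow good, deny DEV, allow the rest) beside the
# default-deny rule set that belongs on the DMZ reverse proxy.
TEST_RULES = [("allow", GOOD), ("deny", BAD), ("allow", ALL)]
PROD_RULES = [("allow", GOOD), ("deny", ALL)]

# Constructed sample requests; the hostname is a placeholder as in the post.
SAMPLES = {
    "home": "http://xxx.yyy.com/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT",
    "logout": "http://xxx.yyy.com/psp/ps/EMPLOYEE/HRMS/?cmd=logout",
    "unlisted": "http://xxx.yyy.com/psp/ps/EMPLOYEE/HRMS/c/NOT_ON_LIST.SOMEPAGE.GBL",
    "dev": "http://xxx.yyy.com/psp/DEV/EMPLOYEE/HRMS/c/NOT_ON_LIST.SOMEPAGE.GBL",
}


def decisions(rules):
    """Map each sample URL to the proxy's decision under the given rule set."""
    return {name: http_access(url, rules) for name, url in SAMPLES.items()}


def escaping_matters():
    """Why '?' must be written '\\?': unescaped, '/HRMS/?cmd=logout' means
    'HRMS', an optional '/', then 'cmd=logout', which never matches."""
    unescaped = re.compile(r"/psp/ps/EMPLOYEE/HRMS/?cmd=logout")
    escaped = re.compile(r"/psp/ps/EMPLOYEE/HRMS/\?cmd=logout")
    path = urlpath(SAMPLES["logout"])
    return bool(unescaped.search(path)), bool(escaped.search(path))


if __name__ == "__main__":
    for line, err in compile_acl(GLOB_STYLE_LINES)[1]:
        print(f"bad whitelist line {line!r}: {err}")
    print("test rules:", decisions(TEST_RULES))
    print("prod rules:", decisions(PROD_RULES))
    print("unescaped/escaped '?' match:", escaping_matters())
```

Under the post’s test rules the unlisted component is allowed because its path does not contain DEV, which is exactly the hole the default-deny rule set closes; the glob-style lines fail to compile in Python’s re, and whatever Squid’s own regex library makes of a leading ‘*’, it is not a wildcard.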

Service Start Up – Automatic (Delayed) July 15, 2009

Posted by Tipster in Administration, Infrastructure, Windows.
1 comment so far

I’ve been spending a little time putting together a VM using Windows Server 2008 and was pleasantly surprised to see that there is a new start-up type when configuring the PIA, App Server and Process Scheduler to start as services.

As well as Automatic, Manual and Disabled, there is now an Automatic (Delayed) option.

David Kurtz has spoken about using service dependencies, but I just want my App Server and Process Scheduler to start after the initial flurry of start-up activity has finished and everything else has calmed down.

Services with a delayed start still start automatically; they just wait until the services that aren’t delayed have finished starting before firing up.

It works a treat!

REN Server Ports on Multi-App Installations February 7, 2008

Posted by Tipster in Administration, Infrastructure, Oracle, PeopleSoft, PeopleTools, PS Admin.
2 comments

When you have more than one App Server on a single machine – and they both need to run a REN Server process – you need to adjust the port number in the same way you do for other processes (although the REN Server is easy to miss – as I did – because it’s near the bottom of the PSADMIN configuration, away from the other port numbers).

If you boot the App Server without changing the port you’ll get an error message:

exec PSRENSRV -A -- -C psappsrv.cfg -D PADMO -S PSRENSRV : CMDTUX_CAT:1685: ERROR: Application initialization failure

tmboot: CMDTUX_CAT:827: ERROR: Fatal error encountered; initiating user error handler

tmshutdown -qy

OK, you think. I know what that is, it must be a port clash. So you reconfigure the port in PSADMIN and then try to boot it again. Same error. Checking the REN Server log gives the following clue:

(ERROR) nssock: Cannot listen on port 7180. The port may already be in use.

It’s still looking on port 7180, not the new port!

The missing step is to update the database, as the port is also stored there:

UPDATE PSREN SET PORT_NUM = 7185, SSLPORT_NUM = 7148

Note that this statement has no WHERE clause, so it updates every row in PSREN; check the table contents first if the database holds entries for more than one REN Server, and remember to commit.  You should then find your App Server and REN Server boot fine.

Tolerance of slow App Server boot January 22, 2008

Posted by Tipster in Infrastructure, Oracle, PeopleSoft, PeopleTools, PS Admin, Tuxedo.
8 comments

In one of the more recent versions of Tools (8.49 is the first time I’ve noticed it, but that doesn’t mean it hasn’t been around in prior versions) I’ve noticed that occasionally the boot of an Application Server will fail with an error.

Booting admin processes ...
exec BBL -A :
CMDTUX_CAT:1863: INFO: Process ID=2636 Assume failed (timeout).

At the time of writing, there is nothing in Customer Connection for this, and a google search wasn’t particularly helpful either. So I had to resort to a technique from pre-Google days – i.e. work it out myself. Thankfully it wasn’t too difficult. (more…)

Get up and running with the Tuxedo Administration Console April 2, 2007

Posted by Tipster in Administration, Infrastructure, PeopleSoft, PS Admin, Tuxedo.
24 comments

I think I’ve stumbled across a better way of remotely administering servers than using remote control software and PSADMIN. There’s a tool called the ‘Tuxedo Administration Console’ (or sometimes ‘WebGUI’) which does the job also.

It looks like this:

Tuxedo Admin Console

Once you’ve done a little bit of config (no more than 15 minutes, and it’s just config, there’s nothing additional to install) you just point the web browser on your client PC to a URL and it loads up the above screen.

You drop down the Domain menu to choose which App Server or Process Scheduler to administer, then use it to start and stop the domain, or you can do individual processes if you prefer. (For example, on my current client site we have a developer who frequently hangs the domain by using all of the PSAPPSERV processes during debugging. Using this tool, we could change the Max App Servers setting and then boot a couple of extra App Servers, all in a few clicks and without rebooting the domain.)

(more…)
