Monday, November 21, 2022

"Find Definition References" for Page and Field Configurator

A student recently asked:

Is there an Edit | Find Definition References equivalent for Page and Field Configurator?

Great question! In Application Designer, we can open a field and choose Edit | Find Definition References to find all usages of that field. Unfortunately, Page and Field Configurator does not have an equivalent. The good news, however, is Page and Field Configurator is metadata driven. In other words, we can create our own "Find Definition References" equivalent by writing SQL. Here is a short example to get you started:

SELECT *
  FROM PS_EOCC_CONFIG_FLD
 WHERE FIELDNAME = 'DESCR'

The EOCC_CONFIG_FLD record contains the Component name, Record name, and Field name, allowing us to effectively "Find Definition References" for any of those three items.

At JSMpros, we teach PeopleTools Tips like this every week. Be sure to check our website to see what we are offering next!

Tuesday, November 08, 2022

TokenChpoken


Several years ago, ERPScan published a series of articles describing PeopleSoft security attack vectors. While reading the series, keep in mind it was written nearly a decade ago, and PeopleSoft has made changes to security to mitigate the issues raised by ERPScan. For example, their article about the Access Token ends with the note, "this vulnerability was patched in Oracle CPU for October 2014." Note to self: Apply CPUs! But the topic that keeps coming up is TokenChpoken.

What is TokenChpoken?

When you authenticate (log in) to PeopleSoft, PeopleSoft sends a cookie, PS_TOKEN, to your browser. Thereafter, PeopleSoft identifies you by that cookie. For every request, PeopleSoft asks, "who are you?" and that cookie supplies the answer. This cookie is critical to cross-product SSO for unified navigation, Interaction Hub, etc. TokenChpoken describes how to decrypt that cookie, change the OPRID, and assume the identity of someone else. Pretty scary! But is it legitimate? As described by the TokenChpoken write-up, someone leveraging this approach must know a target user ID and the SSO node name, and must recover the node password, which the write-up does through a modern brute-force attack. If you renamed your nodes and use strong passwords, you are a long way from a TokenChpoken "vulnerability." But that doesn't eliminate the potential. It is now a risk calculation.

Is TokenChpoken still relevant for today's PeopleSoft? In PeopleTools 8.56, PeopleSoft implemented a "knock knock/callback" pattern with a check token. Dan Iverson has a great write-up on this 8.56 feature. Likewise, as of 8.56, if I restart my web server while browsing PeopleSoft, PeopleSoft renders the message "unauthorized token detected." It seems like PeopleSoft now keeps a list of issued tokens in memory, and a restart clears that list. These are fantastic safeguards against a potential TokenChpoken Switch User. My thought is,

"If PeopleSoft won't accept its own token after a restart, why would it accept a modified token?"

But is this enough?

A few years ago, Colton Fischer came up with a simple way to test functionality as a different user. You log into PeopleSoft as yourself, press a bookmark in your web browser, supply the node name, node password, and the target user ID, and instantly become someone else. You may find his project here. As a developer and tester, this sounds fantastic! Through a "master password," I can assume the identity of anyone for testing purposes, of course. How does it work? It is essentially TokenChpoken in the web browser. What does that mean? TokenChpoken is alive and well.

Mitigation

As documented by Dan Iverson, setting the Check Token and node password on your nodes, as well as changing node names to something other than the default PSFT_xx, is a great start. And that start may be enough. But you might want to try Colton's bookmarklet to see if you can become someone else. If so, here is another idea: Eliminate the PS_TOKEN cookie. Eliminating the PS_TOKEN is a bit controversial as this is the "key" to PeopleSoft SSO, and it may not be the right solution for you. But here is how it works: As a response leaves the web server or load balancer, the web server/load balancer replaces the PS_TOKEN cookie with a different, randomized cookie and remembers the pairing. On re-entry, the web server/load balancer maps that random cookie back to the original PS_TOKEN before forwarding the request. PeopleSoft is unaware and functions as usual, while the browser never holds a PS_TOKEN that could be decrypted and modified. For this to hold, the random value must be unguessable, and the mapping must be reachable from every web server/load balancer node that can receive the next request. If all of your PeopleSoft instances are behind the same load balancer and use the same domain, then SSO may work as usual, and token replacement may be a great option. If you want an off-the-shelf solution, check out Pathlock's ERP Firewall, which has built-in TokenChpoken mitigation.
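Here is an added example (not code from the original post, and not any vendor's product) of the token-replacement layer described above, reduced to the two header rewrites a reverse proxy would perform. It assumes a proxy or load balancer that lets you rewrite Set-Cookie on responses and Cookie on requests. PS_TOKEN is PeopleSoft's cookie name; the opaque cookie name PSOPAQUE and the 20-minute idle timeout are assumptions for the demonstration, as is the sample cookie data:

```python
# Added example of PS_TOKEN replacement at a proxy; not from the original post.
# PSOPAQUE and the idle timeout are assumed names/values for this demo.
import secrets
import time
from http.cookies import SimpleCookie

REAL_COOKIE = "PS_TOKEN"     # issued and consumed by PeopleSoft
OPAQUE_COOKIE = "PSOPAQUE"   # assumed name for the random cookie the browser sees
IDLE_SECONDS = 20 * 60       # assumed idle timeout for a mapping


class TokenVault:
    """Maps unguessable opaque ids to real PS_TOKEN values.

    The browser never receives PS_TOKEN, so a decrypted-and-modified token cannot
    be presented to PeopleSoft through this layer: the proxy only forwards a
    PS_TOKEN it minted a mapping for itself.
    """

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock for testing
        self._by_opaque = {}             # opaque id -> (ps_token, last_seen)

    def issue(self, ps_token):
        opaque = secrets.token_urlsafe(32)   # 256 random bits, URL-safe alphabet
        self._by_opaque[opaque] = (ps_token, self._now())
        return opaque

    def resolve(self, opaque):
        entry = self._by_opaque.get(opaque)
        if entry is None:
            return None
        ps_token, last_seen = entry
        if self._now() - last_seen > IDLE_SECONDS:
            del self._by_opaque[opaque]  # expired mapping; force a fresh sign-on
            return None
        self._by_opaque[opaque] = (ps_token, self._now())
        return ps_token

    def revoke(self, opaque):
        """Call on sign-out so the mapping dies with the session."""
        self._by_opaque.pop(opaque, None)


def rewrite_response_set_cookie(set_cookie_headers, vault):
    """Outbound: replace each PS_TOKEN Set-Cookie with an opaque cookie.

    Other cookies pass through unchanged. Path/Domain/SameSite/lifetime are
    copied from the original; Secure and HttpOnly are always set on the opaque
    cookie so it is not exposed to script or sent over plain HTTP.
    """
    rewritten = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if REAL_COOKIE not in jar:
            rewritten.append(header)
            continue
        original = jar[REAL_COOKIE]
        replacement = SimpleCookie()
        replacement[OPAQUE_COOKIE] = vault.issue(original.value)
        morsel = replacement[OPAQUE_COOKIE]
        for attr in ("path", "domain", "samesite", "max-age", "expires"):
            if attr in original and original[attr]:
                morsel[attr] = original[attr]
        morsel["secure"] = True
        morsel["httponly"] = True
        rewritten.append(morsel.OutputString())
    return rewritten


def rewrite_request_cookie(cookie_header, vault):
    """Inbound: translate the opaque cookie back to PS_TOKEN before forwarding.

    A PS_TOKEN sent directly by the client is dropped: only the proxy may supply
    one, which is the whole point of the layer. An unknown or expired opaque
    cookie is also dropped, so PeopleSoft sees an unauthenticated request.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    forwarded = []
    for name, morsel in jar.items():
        if name == REAL_COOKIE:
            continue
        if name == OPAQUE_COOKIE:
            real = vault.resolve(morsel.value)
            if real is not None:
                forwarded.append(f"{REAL_COOKIE}={real}")
            continue
        forwarded.append(f"{name}={morsel.value}")
    return "; ".join(forwarded)
```

A forged PS_TOKEN sent straight from a browser never reaches PeopleSoft through this path: the inbound rewrite discards it and forwards only a PS_TOKEN the proxy itself minted a mapping for. In production the TokenVault would live in a store shared by every proxy node so the same opaque id resolves everywhere, and revoke() would run on sign-out.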

Since most PeopleTools classes involve nodes and security, we talk about TokenChpoken regularly. To learn more about this topic and other PeopleTools tips, check out our website to see what we are offering next!

Friday, October 28, 2022

Triggering FieldChange from JavaScript

We love a challenge, and we believe anything is possible with PeopleTools. It is never a question of "can you?" but "how?" A customer recently shared a challenge with us:

We use a handheld scanner to enter values into a text field of a Fluid Page. After scanning, we want FieldChange PeopleCode to load data into the remainder of the page. Our solution worked great in PeopleTools 8.58, but quit working after upgrading to 8.59.

Since many scanners act as automated keyboards, sending keystrokes derived from barcodes, there are several ways to handle this. The simplest way is to include a button immediately following the data entry field and use this button to trigger FieldChange. But this got us thinking about another scenario:

How do you trigger FieldChange if you use JavaScript to update a data entry field?

The process involves three steps:

1. Use JavaScript to update a data entry field. The JavaScript might look something like this:

document.getElementById('MYRECORD_MYFIELD_ID').value = 'The new value';

2. Stage field changes by triggering the onchange handler

document.getElementById('MYRECORD_MYFIELD_ID').onchange();

3. Trigger PeopleSoft's Ajax processing, passing the form and the id of the field whose FieldChange should run

submitAction_win0(document.win0, id);

Notice the win0 in step 3? That is a system-generated name that reflects the current window ID. PeopleSoft uses the Meta-HTML %FormName at design time.
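Here is an added example (not the post's own code) that bundles the three steps into one helper and reads the form name from the field's enclosing form at runtime, so it resolves submitAction_win0, submitAction_win1, and so on without hard-coding the suffix. The element id MYRECORD_MYFIELD_ID is the placeholder from the steps above, and the fake page is constructed here so the helper can be exercised outside a browser:

```javascript
// Added example; not code from the original post. The fake page below is a
// constructed stand-in for a PeopleSoft page, not a real DOM.
function triggerPeopleSoftFieldChange(fieldId, newValue, doc, win) {
  doc = doc || (typeof document !== 'undefined' ? document : null);
  win = win || (typeof window !== 'undefined' ? window : null);
  if (!doc || !win) throw new Error('A document and window (or stand-ins) are required');

  const field = doc.getElementById(fieldId);
  if (!field) throw new Error('No element with id ' + fieldId);

  // Step 1: put the new value in the field.
  field.value = newValue;

  // Step 2: stage the change. PeopleSoft attaches an inline onchange handler that
  // records the field as changed; fall back to a synthetic change event otherwise.
  if (typeof field.onchange === 'function') {
    field.onchange();
  } else if (typeof field.dispatchEvent === 'function' && typeof win.Event === 'function') {
    field.dispatchEvent(new win.Event('change', { bubbles: true }));
  }

  // Step 3: call submitAction_<formName>(form, id) so the server runs FieldChange.
  const form = field.form;
  if (!form || !form.name) throw new Error('Field ' + fieldId + ' is not inside a named form');
  const submit = win['submitAction_' + form.name];
  if (typeof submit !== 'function') {
    throw new Error('submitAction_' + form.name + ' is not defined; is this a PeopleSoft page?');
  }
  return submit(form, fieldId);
}

// Constructed stand-in for a PeopleSoft page so the helper runs outside a browser.
// It records the calls a real page would receive, in order.
function makeFakePeopleSoftPage(formName) {
  const calls = [];
  const field = {
    id: 'MYRECORD_MYFIELD_ID',
    value: '',
    onchange: function () { calls.push('onchange:' + this.value); },
  };
  const form = { name: formName, elements: [field] };
  field.form = form;
  const doc = { getElementById: (id) => (id === field.id ? field : null) };
  const win = {};
  win['submitAction_' + formName] = function (f, id) {
    calls.push('submit:' + f.name + ':' + id);
    return 'submitted';
  };
  return { doc: doc, win: win, field: field, calls: calls };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const page = makeFakePeopleSoftPage('win0');
  triggerPeopleSoftFieldChange('MYRECORD_MYFIELD_ID', '0123456789', page.doc, page.win);
  console.log(page.calls.join('\n'));
}
```

In a real page you would call triggerPeopleSoftFieldChange('MYRECORD_MYFIELD_ID', scannedValue) with no document or window arguments; the helper throws rather than silently doing nothing when the field, its form, or the submitAction_ function cannot be found, which is the usual failure when an element id or window name differs between releases.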

Here is a short example I put together for the PeopleTools 8.59 Event Mapping configuration page, complete with HTML element IDs, that demonstrates using %FormName. The purpose of the fragment is to set the service name for an event and trigger PeopleSoft processing:

Please note: this is an unsupported example that worked for a specific use case but may not work for others. We provide it as an example of what's possible and as a starting point for your own solution.

Are you interested in learning more PeopleSoft Fluid tips and tricks? Be sure to enroll in one of our upcoming events!

Wednesday, October 26, 2022

Decustomization Strategies Free Webcast!

Join us Thursday, November 3, 2022, for a free 30-minute webcast describing PeopleSoft decustomization strategies such as:

  • When should you Decustomize?
  • What tools are available?
  • How do you use those tools?

Be sure to register immediately, as the webcast is next week! It all starts at 12:15 Central.


Tuesday, October 25, 2022

Announcing Configuration Day 2022!

Announcing PeopleSoft Configuration Day! Join me online Thursday, November 17th for a full day PeopleSoft education experience filled with tips and best practices. Space is limited so register now!

Register Now!

Here are some of the topics we will cover and questions we will answer:

Configuration versus Customization

  • Are Page and Field Configurator changes really configurations?
  • What about Event Mapping or Drop Zones?
  • Why does Oracle call these features "isolating customizations?"

PeopleSoft Test Framework

Isolated customizations do not appear on compare reports. But without compare reports, how do you know what to test and what to retrofit? Learn how to use PTF to regression test configurations and isolated customizations. Experience the new PTF Chrome-based recorder when you join us Thursday, November 17th.

Security

Learn about the data privacy framework and how it differs from Page and Field Configurator's Data Masking. Learn how functional business analysts may use roles to secure, hide, and mask fields.

Extending Oracle-delivered page Content

Learn how to use Related Content and Drop Zones to add more content to Oracle-delivered pages. Find out where these features are similar and where they differ. Learn when to use which tool.

HCM Application-Specific Configurations

What do My Team, Job Data, and Benefits have in common? HCM-specific configuration options. Should you use these options or the more generic PeopleTools configuration alternatives? Join us on Thursday, November 17th to find out!

Activity Guides

Should you use PeopleTools Activity Guides directly or Activity Guide Composer? Find out on Thursday, November 17th!


Register now to find the answers to these and many more questions on Thursday, November 17th.

The cost for this event is $447 per person. If you have a group of 10 or more, contact us at info@jsmpros.com for a quantity discount.

Register Now!

Saturday, October 22, 2022

REST Consumer Base URL Maintenance Idea

"Legacy" Integration Broker used nodes to identify endpoints, and we migrated nodes separately from Messages and modern Service Operations. This design offered the following benefits:

  • Reuse across 8.47- Messages and 8.48+ Service Operations,
  • Different endpoints between development and production, and
  • The ability to test node connectivity without invoking a live service.

Modern PeopleSoft REST consumption, however, requires us to specify the full endpoint URL on every Service Operation. Here is an example. Let's say I want to send absence requests to the Oracle HCM cloud. Since the current version is 11.13.18.05, I would post to a URL that looks something like: https://some.server.com/hcmRestApi/resources/11.13.18.05/absences. If I also wanted to create workers, I would post to https://some.server.com/hcmRestApi/resources/11.13.18.05/workers. Do you see the similarities? I would have two service operations pointing to the same URL base. And that is just for POST. There are also GET, PUT, and PATCH operations, which would result in further redundancy. Now, let's say I need to change my server domain name or service version. That would require me to locate and update every Service Operation that uses the old base URL.

My other concern with the current design relates to the separation between development and production. Since the full endpoint URL is stored with each Service Operation, a migration from development through to production may require an update to the endpoint URL. In a sense, this requires us to place untested configurations in production.

To work around the current design, many developers resort to code-only metadata-less integrations where they use simpler metadata constructs such as URL definitions, App Classes, and Message Catalog entries for shared reusable fragments.

We believe there is value in Integration Broker metadata, but we think it needs just one change. I proposed the following idea in the PeopleSoft IdeaLabs to simplify the maintenance of both REST Service Operations and the new 8.60 Application Services Framework consumer services. Please vote for this idea if you believe it would be beneficial.

Monday, October 17, 2022

What if Component App Classes Were Configurable?

With Fluid, PeopleSoft implemented an interesting design pattern: App Classes as Event Handlers. When properly implemented, this pattern offers some fantastic benefits:

You can see Oracle's latest pattern on just about every Fluid component. A component that uses this pattern might have PreBuild PeopleCode that looks something like this:

import SOME_PACKAGE:SomeClass;
Component SOME_PACKAGE:SomeClass &handler;

&handler = create SOME_PACKAGE:SomeClass();
&handler.PreBuild();

But I had this idea... What if the code looked more like this:

import SOME_PACKAGE:SomeBaseClass;
Component SOME_PACKAGE:SomeBaseClass &handler;

Local string &className;

REM ** Select actual implementation of SomeBaseClass from a configuration table;
SQLExec("...", %Component, &className);

&handler = CreateObject(&className);
&handler.PreBuild();

Then we could override delivered behavior by subclassing the delivered handler and configuring our own class in its place. And I think this is the best reason to use App Classes as component event handlers. What would it take to implement this solution? Oracle would need to select the implementation class from SQL rather than hard-code its implementation into component PreBuild. One caveat: whichever table holds the class name becomes a code-loading control point, because anyone who can update that row changes which PeopleCode runs for the component, so it needs the same change control and security as PeopleCode itself. But is it worth it? You know that is a fantastic question! You might say Event Mapping offers the same result but is more flexible. Let us know your thoughts in the comments!
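As an added example (not delivered code, and not code from the original post), here is what the lookup could look like with the SQL filled in against an assumed configuration table, PS_MY_HANDLER_CFG, keyed by component and market, with a fallback to the delivered class when no row exists:

```peoplecode
import SOME_PACKAGE:SomeBaseClass;

Component SOME_PACKAGE:SomeBaseClass &handler;
Local string &className;

/* Added example, not delivered code. PS_MY_HANDLER_CFG and its columns are assumed:
   one row per component and market naming the handler class to instantiate.
   Bind variables keep the component and market values out of the SQL text. */
SQLExec("SELECT APPCLASSPATH FROM PS_MY_HANDLER_CFG WHERE PNLGRPNAME = :1 AND MARKET = :2", %Component, %Market, &className);

/* No override configured: use the delivered handler so the component still works. */
If None(&className) Then
   &className = "SOME_PACKAGE:SomeClass";
End-If;

/* Instantiate by name. The configured class must extend SomeBaseClass for the
   assignment to &handler to succeed; a wrong class name fails here, before any
   event logic runs, rather than partway through the component. */
&handler = CreateObject(&className);
&handler.PreBuild();
```

Because the class name comes from data, the same component can run a customer subclass in one environment and the delivered class in another with no PeopleCode change, which is the point of the pattern; it also means the configuration table should be migrated and secured like code.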

At JSMpros, we teach PeopleTools and PeopleCode concepts like this regularly. Check out our website to see what we are offering next!