Part 2: PeopleSoft SES Configuration

Previously in Part 1, I wrote about the steps to install Oracle Secure Enterprise Search for use with PeopleSoft and reviewed some considerations for PeopleSoft Admins.  Part 2 covers the integration configuration required to have PeopleSoft communicate with SES.  On the PeopleSoft side we must set up Integration Broker properly.  On the SES side we need to configure Identity Management for PeopleSoft.

SES Configuration

First log in to the Admin Console for SES, using the URL from the previous post, which would be something similar to http://psses.yourdomain.com:7777/search/admin/index.jsp.  As you will see, the User Name is hard coded to eqsys and the password is what you provided during the installation.

Once logged in here is what the home screen looks like but there is nothing for us to do here.

First we need to add a Federation Trusted Entity.  Navigate to the Global Settings tab and click the Federation Trusted Entities link in the Search section.

This Entity Name and password are configured for inbound connections to SES and will be configured on the PeopleSoft side.  Here is a screenshot after I had already entered and saved the data.  As you can see, I named the Entity DEVPS and it is using a password.  I entered a Description though one is not necessary.  The Identity Plug-in and Authentication Attribute options are left blank for this configuration.

Next we activate the Identity Plug-in, which is used to access users in PeopleSoft.  An Identity Plug-in is described as follows:

Identity plug-ins can obtain user and group information directly from any identity management system. An identity plug-in is Java code between Oracle SES and an identity management system, allowing Oracle SES to read user and group information.

Go back to the Global Settings tab and find the Identity Management Setup link in the System section.

This page has a long list of Identity Plug-ins.  You can select and set up only one, though.  Furthermore:

The plug-in that you activate is responsible for all authentication and validation activity in Oracle SES.

So select the PeopleSoft Identity Plug-in and click the Activate button, which is at the bottom of the page.

Enter the HTTP endpoint of authentication, which will be the URL to the PeopleSoft Listening Connector on your PeopleSoft system.  The User ID and Password here belong to a PeopleSoft user that has the Search Framework Administrator role or permission lists assigned.  As usual, I created a separate account in PeopleSoft for the sole purpose of providing this functionality.  This allows me to determine the minimum required access this particular user needs and protects against impacting other functionality by using a shared account.  It also usually pleases auditors and security teams to see, which keeps me on their good side.  This and buying them donuts or cookies of course!

Once set up, you can see we have the option only to Deactivate the existing Identity Plug-in.  If you make a mistake, just deactivate the Plug-in and start over.

Note: The 8.53 install guide indicates there is a place to enter the ToolsRelease here, but as you can see, there is not.

Next we review the SES Authentication timeout settings.  Head back to the main Global Settings tab again and in the Search section click Query Configuration.  The PeopleSoft documentation recommends changing the Maximum number of results to be sent to PeopleSoft to 999999 (the default was 200).  That sounds excessive, so I have noted it as something to come back and adjust later once we have it working; for now, though, I have done what the documentation has recommended.

Next go down to Query-time Authorization Configuration and set the Timeout Threshold to 120000 milliseconds (the default was 30000).

Next scroll down to Secure Search Configuration and change the following:

  • Security Filter Lifespan to 60  (default was 1440)
  • Authentication Timeout to 1200000 (default was 30000)
  • Authorization Timeout to 180000 (default was 30000)

I’m not sure why the Authentication Timeout should be 20 minutes. Seems excessive again for an auth timeout, but I will revisit it later with the other settings.  The help page states

Specify the authentication time-out period. This is the maximum wait for getting a response from an identity plug-in. If the threshold period expires, then the associated login operation will fail.

Apply the changes when you are done.

We have one step that is required at the OS level: add AUTO_CHARSET_DETECTION to $ORACLE_HOME/search/data/config/crawler.dat to enable character set auto detection.  This is important to properly handle Unicode files and pages that may be indexed.  I added the following lines to the end of the crawler.dat file:

# enable automatic character set detection
AUTO_CHARSET_DETECTION

When you finally crawl something, you can validate that this option is set properly by reviewing the log; you should find the following line:
21:07:06:313 INFO       main            Auto character set detection is on
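
One way to script this step so it can be rerun safely, added here as an example that is not part of the original post. The function names are made up for the example, and it assumes that # starts a comment in crawler.dat and that the directive is a bare keyword on its own line, as in the lines above.

```shell
#!/bin/sh
# Added example: idempotently enable AUTO_CHARSET_DETECTION in crawler.dat
# and confirm it from a crawler log. Function names are hypothetical.

# enable_auto_charset FILE
# Appends the directive only if no active (uncommented) line already sets it.
# Returns 0 if the file was changed, 1 if already enabled, 2 on error.
enable_auto_charset() {
    conf=$1
    [ -f "$conf" ] && [ -w "$conf" ] || return 2
    # An active directive is the bare keyword on its own line.
    if grep -Eq '^[[:space:]]*AUTO_CHARSET_DETECTION[[:space:]]*$' "$conf"; then
        return 1
    fi
    # Keep a copy so the change can be reverted.
    cp -p "$conf" "$conf.bak" || return 2
    # If the last line lacks a newline, add one so the directive is not
    # glued onto the end of an existing setting.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        printf '\n' >> "$conf"
    fi
    printf '%s\n' '# enable automatic character set detection' \
                  'AUTO_CHARSET_DETECTION' >> "$conf"
    return 0
}

# crawl_log_confirms_charset LOGFILE
# Returns 0 when the crawler reported the setting as active.
crawl_log_confirms_charset() {
    grep -q 'Auto character set detection is on' "$1"
}

# Usage: sh enable_charset.sh /path/to/crawler.dat [/path/to/crawl.log]
if [ "$#" -ge 1 ]; then
    enable_auto_charset "$1"
    case $? in
        0) echo "directive appended (backup in $1.bak)" ;;
        1) echo "already enabled, file unchanged" ;;
        *) echo "cannot update $1" >&2 ;;
    esac
    if [ "$#" -ge 2 ]; then
        crawl_log_confirms_charset "$2" && echo "crawler log confirms detection is on"
    fi
fi
```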

That should conclude our setup on the SES side.  We will return later, though, to validate and look at some things.

IB setup for Search Framework

The PeopleTools Install Documentation walks through setting up Integration Broker somewhat in Chapter 11 Configuring Integration Between PeopleSoft PeopleTools and Oracle (Tools 8.53).  Since this isn’t an Integration Broker write up and there are plenty of already existing good ones out there like On the Peoplesoft Road: Peopletools 8.52 Integration Network WorkCenter, I’ll cover the basics quickly and then touch on a few things I noticed.

  1. You need to have set up your Integration Gateway and loaded the connectors
  2. You should define your Gateway Default App Server and PeopleSoft Nodes in the Gateway Setup properties
  3. On the Advanced Properties Page for the Gateway Setup you should define a secureFileKeystorePasswd
  4. Your Local Node should be active, and when you ping it, it should come back with Success
  5. PUBSUB processes should be running on your application server domain
  6. Verify that your Service Configuration is correct.
    1. Navigate to PeopleTools ->  Integration Broker ->  Configuration ->  Service Configuration
    2. Click Setup Target Locations
    3. Confirm the Web Services Target Location references the correct URL for your system.

This next requirement is something that is not always configured when simply using Integration Broker.  They want the Content URI and Portal URI text specified on the portal tab for the default Local Node you are working with. This is required, and you may get an error building your search index without it.  The error is pretty self explanatory, it is:
Content/Portal URL not defined for node PSFT_HR

You should also verify that the Service Operations needed for SES integration exist in your system. ADMINSERVICE and ORACLESEARCHSERVICE should both exist as Services.

Continuing on, we are ready to define a search instance in PeopleSoft.  Navigate to:
PeopleTools –> Search Framework –> Administration –> Search Instance
Add a New Value.  A default Search Instance may have been delivered in your database depending on what you're working in.  If it exists, you can try to add a new one, but I found I was unable to, so I had to modify the existing one.  On 8.53.02 I was unable to save a new Search Instance under a different name.  See the attached error to the right.  When I tried to use my own name, a trace indicated it didn’t seem to matter and would use INSERT INTO PS_PTSF_SRCH_ENGN with the name being PTSF_DEFAULT.  Interestingly enough, the SES 8.53 PeopleBook says:

You may not reuse a search instance entry for an entirely new instance of a search server

But in my case, that is exactly what I did.  So I changed the config as follows.
SSL Option: is set to Disable in my case for now.
Host Name: is just my system name psses.yourdomain.com
Port: is 7777 since I took the default

Provide your SES Admin Service Credentials:
eqsys/password

The Query Service Credentials are the actual Federated Identity name and password
DEVPS/password

Enter the Call Back Properties updating the URL accordingly and specifying a user with Search Server access.  I decided to reuse my RP_SES user which I had already created.

Be careful here, this value needs to match the setting in the Service Configuration Target Location we verified a few steps back.  If you specified the Default Local Node on the end of the Target Location then you need to specify it here.  I don’t use the Default Local Node on the Service Configuration Target Location.  When I replaced the existing text from the original setting it left the /LocalNode in the field but I wasn’t able to see it until I expanded the text area.
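
The mismatch described above can be checked mechanically before saving. This is an added example, not part of the original post; the function names and the sample host in the comments are constructed, and it assumes you pass in the two values copied from the Target Location and Call Back URL fields.

```shell
#!/bin/sh
# Added example: compare the Service Configuration Target Location with the
# Search Instance Call Back URL and flag a leftover node segment such as
# the /LocalNode that was hidden in the text area. Names are hypothetical.

# normalize_url VALUE
# Removes all whitespace (a text area paste can hide newlines) and
# any trailing slashes.
normalize_url() {
    printf '%s' "$1" | tr -d '[:space:]' | sed 's:/*$::'
}

# extra_segment LONGER SHORTER
# Prints the single path segment by which LONGER exceeds SHORTER, if any.
extra_segment() {
    case $1 in
        "$2"/*)
            rest=${1#"$2"/}
            case $rest in
                */*) return 1 ;;                       # more than one segment
                *)   printf '%s' "$rest"; return 0 ;;
            esac ;;
    esac
    return 1
}

# compare_ib_urls TARGET_LOCATION CALLBACK_URL
# Prints a verdict and returns 0 only when the two values match.
compare_ib_urls() {
    target=$(normalize_url "$1")
    callback=$(normalize_url "$2")
    if [ "$target" = "$callback" ]; then
        echo "match"; return 0
    fi
    if node=$(extra_segment "$callback" "$target"); then
        echo "callback-has-extra-node:$node"; return 1
    fi
    if node=$(extra_segment "$target" "$callback"); then
        echo "target-has-extra-node:$node"; return 1
    fi
    echo "mismatch"; return 1
}

# Usage (constructed sample values):
#   sh check_urls.sh \
#     http://psweb.example.com:8000/PSIGW/PeopleSoftServiceListeningConnector \
#     http://psweb.example.com:8000/PSIGW/PeopleSoftServiceListeningConnector/LocalNode
if [ "$#" -eq 2 ]; then
    compare_ib_urls "$1" "$2"
fi
```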

Save your Search Instance Properties and then try to run the tests to validate.  All of them should pass.

Next go to PeopleTools –> Search Framework –> Utilities –> Diagnostics and click Step 1: Ping Test.  This should also work if your previous tests worked.  Once the Ping Test comes back it should make Step 2: Deploy an active link.  You should be able to continue through to Step 4: Search and everything should work.

Before clicking Cleanup you can go over to the SES Admin Console and click on the Home tab, then on the left side click on Sources in the upper menu that is blue.  You should now see something similar to RNTRPTST_<DBNAME> listed under Sources, and you should also see something similar under Schedules.  After returning to PeopleSoft and clicking Cleanup these two entries should go away.  This has validated that you can successfully Deploy, Crawl, Search, and Undeploy search indexes to SES from PeopleSoft.

In Part 3 I’ll go over the Administration of the Search Framework, which includes Deploying and Building delivered indexes.

37 thoughts on “Part 2: PeopleSoft SES Configuration”
  1. Thanks for the helpful guide. I’ve come across a problem where crawl fails when running diagnostics.

    Any help on that?

    Thanks!

    • Samy,

      Hard to say what the problem is without more info. Have you looked at the crawler log yet? To find the path you can log into SES and go to global settings -> crawler configuration (top item in sources section which is top left hand). At the bottom it shows you the path to the logs and the level of detail, I believe the default is everything. Based on the install covered in my posts, my logs would be at $ORACLE_DATA/sesdev/log or /u01/app/oracle/product/11.1.2.2.0/oradata/sesdev/log/. Each crawl will generate a log file with a name something like: i1ds32.06250425.log. I would start by looking there.

  2. Hi

    I also struggled a lot with the tests. Something which helped me in the end was the errorLog.html file in the PSIGW.war folder on the PeopleSoft server.

  3. Hi,
    I found there is only one “HTTP endpoint for authentication” setting on “Identity Management Setup”. Can I set up a SES Server shared for the DEV and PROD environments?

    • It is possible to share a single SES server with multiple PeopleSoft environments. I cannot recommend sharing across different environment types like you mentioned in DEV and PROD though. If you had HCM and FIN PROD, sharing between them would be ok, but not DEV and PROD. There are many reasons not to mix DEV and PROD of any application. In addition, I believe in order for SES shared environments to work, all PeopleSoft nodes being used must be trusted. In this case that would require PeopleSoft SSO between DEV and PROD. Since the node names are the same for say HCMDEV and HCMPROD, the node passwords would need to be the same. I’ve written an article about the dangers of this already. This type of misconfiguration can allow unauthorized access into production. I’ve seen developers use this misconfiguration to access production as different users. They were able to change the user’s password in DEV and then cross over to production without a password because of the node trust.

  4. Thanks for your reply.
    I got another problem when testing the setting.
    I go to the PeopleTools> Search Framework> Utilities> Diagnostics. I got this event log.
    ———————————————————————————————–
    Ping Test Result: Success. Oracle Secure Enterprise Search Admin Service Version 11.1.2.2.0
    ———————————————————————————————
    Undeploying. Cleaning up any data previous run
    Undeploy completed
    ———————————————————————————————
    Deploying search definition
    Exception caught while adding peoplesoft source SES Login Failed. (262,129)

  5. In order to enter ToolsRelease information as per the 8.53 installation guide you need to apply the suggested fixes, if implementing with PT 8.53 – Doc ID 1525165.1 PeopleTools Certifications – Suggested Fixes SES PT 8.53 on SES.

  6. Hi,
    I am getting below error when I click on Proxy Login; all other pings are working fine. I did setup as per your document. Please advise.
    Proxy login failed : Error with IdentityPlugin.validateUser:
    oracle.search.sdk.common.PluginException: javax.xml.soap.SOAPException: Message send failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at oracle.search.plugin.security.identity.psft.PsftIdentityPlugin.validateUser(PsftIdentityPlugin.java:334)
    at oracle.search.query.internal.AuthnTask.run(AuthnTask.java:136)
    (262,1317) (262,1318)

    • At first glance it sounds like you are having SSL cert problems. If you specified https URLs for the connectivity on both the SES and PS sides and you are not using a public CA, you most likely need to add the server cert to the keystore. If possible try the configuration without SSL first.

  7. Hi, thanks for the helpful guide, too. I have a problem at the 2nd step of the round trip (deploy). The following error messages appear:

    Ping Test Result: Success. Oracle Secure Enterprise Search Admin Service Version 11.2.2.2.0
    ———————————————————————————————
    Undeploying. Cleaning up any data previous run
    Undeploy completed
    ———————————————————————————————
    Deploying search definition
    Exception caught while adding peoplesoft source Service Exception: ns2:AdminAPIRuntimeFault : EQA-15011: The plug-in manager raised an unexpected error. (262,1018)

    I’ve searched for this error message, but didn’t find helpful hints. I can sign in successfully at the middleware, there is no problem with database or sign-in credentials ..
    thanks for help, Irina.

    • Review the SES logs in $SES_MIDDLETIER_HOME/user_projects/domains/search_domain/servers/search_server1/logs.

      It should point you in the right direction. I’ve seen host lookup problems and SSL problems. If it’s host lookup review config for the call back properties and confirm you can use the naming in your config at an OS level and resolve as needed. If it’s SSL you probably need to add your PS Gateway cert to the SES keystore which should be at $SES_MIDDLETIER/Oracle_SES1/jdk/jre/lib/security/cacerts. I’m not using 11.2.2.2 but I saw a note that recommends searching for additional cacerts files in the $SES_HOME and updating them as well.

      Hope that helps

  8. Do you need to open firewall between peoplesoft app server and SES?
    I have firewall between peoplesoft web server and SES and still have HTTP connection issue.

    • No, I don’t think you should need firewall rules to the app server. The only rules needed should be between the IB gateway and SES servers. If you are still having issues and want to post your error/scenario I will try to help further.

  9. Hi Randy,

    PeopleTools -> Search Framework -> Administration -> Search Instance

    at Search Engine Details ping is not working (hostname and port are correct and server is up)

    getting below error.

    Integration Gateway – External System Contact Error (158,10721)

    Integration Gateway was not able to contact the external system. The network location specified may be incorrect, or the site is permanently or temporarily down.

    Ping Test Result: Failure. Exception caught Integration Broker encountered an error (262,1020) PT_SEARCH.SESIMPL.MESSAGE.SESRequest.OnExecute Name:Send PCPC:688 Statement:16
    Called from:PT_SEARCH.SESIMPL.AdminService.OnExecute Name:doService Statement:848
    Called from:PT_SEARCH.SESIMPL.AdminService.OnExecute Name:getApiVersion Statement:807
    Called from:PT_SEARCH.SESIMPL.AdminService.OnExecute Name:Ping Statement:318
    Called from:PTSF_RNDTRP_WRK.PTSF_RNDTRIP_PING.FieldChange Statement:28 (262,612)

    Requesting help.

    • Start by reviewing your Integration Broker configuration and confirming it’s working. Can you ping your local node? Check the IB error log http://server:port/PSIGW/errorLog.html and see if there is any hint to what the problem is there. Validate you can actually ping the SES server from the IB server from the command line on the IB server using the hostname in your configuration.

  10. Hi Randy,

    I uninstalled 11.1.2.2, I am going with 11.2.2.2 which is recommended by Oracle guys.

    I will post if any issues.

  11. Thanks for the helpful guide. Very easy to use. I’ve run across a problem when testing the setting.

    I go to the PeopleTools> Search Framework> Utilities> Diagnostics and got the following:

    Ping Test Result: Success. Oracle Secure Enterprise Search Admin Service Version 11.2.2.2.0
    ———————————————————————————————
    Undeploying. Cleaning up any data previous run
    Undeploy completed
    ———————————————————————————————
    Deploying search definition
    Exception caught while adding peoplesoft source Service Exception: ns2:AdminAPIRuntimeFault : EQA-15011: The plug-in manager raised an unexpected error. (262,1018)

    The SES Middle tier log “search_server1_yyyy_MM_dd_hh_mm.log” (located in SES_MIDDLETIER_HOME>/ user_projects/domains/search_domain/servers/search_server1/logs ) shows oracle.search.sdk.common.PluginException: Error while reading the configuration file for retrieving the security attributes: null.

    I’ve checked my configuration several times and MOS but have found nothing that helps. Thanks.

    • This is usually where I’ve seen host look-up and SSL problems, but your error is a bit different. You mentioned you’ve reviewed your config and looked on MOS, so I assume you saw Doc ID 1600716.1 which reviews some typos in the IB config. The “null” reference is interesting, there should be a more detailed error message there I believe. If you provide more lines of the log on both sides of the error, I might be able to help. Do you have a line that reads “URIHandler initialized for the URI” near the error? You may also want to try putting the system into debug mode. It’s detailed in Doc ID 737515.1. I don’t see specific reference to the Admin Tool for 11.2.2.2 but I would assume it’s similar to 11.1.2.2 which is to add debug=true to search.properties in the $ORACLE_HOME/search/webapp/directory. If you want to send me a note via the contact form on the about page I can give you an email address to send the logs to. If you find a resolution, I’d love to have a follow-up comment to help future readers.

  12. Greg/Randy,

    I have this exact same EQA-15011 issue and have yet to find a solution. My apps are hosted at Oracle OnDemand and the same SES instance is configured to work with more than 1 of my test instances. This SES instance is working just fine for all but 1 of my test instances, so I can’t help think that the issue is on the PeopleSoft app side versus the SES side.

    If you guys are able to identify a solution please share, and I’ll do the same if I come up with one first.

    Regards,
    Mark

  13. As it turns out the userid I was using had some problem in the security so what I did was clone the PS userid to make a custom PS one and tried it again and it worked. I didn’t research it to determine what the problem with security was though. I was happy just to get by the problem.

  14. currently Oracle Content Server identity plugin is enabled in my scenario which is helping to Search documents from UCM , At the same time I want to integrate it with PeopleSoft also to people detail from there which activating identity plugin for PeopleSoft activate button is not enabled since one identity plugin is already activated. What to do. Kindly help. We have go live dates next month.

    Thanks in advance,
    Hemant

  15. Hi,

    My setup is working with http and not with https.

    We have a load balancer between Integration gateway and SES and it accepts https. So if I configure the https URL in target locations and search instance, search is giving no results. In the SES log I see a message not sent error.

    If I change my IB and SES configuration to my direct webserver URL http (bypassing my load balancer URL) search is giving results.

    Please advise me what the difference is with a load balancer in between and what actions I must do to make it work. We are using an F5 load balancer.

  16. I have a similar scenario in SSL-enabled Integration gateway and Non-SSL SES.
    We have SSL implemented on integration gateway and SES used non-SSL.

    It returns results when we use HTTP in Integration gateway, Service Target Location and call back URL. However, when we switch to use SSL in Integration gateway including Gateway URL, Service Target Location, Call back URL and connection end point in SES, it returns no result.

    We have checked many docs on MOS and support recommendation but no luck.
    Please advise and thank you in advance.

  17. There are two scenarios where we get into troubles
    Cause 1 :
    Our SSL enabled Integration gateway is using wildcard certificates. By default, WebLogic doesn’t recognize the wildcard certificate. WebLogic checks the subject of the certificate for the host name to connect. If we use a wildcard certificate, then it cannot identify the host name “*.domain.com”.

    Solution: Go to weblogic domains of SES, go to SSL tab -> Advanced settings -> Disable the host name verification by choosing NONE in the drop down list and save, bounce all the domains. Or you can also use “custom verification”.

    If it still does not solve the problem, we are into the 2nd cause.

    From WebLogic 10.3.3 onwards, if the certificate algorithm is using SHA256, we must enable WebLogic to use the JSSE SSL.

    Solution: Go to weblogic domains of SES, SSL tab -> Advanced settings -> enable JSSE SSL, save and bounce all the domains.

    Redeploy the search definitions and crawl them. It should work.

    • I’m having the same issue as Kim with SSL-enabled Integration gateway and Non-SSL SES not returning results. Can you clarify the above solution? I tried changing the host name verification to none and also changed enable JSSE SSL on AdminServer, ess_server1 and search_server1. We are still not getting any results on the menu search. Thanks.

    • I don’t have a copy of that image, but all the images I have used prompt for the sesadmin user password and use that for all SES passwords. If you don’t know the password, you could possibly cheat and use the page source from the Search Instance Administration page. The password is displayed in the source unencrypted.

  18. Could someone share what roles are needed for the Callback user to have successful SES? We gave the below roles as per Oracle. But wondering whether it works without the PeopleSoft Administrator role for the callback user.
    PeopleSoft Administrator
    Search Server
    Search Query Administrator
    Search Administrator
    PeopleSoft User

  19. This was very helpful. I ran the PTPORTALREGISTRY search process and all seems to work, however, I am still not able to do the menu searches I used to do in PT8.50 after building the Portal Registry Index. What am I missing?

    • Norali,
      It’s hard to say, there are many reasons this can happen. Have you looked at doc id 1592353.1 on Oracle support? I would start there. I’ve not really done anything with SES recently. I am going to take a look at the new Elasticsearch soon. I read it will be released with PeopleTools 8.55.10. I’ve been avoiding SES since it was announced it was going the way of the Dodo bird. If you keep relatively current on maintenance, I would suggest holding off for Elastic. Oracle has already announced SES would not be supported in PeopleTools 8.56.

  20. For this issue:The SES Middle tier log “search_server1_yyyy_MM_dd_hh_mm.log” (located in SES_MIDDLETIER_HOME>/ user_projects/domains/search_domain/servers/search_server1/logs ) shows oracle.search.sdk.common.PluginException: Error while reading the configuration file for retrieving the security attributes: null.

    Make sure that the path to the RSS Crawler xml file contains double slashes. OSES is Java-based and a single slash can be interpreted as an escape character. If using a UNC path it should be “file:////directory//subdirectory//RSSCrawler.xml”
