CA SSO Agent for Oracle PeopleSoft Guide › Post-Installation Configuration

Post-Installation Configuration

This section contains the following topics:

Set Up a CA SSO Response

Create a DEFAULT_USER Account in PeopleSoft

Enable DEFAULT_USER on Web Server

How to Install the PeopleCode to the PeopleSoft Application Designer

Test the Installation

Disabling Existing Account Passwords

Replacing the signon.html File

Set Up a CA SSO Response

Within CA SSO, create a set of relevant objects to protect the PeopleSoft application.

The realm to be protected can be /psp/
A rule for *
An HTTP header response named PSUSERNAME containing the user’s PeopleSoft Username.
Note: The name of the HTTP header cannot be changed. Changing the name of this header requires changes to both the PeopleCode and the SmPSLoginLib library.
Configure the SessionLinker response mentioning the PeopleSoft cookie, PS_TOKEN and the WebLogic/WebSphere session cookie. For more information, see CA SSO SessionLinker Guide.
Note: The exact value of the WebLogic/WebSphere session cookie name should be the value for the portalServletSessionCookieName parameter in the configuration.properties file of the PIA installation.
A policy that grants access to an appropriate set of users and that links the rule described in this section to the correct CA SSO response.

For example, if the variable name is PSUSERNAME and the attribute name is PeoplesoftUsername, CA SSO protects the entire PeopleSoft environment and returns the user’s PeopleSoft username as an HTTP header, named HTTP_PSUSERNAME.

Create a DEFAULT_USER Account in PeopleSoft

The sole purpose of the default user account is for initial communication between PeopleSoft web server and PeopleSoft application server. The default user account enables execution of the Sign-On PeopleCode, which in turn enables the CA SSO integration and retrieves the CA SSO headers, verifies their content, and starts a session. For security reasons, configure this account so that it has no access to the system.

Follow these steps:

Invoke PeopleSoft, and navigate to User Profiles.
Select Add a New Value, and create a user.
In the User ID field, enter DEFAULT_USER.
In the Password field, enter the password.
Click the Add button.
On the ID and Roles tabs, make sure the user does not have access to any data in the system (no privileges and no roles).
Save your changes, and exit the PeopleSoft application.

Enable DEFAULT_USER on Web Server

To enable the DEFAULT_USER on PeopleTools version 8.5x onwards, modify the following properties on the security page of the web profile configuration:

Enable the Public Users—Allow public Access property by selecting the check box.
Set Public Users—User ID property to DEFAULT_USER
Set Public Users—Password property to a long string that will be difficult to enter again

Restart the WebLogic/WebSphere server to activate these changes.

How to Install the PeopleCode to the PeopleSoft Application Designer

To install PeopleCode to the PeopleSoft application designer, use the following process:

Install the PeopleCode to the PeopleSoft application designer.
Register the PeopleCode for authentication.

Install PeopleCode to PeopleSoft Application Designer

A file named peoplecode.txt is installed in the PeopleSoft Agent Installation Folder\peoplesoft\PeopleCode folder. The file includes the following:

Debugging entries, which you can remove before the code is used in a production system
Declarations for functions included in the Login Library, and a function called SITEMINDER_SSO that makes calls to the library

Follow these steps:

Start the PeopleSoft Application Designer program.
Log in as a privileged user with write permissions to the FUNCLIB_LDAP record.
Open the Open Object window and specify the following:
- Object Type: Record
- Name: FUNCLIB_LDAP
Click Open.
Select the LDAP Auth row, click the right mouse button, and select View PeopleCode.
Append the contents of the peoplecode.txt file to the end of the existing PeopleCode source code.
Click Save and exit from the Application Designer.

Register PeopleCode for Authentication

Registering PeopleCode enables the SITEMINDER_SSO function.

Follow these steps:

In the PeopleSoft program, navigate to SignOn PeopleCode.
Select the Invoke as user signing in radio button.
Add a new row and enter the specified information in the following fields:
- Enabled: checkmark
- Record: FUNCLIB_LDAP
- Field Name: LDAPAUTH
- Event Name: FieldDefault
- Function Name: SITEMINDER_SSO
- Exec Auth Fail: Leave blank (no checkmark)
Click Save, and log out of PeopleSoft.

More information:

Install PeopleCode to PeopleSoft Application Designer

Test the Installation

Access to PeopleSoft through the existing signon.html page should be blocked. Before replacing this page, test the integration (installation).

Follow these steps:

In UNIX, use the ca_peoplesoft_env.sh script located in the following directory to export the environment variables:
```
/<agent_install_dir>/
```
Restart the PeopleSoft application and web servers.
Access the PeopleSoft application through the startup page by using the command start.
Example:

For PeopleSoft 8.5x onwards:
```
http://peoplesoft.acme.com/psp/ps/?cmd=start
```
At the CA SSO login screen, enter the CA SSO user credentials.
After you login to CA SSO, access to PeopleSoft should immediately be granted.

If, at any time, PeopleSoft prompts for credentials, some portion of the integration is not operating correctly.

More information:

Troubleshooting and Messages

Disabling Existing Account Passwords

Because existing accounts are not blocked from logging into PeopleSoft in Tier 2 mode or through some other mechanism, you should lock out passwords for accounts accessing PeopleSoft through the web. See PeopleSoft documentation for assistance in this process.

Replacing the signon.html File

To prevent users from attempting to sign-on to PeopleSoft through existing bookmarks, replace the existing signon.html. Installer installs sample signon.html files in the following location:

<PeopleSoft_Agent_Installation_folder>\peoplesoft\Documentation

These files provide the existing warnings and error messages, while removing the username and password prompts.

Replace the existing file with the relevant sample sign-on file after renaming it signon.html or configure the system to use the new file.