Exposing PeopleSoft portlets through WebCenter with WS-Security

Note: This post is an updated and extended version of this older post.

This post was produced jointly with Shawn Xin and Wellen Lau along with help and support from several other people.

1       Introduction

Often customers wish to expose a small part of PeopleSoft functionality to end users, without the need for those users to learn how to use the whole PeopleSoft user interface.  For example, there may be a desire to expose the absence request function in Employee Self Service through a staff intranet.

PeopleTools 8.48 and later releases allow you to expose PeopleSoft applications as “portlets” using the Web Service Remote Portlet (WSRP) standard, which is a convenient, code-free, way of integrating with portal platforms like Oracle WebCenter.

2       Requirements

The examples in this document were prepared using PeopleSoft HCM 9.1 with PeopleTools 8.50 and WebCenter

3       Establishing the basic integration

In this section we will establish the basic integration between WebCenter and PeopleSoft.  Later, we will look at additional steps that can be carried out to add automatic sign on to PeopleSoft.

3.1     Exposing PeopleSoft Functionality using WSRP

The first step is to log on to PeopleSoft and tell it to expose some functionality as a WSRP portlet. Here we log on to PeopleSoft using the PS user:

Now, navigate to the PeopleTools menu, then Portal, then Structure and Content.

Now, we select the area of functionality we want to expose.  In this example, I am going to choose Self Service.

We navigate down to the page we want, in this example, going into Time Reporting.

And then Report Time.

Now we click on the Edit link to the right of Timesheet, Absence Request, or whichever function you wish to expose.

In the administration page that is displayed, all we need to do is check the WSRP Producible checkbox, as shown, and then click on the Save button.

We can repeat these steps for any other functions that we want to expose as portlets.  In my example, I have also exposed Personal Information as you can see in the image below.  You can get to this page by navigating to the WSRP Production menu item underneath PeopleTools and then Portal.  When you have exposed all of the functions you want to, expand the Web Service Endpoint URL box as shown, and take a note of the URL listed there, you will need this later.

3.2     Modifying the behavior to work well in an external portal

Since we are going to be using this function from an external portal, it is important that it respects the portal framework, and does not try to “take over” the whole screen.

To do this, we go to PeopleSoft Application Designer and open the component object to the Request Details page that gets displayed in PeopleSoft.  In the Component Properties section, we need to check the box labeled WSRP Compliant.

3.3     Registering the PeopleSoft WSRP Provider in WebCenter

That’s all we need to do in PeopleSoft, now we go to the Enterprise Manager to register our portlet(s).  This is accessed at http://yourserver:7001/em in a default install.  Login using an administrative user (e.g. weblogic) and navigate to the webcenter item under the Farm_your_domain > WebCenter > WebCenter Spaces menu.  Then open the WebCenter drop down menu (as shown) and select Register Producer from the menu.

Here we just need to give our producer a name, I used PeopleSoft, and provide the URL we copied down earlier.  Then add ?wsdl to the end of the URL, as shown in the diagram.  This tells Enterprise Manager to read the definition of the portlet, not the actual portlet itself.  Enterprise Manager needs this information to register the portlet(s).

Click on OK to save that, and now we are ready to go and use our portlet!

3.4     Adding the PeopleSoft portlet to a WebCenter page

Log on to WebCenter Spaces as any user, and create a new page in your Personal Space, but clicking on Create Page… in the Page Actions menu as shown.

You need to provide a name for your page, I called mine PeopleSoft Page, and select a layout, I used Stretch.

Now click on the Add Content button in the area where you want to put your portlet.  I used the main (lower) area.  With the Stretch layout that I selected, this one will expand to fill all available space on the page.

Composer will appear, and you can navigate into the Portlets folder to find our new portlet.

Here you will see the name you gave to the producer, PeopleSoft in my case.  Click on this to drill down to the portlet(s).

Now we see the two portlets that I exposed in PeopleSoft.  I am going to add the Personal Information Summary to my page.  Click on the Add link to do this, then the Close button to close Composer and return to your page.

By now the portlet will have probably rendered in your page and will look a bit like the image below.  Click on Save and then Close to get out of page editing mode and back to normal user/view mode.

Since we have not set up any single sign on yet, the PeopleSoft portlet is asking us to sign on to PeopleSoft.  Here I am using one of my demo users to log in to PeopleSoft:

And now we see the PeopleSoft portlet presenting information to us.  It’s as easy as that!

Of course, you can add more portlets to the page, and resize the portlet, and so on.  All the normal WebCenter capabilities are available.

4       Adding security

It may be convenient to set up automatic sign on so that users who are logged on the WebCenter will not be required to log on again to PeopleSoft.  This can be done by configuring WS-Security on both the WebCenter and PeopleSoft servers.

4.1     Creating certificates for use with WS-Security

Both WebCenter and PeopleSoft will need to have X.509 certificates to enable use of WS-Security.  Certificates can be a little confusing, so let’s start with a diagram that describes what we want to achieve.

WebCenter will have a keystore containing its private key orakey, plus PeopleSoft’s public key rootCA, and the certificate that PeopleSoft will use as the WS-Security recipient when we set up the automatic sign on qe_local.   qe_local is trusted because it was signed by rootCA which is trusted.

PeopleSoft will have a keystore containing its private key rootCA, plus WebCenter’s public key orakey, and the certificate that PeopleSoft will use as the WS-Security recipient when we set up the automatic sign on qe_local.

4.1.1     Create keystores for WebCenter and PeopleSoft

To create the keystores for WebCenter and PeopleSoft, we will use the keytool included in the Java Development Kit (JDK).

First we create a directory in the Middleware Home to keep our keystore and related artefacts.

C:\> cd \Oracle\Middleware
C:\Oracle\Middleware> md keystore
C:\Oracle\Middleware> cd keystore

The first step is to create a new keystore and a RSA key pair.  Note that this whole command is entered on one line.  It is shown here on multiple lines for ease of reading only.  You need to add in the appropriate Common Name (CN) as shown in bold.  Here we have used the fully qualified hostname of the WebCenter server, with the hostname as a cn and each domain name component as a dc.  You also need to provide a password for the key (keypass) and for the keystore (storepass), as shown.

C:\Oracle\Middleware\keystore> ..\jdk160_14_R27.6.5-32\bin\keytool
-keyalg RSA
-dname "cn=webcenter,dc=au,dc=oracle,dc=com"
-alias orakey
-keypass welcome1
-keystore webcenter.jks
-storepass welcome1
-validity 1064

Now we will create a keystore and key pair for PeopleSoft, as shown. 

C:\Oracle\Middleware\keystore> ..\jdk160_14_R27.6.5-32\bin\keytool
-keyalg RSA
-dname "cn=peoplesoft,dc=au,dc=oracle,dc=com"
-alias rootCA
-keypass welcome1
-keystore peoplesoft.jks
-storepass welcome1
-validity 1064

4.1.2     Create certificates

In this example, we are going to use self signed certificates.  This is suitable for test or development systems, but in a production system you may wish to purchase certificates from a trusted external Certificate Authority.  Alternatively, you may have already purchased a signing certificate and have your own certificate authority.  In this case, you will need to get your certificates signed by the administrator of the certificate authority.

The following command is used to create a new certificate which we will call orakey.

-alias orakey
-keystore webcenter.jks
-storepass welcome1
-file orakey.cer
Certificate stored in file <orakey.cer>

Now we import that certificate into the WebCenter keystore with a new name, webcenter_spaces_ws.

C:\Oracle\Middleware\keystore> ../jdk160_14_R27.6.5-32/bin/keytool
-alias webcenter_spaces_ws
-file orakey.cer
-keystore webcenter.jks
-storepass welcome1
Certificate already exists in keystore under alias <orakey>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

The following command is used to create a new certificate which we will call qe_local.

-alias qe_local
-keystore peoplesoft.jks
-storepass welcome1
-file qe_local.cer
Certificate stored in file <qe_local.cer>

Now we import that certificate into the PeopleSoft keystore with a new name, qe_local.

C:\Oracle\Middleware\keystore> ../jdk160_14_R27.6.5-32/bin/keytool
-alias qe_local
-file qe_local.cer
-keystore peoplesoft.jks
-storepass welcome1
Certificate already exists in keystore under alias <rootCA>
Do you still want to add it? [no]:  yes
Certificate was added to keystore

4.1.3     Adding the certificates into the other party’s keystore

We also need to import this qe_local certificate into the WebCenter keystore, and the orakey certificate into the PeopleSoft keystore.

C:\Oracle\Middleware\keystore> ../jdk160_14_R27.6.5-32/bin/keytool
-alias qe_local
-file qe_local.cer
-keystore webcenter.jks
-storepass welcome1
C:\Oracle\Middleware\keystore> ../jdk160_14_R27.6.5-32/bin/keytool
-alias orakey
-file orakey.cer
-keystore peoplesoft.jks
-storepass welcome1

4.1.4     Copying the keystores into the correct locations

The WebCenter keystore can be copied into place using the following command:

C:\Oracle\Middleware\keystore> copy webcenter.jks

As for PeopleSoft, the keystore can be copied into place using the following command:

C:\Oracle\Middleware\keystore> copy webcenter.jks 

4.2     Installing certificates in WebCenter

Once the file is in place, you need to login to Enterprise Manager to configure it.  This will be at http://your.webcenter.server:7001/em.  You need to login as an administrator, like the weblogic user for example.

Navigate to Farm_base_domain -> WebLogic Domain -> base_domain

From the context menu select Security -> Security Provider Configuration

Scroll down to Keystore, expand it, and click Configure

It is good practice to reset the configuration first.  To do this, uncheck the box Configure Keystore Management and click OK.  Then go back to Keystore, and click Configure again.

This time, check the box Configure Keystore Management and enter the following information as shown in the image below.

Keystore Path                  ./webcenter.jks
Password                       welcome1
Signature Key Alias            orakey
Signature Password             welcome1
Encryption Key Crypt Alias     orakey
Crypt Password                 welcome1

After you click on OK to save these settings, you will need to restart the WebLogic Admin Server (and the managed servers).

4.3     Installing certificates in PeopleSoft

To install the certificates in PeopleSoft, we first log in to PeopleSoft as the PS administrative user and navigate to PeopleTools -> Security -> Security Objects -> Digital Certificates.

Click on the + to add a new Root CA.  Choose the orakey.cer file we created earlier.  The alias must be orakey too – it needs to be exactly the same as on the WebCenter system.  Then click on the + again and add a Remote certificate, again choosing orakey.cer and using the alias orakey.

Once these steps are completed, you should see the certificates listed as in the example below.

4.4     Updating the WebCenter WSRP Producer registration with WS-Security information

We need to add some additional information to the WSRP Producer in WebCenter to tell it how about the security information to use with PeopleSoft.  Return to the WSRP Producer configuration screen (as described earlier) by logging on to Enterprise Manager and navigating to Farm_base_domain -> WebCenter -> WebCenter Spaces -> WebCenter and then in the popup WebCenter context menu to Settings -> Service Configuration.  Select Portlet Producers from the list on the left and then highlight your PeopleSoft WSRP Producer and click on the Edit button.

You need to fill in the security details as shown in the diagram below.

First, select WSS 1.0 SAML Token with Message Integrity in the Token Profile field, then select Custom for the Configuration field.  This will make the other fields available for editing.  You need to set the as follows (note that the values may be different for your environment):

Issuer Name              = www.oracle.com
Store Path               = c:/oracle/middleware/keystore/webcenter.jks
Password                 = welcome1
Signature Key Alias      = orakey
Signature Key Password   = welcome1
Encryption Key Alias     = orakey
Encryption Key Password  = welcome1

Note that we will make similar setting in PeopleSoft later and it is important that values you set in the two environments are identical.

4.5     Updating the PeopleSoft WSRP security options

To set the WS-Security configuration for PeopleSoft, we use the redeployWSRP batch file located in %PS_HOME%\webserv\%DOMAIN_NAME%\bin.

> redeployWSRP 5

In this case, we choose option 5 which redeploy the WSRPBaseService in PeopleSoft and set the security mode to WS-Security SAML Token with encryption.

4.6     Mapping users in PeopleSoft

If the usernames (SAML subject names) in WebCenter and PeopleSoft do not match, you may need to create mappings in PeopleSoft.

To do this, we log into PeopleSoft application as PS, and navigate to PeopleTools -> Security ->SAML Administration Setup -> SAML Inbound Setup.

Next we click on Add a New Value and enter the information required.  An example is shown below that maps the WebCenter user PAT to PeopleSoft user HCRAUS_KA0003.  Note that the Issuer must match the one that was specified in the WebCenter WSRP Producer registration’s security configuration.  The Qualifier should also be set to this value.

The values are set as follows:

  • Certificate Alias: The same name as the Root CA certificate
  • Issuer:  WWW.ORACLE.COM
  • SubjectName: The WebCenter user ID
  • QualifierName: WWW.ORACLE.COM
  • Mapping PeopleSoft UserID: The PeopleSoft user that WebCenter user is mapped to.

4.7     Validate Local Node Definition in PeopleSoft

We also need to make sure the Local Node Definition in PeopleSoft is set up with the correct authentication option.

To do this, we log on to PeopleSoft as the PS user and navigate to PeopleTools -> Portal -> Node Definitions, then click Search button to find the local node.

In the node definition page of the local node (in this case PSFT_HR), select Password from the drop-down list for Authentication Option and click on Save.

4.8     A final important consideration

When using WS-Security for automatic sign on to PeopleSoft, in order for the SAML assertion to be valid, the date/time on the PeopleSoft and WebCenter servers must be synchronized.  If this is problematic, then the PeopleSoft web server’s time may be set to be slightly ahead of WebCenter server.

About Mark Nelson

Mark Nelson is an Architect ("IC6") in the Platform Architecture Team in Oracle Development. Mark's focus area is continuous delivery, configuration management and provisioning - making it simple to manage the configuration of complex environments and applications built with Oracle Database, Fusion Middleware and Fusion Applications, on-premise and in the cloud. Before joining the Platform Architecture team, Mark was a senior member of the A-Team since 2010, and worked in Sales Consulting at Oracle since 2006 and various roles at IBM since 1994.
This entry was posted in Uncategorized and tagged , , , , . Bookmark the permalink.

5 Responses to Exposing PeopleSoft portlets through WebCenter with WS-Security

  1. lnandan12 says:

    Mark – This process works great. I have tried this with Peoplesoft 9.1 (tools 8.51) and webcenter…

    Have you tried consuming Peoplesoft WSRP using jDeveloper with webcenter extension.
    I am getting the following error.

    at oracle.adfinternal.model.portlet.manager.ProducerConnectionManager.setNoAuthPolicy(ProducerConnectionManager.java:923)
    at oracle.adfinternal.model.portlet.manager.ProducerConnectionManager.createWSRPProducerConnection(ProducerConnectionManager.java:372)
    at oracle.adfdtinternal.model.portlet.wizards.registration.wsrp.WSRPProducerRegistrationWizard$4$1.doWork(WSRPProducerRegistrationWizard.java:1618)
    at oracle.ide.dialogs.ProgressRunnable.run(ProgressRunnable.java:161)
    at oracle.ide.dialogs.ProgressBar.run(ProgressBar.java:655)
    at java.lang.Thread.run(Thread.java:662)

    • Mark Nelson says:

      Hi, Thanks for taking the time to comment and confirm that the process works for you. I know some folks have had some challenges with it, but it seems to work for many people too. I have not tried consuming the portlets in JDev unfortunately. Good luck!

  2. lnandan12 says:

    Thakns Mark. I am not sure if we can consume PS WSRP in jdeveloper. See below comments from Oracle support.
    PeopleSoft has not certified WSRP for JDeveloper. We do not support WSRP 2.0 and not all provisions of the 1.0 are required so we do not support them all, and the registration service is one of those options. Instead, we suggest to use Web Centre.

  3. Sarita Singh says:

    A very good, elaborate article! and it works…. thanks!

  4. Alfred Zou says:

    Hi Mark,
    It’s a excellent post! I tried and it worked. One small mistake I think?
    The command in 4.1.2 should be:
    keytool -exportcert -v -alias rootCA -keystore peoplesoft.jks -storepass welcome1 -rfc -file rootCA.cer
    The original one is:
    keytool -exportcert -v -alias qe_local -keystore peoplesoft.jks -storepass welcome1 -rfc -file qe_local.cer
    Alias qe_local is not exist in peoplesoft keystore.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s