There’s a thread going on over at ITToolbox about remote access for using psadmin.
In a lot of cases though, it’s tough to sweet talk those overworked and underpaid system administrators into giving you access to the machine, especially when there is more than just the development environment on the machine.
If you just need access to start and stop application server and process scheduler domains there are some options though.
Let’s assume that you have a Unix shell account called psft that is used for managing the PeopleSoft domains, but developers aren’t allowed direct access to this account. Instead, we’ll create a couple of simple shell scripts that certain developers will be able to run.
We’ll start by creating a simple shell script for starting and stopping a particular domain.
psadmin -c boot -d HRDEV
Assuming that this file exists as /home/psft/hrdev_boot.sh, the system administrator can use the root account to edit the /etc/sudoers file (done through the visudo command – not a regular editor).
The following entry in the sudoers file would grant chris the ability to run this script as psft without knowing the psft account password. As long as chris does not have the ability to edit this shell script, then this is safe.
chris ALL = (psft) NOPASSWD: /home/psft/hrdev_boot.sh
From a shell prompt, user chris could boot the HRDEV application server domain like this.
chris@psft-server:~$ sudo -u psft /home/psft/hrdev_boot.sh
Using the ability of SSH to start remote commands and certificate-based authentication, we can even run these commands remotely. The following command issued from my laptop will boot the HRDEV appserver on
chris@chris-laptop:~$ ssh psft-server 'sudo -u psft /home/psft/hrdev_boot.sh'
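The sudoers entry above is only safe while chris cannot change the script it names, which also means chris cannot write to any directory above it. The following is an added example, not code from the original post, that audits both conditions; the function name, the trusted-UID list and the STOP_DIR argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a script that sudoers lets
# another user run: the script and every directory above it must be owned by a
# trusted UID and must not be group- or world-writable, otherwise the file can
# be edited or swapped by someone other than its owner.
# Usage: audit_sudo_target SCRIPT "TRUSTED_UIDS" [STOP_DIR]
#   e.g. audit_sudo_target /home/psft/hrdev_boot.sh "0 $(id -u psft)"
# STOP_DIR (assumed helper argument, default /) is where the upward walk ends.
audit_sudo_target() {
    target=$1; trusted=$2; stop=${3:-/}; rc=0
    case $target in
        /*) ;;
        *) echo "FAIL: $target is not an absolute path"; return 2 ;;
    esac
    [ -f "$target" ] || { echo "FAIL: $target is not a regular file"; return 2; }
    path=$target
    while :; do
        if [ -L "$path" ]; then
            echo "FAIL: $path is a symlink; audit its real path instead"; rc=1
        else
            # ls -ldn prints "<mode> <links> <uid> <gid> ..."; keep mode and uid.
            info=$(ls -ldn "$path" | awk 'NR == 1 { print $1, $3 }')
            mode=${info% *}; uid=${info#* }
            case " $trusted " in
                *" $uid "*) ;;
                *) echo "FAIL: $path is owned by untrusted uid $uid"; rc=1 ;;
            esac
            case $mode in
                # character 6 is group write, character 9 is world write
                ?????w*|????????w*)
                    echo "FAIL: $path is group- or world-writable ($mode)"; rc=1 ;;
            esac
        fi
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    [ "$rc" -eq 0 ] && echo "OK: $target"
    return "$rc"
}

# Run directly: sh audit.sh /home/psft/hrdev_boot.sh "0 $(id -u psft)"
if [ "$#" -ge 2 ]; then audit_sudo_target "$@"; fi
```

The function returns 0 when the whole path is clean, 1 when it reports a finding and 2 when the target is not an absolute path to a regular file.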
On Windows, what we’d like to do is let a developer start and stop a service for the HRDEV application server and process scheduler, but not have access to anything else. Windows will let us accomplish this without the developer even having direct access to the box.
In the Windows Services applet on the developer’s own machine, they select Action -> Connect to another Computer ...
Then the developer can manage the services on the remote server... except that the developer’s network account does not have access yet. Let’s fix that.
Windows does not provide direct access to the security for each service in the Services applet, but it can be set through Group Policy. An alternative to using Group Policy is to just use the subinacl command line tool (downloadable from Microsoft if it’s not already installed).
The server administrator would then run something like the following to grant the developer access to administer the service.
subinacl.exe /verbose /service \\psft-server\HRDEV_appserv_e_hcm90 /grant=chrisheller=F
which gives the following output
HRDEV_appserv_e_hcm90 : new ace for greysparling\chrisheller
HRDEV_appserv_e_hcm90 : 1 change(s)
Elapsed Time: 00 00:00:15
Done: 1, Modified 1, Failed 0, Syntax errors 0
Last Done : HRDEV_appserv_e_hcm90
Note that the service name being used there is one that was built with our Services Manager for PeopleSoft product, but the concept of granting service level security works with the standard PeopleSoft services as well. You would just need to install separate PSHOME directories for each one that you want to secure separately.
You can do similar things for the WebLogic service and the database service (although typically developers don’t have much reason for restarting the database itself).
Labels: 2009, Process_Scheduler, Security, Sysadmin