
Banner General
Middle Tier Implementation Guide
Release 8.3
December 2009
Trademark, Publishing Statement and Copyright Notice
SunGard or its subsidiaries in the U.S. and other countries is the owner of numerous marks, including “SunGard,” the SunGard logo,
“Banner,” “PowerCAMPUS,” “Advance,” “Luminis,” “fsaATLAS,” “DegreeWorks,” “SEVIS Connection,” “SmartCall,” “PocketRecruiter,”
“UDC,” and “Unified Digital Campus.” Other names and marks used in this material are owned by third parties.
© 2005-2009 SunGard. All rights reserved.
Contains confidential and proprietary information of SunGard and its subsidiaries. Use of these materials is limited to SunGard Higher
Education licensees, and is subject to the terms and conditions of one or more written license agreements between SunGard Higher
Education and the licensee in question.
In preparing and providing this publication, SunGard Higher Education is not rendering legal, accounting, or other similar professional
services. SunGard Higher Education makes no claims that an institution's use of this publication or the software for which it is provided will
insure compliance with applicable federal or state laws, rules, or regulations. Each organization should seek legal, accounting and other
similar professional services from competent providers of the organization’s own choosing.
Prepared by: SunGard Higher Education
4 Country View Road
Malvern, Pennsylvania 19355
United States of America
(800) 522 - 4827
Customer Support Center Website
http://connect.sungardhe.com
Documentation Feedback
http://education.sungardhe.com/survey/documentation.html
Distribution Services E-mail Address
distserv@sungardhe.com
Revision History Log
Publication Date: December 2009
Summary: New version that supports Banner General 8.3 software.
Contents
Overview
Single Sign-On through Banner Enterprise Identity Services
Oracle Database 11g
Chapter 1
Configuring Internet-Native Banner
Overview
Configuration Steps
Step 1 Change SEED Numbers and Regenerate Banner Forms
Step 2 Verify Oracle Environment for Forms Deployment
Step 3 Transfer Jar Files to INB Server
Step 4 Transfer bannerid.jar File to Reports Server
Step 5 Configure Default Settings for INB
Step 6 Configure Oracle Environment for INB
Step 7 Configure Banner Online Help
Step 8 Modify INB Preferences for Online Help Files
Step 9 Modify Font for INB
Step 10 Set up Preferences for Banner ID Images
Step 11 Verify Oracle Environment for Reports Deployment
Step 12 Set up Banner Data Extract
Step 13 Configure WebUtil for Saving Data Extract Output
Step 14 Configure Oracle Reports for INB
Step 15 Modify INB Environment for Oracle Reports (UNIX Only)
Step 16 Modify INB Preferences for Oracle Reports
Step 17 Modify the bannerid.jar File
Step 18 Modify the banorep.jar File (Optional)
Step 19 Modify the bannerui.jar file (Optional)
Step 20 Secure the Reports Server
Step 21 Modify INB Preferences for Job Submission Output
Step 22 Modify default.env
Step 23 Set up for Case-Sensitive Passwords (Optional, 11g Only)
Step 24 Configure Multiple Environments (Optional)
Step 25 Configure Mac Environment (Optional)
Step 26 Customize the Color of Required Fields (Optional)
Step 27 Configure INB to Display Windows XP Themes (Optional)
Step 28 Customize Color Scheme for Disabled Text (Optional)
Step 29 Customize Color Scheme for Tabs (Optional)
Chapter 2
Configuring Self-Service Banner
Overview
Prerequisites
How to Create a DAD
Configuration Steps
Step 1 Set up Your Web Server Files
Step 2 Set Up Apache httpd.conf for Link Security (Optional)
Step 3 Review and Customize Global Web Rules
Step 4 Review and Customize Global User Interface Settings
Step 5 Review and Customize Graphic Elements
Step 6 Review and Customize Web Menus and Web Procedures
Step 7 Review and Assign Web Roles to Web Menus and Procedures
Step 8 Review and Define Links on Menus
Step 9 Review and Customize Information Text (Info Text)
Step 10 Add Credit Card Processing (Optional)
Step 11 Customize the Home Page
Step 12 Luminis Integration (Optional)
Step 13 Configure Web Tailor for LDAP Server (Optional)
Step 14 Assign View and Update Privileges for Addresses
Step 15 Establish Web User Parameters and Third Party History Information
Step 16 Set Up Campus Directory Processing
Step 17 Set Up Web E-Mail Address Options
Step 18 Set Up Web Surveys
Chapter 3
Required Tasks for Single Sign-On (SSO) to INB, SSB, and/or Channels
Overview
About Single Sign-On
ID Mappings Between Systems
Single Sign-On between Luminis and Banner
Single Sign-On between Luminis and Self-Service Banner
Single Sign-On between Luminis/Channels and Banner
Single Sign-On and Value-Based Security
Luminis IV Support
Implementation Steps
Step 1 Create an Encryption Key
Step 2 Create Entries in LDAP to Store Configuration Values
Step 3 Configure Parameters using GUAUPRF
Chapter 4
Implementing Single Sign-On for Internet-Native Banner
Step 1 Update New Entries in LDAP for INB
Step 2 Create DADs for Running SSO
Step 3 Configure your INB Server
Step 4 Verify Configuration Steps in Banner
Step 5 Configure your Luminis Server
Step 6 Test
Step 7 (Optional) Set up SSO INB on Macintosh
Chapter 5
Implementing Single Sign-On for Self-Service Banner
Step 1 Create Entries in LDAP to Store Configuration Values
Step 2 Update New Entries in LDAP for SSB
Step 3 Configure WebTailor for LDAP Server
Step 4 Update WebTailor Parameters
Step 5 Verify Configuration Steps in Self-Service
Step 6 (Optional) Create DADs for Running SSO with VBS
Step 7 Configure your Luminis Server
Step 8 Test
Chapter 6
Implementing Luminis Channels for Banner
Prerequisites
Apply Upgrade
Set up Security on GSASECR
Perform Required Steps
Architectural Overview
Preparing to Install Luminis Channels for Banner
Step 1 Create the Home Directory for Luminis Channels for Banner
Step 2 Edit the Configuration File
Step 3 Localize the Configuration File
Step 4 Deploy the EAR File
Installing a Luminis Channel for Banner
Step 5 Install CAR Files
Step 6 Publish the Channel
Step 7 Check Your Work
Locale-Specific URLs
Example INB Test for the My Banner Channel
Example SSB Test for Personal Information Channel
Chapter 7
Implementing Banner HR Effort Reporting and Labor Redistribution
Procedure to Deploy Effort Reporting and Labor Redistribution
Deploy the ear File
Modify the Server Properties
Chapter 8
Implementing Banner Finance Travel and Expense Management
Procedure to Deploy Travel and Expense
Deploy the ear File
Modify the Server Properties
Tips and Additional Information
Appendix A Self-Service Technical Information
Third Party Access Form Table
GOBTPAC
Third Party Access Audit Form Tables
GOBTPAC
GORPAUD
Campus Directory Tables
GTVDIRO --- Directory Item Validation Table
GOBDIRO --- Directory Options Rule Table
GORDADD --- Directory Address Table
GORDPRF --- Directory Profile Table
Appendix B Single Sign-On Connectivity Overview
Accessing Banner from Luminis
Accessing Self-Service Banner from Luminis
Appendix C Oracle Version-Specific Information
Oracle Database 11g
Required Versions for Banner in Database 11g
Case-Sensitive Passwords in 11g
Issues with Database 11g
Platform Issues
Change in Default Role Behavior
Oracle Database 10g and Application Server 10g
10g Database
Example Init.ora For Oracle RDBMS 10.2.0
Oracle 10.2 init.ora
Troubleshooting
Single Sign-On for INB
Single Sign-On for SSB
Luminis Channels for Banner
Index
Overview
This document describes the steps you need to follow for the primary configuration of
your Banner® middle tier server. Depending on the products you have licensed, you may
need to skip some of the sections. You may also need to look for details in other
documents.
Warning
You should work your way through this document in order, except for the
sections you skip because you do not have a particular product. Do not
move randomly through the steps.
This document describes how to configure Internet-Native Banner (INB) with OAS10g,
Self-Service Banner (SSB), Single Sign-On (SSO) with Luminis®, and Luminis Channels
with Banner. The configurations you need depend on the products that you have licensed.
You must still set up various preferences, etc., as described in the Banner product-specific
user guides (such as the Banner General User Guide, Banner Student User Guide, and
others).
Single Sign-On through Banner Enterprise Identity Services
Banner Enterprise Identity Services offers a new approach to single sign-on (SSO) and
integration across a range of SunGard Higher Education products. This document does not
cover SSO setup through Banner Enterprise Identity Services. If you are using Banner
Enterprise Identity Services, please refer to the Banner Enterprise Identity Services
Handbook.
Oracle Database 11g
Beginning with Banner General 8.2, Banner offers support for Oracle Database 11g for
clients who wish to use it. Upgrading to Database 11g brings only a few changes to the
Banner middle tier setup, and those are noted in this document where they occur. For more
information on Database 11g issues and concerns, see “Oracle Database 11g” on page 145.
Chapter 1
Configuring Internet-Native Banner
Overview
This chapter describes how to configure Internet-Native Banner® (INB) with Oracle
Application Server Release 2 (OAS10gR2). You will be guided through the following
steps:
1. “Change SEED Numbers and Regenerate Banner Forms” on page 13
2. “Verify Oracle Environment for Forms Deployment” on page 14
3. “Transfer Jar Files to INB Server” on page 14
4. “Transfer bannerid.jar File to Reports Server” on page 15
5. “Configure Default Settings for INB” on page 15
6. “Configure Oracle Environment for INB” on page 16
7. “Configure Banner Online Help” on page 16
8. “Modify INB Preferences for Online Help Files” on page 17
9. “Modify Font for INB” on page 17
10. “Set up Preferences for Banner ID Images” on page 17
11. “Verify Oracle Environment for Reports Deployment” on page 19
12. “Set up Banner Data Extract” on page 20
13. “Configure WebUtil for Saving Data Extract Output” on page 22
14. “Configure Oracle Reports for INB” on page 23
15. “Modify INB Environment for Oracle Reports (UNIX Only)” on page 24
16. “Modify INB Preferences for Oracle Reports” on page 25
17. “Modify the bannerid.jar File” on page 28
18. “Modify the banorep.jar File (Optional)” on page 29
19. “Modify the bannerui.jar file (Optional)” on page 32
20. “Secure the Reports Server” on page 33
21. “Modify INB Preferences for Job Submission Output” on page 34
22. “Modify default.env” on page 35
23. “Set up for Case-Sensitive Passwords (Optional, 11g Only)” on page 35
24. “Configure Multiple Environments (Optional)” on page 35
25. “Configure Mac Environment (Optional)” on page 36
26. “Customize the Color of Required Fields (Optional)” on page 36
27. “Configure INB to Display Windows XP Themes (Optional)” on page 37
28. “Customize Color Scheme for Disabled Text (Optional)” on page 38
29. “Customize Color Scheme for Tabs (Optional)” on page 39
The Windows Server 2000/2003 platforms are supported for Internet-Native Banner
(INB), as well as the following Linux and UNIX platforms:
• Sun Solaris 5.9
• IBM AIX 5.1
• HP-UX 11.11
• HP/Compaq Tru64 5.1
• Red Hat Linux Advanced Server
Note
The word UNIX in this chapter refers to all UNIX platforms. Any
platform-specific instructions are noted.
Configuration Steps
Step 1 Change SEED Numbers and Regenerate Banner Forms
You must change SEED numbers and regenerate forms using your site-specific SEED
numbers.
1. Change your SEED numbers.
For more information, see SEED Numbers in the Banner Security Technical Reference
Manual.
2. Create a new directory on your forms server for the .fmb, .pll, and .mmb files.
3. Establish the appropriate security for this directory.
4. Use an FTP program in binary mode to copy all the .fmb, .pll, and .mmb files from
the database host to the new directory on your forms server.
Platform      Host location of .fmb and .pll files
UNIX/Linux    $BANNER_HOME/product/forms
              Example: $BANNER_HOME/general/forms
NT            $banner_home\product\forms
              Example: $banner_home\general\forms
Warning
Make sure all source files are copied. Some FTP programs do not allow
large transfers and may drop some files. Use the binary mode to perform
FTP functions.
5. Modify the BANINST1 and BANSECR passwords in the following files. Use the
appropriate .bat or .shl file to generate the .plx, .mmx, and .fmx files.
For OAS10gR2:
Accounts Receivable   tasform.bat, tasform.shl
Advancement           aluform.bat, aluform.shl
Common                comform.bat, comform.shl
Finance               finform.bat, finform.shl
General               genform.bat, genform1.bat, genform.shl
Payroll               payform.bat, payform.shl
Position Control      posform.bat, posform.shl
Student               stuform.bat, stuform.shl
Step 2 Verify Oracle Environment for Forms Deployment
After OAS10gR2 is installed, you must verify the forms installation.
1. Access the demonstrations on the OAS10gR2 homepage:
http://yourservername:port.
Port is the port number of your Oracle HTTP server, normally 7777 if this is your first
installation of Oracle on your INB server. To verify your port number, refer to the
portlist.ini file in the OAS10gR2 <ORACLE_HOME>/install directory.
2. Choose Business Intelligence and Forms.
3. Choose Forms Services. This link invokes the forms servlet, prompts you to install
the Jinitiator on the client, and displays a test form.
Note
If you do not see the test form (Welcome to Oracle Application Server
Forms Services Installed successfully!), check all log files for the
OAS10gR2 installation to resolve the problem.
Step 3 Transfer Jar Files to INB Server
Use an FTP program in binary mode to copy the following JAR files from the database
host $BANNER_HOME/general/java directory to the <ORACLE_HOME>/forms/java
directory on your INB server:
• banicons.jar – Contains GIF files used for Banner icons
• bannerui.jar – Used to set the colors of screen elements such as tabs and disabled text
• banspecial.jar – Contains a custom version of an Oracle graphic used in Banner
• banorep.jar – Used for client-side Oracle Reports/Forms security integration
Step 4 Transfer bannerid.jar File to Reports Server
Use an FTP program in binary mode to copy bannerid.jar from the database host
$BANNER_HOME/general/java directory to a secure directory on your Reports server
(C:\temp, for example).
This JAR file is used for Middle Tier Oracle Reports/Forms security integration. Refer to
Step 17, “Modify the bannerid.jar file,” for more information.
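Steps 1, 3 and 4 all rely on FTP transfers arriving complete and byte-for-byte unaltered, and the Step 1 warning notes that some FTP programs drop files. The following Python script is an added example, not part of this guide or of Banner: it builds a SHA-256 manifest on the database host and compares it with the files received on the destination server. The function names, the manifest.json format and the sample file names are assumptions made for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions taken from the guide: forms sources (Step 1) and JAR files (Steps 3-4).
FORMS_EXTS = (".fmb", ".pll", ".mmb")
JAR_EXTS = (".jar",)


def build_manifest(directory, extensions):
    """Return {file name: {"size": bytes, "sha256": hex digest}} for matching files."""
    manifest = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and path.suffix.lower() in extensions:
            digest = hashlib.sha256()
            with path.open("rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.name] = {"size": path.stat().st_size,
                                   "sha256": digest.hexdigest()}
    return manifest


def save_manifest(manifest, manifest_path):
    """Write the manifest as JSON so it can travel with the files."""
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path):
    """Read a manifest written by save_manifest()."""
    return json.loads(Path(manifest_path).read_text())


def compare_manifests(source, dest):
    """Return sorted (missing, altered, unexpected) file-name lists."""
    missing = sorted(name for name in source if name not in dest)
    altered = sorted(name for name in source
                     if name in dest and dest[name] != source[name])
    unexpected = sorted(name for name in dest if name not in source)
    return missing, altered, unexpected


def demo():
    """Constructed sample data: one file is dropped, one is damaged by the
    newline translation that an ASCII-mode FTP transfer performs."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "db_host"), Path(tmp, "forms_server")
        src.mkdir()
        dst.mkdir()
        samples = {  # hypothetical file names and contents
            "sample_form.fmb": b"\x00FMB\x01\x02payload",
            "sample_lib.pll": b"\x00PLL\x03\x04payload",
            "sample_menu.mmb": b"\x00MMB\nline one\nline two\n",
        }
        for name, data in samples.items():
            (src / name).write_bytes(data)
        # Run on the database host, then ship the JSON alongside the files.
        save_manifest(build_manifest(src, FORMS_EXTS), src / "manifest.json")

        (dst / "sample_form.fmb").write_bytes(samples["sample_form.fmb"])
        # sample_lib.pll is never written: the transfer dropped it.
        (dst / "sample_menu.mmb").write_bytes(
            samples["sample_menu.mmb"].replace(b"\n", b"\r\n"))

        # Run on the forms server against the received files.
        expected = load_manifest(src / "manifest.json")
        return compare_manifests(expected, build_manifest(dst, FORMS_EXTS))


if __name__ == "__main__":
    missing, altered, unexpected = demo()
    print("missing:", missing)
    print("altered:", altered)
    print("unexpected:", unexpected)
```

For the JAR transfers in Steps 3 and 4, pass JAR_EXTS instead of FORMS_EXTS.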
Step 5 Configure Default Settings for INB
SunGard® Higher Education recommends that you use Oracle Enterprise Manager for all
configuration file changes. Use the sample formsweb.cfg file that is delivered with
Banner as a reference for customizing your INB environment.
1. Access OEM on your INB server: http://yourservername:1810.
2. Choose Forms in the System Components section.
3. Choose Configuration.
4. Edit the following parameters in the default section.
Note
The default section applies to all environments that your INB server
serves.
Parameter        Value
form             guainit.fmx
width            1040
height           738
separateFrame    true
lookAndFeel      Oracle
colorScheme      blaf
archive_jini     banspecial.jar,frmall_jinit.jar,banicons.jar,bannerui.jar,banorep.jar
archive          banspecial.jar,frmall.jar,banicons.jar,bannerui.jar,banorep.jar
imageBase        codeBase
logo             ‘‘
5. Choose Apply to save your changes.
Step 6 Configure Oracle Environment for INB
1. Back up fmrpcweb.res, which is delivered in the $BANNER_HOME/install directory.
Oracle provides this file as a sample key mapping resource file for Web-enabled
forms. This file contains the key mappings that match the standard client/server
keystrokes of Banner. The file is ASCII text and can be edited with any editor.
2. Rename fmrpcweb.res to fmrweb_utf8.res.
3. Move fmrweb_utf8.res to the <ORACLE_HOME>/forms/admin/resource/US
directory on your OAS10g server.
Step 7 Configure Banner Online Help
Help files are contained in the bannerOHxx.war file (bannerOH80.war, for example)
which is available on the Customer Support Center.
1. Download bannerOHxx.war from the software downloads section to a directory on
your desktop.
Note
The bannerOH.war file that is located in the $BANNER_HOME/general/help
directory is only a placeholder file. You must always download the
current version from the Customer Support Center.
2. Access OEM on your INB server. In most cases, OEM can be accessed using
http://yourservername:1810.
3. Click Home.
4. From System Components, select home instance and click Start to display the
default page.
5. Choose Applications.
6. Click Deploy WAR file if this is the first time you are deploying online help. If you
are replacing a previous version, undeploy the old version first.
7. Browse to the location of the bannerOHxx.war file on your INB server.
8. Enter bannerOH in the Application Name field.
9. Enter /bannerOH in the Map to URL field.
10. Choose Deploy to deploy the bannerOHxx.war file. The file is now listed under the
home deployed Applications.
Step 8 Modify INB Preferences for Online Help Files
You must specify the directory location where online help files will be stored.
1. Log on to Banner as the BASELINE user.
2. Go to the General User Preferences Maintenance Form (GUAUPRF).
3. Select Directory Options.
4. Navigate to the record for the online help for Web access.
5. In the User Value field, change the URL to the server address and virtual path used
by your site.
Delivered value:
http://your.bannerOH.server/bannerOH/bannerOH
Example:
http://server45.sungardhe.com:7778/bannerOH/bannerOH
Step 9 Modify Font for INB
1. Navigate to the OAS10gR2 <ORACLE_HOME>/forms/java/oracle/forms/registry
directory.
2. Edit the Registry.dat file.
3. Comment out the following line:
default.fontMap.defaultFontname=Dialog
4. Add the following line:
default.fontMap.defaultFontname=Arial Unicode MS
For more information on UNICODE fonts, see
http://www.alanwood.net/unicode/fonts.html
5. Save the Registry.dat file.
Step 10 Set up Preferences for Banner ID Images
The capability to display an image file (.bmp, .gif, .tif, or .jpg) associated with an ID is
available from the ID fields in Banner. In order to use this functionality, you must do the
following:
• Set up a directory to store the images.
• Change the Banner images record on GUAUPRF to point to the directory.
• (Optional) Configure the BAN_GUAIMGE_ID_RANGE and BAN_GUAIMGE_EXTENSION
environment variables if you want to use a naming convention other than the DOS
8.3 standard with a file type of Windows Bitmap (.bmp).
The “1,9” and “3,7” Image Name Conventions
You can now choose to use the following convention for image names:
• Nine characters of the ID, starting with position one (for example, an ID of
A01394287 would become A01394287). This is referred to as the 1,9 convention.
• A file extension of .gif, .jpg, .tif, or .bmp (for example, A01394287.gif).
Prior to the General 7.4 release, image files that were displayed on the Personal Image
Form (GUAIMGE) were limited to the following convention:
• Seven characters of the ID, starting with position three, and prefixed with the letter
I (for example, an ID of A01394287 would become I1394287). This is referred to
as the 3,7 convention, or the DOS 8.3 standard.
• A file extension of .bmp (for example, I1394287.bmp).
Set up a Directory for Banner ID Images
1. Create a directory on the INB server or a network directory where you want to store
the images associated with Banner IDs.
2. Place the images in the directory, making sure that they are named correctly:
• If you are using the “3,7” naming convention--Use seven characters of the ID,
starting with position three, and prefixed with the letter I. Use a file extension of
.bmp. For example, an ID of A01394287 would become I1394287.bmp.
• If you want to use the “1,9” convention, or a different file extension--Use nine
characters of the ID, starting with position one. Use a file extension of .gif, .jpg, .tif,
or .bmp. For example, an ID of A01394287 would become A01394287.gif.
Note
If you want to use the 1,9 convention or a file extension other than .bmp,
you must also configure the BAN_GUAIMGE_ID_RANGE and
BAN_GUAIMGE_EXTENSION environment variables.
Specify Directory for Banner ID Images
The Banner ID Images record on the General User Preferences Maintenance Form
(GUAUPRF) must point to the images directory you created.
1. Log in to Banner as the BASELINE user and go to GUAUPRF.
2. Go to the Directory Options tab.
3. For the Enter the location of your Banner ID images record, enter the directory name
you created for your Banner images.
• For Windows, you can use a network drive location, or a location local to the INB
server.
• For Solaris, the directory name needs to be on the INB server.
Configure Environment Variables for Banner ID Images (Optional)
If you are using the 1,9 convention, or a file extension other than .bmp, you must specify
your preferences in the BAN_GUAIMGE_ID_RANGE and BAN_GUAIMGE_EXTENSION
environment variables.
Note
If the variables are not present or do not have values, then Banner will
use the 3,7 naming convention, with an extension of .bmp.
1. Edit the BAN_GUAIMGE_ID_RANGE variable. If you want to name all new files with the
1,9 format, but still use your existing 3,7 files, then specify 1,9 for this variable. Then,
if Banner cannot find an image file named with the 1,9 convention, it will search for
one with the 3,7 format.
Example:
BAN_GUAIMGE_ID_RANGE=1,9
2. Edit the BAN_GUAIMGE_EXTENSION variable. You can specify a file extension of .gif,
.jpg, .tif, or .bmp. The default value is .bmp, if this variable is not present, or if it does
not have a value.
Example:
BAN_GUAIMGE_EXTENSION=TIF
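The two naming conventions and the 1,9-to-3,7 fallback described above, worked through in Python as an added example (not Banner code): it derives the file names to look for and audits a directory listing, and because the 3,7 convention drops the first two characters of the ID it also reports distinct IDs that share one legacy file name. Assumptions: the function names, the case-insensitive file-name match, and the .bmp extension used for the 3,7 fallback, taken from how this guide defines that convention.

```python
from collections import defaultdict

PAGE_EXTENSIONS = ("bmp", "gif", "jpg", "tif")  # extensions the guide lists


def name_1_9(banner_id):
    """1,9 convention: nine characters of the ID, starting at position one."""
    return banner_id[:9]


def name_3_7(banner_id):
    """3,7 convention: the letter I plus seven characters from position three."""
    return "I" + banner_id[2:9]


def read_settings(env):
    """Return (id_range, extension); missing or empty values mean 3,7 and bmp."""
    id_range = (env.get("BAN_GUAIMGE_ID_RANGE") or "3,7").replace(" ", "")
    extension = (env.get("BAN_GUAIMGE_EXTENSION") or "bmp").lstrip(".").lower()
    if id_range not in ("1,9", "3,7"):
        raise ValueError(f"unsupported BAN_GUAIMGE_ID_RANGE: {id_range!r}")
    if extension not in PAGE_EXTENSIONS:
        raise ValueError(f"unsupported BAN_GUAIMGE_EXTENSION: {extension!r}")
    return id_range, extension


def lookup_order(banner_id, env):
    """File names in the order they would be searched for one ID."""
    id_range, extension = read_settings(env)
    if id_range == "1,9":
        # Assumption: the fallback uses .bmp, as the 3,7 convention is defined.
        return [f"{name_1_9(banner_id)}.{extension}", f"{name_3_7(banner_id)}.bmp"]
    return [f"{name_3_7(banner_id)}.{extension}"]


def audit(ids, filenames, env):
    """Return (status per ID, 3,7 collisions).

    status is 'primary', 'fallback' or 'missing'; collisions maps a 3,7 base
    name to the distinct IDs that all resolve to it.
    """
    present = {name.lower() for name in filenames}  # assumption: case-insensitive
    status = {}
    for banner_id in ids:
        order = lookup_order(banner_id, env)
        hits = [i for i, name in enumerate(order) if name.lower() in present]
        if not hits:
            status[banner_id] = "missing"
        else:
            status[banner_id] = "primary" if hits[0] == 0 else "fallback"
    by_short_name = defaultdict(list)
    for banner_id in ids:
        by_short_name[name_3_7(banner_id)].append(banner_id)
    collisions = {k: v for k, v in by_short_name.items() if len(v) > 1}
    return status, collisions


# Constructed sample data: A01394287 is the guide's example ID, the rest are made up.
SAMPLE_IDS = ["A01394287", "B01394287", "A00000123"]
SAMPLE_FILES = ["A01394287.tif", "I1394287.bmp", "notes.txt"]
SAMPLE_ENV = {"BAN_GUAIMGE_ID_RANGE": "1,9", "BAN_GUAIMGE_EXTENSION": "TIF"}

if __name__ == "__main__":
    status, collisions = audit(SAMPLE_IDS, SAMPLE_FILES, SAMPLE_ENV)
    for banner_id, state in status.items():
        print(banner_id, state, lookup_order(banner_id, SAMPLE_ENV))
    print("3,7 collisions:", collisions)
```

In the sample, B01394287 resolves through the fallback to I1394287.bmp, the legacy image that belongs to A01394287, which is the case to check for before enabling 1,9 alongside existing 3,7 files.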
Step 11 Verify Oracle Environment for Reports Deployment
After OAS10gR2 is installed, you must verify the Reports installation.
1. Access the demonstrations on the OAS10gR2 homepage:
http://yourservername:port.
Port is the port number of your Oracle HTTP server, normally 7777 if this is your first
installation of Oracle on your INB server. To verify your port number, refer to the
portlist.ini file in the OAS10g <ORACLE_HOME>/install directory.
2. Choose Business Intelligence and Forms.
3. Choose Reports Services. This link invokes the reports servlet.
4. Choose Test a Paper Report on the Web. This link invokes the test report demo.
5. Enter your report server name and port number.
6. Choose Run Report.
Note
If you do not see the report output (Reports Server Test Report, The
report ran successfully!), check all log files for the OAS10gR2 installation
to resolve the problem.
Step 12 Set up Banner Data Extract
Use the following steps to set up Banner Data Extract functionality:
• Enable Data Extract for forms
• Choose default output format
• Configure environment variable for Data Extract (optional)
Enable the Data Extract Feature for a Form
1. Access the Object Maintenance Form (GUAOBJS).
2. Query for the form(s) you want to enable.
Note
Not all baseline forms have been tested for Data Extract functionality. For
a list of tested forms, refer to chapter 3 of the Banner Getting Started
Guide.
Warning
If you want to use the Data Extract feature on your institution’s local
forms, you must test it on them first.
3. Select a value from the pull-down list in the Data Extract Option field for each
form:
• Key and Data Block – Enable the extract feature for both key and data blocks.
• Data Block Only – Enable the extract feature for data blocks only.
4. Save.
Choose the Default Output Format
1. Log on to Banner as the BASELINE user.
2. Access the General User Preferences Maintenance Form (GUAUPRF).
3. Go to the Directory Options window.
Note
For each record on this window except for Oracle Reports Root Subfolder,
you can choose whether changes to BASELINE values are used as the
default values for all current users by using the Propagate pull-down list:
• Copy to All Users (default): The value you enter for the record will be copied
into all user's individual user preference rows in the GURUPRF table. Any
existing user value will be overwritten with this option.
• Copy to No Users: The value you enter for the record will not be copied to
any users.
• Copy to Users having same value as BASELINE value: The system will
compare the old BASELINE value with each user's individual row for this
preference. If the value on the BASELINE row matches the value on the
user's row, then the new BASELINE value will be copied into the user's row.
If the user's current value is different than the current BASELINE value
(prior to the change being made), then the user value will not be updated to
match the BASELINE row.
4. Go to the record for Data extract format: FILE (.csv), TEXT, or WEBUTIL.
5. Make an entry in the User Value field.
• If you want extracted data to be placed into a file in comma separated value format
(with a .csv extension), enter FILE in the User Value field. When users extract
data, they will be prompted to save it to their local drive.
• If you want extracted data to be displayed in a separate browser window, enter
TEXT. The information is display-only, but users can save it in a variety of formats.
• If you want to use the WebUtil option, enter WEBUTIL to save the .csv file to
users’ local drives using the General WebUtil File Extract Form (GUQWUTL). If
you choose this option, you must also follow the steps to “Configure WebUtil for
Saving Data Extract Output” on page 22.
Note
Even if you do not use WebUtil as the BASELINE option at your
institution, be aware that individual users will still be able to select
WEBUTIL as their value for the User Value field, although they will
receive an error when they try to use the General WebUtil File Extract
Form (GUQWUTL) to save their file.
6. (Optional) If you are using the WebUtil option, you can specify a different default
directory to save users’ output in the record for Local directory for saving output. The
default delivered value is C:\temp.
7. Save.
Configure Environment Variable for Data Extract (Optional)
You can use the BAN_DATA_EXTRACT_PAD_COLUMNS environment variable to specify
whether you want the columns of extracted data to be padded with spaces.
• If the variable is set to Y (Yes)--The Data Extract logic in the G$_WRITE_BLOCK will
pad the columns with spaces. This option was the default prior to General Release
7.4.
Example:
BAN_DATA_EXTRACT_PAD_COLUMNS=Y
• If the variable is set to N (No)--The columns will not be padded with spaces. The
padding is not needed because the columns have a “wrapper” of double quotes
around them.
Example:
BAN_DATA_EXTRACT_PAD_COLUMNS=N
Note
If the variable does not exist, then Banner assumes a value of N.
Step 13
Configure WebUtil for Saving Data Extract Output
WebUtil is an Oracle utility, portions of which SunGard Higher Education made available
beginning with the General 7.3 release to assist with data transfer and web output. If
configured, WebUtil provides a way to extract data from Banner to a user’s desktop, either
by using Banner’s Data Extract feature, the GASB Parameter Form (FGAGASB), or the
Saved Output Review Form (GJIREVO). Although it is primarily intended to provide a
Data Extract solution for institutions with a RAC (Real Application Clusters)
environment, SunGard Higher Education recommends that all institutions adopt this
solution.
To configure WebUtil at your institution, do the following:
• Follow the instructions in the Oracle Forms Developer WebUtil User’s Guide, with
the exception of the items listed below under the “Exceptions to the Standard
WebUtil Configuration” heading.
• Choose WEBUTIL as the output format in the step to “Choose the Default Output
Format” on page 20.
For more information about WebUtil, refer to the following page of Oracle’s web site:
http://www.oracle.com/technology/products/forms/htdocs/webutil/readme.html
Exceptions to the Standard WebUtil Configuration
• SunGard Higher Education recommends that you install the webutil_db package
in the baninst1 schema. In Banner General, the webutil_db package is delivered
split into gokwutl.sql (package specification) and gokwutl1.sql (package
body), in order to comply with Banner standards.
Note
It is no longer necessary to use the banwebutil.jar file in place of Oracle’s
native frmwebutil.jar. SunGard Higher Education now recommends that
you follow Oracle’s WebUtil configuration instructions and install the
appropriate version of Oracle’s frmwebutil.jar based on your version of
Oracle Application Server. In particular, if you are using Oracle
Application Server 10.1.2.3 or later, you may experience errors if using
banwebutil.jar, and you should use Oracle’s frmwebutil.jar instead.
Using WebUtil for Other Purposes
SunGard Higher Education made a single form "WebUtil enabled" in support of the Data
Extract features across Banner: the General WebUtil File Extract Form (GUQWUTL).
If you want to use other features of WebUtil at your institution, you must make each
relevant form WebUtil enabled; however, Oracle recommends that you only WebUtil-enable
forms which actually need the functionality. This is because each form that is
WebUtil enabled generates a certain amount of network traffic and memory usage simply
to instantiate the utility, regardless of whether any WebUtil functionality is used.
Step 14
Configure Oracle Reports for INB
Oracle Reports for Banner uses the RUN_REPORT_OBJECT Built-In function to run a report
from the form.
The Reports server may be customized by defining the defaultEnvId parameter in the
Reports server configuration file. This file allows for the definition of environment
variables specific to the Reports server engine.
SunGard Higher Education recommends that you use OEM for all your configuration file
changes.
1. Access OEM on your INB server: http://yourservername:1810.
2. Choose reportservername in the System Components section.
3. Choose Edit Configuration File in the Administration section.
4. Add the defaultEnvId parameter to the engine ID parameter. This parameter
connects the user to a specific database.
Example:
In this example, defaultEnvId="test" is added to the end of the engine ID
parameter:
<engine id="rwEng" class="oracle.reports.engine.EngineImpl"
initEngine="1" maxEngine="1" minEngine="0" engLife="50" maxIdle="30"
callbackTimeOut="60000" defaultEnvId="test">
5. Add the LOCAL and REPORTS_PATH parameters.
Example:
<environment id="test">
<envVariable name="LOCAL" value="test"/>
<envVariable name="REPORTS_PATH"
value="D:\links"/>
</environment>
Note
If you use Oracle SSO and Oracle Portal, skip step 6.
6. Remove the Oracle SSO and Oracle Portal tags by commenting them out using <!--
at the beginning and --> at the end of the security id and destination tags.
Example:
<!--security id="rwSec" class="oracle.reports.server.RWSecurity">
<property name="securityUserid"
value="%PORTAL_DB_USERNAME%/%PORTAL_DB_PASSWORD%@%PORTAL_DB_TNSNAME%"
confidential="yes"
encrypted="no"/>
<property name="oidEntity"
value="%REPORTS_OID_ENTITY%"/>
</security>-->
<!--destination destype="oraclePortal"
class="oracle.reports.server.DesOraclePortal">
<property name="portalUserid"
value="%PORTAL_DB_USERNAME%/%PORTAL_DB_PASSWORD%@%PORTAL_DB_TNSNAME%"
confidential="yes"
encrypted="no"/>
</destination> -->
7. Choose OK.
8. Choose Yes to restart the Reports server.
Step 15
Modify INB Environment for Oracle Reports (UNIX Only)
An enhancement was made to the Banner 7.1 release of Oracle Reports allowing the users
to run a report without specifying the database name when logging in to INB. If you are
running your Reports Server on UNIX, you must add the following to your .env file:
local=<your database tns connect string>
e.g. local=test
Step 16
Modify INB Preferences for Oracle Reports
1. Log on to Banner as the BASELINE user.
2. Access the General User Preferences Maintenance Form (GUAUPRF).
3. Go to the Directory Options window.
4. Go to the Enter the name of your Oracle Reports Server record. In the Default Value
field, change the URL to the report server used at your site.
Delivered value: http://yourservername:port/reports/rwservlet?
5. Go to the Enter the name of your Oracle Reports Service Name record. In the Default
Value field, change the reports server name to the name used at your site.
Delivered value: rep_yourservername
6. Go to the Enter name of your Oracle Reports Root Subfolder record, which allows
you to control the file name format and location of Oracle Reports output. With this
record, you can control where users send their report output when the report
Destination Type is set to File (DESTYPE=FILE).
If you change nothing on the BASELINE row (i.e., where GURUPRF_USER_ID is equal
to BASELINE), then the value DEFAULT_BEHAVIOR is used, and users send their
output to the drive/folder/subfolder specified in the Destination Name field or to the
default directory on the Reports server, if Destination Name is valued with only a file
name. This is the same way this feature worked in previous releases. However, you
have the option to enter the name of an Oracle Reports root-level folder/subfolder
value (including an ending slash).
To this root-level folder/subfolder value, you have the option to append:
• An indication for including a timestamp in the report file name (date)
• An indication for having the report file written to an oracle-username subfolder (user)
• Indications for both timestamp and username subfolder (user, date)
Note
If your institution chooses not to append the string date to the report file
name, then you must otherwise ensure that duplicate file names are not
overwritten.
Tip
If you use any of the new options, keep in mind that the methods you use
to periodically purge the output on your Reports server may need to be
adjusted. Also, when running the reports, users will enter just the file
name (and extension) in the Destination Name field. The configured
options will be dynamically constructed into this entered Destination
Name value.
The delivered value for BASELINE is DEFAULT_BEHAVIOR. You may change this
value to one of the following options:
• A root-level folder
• A root-level folder and the string user
• A root-level folder and the string date
• A root-level folder and the string user, date
These options are detailed below.
A root-level folder
Enter a root-level folder (including an ending slash) to which all Oracle Reports output
with a Destination Type of File will be sent. This root-level folder must exist and be
writable by the Reports server.
Example of the BASELINE row configuration:
Windows: f:\orep_root\
Unix/Linux: /u02/orep_root/
Example of what output might look like with this BASELINE row configuration:
Windows: f:\orep_root\sample_report.pdf
Unix/Linux: /u02/orep_root/sample_report.pdf
Note
If you choose this option, make sure that all Oracle Reports users are
configured to access files at this root location, and that the Windows
share (or Unix security) is configured accordingly. Users need read
access to this folder. Additionally, make sure that they do not send report
output with sensitive data to this folder.
Note
If a value exists in the User Value field for this corresponding type of
BASELINE row, it will be ignored.
A root-level folder and user
Enter a root-level folder and the string user. If desired, users may specify subfolders
within their username folder by entering the name of the subfolder in the corresponding
User Value field of GUAUPRF (including an ending slash). This specified subfolder must
exist.
Example of the BASELINE row configuration:
Windows: f:\orep_root\user
Unix/Linux: /u02/orep_root/user
Example of what output might look like with this BASELINE row configuration:
Windows: f:\orep_root\jdoe\sample_report.pdf
Unix/Linux: /u02/orep_root/jdoe/sample_report.pdf
Example of what output might look like if a User Value subfolder of xyz\ (for Windows)
or xyz/ (for Unix) is specified on the user's GUAUPRF row:
Windows: f:\orep_root\jdoe\xyz\sample_report.pdf
Unix/Linux: /u02/orep_root/jdoe/xyz/sample_report.pdf
Note
You must create user folders for Oracle user IDs, if you choose this
option. If you do not, the Reports server will not be able to write the file to
the specified location. It is recommended that you create Windows share
(or Unix security) on these user folders.
A root-level folder and date
Enter a root-level folder and the string date. If you choose this option, then a unique time
stamp will be appended to the end of the report name, so that files will not be overwritten.
Example of the BASELINE row configuration:
Windows: f:\orep_root\date
Unix/Linux: /u02/orep_root/date
Example of what output might look like with this BASELINE row configuration:
Windows: f:\orep_root\sample_report20061212081255.pdf
Unix/Linux: /u02/orep_root/sample_report20061212081255.pdf
A root-level folder and user,date
Enter a root-level folder and the string user,date.
Example of the BASELINE row configuration:
Windows: f:\orep_root\user,date
Unix/Linux: /u02/orep_root/user,date
Example of what output might look like with this BASELINE row configuration:
Windows: f:\orep_root\jdoe\sample_report20061212081255.pdf
Unix/Linux: /u02/orep_root/jdoe/sample_report20061212081255.pdf
Note
You must create user folders for each Oracle user ID if you choose this
option. If you do not, the Reports server will not be able to write the file to
the specified location. It is recommended that you create Windows share
(or Unix security) on these user folders.
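Knowing exactly where a report lands under each BASELINE option is what lets you set share permissions and purge jobs correctly. The following Python sketch is an added example, not Banner code: it models the path composition shown in the tables above. The function name, the rejection of path separators in Destination Name, and the YYYYMMDDHHMMSS timestamp format (inferred from the sample value 20061212081255) are assumptions.

```python
import os.path
from datetime import datetime

# Options that may follow the root-level folder in the BASELINE value.
OPTIONS = ("", "user", "date", "user,date")


def resolve_output_path(baseline_value, oracle_user, destination_name,
                        user_subfolder="", timestamp=None, windows=True):
    """Model how a DESTYPE=FILE report path is composed from the BASELINE value."""
    if baseline_value == "DEFAULT_BEHAVIOR":
        # Delivered behaviour: Destination Name is used exactly as entered.
        return destination_name

    sep = "\\" if windows else "/"
    # With a configured root, users enter just the file name and extension.
    # Assumption of this sketch: anything containing a separator is rejected.
    if not destination_name or "/" in destination_name or "\\" in destination_name:
        raise ValueError("Destination Name must be a bare file name")

    # The value has the form "<root folder with ending slash><option>".
    cut = baseline_value.rfind(sep) + 1
    root, option = baseline_value[:cut], baseline_value[cut:]
    if not root or option not in OPTIONS:
        raise ValueError("unrecognized BASELINE value: %r" % (baseline_value,))

    folder = root
    if "user" in option:
        # One folder per Oracle user ID; it must already exist on the server.
        folder += oracle_user + sep
        if user_subfolder:
            if not user_subfolder.endswith(sep) or ".." in user_subfolder:
                raise ValueError("User Value must be a subfolder with an ending slash")
            folder += user_subfolder
    # Without "user", the User Value is ignored (stated on the page for the
    # root-only option; assumed here for the date-only option).

    stem, ext = os.path.splitext(destination_name)
    if "date" in option:
        # Timestamp goes between the file name and its extension.
        stem += timestamp or datetime.now().strftime("%Y%m%d%H%M%S")
    return folder + stem + ext


if __name__ == "__main__":
    # Rows constructed from the examples in the tables above.
    for value in ("f:\\orep_root\\", "f:\\orep_root\\user",
                  "f:\\orep_root\\date", "f:\\orep_root\\user,date"):
        print(value, "->", resolve_output_path(
            value, "jdoe", "sample_report.pdf", timestamp="20061212081255"))
```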
Step 17
Modify the bannerid.jar File
The bannerid.jar file provides secured access for Oracle*Reports.
1. Create two temporary directories. (For example, C:\temp\jar\default and
C:\temp\jar\new).
2. Place bannerid.jar into the C:\temp\jar\default directory.
3. Open a command prompt session at the C:\temp\jar\new directory.
4. Unpack the bannerid.jar file into the C:\temp\jar\new directory:
jar -xvf c:\temp\jar\default\bannerid.jar
5. Navigate to the C:\temp\jar\new\com\sct\banner\reports directory.
6. Modify the SEED1 and SEED3 parameters in the bannerID.properties and
bannerID_en.properties files.
Note
Information about changing SEED parameters is located in the Banner
Security Technical Reference Manual.
7. Save your changes.
8. Repackage the bannerid.jar file in the C:\temp\jar\new directory using the jar
command:
jar -Mcvf bannerid.jar *.*
9. Create a secure directory on the server and copy the bannerid.jar file to this
directory.
10. Modify the rep_<servername>.conf file in the following manner. SunGard Higher
Education recommends that you use Oracle Enterprise Manager (OEM) for all
configuration file changes.
10.1. Access OEM on your INB server: http://yourservername:1810.
10.2. Choose Reports Server Name in the System Components section.
10.3. Choose Edit Configuration File.
10.4. Add classPath="C:\temp\bannerid.jar" to the end of the engine id
parameter.
Note
<engine id="rwEng" class="oracle.reports.engine.EngineImpl"
initEngine="1" maxEngine="5" minEngine="0" engLife="50"
maxIdle="30" callbackTimeOut="60000"
defaultEnvId="test"
classPath="C:\temp\bannerid.jar">
</engine>
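Before the repackaged bannerid.jar is copied to the server in step 9, it is worth confirming that only the two properties files changed and that SEED1 and SEED3 no longer hold their delivered values. This Python check is an added example, not part of the guide or of Banner; the key=value layout of the properties files, the function names and all sample contents are constructed assumptions.

```python
import io
import zipfile

PROPS_DIR = "com/sct/banner/reports/"
PROPS_FILES = ("bannerID.properties", "bannerID_en.properties")
SEED_KEYS = ("SEED1", "SEED3")


def read_jar(jar_bytes):
    """Map entry name -> content for every file entry in a jar (zip) archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: jar.read(i) for i in jar.infolist() if not i.is_dir()}


def parse_properties(data):
    """Minimal key=value parser (assumes one property per line)."""
    props = {}
    for line in data.decode("latin-1").splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def review_repackaged_jar(default_bytes, new_bytes):
    """Return a list of findings; an empty list means the repack looks as intended."""
    old, new = read_jar(default_bytes), read_jar(new_bytes)
    expected = {PROPS_DIR + name for name in PROPS_FILES}
    findings = []
    for name in sorted(old.keys() - new.keys()):
        findings.append("missing from new jar: " + name)
    for name in sorted(new.keys() - old.keys()):
        findings.append("unexpected new entry: " + name)
    for name in sorted(old.keys() & new.keys()):
        # Only the two properties files are supposed to differ.
        if old[name] != new[name] and name not in expected:
            findings.append("unexpected change: " + name)
    for name in sorted(expected):
        if name not in new:
            if name not in old:
                findings.append(name + ": not found in either jar")
            continue
        before = parse_properties(old.get(name, b""))
        after = parse_properties(new[name])
        for key in SEED_KEYS:
            if not after.get(key):
                findings.append("%s: %s is missing or empty" % (name, key))
            elif after[key] == before.get(key):
                findings.append("%s: %s still has the delivered value" % (name, key))
    return findings


def make_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives; the seed values are placeholders, not real ones.
DELIVERED = {
    PROPS_DIR + "bannerID.properties": b"SEED1=delivered-1\nSEED3=delivered-3\n",
    PROPS_DIR + "bannerID_en.properties": b"SEED1=delivered-1\nSEED3=delivered-3\n",
    PROPS_DIR + "Placeholder.class": b"\xca\xfe\xba\xbe constructed",
}
GOOD = dict(DELIVERED)
GOOD[PROPS_DIR + "bannerID.properties"] = b"SEED1=site-1\nSEED3=site-3\n"
GOOD[PROPS_DIR + "bannerID_en.properties"] = b"SEED1=site-1\nSEED3=site-3\n"
BAD = dict(GOOD)
BAD[PROPS_DIR + "bannerID_en.properties"] = b"SEED1=site-1\nSEED3=delivered-3\n"
BAD[PROPS_DIR + "Placeholder.class"] = b"\xca\xfe\xba\xbe altered"

if __name__ == "__main__":
    for finding in review_repackaged_jar(make_jar(DELIVERED), make_jar(BAD)):
        print(finding)
```

To use it on real files, pass the bytes of the jar in C:\temp\jar\default and of the repackaged jar in C:\temp\jar\new.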
Step 18
Modify the banorep.jar File (Optional)
Banner is delivered with the banorep.jar file to control advanced Oracle Reports
Security.
To avoid exposing the userid parameter, the userid connect string can be encrypted and
stored in a temporary cookie on the client browser. This means the following for Reports
to run:
• The userid parameter is left empty in the Reports HTML parameter form and does
not show in the requested URL.
• The userid connect string is encrypted and stored as a temporary cookie. The
cookie is deleted immediately when closing the browser.
• The cookie expires after 30 minutes even if the browser was not closed.
• The default cookie domain is derived from the host running Forms Services. This
secures the cookie from applications hosted by other servers accessing this
information.
The Reports userid cookie can be set from Forms using a Java Bean in Forms. The
banorep.jar file handles setting the userid parameter in a cookie.
• maxAge –This property specifies the time, in minutes, for which the Reports
userid cookie is valid. The cookie expiration is determined on the Reports Server.
The default value is 30 minutes.
• cookieDomain –This property defines the scope of servers, the location from which
hosted applications can access the cookie information. The minimum requirement
is a domain that has at least two '.' in it. The domain can be set to a complete server
name, therefore ensuring that only applications started on this server can access the
cookie.
Example:
cookieDomain=.yourserver.com is a valid domain, while
cookieDomain=yourserver.com is not a valid domain
• cookiePath –This property defines the virtual path that an application needs in
order to access the client side cookie. By default, the path is set to '/', which means
that applications downloaded from any virtual path in the cookie's domain can
access the cookie. To restrict access to only those applications downloaded from a
specific virtual path, like "reports," use the following settings '/reports/'.
1. Create two temporary directories. (For example, C:\temp\jar\default and
C:\temp\jar\new).
2. Place banorep.jar into the C:\temp\jar\default directory.
3. Open a command prompt session at the C:\temp\jar\new directory.
4. Unpack the banorep.jar file into the C:\temp\jar\new directory:
jar -xvf c:\temp\jar\default\banorep.jar
5. Navigate to the C:\temp\jar\new\oracle\reports\utility directory.
6. Access the conf.properties and conf_en.properties files.
7. Change the value for each property.
8. Save your changes.
9. Repackage the banorep.jar file in the C:\temp\jar\new directory using the jar
command:
jar -Mcvf banorep.jar *.*
Forms Services Configuration
10. Copy the new banorep.jar file to the <ORACLE_HOME>/forms/java directory.
formsweb.cfg File
11. Add the following line to the named configuration section for your application in the
formsweb.cfg file:
Archive_jini= banspecial.jar,frmall_jinit.jar,banicons.jar,bannerui.jar,banorep.jar
Archive= banspecial.jar,frmall.jar,banicons.jar,bannerui.jar,banorep.jar
Basejini.htm File
12. In order for the Forms Applet to get permissions for setting the temporary
authentication cookie, the MAYSCRIPT parameter needs to be set in basejini.htm
template.
Internet Explorer section of basejini.htm:
<PARAM NAME="MAYSCRIPT" VALUE="true">
Netscape section of basejini.htm:
MAYSCRIPT="true"
Warning
There is a known issue with the combination of Netscape 7.1, JInitiator
1.3.1.x, and the JSObject class from Netscape. Forms that run in
Netscape 7.1 must use the certified version of the Java Plug-In 1.4.
Note
If you are using the Java Plug-In, you must change
baseHTMLJInitiator= and baseHTMLie= parameters to point to just
basejpi.htm. Add the banner jar files to the archive parameter.
Example:
# System parameter: base HTML file for use with JInitiator client
baseHTMLjinitiator=basejpi.htm
# System parameter: base HTML file for use with Microsoft Internet Explorer
# (when using the native JVM)
baseHTMLie=basejpi.htm
# Forms applet archive setting for other clients (Sun Java Plugin, Appletviewer, etc)
archive=banicons.jar,bannerui.jar,banspecial.jar,frmall.jar,banorep.jar
13. Modify the REPORTS_ENCRYPTION_KEY:
Key Environment variables and Servlet Parameters
The REPORTS_ENCRYPTION_KEY specifies the encryption key used to encrypt the user
name and password for the Authid & Userid Cookies. Because these cookies are sent
back to the user's browser, there is a need to encrypt these values. The encryption key
can be any character string. The default value is reports9.0. A change of the
encryption key would change the final encrypted values of these cookies.
In order to secure your Oracle Reports Server environment, it is recommended you
change the REPORTS_ENCRYPTION_KEY from the default value of "reports9.0" to some
custom value.
You can find more information about changing the key in the document Oracle Forms
Services - Secure Web.Show_Document() calls to Oracle Reports.
The SET_<nn>ENCRYPTION_KEY property allows the application developer to issue
another key for encrypting the Reports cookie other than the default. Before changing
the key in the cookie, make sure that the key is also changed in the Reports Server
rwservlet.properties file (Reports9i and Reports 10g).
Examples:
set_custom_property('control.userid_bean',1,'SET_9iENCRYPTION_KEY',
'myOwnKeyFor9i');
set_custom_property('control.userid_bean',1,'SET_10gENCRYPTION_KEY',
'myOwnKeyFor10g');
For more information, refer to Oracle Metalink Note 222332.1, A Detailed
Explanation of Oracle 9i Reports Security, and the whitepaper Oracle Forms Services
- Secure Web.Show_Document() calls to Oracle Reports.
Step 19
Modify the bannerui.jar file (Optional)
If you are setting up an Arabic-language implementation of Banner, you must make two
changes to default settings stored in the bannerui.jar file.
• The text alignment must be changed from LTR (left to right, the default value), to
RTL (right to left), so that certain Banner text items will be correctly aligned.
• The default font must be changed from Verdana to a font that properly supports
Unicode characters for Arabic, such as MS Sans Serif.
To make these changes, perform the following steps:
1. Create a temporary directory, C:\temp\jar\ui.
2. Copy bannerui.jar into the C:\temp\jar\ui directory.
3. Open a command prompt session at the C:\temp\jar\ui directory.
4. Unpack the bannerui.jar file:
jar xf c:\temp\jar\ui\bannerui.jar
5. In the com/sct/banner/forms/ui directory, locate the fontName.properties file
and the banAlignment.properties file.
6. Edit fontName.properties.
Open fontName.properties in a text editor and change the default value Verdana to
MS Sans Serif. Save and close the file.
7. Edit banAlignment.properties.
Open banAlignment.properties in a text editor and change the default value LTR to
RTL. Save and close the file.
8. Repackage the bannerui.jar file in the C:\temp\jar\ui directory:
jar cf bannerui.jar com
9. Copy the edited bannerui.jar file to the <ORACLE_HOME>/forms/java directory.
Step 20
Secure the Reports Server
1. Modify the ServerName directive in your Apache httpd.conf file to contain the full
domain name:
ServerName <yourservername>.<yourdomainname>
Note
Ensure that the server name is the full DNS name. Be cautious if you
accept the defaults during installation.
2. Any of the valid Reports Servlet commands listed on the Reports Servlet help page
can be restricted. The list of help commands can be viewed at
http://yourservername:port/reports/rwservlet/help.
To restrict Oracle Reports commands, add Location directives to your httpd.conf file
after the default Location directive for /server-status:
#
# Allow server status reports, with the URL of http://servername/server-status
# Change the ".your_domain.com" to match your domain to enable.
#
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost yourservername
</Location>
The following example disables the showmap command from the users and allows the
call to rwservlet/showmap issued on the server yourserver.com for testing purposes:
<Location /reports/rwservlet/showmap*>
Order deny,allow
Deny from all
Allow from localhost yourserver.com
</Location>
The following example disables the upper, lower, or mixed case use of the showjobs
command from the users and allows the call to rwservlet/showjobs issued from a PC
with a certain IP address for testing purposes:
<Location /reports/rwservlet/[Ss][Hh][Oo][Ww][Jj][Oo][Bb][Ss]*>
Order deny,allow
Deny from all
Allow from localhost 111.22.33.444
</Location>
The following example disables the upper, lower, or mixed case use of the showjobid
command from the users and allows the call to rwservlet/showjobid issued from the
localhost:
<Location /reports/rwservlet/[Ss][Hh][Oo][Ww][Jj][Oo][Bb][Ii][Dd]*>
Order deny,allow
Deny from all
Allow from localhost 111.22.33.444
</Location>
3. If you installed the OAS10g Infrastructure and Middle Tier software, the WebCache
software is automatically installed. The Web Cache software is a front end to the
Apache HTTP server. The client IP does not get passed through to the Apache HTTP
server. Therefore, Allow/Deny directives in httpd.conf will not work. You must add
the following line to your httpd.conf file:
Locate and uncomment the "UseWebCacheIp On" directive in the httpd.conf file.
Restart the Apache HTTP server.
Note
If you installed the Oracle Forms and Reports StandAlone Services, then
you do not have WebCache installed and may skip this step.
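Location patterns are matched case-sensitively, which is why the showjobs and showjobid examples in this step spell out every letter in both cases while the showmap example covers only the lowercase spelling. The following Python audit is an added example, not part of the guide: it counts the upper/lower-case spellings of each command that no deny-all Location block covers, and reports whether UseWebCacheIp On is active. The httpd.conf fragment and function names are constructed, and Python's fnmatch only approximates Apache's wildcard matching.

```python
import fnmatch
import itertools
import re

# Constructed httpd.conf fragment modelled on the Location examples in this step.
SAMPLE_CONF = """\
<Location /reports/rwservlet/showmap*>
Order deny,allow
Deny from all
Allow from localhost yourserver.com
</Location>
<Location /reports/rwservlet/[Ss][Hh][Oo][Ww][Jj][Oo][Bb][Ss]*>
Order deny,allow
Deny from all
Allow from localhost
</Location>
#UseWebCacheIp On
"""

LOCATION_RE = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)


def active_lines(conf_text):
    """Non-empty, non-comment lines with surrounding whitespace removed."""
    lines = (line.strip() for line in conf_text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def deny_patterns(conf_text):
    """URL patterns of active <Location> blocks that use deny,allow + Deny from all."""
    text = "\n".join(active_lines(conf_text))
    found = []
    for pattern, body in LOCATION_RE.findall(text):
        directives = {" ".join(d.lower().split()) for d in body.splitlines() if d.strip()}
        if "order deny,allow" in directives and "deny from all" in directives:
            found.append(pattern)
    return found


def case_variants(word):
    """Every upper/lower-case spelling of a command name."""
    pairs = ((c.lower(), c.upper()) for c in word)
    return {"".join(p) for p in itertools.product(*pairs)}


def uncovered_variants(conf_text, command, prefix="/reports/rwservlet/"):
    """Spellings of the command that no restricting Location pattern matches."""
    patterns = deny_patterns(conf_text)
    # fnmatchcase is case-sensitive like Apache; unlike Apache, its '*' also
    # matches '/', which does not matter for these single-segment commands.
    return sorted(v for v in case_variants(command)
                  if not any(fnmatch.fnmatchcase(prefix + v, p) for p in patterns))


def webcache_ip_enabled(conf_text):
    """True when an uncommented 'UseWebCacheIp On' directive is present."""
    return any(re.fullmatch(r"UseWebCacheIp\s+On", line, re.I)
               for line in active_lines(conf_text))


def audit(conf_text, commands=("showmap", "showjobs", "showjobid")):
    """Count uncovered spellings per command and report the WebCache setting."""
    report = {c: len(uncovered_variants(conf_text, c)) for c in commands}
    report["UseWebCacheIp"] = webcache_ip_enabled(conf_text)
    return report


if __name__ == "__main__":
    for item, value in audit(SAMPLE_CONF).items():
        print(item, value)
```

A non-zero count means the pattern for that command should be rewritten with a character class per letter, as in the showjobs example.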
Step 21
Modify INB Preferences for Job Submission Output
Job Submission output can be viewed on the Web from the Saved Output Review Form
(GJIREVO). When you select Options--Show Document (Save and Print File), the Job
Submission output is displayed in a browser window. You can then save the output to a
local file or print it.
To view Job Submission or Data Extract output on the Web, a Database Descriptor (DAD)
must be added in OAS10g. Refer to chapter 2 for basic information about creating a DAD.
If you have separate INB and SSB web servers, you should configure a DAD on your INB
web server for Job Submission output.
1. Log on to Banner as the BASELINE user.
2. Access the General User Preferences Maintenance Form (GUAUPRF).
3. Go to the Directory Options tab.
4. Navigate to the record for the Web Output URL.
5. In the Default Value field, change the URL to the server address and virtual path
used by your site.
Example:
Delivered value: http://yourserver.com/directory/
New value: http://yourserver.com/<dad name>/
Note
OAS10g no longer requires that you include /pls/ in the URL, although
you can include it, if desired. Non-OAS10g users must include it, so your
value would be:
New value: http://yourserver.com/pls/<dad name>/
Step 22
Modify default.env
In default.env, add this new environment variable:
NLS_LANG=AMERICAN_AMERICA.AL32UTF8
Step 23
Set up for Case-Sensitive Passwords (Optional, 11g Only)
Case-sensitive passwords are an option available in Banner only for institutions using
Oracle Database 11g.
If you are using 11g, and you want to take advantage of case-sensitive passwords in
Banner, add this environment variable:
FORMS_USERNAME_CASESENSITIVE=1
Note
Environment variable FORMS_USERNAME_CASESENSITIVE is
available only when using Application Server version 10.1.2.2 or higher.
To enable case-sensitive passwords in Banner, you must also set the database initialization
parameter SEC_CASE_SENSITIVE_LOGIN to TRUE.
For more information specific to Database 11g, see “Oracle Database 11g” on page 145.
Step 24
Configure Multiple Environments (Optional)
Use these steps if you need to configure multiple environments. The steps will create new
sections in your formsweb.cfg file.
1. Copy default.env to test.env.
2. Access OEM on your INB server: http://yourservername:1810.
3. Choose Forms in the System Components section.
4. Choose the Configuration tab.
5. Select the default configuration and choose Duplicate.
6. Enter test and click OK.
7. Edit the new test section and change value from:
envFile = default.env
to:
envFile = test.env
8. Choose the Environment tab.
9. Edit the new test.env and change values as needed.
Example:
FORMS_PATH - to the path of FMX/PLX/MMXs
TWO_TASK(Unix) or LOCAL (Windows) - to the default database TNS_CONNECT_STRING
10. Append the new section name to the URL:
http://yourservername:port/forms/frmservlet?config=test
Step 25
Configure Mac Environment (Optional)
Use these steps if you need to configure a Mac environment.
1. Download MRJ from the Apple Web site. Jinitiator is a Windows-only plug in.
2. Add clientDPI=95 to the base.htm located in the OAS10g <ORACLE_HOME>/forms/server
directory.
Example:
<PARAM NAME="clientDPI" VALUE="95">
Step 26
Customize the Color of Required Fields (Optional)
Follow these steps if you want to display required fields in a different color.
1. Navigate to the OAS10g <ORACLE_HOME>/forms/java/oracle/forms/registry.
2. Edit the registry.dat file.
3. Change the following line from false to true:
app.ui.requiredFieldVA=true
4. Add a line such as the following, which turns required fields red:
app.ui.requiredFieldVABGColor=255,0,0
Note
The value for green is:
app.ui.requiredFieldVABGColor=0,255,0
Note
The value for blue is:
app.ui.requiredFieldVABGColor=0,0,255
5. Save the registry.dat file.
6. Test:
6.1. Log in to INB.
6.2. Go to GTVEMAL. The Required Description field should be red.
Step 27
Configure INB to Display Windows XP Themes (Optional)
Perform the following steps if your users prefer the XP theme display style. This change
prevents scroll bars from appearing on the INB forms.
1. Edit the ORACLE_HOME\forms\server\basejini.htm file:
1.1. Find this line:
<PARAM NAME="recordFileName" VALUE="%recordFileName%">
1.2. Change it to:
<PARAM NAME="recordFileName" VALUE="%recordFileName%">
<PARAM NAME="clientDPI" VALUE="%clientDPI%">
1.3. Find this line:
recordFileName="%recordFileName%"
1.4. Change it to:
recordFileName="%recordFileName%"
clientDPI="%clientDPI%">
2. Access OEM on your INB server.
http://yourservername:1810
3. In the System Components section, choose Forms.
4. Choose Configuration.
5. Add the following parameter to the default section:
Parameter: ClientDPI
Value: 95
6. Save your changes.
Step 28
Customize Color Scheme for Disabled Text (Optional)
Banner is delivered with the following R, G, and B codes for disabled text:
R=0
G=0
B=0
If your site uses the OracleLookAndFeel parameter and colorScheme BLAF, disabled
text is the same color (black) as regular text. If you want disabled text to be a different
color, use the following steps to change the R, G, and B codes.
1. Create two temporary directories (for example, C:\temp\jar\default and
C:\temp\jar\new).
2. Place bannerui.jar into the C:\temp\jar\default directory.
3. Open a command prompt session at the C:\temp\jar\new directory.
4. Unpack the bannerui.jar file into the C:\temp\jar\new directory:
jar -xvf c:\temp\jar\default\bannerui.jar
5. Navigate to the C:\temp\jar\new\com\sct\banner\forms\ui directory.
6. Access the disabledTextColor.properties and
disabledTextColor_en.properties files.
7. Search for the OracleLookAndFeel parameter in the following heading:
##################################################
#
# RGB settings to color Disabled Field Text (OracleLookAndFeel)
#
###################################################
The delivered values for R, G, and B are:
R=0
G=0
B=0
8. Change the value for each code to produce the color you prefer.
9. Save your changes.
10. Repackage the bannerui.jar file in the C:\temp\jar\new directory using the jar
command:
jar -Mcvf bannerui.jar *.*
11. Copy the new .jar file to the <ORACLE_HOME>/forms/java directory on the OAS10g
server for deployment.
Step 29
Customize Color Scheme for Tabs (Optional)
You can customize the color of the forms’ tabs, if you wish. The tab color is determined by
the tabPagesColor.properties and tabPagesColor_en.properties files, which are
contained in the bannerui.jar file.
Banner is delivered with the following settings for tabs:
• For the active tab (only one tab can be active at one time):
  • RCurrentTab=0
  • GCurrentTab=51
  • BCurrentTab=102
• For the other tabs that are available to the user but not currently in use:
  • REnabledTab=204
  • GEnabledTab=204
  • BEnabledTab=204
• For the other tabs that are disabled and cannot be selected by the user:
  • RDisabledTab=204
  • GDisabledTab=204
  • BDisabledTab=204
To change the tab colors, perform the following steps:
1. Create two temporary directories (for example, C:\temp\jar\default and
C:\temp\jar\new).
2. Place bannerui.jar into the C:\temp\jar\default directory.
3. Open a command prompt session at the C:\temp\jar\new directory.
4. Unpack the bannerui.jar file into the C:\temp\jar\new directory:
jar -xvf c:\temp\jar\default\bannerui.jar
5. Navigate to the C:\temp\jar\new\com\sct\banner\forms\ui directory.
6. Access the tabPagesColor.properties and tabPagesColor_en.properties files.
7. Search for the OracleLookAndFeel parameter in the following heading:
#######################################################
#
# RGB settings to color Tab Pages (OracleLookAndFeel)
#
##########################################################
8. Change the value for each code to produce the color you prefer.
9. Save your changes.
10. Repackage the bannerui.jar file in the C:\temp\jar\new directory using the jar
command:
jar -Mcvf bannerui.jar *.*
11. Copy the new .jar file to the <ORACLE_HOME>/forms/java directory on the OAS10g
server for deployment.
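A check to run between steps 10 and 11 of Steps 28 and 29, added here as an example (it is not SunGard code): it compares the delivered and repackaged bannerui.jar entry by entry and flags any difference other than the four properties files those steps edit. The entry paths are derived from the directory and file names in the steps; Sample.class, bannerui.jar.bak and all sample bytes are constructed.

```python
import hashlib
import io
import zipfile

# Entries Steps 28 and 29 tell you to edit, as stored inside bannerui.jar.
UI_DIR = "com/sct/banner/forms/ui/"
EXPECTED_EDITS = {
    UI_DIR + "disabledTextColor.properties",
    UI_DIR + "disabledTextColor_en.properties",
    UI_DIR + "tabPagesColor.properties",
    UI_DIR + "tabPagesColor_en.properties",
}


def entry_digests(jar):
    """Return {entry name: SHA-256 hex digest} for every file in a jar.

    `jar` is a path or a binary file object; a jar is a zip archive.
    """
    with zipfile.ZipFile(jar) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def compare_jars(default_jar, new_jar, expected=EXPECTED_EDITS):
    """Diff two jars entry by entry and flag changes outside `expected`."""
    before = entry_digests(default_jar)
    after = entry_digests(new_jar)
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    changed = sorted(
        name for name in before.keys() & after.keys()
        if before[name] != after[name]
    )
    unexpected = sorted(
        name for name in added + removed + changed if name not in expected
    )
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "unexpected": unexpected,
        "ok": not unexpected,
    }


def make_jar(entries):
    """Build an in-memory jar from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed sample contents; Sample.class is a placeholder entry name.
DELIVERED = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    UI_DIR + "disabledTextColor.properties": b"R=0\nG=0\nB=0\n",
    UI_DIR + "tabPagesColor.properties":
        b"RCurrentTab=0\nGCurrentTab=51\nBCurrentTab=102\n",
    UI_DIR + "Sample.class": b"\xca\xfe\xba\xbe placeholder bytes",
}
# Repackaged jar in which only the disabled-text colors were edited.
CLEAN = dict(DELIVERED)
CLEAN[UI_DIR + "disabledTextColor.properties"] = b"R=128\nG=128\nB=128\n"
# Same edit, but a class file differs and a stray file left in the
# working directory was packed along with everything else.
SUSPECT = dict(CLEAN)
SUSPECT[UI_DIR + "Sample.class"] = b"\xca\xfe\xba\xbe different bytes"
SUSPECT["bannerui.jar.bak"] = b"constructed stray file"

CLEAN_REPORT = compare_jars(make_jar(DELIVERED), make_jar(CLEAN))
SUSPECT_REPORT = compare_jars(make_jar(DELIVERED), make_jar(SUSPECT))

if __name__ == "__main__":
    for label, report in (("clean", CLEAN_REPORT), ("suspect", SUSPECT_REPORT)):
        status = "ok" if report["ok"] else "REVIEW"
        print(label, status, report["unexpected"])
```

Point compare_jars at C:\temp\jar\default\bannerui.jar and C:\temp\jar\new\bannerui.jar before copying the new file to the server.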
2 Configuring Self-Service Banner
Overview
This chapter describes the steps to install Web Tailor and Web General and to configure
Self-Service Banner® (SSB). You will be guided through the following steps:
1. “Set up Your Web Server Files”
2. “Set Up Apache httpd.conf for Link Security (Optional)”
3. “Review and Customize Global Web Rules”
4. “Review and Customize Global User Interface Settings”
5. “Review and Customize Graphic Elements”
6. “Review and Customize Web Menus and Web Procedures”
7. “Review and Assign Web Roles to Web Menus and Procedures”
8. “Review and Define Links on Menus”
9. “Review and Customize Information Text (Info Text)”
10. “Add Credit Card Processing (Optional)”
11. “Customize the Home Page”
12. “Luminis Integration (Optional)”
13. “Configure Web Tailor for LDAP Server (Optional)”
14. “Assign View and Update Privileges for Addresses”
15. “Establish Web User Parameters and Third Party History Information”
16. “Set Up Campus Directory Processing”
17. “Set Up Web E-Mail Address Options”
18. “Set Up Web Surveys”
Tip
You cannot implement any of the other self-service applications until you
have implemented Web Tailor and Web General.
After you perform these steps, you must also set up various preferences, etc., as described
in the Banner product-specific user guides (e.g., General, Student, Advancement). In
addition, you need to set up the rest of your Self-Service Banner products using the
product-specific implementation guides.
Note
You do not need to perform the steps in this chapter if your institution has
not licensed Self-Service Banner.
Keep in mind that there are three levels of settings maintained in Web Tailor:
• Global - applies to all the self-service products
• Module - applies to a single module, e.g., Student Self-Service
• Procedure - applies to a single procedure, e.g., bwgkomar.P_SelectMtypUpdate
(Update Marital Status)
For technical information, please refer to the Banner Web Tailor User Guide.
Prerequisites
• You must already have implemented Banner General.
• You must be a Web Tailor administrator in order to perform the steps in this
chapter.
Note
TWADMINU.SQL has been delivered with Web Tailor and migrated to the
production wtlweb/plus/ directory. This script can be used to assign
the WEBTAILOR ADMINISTRATOR role to an existing Banner ID via
SQL*Plus.
How to Create a DAD
SunGard® Higher Education recommends that you use Oracle Enterprise Manager
(OEM) for all configuration file changes.
Note
The Oracle Web Packages must be installed in the database prior to
following these steps. Installation of the Web Packages should have been
completed as part of your Banner installation or upgrade process.
1. Access OEM on your SSB server: http://yourservername:1810 .
2. Choose HTTP Server.
3. Choose Administration.
4. Choose PL/SQL Properties.
5. Choose DADs.
6. Choose Create.
7. Choose General. Choose Next.
8. Enter the DAD name in the DAD Name or Location field.
9. Enter the Banner OAS10g username in the Username field (e.g. OAS_PUBLIC).
10. Enter the password in the Password field.
11. Enter TNS connect string information in the Connect String Format field.
12. Enter the name of your default home page in the Default Page field (for example,
homepage.htm).
Choose Next.
13. Choose Next.
14. (Optional, if you plan to configure user-friendly error messages). In the CGI
Environment List section, enter REDIRECT_STATUS, REDIRECT_ERROR_NOTES. Select
Apache Style from the drop-down list for the Error Style check box.
15. Enter twbklist.p_main for the Before Procedure value. Choose OK.
After your DAD has been created, use the following steps if you plan to configure
user-friendly error messages.
16. Edit the dads.conf file on your OAS server and add the following line to the end of
your DAD Location directive:
ErrorDocument 404 /<DAD name>/twbkserr.p_system_error
17. To support the UTF8 character set, set the NLS_LANG parameter.
NLS_LANG=AMERICAN_AMERICA.AL32UTF8
18. Save the dads.conf file.
Configuration Steps
Step 1
Set up Your Web Server Files
Use the following steps to set up your Web server files:
1. Create a subdirectory called wtlhelp under the Web server's document root directory
tree. This is the root directory defined during the Oracle Apache HTTP Listener
configuration.
2. Transfer any Web Tailor installed HTML files (if they exist) from your Banner host
machine to the Web server wtlhelp directory. The HTML files reside in the
following Banner directories.
• UNIX: $BANNER_HOME/wtlweb/htm
• VMS: BAN_HOME:[wtlweb.htm]
• NT: drive letter:\${banner_home}\wtlweb\htm
You can transfer the text files to your Web server machine by using your site’s
preferred file transfer utility (for example, ftp). Transfer the files in ASCII mode.
3. Transfer any Web Tailor-installed GIF files (if they exist) from your Banner host
machine to the Web server wtlgifs directory. The GIF files will reside in the
following Banner directories:
• UNIX: $BANNER_HOME/wtlweb/gif
• VMS: BAN_HOME:[wtlweb.gif]
• NT: drive letter:\${banner_home}\wtlweb\gif
You can transfer the graphic files to your Web server machine by using your site’s
preferred binary file transfer utility. Transfer the files in BINARY mode.
4. Transfer any Web Tailor help GIF files (if they exist) from your Banner host machine
to the Web server wtlhelp/images directory. The GIF files will reside in the
following Banner directories:
• UNIX: $BANNER_HOME/wtlweb/htm/gif
• VMS: BAN_HOME:[wtlweb.htm.gif]
• NT: drive letter:\${banner_home}\wtlweb\htm\gif
You can transfer the graphic files to your Web server machine by using your site’s
preferred binary file transfer utility. Transfer the files in BINARY mode.
5. Copy homepage.htm in the wtlhelp directory to the document root directory on the
Web server machine. The file homepage.htm can be found in wtlweb/htm.
Note
The homepage.htm file contains only an HTML redirect command to call a
menu that is generated by Web Tailor.
6. In the homepage.htm file, change all occurrences of /test/owa to the DAD name
created during the Oracle Apache HTTP Listener configuration. This is the Oracle
Apache HTTP Listener that was configured to connect to your Banner host machine.
Note
The file homefram.htm is no longer necessary since Web Tailor does not
use framesets now.
7. Create a subdirectory called css (if it doesn’t already exist) under the Web server’s
document tree. This is the root directory defined during the Oracle Apache HTTP
Listener configuration.
8. Copy the .css files in the htm directory to the /css directory on the Web server.
They are:
• web_defaulthome.css
• web_defaultmenu.css
• web_defaultapp.css
• web_defer.css
• web_color.css
• web_defaultprint.css
• web_defaulthelp.css
9. The Oracle Apache HTTP Listener component needs to be restarted to recognize the
new files. Refer to the Oracle Apache HTTP Server Installation Guide for
instructions on restarting the Oracle Apache HTTP Listener.
10. The SunGard Higher Education example home page is now accessible via the URL:
http://yourservername:port
Step 2
Set Up Apache httpd.conf for Link Security (Optional)
You can configure the Apache server for extra security against a certain kind of script
injection attack. This setup, described in detail in FAQ 1-2PE6V7, involves prohibiting
links from Self-Service to any URL that is not specifically allowed in the server’s
httpd.conf file.
If you use this security feature, you may need to update the list of links in httpd.conf when
new Self-Service pages are added. In general, three kinds of pages must be listed:
• Pages that are an initial entry point to SSB
• Pages that are called from a redirect in the code
• Pages that are opened in a popup window
See FAQ 1-2PE6V7 for detailed instructions.
Step 3
Review and Customize Global Web Rules
Web rules are global settings. They affect the look and feel of all your self-service pages
and specify how the pages function. You will want to review the SunGard Higher
Education-delivered rules to make sure they are appropriate for your institution.
To define and customize Web rules, select Web Rules from the Web Tailor Administration
Menu. The Customize Web Rules page (twbkrul.P_ModifyPg_WebRules) appears. It
allows you to specify settings such as:
• The number of minutes the system will allow the user to be inactive before timing
out the session
• The formats that will be used for date and time information
• How many days PINs are valid before they must be reset
• If users should see a Terms of Usage page when they first log on
Note
The Java Classpath field is now obsolete.
Note
If your institution is using an LDAP server to authenticate user logons, the
Maximum Number of Login Attempts field and the PIN Expiration in
days field will not be used.
For detailed information about the Customize Web Rules page, refer to the Web Tailor
User Guide.
Step 4
Review and Customize Global User Interface Settings
Examine the basic look and feel of your Web site. You will want to make sure it is
appropriate for your institution.
1. From the Web Tailor Administration Menu in Web Tailor, select Global User
Interface Settings. The changes you make here will affect all the dynamic pages in
your self-service products. These changes include:
• The name of your institution as you would like it displayed on the Web site
• (Optional) A header image that will overlay the background image at the top
of the screen (defined in the CSS)
• The URL that points to the system-level Cascading Style Sheet (CSS) for
application pages
• The URL that points to the system-level HTML Help text
• The URL that points to the CSS that controls how your dynamic Help text is
displayed (Information Text with the label HELP)
Note
Exit Image, Back Image, and Menu Image are obsolete.
2. To use an image of your own to designate error messages, warning messages, or
required fields (optional):
2.1. Follow the instructions in this step to define a new image.
2.2. Return to the Customize Global User Interface Settings page
(twbkglui.P_ModifyPgGlobalUI) and select the new image from the
appropriate pull-down menu.
Step 5
Review and Customize Graphic Elements
Graphic elements are images that can be customized to display at various places in Self-Service Banner. They can be placed next to menu items, error and warning messages,
links, Info Text, and the like. You will want to review the SunGard Higher Education-delivered graphic elements to make sure they are appropriate for your institution.
You can use Web Tailor to customize the graphics and icons that appear on your Web
pages, or to define new ones. To do that, use the following steps:
1. Select Graphic Elements from the Web Tailor Administration Menu. Select the
Create button to create a new element, or choose one from the pull-down menu. The
Customize the Selected Graphic Element page appears.
2. Enter information about the graphic element, including:
• The name of the element. If you are customizing one that has been
delivered by SunGard Higher Education, you may want to rename it
to something unique to your institution
• The URL that points to the element
• The image’s width and height
• Any alternate text to be processed by a user agent such as a screen
reader. This will help a visually-impaired user understand how the
graphic element is used
Step 6
Review and Customize Web Menus and Web Procedures
Review the SunGard Higher Education-delivered menus and Web procedures, and
customize them if necessary. The TWGBWMNU table stores the basic information for all
menus and procedures.
Note
SunGard Higher Education-delivered data has the source BASELINE.
You cannot change it. You can only change Local data. Select Copy
Baseline entries to Local to make a copy of the BASELINE entries with
the source Local. Data delivered by SunGard Higher Education in future
releases will be delivered as BASELINE so the customizations you make
will not be overwritten. This is true for the following four tables:
• TWGBWMNU--Web Tailor menus and procedures
• TWGRWMRL--Web Tailor roles
• TWGRINFO--Web Tailor Information Text
• TWGRMENU--Web Tailor menu items and links
The menus in the self-service products are dynamic, containing a series of links to other
Web pages. Procedures generate Web pages, and can appear as bottom-of-the-page links
on menus.
The names of Web pages are defined as package.procedure combinations, e.g.,
bwgksrvy.P_ShowSurveys.
All dynamically-generated menus and interface procedures that are called from the Oracle
Apache PL/SQL Agent must be defined in Web Tailor.
Menu items defined for a menu appear on the normal Web Tailor-generated menus. Menu
items that are defined to appear on a procedure (an application Web page) will appear as a
set of links on the bottom of the page.
The TWGBWMNU table stores the basic information for all menus and
package.procedures.
Customizing Your Institution’s Menus and Procedures
To use Web Tailor to customize your institution’s menus, access Web Menus and
Procedures from the Web Tailor Administration menu. On the Customize a Web Menu or
Procedure page (twbkwmnu.P_ModifyPgWebMain), choose an existing menu or procedure
from the pull-down menu. For example, to customize the home page provided by SunGard
Higher Education, select homepage from the pull-down list.
Use these steps to enter or change the following information:
1. Create a local row by selecting the Copy Baseline to Local button.
2. Change any of the following:
• The page’s name and description
• The name of the self-service product to which the page belongs, e.g., Student
Self-Service, Finance Self-Service, etc.
• Any comments about the page
3. Select the Enabled check box if you want the Web page to be available to menus and
to other pages. Otherwise, leave it cleared. This is helpful if you are creating a new
page and you have not finished yet; do not select the check box until the page is
ready.
4. Select the Non Secured Access Allowed check box if you want to allow users to access your
page without having them enter a user ID and PIN. Otherwise, leave it cleared.
Note
Non-secured items must appear on non-secured menus to be visible.
5. Set the caching method (if the browser supports caching). Select one of the following
from the pull-down menu:
• Use System Setting
• Allow Caching
• Do Not Allow Caching
Note
You will not usually change this setting.
6. (Optional) Change the page title.
7. (Optional) Change the page header.
8. (Optional) Change the name of the graphic you want displayed at the top of the page.
9. Change the location of the cascading style sheet you want to use for the Web page if
you want to override the system-level style sheet and apply a custom style sheet to
just this page.
Note
The Exit Link Image, Menu Link Image, Help Link Image, and Back Link
Image fields are obsolete. The self-service applications use text links now
instead of images.
Note
You will make your Web pages available to a specific role or roles using
Web Tailor.
Step 7
Review and Assign Web Roles to Web Menus and Procedures
A Web role is a SunGard Higher Education-assigned name for the access privileges that an
end-user can have, based on specific records that exist in the Banner database. In addition,
some roles can be assigned to specific individuals. These are usually administrative roles.
The roles identify the characteristics of the individual ID that logs on to the Web. They
identify main functional areas of Banner that contain information about the person.
A person may have more than one role.
Note
A local TWGRWMRL row is automatically created when a local
TWGBWMNU row is created.
Menu Authorization
Roles determine what menus are displayed after logging on and what a person has access
to. In addition, users can only see items on those menus that their roles authorize them to
see.
Note
Web user roles should not be confused with Banner security roles.
Banner security roles are an element of Banner system security enforced
above the application level. For information about Banner security roles,
see the Banner Security Technical Reference Manual.
The system uses additional criteria and enforces secure access to additional Web pages the
individual can access. For example, a student cannot register for classes if his current
general student record is not active. Refer to each self-service product’s implementation
guide for the rules that control a user’s access and update privileges.
At the bottom of the Customize a Web Menu or Procedure page
(twbkwmnu.P_ModifyPgWebMain), you can identify the roles that can access the pages.
The roles apply equally to menus and procedures.
1. Review the delivered roles to make sure they are appropriate for your institution.
2. If you add a new procedure, assign at least one Web role to it, or else no users will be
able to access it.
Step 8
Review and Define Links on Menus
Now you should review the SunGard Higher Education-delivered links that appear on
your menus. The TWGRMENU table stores the detail information about how to display
individual menu items (menus or procedures).
There are three types:
• Menu item - a procedure or menu associated with (defined on) a menu. These are
what you see on the full-page menus.
• Bottom-of-the-page link - a procedure or menu defined as a menu item on a
procedure that generates a Web page. These links are navigation aids. For example,
bottom-of-the-page links could be used to move back and forth between two
associated Web pages. Bottom-of-the-page links cannot have a graphic in front of
them; they are only text.
• Global menu bottom link - a menu that has been selected to appear at the bottom of
every page in a module via Customize a Module in Web Tailor.
Note
SunGard Higher Education has removed all graphics associated with
menu items, in order to conform to the W3C’s accessibility guidelines.
You can still associate graphics with menu items, but SunGard Higher
Education does not deliver them that way.
All these items will be displayed to the user based on three criteria:
• Is the menu item enabled for the current Web page?
• Is the page to which you want to link enabled in your system?
• Does the user’s role allow them to access the Web page where the link would take
them?
All three questions must be answered yes for the item to appear.
Changing the Delivered Links
To change the delivered links, perform the following steps:
1. Select Menu Items from the Web Tailor Administration Menu.
2. Choose the menu that your links will appear on.
3. Make a local row by selecting the Copy Baseline to Local button.
4. Select Customize Menu Items.
• You can change the order that the items appear in by selecting the appropriate
number from the pull-down menu, then selecting Reorder these Elements.
• You can change the URL, description, status bar text, etc., by selecting the link and
entering the changes on the Customize the selected Menu Item page.
• You can add a menu item by selecting Add a New Menu Item and entering the
information on the Customize the selected Menu Item page.
There are two check boxes when you add a new menu item:
• Submenu indicator - specifies that the object is a Web Tailor menu, not a
package name. When you select it, its name is passed to
twbkwbis.p_genmenu to display a menu of links.
• DB Procedure - if this check box is selected and the Submenu indicator is
not, the object is an application page; a link is constructed to call the
package.procedure directly to generate a Web page.
If neither check box is selected, the link is considered an external link to an outside
site.
• You can add a bottom-of-the-page link by adding the item to the procedure as if it
was a menu itself.
5. Implement optional menu changes.
• You can add a global menu bottom link by selecting Web Modules from the Web
Tailor Administrator menu. Select the appropriate module from the pull-down
menu, and select Customize Module. Expand the pull-down menu next to Global
Menu Bottom Links, and select the appropriate item. Save your changes.
• Menu items may be temporarily disabled without deleting them. This may be very
useful for pages which allow student registration or employee open enrollment.
When these functions are not allowed by your institution, simply clear the Enabled
indicators. Your menu item information will be preserved for the next time the
function should be available.
• Whenever you enable or disable menu items, make sure you find all the
occurrences of the link. For example, View Addresses and Phones is available
from the Personal Information menu and the Update Addresses and Phones page.
For more information, refer to the Web Tailor User Guide.
Step 9
Review and Customize Information Text (Info Text)
Now you should review the delivered Info Text and customize it if necessary. Info Text is
described in detail in the Web Tailor User Guide.
Customizing Info Text
To create or modify Info Text:
1. Select Information Text from the Web Tailor Administration Menu.
2. Choose a package.procedure combination from the pull-down list.
3. Create a local row by selecting the Copy Baseline to Local button.
4. Select Customize Info Text. The Reorder or Customize Information Text page appears.
5. Select the label of the text you want to change, and the Customize the selected
Information Text Entry page (twbkwinf.P_ReorderPgInfoText) appears. You can
alter the Info Text and save your changes. You can also include a graphic with it by
selecting the graphic from the Image pull-down menu. The image will appear to the
left of the Info Text when it is displayed.
The delivered Info Text has been written to be used with all of Self-Service Banner. If
your institution has not licensed all the products, you may want to customize some of
the messages to refer to only those which you have.
Warning
It is very easy to affect the entire page’s appearance by making an error in
any of the embedded HTML in the Info Text. Please test your changes
thoroughly.
Step 10
Add Credit Card Processing (Optional)
Generic Web Credit Card Payment logic exists in several Web General and Web Tailor
packages. These packages let you populate, accept, validate, store, and verify or change
address information.
Any of your Web applications may take advantage of Web Credit Card Payment
processing. There are several aspects of the processing which you will want to evaluate
and, perhaps, implement. For details, refer to Web Credit Card Payments Handbook.
Step 11
Customize the Home Page
To customize the content of the homepage that will be seen by the Web user:
1. Select Menu Items from the Web Tailor Administration Menu.
2. Select homepage from the pull-down list and select the Customize Menu Items
button.
3. Create a local row by selecting the Copy Baseline to Local button.
4. Make your changes and save them.
Step 12
Luminis Integration (Optional)
To integrate Self-Service Banner with Luminis®, refer to LDI for e-Learning Banner
Implementation Guide, Volume 1.
Step 13
Configure Web Tailor for LDAP Server (Optional)
You can use the Lightweight Directory Access Protocol (LDAP) authentication process to
authenticate your users’ IDs and passwords for Self-Service Banner. Users can use their
LDAP user IDs and passwords to log on to all the self-service applications they need to
use.
Note
Admissions Self-Service (part of Student Self-Service) and Advancement
Self-Service allow users to create logon IDs that are temporary (and are
not stored in the SPRIDEN table). LDAP does not authenticate these
users’ credentials.
The mapping between the LDAP user and the self-service user can be stored on the LDAP
server as an attribute, or it can be stored on the Third Party Access Table (GOBTPAC) in
Banner General.
Note
Authentication in Self-Service Banner is accomplished either through a
proprietary ID/PIN mechanism, or through an LDAP bind. These options
are system-wide, and only one can be chosen. If you choose the LDAP
option, the PIN field in the Banner database and all functions in Self-Service
that deal with maintaining the PIN become irrelevant and are not
used. These functions would need to be performed using features of your
LDAP server.
You can set the LDAP authentication process to use Secure Sockets Layer (SSL).
You must perform the following steps to configure Web Tailor for use with your LDAP
server:
1. Set up the LDAP options on the new LDAP Administration page
(twbkldap.P_ModifyPgLDAP) in Web Tailor.
1.1. LDAP Protocol - Specifies the protocol to be used with self-service. Select
LDAP_S if you are using LDAP with SSL at your institution.
1.2. SSL Wallet Location - Specifies the wallet location. This is required if you are
using a one-way or two-way SSL connection.
1.3. SSL Wallet Password - Specifies the wallet password. This is required if you are
using a one-way or two-way SSL connection.
1.4. SSL Authentication Mode - Specifies the Authentication Mode.
These options are described in detail later in this chapter.
2. Set up the Web Tailor parameters on the existing Web Tailor Parameters page.
2.1. LDAPFUNCTION - the package.procedure combination that will perform the
mapping between the LDAP user and self-service ID.
2.2. LDAPPWDLENGTH - the maximum number of characters for the password.
2.3. PINNAME - the PIN’s label on the LDAP logon page. You can customize this
for your institution.
Note
The PIN characteristics set up on the Enterprise PIN Preferences Form
(GUAPPRF) in Banner General are ignored when you are using LDAP to
authenticate your users.
2.4. USERIDLENGTH - the maximum number of characters a user ID can contain.
2.5. USERIDNAME - the user ID’s label on the LDAP logon page. You can
customize this for your institution.
2.6. WEBUSER - this contains the Oracle user that Self-Service Banner will connect
as. The new VBS and Personally Identifiable Information (PII) using FGAC
needs this value to function appropriately.
The value delivered with this parameter is UPDATE ME. You must change this
value to be the Oracle ID your users will use to connect to Self-Service Banner
(e.g., OAS_PUBLIC).
Note
This value is required for the system to function properly, regardless of
whether you are using FGAC with VBS or PII.
3. (Optional) Use the column on the GOBTPAC table to map the user to their LDAP
user ID. You can populate the column by using the GOATPAD form.
LDAP Function Mapping
The following functions are provided by SunGard Higher Education to perform LDAP
mapping. You must define the function you use on the Web Tailor Parameters page
(twbkparm.P_DispAllParams) as LDAPFUNCTION.
Warning
When mapping an LDAP user ID on the GOATPAD form, be sure to
assign a different LDAP ID for each Banner ID. They must be unique.
Note
If you want to create a custom function, SunGard Higher Education
recommends that you copy one of the existing functions, modify it, and
change the Web Tailor parameter LDAPFUNCTION to point to it.
Delivered Function: F_LDAP_CUSTOMSEARCH
Storage Location of Self-Service Mapping: LDAP Server
Description: Returns a string exactly as it is. Use this function if the LDAP user is
mapped to Self-Service Banner by storing self-service IDs as an attribute in LDAP.

Delivered Function: F_LDAP_CPSEARCH
Storage Location of Self-Service Mapping: LDAP Server
Description: In addition to mapping LDAP to Self-Service Banner, it also manipulates
the returning string to remove extraneous text from the end of it.

Delivered Function: F_LDAP_BANNERSEARCH
Storage Location of Self-Service Mapping: GOBTPAC
Description: Returns the mapping from the GOBTPAC table. Use this function if the
LDAP user is mapped to Self-Service Banner by storing the LDAP user ID in the
GOBTPAC_LDAP_USER column in the GOBTPAC table.
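An added example (not SunGard code) of auditing the uniqueness that the warning in this section requires when the mapping is stored in GOBTPAC: it reads the GOBTPAC_LDAP_USER values and reports every LDAP ID assigned to more than one Banner record. The sqlite3 table and its rows are a constructed stand-in for GOBTPAC, GOBTPAC_PIDM is assumed to be the column that identifies the Banner record, and folding case and surrounding whitespace is an assumption about how your directory matches user IDs.

```python
import sqlite3
from collections import defaultdict

# Plain SELECT with no SQLite-specific syntax, so the same statement can be
# run against the real table. GOBTPAC_PIDM is an assumed key column.
MAPPING_QUERY = """
    SELECT gobtpac_pidm, gobtpac_ldap_user
      FROM gobtpac
     WHERE gobtpac_ldap_user IS NOT NULL
"""


def normalize(ldap_id):
    """Fold case and surrounding whitespace.

    Assumption: the directory matches user IDs case-insensitively, so
    'jsmith' and 'JSmith ' would bind as the same LDAP user.
    """
    return ldap_id.strip().casefold()


def find_shared_ldap_ids(conn):
    """Return {normalized LDAP ID: sorted PIDMs} for each LDAP ID that is
    mapped to more than one Banner record."""
    owners = defaultdict(set)
    for pidm, ldap_id in conn.execute(MAPPING_QUERY):
        key = normalize(ldap_id)
        if key:  # ignore values that are blank after trimming
            owners[key].add(pidm)
    return {
        key: sorted(pidms)
        for key, pidms in sorted(owners.items())
        if len(pidms) > 1
    }


def build_sample_db():
    """In-memory stand-in for GOBTPAC holding constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE gobtpac ("
        " gobtpac_pidm INTEGER PRIMARY KEY,"
        " gobtpac_ldap_user TEXT)"
    )
    conn.executemany(
        "INSERT INTO gobtpac VALUES (?, ?)",
        [
            (1001, "jsmith"),
            (1002, "mlee"),
            (1003, "JSmith "),   # same LDAP ID as 1001 after normalizing
            (1004, None),        # no LDAP mapping for this record
            (1005, "apatel"),
            (1006, "mlee"),      # exact duplicate of 1002
            (1007, "   "),       # blank value, ignored
        ],
    )
    return conn


if __name__ == "__main__":
    shared = find_shared_ldap_ids(build_sample_db())
    for ldap_id, pidms in shared.items():
        print(f"LDAP ID {ldap_id!r} is mapped to Banner records {pidms}")
```

An empty result means every LDAP ID in the mapping belongs to exactly one Banner record.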
Step 14
Assign View and Update Privileges for Addresses
Until this point, you have performed most of the set-up and customization work using Web
Tailor. Now there are some steps that you must perform using Banner General.
In Banner General, use the Address Role Privileges Form (GOAADRL) to associate an
address type code from the Address Type Code Validation Form (STVATYP) with a user
role (student, employee, alumni or faculty member) and access privilege (update, display,
or none). Information from this form determines access to the Update Addresses and
Phones and View Addresses and Phones pages.
For example, you can grant the Student role the authority to update billing addresses.
Address Type
The value in this field is validated against the Address Type
Validation Table (STVATYP).
Role
The type of user to be granted a level of address view privilege.
Set the Role field to the appropriate value.
Privileges
This value indicates what the privilege is. To specify that a
certain role has no privilege on an address type, either list it with
a privilege of None or omit it from the table.
Valid values are:
U = Update
D = Display
N = None
In Banner General, the underlying table for the Address Role Privileges Form is
GORADRL, which is described below.
| Field Name | Data Type | Null Indicator |
|---|---|---|
| GORADRL_ATYP_CODE | VARCHAR2(2) | NOT NULL |
| GORADRL_ROLE | VARCHAR2(30) | NOT NULL |
| GORADRL_PRIV_IND | VARCHAR2(1) | NOT NULL |
| GORADRL_ACTIVITY_DATE | DATE | NOT NULL |
Step 15 Establish Web User Parameters and Third Party History Information
PIN administration is performed using Banner General, unless you are using an LDAP
server for authentications. In that case, the PIN administration features in Web Tailor are
ignored.
In Banner General:
• A history of all PIN changes, and the User ID responsible for those changes, is
stored in the Third Party Access Audit Form (GOATPAD). Only system
administrators should be able to access this form.
• Another General form used for managing PINs is the Third Party Access Form
(GOATPAC). You would use it to set up user parameters for third-party access
products. This form allows employees to reset someone’s PIN without seeing what
that new PIN is.
The same PIN can be used by authorized end-users to access personal and institution
information via telephone Voice Response, Kiosk and the Web.
Once a PIN has been assigned, the user can change it at any time. Your institution’s
policies and procedures may also require PIN changes by designating expiration dates.
Assigning PINs
PINs can be assigned either manually or automatically.
Manual PIN Assignment
Use the Third Party Access Form (GOATPAC) to set up PINs and other user parameters
for third party access products. To update third party information or to view third party
history information, use the Third Party Access Audit Form (GOATPAD). You access the
forms from the General Web Management Menu in Banner General.
Automatic PIN Assignment
A person must have a PIN to be selected for extraction by any of the data synchronization
programs that load third-party systems (such as Luminis or WebCT). Banner system
administrators can assign PINs manually using GOATPAC, or they can create third party
PIN records automatically when they create roles for individuals, to save time.
The Enterprise PIN Preferences Form (GUAPPRF) allows you to specify institution-wide
preferences for how PINs will be handled.
• Source Table Triggers
Individual triggers at the source tables are associated with base student-related
processing for students themselves (SGBSTDN), for instructors (SIBINST), and
for financial aid (RORSTAT). These triggers create updated PIN records for the
GOBTPAC, GOBSRID, and GORPAUD tables.
Your institution may want to disable automatic PIN assignment at critical times,
such as during a large financial aid data load.
• Batch Processing
Administrators may run the batch Third Party Access Creation Program
(GURTPAC), specifying population selection parameters, to create PIN records for
all the persons identified in the selection. The process generates PINs and
associated detail (audit trails, external user ID, Sourced ID) if a previous PIN
record does not exist. If a PIN record does exist, the person will be bypassed. The
program prints a standard control report, but you may request a detailed status
report, too.
Population selection required runtime parameters include: Application, Selection
ID, Creator ID, and User ID. They are checked by a job-level validation routine to
make sure that the combination of keys is valid with at least one associated PIDM.
The routine converts any lower case input characters to upper case, to prevent
rejection through job submission.
You can add the following parameters:
| # - Parameter | Description | Length | Validation |
|---|---|---|---|
| 01 - Application | Application for the selected population. Required. | 30 characters | GLBAPPL_EQUAL |
| 02 - Selection ID | An identifier for the selected population. Required. | 30 characters | Null |
| 03 - Creator ID | The creator of the Selection ID rules. Required. | 30 characters | Null |
| 04 - User ID | The ID of administrator who performed the population selection. Required. | 30 characters | Null |
| 05 - Pre-expire PINs? | Specifies whether PIN numbers should be pre-expired. When set to Y, the PIN records you create have yesterday’s date as a PIN Expiration Date. When set to N, the PIN Expiration Date is null. | One character | Null. Valid values are Y and N, from GJBPVAL. |
| 06 - Print Report Detail? | Specifies whether to produce a detailed report in addition to the standard control report. When set to Y, the report lists each person in the selection, and the action that occurred. The detailed report includes the person’s current ID, current name, and a status message, sorted by last name. The generated PIN is not displayed for security reasons. | One character | Null. Valid values are Y, N, and E, from GJBPVAL. N = Print only the standard report. Y = Print the report plus detail. E = Print errors only. |
Entering Current PIN Information
To enter current PIN information, enter the appropriate information into these fields on the
Third Party Access Form (GOATPAC):
PIN Disabled
Use the PIN Disabled Indicator to deny a user access privileges even
with a correct ID and PIN combination. The system administrator can
set this indicator manually.
The system will update the indicator from cleared (No) to selected
(Yes). Access is denied if the number of invalid Web login attempts
using that ID reaches the number of Login Attempts specified on the
Web Tailor Web Rules page (twbkwrul.P_ModifyPgWebRules). For
example, if the number of login attempts allowed in Web Tailor is 3,
and the third attempt still uses an invalid PIN, the system selects the
indicator.
The indicator’s default value is cleared for a newly-created PIN. It
retains its current setting (selected or cleared) if a PIN is changed
directly on this form; you must manually clear the check box before the
user can access the account again, even with the new PIN.
Web Access
Terms Accepted
The Usage Accepted Indicator. Use this field to specify whether to
present the Terms of Usage page to Web users when they logon for the
first time. The Terms of Usage page carries the institution’s conditions
of use and other information.
If your institution is using the Terms of Usage page, a Web user must
agree to its terms to proceed. After the user agrees, the indicator is
updated to selected (Yes), and the page will not be displayed when they
logon again. If your institution is not using the Terms of Usage page,
the value in the Accept field will always be cleared (No).
If you need to change the information on the Terms of Usage page and
redisplay it to all your users, clear the indicators for all users (No).
Valid values are:
• Selected (Yes) = Accepted
• Cleared (No) = Not accepted (default)
The Usage Accepted Indicator defaults to cleared when a new PIN is
created. When an existing PIN is changed, it keeps its current setting
(selected or cleared).
PIN Expiration
Date
Use the PIN Expiration Date field to specify a date on which you
require a Web user to change the PIN. An expiration date may be
specified at any time. The existing PIN is not valid on the expiration
date. If it has expired, the user must change their PIN on the Web, or
an administrator may change the PIN Expiration Date in this form.
The Web system calculates an expiration date for the new PIN if the
PIN Expiration Days rule in the Web Tailor has a value. The number
of expiration days is added to the current date to calculate the new
expiration date. This new expiration date will be updated and displayed
in this field.
If your institution sets no expiration date for PINs and no Expiration
Days rule exists in Web Tailor, then no new expiration date will be
calculated. If you want to pre-expire a PIN, enter a past date in the
field.
Last Web Access
Date
Date of the last Web access by this user, maintained by Web Tailor.
Reset PIN
An icon that invokes a procedure to change the current PIN value of
the person identified in the key block. The procedure sets the PIN
expiration date to one day less than the current day. When the PIN
value is changed with this procedure, Banner inserts a record into the
PIN History Table (GORPAUD) via a database trigger on the
GOBTPAC table. GORPAUD_CHANGE_IND is set to P.
Note: The value of the new PIN depends on the PIN reset preferences
set for the institution on the GUAPPRF form. Note that U.S.-based
institutions should not use the birthdate option for PIN resets.
According to the U.S. Family Policy Compliance Office (FPCO),
using a student’s birthdate when assigning PINs is a violation of the
Family Educational Rights and Privacy Act (FERPA).
Third Party ID
Mapped to GOBTPAC_EXTERNAL_USER, this is a unique ID within
Banner. When this value is changed, Banner inserts a record into the
PIN History Table (GORPAUD) via a database trigger on the
GOBTPAC table. GORPAUD_CHANGE_IND is set to I.
LDAP User ID
The mapping between the Banner ID and the LDAP User ID. This
allows LDAP to use the settings in Banner General to regulate how the
user’s credentials are authenticated. Optional.
Changing Third Party Information or Viewing History
To change third party information, or view history, use the following fields on the Third
Party Access Audit Form (GOATPAD) in Banner General:
PIN
Enter a new PIN or change an existing PIN for the user. PINs must be six
digits; letters are not permitted. To create a new PIN, enter the six digits
for the PIN and save the record. To change an existing PIN to a new one,
overtype the old PIN with the new one and save the change. You may also
create or change a PIN by selecting the Update button located next to the
PIN heading.
Disabled
Use the PIN Disabled Indicator to deny a user access privileges even
with a correct ID and PIN combination. As the system administrator, you
may set this indicator manually.
The system will update the indicator from cleared (No) to selected (Yes),
meaning that access is denied, if the number of invalid Web logon
attempts using that ID reaches the number specified on the Web Tailor
Web Rules page (twbkwrul.P_ModifyPgWebRules). For example, if the
number of logon attempts allowed in Web Tailor is 3, and the third
attempt still uses an invalid PIN, the system selects the indicator.
The indicator defaults to cleared when a new PIN is created. It retains its
current setting (selected or cleared) if a PIN is changed directly on this
form; you must manually remove it before the user can access the account
again, even with the new PIN.
Accepted
The Usage Accepted Indicator. Use this field to specify whether to
present the Terms of Usage page to Web users when they log on for the
first time. The Terms of Usage page carries the institution’s conditions of
use and other information.
If your institution is using the Terms of Usage page, a Web user must
agree to its terms to proceed. After the user agrees, the indicator is
updated to selected (Yes), and the page will not be displayed when they
log on again. If your institution is not using the Terms of Usage page, the
value in the Accept field will always be cleared (No).
If you need to change the information on the Terms of Usage page and
redisplay it to all your users, reset all the Accept indicators to cleared
(No).
Valid values are:
• Selected (Yes) = Accepted
• Cleared (No) = Not accepted (default)
The Usage Accepted Indicator defaults to cleared when a new PIN is
created. When an existing PIN is changed, it keeps its current setting
(selected or cleared).
Expiration Date
Use the Expiration Date field to specify when you require a user to
change the PIN. You can specify an expiration date at any time. The
existing PIN is no longer valid on the expiration date. If the PIN has
expired, the user must change their PIN on the Web, or an administrator
may change the PIN Expiration Date in this form.
The system calculates an expiration date for the new PIN if the PIN
Expiration Days rule in the Web Tailor has a value. The number of
expiration days is added to the current date, and this calculated date is
displayed here.
If your institution sets no expiration date for PINs and no Expiration Days
rule exists in Web Tailor, then no new expiration date will be calculated.
If you want to pre-expire a PIN, enter a past date in the field.
User ID
The User ID field displays the Oracle User ID associated with any change
on this form. If the PIN is entered or changed in Banner, the User ID is
the Banner Oracle User ID. If the PIN is changed on the Web by the user,
the User ID is the Oracle Web Broker User ID. The cursor cannot be
moved to this field, but in query mode the field can be accessed and used
to specify query criteria.
Last Web Access
Date
The date derived from Web Tailor Web Session Table, TWGBWSES, of
the last time the user accessed a self-service product.
Activity Date
The Activity Date field contains the system-maintained date on which
the last change was made on the GOATPAD form. The cursor cannot be
positioned to this field, but in query mode users can access the field to
specify query criteria.
Third Party ID
Mapped to GOBTPAC_EXTERNAL_USER, this is a unique ID within Banner.
When this value is changed, Banner inserts a record into the PIN History
Table (GORPAUD) via a database trigger on the GOBTPAC table.
GORPAUD_CHANGE_IND is set to I. A Third Party ID may also be created or
changed by selecting the Update button next to the Third Party ID field.
Sourced ID
System-generated, one-up number used to synchronize the user's data
with various SunGard Higher Education partner systems. The ID is
unique for the PIDM. This is a display-only field.
LDAP User ID
The mapping between the Banner ID and the LDAP User ID. This allows
LDAP to use the settings in Banner General to regulate how the user’s
credentials are authenticated. Optional.
PIN Hint Question
A free-form text field, this value is mapped to GOBTPAC_QUESTION. The
field is required if GOBTPAC_RESPONSE is populated.
PIN Hint
Response
A free-form text field, this value is mapped to GOBTPAC_RESPONSE. The
field is required if GOBTPAC_QUESTION is populated.
Activity Source
Describes the source of the PIN insert or update. Valid codes are:
SELF = User changed the PIN record;
ADMIN = Administrator changed the PIN record;
SYSTEM = Record was changed by logic in a process.
For details about the Third Party Access Form (GOATPAC), refer to “Self-Service
Technical Information” on page 135.
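How the PIN Disabled indicator, the PIN Expiration Date and the Reset PIN procedure described for GOATPAC and GOATPAD interact, written as an added Python model and not Banner code. The class and function names, the attempt counter, the clear-text PIN comparison and the sample PINs and date are assumptions of the model; it also assumes that a successful login resets the count and that a Web change with no Expiration Days rule leaves the date empty.

```python
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class WebRules:
    login_attempts: int = 3                    # Login Attempts (Web Rules page)
    pin_expiration_days: Optional[int] = None  # PIN Expiration Days; None = no rule


@dataclass
class PinRecord:
    pin: str                                # kept in clear only to keep the model short
    disabled: bool = False                  # PIN Disabled: cleared for a new PIN
    expiration_date: Optional[date] = None  # PIN Expiration Date
    invalid_attempts: int = 0               # counter invented for this model


def is_valid_pin(pin: str) -> bool:
    """PINs must be six digits; letters are not permitted."""
    return len(pin) == 6 and pin.isascii() and pin.isdigit()


def web_login(rec: PinRecord, supplied: str, today: date, rules: WebRules) -> str:
    if rec.disabled:
        return "DENIED_DISABLED"       # denied even with a correct ID and PIN
    if not hmac.compare_digest(rec.pin.encode(), supplied.encode()):
        rec.invalid_attempts += 1
        if rec.invalid_attempts >= rules.login_attempts:
            rec.disabled = True        # the system selects the indicator
        return "DENIED_INVALID_PIN"
    rec.invalid_attempts = 0           # assumption: a good login resets the count
    if rec.expiration_date is not None and today >= rec.expiration_date:
        return "MUST_CHANGE_PIN"       # the PIN is not valid on the expiration date
    return "OK"


def _set_pin(rec: PinRecord, new_pin: str) -> None:
    if not is_valid_pin(new_pin):
        raise ValueError("PIN must be exactly six digits")
    rec.pin = new_pin


def change_pin_on_web(rec: PinRecord, new_pin: str, today: date, rules: WebRules) -> None:
    """User changes the PIN on the Web: expiration = today + Expiration Days."""
    _set_pin(rec, new_pin)
    if rules.pin_expiration_days is not None:
        rec.expiration_date = today + timedelta(days=rules.pin_expiration_days)
    else:
        rec.expiration_date = None     # assumption: no rule leaves the date empty


def change_pin_on_form(rec: PinRecord, new_pin: str) -> None:
    """PIN typed directly on the form: the Disabled indicator keeps its setting."""
    _set_pin(rec, new_pin)


def reset_pin(rec: PinRecord, new_pin: str, today: date) -> None:
    """Reset PIN procedure: expiration is set to one day less than the current day."""
    _set_pin(rec, new_pin)
    rec.expiration_date = today - timedelta(days=1)


def clear_disabled(rec: PinRecord) -> None:
    """Administrator manually clears the PIN Disabled indicator."""
    rec.disabled = False
    rec.invalid_attempts = 0


def help_desk_scenario():
    today = date(2009, 12, 1)          # constructed date and PINs
    rules = WebRules(login_attempts=3, pin_expiration_days=90)
    rec = PinRecord(pin="482913")
    seen = [web_login(rec, guess, today, rules) for guess in ("000000", "111111", "222222")]
    seen.append(web_login(rec, "482913", today, rules))  # correct PIN, but locked out
    reset_pin(rec, "735104", today)
    seen.append(web_login(rec, "735104", today, rules))  # reset alone does not unlock
    clear_disabled(rec)
    seen.append(web_login(rec, "735104", today, rules))  # pre-expired by the reset
    change_pin_on_web(rec, "906217", today, rules)
    seen.append(web_login(rec, "906217", today, rules))
    return seen, rec


if __name__ == "__main__":
    outcomes, record = help_desk_scenario()
    for step, outcome in enumerate(outcomes, 1):
        print(step, outcome)
    print("expires", record.expiration_date)
```

The scenario shows the two points that are easy to miss in support procedures: a reset does not unlock a disabled account, and a reset PIN can only be used to reach the change-PIN step.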
Step 16 Set Up Campus Directory Processing
Web General lets your institution create campus directories for staff, and class member
directories for alumni.
Batch program bwpredir collects directory information, storing it in tables for display on
the Campus Directory page. The page lists address and phone information for each
directory listing in alphabetical order by the individual’s last name or by Department.
Online, Web readers may use the links to jump to different letters of the alphabet to find
other student or staff listings.
The employee directory program runs through Job Submission.
The Employee Directory Report is delivered with the Employee Self-Service product.
Please consult the Employee Self-Service User Guide for detailed instructions on how to run
the campus directory programs. The Alumni directories are delivered with Advancement
Self-Service.
1. Review Banner General Directory Options. Although the campus directories
themselves are generated using Web General, they are set up in Banner General:
1.1. Use the Directory Options Rule Form (GOADIRO) to determine the campus
directory options, preferred addresses and telephone numbers to include in the
campus directory.
1.2. Use the Directory Item Validation Form (GTVDIRO) to list the valid options of
each individual in the directory.
2. Set up the Campus Directory Profile.
In Banner General, use the Directory Options Rule Form (GOADIRO) to determine
which directory profile options from the Directory Profile Table (GORDPRF) will be
included in the campus directory or alumni directory. The form contains indicators for
all of the directory fields.
Another set of indicators allows your institution to determine whether to allow the
user to choose to display a particular item of his or her information in the directory.
Still another set of check boxes allows the institution to determine which profile
information will be defaulted to the campus directory if a user does not have a
directory profile setup.
GOADIRO includes other columns in which to enter address and telephone types,
associated with a priority number to enable the directory processes and profile to
know which addresses and numbers to display and/or update. If telephone types are
not entered, the primary telephone type associated with the corresponding address will
be used. If such a phone number cannot be found, then the system displays "Not
Reported" on the Web page.
Note
A separate address hierarchy is required because employees and
students will often have different address types for their permanent
addresses. With an address hierarchy, the employee directory will be able
to find addresses for students who are also employees. Were there only
one employee address type for permanent address, student employees
would be listed in the employee directory without permanent addresses.
The following is an example of what GOADIRO needs to include to produce the Campus
Directory.
| Directory Information Item Code | Directory Information Description | Print in Alumni, Employee or All Directories | Item Type Indicator - Address, Telephone, or Not Applicable (N/A) | Include in Directory Profile | Allow User to Choose to Display in Directory | Default to Directory for Users without a Directory Profile |
|---|---|---|---|---|---|---|
| NAME | Permanent Name | All | N/A | (Yes) | (Yes) | (Yes) |
| ADDR_PR | Permanent Address | All | Address | (Yes) | (Yes) | (Yes) |
| TELE_PR | Permanent Telephone | All | Telephone | (Yes) | (Yes) | (Yes) |
| ADDR_CP | Campus Address | All | Address | (Yes) | (Yes) | (Yes) |
| TELE_CP | Campus Phone | Employee | Telephone | (Yes) | (Yes) | (Yes) |
| ADDR_OF | Office Address | Employee | Address | (Yes) | (Yes) | (Yes) |
| Directory Information Item Code | Directory Information Description | Print in Alumni, Employee or All Directories | Item Type Indicator - Address, Telephone, or Not Applicable (N/A) |
|---|---|---|---|
| TELE_OF | Office Phone | Employee | Telephone |
| TELE_FAX | FAX Number | All | Telephone |
| EMAIL | E-mail | All | N/A |
| DEPT | Department | Employee | N/A |
| GRD_YEAR | Expected Graduation Year | Employee | N/A |
| COLLEGE | College Affiliation | Alumni | N/A |
| TITLE | Employee Position Title | Employee | N/A |
| MAIDEN | Maiden Name | Alumni | N/A |
| ADDR_HO | Home Address | Alumni | N/A |
| TELE_HO | Home Phone | Alumni | N/A |
| ADDR_BU | Business Address | Alumni | N/A |
| TELE_BU | Business Phone | Alumni | N/A |
| CLASS_YR | Class Year | Alumni | N/A |
| PR_COLL | Preferred College | Alumni | N/A |

Include in Directory Profile / Allow User to Choose to Display in Directory: (Yes)
Default to Directory for Users without a Directory profile: (Yes)
For details about the Campus Directory tables, refer to “Self-Service Technical
Information” on page 135.
Step 17 Set Up Web E-Mail Address Options
Web General allows users to change an e-mail address online. The end user can select the
e-mail address type (personal, professional, alternate, school, etc.) to add or change.
Use Banner General to set up this feature:
• All of the end user’s addresses appear on the E-mail Address Form (GOAEMAL).
If the Display on Web indicator is selected, that address will appear in Web
General.
• The E-Mail Address Type Validation Form (GTVEMAL) determines which types
of addresses are available in the pull-down list.
E-mail Address Form (GOAEMAL)
The E-mail Address Form lets you maintain one or more e-mail addresses for any ID
already entered into Banner.
You can enter more than one of the same type of e-mail address, but you cannot enter the
same e-mail address for the same type.
Only one e-mail record may be designated as the preferred e-mail address.
In the E-mail Address Block, users enter and update one or more e-mail addresses for an
individual ID. When entering a new record, both the e-mail type and e-mail address must
be specified.
If the Inactivate indicator is not selected on GOAEMAL, the e-mail address information
is currently active, and an A is stored in the database field (goremal_status_ind). If the
Inactivate indicator is selected on GOAEMAL, the e-mail address information is inactive,
and an I is stored in the database field (goremal_status_ind).
When a user adds a new e-mail address, the system sets:
• The Preferred indicator to cleared (or No, meaning not preferred)
• The Inactivate indicator to cleared (or A, meaning active).
If a previous e-mail address had been the preferred address, its Preferred indicator is
automatically cleared (not preferred).
E-mail Type
Enter the code for the type of e-mail address associated with the record.
They can use the LIST function from this field to display the valid e-mail
address types defined in the E-mail Address Type Validation Form
(GTVEMAL), search the items listed, and select one. Required.
E-mail
Addr(ess)
Specify the full e-mail address for the e-mail type record.
The address should be entered with all the required syntax and
punctuation. No validation is performed for entries in this field, other
than checking for duplicates, and no e-mail processing is supported. The
stored e-mail address is required, and is informational only. Required.
Preferred
The e-mail address selected is the user’s preferred e-mail address. If
multiple e-mail addresses exist for the person in the key block, only one of
those addresses may be checked as the preferred e-mail address. If a
preferred e-mail address is updated to inactive, the system will
automatically remove the preferred indicator (cleared).
E-mail Address Type Validation Form (GTVEMAL)
Use this form to define the valid e-mail address type codes for your institution. Examples
of e-mail address types include business, personal, and school.
These codes are used on the E-mail Address Form (GOAEMAL) to enter e-mail address
information for individuals.
Code
Enter the code for the type of e-mail address. Required.
Description
Specify the description that should appear on Web pages where users can
view or update e-mail information. Once created, an e-mail address type
code cannot be changed, but the description can be updated any time.
Required.
Activity Date
The date that the record was created or was last changed.
Web
Specifies if the e-mail type will be included in LOVs in Self-Service
Banner as a valid address type.
Note: This indicator has no influence on the E-mail Address Form
(GOAEMAL). Instead, this indicator specifies if this type of address is
valid for use on the Web at your institution. You can use GOAEMAL
to determine which addresses for a particular person should appear
on the Web. For example, you may want a person’s university
address to appear, but not their home address.
URL
If selected, the e-mail address type is a URL.
Step 18 Set Up Web Surveys
Use the Survey Definition Form (GUASRVY) in Banner General to define the following
information for a survey:
• Whether the survey appears on the Web
• Date range when the survey appears on the Web
• Description that appears on the Web
• Questions and valid responses in the survey
• Web products and populations that can access the survey
Main Window
Use this window to describe the survey and, optionally, to identify a population of Banner
IDs that can respond to the survey.
Survey
Name of the survey.
Title
Description of the survey that appears, if the survey is displayed on the
Web.
Display on Web
If selected, the survey should appear on the Web.
Display from
First day the survey is displayed on the Web. The format is DD-MON-YYYY.
Display to
Last day the survey is displayed on the Web. The format is DD-MON-YYYY.
Information Text
Free-form description that appears if the survey is displayed on the Web.
Edit: Editor window
Application
Functional area associated with a population of Banner IDs.
List: Population Selection Applications
Selection
Code that identifies a set of rules to select a population of Banner IDs.
List: Population Selections
Creator
Oracle ID of the user who created the rules to select the population.
User
Oracle ID of the user who ran the Population Selection Extract Process
(GLBDATA) to select the population of Banner IDs.
Note: The Application, Selection, Creator, and User fields identify a
population of Banner IDs that can access and respond to the survey.
No other IDs can access the survey.
Survey Questions Window
Use this window to define the questions and valid responses for the survey.
Survey Name
Name of the survey. This field is display only.
Title
Description of the survey. This field is display only.
Question
Number
Sequential number that identifies each question in the survey. Use
the scroll bar to scroll through the questions in the survey. The
maximum number of questions is 999.
(untitled)
Free-form text of each question in the survey.
If the question is too long to display in this field, select Edit to
display the complete question in the Editor window.
Allow Multiple
Responses
If selected, the person taking the survey can give more than one
response to the question, and Y is stored in the database. If cleared,
only one response is allowed and N is stored in the database.
Response [n]
Free-form text that appears on the Web to describe each possible
response to the question. A question can have up to five responses.
Allow
Comments
If selected, the person taking the survey can enter comments as a
response, and Y is stored in the database. If cleared, comments are
not allowed and N is stored in the database.
Comment Text
Free-form text that appears on the Web before the comment box if
comments can be entered as a response.
Survey Roles Window
Use this window to define the self-service products where the survey can appear.
Survey
Name of the survey. This field is display-only.
Title
Description of the survey. This field is display-only.
Roles
Self-service product where the survey can appear. Valid values are
ALUMNI, EMPLOYEE, FACULTY, and STUDENT.
Activity Date
Date when the role was entered or last changed. Display-only.
3 Required Tasks for Single Sign-On (SSO) to INB, SSB, and/or Channels
Overview
This chapter contains the preliminary steps you must perform in order to set up Single
Sign-On for either Internet-Native Banner® (INB), Self-Service Banner (SSB), or both.
1. “Create an Encryption Key” on page 75
2. “Create Entries in LDAP to Store Configuration Values” on page 76
3. “Configure Parameters using GUAUPRF” on page 78
After completing the steps in this chapter, you must then proceed to the corresponding
Single Sign-On chapter for INB (chapter 4) and/or SSB (chapter 5).
Note
The use of Single Sign-On functionality is optional. If you do not use this
feature at your institution, you do not need to perform the steps in this
chapter.
Note
This section does not cover SSO setup through Banner Enterprise
Identity Services. If you are using Banner Enterprise Identity Services,
please refer instead to the Banner Enterprise Identity Services Handbook.
The Banner implementation of SSO described in this chapter uses a Lightweight Directory
Access Protocol (LDAP) server as a data store and for user validation. It is assumed that
Luminis® or another product will provide the SSO framework and session management
for your institution. The implementation steps in this chapter tell you how to add Banner
as a participant in an existing LDAP and SSO framework.
About Single Sign-On
In the context of Banner, the term Single Sign-On, or SSO, means that users can access
your applications in two different ways:
• Through the Luminis Portal using the Campus Pipeline Integration Protocol
(CPIP).
• Using an LDAP proxy. You can set up an LDAP server as a “proxy” for
authentication, and require your users to enter their bind credential, for example, a
user ID and password. If they successfully bind to the LDAP server, they are also
logged into Banner.
You can implement both options using the same set of database packages and a Java
Applet that wraps the Oracle-delivered Forms Applet. The database packages use
configuration data from the Personal Preference Table (GURUPRF), entries on the LDAP
server, and other configuration data to define the names of servers and directories. These
packages are implemented using the PL/SQL features of the OAS10g server.
If you are using the Luminis Portal:
3.1. You will configure Luminis to recognize the external system sctinb.
3.2. You will add a link to a page in Luminis that references both the sctinb external
system and the INB URL.
3.3. When a user is logged on to Luminis and selects the above link, the package
GOKKSSO gets the Luminis user ID and password from the Luminis server
using a server-to-server HTTP connection, and validates it by binding back to
the Luminis LDAP Server. The Luminis user ID is now mapped to the Banner
user ID, if they are different.
The GOKSSSO package generates key information for SSO.
3.4. The user ID and password are then obfuscated using a key generated by
GOKKSSO and the Oracle DBMS_OBFUSCATION_TOOLKIT utility, and a random
session identifier is generated. The obfuscated user ID and password are DES
Encrypted and placed on a DBMS_PIPE or on the SSO_Q queue if the Advanced
Queuing alternate communication mechanism to that of DBMS_PIPE has been
implemented.
3.5. An HTTP Redirect sends the obfuscated information to the GOKCSSO
package. This package generates client information for SSO.
3.6. The GOKCSSO package reads the encrypted data from the pipe or dequeues
from the SSO_Q queue, extracts the obfuscated user ID and password, and alters
the Banner password to match the Luminis password. It then generates a new
session identifier, puts the user ID and password on another DBMS_PIPE or on
the SSO_Q queue if the Advanced Queuing alternate communication mechanism
to that of DBMS_PIPE has been implemented, and redirects it to the INB URL.
3.7. SunGard® Higher Education’s configuration changes to the INB URL files
cause the Oracle-delivered Applet to be wrapped by a SunGard Higher
Education-delivered Applet. The SunGard Higher Education Applet reads the
data from the DBMS_PIPE (or dequeues from the SSO_Q queue) and extracts the
obfuscated user ID and password. It then calls the Oracle Applet, passing it the
user ID and password, and the user is logged into Banner.
The process is the same without Luminis, except that the user ID and password
originate in a different place. A new Web page defined in gokssso.p_login
prompts the user for an ID and password, then the same programming logic
processes the information.
ID Mappings Between Systems
It is time-consuming and frustrating for users to have to remember different user IDs and
passwords for different systems. ID mappings enable you to store the IDs and passwords
in a single location, so that when a user logs onto an application with one ID and
password, and then goes to another application, the system can look up that user’s ID and
password for the second application and enter it automatically.
Single Sign-On between Luminis and Banner
The following points describe how SSO works between Luminis and Banner:
• The mapping exists on the LDAP server, stored in a DN specified in configuration
parameters.
• The configuration values are loaded into Banner to point to the SSO procedures at
the Luminis LDAP server.
• The Luminis ID is mapped to the Banner ID. The Banner password is synchronized
to the Luminis password for every login.
• You will log on to both Banner and Luminis using your Luminis ID and password.
• No mapping is defined for situations where your Luminis user ID and password are
used to connect to Banner. If this mapping entry is not defined, the procedures
assume that the Luminis and Banner users are identical.
Single Sign-On between Luminis and Self-Service Banner
The following points describe how SSO works between Luminis and Self-Service Banner:
• The mapping exists in the Luminis LDAP server in the pdsExternalSystemID
attribute. It is a multi-value attribute, and the last five characters of it must be:
::SCT
The PIN for this user is also stored in the Luminis “secret store”.
• The values are loaded into Banner when the extract is run against Banner.
Note
The mapping in the GOBEACC table is used to create an Oracle
connection to self-service pages that are restricted using the
Administration Secured feature. For more information, please refer to the
WebTailor 7.0 Release Guide.
• The Luminis ID is mapped to the Banner ID.
• You will log on to both Banner and Luminis using your Luminis ID and password.
Single Sign-On between Luminis/Channels and Banner
The following points describe how SSO works between Luminis Channels and Banner:
• The UserMapDN exists on the LDAP server. For details, refer to:
    • Step 1, “Update New Entries in LDAP for INB” in Chapter 4
    • Step 2, “Update New Entries in LDAP for SSB” in Chapter 5
• The proxy package GSPPRXY determines which Oracle user is used to connect to
the channels:
    • If the mapping exists on the LDAP server, then the Oracle user defined in the
    map is used to connect to the channels.
    • If the mapping does not exist on the LDAP server, then GSPPRXY checks to
    see if the Luminis user is defined in GOBEACC.
    • If no mapping is defined anywhere, then GSPPRXY assigns the default user
    ID and password. The default user is defined in Banner Security PXY_CHANNELS_LUMINIS.
Note
For information about GSPPRXY, refer to the Banner Security Technical
Reference Manual.
• The Luminis ID is mapped to the Banner ID.
• You will log on to Banner and connect to the channels using your Luminis ID and
password.
Refer to the Luminis Channels for Banner documentation for more information.
Single Sign-On and Value-Based Security
To use SSO and VBS, you must make sure that the Oracle IDs that will be restricted under
VBS have been granted the role ban_default_webprivs. This role is required for any
Oracle IDs that will be using the self-service packages.
Luminis IV Support
If you are using Luminis Platform IV, then Banner General 7.4.1 and Luminis Channels
for Banner 7.2 (or later versions) are required. Refer to the chapter about working with
users and user accounts in the Luminis Platform Administration Guide, as well as the
Luminis Platform IV Release Notes for more information about specific Luminis
functionality and configuration.
Implementation Steps
Step 1
Create an Encryption Key
The SSO process uses DES encryption as supported through the Oracle-delivered package
DBMS_OBFUSCATION_TOOLKIT. This type of encryption uses a key, or password, to perform
the encryption.
Note
During your Banner upgrade or new installation, you should have created
the directory KEY_DIR. The GOKKSSO package looks for the key in the
enckey file in the KEY_DIR directory.
Verify that this directory exists by selecting from the DBA_DIRECTORIES
view to see the details of the directory that was created. If KEY_DIR exists
in the database and the physical directory has been created on your
database server, and you have a valid enckey file, then you may skip this
step and proceed to Step 2, “Create Entries in LDAP to Store
Configuration Values”.
If KEY_DIR does not exist in the DBA_DIRECTORIES table, and the physical
directory has not been created on your database server, you must create
it using the following steps.
Make sure your group permissions are readable by Oracle.
1. Create the physical directory on your database server (e.g. mkdir $BANNER_HOME/key_dir).
2. Create a plain text file named enckey in the directory you just created.
3. Edit the enckey file and enter the key (for example, PASSWORD).
Your key must start in column 1 and be a combination of letters and numbers, and be
at least eight characters. It can be longer (in multiples of eight only), but the GOKKSSO
package only uses the first 24 characters. The DES encryption only uses eight
characters, but SunGard Higher Education has provided for eventual use of the DES3
algorithm in a future release, which uses a 24-character key. The string you enter as
the key is padded to a length of 24, but you must still use at least eight characters,
since those are the ones used by the current DES encryption.
The passwords stored and passed by the SSO process will now be encrypted using
DES and your key.
4. Edit the banssodir.sql script located in the $BANNER_HOME/install directory and
change the directory name to match the name of the directory you just created (e.g.
$BANNER_HOME/KEY_DIR).
Note
If you cannot find the banssodir.sql script, you may need to manually
copy the file from upgrade/Gen70/banssodir.sql to
$BANNER_HOME/install/banssodir.sql.
5. Finally, run the script as follows:
sqlplus /nolog
connect general/general_password
start banssodir
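The key rules in Step 1 can be checked before the enckey file is put into service. The following is an added example, not SunGard-delivered code. The function names are hypothetical, the permission policy (no access for "other", no group write) is an assumption built on the note about group permissions, and the strength estimate assumes the eight key characters reach DES as raw ASCII bytes.

```python
import math
import os
import stat
import string

# Keys printed in this guide as samples; a real key must not reuse them.
DOCUMENTED_SAMPLE_KEYS = {"PASSWORD", "YOURKEYS"}
ALNUM = string.ascii_letters + string.digits


def check_enckey_text(text):
    """Check enckey contents against the rules in Step 1; return problems."""
    first_line = text.split("\n", 1)[0].rstrip("\r")
    if not first_line.strip():
        return ["line 1 is empty: the key must start in column 1"]
    problems = []
    if first_line[0] in " \t":
        problems.append("key does not start in column 1")
    key = first_line.strip()
    if any(ch not in ALNUM for ch in key):
        problems.append("key contains characters other than letters and numbers")
    if len(key) < 8:
        problems.append("key is shorter than eight characters")
    elif len(key) % 8 != 0:
        problems.append("key length is not a multiple of eight")
    if len(key) > 24:
        problems.append("only the first 24 characters are used")
    if key.upper() in DOCUMENTED_SAMPLE_KEYS:
        problems.append("key is a sample value printed in the documentation")
    return problems


def check_enckey_permissions(path):
    """Flag file modes that expose the key beyond the Oracle owner and group."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("enckey is accessible to users outside the Oracle group")
    if mode & stat.S_IWGRP:
        problems.append("enckey is group-writable")
    return problems


def des_key_strength_bits(alphabet=ALNUM, length=8):
    """Upper bound on the entropy of the eight key characters DES uses.

    DES ignores the low (parity) bit of every key byte, so two characters
    that differ only in that bit select the same key. Assumption: the
    characters reach DES as single raw ASCII bytes.
    """
    distinct = {ord(ch) >> 1 for ch in alphabet}
    return length * math.log2(len(distinct))


if __name__ == "__main__":
    # Constructed sample keys, not values from any real installation.
    for sample in ("PASSWORD\n", " Abcd1234\n", "k3Jq8ZtR0mWx5LpA\n"):
        print(repr(sample), check_enckey_text(sample))
    print("effective key strength: %.1f bits" % des_key_strength_bits())
```

Because the current release uses only eight characters, a longer key does not strengthen the encryption until the DES3 support mentioned above is delivered.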
Step 2
Create Entries in LDAP to Store Configuration Values
You must add the configuration entries to your LDAP directory. The default DN path is:
o=config,o=Banner,o=SCTSSOapplications
SunGard Higher Education delivers a number of sample LDIF files to help you. You can
edit any of these files to customize them for your institution. They are located in the
$BANNER_HOME\install directory, and you must use ASCII mode to transfer them to your
LDAP server.
Note
LDIF files are temporary files which you can copy into a temporary
directory on Luminis and then run. These files modify the schema.
For Oracle Internet Directory:
• sso_oclass_oid.ldif - Defines the required LDAP Object Classes so you can use
them in the Oracle Internet Directory (OID) and many other servers.
For SUNOne:
• sso_oclass_sunone.ldif - Defines the required LDAP Object Classes if you are
using the Sun LDAP server with Luminis. This file creates an LDAP object class
called SCTSSOConfig that has cn, SCTSSOConfigString, and description as its
required attributes. This file creates the LDAP attribute SCTSSOConfigString, a
single-value string.
• sso_root_sunone.ldif - Defines a new root entry in the SUNOne LDAP directory
where you can store parameters, if desired.
• sso_root_sunone2.ldif - Defines a new database entry in the SUNOne LDAP
directory where the root entries will be stored.
For All:
• sso_parms.ldif - Defines the parameters that must be present for the SSO
process. This file creates the following entries with the object class SCTSSOConfig
in the config directory:
INBServerName
DADNormal
DADSpecial
CPAuth
CPDeAuth
CPLastAct
UserPrefix
SearchBase
UserMapDN
PswdChangeMessage
INBServletPath
HTTPPrefixServer
HTTPPrefixClient
CSSURL
AnonmsSearch
Note
The delivered examples are for SUNOne and OID. You can, however, use
them as examples to interface Banner with other LDAP directories (e.g.,
OpenLDAP and Novell Directory Server (NDS)).
1. Run ldapmodify, a utility delivered with your LDAP server, with the LDIF files you
just edited. Run them in the order specified below.
Warning
Be sure to run the ldapmodify that was delivered with your server. This is
especially important with the platforms where LDAP is delivered as part of
the operating system (e.g., some versions of SUN Solaris). You must use
the ldapmodify command that was delivered with the SunOne software
stored in the Luminis software directory.
The format of the ldapmodify command in a Luminis SunOne environment is:
ldapmodify -c -a -v -D "cn=Directory Manager" -w <password for Directory Manager> -f <file name from list above>
For SUNOne, run:
1.1. sso_oclass_sunone.ldif
Example:
ldapmodify -c -a -v -D "cn=Directory Manager" -w yourpassword -f sso_oclass_sunone.ldif
1.2. sso_root_sunone.ldif
Example:
ldapmodify -c -a -v -D "cn=Directory Manager" -w yourpassword -f sso_root_sunone.ldif
1.3. sso_root_sunone2.ldif
Example:
ldapmodify -c -a -v -D "cn=Directory Manager" -w yourpassword -f sso_root_sunone2.ldif
1.4. sso_parms.ldif
Example:
ldapmodify -c -a -v -D "cn=Directory Manager" -w yourpassword -f sso_parms.ldif
For OID, run:
1.1. sso_oclass_oid.ldif
1.2. sso_parms.ldif
Step 3
Configure Parameters using GUAUPRF
1. Log on to Banner as the BASELINE user.
2. Access the General User Preferences Maintenance Form (GUAUPRF).
3. Go to the LDAP tab.
4. Enter your institution’s values in the Default Value field for each configuration
parameter (bind password, bind user ID, location in LDAP directory where SSO
configuration parameters are stored, and URL for LDAP authentication server).
Parameter       Description
BIND_PASSWORD   This is the password for the bind user. It is stored in the
                database using the DES encryption with the encryption key
                you configured in an earlier step.
BIND_USER       This is a user with rights to bind to the LDAP server to retrieve
                the configuration data for SSO. This user should also be able
                to search your LDAP directory to determine if users exist.
DN              This is the location in the LDAP directory where the SSO
                configuration parameters will be stored. Several LDIF files are
                delivered as examples of where this could be stored.
SERVER          This defines the LDAP server that is used to validate users
                and to store additional SSO configuration parameters.
                The parameter is formatted using Internet URL format for
                LDAP, for example: ldap://my.ldapserver:389
                Note: If you are using LDAPS, you will need to configure the
                parameters in the SSL key as well.
USERMAP_OPT     Usermap option. Valid values are:
                I - ImmutableID is being used for mapping. This option can
                only be used with Luminis Platform IV and later.
                L - LoginID is being used for login mapping.
                N - No usermap option is used.
USERMAP_PRFX    Prefix for the usermap. This file will contain the prefix for the
                usermap option. The default delivered value is cn=.
                This option is related to CMS-DFCT101141.
5. In the SSL (Secured Socket Layer) key, configure the following parameters:
Parameter       Description
LOCATION        To configure SSL, a certificate wallet must be created on the
                Database Server using Oracle Wallet Manager. This
                parameter is set to point to the physical location on the server
                where this wallet is created. It uses the file: URL format.
                Example:
                file:d:\oracle\wallet for Windows
                file:/u01/oracle/wallet for Unix
PASSWORD        This is the password to the wallet and it is stored using DES
                encryption using the key you created in a previous step.
MODE            This is the SSL authentication mode, and can be one of the
                following values:
                1 - No authentication is required (SSL encryption only)
                2 - One-way authentication is required, the client certificate is
                authenticated by the server
                3 - Two-way authentication is required, the client and the
                server authenticate each other’s certificates
4 Implementing Single Sign-On for Internet-Native Banner
Follow the steps in this chapter to implement Single Sign-On functionality for Internet-Native Banner® (INB).
1. “Update New Entries in LDAP for INB”
2. “Create DADs for Running SSO”
3. “Configure your INB Server”
4. “Verify Configuration Steps in Banner”
5. “Configure your Luminis Server”
6. “Test”
7. “(Optional) Set up SSO INB on Macintosh”
Note
Before performing these steps, you must already have performed the
steps in chapter 3.
Note
This section does not cover SSO setup through Banner Enterprise
Identity Services. If you are using Banner Enterprise Identity Services,
please refer instead to the Banner Enterprise Identity Services Handbook.
Step 1
Update New Entries in LDAP for INB
Update the following entries in the LDAP server location that you chose previously with
the actual values for your institution. In the sample below, an LDAP browser was used.
Note
You may not see sserv in your browser until you have completed more
steps.
• INBServerName - Defines the name of your INB server, in the format server
name:port. One example is my.inbserver.edu:8000, where the server name is
my.inbserver.edu and the port is 8000.
Note
Do not use http:// on the server, as this is configured in another
parameter.
Note
The port is not required if you are using Port 80.
• DADNormal - The OAS10g URL snippet that indicates the DAD running under a
"normal" database user, such as WWW_USER or OAS_PUBLIC. If you are running
Self-Service Banner, this is the same as the DAD you use with that system. You
should include the /pls prefix in the name if you are using the pls prefix in your
configuration. One example would be /pls/dadnormal, where dadnormal is the
DAD in OAS10g.
Note
OAS10g no longer requires that you include /pls in the URL, although
you can include it, if desired.
• DADSpecial - The OAS10g URL snippet that indicates the DAD running under the
special BANSSO user. You should include the /pls prefix in the name if you are
using the pls prefix in your configuration. One example would be /pls/dadspecial,
where dadspecial is the DAD in OAS10g that connects to the database as
BANSSO.
Note
OAS10g no longer requires that you include /pls in the URL, although
you can include it, if desired.
• CPAuth, CPDeAuth, CPLastAct - These values should be left as delivered in the
LDIF files. They have been made parameters to facilitate future modifications by
SunGard® Higher Education or your own local customizations.
• CPAuth should be set to gokssso.p_cp_login
• CPDeAuth should be set to gokssso.p_cp_logout
• CPLastAct should be set to gokssso.p_cp_lastact
• UserPrefix - Defines the prefix added to a userid when a bind is issued to the
LDAP server. This provides the flexibility necessary to support users added to
LDAP using the uid= or cn= formats.
• SearchBase - The user suffix used for searching and binding as users. It is
appended to the end of user IDs when doing an LDAP bind.
An example of an LDAP user that would be formed by the system with the user ID
myuser and the UserPrefix and SearchBase above is:
uid=myuser,ou=people,o=your.domain,o=cp
• UserMapDN - Points to a location in the LDAP directory where users can be
mapped, if they are different from the LDAP server and the Banner database. Each
entry in this location should be of the object class SCTSSOConfig, and the Common
Name (CN) of the entry should be the same as the LDAP user. The
SCTSSOConfigString attribute of the entry should be set to the user in the Banner
database. If the user IDs for a user in both systems are the same, an entry in this
location is not necessary for that user, and it is not recommended for performance
reasons.
One example would be an entry with a DN of
cn=StudentUser,o=usermap,o=Banner,o=SCTSSOapplications and an
SCTSSOConfigString of saisusr. The UserMapDN would be set to
o=usermap,o=Banner,o=SCTSSOapplications and at runtime the LDAP user
StudentUser would be changed to saisusr when the user logs in to Banner.
How to establish and test the mapping of a Luminis/LDAP ID to an Oracle/Banner ID
In order for users to use SSO to INB through Luminis® using LDAP authentication, the
LDAP and Banner IDs must either be:
• The same value (Luminis ID = jsmith - Oracle/Banner ID = jsmith)
• Mapped to one another in LDAP (Luminis ID = Joe.Smith - Oracle/Banner ID =
jsmith)
The following example explains how to establish and test the ID mapping if the IDs are
different from one another. In this example, the Oracle/Banner account name is jsmith, and
the Luminis account name is Joe.Smith.
Note
With Luminis IV, you could also use immutable ID to create the mapping.
These options are defined in the USERMAP_OPT parameter.
1. First, create a mapping file, for example, sso_map.ldif.
sso_map.ldif
dn: cn=Joe.Smith,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - Joe.Smith to Banner/Oracle ID jsmith
cn: Joe.Smith
OR
sso_map.ldif (using immutable ID)
Note
This option can only be used with Luminis IV.
dn: cn=1234987987,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
description: Map of Luminis ID - Joe.Smith to Banner/Oracle ID jsmith
cn: 1234987987
2. Import this file into the LDAP Server.
ldapmodify -a -c -v -f sso_map.ldif -D "cn=Directory Manager" -w pipeline
Note that you must wait approximately 20 minutes for the mapping to take
effect.
3. Log in to Luminis as Joe.Smith.
Click your direct INB SSO link or INB Channels link and you should be logged
in to INB as jsmith.
Click your direct SSB SSO link or SSB Channels link and you should be
logged in to SSB as jsmith (who has a Banner ID = 555555555 in this
example).
• PswdChangeMessage - Defines the message presented to the user when their
password is modified in the Banner database. It appears only when the password is
changed to a different value, and the message includes a link that continues the
process of logging them into Banner.
• INBServletPath - The URL snippet concatenated to the INBServerName to launch
Banner. It generally begins with /forms, and must include the config= parameter,
which points to the proper configuration.
Examples:
/forms/frmservlet?config=sctsso
This is addressed in greater detail later in this chapter.
• HTTPPrefixServer - Defines the http protocol for server-to-server HTTP
communications. This is inserted before the INBServerName whenever
communications between servers are performed. It should be http:// for normal
HTTP and https:// for SSL.
• HTTPPrefixClient - Defines the http protocol used when communicating to the
client browser. It should be http:// for normal HTTP and https:// for SSL.
• CSSURL - Defines a full URL to the Cascading Style Sheet (CSS) you want to use
for the Logon screen. This can be the same value as the CSSURL you are using for
that system.
• AnonmsSearch - Specifies if an anonymous search is performed to get the DN
entry. Valid values are:
• Y - An anonymous search will be performed to get the DN entry, and that
entry will be used to perform the bind.
• A - An authenticated search will be performed to get the DN entry, and that
entry will be used to perform the bind.
• N - The entries defined in LDAP will be used to perform the bind.
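The UserPrefix, SearchBase and UserMapDN entries above determine which LDAP entry a login binds as and which Banner account it becomes. The following added example (not SunGard-delivered code) validates mapping entries like the one in sso_map.ldif, resolves an LDAP ID to a Banner ID with the documented fallback to the same ID, and builds the bind DN. The function names are hypothetical, the second LDIF entry is constructed, and the RFC 4514 escaping is an addition of this example: the guide does not say whether the delivered packages escape user IDs.

```python
USERMAP_DN = "o=usermap,o=Banner,o=SCTSSOapplications"

# Constructed sample: the mapping entry from this guide (with the space after
# a comma as printed in the sample file) plus a deliberately broken entry.
SAMPLE_LDIF = """\
dn: cn=Joe.Smith,o=usermap,o=Banner, o=SCTSSOapplications
SCTSSOConfigString: jsmith
objectClass: top
objectClass: SCTSSOConfig
cn: Joe.Smith

dn: cn=Pat.Jones,o=usermap,o=Banner,o=SCTSSOapplications
SCTSSOConfigString: pjones
objectClass: top
cn: P.Jones
"""


def parse_ldif(text):
    """Parse plain 'attr: value' LDIF records (no base64 values) into dicts."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]            # LDIF continuation line
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            last = name.strip().lower()
            cur.setdefault(last, []).append(value.strip())
    return entries


def split_dn(dn):
    """Split a DN on unescaped commas, dropping spaces that follow a comma."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).lstrip())
    return parts


def check_mapping_entry(entry, usermap_dn=USERMAP_DN):
    """Return the problems found in one user-map entry."""
    problems = []
    rdns = split_dn(entry.get("dn", [""])[0])
    rdn_attr, _, rdn_value = rdns[0].partition("=")
    if rdn_attr.lower() != "cn":
        problems.append("RDN is not cn=")
    if [r.lower() for r in rdns[1:]] != [r.lower() for r in split_dn(usermap_dn)]:
        problems.append("entry is not directly under UserMapDN")
    if "sctssoconfig" not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("objectClass SCTSSOConfig is missing")
    if [v.lower() for v in entry.get("cn", [])] != [rdn_value.lower()]:
        problems.append("cn attribute does not match the RDN")
    if len(entry.get("sctssoconfigstring", [])) != 1:
        problems.append("SCTSSOConfigString must have exactly one value")
    return problems


def resolve_banner_id(ldap_id, entries, usermap_dn=USERMAP_DN):
    """Map an LDAP ID to a Banner ID; with no valid entry the IDs are identical."""
    for entry in entries:
        names = [v.lower() for v in entry.get("cn", [])]
        if ldap_id.lower() in names and not check_mapping_entry(entry, usermap_dn):
            return entry["sctssoconfigstring"][0]
    return ldap_id


def escape_rdn_value(value):
    """Escape a value per RFC 4514 so it cannot add or alter DN components."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (ch == " " and i in (0, len(value) - 1)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(user_prefix, user_id, search_base):
    """Form the DN used for the user bind: UserPrefix + user ID + SearchBase."""
    return f"{user_prefix}{escape_rdn_value(user_id)},{search_base}"
```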
Step 2
Create DADs for Running SSO
Refer to chapter 2 for basic information about creating a DAD.
SunGard Higher Education recommends that you use Oracle Enterprise Manager (OEM)
for all configuration file changes.
1. Create two new DADs for INB:
• dadnormal.txt
• dadspecial.txt
Tip: If INB and SSB use the same Oracle web server at your site, then you can use the
same dadnormal.txt file for both INB and SSB.
Sample DADs
To help you configure the DADs necessary for running your packages, SunGard Higher
Education has delivered sample DAD files: dadnormal.txt and dadspecial.txt. These
files are located in your $BANNER_HOME/install directory.
Note
You must configure dadnormal to be logged on as a normal database
user (e.g., OAS_PUBLIC or WWW_USER), but you must configure dadspecial
to be logged on as the BANSSO special user. This is because BANSSO
has the alter user Oracle privilege necessary to alter the users’
passwords after they have logged into Banner.
Step 3
Configure your INB Server
There are a number of steps you must perform to configure your INB server:
1. Copy the delivered bannersso.jar file from $BANNER_HOME/general/java to the
<ORACLE_HOME>/forms/java directory. Be sure to transfer it in binary mode if you
use FTP.
2. Modify your environment to use the delivered basejsso.htm file, which uses a
different Java Applet and the new sctinb_token parameter. The sctinb_token
parameter is used to pass a session token to the applet so it can access the DBMS_PIPE
(or the SSO_Q queue, if Advanced Queuing has been implemented as the
alternative to DBMS_PIPE) that contains the encrypted user ID and password.
2.1. Copy basejsso.htm from the $BANNER_HOME/install directory to the
<ORACLE_HOME>/forms/server directory on your OAS10g server.
2.2. Access OEM on your INB server.
2.3. Choose Forms in the System Components section.
2.4. Choose Configuration.
2.5. Update the baseHTMLJinitiator parameter to point to basejsso.htm.
3. Update your forms configuration. You can use the formsweb_sso.cfg file that is
located in the $BANNER_HOME/install directory for reference.
3.1. Open the formsweb_sso.cfg file that is located in the $BANNER_HOME/install/
directory.
3.2. Locate the sctsso configuration section for reference.
3.3. Access OEM on your INB server.
3.4. Choose Forms in the System Components section.
3.5. Choose Configuration.
3.6. Choose Create New Section and enter your new section name (for example,
sctsso).
3.7. Add the parameters from the sample formsweb_sso.cfg to your new section.
Example sctsso configuration section on OAS10gR2:
baseHTMLJInitiator=d:\oas10g\forms\server\basejsso.htm
archive_jini=bannersso.jar,banspecial.jar,frmall_jinit.jar,banicons.jar,bannerui.jar
workingDirectory=c:\temp
envFile=sctsso.env
4. Copy the sctsso.env file from $BANNER_HOME/install/ to the
<ORACLE_HOME>/forms/server directory on your OAS10gR2 server. Tailor it for your institution.
Make sure the database connect string is set in either the LOCAL (Windows) or
TWO_TASK (Unix) environment variable.
Step 4
Verify Configuration Steps in Banner
The sso_ldapinb script can be used to verify your SSO environment by reading all the
parameters and displaying their values. It is delivered in the $BANNER_HOME/install
directory.
1. Run this script logged on as BANINST1.
2. Verify that the output looks similar to the following example:
Sample Output (your values will differ)
SQL> @sso_ldapinb
*****
***** GURUPRF SETUP
*****
UPRF-> key=AUTHENTICATION str=BIND_PASSWORD val=
UPRF-> key=AUTHENTICATION str=BIND_USER val=cn=Directory Manager
UPRF-> key=AUTHENTICATION str=DN val=o=config,o=Banner,o=SCTSSOAPPLICATIONS
UPRF-> key=AUTHENTICATION str=SERVER val=ldap://my.ldapserver.com:389
UPRF-> key=SSL str=LOCATION val=Wallet Location
UPRF-> key=SSL str=MODE val=Authentication Mode
UPRF-> key=SSL str=PASSWORD val=Wallet Password
Decrypt BIND_PASSWORD
Decrypt Key is YOURKEYS
Decrypted Password is ur.password
*****
***** LDAP INB SETTINGS
*****
INBServerName is my.ldapserver.com:7778
DADNormal is /DADB70
DADSpecial is /DADB70spec
CPAuth is gokssso.p_cp_login
CPDeAuth is gokssso.p_cp_logout
CPLastAct is gokssso.p_cp_lastact
UserPrefix is uid=
SearchBase is ou=people,o=sct.com,o=cp
UserMapDN is o=usermap,o=Banner,o=SCTSSOapplications
PswdChangeMessage is Your password in the Banner system has been changed
to match your password in the Luminis system.
INBServletPath is /forms90/f90servlet?config=sctsso
HTTPPrefixClient is http://
HTTPPrefixServer is http://
CSSURL is http://my.ldapserver.com:99/css/web_defaultapp.css
AnonmsSearch is N
PL/SQL procedure successfully completed.
You can then use the sso_bindinb script to verify that a successful bind went through for
specified users.
3. Run this script logged on as BANINST1.
4. Verify that the output looks similar to the following example:
Sample Output (your values will differ)
SQL> @sso_bindinb
Enter value for bind_user: USERNAME
old   2: bind_credential varchar2 (100):='&Bind_User';
new   2: bind_credential varchar2 (100):='USERNAME';
Enter value for bind_password: 111111
old   3: bind_password varchar2 (100):='&Bind_Password';
new   3: bind_password varchar2 (100):='PASSWD';
Input Server is ldap://my.ldapserver.com:389
Server after string is my.ldapserver.com:389
ldap_srch_base ou=people,o=sct.com,o=cp
ldap_prfx uid=
Successful Server Bind
Before user Bind
Successful user Bind
Cookie string is http://my.ldapserver.com:7778/testdatabase/gokssso.p_banner
PL/SQL procedure successfully completed.
5. Access Banner using the following URL, using your Luminis ID and password:
yourserver.com:port/testdatabase/gokssso.P_login
6. The General Menu Form (GUAGMNU) should appear.
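The sample sso_ldapinb output in this step prints the decrypt key and the decrypted bind password alongside the transport settings, so it is worth reviewing and redacting before it is saved or sent to anyone. The following added example (not part of the delivered scripts) parses that output, flags the settings that leave credentials unprotected in transit, and masks the secrets. The finding names and function names are hypothetical, and the sample text is abridged from the sample output shown above.

```python
import re

# Constructed sample, abridged from the sample sso_ldapinb output above.
SAMPLE_REPORT = """\
UPRF-> key=AUTHENTICATION str=BIND_PASSWORD val=
UPRF-> key=AUTHENTICATION str=BIND_USER val=cn=Directory Manager
UPRF-> key=AUTHENTICATION str=SERVER val=ldap://my.ldapserver.com:389
UPRF-> key=SSL str=MODE val=Authentication Mode
Decrypt BIND_PASSWORD
Decrypt Key is YOURKEYS
Decrypted Password is ur.password
INBServerName is my.ldapserver.com:7778
HTTPPrefixClient is http://
HTTPPrefixServer is http://
AnonmsSearch is N
"""

UPRF_RE = re.compile(r"^UPRF-> key=(\S+) str=(\S+) val=(.*)$")
PARM_RE = re.compile(r"^(\w+) is (.*)$")
SECRET_RE = re.compile(r"^(Decrypt Key is |Decrypted Password is )(.+)$", re.M)


def parse_report(text):
    """Return settings as {'KEY.STRING': value} and {'LdapParameter': value}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        match = UPRF_RE.match(line)
        if match:
            settings[f"{match.group(1)}.{match.group(2)}"] = match.group(3).strip()
            continue
        match = PARM_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit(settings, report_text=""):
    """Return (code, message) findings for the parsed settings."""
    findings = []
    server = settings.get("AUTHENTICATION.SERVER", "").lower()
    if server.startswith("ldap://"):
        findings.append(("LDAP_CLEARTEXT",
                         "SERVER uses ldap://, so binds are not protected by SSL"))
    elif server.startswith("ldaps://") and settings.get("SSL.MODE") == "1":
        findings.append(("SSL_NO_AUTHENTICATION",
                         "SSL MODE 1 encrypts without authenticating certificates"))
    if settings.get("HTTPPrefixServer", "").lower() == "http://":
        findings.append(("SERVER_HTTP",
                         "server-to-server SSO requests use plain HTTP"))
    if settings.get("HTTPPrefixClient", "").lower() == "http://":
        findings.append(("CLIENT_HTTP",
                         "pages and redirects sent to the browser use plain HTTP"))
    if settings.get("AUTHENTICATION.BIND_USER", "").lower() == "cn=directory manager":
        findings.append(("BIND_USER_IS_DIRECTORY_MANAGER",
                         "BIND_USER only needs to bind, read the SSO "
                         "configuration and search for users"))
    if SECRET_RE.search(report_text):
        findings.append(("REPORT_CONTAINS_SECRETS",
                         "output shows the decrypt key and bind password"))
    return findings


def redact(report_text):
    """Mask the decrypt key and decrypted password before the output is kept."""
    return SECRET_RE.sub(lambda m: m.group(1) + "<redacted>", report_text)


if __name__ == "__main__":
    for code, message in audit(parse_report(SAMPLE_REPORT), SAMPLE_REPORT):
        print(f"{code}: {message}")
    print(redact(SAMPLE_REPORT))
```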
Step 5
Configure your Luminis Server
This step should be performed by the Luminis administrator.
1. Use the Luminis console command configman to update the es.systems parameter,
and to add the es.sctinb.configURL and es.sctinb.doGMTOffset parameters.
1.1. Navigate to the $CP_ROOT/webapps/luminis/WEB-INF directory on the
Luminis server.
1.2. Export the current properties from Luminis by running the following command:
configman -x ldi_banner.properties
1.3. Open the ldi_banner.properties configuration file in your text editor.
1.4. Locate the es.systems parameter and add sctinb to the end.
Example:
es.systems = sct is cal epos mb gtmb webct wp sctwf sctinb
1.5. Go to the end of the ldi_banner.properties file.
1.6. Add the es.sctinb.configURL parameter with the value:
http://your.inb.server:port/<YourNormalDAD>/gokssso.P_GetConfigVersion2
Example:
es.sctinb.configURL = http://your.inb.server:port/testdatabase/gokssso.P_GetConfigVersion2
1.7. Add the es.sctinb.doGMTOffset parameter with the value false.
Example:
es.sctinb.doGMTOffset=false
1.8. From the command prompt on the Luminis server, issue the following
command to import the new values:
configman -i ldi_banner.properties
2. Stop and restart the Luminis server using the stopcp and startcp commands.
3. From a cygwin window on the Luminis server, issue the following commands to add
filters to Luminis that are required for SSO:
cptool sync password -add cpip sctinb
Note
You must wait at least 10 minutes for this to take effect, or you can stop
and restart your Luminis server again to see the changes immediately.
Step 6
Test
You should always test your changes before migrating them to your production
environment.
1. (Optional) For testing purposes, enter the following in Luminis to create a link that
you can use to access Banner. Make sure you change the text to reflect your
institution’s configuration.
Example:
http://your.luminisserver.edu/cp/ip/login?sys=sctinb&url=http://your.inbserver.edu/forms/frmservlet?config=sctsso
Note
The timeout function in the URL above ensures that the Luminis and
Banner sessions are not connected. This is necessary because the
timeout functions of the CPIP protocol are not implemented in Banner.
2. Log on to Luminis and select the link to access Banner. The Banner main menu should
appear.
Note
Do not implement any special Oracle Password Management features
with your test account because they can cause problems with LDAP
testing. Use the default Oracle profile with no Oracle Password
Management features enabled.
Step 7
(Optional) Set up SSO INB on Macintosh
If you want to run Single Sign-on (SSO/LDAP) using INB through Luminis on a
Macintosh, you must perform several additional steps. Otherwise, users will be prompted
to enter the Banner/Oracle user ID and password again when they click the INB link in
Luminis.
Note
The following steps assume that your SSO/LDAP using INB through
Luminis works perfectly on a PC running JINIT.
1. Access OEM on your INB server. In most cases, OEM can be accessed using:
http://servername:1810.
1.1. Choose Forms in the System Components section.
1.2. Choose Configuration.
1.3. Locate your current SSO/LDAP configuration that works (for example,
ban7_sctsso).
1.4. Edit the ban7_sctsso configuration.
1.5. Change the following lines to be SSO-specific:
baseHTMLJInitiator = basejsso.htm
archive_jini = bannersso.jar,banicons.jar,bannerui.jar,banspecial.jar,banorep.jar,frmall_jinit.jar
envFile = ban7_sctsso.env
1.6. Add the following two Mac lines to the configuration:
baseHTML=basejsso_mac.htm
archive=bannersso.jar,banicons.jar,bannerui.jar,banspecial.jar,banorep.jar,frmall.jar
1.7. Save your changes.
2. Copy the file ORACLE_HOME\FORMS\server\base.htm in OAS10gR2 and name it
basejsso_mac.htm.
3. Edit the new basejsso_mac.htm file, making the following changes:
3.1. Find this value:
CODE="oracle.forms.engine.Main"
And change it to:
CODE="com.sct.banner.web.applet.BannerApplet"
3.2. Find this value:
<PARAM NAME="serverArgs" VALUE="%escapeParams% module=%form% userid=%userid% sso_userid=%sso_userid% sso_formsid=%sso_formsid% sso_subDN=%sso_subDN% sso_usrDN=%sso_usrDN% debug=%debug% host=%host% port=%port% %otherParams%">
And change it to:
<PARAM NAME="serverArgs" VALUE="module=%form% sso_userid=%sso_userid% %otherParams%">
3.3. Find this value:
<PARAM NAME="imageBase" VALUE="%imageBase%">
And add the following additional line below it:
<PARAM NAME="imageBase" VALUE="%imageBase%">
<PARAM NAME="sctinb_token" VALUE="%sctinb_token%">
4. Save your changes to the basejsso_mac.htm file.
5. Test:
5.1. Log in to Luminis on the Mac and test the INB link. It should load the new .jar
file bannersso.jar, and connect you to Banner without the extra Banner/Oracle
login box.
5.2. Test the direct login URL:
http://server4.xyz.com:9010/ban7_sctsso/gokssso.p_login
5.3. Log in with the LDAP user ID and password and it should log you in without
prompting for the Banner/Oracle user ID and password.
5 Implementing Single Sign-On for Self-Service Banner
Follow the steps in this chapter to implement Single Sign-On functionality for Self-Service Banner® (SSB).
1. “Create Entries in LDAP to Store Configuration Values”
2. “Update New Entries in LDAP for SSB”
3. “Configure WebTailor for LDAP Server”
4. “Update WebTailor Parameters”
5. “Verify Configuration Steps in Self-Service”
6. “(Optional) Create DADs for Running SSO with VBS”
7. “Configure your Luminis Server”
8. “Test”
Before performing these steps, you must already have performed the steps in chapter 3.
Note
This section does not cover SSO setup through Banner Enterprise
Identity Services. If you are using Banner Enterprise Identity Services,
please refer instead to the Banner Enterprise Identity Services Handbook.
Step 1
Create Entries in LDAP to Store Configuration Values
You must add the configuration entries to your LDAP directory. The default DN path is:
o=config,o=Banner,o=SCTSSOapplications
SunGard® Higher Education delivers the sample LDIF file below to help you. You can
edit this file to customize it for your institution. It is located in the
$BANNER_HOME\install directory, and you must use ASCII mode to transfer it to your
LDAP server.
Note
LDIF files are temporary files which you can copy into a temporary
directory on Luminis® and then run. These files modify the schema.
For all directories:
• sso_parms_sserv.ldif - Defines the parameters used by the SSO process for
Self-Service Banner. This file creates the following entries in the sserv directory
(a subdirectory under config):
SSBServerName
DADNormal
CPAuth
CPDeAuth
CPLastAct
UserPrefix
SearchBase
UserMapDN
PswdChangeMessage
HTTPPrefixServer
HTTPPrefixClient
CSSURL
AnonmsSearch
Note
The delivered examples are for OID and SUNOne. You can, however, use
them as examples to interface Banner with other LDAP directories, e.g.,
OpenLDAP and Novell Directory Server (NDS).
1. Run ldapmodify, a utility delivered with your LDAP server, with the LDIF file you
just edited.
Warning
Be sure to run the ldapmodify that was delivered with your server. This is
especially important with the platforms where LDAP is delivered as part of
the operating system (e.g., some versions of SUN Solaris). You must use
the ldapmodify command that was delivered with the SunOne software
stored in the Luminis software directory.
The format of the ldapmodify command in a Luminis SunOne environment is:
ldapmodify -c -a -v -D"cn=Directory Manager" -w <password for Directory Manager> -f <file name from list above>
For SUNOne, run:
1.1. sso_parms_sserv.ldif
Example:
ldapmodify -c -a -v -D "cn=Directory Manager" -w yourpassword -f sso_parms_sserv.ldif
Step 2
Update New Entries in LDAP for SSB
Update the following entries in the LDAP server location that you chose previously with
the actual values for your institution. In the sample below, an LDAP browser was used.
• SSBServerName - Defines the name of your Self-Service server, in the format
server name:port. One example would be my.ssbserver.edu:8000, where the
server name is my.ssbserver.edu and the port is 8000.
Note
Do not use http:// on the server, as this is configured in another
parameter.
• DADNormal - The OAS10g URL snippet that indicates the DAD running under a
"normal" database user, such as WWW_USER or OAS_PUBLIC. If you are running
Self-Service Banner, this is the same as the DAD you use with that system. You
should include the /pls prefix in the name if you are using the pls prefix in your
configuration. One example would be /pls/dadnormal, where dadnormal is the
DAD in OAS10g.
Note
OAS10g no longer requires that you include /pls in the URL, although
you can include it, if desired.
• CPAuth, CPDeAuth, CPLastAct - These values should be left as delivered in the
LDIF files. They have been made parameters to facilitate future modifications by
SunGard Higher Education or your own local customizations.
• CPAuth should be set to gokssso.p_cp_login_sserv
• CPDeAuth should be set to gokssso.p_cp_logout_sserv
• CPLastAct should be set to gokssso.p_cp_lastact_sserv
• UserPrefix - Defines the prefix added to a userid when a bind is issued to the
LDAP server. This provides the flexibility necessary to support users added to
LDAP using the uid= or cn= formats.
• SearchBase - The user suffix used for searching and binding as users. It is
appended to the end of user IDs when doing an LDAP bind.
An example of an LDAP user that would be formed by the system with the user ID
myuser and the UserPrefix and SearchBase above is
uid=myuser,ou=people,o=your.domain,o=cp
• UserMapDN - Points to a location in the LDAP directory where users can be
mapped, if their user IDs differ between the LDAP server and the Banner
database. Each entry in this location should be of the object class SCTSSOConfig,
and the Common Name (CN) of the entry should be the same as the LDAP user.
The SCTSSOConfigString attribute of the entry should be set to the user in the
Banner database. If the user IDs for a user in both systems are the same, an entry in
this location is not necessary for that user, and it is not recommended for
performance reasons.
One example would be an entry with a DN of
cn=StudentUser,o=usermap,o=Banner,o=SCTSSOapplications and an
SCTSSOConfigString of saisusr. The UserMapDN would be set to
o=usermap,o=Banner,o=SCTSSOapplications and at runtime the LDAP user
StudentUser would be changed to saisusr when the user logs in to Banner.
• PswdChangeMessage - Defines the message presented to the user when their
password is modified in the Banner database. It appears only when the password is
changed to a different value, and the message includes a link that continues the
process of logging them into Banner.
• HTTPPrefixServer - Defines the http protocol for server-to-server HTTP
communications. This is inserted before the INBServerName whenever
communications between servers are performed. It should be http:// for normal
HTTP and https:// for SSL.
• HTTPPrefixClient - Defines the http protocol used when communicating to the
client browser. It should be http:// for normal HTTP and https:// for SSL.
• CSSURL - Defines a full URL to the Cascading Style Sheet (CSS) you want to use
for the Logon screen. This can be the same value as the CSSURL you are using for
that system.
• AnonmsSearch - Specifies if an anonymous search is performed to get the DN
entry. Valid values are:
• Y - An anonymous search will be performed to get the DN entry, and that
entry will be used to perform the bind
• N - The entries defined in LDAP will be used to perform the bind.
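The bind DN construction and UserMapDN mapping described above, as an added Python example that is not SunGard-delivered code: it escapes the user ID per RFC 4514 before joining it to UserPrefix and SearchBase, and refuses an empty password before a bind. The function names and the in-memory usermap dictionary are assumptions standing in for Banner's own logic and for the entries stored under UserMapDN.

```python
# Added example (not SunGard code): how UserPrefix, the user ID and SearchBase
# combine into the DN used for the LDAP bind, with RFC 4514 escaping applied.

# Characters RFC 4514 requires (or allows) to be backslash-escaped in a value.
_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value):
    """Escape one attribute value so it cannot add or alter RDNs in the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            # A leading '#' and leading/trailing spaces are significant in a DN.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(user_id, user_prefix, search_base):
    """Return UserPrefix + user ID + ',' + SearchBase, as the page describes."""
    if not user_id:
        raise ValueError("empty user ID")
    return user_prefix + escape_dn_value(user_id) + "," + search_base


def check_bind_password(password):
    """Refuse an empty password: RFC 4513 treats a simple bind with a DN and no
    password as an unauthenticated bind, which a server may report as success."""
    if not password:
        raise ValueError("empty password must never reach the LDAP bind")
    return password


def map_to_banner_user(ldap_user, usermap):
    """Apply a UserMapDN-style mapping; unmapped users keep their LDAP ID.

    usermap is a hypothetical stand-in for the entries under UserMapDN:
    CN of the entry -> its SCTSSOConfigString. CN matching ignores case.
    """
    folded = {cn.lower(): banner_id for cn, banner_id in usermap.items()}
    return folded.get(ldap_user.lower(), ldap_user)


# Sample values taken from the examples on this page.
USER_PREFIX = "uid="
SEARCH_BASE = "ou=people,o=your.domain,o=cp"
USERMAP = {"StudentUser": "saisusr"}

if __name__ == "__main__":
    print(build_bind_dn("myuser", USER_PREFIX, SEARCH_BASE))
    # A user ID containing DN metacharacters stays inside the uid value.
    print(build_bind_dn("x,o=SCTSSOapplications", USER_PREFIX, SEARCH_BASE))
    print(map_to_banner_user("studentuser", USERMAP))
    print(map_to_banner_user("myuser", USERMAP))
```

Users without an entry in the map pass through unchanged, which matches the guidance that identical IDs need no UserMapDN entry.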
Step 3
Configure WebTailor for LDAP Server
You can use the Lightweight Directory Access Protocol (LDAP) authentication process to
authenticate your users’ IDs and passwords for Self-Service Banner. Users can use their
LDAP user IDs and passwords to log on to all the self-service applications they use.
Use the following steps to configure WebTailor specifically for Single Sign-On to
Luminis. Your LDAP administrator can provide you with the values you need for this step.
Note
You may have already completed several of the steps when you
configured Self-Service Banner in chapter 2.
1. Log on to WebTailor as the WebTailor Administrator.
2. Go to the LDAP Administration page (twbkldap.P_ModifyPgLDAP) in WebTailor and
set up the LDAP options:
2.1. LDAP Protocol - Specifies the protocol to be used with self-service. Select
LDAP_S if you are using LDAP with SSL at your institution.
Note
If you are not using LDAP authentication for Self-Service Banner, then the
protocol should be left as none.
2.2. Search Indicator - Indicates whether anonymous search should be performed
before binding.
2.3. LDAP Server Name - LDAP server name that is used to validate users.
2.4. LDAP Port - Port number for LDAP server.
2.5. Search Base for LDAP - User suffix used for searching and binding users.
2.6. Suffix for LDAP User - User suffix that should be used before binding user.
2.7. Prefix for LDAP User - User prefix that should be used before binding user.
2.8. Attribute for Banner in LDAP - Attribute which stores Self-Service Banner ID in
LDAP.
2.9. SSL Wallet Location - Specifies the wallet location. This is required if you are
using a one-way or two-way SSL connection.
2.10. SSL Wallet Password - Specifies the wallet password. This is required if you are
using a one-way or two-way SSL connection.
2.11. SSL Authentication Mode - Specifies the authentication mode.
Step 4
Update WebTailor Parameters
1. Log in to WebTailor as the WebTailor Administrator.
2. Go to the WebTailor Parameters page (twbkparm.P_DispAllParams) and enter values
for the following parameters:
Parameter Name    Value
CPBASEURL         http://servername.yourdomain.com
CPCOOKIEDOMAIN    .yourdomain.com
CPCOOKIENAME      CPSESSID
CPCOOKIEPATH      /
CPPASSWDEXP       Specifies how passwords are expired in a Banner/Luminis setup.
CPTIMEOUTURL      SCTSSB (where SCTSSB is the name specified for Banner Self-Service in your CPIP configuration)
                  Example: /cp/ip/timeout?sys=sctssb&api=
LDAPMAPUSER       Specifies where LDAP mapping is defined.
See the “Web Tailor Parameters” topic in Chapter 3 of the Banner Web Tailor User
Guide for a detailed description of these and other Web Tailor parameters.
Step 5
Verify Configuration Steps in Self-Service
The sso_ldapssb.sql script can be used to verify your SSO environment by reading all
the parameters and displaying their values. It is delivered in the $BANNER_HOME/install
directory.
1. Run this script logged on as BANINST1.
2. Verify that the output looks similar to the following example:
Sample Output (your values will differ)
SQL> @sso_ldapssb
*****
***** BASIC LDAP SETTINGS
*****
LDAP Function: twbklogn.f_ldap_cpsearch
Server: my.ldapserver.edu:389
User: cn=Directory Manager
PW: ur.password
Config Base: o=sserv,o=config,o=Banner,o=SCTSSOAPPLICATIONS
*****
***** TWGBLDAP SETTINGS
*****
Protocol: NONE
Search Indicator: N
Server Name: my.ldapserver.edu
Port: 389
Search Base: ou=People,o=sct.com,o=cp
Suffix:
Prefix: uid=
Attribute for Banner: pdsExternalSystemID
Wallet Location:
Authentication Mode:
*****
***** LDAP SSB SETTINGS
*****
SSBServerName - my.ldapserver.edu:9000
DADNormal - /DADB70
CPAuth - gokssso.p_cp_login_sserv
CPDeAuth - gokssso.p_cp_logout_sserv
CPLastAct - gokssso.p_cp_lastact_sserv
UserPrefix - uid=
SearchBase - ou=people,o=sct.com,o=cp
UserMapDN - o=usermap,o=Banner,o=SCTSSOapplications
PswdChangeMessage - Your password in the Banner system has been changed to match
your password in the Lumins system.
HTTPPrefixServer - http://
HTTPPrefixClient - http://
CSSURL - http://my.ldapserver.edu:9100/css/web_defaultapp.css
AnonmsSearch - N
PL/SQL procedure successfully completed.
You can then use the sso_bindssb script to verify that a successful bind went through for
specified users.
3. Run this script logged on as BANINST1.
4. Verify that the output looks similar to the following example:
Sample Output (your values will differ)
SQL> @sso_bindssb
Run this as the user in your DAD from your Application Server
Enter value for directorymanagerpassword: cp.admin
old 30: ldap_dir_pwd := '&DirectoryManagerPassword';
new 30: ldap_dir_pwd := 'ur.password';
LDAP Server: my.ldapserver.edu:389
Before bind
Bind was successful
PL/SQL procedure successfully completed.
5. On the WebTailor LDAP Administration page, change the LDAP Protocol to LDAP.
6. Use your Luminis ID and password to log into Self-Service.
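An added Python example, not part of the delivered scripts, that parses the sso_ldapssb output shown in this step and reports settings that leave LDAP or HTTP traffic unencrypted, CP* values that differ from the delivered ones, and the directory bind password appearing in the captured output. The finding codes and function names are assumptions; the sample text is the page's own sample output with the PswdChangeMessage lines left out.

```python
import re

# Sample sso_ldapssb output copied from this page (placeholder values only).
SAMPLE_OUTPUT = """\
*****
***** BASIC LDAP SETTINGS
*****
LDAP Function: twbklogn.f_ldap_cpsearch
Server: my.ldapserver.edu:389
User: cn=Directory Manager
PW: ur.password
Config Base: o=sserv,o=config,o=Banner,o=SCTSSOAPPLICATIONS
*****
***** TWGBLDAP SETTINGS
*****
Protocol: NONE
Search Indicator: N
Server Name: my.ldapserver.edu
Port: 389
Search Base: ou=People,o=sct.com,o=cp
Suffix:
Prefix: uid=
Attribute for Banner: pdsExternalSystemID
Wallet Location:
Authentication Mode:
*****
***** LDAP SSB SETTINGS
*****
SSBServerName - my.ldapserver.edu:9000
DADNormal - /DADB70
CPAuth - gokssso.p_cp_login_sserv
CPDeAuth - gokssso.p_cp_logout_sserv
CPLastAct - gokssso.p_cp_lastact_sserv
UserPrefix - uid=
SearchBase - ou=people,o=sct.com,o=cp
UserMapDN - o=usermap,o=Banner,o=SCTSSOapplications
HTTPPrefixServer - http://
HTTPPrefixClient - http://
CSSURL - http://my.ldapserver.edu:9100/css/web_defaultapp.css
AnonmsSearch - N
PL/SQL procedure successfully completed.
"""

SECTION = re.compile(r"\*{5}\s+(.+)$")                 # "***** NAME"
SETTING = re.compile(r"([A-Za-z ]+?)(?::| - )\s*(.*)$")  # "Key: v" or "Key - v"

# Values the guide says to leave as delivered in the LDIF files.
DELIVERED = {
    "CPAuth": "gokssso.p_cp_login_sserv",
    "CPDeAuth": "gokssso.p_cp_logout_sserv",
    "CPLastAct": "gokssso.p_cp_lastact_sserv",
}


def parse_sso_output(text):
    """Return {section name: {setting: value}} from the script output."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        setting = SETTING.match(line)
        if setting and current is not None:
            current[setting.group(1)] = setting.group(2)
    return sections


def audit(sections):
    """Return (code, detail) findings for the parsed settings."""
    basic = sections.get("BASIC LDAP SETTINGS", {})
    twg = sections.get("TWGBLDAP SETTINGS", {})
    ssb = sections.get("LDAP SSB SETTINGS", {})
    findings = []
    if basic.get("PW"):
        findings.append(("password-in-output",
                         "PW line exposes the directory bind password in any saved copy"))
    protocol = twg.get("Protocol", "").upper()
    if protocol != "LDAP_S":
        findings.append(("ldap-not-ssl",
                         "Protocol is %s; LDAP_S is the SSL setting" % (protocol or "unset")))
    for key in ("HTTPPrefixServer", "HTTPPrefixClient"):
        if ssb.get(key, "").lower() != "https://":
            findings.append((key + "-not-https", "%s is %r" % (key, ssb.get(key))))
    for key, delivered in DELIVERED.items():
        if ssb.get(key) != delivered:
            findings.append((key + "-changed", "expected %s" % delivered))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_sso_output(SAMPLE_OUTPUT)):
        print(code, "-", detail)
```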
Step 6
(Optional) Create DADs for Running SSO with VBS
Note
This step is required only if you are using VBS.
Self-Service Banner allows you to logon with your Oracle password instead of your
Banner ID and PIN.
The process in which SSO works seamlessly between Banner and Luminis is as follows:
1. As part of the normal SSO process between Luminis and Banner, your Luminis ID is
checked to see if it can be mapped to an Oracle/Banner ID.
2. The programming logic then checks the WebTailor tables to see if there are any for
which the ADMIN switch is set to Y (TWGBWMNU_ADM_ACCESS_IND = Y).
3. If any ADMIN switches are set to Y, then the user ID and password are encrypted and
stored in a cookie. The Oracle password is now identical to the one in Luminis.
4. You are then transferred to Self-Service Banner, and the CPSESSID cookie is set.
5. When you select a menu link in Self-Service Banner that has the ADMIN switch set,
the programming logic checks to see if the CPSESSID cookie exists.
6. If it does, _admin is added to the end of the DAD name in the URL.
7. This is picked up by the Oracle Application Service using a rewrite rule, which does
an internal redirect to a perl script.
8. The perl script changes the _admin to the actual ADMIN DAD, as defined by the
WEBUSER WebTailor parameter.
9. The programming logic then redirects to the TWBKAUSR package that maintains all
the post data, using the URL as a parameter.
10. The TWBKAUSR package receives the request from the perl script and uses the
encrypted cookie to build an authentication header.
11. The utl_http package issues the actual URL request with this header set, providing
the authorization to the ADMIN DAD so you aren’t prompted for a username and
password.
12. The results from the URL are edited to add _admin to all the URLs contained in it, so
the rewrite rule will be invoked again if you click on one of those URLs. You will not
need to enter your password again for this session.
Note
You must copy $BANNER_HOME/install/admin_redir.pl to
<ORACLE_HOME>/Apache/Apache/cgi-bin/admin_redir.pl.
13. In order for this process to work correctly, you must do the following:
13.1. Create a new DAD identical to your database DAD, and append the letter o to
the end. Refer to chapter 2 for information about creating a DAD.
Example:
DAD name: test
New DAD name: testo
Note
If you have changed the CGI-BIN Admin Directory Suffix to a value
other than o in your web rules in WebTailor, then you must append that
value rather than o.
13.2. Include the following rewrite rules in your OAS10g httpd.conf configuration
file located in <ORACLE_HOME>/Apache/Apache/conf/.
<Location /YourDAD_admin>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_METHOD} GET
RewriteRule /YourDAD_admin/(.*) /perl/admin_redir.pl\?dadname=YourDAD&url=http://YourSSBServer/YourDADo/$1\%3F%{QUERY_STRING}
RewriteCond %{REQUEST_METHOD} POST
RewriteRule /YourDAD_admin/(.*) /perl/admin_redir.pl\?dadname=YourDAD&url=http://YourSSBServer/YourDADo/$1\%3F%{QUERY_STRING}
</Location>
Where:
• YourDAD_admin is the name of your DAD, followed by the string _admin.
Example: test_admin
• /perl/admin_redir.pl is the UNIX example of the SunGard Higher Education-delivered
script located in $BANNER_HOME/install/ directory. This script must be copied to
<ORACLE_HOME>/Apache/Apache/cgi-bin/ on your SSB server.
Example: /perl/admin_redir.pl
Note: You should not rename this file.
• YourDAD is the name of your DAD.
Example: test
• YourDADo is the name of your DAD, followed by an o.
Example: testo
• YourSSBServer is the name or IP address of your server which runs Self-Service Banner.
Example: ssb.yourschool.edu:8000
Note: The port is not needed if it is 80.
Step 7
Configure your Luminis Server
This step should be performed by the Luminis administrator.
1. Use the Luminis console command configman to update the es.systems parameter,
and to add the es.sctssb.configURL and es.sctssb.doGMTOffset parameters.
1.1. Navigate to the $CP_ROOT/webapps/luminis/WEB-INF directory on the
Luminis server.
1.2. Export the current properties from Luminis by running the following command:
configman -x ldi_banner.properties
1.3. Open the ldi_banner.properties configuration file in your text editor.
1.4. Locate the es.systems parameter and add sctssb to the end.
Example:
es.systems = sct is cal epos mb gtmb webct wp sctwf sctinb sctssb
1.5. Go to the end of the ldi_banner.properties file.
1.6. Add the es.sctssb.configURL parameter with the value:
http://your.ssb.server:port/testdatabase/gokssso.P_GetConfigVersion2_sserv
Example:
es.sctssb.configURL = http://your.ssb.server:port/<YourNormalDAD>/gokssso.P_GetConfigVersion2_sserv
1.7. Add the es.sctssb.doGMTOffset parameter with the value false.
Example:
es.sctssb.doGMTOffset=false
1.8. From the command prompt on the Luminis server, issue the following
command to import the new values:
configman -i ldi_banner.properties
2. Stop and restart the Luminis server using the stopcp and startcp commands.
3. From a cygwin window on the Luminis server, issue the following command to add
filters to Luminis that are required for SSO:
cptool sync password -add cpip sctssb
Note
You must wait at least 10 minutes for this to take effect, or you can stop
and restart your Luminis server again to see the changes immediately.
Step 8
Test
You should always test your changes before migrating them to your production
environment.
1. (Optional) For testing purposes, enter the following in Luminis to create a link that
you can use to access SSB. Make sure you change the text to reflect your institution’s
configuration.
http://your.luminisserver.edu/cp/ip/login?sys=sctssb&url=http://your.ssbserver:port/YourDAD/bwgkogad.P_SelectAtypView
2. Log on to Luminis and select the link to access Self-Service Banner. In this example,
you would be taken to your information in the Directory Profile.
6 Implementing Luminis Channels for Banner
This chapter details the following steps for implementing Luminis® Channels for
Banner®.
1. “Create the Home Directory for Luminis Channels for Banner”
2. “Edit the Configuration File”
3. “Localize the Configuration File”
4. “Deploy the EAR File”
5. “Install CAR Files”
6. “Publish the Channel”
7. “Check Your Work”
Each Luminis Channel for Banner is delivered as a .car (channel archive) file. The .car file
is a .zip file that contains all elements needed to render the channel and to set up database
elements, supporting automation, publishing characteristics, etc., for the channel.
Prerequisites
Before proceeding with your Luminis Channels for Banner implementation, make sure
you have completed the following prerequisite activities:
Apply Upgrade
Apply the Luminis Channels for Banner upgrade to your Banner database.
Set up Security on GSASECR
1. Access the Security Maintenance Form (GSASECR).
2. Go to the Objects tab and verify that there has been an entry created for CHANNEL.
The delivered record should look like this:
Object: CHANNEL
Current Version: 7.0
System Code: G
Default Role: BAN_DEFAULT_M
Note
The Current Version value may be a higher version.
3. Go to the Classes tab and verify that there has been an entry created for
PXY_CHANNEL_LUMINIS. Move your cursor to that record to highlight the record.
Then press the Objects button and assign the CHANNEL object to this class with a
role of BAN_DEFAULT_M. The PXY_CHANNEL_LUMINIS class determines the
default user mapping for Banner Channels and will be used for all users that do not
have an Oracle account in the Banner database (for example, students).
4. Define a default Oracle ID for Banner Channels. Go to the Users tab and enter the ID
you would like to use. The recommended user ID is INTEGMGR, or you can create a
new Oracle ID. Next, press the Modify button and then User Classes. Click the All
radio button under Show Classes and look for the PXY_CHANNEL_LUMINIS
class. Click the value in the class code item for this record. If the field is protected
against update, then there is already a default user assigned to the class (and
GSASECR will not allow more than one user to be assigned to this class).
5. Press the Close button twice to return to the Users tab.
6. On the Users tab, enter the same user ID (INTEGMGR or new ID) that you just
entered. Press the Alter button, check the Authorize BANPROXY box, and save
your changes.
7. Users with existing Oracle accounts (such as employees, finance users, and so on)
must be granted access to the CHANNEL object to use Banner Channels. The easiest
way to do this is to assign the CHANNEL object to one or more classes that are
assigned to your users. For example, to allow all users in the BAN_GENERAL_C
class access to Channels, go to the Classes tab and highlight BAN_GENERAL_C.
Then press the Objects button and add the CHANNEL object to this class with a role
of BAN_DEFAULT_M.
8. Individual users also must be granted BANPROXY access. Go to the Users tab and
enter the person’s Oracle ID. Then press the Alter button, check the Authorize
BANPROXY box, and save your changes.
Perform Required Steps
Perform the required steps from chapter 3 of this guide, if you have not already performed
them. Note that if the Single Sign-On steps from chapter 4 and chapter 5 are not also
completed, login will be required every time a link to Internet-Native Banner or Self-Service Banner is used from within a channel.
Architectural Overview
Every channel that integrates with Banner connects to it using a Java channel class named
com.sct.portals.luminis.ProviderChannel. The design of this channel provides for
easy configuration and connection to a database instance.
The ProviderChannel asks for the content and renders it within the portal. For Banner, a
provider is used to communicate to a J2EE application running within OAS10g.
The banportals application is a J2EE application, which delivers the content for
channels. It manages fine-grained access through an Oracle database connection pool.
Since the ProviderChannel communicates to the banportals application using HTTPS
(as shown in the illustration below), you must make sure that a line of communication is
available and will not be hampered by a firewall. You could also use the HTTP protocol,
but, since some data is sensitive in nature, SunGard Higher Education recommends that
you use HTTPS for your production instances.
[Figure: the ProviderChannel sends a "Get content with SOURCE_INFO parameter" request to banportals on the Oracle Application Server, which answers with "Return XML for rendering".]
The channel type for the ProviderChannel is custom. The ProviderChannel expects its
channel parameters to dictate what to execute on the Banner side.
The following parameters are used.
Parameter Name (Type) - Description
• DEFAULT (Req) - This parameter specifies the default view for the channel to render.
Example: LI_DASHBOARD_DEFAULT
• PROVIDER (Req) - For all Banner channels the provider to be used is
com.sct.banner.portals.providers.BannerDataProvider.
• SOURCE_INFO (Req) - This parameter is the driver command to acquire channel
specific data.
• CACHE_TIMEOUT (Opt) - If a channel’s data is not refreshed often, it could be very
beneficial to system performance to cache the channel for a period of time while the
user is logged into the system. The CACHE_TIMEOUT value is the number of seconds on a
per-user per-session basis to cache a channel.
The Banner channel framework will automatically refresh the cache if the channel is
focused or if the edit button is clicked.
• EDIT (Opt) - If the channel appears different in edit mode from the way it appears in
default mode, a different style sheet will be used.
• SOURCE_SSL (Opt) - An SSL is a map of all style sheet titles and their related XSL
files. By default the ProviderChannel will take the SOURCE_INFO name and apply .ssl to
the end to look up the SSL file. If a specific SSL file is needed that does not follow
this naming convention, an SSL can be specified using the SOURCE_SSL parameter.
Example: /com/sct/banner/portals/ui/gc_nav/gc_nav.ssl
• CONNECTION_NAME (Opt) - By default, channels will use the default connection
database pool setup on the OAS10g server. If multiple connection pools are available, a
channel can set the CONNECTION_NAME parameter to link the channel to a specific pool.
For example, if you have a PROD database that is your default connection pool, but want
to have a channel interact with your TEST database you could specify TEST as your
CONNECTION_NAME.
Review setting up your connection pools for more details.
Preparing to Install Luminis Channels for Banner
Before you can configure and install the Luminis Channels for Banner, some files have to
be moved to the Luminis servers and others need to be moved to the OAS10g server.
The following files are used in the installation and configuration of Luminis Channels for
Banner.
File Name - Description
• sctecf.car - This file lays down the foundation on which Luminis Channels for Banner
are built. It stands for the Enterprise Channel Foundation. It will be placed in a
specified directory on the Luminis server.
• banportals.ear - This file is deployed to the OAS10g server and is used to accept
requests for content and return XML content to the portal.
• bannerCommon.car - This file provides the BannerDataProvider used to implement the
Luminis Channels for Banner. It also contains the common XSL, images, and properties
used by all Luminis Channels for Banner. This file contains a properties file that
tells it the location of the OAS10g server that all channels will contact for content.
• banportalsadmin.jar - This helper file provides a means to easily import properties
from a file and disseminate them through both the banportals.ear and
bannerCommon.car.
• banportals.config - This is a template file that is used to set values within
banportals.ear and bannerCommon.car.
Step 1
Create the Home Directory for Luminis Channels for Banner
1. To manipulate and configure the files, create a directory on the OAS10g server.
Example:
/u01/PROD/sghe/banner/channels
2. Copy the contents of your Banner production directory/channel/admin to this
directory. In the instructions in this chapter, this directory is referred to as the
CHANNEL_HOME directory.
Step 2
Edit the Configuration File
Edit the banportals.config file that is located in your CHANNEL_HOME directory (for
example, D:\SGHE\BAN7\CHANNELS\banportals.config).
Banner Database Connection Configuration
Property Name - Description
• connectionName.list - Connection listings. Each item in this list will expect to have
<connection name>.<property> specified.
For example, the default value in the list makes the configuration look for
default.tnsName, default.UserName, etc.:
connectionName.list=default
connectionName.list=default, other
• connectionName.default - For channels that do not specify the connection name to use,
the default name will be used.
Example:
connectionName.default=default
• default.tnsName - TNS Name to use when connecting to the Banner database.
Example:
default.tnsName=LB70.sct.com
• default.userName - Connection pool user to use.
Example:
default.userName=banproxy
• default.password - Connection pool password to use.
Example:
default.password=banproxy
• default.poolConfig.min-limit - Minimum number of physical connections maintained by
the pool.
Example:
default.poolConfig.min-limit=1
• default.poolConfig.max-limit - Maximum number of physical connections maintained by
the pool.
Example:
default.poolConfig.max-limit=5
• default.poolConfig.increment - Incremental number of physical connections to be
opened when all the existing ones are busy and a new connection is requested.
Example:
default.poolConfig.increment=1
• default.poolConfig.timeout - Specifies how much time must pass before an idle
physical connection is disconnected.
Example:
default.poolConfig.timeout=30
This does not affect a logical connection. The default time is in seconds.
• log4j.rootCategory - This specifies the logging level and logging scheme to be used
from within the servlet. The default logging level is INFO, stdout, which directs the
output of the servlet to the system output, which in turn writes to the
<ORACLE_HOME>/opmn/<oc4j instance> logs.
To limit the growth and overall size of the log, the logging can be turned down to
ERROR. To do so, set the value of log4j.rootCategory to ERROR, stdout.
Banner Channel Properties
Property Name
Description
providerServlet.url
URL to access the Banner portal servlet. This is the URL of
the webserver, and points to the OC4J servlet, which will
reside on the webserver machine.
Example:
providerServlet.url=https://yourservername.com:4445/banportals/
The port of 4445 in the document is an example. You will
provide the port number that takes you to the welcome page
of the webserver (for example, http://yourservername.com:7777).
The /banportals/ portion of the URL is suggested as the
virtual path for the OC4J servlet. You will then reference the
banportals portion of the URL in later steps.
providerServlet.userName
User name to secure the servlet.
Example:
providerServlet.userName=channelAdmin
providerServlet.password
Password to secure the servlet.
Example:
providerServlet.password=u_pick_it
The recommended value for username is channelAdmin. You
can use any value for the password.
This username and password are used for authentication
between Luminis and the OC4J servlet engine. When you
complete Step 3, “Localize the Configuration File”, the
information stored in banportals.config is loaded into the
bannerCommon.car and banportals.ear files. Then
bannerCommon.car is moved to the Luminis server and
banportals.ear is deployed on the OAS10g server. When
the OC4J servlet engine receives a Channel request, it
compares the username/password stored in banportals.ear
with the username/password sent by Luminis from the
bannerCommon.car file.
Thus the providerServlet username and password need to be
defined only in the banportals.config file. There does not
need to be any corresponding OS user, Oracle user, etc.
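A pre-flight check for banportals.config before the installer is run, as an added example that is not part of this guide or of the product. It assumes plain key=value lines; the function names, the constructed sample file and the rules (reject the sample passwords printed in this guide, a password equal to the user name, a providerServlet.url that is not https, and connections listed without their properties) are this example's own.

```python
import os
import stat

# Values printed as examples in this guide. They are public, so none of them
# should survive into a deployed banportals.config.
DOCUMENTED_SAMPLE_PASSWORDS = {"banproxy", "u_pick_it"}
REQUIRED_PER_CONNECTION = ("tnsName", "userName", "password")

# Constructed sample: the guide's example values, plus a second connection
# name with no properties and an http servlet URL.
SAMPLE_AS_DOCUMENTED = """\
connectionName.list=default, other
connectionName.default=default
default.tnsName=LB70.sct.com
default.userName=banproxy
default.password=banproxy
default.poolConfig.min-limit=1
default.poolConfig.max-limit=5
providerServlet.url=http://yourservername.com:7777/banportals/
providerServlet.userName=channelAdmin
providerServlet.password=u_pick_it
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def weak_password(user, password):
    """A password is weak here if it equals the user name or a printed sample."""
    return password == user or password in DOCUMENTED_SAMPLE_PASSWORDS


def audit_banportals_config(text):
    """Return a list of (property, problem) tuples; an empty list means clean."""
    props = parse_properties(text)
    findings = []

    # Every name in connectionName.list must have <name>.<property> entries.
    names = [n.strip() for n in props.get("connectionName.list", "").split(",")
             if n.strip()]
    if not names:
        findings.append(("connectionName.list", "no connections listed"))
    if props.get("connectionName.default", "") not in names:
        findings.append(("connectionName.default", "not in connectionName.list"))

    for name in names:
        for suffix in REQUIRED_PER_CONNECTION:
            if not props.get(f"{name}.{suffix}"):
                findings.append((f"{name}.{suffix}", "missing"))
        password = props.get(f"{name}.password", "")
        if password and weak_password(props.get(f"{name}.userName", ""), password):
            findings.append((f"{name}.password", "sample value or same as user name"))
        low = props.get(f"{name}.poolConfig.min-limit", "")
        high = props.get(f"{name}.poolConfig.max-limit", "")
        if low.isdigit() and high.isdigit() and int(low) > int(high):
            findings.append((f"{name}.poolConfig.min-limit", "greater than max-limit"))

    # Luminis sends the servlet user name and password to this URL, so it
    # should be reached over TLS.
    if not props.get("providerServlet.url", "").lower().startswith("https://"):
        findings.append(("providerServlet.url", "not https"))
    servlet_pw = props.get("providerServlet.password", "")
    if not servlet_pw:
        findings.append(("providerServlet.password", "missing"))
    elif weak_password(props.get("providerServlet.userName", ""), servlet_pw):
        findings.append(("providerServlet.password", "sample value or same as user name"))
    return findings


def readable_by_others(path):
    """True if group or other may read the file (POSIX mode bits)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    for prop, problem in audit_banportals_config(SAMPLE_AS_DOCUMENTED):
        print(f"{prop}: {problem}")
```

Because banportals.config holds both passwords in clear text, readable_by_others can be run against the file in CHANNEL_HOME on a Unix host to confirm only its owner can read it.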
XSL Parameters
The following are parameters that will be set on each XSLT translation. Additional
parameters can be added here for custom parameters in XSLTs.
Property Name
Description
xsl-parameter.erpUrlBase
URL for the INB server.
Example:
xsl-parameter.erpUrlBase=http://yourservername.com:7777/forms90/f90servlet%3Fconfig%3Dsctsso%2526separateFrame%3Dfalse%2526otherParams%3Dlaunch_form%3D
Note: If you want to load Banner forms in a separate window,
remove %2526separateFrame%3Dfalse from the URL
above.
xsl-parameter.urlHostAndPath
URL for the self-service application.
Example:
xsl-parameter.urlHostAndPath=http://yourservername.com:9001/YourDAD/
xsl-parameter.externalSystem-inb
CPIP URL for the INB system.
Example:
xsl-parameter.externalSystem-inb=%2fcp%2fip%2ftimeout%3fsys%3dsctinb
xsl-parameter.externalSystem-ssb
CPIP URL for the self-service system.
Example:
xsl-parameter.externalSystem-ssb=%2fcp%2fip%2flogin%3fsys%3dsct
Step 3
Localize the Configuration File
The banportals.config file contains values that need to be inserted into the
bannerCommon.car and banportals.ear files.
To roll out the changes, an installer file, banportalsadmin.jar, is provided. To use this
installer, a Java VM must be installed on the same machine as the CHANNEL_HOME. A Java
VM of 1.3.1 or higher is required.
Tip
If the CHANNEL_HOME is on the same machine as your OAS10g server, you
can use the JAVA_HOME rooted at <ORACLE_HOME>/jdk. Set an
environment variable JAVA_HOME and point it to <ORACLE_HOME>/jdk.
Then ensure that JAVA_HOME\bin is the first item in your PATH.
Tip
To check the java version, run
java -version
To execute the installer, run
java -jar banportalsadmin.jar banportals.config
Step 4
Deploy the EAR File
SunGard Higher Education recommends that you use Oracle Enterprise Manager to
deploy the EAR file.
Using Oracle Enterprise Manager
1. Create an OC4J instance for the EAR file. For example, if the Banner database is named
PROD:
PROD_banportals
It is recommended that you create a new OC4J instance for each channel servlet
instance. SunGard Higher Education recommends a naming convention of
<SID>_banportals where <SID> is the service identifier for your Banner instance.
2. Select the created OC4J instance, and go to the Applications tab. Click Deploy EAR
file (or Deploy Application in older versions).
3. You may be shown an introduction. Read it, then click Next.
4. Browse for the banportals.ear file that has just been updated in the CHANNEL_HOME
directory and select this file for deployment.
This step actually takes the EAR file within the CHANNEL_HOME directory and moves it
up to the OAS10g server. The EAR file must be made available to the machine on
which you are browsing the Enterprise Manager. If access is not readily available, the
file must be moved locally to the browser machine to upload it to the OAS10g server.
When selecting an application, select:
J2EE Application = the local file system location of the EAR file
For example, if the computer you are using to view the Enterprise Manager has a
shared drive to the OAS10g server, the J2EE Application location would refer to
CHANNEL_HOME/banportals.ear file. If you do not have access using mapped drives
or symbolic links, you will need to FTP the file to the local machine and then select
the file locally.
5. Select a name to identify the application within the OC4J instance. This name must
be unique to the OC4J instance and should typically contain the application currently
being deployed. The suggested name is <SID>_banportals.
6. Click Next.
7. Map the URL for the web modules. If the desired web root URL is not banportals,
alter the value on this step of the Oracle Enterprise Manager deployment wizard.
8. Click Finish to navigate to the last summary step.
9. When the summary is displayed, click Deploy to deploy the EAR file. This step
generally takes approximately one to three minutes to complete.
10. Go to the Oracle Enterprise Manager home page to ensure that the newly created
OC4J instance is started.
11. Deploy the base CAR files
From your CHANNEL_HOME location copy the following files to the Luminis server
CP_ROOT/webapps/luminis/WEB-INF/cars:
• bannerCommon.car
• sctecf.car
For Luminis III.2 systems and higher, this directory will already exist. For earlier
versions of Luminis, you must create it.
Using Command Line Deployment - DCMCTL
This method is an alternative to the steps listed above. Although Oracle Enterprise
Manager is recommended for deploying the EAR file, you can also deploy it from the
command line by following the steps below.
1. As the owner of the OAS10g server, navigate to <ORACLE_HOME>/dcm/bin.
2. Create an OC4J instance:
dcmctl createcomponent -co <OC4J Instance Name> -ct oc4j
where:
• co = component name
• ct = component type
It is recommended that you create a new OC4J instance for each channel servlet
instance. SunGard Higher Education recommends a naming convention of
<SID>_banportals where <SID> is the service identifier for your Banner instance.
For example:
dcmctl createcomponent -co PROD_banportals -ct oc4j
3. Deploy the EAR file to the newly created OC4J instance.
dcmctl deployapplication -co <OC4J Instance Name> -a banportals -f $CHANNEL_HOME/banportals.ear
4. Ensure that the OC4J instance is running.
dcmctl start -co <OC4J instance name>
5. Deploy the base CAR files.
From your CHANNEL_HOME location copy the following files to the Luminis server
CP_ROOT/webapps/luminis/WEB-INF/cars:
• bannerCommon.car
• sctecf.car
For Luminis III.2 systems and higher, this directory will already exist. For earlier
versions of Luminis, you must create it.
Installing a Luminis Channel for Banner
Step 5
Install CAR Files
1. Copy (or FTP in binary mode) the gc_nav.car file from your Banner production
directory/channels/admin directory to the following directory:
$CP_ROOT/webapps/luminis/WEB-INF/cars
Note
For Luminis III.2 systems and higher, this directory will already exist. For
earlier versions of Luminis, you must create it.
2. Copy (or FTP in binary mode) the CAR files for each licensed Self-Service product
from its corresponding $BANNER_HOME\web_product\java\*.car directory to the
following directory:
$CP_ROOT/webapps/luminis/WEB-INF/cars
For example, if Student Self-Service is installed, then you need to copy the CAR files
located in the Banner Production directory/stuweb/java directory.
Examples:
copy $BANNER_HOME\aluweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
copy $BANNER_HOME\facweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
copy $BANNER_HOME\finweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
copy $BANNER_HOME\genweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
copy $BANNER_HOME\payweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
copy $BANNER_HOME\stuweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
copy $BANNER_HOME\wtlweb\java\*.car $CP_ROOT/webapps/luminis/WEB-INF/cars
Note
You can only install the products you have licensed.
3. Restart the Luminis Web server.
Once the restart is complete, the channel will be recognized by the system and any
optional data required to set up its supporting elements will be processed.
Step 6
Publish the Channel
For detailed information about the WebTailor pages mentioned in this procedure, see the
Luminis Channels for Banner Handbook.
1. Log on to Luminis as the administrator.
2. Choose the Channel Admin link.
3. Choose the Modify a currently published channel link.
The system displays the Channel Manager page. When the system was restarted
previously, it automatically processed all the elements needed for the initial setup of
the channel. Therefore, you will only need to modify values to customize the channel
for your institution’s business practices.
4. Locate the channel you want to modify. You can use the page number links to go to a
different page, and you can select a category from the pull-down list to reduce the
number of channels displayed on the Channel Manager page.
5. Click the Edit button for the channel you want to modify. The system displays the
Channel Manager page at the Review workflow “step.”
6. Click the Categories step.
7. For the Categories step, check the check box for the category you want the channel
associated with (Applications is recommended), then click Next or the Groups step.
8. For the Group step, check the check box for the group you want the channel
associated with, then click Next or the Review step.
Note
If you are using Luminis III.2 or higher, the system automatically assigns
SunGard Higher Education-delivered channels to the Auto-Published
category, and only a user with the “Admin” role can subscribe to it.
SunGard Higher Education recommends that an Admin user subscribe to
the channel to test it, modify institutional preferences if necessary, then
reassign it to a different group as explained in this procedure.
Only users assigned to the group selected in this step will be able to subscribe
to the channel.
9. For the Review step, click Finished.
Note
If desired, you can modify any of the clickable values displayed on the
Review step, but you do not need to do this for installation.
Step 7
Check Your Work
1. Return to the Luminis portal.
2. Subscribe to the channel.
3. Test it to make sure it works.
Locale-Specific URLs
For a multi-language implementation of Banner, you can set up locale-specific URLs for
INB and SSB.
Note
This setup is possible only for an international version of Banner.
1. Edit the banportals.config file to add locale-specific configurations to the end of the
file. For example:
xsl-parameter.erpUrlBase.<Locale>= Locale-specific INB URL
xsl-parameter.urlHostAndPath.<Locale>= Locale-specific SSB URL
2. Run banportalsadmin.jar to generate the bannerCommon.car, sctecf.car, and banportals
EAR files.
3. To deploy, restart the web server.
Example INB Test for the My Banner Channel
1. Create a BANSECR/Oracle account for testing, if you do not already have one:
1.1. Login to Banner as BANSECR.
1.2. Go to the User Maintenance section of GSASECR.
1.3. Enter a user such as testinb7 and choose insert.
1.4. Enter a password.
1.5. Enter TEMP for Temp Tablespace.
1.6. Enter USERS for Default Tablespace.
1.7. Enter BAN_DEFAULT_CONNECT for the Default Role.
1.8. Check the Authorize BANPROXY check box.
1.9. Save your changes.
1.10. Click Modify, and then User Classes, and finally BAN_GENERAL_C class
(which should include object CHANNEL - BAN_DEFAULT_M) to enroll the user in
that class.
1.11. Login to INB as testinb7 (or whatever test user you just set up) with the
password to confirm that it works.
2. Set up a My Banner menu item for the E-mail Form (GOAEMAL):
2.1. While still logged in as testinb7, go to form GUAPMNU.
2.2. Enter a few personal forms such as GOAEMAL, SPAIDEN, and GTVEMAL.
2.3. Save your changes.
2.4. Exit Banner.
3. Log back into Banner as any user with access to GOAEACC:
3.1. Go to GOAEACC.
3.2. For Username, enter TESTINB7.
3.3. For ID, enter 111111111.
3.4. Save your changes.
3.5. Exit Banner.
4. Create a matching Luminis test account (such as testinb7), if you do not already have one:
4.1. Login to Luminis as administrator.
4.2. Choose Admin Toolbox.
4.3. In User Admin, select New.
4.4. Enter test for First Name.
4.5. Enter inb7 for Last Name.
4.6. Enter 01-JAN-1980 (or some value) for Birthdate.
4.7. Enter the password.
4.8. Confirm the password.
4.9. Enter testinb7 as the Login Name.
4.10. Choose Next and then OK.
4.11. Exit Luminis.
5. Login to Luminis with your test account.
6. Choose Content/Layout.
7. Choose the Add Channel button in desired location.
8. Select Category = Application.
9. Choose GO.
10. Select My Banner.
11. Choose the Add Channel button.
12. Choose the Back to All Users Sample tab and review your work.
13. Choose the new My Banner link from your chosen location.
14. Choose the E-mail Address Form link and it should launch INB 7.x and the
GOAEMAL form.
Example SSB Test for Personal Information Channel
1. Locate a Banner ID with access to SSB. Example:
ID = 111111111 (ex. SPRIDEN_ID)
2. Login to Luminis as the administrator.
2.1. Choose Admin Toolbox.
2.2. In User Admin, select New.
2.3. Enter test for First Name.
2.4. Enter ssb7 for Last Name.
2.5. Enter 01-JAN-1980 (or some value) for Birthdate.
2.6. Enter 111111111 (ex. SPRIDEN_ID) in the External Information System ID
field.
2.7. Enter the password.
2.8. Confirm the password.
2.9. Enter testssb7 as the Login Name.
2.10. Choose Next and then OK.
2.11. Exit Luminis.
3. Login to Luminis with testssb7 and the password.
4. Choose Content/Layout.
5. Choose the Add Channel button in desired location.
6. Select Category = Application.
7. Choose GO.
8. Select the Personal Information link.
9. Choose the Add Channel button.
10. Click the Back to All Users Sample tab, and review your work.
11. Choose the new Personal Information link from your chosen location.
12. Choose Update E-mail Addresses. You should be transferred directly into the SSB
application on the Change E-mail web page.
7 Implementing Banner HR Effort Reporting and Labor Redistribution
Banner® HR’s Effort Reporting and Labor Redistribution system is a Rich Internet
Application (RIA). To implement it, you need to install Oracle Application Server
10.1.3.x. The minimum requirement for installation is the J2EE Server.
Procedure to Deploy Effort Reporting and Labor Redistribution
Deploy the ear File
1. Create a folder called EffortDeploy on your Oracle Application Server and copy the
efc.ear file and EFC plan file to this new folder.
• For OAS version 10.1.3.1 or 10.1.3.3, use efc_plan.dat for the EFC plan file.
• For OAS version 10.1.3.4, use efc_plan_10_1_3_4.dat for the EFC plan file.
2. Create a folder called earExtract within the EffortDeploy folder and unzip the efc.ear
file into this new folder (from earExtract, jar xvf ..\efc.ear).
3. Create a folder called warExtract within the earExtract folder and unzip the efc.war
file created from Step 2 into this new folder (from warExtract, jar xvf ..\efc.war).
4. Go to the folder EffortDeploy\earExtract\warExtract\WEB-INF\classes and
modify the applicationContext-springSecurity.xml file. Change the logout-success-url
to point to your Employee Self Service URL.
<security:logout logout-url="/efc-flex/j_spring_security_logout"
logout-success-url="http://<Oracle Application Server>:<port>/<sid>/twbkwbis.P_GenMenu?name=pmenu.P_MainMnu"/>
5. Go to the folder EffortDeploy\earExtract\warExtract\WEB-INF\classes and
configure your datasource information in file jdbc.properties.
# This file contains JDBC specific properties that are configurable by a client.
jdbc.driver=oracle.jdbc.driver.OracleDriver
jdbc.url=jdbc:oracle:thin:<Oracle Database Server>:<port>:<sid>
jdbc.user=flexusr
jdbc.password=<password>
jdbc.max.active=-1
jdbc.max.idle=8
jdbc.max.wait=-1
jdbc.proxy=false
jdbc.driver
The jdbc driver classname.
jdbc.url
The url used to locate the database for this datasource.
jdbc.user
The default username for the database connection. The flexusr account was created in
the 8.1 release.
Note
If you are configuring Effort Reporting and Labor Redistribution (ERLR)
8.1 while also using Travel and Expense Management 8.2, you must use
Banner’s GSASECR form to add the ban_default_m role as a default
role for the flexusr account.
jdbc.password
The default password of the user for the database connection.
jdbc.max.active
The maximum number of active connections that can be allocated from this pool at the
same time, or non-positive for no limit.
jdbc.max.idle
The maximum number of active connections that can remain idle in the pool, without
extra ones being released, or negative for no limit.
jdbc.max.wait
The maximum number of milliseconds that the pool will wait (when there are no
available connections) for a connection to be returned before throwing an exception,
or -1 to wait indefinitely.
jdbc.proxy
Valid values are true and false.
True indicates that Oracle connections will be proxy connections. Proxy connections
will allow Oracle’s VBS and FGAC rules to be employed for the user.
False indicates that Oracle connections are exclusive for the identified user.
6. Reconstruct the ear file using the steps below.
6.1. Change directory to the warExtract folder and create efc.war. This will
overwrite the originally extracted war file.
Windows: jar cmf META-INF\MANIFEST.MF ..\efc.war *.*
Unix: jar cmf META-INF/MANIFEST.MF ../efc.war *
6.2. Change directory to the earExtract folder and create the efc.ear file. This will
overwrite the originally extracted ear file.
(jar cmf META-INF\MANIFEST.MF ..\efc.ear efc.war META-INF)
7. Access OEM on your 10.1.3.x Oracle Application Server. In most cases, OEM can be
accessed using http://yourservername:8888
You will be creating a new instance in the following steps.
8. Create a new group for SGHE application deployments.
8.1. Choose Create in the Groups section of the Oracle Application Server console.
8.2. Enter Group Name: sghe_group
8.3. Choose Create.
9. Expand All Application Servers.
10. Choose your installation of 10.1.3, for example, asdbR3.<yourservername>.
11. Choose Create Instance.
12. Use instance name = efc
13. Add to existing group with name: sghe_group
14. Check Start this instance after creation.
15. Choose Create.
16. Under Cluster Topology –> Application Server: OAS 10.1.3 server name, click
the new efc instance and then choose Applications.
17. Choose Deploy.
18. In the Archive section, browse for the modified ear file from Step 6.
19. In the Deployment Plan section, select Deployment plan is present on local host.
Upload the deployment plan to the server where Application Server Control is
running, and browse for the efc_plan.dat file.
20. Click Next.
21. Click Next.
22. Click Deploy.
Modify the Server Properties
After you’ve deployed the ear file, modify the server properties with the information that
follows. The ear file created by the installer must be deployed to an OAS R3 (10.1.3.x)
instance. The ear file should be deployed to a new instance that has no other application
deployed to it.
1. Access the server properties as follows:
1.1. Under Cluster Topology > Application Server: OAS 10.1.3 server name,
click the efc instance.
1.2. Click the Administration tab.
1.3. Locate Server Properties and click the Go To Task icon.
2. Under Ports > Web Sites, make the following settings:
Name = default-web-site
Port = 8889
Protocol = http
3. Change the following settings in Start-parameters: Java Options
Maximum heap size = 1024M
Initial heap size = 512M
It is recommended that the instance be configured with a minimum of 1 gigabyte as
the max memory. This parameter may need to be increased depending upon the size of
your institution.
4. The max perm size should be set to at least 512M by adding the following under
Start-parameters: Java Options on the Server Properties of the instance:
'-XX:MaxPermSize=512M'
5. Add the following option to the Start-parameters: Java Options of the Server
Properties for the instance:
-D.jmx.security.proxy.off=true
6. Under the Start-parameters: options, add the option -userThreads if it is not
already present.
7. The Apache TIMEOUT parameter in the httpd.conf defaults to 5 minutes. This
parameter may need to be increased depending upon the size of your institution for
the EFC batch extract process.
8. Restart your Oracle Application Server.
8 Implementing Banner Finance Travel and Expense Management
Banner® Finance's Travel and Expense Management system is a Rich Internet
Application (RIA). To implement it, you need to install Oracle Application Server
10.1.3.4. The minimum requirement for installation is the J2EE Server.
For additional information on Travel and Expense Management deployment, refer to FAQ
1-4DIQJ3.
Procedure to Deploy Travel and Expense
Deploy the ear File
1. Create a folder called tvlexp on your Oracle Application Server and copy the
tvlexp.ear and tvlexp_plan.dat files to this new folder.
2. Create a folder called earExtract within the tvlexp folder and unzip the tvlexp.ear file
into this new folder (from earExtract, jar xvf ..\tvlexp.ear).
3. Create a folder called warExtract within the earExtract folder and unzip the
tvlexp.war file created from Step 2 into this new folder (from warExtract, jar xvf
..\tvlexp.war).
4. Go to the folder tvlexp\earExtract\warExtract\WEB-INF\classes and configure
your datasource information in file jdbc.properties.
# This file contains JDBC specific properties that are configurable by a client.
jdbc.driver=oracle.jdbc.driver.OracleDriver
jdbc.url=jdbc:oracle:thin:<Oracle Database Server>:<port>:<sid>
jdbc.user=ftaeusr
(or flexusr; see note below)
jdbc.password=<password>
jdbc.max.active=-1
jdbc.max.idle=8
jdbc.max.wait=-1
jdbc.proxy=false
jdbc.driver
The jdbc driver classname.
jdbc.url
The url used to locate the database for this datasource.
jdbc.user
The default username for the database connection.
• If you are configuring Travel and Expense Management 8.2 or later, use the ftaeusr
username.
• If you are configuring Travel and Expense Management 8.1, use the flexusr
username.
• If you are configuring Travel and Expense Management 8.1 while also using Effort
Reporting and Labor Redistribution (ERLR) 8.2, use the flexusr username. In this
case you must use Banner’s GSASECR form to add the ban_default_m role as a
default role for the flexusr account.
jdbc.password
The default password of the user for the database connection.
jdbc.max.active
The maximum number of active connections that can be allocated from this pool at the
same time, or non-positive for no limit.
jdbc.max.idle
The maximum number of active connections that can remain idle in the pool, without
extra ones being released, or negative for no limit.
jdbc.max.wait
The maximum number of milliseconds that the pool will wait (when there are no
available connections) for a connection to be returned before throwing an exception,
or -1 to wait indefinitely.
jdbc.proxy
Valid values are true and false.
True indicates that Oracle connections will be proxy connections. Proxy connections
will allow Oracle’s VBS and FGAC rules to be employed for the user.
False indicates that Oracle connections are exclusive for the identified user.
5. Reconstruct the ear file using the steps below.
5.1. Change directory to the warExtract folder and create tvlexp.war. This will
overwrite the originally extracted war file.
Windows: jar cmf META-INF\MANIFEST.MF ..\tvlexp.war *.*
Unix: jar cmf META-INF/MANIFEST.MF ../tvlexp.war *
5.2. Change directory to the earExtract folder and create the tvlexp.ear file. This
will overwrite the originally extracted ear file.
(jar cmf META-INF\MANIFEST.MF ..\tvlexp.ear tvlexp.war META-INF)
6. Access OEM on your 10.1.3.x Oracle Application Server. In most cases, OEM can be
accessed using http://yourservername:8888
7. Create a new group for SGHE application deployments, if the group does not already
exist.
7.1. Click Create in the Groups section of the Cluster Topology Page.
7.2. Enter Group Name: sghe_group.
7.3. Click Create.
8. Create a new instance for this application.
8.1. Expand All Application Servers.
8.2. Click your installation of 10.1.3, for example,
OAS_10_1_3.<yourservername>
8.3. Click Create Instance.
8.4. Use instance name = tvlexp.
8.5. Check Add to an existing group with name sghe_group.
8.6. Check Start this instance after creation.
8.7. Click Create.
9. Deploy the .ear file and the .dat file.
9.1. Click the new tvlexp instance.
9.2. Click the Applications tab.
9.3. Click Deploy.
9.4. In the Archive section, check Archive is present on local host. Upload the
archive to the server where Application Server Control is running.
9.5. Browse for the modified ear file from Step 5.
9.6. In the Deployment Plan section, check Deployment plan is present on local
host. Upload the deployment plan to the server where Application Server
Control is running.
9.7. Browse for the tvlexp_plan.dat file.
9.8. Click Next. It may take some time to upload.
9.9. Click Next.
9.10. Click Deploy. It may take some time to upload.
9.11. Click Return.
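A check to run on the rebuilt efc.ear or tvlexp.ear before it is uploaded, as an added example that is not part of this guide or of the product: it opens the WAR stored inside the EAR and reports any template placeholder such as <password> still present in jdbc.properties or in the logout-success-url attribute. The function names and the in-memory sample archives are constructed for this example; the two file paths are the ones edited in the extract-and-rebuild steps of both procedures.

```python
import io
import re
import zipfile

# Matches template placeholders such as <password>, <port>, <Oracle Database Server>.
PLACEHOLDER = re.compile(r"<[^<>=\s][^<>=]*>")
JDBC_PATH = "WEB-INF/classes/jdbc.properties"
SECURITY_XML = "WEB-INF/classes/applicationContext-springSecurity.xml"
LOGOUT_URL = re.compile(r'logout-success-url="([^"]*)"')
REQUIRED = ("jdbc.driver", "jdbc.url", "jdbc.user", "jdbc.password")


def open_war(ear_bytes, war_name):
    """Open the WAR stored inside the EAR without writing anything to disk."""
    with zipfile.ZipFile(io.BytesIO(ear_bytes)) as ear:
        if war_name not in ear.namelist():
            return None
        return zipfile.ZipFile(io.BytesIO(ear.read(war_name)))


def check_rebuilt_ear(ear_bytes, war_name):
    """Return (item, problem) tuples for values still left at their template text."""
    war = open_war(ear_bytes, war_name)
    if war is None:
        return [(war_name, "not found in EAR")]
    findings = []
    with war:
        names = set(war.namelist())
        if JDBC_PATH not in names:
            findings.append((JDBC_PATH, "missing"))
        else:
            props = {}
            for raw in war.read(JDBC_PATH).decode("utf-8", "replace").splitlines():
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                key, sep, value = line.partition("=")
                if sep:
                    props[key.strip()] = value.strip()
            for key in REQUIRED:
                value = props.get(key, "")
                if not value:
                    findings.append((key, "missing"))
                elif PLACEHOLDER.search(value):
                    findings.append((key, "placeholder left in value"))
        # Only the ERLR procedure edits this file; skip it when absent.
        if SECURITY_XML in names:
            xml = war.read(SECURITY_XML).decode("utf-8", "replace")
            match = LOGOUT_URL.search(xml)
            if match is None:
                findings.append(("logout-success-url", "missing"))
            elif PLACEHOLDER.search(match.group(1)):
                findings.append(("logout-success-url", "placeholder left in value"))
    return findings


def build_sample_ear(jdbc_text, war_name, security_xml=None):
    """Constructed fixture: an EAR holding one WAR, built in memory."""
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr(JDBC_PATH, jdbc_text)
        if security_xml is not None:
            war.writestr(SECURITY_XML, security_xml)
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr(war_name, war_buf.getvalue())
    return ear_buf.getvalue()


# The templates as printed in this guide, left unedited.
TEMPLATE_JDBC = """\
# This file contains JDBC specific properties that are configurable by a client.
jdbc.driver=oracle.jdbc.driver.OracleDriver
jdbc.url=jdbc:oracle:thin:<Oracle Database Server>:<port>:<sid>
jdbc.user=flexusr
jdbc.password=<password>
"""
TEMPLATE_LOGOUT = (
    '<security:logout logout-url="/efc-flex/j_spring_security_logout" '
    'logout-success-url="http://<Oracle Application Server>:<port>/<sid>'
    '/twbkwbis.P_GenMenu?name=pmenu.P_MainMnu"/>'
)
# Constructed values standing in for a site's real settings.
FILLED_JDBC = """\
jdbc.driver=oracle.jdbc.driver.OracleDriver
jdbc.url=jdbc:oracle:thin:@dbhost.example.edu:1521:PROD
jdbc.user=ftaeusr
jdbc.password=constructed-example-secret
"""

if __name__ == "__main__":
    ear = build_sample_ear(TEMPLATE_JDBC, "efc.war", TEMPLATE_LOGOUT)
    for item, problem in check_rebuilt_ear(ear, "efc.war"):
        print(f"{item}: {problem}")
```

The rebuilt archive carries jdbc.password in clear text, so the same care applies to copies of the EAR left in the working folders as to the deployed application.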
Modify the Server Properties
After you’ve deployed the ear file, modify the server properties with the information that
follows. The ear file created by the installer must be deployed to an OAS R3 (10.1.3.4)
instance. The ear file should be deployed to a new instance that has no other application
deployed to it.
1. Access the server properties as follows:
1.1. Under Cluster Topology > Application Server: OAS 10.1.3 server name,
click the tvlexp instance.
1.2. Click the Administration tab.
1.3. Locate Server Properties and click the Go To Task icon.
2. Under Ports > Web Sites, make the following settings:
Name = default-web-site
Port = 8890
Protocol = http
3. Change the following settings in Start-parameters: Java Options
Maximum heap size = 1024M
Initial heap size = 512M
It is recommended that the instance be configured with a minimum of 1 gigabyte as
the max memory. This parameter may need to be increased depending upon the size of
your institution.
4. The max perm size should be set to at least 512M by adding the following under
Start-parameters:
Java Options on the Server Properties of the instance:
'-XX:MaxPermSize=512M'
5. Add the following option to the Start-parameters: Java Options of the Server
Properties for the instance:
-D.jmx.security.proxy.off=true
6. Under the Start-parameters: options, add the option -userThreads if it is not
already present.
7. The Apache TIMEOUT parameter in the httpd.conf defaults to 5 minutes. This
parameter may need to be increased depending upon the size of your institution.
8. Restart your Oracle Application Server.
Tips and Additional Information
If you are using Travel and Expense Management in combination with Banner Workflow,
check that the clock on the Workflow server matches the clock on the Travel and Expense
Management server. If the two clocks are out of sync, then report statuses, which are
generated on both servers, could be listed in the wrong order for Travel and Expense
Management users.
For additional information on Travel and Expense Management deployment, refer to FAQ
1-4DIQJ3.
A Self-Service Technical Information
The following describes the PIN tables for Self-Service Banner®.
Third Party Access Form Table
The underlying table for the Third Party Access Form (GOATPAC) and the Third Party
Access Audit Form (GOATPAD) is GOBTPAC. Technical descriptions follow.
GOBTPAC
Field Name                  Data Type
GOBTPAC_PIDM                NUMBER(8)
GOBTPAC_PIN_DISABLED_IND    VARCHAR2(1)
GOBTPAC_USAGE_ACCEPT_IND    VARCHAR2(1)
GOBTPAC_ACTIVITY_DATE       DATE
GOBTPAC_USER                VARCHAR2(30)
GOBTPAC_PIN                 VARCHAR2(256)
GOBTPAC_PIN_EXP_DATE        DATE
GOBTPAC_EXTERNAL_USER       VARCHAR2(30)
GOBTPAC_QUESTION            VARCHAR2(90)
GOBTPAC_RESPONSE            VARCHAR2(30)
GOBTPAC_INSERT_SOURCE       VARCHAR2(8)
GOBTPAC_LDAP_USER           VARCHAR2(255)
GOBTPAC_SALT                VARCHAR2(128)
Null Indicator: NOT NULL (five fields)
Third Party Access Audit Form Tables
The underlying tables for the Third Party Access Form (GOATPAC) and the Third Party
Access Audit Form (GOATPAD) are GOBTPAC and GORPAUD. Technical descriptions
follow.
GOBTPAC
Field Name                  Data Type
GOBTPAC_PIDM                NUMBER(8)
GOBTPAC_PIN_DISABLED_IND    VARCHAR2(1)
GOBTPAC_USAGE_ACCEPT_IND    VARCHAR2(1)
GOBTPAC_ACTIVITY_DATE       DATE
GOBTPAC_USER                VARCHAR2(30)
GOBTPAC_PIN                 VARCHAR2(6)
GOBTPAC_PIN_EXP_DATE        DATE
GOBTPAC_EXTERNAL_USER       VARCHAR2(30)
GOBTPAC_QUESTION            VARCHAR2(90)
GOBTPAC_RESPONSE            VARCHAR2(30)
GOBTPAC_INSERT_SOURCE       VARCHAR2(8)
GOBTPAC_LDAP_USER           VARCHAR2(255)
Null Indicator: NOT NULL (five fields)
GORPAUD
Field Name               Data Type       Null Indicator
GORPAUD_PIDM             NUMBER(8)       NOT NULL
GORPAUD_ACTIVITY_DATE    DATE            NOT NULL
GORPAUD_USER             VARCHAR2(30)    NOT NULL
GORPAUD_PIN              VARCHAR2(6)
GORPAUD_EXTERNAL_USER    VARCHAR2(30)
GORPAUD_CHG_IND          VARCHAR2(1)     NOT NULL
                                         VALUES:
                                         P = PIN Change
                                         I = ID Change
Campus Directory Tables
Use the following tables to understand Campus Directory tables related to Self-Service
Banner.
GTVDIRO --- Directory Item Validation Table
Primary Key: GTVDIRO_CODE
The form allows the user to query delivered data or to insert new data. Data with a
system_req_ind of checked (Yes) cannot be deleted. Also, when the system_req_ind is
checked (Yes), the gtvdiro_code cannot be updated.
Field Name                Description                       Data Type       Null Indicator
GTVDIRO_CODE              Code for Directory Item           VARCHAR2(8)     NOT NULL
GTVDIRO_DESC              Description for Directory Item    VARCHAR2(30)    NOT NULL
GTVDIRO_SYSTEM_REQ_IND    Is this a required code for       VARCHAR2(1)     NOT NULL
                          the system?
                          Valid values:
                          selected (Yes)
                          cleared (No)
GTVDIRO_ACTIVITY_DATE     Activity Date                     DATE            NOT NULL
GOBDIRO --- Directory Options Rule Table
Primary Key: GOBDIRO_CODE
Data with a system_req_ind of Y cannot be deleted.
Field Name                     Description                     Data Type      Null Indicator
GOBDIRO_DIRO_CODE              Code for Directory Item         VARCHAR2(8)    NOT NULL
GOBDIRO_DIRECTORY_TYPE         Alumni, Employee, or All        VARCHAR2(1)    NOT NULL
                               Indicator
                               Valid values:
                               Employee (E)
                               Alumni (D)
                               All (A)
GOBDIRO_ITEM_TYPE              Address, Telephone, or Not      VARCHAR2(1)    NOT NULL
                               Applicable
                               Valid values:
                               Address (A)
                               Telephone (T)
                               Not Applicable (N)
GOBDIRO_DISP_PROFILE_IND       Include in Directory Profile    VARCHAR2(1)    NOT NULL
                               Indicator?
                               Valid values:
                               selected (Yes)
                               cleared (No)
GOBDIRO_UPD_PROFILE_IND        Allow user to choose to         VARCHAR2(1)    NOT NULL
                               display in directory?
                               Valid Values:
                               selected (Yes)
                               cleared (No)
GOBDIRO_NON_PROFILE_DEF_IND    Default to directory for        VARCHAR2(1)    NOT NULL
                               users without a directory
                               profile?
                               Valid Values:
                               selected (Yes)
                               cleared (No)
GOBDIRO_SYSTEM_REQ_IND         Is this a required code for     VARCHAR2(1)    NOT NULL
                               the system?
                               Valid Values:
                               selected (Yes)
                               cleared (No) (default)
GOBDIRO_ACTIVITY_DATE          Activity Date                   DATE           NOT NULL
GOBDIRO_SEQ_NO                 Sequence Number                 Number         NOT NULL
GORDADD --- Directory Address Table
Primary Key: GORDADD_DIRO_CODE, GORDADD_PRIORITY_NO
Field Name               Description                Data Type      Null Indicator
GORDADD_DIRO_CODE        Code for Directory Item    VARCHAR2(8)    NOT NULL
GORDADD_PRIORITY_NO      Priority Number            NUMBER(1)      NOT NULL
GORDADD_ATYP_CODE        Address Type Code          VARCHAR2(2)    NOT NULL
GORDADD_TELE_CODE        Telephone Type Code        VARCHAR2(4)    NOT NULL
GORDADD_ACTIVITY_DATE    Activity Date              DATE           NOT NULL
GORDPRF -- Directory Profile Table
Primary Key: GORDPRF_PIDM, GORDPRF_DIRO_CODE
Field Name                    Description                   Data Type       Null Indicator
GORDPRF_PIDM                  Personal Identification       NUMBER(8)       NOT NULL
                              Number
GORDPRF_DIRO_CODE             Code for Directory Item       VARCHAR2(8)     NOT NULL
GORDPRF_DISP_DIRECTORY_IND    Display Indicator             VARCHAR2(1)     NOT NULL
                              Valid Values: Y or N
GORDPRF_USER_ID               User ID of person who last    VARCHAR2(30)    NOT NULL
                              changed the record
GORDPRF_ACTIVITY_DATE         Activity Date                 DATE            NOT NULL
B Single Sign-On Connectivity Overview
This section describes how the Banner® database, Internet-Native Banner (INB),
Luminis®, and your browser interact when you log in to one product and access another.
This information may be helpful if you already have Single Sign-On implemented at your
institution and are trying to add Banner, Self-Service Banner, and Luminis to it.
Note
This appendix does not cover SSO setup through Banner Enterprise
Identity Services. If you are using Banner Enterprise Identity Services,
please refer instead to the Banner Enterprise Identity Services Handbook.
Accessing Banner from Luminis
1. The end user selects a link to INB, and Luminis receives the request.
Note
Steps 2 - 7 are performed only once, when the first user accesses the
system from Luminis using SSO.
2. Luminis calls the configURL set in the Luminis configuration for Banner that is
defined in the es.systems parameter. This URL calls the database procedure
gokssso.P_GetConfigVersion2.
3. P_GetConfigVersion2 calls the Banner database, telling Luminis which URLs to call
for login and logout.
4. The procedure calls the Luminis server LDAP, asking for configuration data.
5. Configuration data is returned to the database and URLs are built to be sent back to
Luminis.
6. The URLs are passed back to the INB server to be transferred to Luminis.
7. The URLs are sent to Luminis.
Note
The following steps are performed for each user.
8. The Luminis server uses the configuration data it received to build the logon request.
9. The procedure gokssso.p_cp_login is called to process the login request.
10. The procedure revalidates the credentials it received.
11. If the credentials are valid, the process continues.
12. The procedure encrypts the credentials, generates a “token,” and creates a database
pipe containing the data. The token is also the pipe name. If Advanced Queuing has been
implemented as the alternate communication mechanism to DBMS_PIPE, the
encrypted credentials and generated token are enqueued to the SSO_Q queue. The
token value will be used for subsequent conditional dequeuing.
13. A URL is sent back to Luminis as the “pickup URL”, which includes the token.
14. Luminis communicates the pickup URL back to the browser as a redirect.
15. The browser redirects to the pickup URL, which is a call to procedure
gokcsso.p_call_banner.
16. The INB startup Java Applet receives the authentication information from the
database pipe (or from the SSO_Q queue if Advanced Queuing has been implemented
as the alternate communication mechanism to DBMS_PIPE).
17. The authentication information is passed in memory to the Oracle forms applet.
18. The forms applet starts and a Banner session is started.
Accessing Self-Service Banner from Luminis
1. The end user selects a link to Self-Service Banner (SSB in the diagrams that follow),
and Luminis receives the request.
Note
Steps 2 - 7 are performed only once, when the first user accesses the
system from Luminis using SSO.
2. Luminis calls the configURL set in the Luminis configuration for SSB that is defined
in the es.systems parameter. This URL calls the database procedure
gokssso.P_GetConfigVersion2_sserv.
3. P_GetConfigVersion2_sserv is a database call that tells Luminis which URLs to
call for login and logout.
4. The procedure calls the Luminis server LDAP, asking for configuration data.
5. Configuration data is returned to the database and URLs are built to be sent back to
Luminis.
6. The URLs are passed back to the INB server to be transferred to Luminis.
7. The URLs are sent to Luminis.
8. The Luminis server uses the configuration data it received to build the logon request.
9. The procedure gokssso.p_cp_login_sserv is called to process the login request.
10. The procedure revalidates the credentials it received.
11. If the credentials are valid, the process continues.
12. The procedure encrypts the credentials, generates a “token,” and creates a database
pipe containing the data. The token is also the pipe name. If Advanced Queuing has been
implemented as the alternate communication mechanism to DBMS_PIPE, the
encrypted credentials and generated token are enqueued to the SSO_Q queue. The
token value will be used for subsequent conditional dequeuing.
13. A URL is sent back to Luminis as the “pickup URL”, which includes the token.
14. Luminis communicates the pickup URL back to the browser as a redirect.
15. The browser redirects to the pickup URL, which is a call to procedure
gokcsso.p_call_banner_sserv.
The CPSESSID cookie is created.
16. The SSB session starts because the CPSESSID cookie exists.
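The token handoff in steps 12 to 16 of both flows above, modelled as an added example (not Banner or Luminis code): the pickup URL carries the token as a bearer value, so the property worth checking is that it is honoured exactly once, whether the data sits in a per-token pipe or in the shared SSO_Q queue. The endpoint URL, the `token` parameter name, the random token and the 30-second lifetime are assumptions; the guide does not state them.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

PICKUP_BASE = "https://banner.example.edu/pickup"   # hypothetical pickup endpoint


class PipeBackend:
    """DBMS_PIPE style: one pipe per login, and the token is the pipe name."""

    def __init__(self):
        self._pipes = {}

    def put(self, token, message):
        self._pipes[token] = message

    def take(self, token):
        # Reading the message empties the pipe, so a token works once.
        return self._pipes.pop(token, None)


class QueueBackend:
    """Advanced Queuing style: one shared queue, dequeued by token condition."""

    def __init__(self):
        self._sso_q = []

    def put(self, token, message):
        self._sso_q.append((token, message))

    def take(self, token):
        for i, (queued_token, message) in enumerate(self._sso_q):
            if secrets.compare_digest(queued_token.encode(), token.encode()):
                del self._sso_q[i]      # only the matching entry is dequeued
                return message
        return None


class SsoDatabase:
    """Stands in for the login (steps 9-13) and pickup (steps 15-16) procedures."""

    def __init__(self, backend, directory, ttl_seconds=30, clock=time.monotonic):
        self.backend = backend
        self.directory = directory      # constructed user -> password map
        self.ttl = ttl_seconds          # assumption: the guide states no lifetime
        self.clock = clock

    def login(self, user, password):
        """Revalidate the credentials, deposit them under a fresh token, return the pickup URL."""
        expected = self.directory.get(user)
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            return None                                 # step 11: stop on bad credentials
        token = secrets.token_urlsafe(32)               # assumption: random, unguessable token
        message = {"user": user, "expires": self.clock() + self.ttl}
        self.backend.put(token, message)                # step 12 (payload encryption not modelled)
        return PICKUP_BASE + "?" + urlencode({"token": token})   # step 13

    def pickup(self, pickup_url):
        """Consume the token carried by the pickup URL; return the user or None."""
        token = parse_qs(urlparse(pickup_url).query).get("token", [""])[0]
        message = self.backend.take(token)
        if message is None or self.clock() > message["expires"]:
            return None
        return message["user"]


def run_exchange(backend):
    """Drive two logins through the flow and report what each attempt returns."""
    now = [0.0]
    db = SsoDatabase(backend, {"jdoe": "Abc1", "asmith": "Xyz2"}, clock=lambda: now[0])
    rejected = db.login("jdoe", "wrong")    # no token is issued
    url_a = db.login("jdoe", "Abc1")
    url_b = db.login("asmith", "Xyz2")
    first = db.pickup(url_a)                # browser follows the redirect
    replay = db.pickup(url_a)               # same URL presented again
    now[0] += 31                            # past the assumed lifetime
    stale = db.pickup(url_b)
    return rejected, first, replay, stale
```

Because the token travels in a URL, it can end up in browser history, proxy logs and Referer headers; single use and a short lifetime are what keep a logged token from being useful later.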
C Oracle Version-Specific Information
Oracle Database 11g
Beginning with Banner General Release 8.2, Banner® is able to offer support for Oracle
Database 11g. Database 11g is officially supported, but is not required. Oracle Database
version 10.2.0.3 is the minimum required for Banner 8.x.
Required Versions for Banner in Database 11g
For institutions migrating to Database 11g:
• Oracle Database 11g: version 11.1.0.7.0 is the minimum required.
• Oracle Application Server: version 10.1.2.x is the minimum required. Version
10.1.2.3.0, with patch 1-3GSD7J applied, is recommended.
• Oracle Developer*Suite: version 10.1.2.x is the minimum required. Version
10.1.2.3.0 is recommended.
The following are the minimum Banner releases needed for institutions migrating to
Database 11g:
• Banner Advancement 8.2
• Banner Accounts Receivable 8.1
• Banner Document Management Suite 8.2
• Banner Finance 8.3
• Banner Financial Aid 8.4
• Banner General 8.2
• Banner Position Control 8.2
• Banner Human Resources 8.2
• Banner Student 8.2
• Banner Voice Response 8.0
For Banner Self-Service products, the following are the minimum releases needed:
• Banner Advancement Self-Service 8.3
• Banner Employee Self-Service 8.2
• Banner Faculty Self-Service 8.2
• Banner Finance Self-Service 8.0
• Banner Financial Aid Self-Service 8.4
• Banner Student Self-Service 8.2
• Banner Web General 8.2
• Banner Web Tailor 8.2
For other SunGard Higher Education products, Database 11g support will be listed in FAQ
1-4W1JEA.
Case-Sensitive Passwords in 11g
Oracle Database 11g supports case-sensitive passwords. This feature allows users to create
stronger passwords that mix upper- and lowercase characters. Use of this feature is not
required.
If you are migrating to Database 11g and want to take advantage of case-sensitive
passwords in Banner, you must make the following settings:
• The initialization parameter SEC_CASE_SENSITIVE_LOGIN must be set to TRUE.
• You must create an Oracle*Forms environment variable,
FORMS_USERNAME_CASESENSITIVE and set its value to 1 (the number one).
Note
Environment variable FORMS_USERNAME_CASESENSITIVE is available only
when using Application Server version 10.1.2.2 or higher.
Issues with Database 11g
There are several known issues and concerns that you should review before proceeding
with a migration to Oracle Database 11g. These issues are outlined in FAQ 1-4W1JEA,
Banner and Oracle Database 11g. The FAQ will be updated as new issues are discovered
and new solutions are found. Highlights of known issues are described below.
Platform Issues
There are several known issues with Oracle Database 11g on various platforms. Further
details of these issues can be found in FAQ 1-4W1JEA.
• An Oracle error occurs on startup in certain Linux platforms with Oracle Database
11.1.0.7. This issue is Oracle Bug 7272646.
• With Application Server version 10.1.2.3.0 and the UTF-8 character set, text may
be replaced by the pound sign (#) under some circumstances. This issue is Oracle
Bug 7126045: Oracle Patch 5983622 resolves the problem.
• The ojdbc14.jar and classes12.zip files referenced by Banner Java code no longer exist
in the Oracle 11g (11.1.0.7.0) default location $ORACLE_HOME/jdbc/lib. This problem is
partially resolved through changes to shell script files; the modified files are
delivered with Banner HR 8.2, Banner Student 8.2, and Banner Financial Aid
8.4.2. A workaround is available for the other affected object, script file
GURPDJAR. This issue is Defect 1-5I381L.
• Luminis® single sign-on (SSO) was impacted by a behavior change of Database
11g related to the password column in DBA_USERS. This problem was resolved
through changes to objects gokcss1.sql and gspsecr.sql delivered with Banner
General 8.2.
• Depending on your platform, Oracle’s prerequisites may require an operating
system upgrade before installing Database 11g.
• Oracle error ORA-24247 may be encountered when sending e-mails after
upgrading to Database 11g. Instructions for resolving this issue are found in FAQ
1-4W1JEA.
Change in Default Role Behavior
With Database 11g, Oracle has changed the way that default roles can be used in
connection with database security. Roles that are password-encrypted, such as the
BAN_DEFAULT_CONNECT role, cannot be assigned as a user’s default role. This issue
is described in Defect 1-5DG7XF, which lists two possible workarounds for this issue. For
more information, refer to FAQ 1-5BWTYS and Oracle Metalink Note 745407.1.
Oracle Database 10g and Application
Server 10g
This section includes FAQs related to configuring and maintaining an Oracle 10g database
and Oracle 10g Application Server. Since new FAQs are added to the Customer Support
Center on a frequent basis, you might want to periodically review FAQ #1-S35GU, which
contains a listing of all 10g-related FAQs.
In addition, the following FAQs address specific issues:
• 14145--Contains answers to common questions about Oracle 10g support and
requirements.
• 1-5K95Q--Provides steps for upgrading an Oracle 9.2.0.6 Banner 7.2 database to
Oracle 10.2.0.1 on Linux Red Hat 3.0.
• 1-SEFVX--A listing of Banner problem resolutions related to Oracle Database 10g
and Banner Cost-Based Optimization (CBO).
• 1-ST9HR--Instructions for correcting poor database performance if you have the
database initialization parameter SGA_MAX_SIZE set to a value greater than 50% of
physical memory on the server.
Note
The SGA_MAX_SIZE parameter is described in the Example Init.ora For
Oracle RDBMS 10.2.0 topic in the following section.
• 1-RUMST--How to adjust your Web Cache properties for a high volume of Self-Service Connections.
• 1-DY3Q5--How to bypass Oracle 10g v9.0.4 Web Cache for Forms.
• CMS-13884--Addressing performance problems with Forms 10g using SSL and
INB.
• 1-4PGDH--Addressing performance issues with INB Webforms Forms 10g using
Oracle Database 9i and Oracle Database 10g.
• 1-DH6D6--FAQs about Banner and Oracle Application Server 10g Release2.
• CMS-14077--Oracle MetaLink Note:294749.1 (Troubleshooting WebForms
Tuning / Performance /Time out).
• 1-RZ7CW--Oracle 10g Release 10.2.0.2 Advisory - UNION with CONNECT BY.
10g Database
Example Init.ora For Oracle RDBMS 10.2.0
(FAQ#1-95O8T)
This note contains example starting point settings for a Banner or ODS (Operational Data
Store) Oracle 10.2.0 initSID.ora file.
Using an SPFILE is recommended. An SPFILE can be created from the example
initSID.ora in this note by using the information in CMS-10978 How To Migrate From A
Pfile To A Spfile Metalink Doc ID: Note:166601.1.
Example:
CREATE SPFILE FROM PFILE = 'initBAN7.ora';
To change a parameter use the alter system command.
Example:
alter system set job_queue_processes=30;
alter system set job_queue_processes=30 scope=spfile;
create pfile='initBAN7.ora' from spfile;
Oracle 10.2 init.ora
The database name is set when the database is created. Typically the instance name is the
same as the db_name.
Example:
db_name = BAN7
Create three control files on different file systems in case one fails.
control_files = (/u01/oradata/ctl1BAN7.dbf,
/u02/oradata/ctl2BAN7.dbf,
/u03/oradata/ctl3BAN7.dbf)
• Required for Oracle RDBMS version 10.2.0.2 for Oracle Bug # FAQ 1-VDJ4I
Note:373806.1 Hierarchical Query Dumps in evaopn2
_optimizer_order_by_elimination_enabled = FALSE
• Required to fix Oracle Bug 4622729. Wrong results from queries using NOT
EXISTS. Bug is fixed in Oracle11.
_unnest_subquery = FALSE
• Set to false ONLY when applying Oracle patches and installing Java. May cause
problems with database performance and integrity if set to FALSE during normal
database activity.
_system_trig_enabled = false
• Rollback segments - System Managed Undo
Normally you need only set undo_tablespace for RAC since Oracle will use the
first undo tablespace available.
undo_management = auto
undo_tablespace = RBS
• Destination of the trace and core files:
background_dump_dest = /u02/oracle/dump
core_dump_dest = /u02/oracle/dump
user_dump_dest = /u02/oracle/dump
audit_file_dest = /u02/oracle/dump
max_dump_file_size = 10240
• Required for ODS (Operational Data Store) Databases for Metadata creation:
utl_file_dir = /u02/oracle/UTL
• Buffer cache size
New parameter replacing db_block_buffers:
db_cache_size = 100M    # 25 users
db_cache_size = 400M
#db_cache_size = 1G     # 100+ users
• New SGA parameter--See Metalink Note 270065.1 (FAQ 1-PCW2R). Total size of
the SGA including buffer cache, log_buffer, shared_pool_size, large_pool_size.
Some customers have reported that explicitly setting minimum SHARED_POOL_SIZE
along with SGA_TARGET has improved performance. See Metalink Note:257643.1.
(FAQ 1-G88U0).
sga_target = 500M    # 25 users
shared_pool_size = 300M
sga_target = 1G
sga_target = 2G      # 100+ users
SGA_MAX_SIZE should be set to allow sga_target to dynamically increase.
SGA_MAX_SIZE should not exceed 50% of physical memory of machine in order to
prevent thrashing of memory.
sga_max_size = 2G
• Cursor_Space_For_Time description:
Shared SQL areas are kept pinned in the shared pool. As a result, shared SQL areas
are not aged out of the pool as long as an open cursor references them. Because
each active cursor's SQL area is present in memory, execution is faster. However,
the shared SQL areas never leave memory while they are in use. Therefore, you
should set this parameter to TRUE only when the sga_target is large enough to hold
all open cursors.
cursor_space_for_time = true
• Although cursor_sharing=similar may reduce the parsing overhead for parsing
similar SQL statements that differ only in literal values, exact should be set. Exact
is the default value. Testing has shown similar may cause problems.
cursor_sharing = exact
• Number of session cursors to cache.
Subsequent parse calls will find the cursor in the cache and will not need to reopen
the cursor
session_cached_cursors = 50
session_cached_cursors = 200    # 100+ users
• New parameters replacing sort_area_size
Note
For OpenVMS, value must be 0.
pga_aggregate_target = 50M     # 25 users
pga_aggregate_target = 500M
pga_aggregate_target = 1G      # 100+ users
workarea_size_policy = auto
• Maximum number of o/s user processes that can simultaneously connect to Oracle.
Also include background processes - locks, job queue
processes = 100    # 25 users
processes = 300
processes = 800    # 100+ users
• Sessions should be twice the number of processes
sessions = 600
dml_locks = 10000
open_cursors = 1024
• New Optimizer settings For on 10.2
FIRST_ROWS_10 has been shown to provide better performance than FIRST_ROWS for
Banner databases. Some Banner customers may see even better performance with
FIRST_ROWS_1.
For ODS databases, FIRST_ROWS is recommended.
Since the Cost-Based Optimizer is sensitive to the particular data in a database and
the capabilities of a particular hardware configuration, it may be necessary to
change the optimizer_index_caching and optimizer_index_cost_adj parameters to achieve
optimal performance.
• FAQ 1-GGFI4 Init.ora Parameters Which Effect Oracle Cost Based Optimizer
(CBO)
optimizer_mode = FIRST_ROWS_10
optimizer_index_caching = 90
optimizer_index_cost_adj = 30
optimizer_dynamic_sampling = 2
• See FAQs
• 1-MR8NU Oracle 10.2 Performance And optimizer_secure_view_merging
And MERGE ANY VIEW.
• 1-1A87XT Note5195882.8 Bug 5195882 - Queries in FGAC use full table
scan instead of index access.
optimizer_secure_view_merging = false
This parameter has been shown to fix performance problems with certain ODS
composite views in 10.2.0.2 but has not been completely tested with all Banner
processes.
• See FAQ 1-1A1HZ7 ODS Mapping Error
_complex_view_merging = false
• Set to the version of the database. This parameter may affect the optimizer path.
compatible = 10.2.0.2
• i/o calls for full table scan--If set too high may cause performance problems.
Recommended values 8 to 32.
db_file_multiblock_read_count = 16
• Allow users to see their trace files if database is in secured environment:
_trace_files_public = true
• Year2000 date compliant format:
nls_date_format = DD-MON-RR
• Back-up and Recovery:
db_recovery_file_dest = /u01/oracle/flash_recovery
#db_recovery_file_dest_size = 20G
#log_archive_dest_1 = /u01/oracle/logs
#log_archive_start = true
#log_archive_format = %t_%s_%r.dbf
• Multi-Threaded Server MTS. Also known as Shared Server.
instance_name = BAN7
dispatchers = "(protocol=tcp)(dispatchers=2)"
dispatchers = "(protocol=ipc)(dispatchers=2)"
max_dispatchers = 10
service_names = BAN7
local_listener = "(address=(protocol=tcp)(host=YourHostName)(port=1521))"
• Required for SQL trace and Statspack. Has minimal performance impact.
timed_statistics = true
• Required for 10.2 upgrade. Set the appropriate Database block size--2048 to 16384
(Linux, Solaris, Windows). 2048 to 32768 (AIX, HP, Tru64).
db_block_size = 2048
db_block_size = 8192
db_block_size = 16384
db_block_size = 32768
• Resource limits are enforced in database profiles.
resource_limit = true
• Allow dba remote access using the orapwBAN7 password file.
The file orapwBAN7 can be used by only one database. The password file can
contain names other than SYS.
Example:
cd $ORACLE_HOME/dbs
orapwd file=orapwBAN7 password=manager entries=5
remote_login_passwordfile = exclusive
• Required for setting up Oracle Database Control 10g using emca:
job_queue_processes = 10
• Oracle Database 10g supports automatic checkpoint tuning. 10g Automatic
checkpoint tuning is in effect if FAST_START_MTTR_TARGET is unset.
fast_start_mttr_target = 300
10.2 obsolete params
hash_join_enabled = true
max_enabled_roles = 50
sql_trace = false
_complex_view_merging = false
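An audit of a pfile against the rules stated in the example above, added here as an illustration (not SunGard or Oracle code). The sample pfile is constructed, and the server's physical memory is passed in by the caller.

```python
import re

# Constructed pfile: parameter names come from the example above; several values
# are deliberately set against its guidance so the checks have something to report.
SAMPLE_PFILE = """\
db_name = BAN7
control_files = (/u01/oradata/ctl1BAN7.dbf,
                 /u02/oradata/ctl2BAN7.dbf,
                 /u03/oradata/ctl3BAN7.dbf)
sga_target = 1G
sga_max_size = 2G                # lets sga_target grow
processes = 300
sessions = 500
cursor_sharing = similar
db_file_multiblock_read_count = 64
_system_trig_enabled = false
_trace_files_public = true
hash_join_enabled = true
#sql_trace = false
"""

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# Listed under "10.2 obsolete params"; _complex_view_merging is left out because
# the example also sets it for the ODS mapping error.
OBSOLETE_10_2 = ("hash_join_enabled", "max_enabled_roles", "sql_trace")


def parse_size(text):
    """Convert '500M', '2G' or a plain byte count to bytes."""
    match = re.fullmatch(r"(\d+)\s*([KMG]?)", text.strip().upper())
    if not match:
        raise ValueError(f"not a size value: {text!r}")
    return int(match.group(1)) * UNITS[match.group(2)]


def parse_pfile(text):
    """Return {name: [values]} with comments dropped and (...) values joined."""
    params, pending = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        pending = f"{pending} {line}".strip()
        if pending.count("(") > pending.count(")"):
            continue                      # value continues on the next line
        name, sep, value = pending.partition("=")
        pending = ""
        if sep:
            params.setdefault(name.strip().lower(), []).append(value.strip())
    return params


def audit(params, physical_memory_bytes):
    """Return (parameter, message) pairs for settings that depart from the guidance."""
    def last(name):
        values = params.get(name)
        # When a parameter is repeated, the later line overrides the earlier one.
        return values[-1].strip('"').lower() if values else None

    findings = []
    if last("sga_max_size") and parse_size(last("sga_max_size")) > physical_memory_bytes // 2:
        findings.append(("sga_max_size", "exceeds 50% of physical memory"))
    if last("processes") and last("sessions"):
        wanted = 2 * int(last("processes"))
        if int(last("sessions")) != wanted:
            findings.append(("sessions", f"should be {wanted}, twice processes"))
    if last("cursor_sharing") not in (None, "exact"):
        findings.append(("cursor_sharing", "should be exact"))
    mbrc = last("db_file_multiblock_read_count")
    if mbrc and not 8 <= int(mbrc) <= 32:
        findings.append(("db_file_multiblock_read_count", "recommended range is 8 to 32"))
    if last("_system_trig_enabled") == "false":
        findings.append(("_system_trig_enabled", "false only while patching or installing Java"))
    if last("_trace_files_public") == "true":
        findings.append(("_trace_files_public", "trace files are readable by all OS users"))
    for name in OBSOLETE_10_2:
        if name in params:
            findings.append((name, "listed as obsolete in 10.2"))
    return findings


if __name__ == "__main__":
    for name, message in audit(parse_pfile(SAMPLE_PFILE), 3 * 1024 ** 3):
        print(f"{name}: {message}")
```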
Troubleshooting
Single Sign-On for INB
Unsupported OID Service
Try one of the following:
• Verify syntax in the es.sctinb.configURL parameter in configman.
• Check that your DAD user has execute permissions on gokssso and gokcsso
packages.
LDAP bind password and getting error ORA-29283
Try one of the following:
• Double-check the permissions on the enckey file and make sure it is readable by
Oracle.
• Recreate the KEY_DIR and enckey file.
LDAP Bind Failed. Message is ORA-31202: DBMS_LDAP: LDAP client/server
error: No such object
Try one of the following:
• Make sure login userid is defined in LDAP server.
• Check that you have the correct SearchBase configurations.
• Check that you have the correct UserPrefix configuration.
ORA-31202: DBMS_LDAP: LDAP client/server error: Invalid credentials
Make sure you are using the correct LDAP password to login.
When allowing multiple INB sessions from one Luminis link
Either of the following error messages could occur:
• FRM-92050: Failed to connect to the Server
• FRM-92102: A network error has occurred. The Form Client has attempted to reestablish its connection to the server 1 time(s) without success. Please check the
network connection and try again later.
Change the OAS webserver setting
d:\oas10g\Apache\Jserv\servlets\zone.properties
from:
session.useCookies=true
To:
session.useCookies=false
Single Sign-On for SSB
Unsupported OID Service
Try one of the following:
• Verify syntax in the es.sctssb.configURL parameter in configman.
• Check that your DAD user has execute permissions on gokssso and gokcsso
packages.
LDAP bind password and getting error ORA-29283
Try one of the following:
• Double-check the permissions on the enckey file and make sure it is readable by
Oracle.
• Recreate the KEY_DIR and enckey file.
LDAP SSB Luminis numeric password issue Page Not Found gokcsso.p_call_banner ORA-988
Change the Luminis and Banner passwords to something that starts with a letter and
does not require double quotes to issue create or alter user commands. For example,
password abc1 instead of 1abc.
If that is not feasible, take the following steps:
1. Edit BANNER_HOME\general\dbprocs\gokcss1.sql
2. Find this line:
execute immediate 'alter user '||sso_user||' identified by '||sso_pswd;
3. Change it to:
execute immediate 'alter user '||sso_user||' identified by '|| '"' || sso_pswd || '"';
4. Save changes and rebuild package.
Invalid login information. Please try again.
Try one of the following:
• Confirm the LDAP userid and password are correct.
• If the WebTailor Administration -- LDAP Administration Search Indicator is
checked, try unchecking it and testing again.
Luminis Channels for Banner
A SQL exception has occurred. ORA-12154: TNS:could not resolve service name
1. Edit banportals.config and change default.tnsName=rocoram1_ban7 to
default.tnsName=rocoram1_ban7.sct.com.
2. Rebuild the bannerCommon.car and banportals.ear
java -jar banportalsadmin.jar banportals.config
3. Redeploy the banportals.ear and recopy the bannerCommon.car to Luminis.
A SQL exception has occurred. ORA-01017: invalid username/password; logon denied
1. Edit banportals.config and change default.password=banproxy to
default.password=u_pick_it
2. Rebuild the bannerCommon.car and banportals.ear
java -jar banportalsadmin.jar banportals.config
3. Redeploy the banportals.ear and recopy the bannerCommon.car to Luminis.
HTTP 404 web page errors related to gokcsso.p_call_banner ORA-20007
Disable Oracle Profiles for LDAP/SSO accounts, or take the following steps:
1. Set PASSWORD_REUSE_TIME UNLIMITED in profile.
2. Alter profile TEST2_PROFILE LIMIT PASSWORD_REUSE_TIME UNLIMITED.
December 2009
Banner General 8.3
Middle Tier Implementation Guide
Troubleshooting
155
156
Banner General 8.3
Middle Tier Implementation Guide
Troubleshooting
December 2009
Index
A
C
Address Role Privileges Form (GOAADRL)
56
Address Type Code Validation Form
(STVATYP) 56, 57
alumni directory
setting up 64
AnonmsSearch LDAP server entry 77, 85,
94, 97
assigning PINs
for individual users 62
assigning web user roles 51
Authentication key parameters
BIND_PASSWORD 79
BIND_USER 79
DN 79
SERVER 79
USERMAP_OPT 80
USERMAP_PRFX 80
campus directories 64
and address hierarchies 65
creating 64
creating profiles 65
certificate wallet 80
changing an e-mail address online 67
Common Name (CN) 83, 96
configuring your INB server 86
CPAuth LDAP server entry 77, 83, 94, 96
CPDeAuth LDAP server entry 77, 83, 94, 96
CPLastAct LDAP server entry 77, 83, 94, 96
creating an alumni directory 64
creating an alumni directory profile 65
creating an employee directory 64
creating an employee directory profile 65
creating an encryption key 75
creating campus directories 64
creating campus directory profiles 65
creating DADs for running SSO 86
credit card processing 53
CSSURL LDAP server entry 77, 85, 94, 96
Current PIN Table (GOBTPAC) 61
customizing graphic elements 47
customizing graphics and icons 47
customizing Info Text 53
customizing web rules 46
B
bannersso.jar file 86
banportals application 107
BANSSO user 86
BASELINE and Local records
Self-Service web menus and web
procedures 48
BASELINE values
Copying BASELINE values to users 21
Using the Propagate field 21
BIND_PASSWORD parameter 79
BIND_USER parameter 79
bottom-of-the-page link
definition 51
bottom-of-the-page links
adding 52
December 2009
D
DADNormal LDAP server entry 77, 82, 94, 95
dadnormal.txt 86
DADSpecial LDAP server entry 77, 82
dadspecial.txt 86
Data Extract
Choosing default output 20
Configuring environment variable 22
Enabling Data Extract for a form 20
Banner General 8.3
Middle Tier Implementation Guide
Index
157
Setting up Data Extract 20
WebUtil 22
data synchronization with SunGard Higher
Education partner systems 63
DBA_DIRECTORIES view 75
DBMS_OBFUSCATION_TOOLKIT Oracle
package 75
DBMS_OBFUSCATION_TOOLKIT Oracle
utility 72
DBMS_PIPE 72
defining graphic elements 47
defining graphics and icons 47
defining web rules 46
DES encryption 75
DES3 algorithm 76
directories 64
Directory Address Table (GORDADD) 138
Directory Item Validation Form (GTVDIRO)
64
Directory Item Validation Table (GTVDIRO)
136
Directory Options Rule Form (GOADIRO) 64,
65
Directory Options Rule Table (GOBDIRO)
137
Directory Profile Table (GORDPRF) 64, 139
disabling a menu item temporarily 52
DN parameter 79
documentation
related 9
E
E-mail Address Form (GOAEMAL) 67
E-mail Address Type Validation Form
(GTVEMAL) 67, 68
e-mail addresses
changing online 67
preferred 68
employee directory
setting up 64
enckey file 75
encryption key
creating 75
Environment variables
Banner ID images environment variables
19
Data Extract environment variable 22
158
Banner General 8.3
Middle Tier Implementation Guide
Index
establishing third party history information 57
establishing web user parameters 57
external system sctinb 72
F
Forms
GUAUPRF General User Preferences
Maintenance Form 78
forms
GOAADRL Address Role Privileges
Form 56
GOADIRO Directory Options Rule Form
64, 65
GOAEMAL E-mail Address Form 67
GOATPAC Third Party Access Form 57,
58, 59, 135
GOATPAD Third Party Access Audit
Form 57, 58, 61, 63, 135
GTVDIRO Directory Item Validation Form
64
GTVEMAL E-mail Address Type
Validation Form 67, 68
GUASRVY Survey Definition Form 69
GUAUPRF General User Preferences
Maintenance Form 20
STVATYP Address Type Code Validation
Form 56, 57
G
General User Preferences Maintenance
Form (GUAUPRF) 20, 78
GLBDATA Population Selection Extract
Process 69
global menu bottom link
definition 51
global menu bottom links
adding 52
GOAADRL Address Role Privileges Form 56
GOADIRO Directory Options Rule Form 64,
65
GOAEMAL E-mail Address Form 67
GOATPAC Third Party Access Form 57, 58,
59, 135
GOATPAD Third Party Access Audit Form
57, 58, 61, 63, 135
GOBDIRO Directory Options Rule Table 137
GOBTPAC Current PIN Table 61
December 2009
GOKCSSO package 72
GOKKSSO package 72, 75, 76
goksso.p_cp_lastact 83, 96
goksso.p_cp_login 83, 96
goksso.p_cp_logout 83, 96
gokssso.p_login 73
GORDADD Directory Address Table 138
GORDPRF Directory Profile Table 64, 139
GORPAUD PIN Audit Trail History Table 135
GORPAUD PIN History Table 61, 63
GTVDIRO Directory Item Validation Form 64
GTVDIRO Directory Item Validation Table
136
GTVEMAL E-mail Address Type Validation
Form 67, 68
GUASRVY Survey Definition Form 69
GUAUPRF General User Preferences
Maintenance Form 20, 78
GURUPRF Personal Preference Table 72
H
Home Directory for Luminis Channels for
Banner 110
home page
customizing the contents of 45, 54
customizing the look-and-feel 49
file location 45
homepage.htm 45
HTTPPrefixClient LDAP server entry 77, 85,
94, 96
HTTPPrefixServer LDAP server entry 77, 85,
94, 96
I
INBServerName LDAP server entry 77, 82
INBServletPath LDAP server entry 77, 85
Info Text
changing the order of paragraphs
displayed 53
creating 53
customizing 53
graphics 53
modifying 53
K
KEY_DIR Oracle directory 75
L
LDAP 46, 54, 55, 56, 57, 61, 63, 97, 135, 136
LDAP Lightweight Directory Access Protocol
71
LDAP server entries
AnonmsSearch 77, 85, 94, 97
CPAuth 77, 83, 94, 96
CPDeAuth 77, 83, 94, 96
CPLastAct 77, 83, 94, 96
CSSURL 77, 85, 94, 96
DADNormal 77, 82, 94, 95
DADSpecial 77, 82
HTTPPrefixClient 77, 85, 94, 96
HTTPPrefixServer 77, 85, 94, 96
INBServerName 77, 82
INBServletPath 77, 85
PswdChangeMessage 77, 84, 94, 96
SearchBase 77, 83, 94, 96
SSBServerName 94, 95
UserMapDN 77, 83, 94, 96
UserPrefix 77, 83, 94, 96
ldapmodify 77, 94
LDAPS 79
LDIF files 76, 93
sso_oclass_oid.ldif 76
sso_oclass_sunone.ldif 76
sso_parms.ldif 77
sso_parms_sserv.ldif 94
sso_root_sunone.ldif 77
sso_root_sunone2.ldif 77
Lightweight Directory Access Protocol
(LDAP) 46, 54, 55, 56, 57, 61, 63, 71, 97,
135, 136
LOCATION parameter 80
Luminis to Banner SSO with ADMIN Access
86, 101
M
menu item
criteria for display 51
definition 51
disabling temporarily 52
menu items
adding 52
changing the order of 52
modifying 52
MODE parameter 80
N
NDS 77, 94
Novell Directory Server (NDS) 77, 94
O
online surveys
creating 69
defining questions for 70
defining the Web products where one can
appear 70
defining who receives it 69
OpenLDAP 77, 94
Oracle Apache HTTP Listener 45
Oracle Apache PL/SQL Agent 48
Oracle Wallet Manager 80
P
package.procedure combinations 48
Packages
GOKCSSO 72
GOKKSSO 72, 75, 76
PASSWORD parameter 80
Personal Preference Table (GURUPRF) 72
PIN administration 57
PIN Audit Trail History Table (GORPAUD)
135
PIN Hint Question 63
PIN Hint Response 64
PIN History Table (GORPAUD) 61, 63
PINs
assigning for individual users 58, 62
assigning via batch processing 58
assigning via database triggers 58
changing 62
disabling 60, 62
expiration 61, 63
generating automatically 58
historic information 57
pre-expiring 59, 61, 63
resetting 60, 61, 62
Population Selection Extract Process
(GLBDATA) 69
preferred e-mail addresses 67, 68
Propagate field on GUAUPRF 21
ProviderChannel 107
PswdChangeMessage LDAP server entry
77, 84, 94, 96
Publishing a channel 118
R
resetting PINs 62
root directory 44
S
sample DADs
dadnormal.txt 86
dadspecial.txt 86
screen reader 48
sctinb 72
SCTSSOConfig 83, 96
SCTSSOConfig object class 76
SCTSSOConfigString attribute 77, 83, 96
SearchBase LDAP server entry 77, 83, 94, 96
SERVER parameter 79
setting up campus directories 64
setting up campus directory profiles 65
Setting up Data Extract 20
Choosing the default output 20
Configuring environment variable 22
Copying BASELINE values to users 21
Enabling Data Extract for a form 20
Single Sign-On (SSO)
Overview 72
SSBServerName LDAP server entry 94, 95
SSL (Secured Socket Layer) key parameters
80
SSL authentication mode 80
SSL key parameters
LOCATION 80
MODE 80
PASSWORD 80
SSO Single Sign-On
Overview 72
sso_oclass_oid.ldif file 76
sso_oclass_sunone.ldif file 76
sso_parms.ldif file 77
sso_parms_sserv.ldif file 94
sso_root_sunone.ldif file 77
sso_root_sunone2.ldif file 77
STVATYP Address Type Code Validation
Form 56, 57
Survey Definition Form (GUASRVY) 69
surveys
creating 69
defining questions for 70
defining the Web products where one can
appear 70
defining who receives it 69
synchronization with SunGard Higher
Education partner systems 63
System Functions/Administration forms
General User Preferences Maintenance
Form (GUAUPRF) 20
T
Tables
GURUPRF Personal Preference Table
72
tables
GOBDIRO Directory Options Rule Table
137
GOBTPAC Current PIN Table 61
GORDADD Directory Address Table 138
GORDPRF Directory Profile Table 64,
139
GORPAUD PIN Audit Trail History Table
135
GORPAUD PIN History Table 61, 63
GTVDIRO Directory Item Validation Table
136
TWGBWSES WebTailor Web Session
Table 63
Terms of Usage
displaying 60, 62
redisplaying 60, 62
Terms of Usage page 46
Third Party Access Audit Form (GOATPAD)
57, 58, 61, 63, 135
Third Party Access Form (GOATPAC) 57, 58,
59, 135
third party history information
establishing 57
viewing 61
third party ID 63
third party information
changing 61
timing out 46
TWADMINU.SQL 42
TWGBWSES WebTailor Web Session Table
63
U
USERMAP_OPT parameter 80
USERMAP_PRFX parameter 80
UserMapDN LDAP server entry 77, 83, 94,
96
UserPrefix LDAP server entry 77, 83, 94, 96
V
validation forms
E-mail Address Type Validation Form
(GTVEMAL) 68
W
web rules 46
web user parameters
establishing 57
web user roles
adding the WebTailor Administrator role
to an existing Banner ID 42
assigning 51
assigning address view privileges 56
definition 50
WebTailor Web Session Table
(TWGBWSES) 63
WebUtil
About 22
Changing Data Extract output type to
WebUtil 21