Wednesday, 31 January 2018

Setting up security for Orchestration Studio 6.0

Let's fix UDO security for orchestration notification button

image
Cannot add orchestration

image
Also cannot see the notifications button...

Make sure that you have these UDC's, the list below is correct for 9.2
image
I was able to change the security setting below for NTF
Security before:
After

Clear cache from SM
image
Reset the cache (JDBj) via server manager

image

Great, now I can add notifications!

Let's fix the security for orchestration now.

Above can now be chosen
Create UDO action security for NTF, SCHEDULE and ORCH
image

image

Should look like below
image

Now we can add a new orchestration!





imageNow lets download some samples to view what we need to orchestrate
Note that there is a download type of EnterpriseOne Orchestrator
image

Now goto tools menu from orchestration login

image
Import files, hit the BIG brown button
image

Save the par files and rename them to zip files.

image

Choose the file from the downloaded items

image

It shows you the included operations, note that these include orchestrations and service requests

Nice, we can now choose to edit the components


We can also see all of the edit controls, because our UDO security is correct
image

Sharing orchestrations

I’ve been developing some orchestrations and am having a great time, no honestly.  There is so much power and so much productivity that you can implement using orchestration.  Notifications and subscriptions (although a little clunky) are also very cool.  I’ll do a bunch of blogging in this area, as it’s very cool.

But, let’s focus on a little issue I have.

I’ve been testing JD Edwards transaction processing (TP), locking and reservations using HTML, AIS and orchestration.  This involves different users and often different users trying to run the same code.

I WAS logging into the orchestrator and exporting my zip files and then importing with another user.  This is nice and easy, but not the correct way of doing things.

When calling with the alternate user, I get

{   "message" : "Endpoint not defined: POandVoucherCombo. Add the orchestration, or make sure it is shared to this user.",   "exception" : "java.lang.Exception",   "timeStamp" : "2018-01-31:02.28.59"
}

Method 1: save and restore:

image

Login to orchestration studio as user that created the orchestration.

edit the orchestration

Choose the export button, then ALL (this will include the rules and service requests and everything).

Import

image

Find the tools exit and choose import


image

Easy, choose the zip file that you created and you are away


image

Note they exist for me.  If they did not – just tick the box and choose submit!

Method 2: Fix security – share the UDO

run P98220U

image

You’ll see orchestrations of various status

The orchestration that I’m dealing with is below, note that I’ve already selected the publish button.  My only options now are to reserve it so that I can publish it again.

image

Note that if I select reserve

image

The P9822OU changes immediately to editing

image

Let’s hit the request

image

image

And now it’s pending in JDE

image


How cool, the comments are in the MO – love it!

image

Lets share this awesome orchestration

image

Easy!!! – shared with public!

image

Unless you have it reserved, you cannot use it in the client:

image

So, you need specific security for the UDO to be able to run and see the shared orchestration

From P98220U

image

Now choose the “Revise View Security” tab

image

Enter the user names to share to and click SAVE (unlike me)

image

And now!

image


{   "message" : "ServiceRequest P0411OpenAndUpdateLedger.xml := java.io.IOException: P0411OpenAndUpdateLedger Not Found.  Check permissions of the UDO.",   "exception" : "java.lang.Exception",   "timeStamp" : "2018-01-31:03.04.48"
}

Okay, at least I get a different error now, this is a service request security problem, not orchestration problem.  I can fix that with all of the above mechanisms.

Tuesday, 30 January 2018

Error Error: Login Failed User is not included in the AIS server White List, contact your server administrator

I just created a new user, essentially GOD in JDE.

but it gets the following error when trying to log into the orchestration suite:


Note that it does not get this error when logging into the orchestration client (directly to AIS), so the error is a little bit strange!

A quick check of support.oracle.com shows me an error found in 9.2.1.2 - great -that is our release.

go here:  https://support.oracle.com/epmos/faces/DocContentDisplay?_afrLoop=249178588426576&id=2040956.1&_afrWindowMode=0&_adf.ctrl-state=10h8xp9h9n_145

Funny thing is that is works as JDE, but not as another user.  So I decided to follow the following option2 (as option 1 was for windoze).

Option 2:
a. take a backup of the config.xml file found in the 'WebLogic_home\user_projects\domains\AISDomainLocation\config' directory
b. add the '<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>" entry to the config.xml just before the closing
tag of the Weblogic Server domain:

myrealm
{AES}25la24ZXYsP1hsgwbVl7Qa6T6UxFeF/D2PN57oYOgOe1rmBOQYhviia/HoFghUXIeoYsJFteAhHWzaD0D4L8tykrYsYRnt/kzS3AQWPwZuc+jwLOE9r1LwyneM8dhHr6
weblogic
{AES}MtUDlUBN2E8NLXcHI3v/VE9AU3F3bwiMMqPBOBVGcPw=
false
true

backup your config.xml file from you domain home config dir

[oracle@ip-10-10-1-235 config]$ cp config.xml confix.shannon.xml
[oracle@ip-10-10-1-235 config]$ pwd
/Oracle_Home/user_projects/domains/e1apps/config

vi this file and add the line in bold

    weblogic
    {AES}UitOE/8SEeR3PneMozFFmPnhLCyzAzXEC4A8WUtUtHk=
false
    true
 
 
    AdminServer
   

Note that I had my AIS server, ADF and everything under the same home.  So I do not need to do this multiple times for multiple config.xml's

The fact that I get this problem with orchestration studio, means that I need to restart 9401, but I'll probably do my AIS server also.

Okay, so none of that made any difference.  It seems that you need to add this to the AIS server config for allowed users...

Change the SM view to advanced, then general.

Admin Service Allowed User List Help

Once I did this and synchronised rest.ini, then stopped and then started...  

We finally could login as another user.




Monday, 22 January 2018

Transaction processing & locking in JDE

“To lock or not to lock” – that is the question!

To say that JDE does not do any locking is not quite true…  It calls the database functions that do the locking, so it does have a lot of responsibility in this.

Let’s look at a simple scenario, SOE and stock commitment…  Wait, that is not simple at all – but it’s understandable!

We have a person entering a sales order.  We know that this goes across a number of screens in JDE -

We know that this adds records to a number of tables

We want integrity in our database

We do not use fancy things like foreign keys – we use application logic to enforce transactional boundaries and we use database agnostic manual commits.

There are two things at play here though…  Locking and transaction processing…  They work together but are not necessarily the same time.

Locking

Let’s look at locking by itself.  I’m using a lot of information from here https://docs.oracle.com/cd/E24705_01/doc.91/e24234/record_locking.htm#EOTBF00095

I’m also reaching back to when I was programming and before JDE in C…  dark repressed memories.

In the scenario of SOE, we don’t really want to lock anything, as they are really new lines being added to a bunch of tables.

We do however want to lock the inventory for the orders so that there is enough to fulfill the order – so this is the lock we are talking about

We want to select for update over the F41021 (?) so ensure that we have enough inventory and then update when the order is committed.

JD Edwards does locking in two ways, optimistic and pessimistic.

optimistic is half glass full locking.  This is where you do not expect any problems, but if there are – you have a solution.  This involves manually checking timestamps and things…  If there is a situation, deal with it then.

pessimistic is where you ensure that there is never going to be a conflict – coz you’ve prevented it in the first place.  You are selecting the record for update (i.e. selecting the current stock levels)  and then you update when you are ready and the lock goes away.  Note that this is different to including the update in a transaction (with your inserts into the F4201 and F4211 – as they are naturally going to lock the record that is in the transaction boundary)…  See how they are the same but different.

Transaction Processing.

As demonstrated above, TP actually enforces pessimistic locking at the database level.  If you are doing an update as part of a transaction, the database is going to lock that record until the commit (or rollback) is issued, this is the purpose of TP and Multi Statement Transactions (MST).  Hopefully your database has row level locking and then you are not going to cause cascading of locks to pages and then tables… arrgghhh.

Transaction processing is all about manual commits.  It’s a series of transactions to databases with commit points, any errors will rollback the entire transaction – not just a single statement. handy.

Note that this DOES get more difficult with JDE.  We have this awesome thing called OCM which allows us to distribute logic and data.  Different logic locations can enforce a single transaction (using native DB tech like DTP Distributed Transaction Processing – I hope), neither will different data sources (event if they point to the same database).  This is because JDE opens the database connection and sets the commitment mode to manual or automatic.  It cannot programmatically enforce these boundaries with non standard logic and data setups.  This does get pretty complex under the scenes – stay standard and you will not have a problem.

Note that you also must look out for a BSFN (that runs on the enterprise server locking a record) and then having java code (or JDBC) reading or manipulating the same data – you are going to create some problems if they are not part of the single transaction. 

Want to know all of the areas in JDE that use TP?

https://support.oracle.com/epmos/faces/DocumentDisplay?parent=DOCUMENT&sourceId=1208208.1&id=1320968.1

Some of your purists out there might be surprised by the small number of listed programs (both batch and interactive).

You might be asking yourself about dirty reads

Not magazines passed around the boarding house… NO!  different dirty reads.

I’m talking about the above scenario when you are updating and inserting records in the database as a single transaction – do you allow people to see the uncommited version of the data or the commited version? Lets be honest for OLTP, you should only see committed data.  (You can see that massively parallel databases and noSQL databases might do something else).

This introduces the concept of isolation level

  1. Level 1: READ COMMITTED
    • This is default setting in SQL Server to prevent SQL from dirty read (which reads dirty page which is (not-yet) committed data)
  2. Level 0: READ UNCOMMITTED
    • This is to read uncommitted data that is, intentionally to have dirty read

 

Summary:

There seems to be enough tools and examples of TP and locking in the existing JD Edwards code and base code for you to be able to create some tight code, whether you are half glass full (optimistic) or half glass empty (pessimistic).  Remember that you need to manually do this locking if you are using technology like BSSV by using The startPublishedMethod, finishPublishedMethod, and close methods.  If you are using AIS, you are going to benefit from inheriting the TP functionality from forms that you are calling!  Nice.

Note that if you are manually calling BSFN’s – all at your own peril!

Extending JDE to generative AI