
EAS-SEC. Oracle PeopleSoft Security Configuration. Part 6: Insecure settings

A typical PeopleSoft system is large and complex, so there are many settings that affect its security. Some of them we have already described. This part of the guideline focuses on specific insecure configurations that cannot be tied to any other group.

There are 4 important areas that should be covered; one is common to any large ERP system, and the remaining ones are specific to PeopleSoft.

Password Configuration [EASSEC-PVAG-PS-15]

Description

Password policies include everything that concerns user accounts: minimum password length, its complexity, number of logon attempts, etc.

PeopleSoft is typically used by a large number of users, so the chance that someone will try to brute-force the password of one of them is quite high. PeopleSoft allows rather detailed and precise configuration of password policies, but they are rarely implemented correctly. Here we list only the most important parameters that should be configured properly.

Common Password Controls Settings and their default values:

Password Controls Setting                            Default Value
---------------------------------------------------  -------------
Validity period of user passwords                    0
Minimum password length                              0
Minimum number of special characters in a password   0
The maximum period of user inactivity                0
Failed Logons                                        0

Threat

If the Password Controls settings are not configured properly, an attacker can easily brute-force a password and consequently penetrate the system. For instance, a minimum password length below 8 characters combined with a Failed Logons value of 0 (no lockout) makes brute-forcing easy; even if Failed Logons is set to more than 0, a short password is still an issue, because an attacker who obtains the password hash can brute-force it without triggering the lockout.

Solution

The best practice is to configure the Password Controls settings in accordance with the company security policy. If the company security policy does not define the Password Controls settings, the following values are recommended:

Password Controls Setting                            Recommended Value
---------------------------------------------------  -----------------
Validity period of user passwords                    not more than 90
Minimum password length                              not less than 8
Minimum number of special characters in a password   not less than 2
The maximum period of user inactivity                90
Failed Logons                                        not more than 6

To change the settings, go to PeopleTools > Security > Password Configuration > Password Controls. When the changes are made, press the Save button.
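As an added example (not part of the original guideline), the following Python function audits a set of Password Controls values against the recommended values above. The input is a dict keyed by the setting names used in the tables; the sample values are constructed. It treats 0 on the "not more than" controls as what it is in PeopleSoft, a disabled control, rather than as a value below the maximum.

```python
# Added example, not from the original guideline: audit PeopleSoft Password Controls
# against the recommended values in this section. The input is a dict keyed by the
# setting names used in the tables above; sample values below are constructed.

# setting -> (kind, limit). "max": value must be 1..limit, and 0 means the control is
# switched off (the delivered default). "min": value must be >= limit.
RECOMMENDED = {
    "Validity period of user passwords": ("max", 90),
    "Minimum password length": ("min", 8),
    "Minimum number of special characters in a password": ("min", 2),
    "The maximum period of user inactivity": ("max", 90),
    "Failed Logons": ("max", 6),
}


def audit_password_controls(settings):
    """Return (setting, value, finding) tuples for every non-compliant control."""
    findings = []
    for name, (kind, limit) in RECOMMENDED.items():
        value = int(settings.get(name, 0))  # PeopleSoft delivers every control as 0
        if kind == "max":
            if value == 0:
                # 0 is not "below the maximum": it disables expiry, lockout or inactivity checks
                findings.append((name, value, "control disabled (0 = no limit)"))
            elif value > limit:
                findings.append((name, value, f"above recommended maximum of {limit}"))
        elif value < limit:
            findings.append((name, value, f"below recommended minimum of {limit}"))
    return findings


DEFAULT_INSTALL = {name: 0 for name in RECOMMENDED}  # delivered defaults, all 0
HARDENED = {  # constructed example of a compliant configuration
    "Validity period of user passwords": 90,
    "Minimum password length": 12,
    "Minimum number of special characters in a password": 2,
    "The maximum period of user inactivity": 60,
    "Failed Logons": 5,
}

if __name__ == "__main__":
    for name, value, finding in audit_password_controls(DEFAULT_INSTALL):
        print(f"{name}: {value} -> {finding}")
```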

Default Encryption Key [EASSEC-PVAG-PS-16]

Description

The PSCipher feature encrypts and decrypts text used in your PeopleSoft system. System administrators interact with PSCipher through a Java command line utility located on the web server, which enables you to encrypt text, such as user IDs and passwords, stored in configuration files. PSCipher also involves a runtime element implemented on the application server that decrypts the encrypted text.

The PSCipher utility provides Triple DES encryption (also 3DES) for increased data security. When you install Enterprise PeopleTools on your application servers and web servers, a default Triple DES encryption key is provided.

The version of the default encryption key is 1.1, or {V1.1}. If you generate a unique key, the version used by the system becomes {V1.2}. Each time you generate a new key, the system increments the current version number.

Threat

PeopleSoft is installed with a default encryption key, which is the same in every installation and therefore publicly known. Even if the administrator changes all important passwords but does not change the encryption key, an attacker who obtains an encrypted password can decrypt it using the default encryption key.

Solution

The best practice is to update the encryption key:

  1. Run the following command to create a new key in the key file:
    [PIA_HOME]\webserv\[DOMAIN]\PSCipher -buildkey (for WebLogic)
    [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSCipher -buildkey (for WebSphere)
  2. Copy [PIA_HOME]\webserv\[DOMAIN]\psvault (for WebLogic)
    or [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\psvault (for IBM WebSphere) to the equivalent location on all other web server hosts and to [PS_HOME]\secvault\psvault on all application servers in your system.
  3. Modify the encrypted text fields in:
    • configuration.properties file, located in:
      [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PORTAL\WEB-INF\psftdocs\site_name (for WebLogic)
      [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PORTAL\WEB-INF\psftdocs\ps\ (for WebSphere)
      The following encrypted text values in the configuration.properties file need to be updated:
      WebUserId=
      WebPassword=
    • gatewayUserProfile.xml and integrationGateway.properties files, located in:
      [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW\WEB-INF (for WebLogic)
      [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSIGW\WEB-INF\ (for WebSphere)
      In the gatewayUserProfile.xml file, update the following text value:
      {V1.1}GD9klUFw8760HVaqeT4pkg==
      Update the following text values stored in the integrationGateway.properties file:
      ig.isc.password=
      ig.isc.$NODENAME.password=
      ig.certificatePasswd=
      secureFileKeystorePasswd=
      ig.jms.JMSTargetConnector.JMSProvider.Password=
      ig.jms.Queue1.Password=
      ig.jms.Topic1.Password=
      ig.jms.Topic1.NodePassword=
    • wss.properties file, located in:
      [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PORTAL\WEB-INF\classes\ (for WebLogic)
      [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PORTAL\WEB-INF\classes\ (for WebSphere)
      [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\pspc\WEB-INF\classes\ (for WebLogic)
      [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\pspc\WEB-INF\classes\ (for WebSphere)
      [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW\WEB-INF\classes (for WebLogic)
      [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSIGW\WEB-INF\classes (for WebSphere)
      Update the following text entry in the wss.properties file in all locations:
      org.apache.ws.security.crypto.merlin.keystore.password=
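To verify that step 3 was completed, an added example (not from the original guideline) that scans the configuration files listed above for values still carrying the {V1.1} prefix, i.e. still encrypted with the delivered default key; it goes one step beyond the text and also flags password keys that hold no PSCipher ciphertext at all. The file contents are constructed samples, the {V1.2} ciphertexts are made up, and WEBUSER and PSFT_HR are placeholder names.

```python
# Added example, not from the original guideline: scan the web-tier configuration files
# listed above for values still carrying the {V1.1} prefix (encrypted with the delivered
# default PSCipher key) or stored with no PSCipher encryption at all. The file contents
# are constructed samples; the {V1.2} ciphertexts are made up.
import re

CIPHERTEXT_RE = re.compile(r"\{V(\d+\.\d+)\}[A-Za-z0-9+/=]+")
DEFAULT_KEY_VERSION = "1.1"
# Keys the guideline says hold PSCipher-encrypted passwords (ig.isc.$NODENAME.password
# and the ig.jms.* passwords are matched by the pattern).
PASSWORD_KEYS = {
    "WebPassword", "ig.isc.password", "ig.certificatePasswd", "secureFileKeystorePasswd",
    "org.apache.ws.security.crypto.merlin.keystore.password",
}
PASSWORD_KEY_RE = re.compile(r"^ig\.(isc|jms)\..*[Pp]assword$")

def scan_config(filename, text):
    """Return (filename, location, issue) for every problematic value in one file."""
    issues = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # .properties lines are key=value; XML lines have no key, so report the line number
        key = line.split("=", 1)[0].strip() if "=" in line and not line.startswith("<") else None
        versions = [m.group(1) for m in CIPHERTEXT_RE.finditer(line)]
        where = key or f"line {lineno}"
        if DEFAULT_KEY_VERSION in versions:
            issues.append((filename, where, "encrypted with default key {V1.1}"))
        elif key and not versions and (key in PASSWORD_KEYS or PASSWORD_KEY_RE.match(key)):
            issues.append((filename, where, "password stored in plaintext"))
    return issues

SAMPLE_FILES = {
    "integrationGateway.properties": (
        "# constructed sample\n"
        "ig.isc.password={V1.1}GD9klUFw8760HVaqeT4pkg==\n"
        "ig.isc.PSFT_HR.password={V1.2}Aq3k9ZbL0u7rMt2cX1yE9w==\n"
        "ig.certificatePasswd=changeme\n"
    ),
    "configuration.properties": "WebUserId=WEBUSER\nWebPassword={V1.2}Aq3k9ZbL0u7rMt2cX1yE9w==\n",
    "gatewayUserProfile.xml": (
        "<profile><userId>WEBUSER</userId>\n"
        "<password>{V1.1}GD9klUFw8760HVaqeT4pkg==</password></profile>\n"
    ),
}

def scan_all(files=SAMPLE_FILES):
    return [issue for name, text in files.items() for issue in scan_config(name, text)]
```

On a real web server, point scan_config at the contents of each file from the list above; the value re-encrypted with the rotated key (ig.isc.PSFT_HR.password in the sample) is correctly not reported.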

Web Profile Public Access Configuration [EASSEC-PVAG-PS-17]

Description

A Web Profile is a specific configuration of portal-related properties that control or affect the functionality of your PeopleTools portal. The following predefined web profiles are delivered for use with your PeopleTools portal:

  • DEV
    This web profile provides basic portal functionality for development, including trace and debug settings that are appropriate for development.
    Important! Never run your production system with the DEV web profile. This profile is for development environments and is not tuned for performance.
  • TEST
    This web profile uses the same settings as the DEV web profile, except that fewer trace and debug properties are enabled.
  • PROD
    This web profile uses the settings that are most commonly needed in a production environment that authenticates users.
  • KIOSK
    This web profile uses the same settings as the PROD web profile, except that public user access is enabled for the Guest user, and all options for storing caching or persistent cookies on the browser are disabled.

The Security page of a Web Profile contains the Public Access settings:

Web Profile Security Parameter   Default for PROD   Default for TEST   Default for KIOSK
-------------------------------  -----------------  -----------------  -----------------
Allow Public Access              N                  N                  Y
Public User ID/Password          GUEST/GUEST

The auditPWD parameter on the Custom Properties page is also security relevant: it enables access to PeopleSoft Portal functions that reveal a lot of information about the system configuration remotely (see EAS-SEC. Oracle PeopleSoft Security Configuration. Part 5: Open remote management interfaces).

Threat

If a Public User exists, an attacker can conduct the TokenChpoken attack, which is a kind of privilege escalation attack. If the Public User has a special role, an attacker can perform dangerous actions in the system, as they do not require authorization.

Solution

Make sure that you do not use the DEV or TEST Web Profiles in the production systems.

The best practice is not to use Public Access or Public Users.

Also, ensure that the XML Link User ID and the Public User ID do not have special roles or critical actions.

To change Web Profile Settings, go to the tabs PeopleTools > Web Profile > Web Profile Configuration, choose the current Web Profile and go to the Security page.

It is highly recommended not to use the auditPWD Custom Property for the current Web Profile in production systems. You can delete this property on the Custom Properties page.

Web Profile SSL Configuration [EASSEC-PVAG-PS-18]

Description

In addition to the Public Access settings described in the previous section, a Web Profile allows configuring SSL settings. Select the Secured Access Only check box when the entire website requires the SSL protocol: it prevents users from using a non-SSL protocol to access any link within this website or application. Selecting the Secure Cookie with SSL check box prevents the single signon token from traveling over an insecure connection.

Some default values for delivered Web Profiles:

Web Profile Security Parameter   Default for PROD   Default for TEST   Default for KIOSK
-------------------------------  -----------------  -----------------  -----------------
Secured Access Only              N                  N                  N
Secure Cookie with SSL           Y                  Y                  Y

Threat

In business-to-business applications, where systems communicate with each other over the Internet, data must flow securely. If the SSL protocol is not used, an attacker who can observe the traffic can steal the transmitted critical information.

Solution

Make sure that you do not use the DEV or TEST Web Profile in production systems.

For the current Web Profile, configure the settings as in the following table:

Web Profile Security Parameter   Recommended Value
-------------------------------  -----------------
Secured Access Only              Y
Secure Cookie with SSL           Y

It is also recommended to set Delete Cookie on Logout and the HttpOnly and Secure flags on the Cookie Rules page.

Further steps

The number of fine-tuned security settings is enormous, and there are specific ones for each particular PeopleSoft solution or module. Like the main portal and user accounts, auxiliary subsystems can be brute-forced, so their password configuration should be enabled as well.

Start with the PeopleTools 8.55 documents Security Administration and System and Server Administration, then examine the documents on the security configuration of particular applications in detail.
