EAS-SEC. Oracle PeopleSoft Security Configuration. Part 7: Unencrypted connections
The PeopleSoft Internet Architecture (PIA) is a multi-component system with a lot of cross-component interactions and numerous types of interactions between users and external systems. Therefore, various ways exist to attack the interaction channel.
In PIA that is shown below (see figure 1), the following connections are used:
- Jolt / Tuxedo
- RDBMS connections (SQL)
Each connection may be susceptible to man-in-the-middle (MITM) attacks. To secure links between elements of the system including browsers, web servers, application servers, and database servers, PeopleSoft software incorporates a combination of SSL/TLS security and BEA Tuxedo and BEA Jolt encryption.
The SSL/TLS encryption to protect HTTP connections [EASSEC-PVAG-PS-19]
By default, PeopleSoft is delivered with both HTTP and HTTPS access. It is well-known that HTTP has no protection, so all data between a user and PeopleSoft can easily be intercepted with a MITM attack.
The system uses SSL/TLS encryption in the following locations:
- between the browser and the web server;
- between the application server and the integration gateway;
- between the integration gateway and an external system.
Lack of encryption in the network connection may lead to the interception of transmitted data, thus to an unauthorized access. The HTTP protocol transmits all authentication data as a plain text, that allows intercepting it easily with a spoofing attack.
Best practice is to protect HTTP connections with SSL/TLS. To enable SSL/TLS on a web server for HTTPS, please refer to PeopleBooks for instructions on how to enable SSL/TLS on the web server.
Follow the instructions of Enterprise PeopleTools PeopleBook: System and Server Administration, Working with Oracle WebLogic, Defining SSL Certificates on WebLogic.
Follow the instructions of Enterprise PeopleTools PeopleBook: System and Server Administration, “Working with IBM WebSphere,” Setting Up SSL on WebSphere.
If an HTTP server is also deployed, follow the instructions found in Enterprise PeopleTools PeopleBook: System and Server Administration, “Working with IBM WebSphere,” Setting Up SSL on IBM HTTP Server.
How to disable HTTP on a web server
You can do this at multiple levels. Start by configuring the web profile:
- In PIA, navigate to PeopleTools, Web Profile, Web Profile Configuration.
- Select the web profile you want to configure (for example, PROD).
- Select the Security page.
- Select Secured Access Only.
- Save your changes.
To further disable HTTP on a WebLogic server, first ensure that HTTPS is set up and works properly using the instructions in the previous section. Then do the following:
- Log onto the WebLogic console.
- Expand from the left panel PeopleSoft, Server, PIA.
- On the right panel, select Configuration, General tab.
- Deselect the Listen Port Enabled check box.
- Select Apply.
To further disable HTTP on the WebSphere server, first ensure that HTTPS is set up and works properly using the instructions in the previous section.
In WebSphere, you can disable HTTP by converting an HTTP port into an HTTPS port, as follows:
- Expand Servers, Application Server, server_name, Web Container, HTTP Transport.
- Click the relevant HTTP port.
- Select the Enable SSL check box.
- Select the SSL drop-down that is tied to the certificates.
- Save the configuration and log off.
- Restart the WebSphere server.
Encryption usage for Jolt/Tuxedo connections protection [EASSEC-PVAG-PS-20]
The system uses Oracle Tuxedo and Oracle Jolt encryption in the following locations:
- between the web server and the application server;
- between the integration gateway and a PeopleSoft system (Oracle Jolt only).
Jolt is used for interactions between the Web Server and the application server. Tuxedo is used when developers apply the 3-tier connection (from developers to an application server). Jolt/Tuxedo is not encrypted by default either, but encryption can be turned on.
As Jolt/Tuxedo is not encrypted by default, data is transmitted as a plain text. Data inside packets look like plain SQL queries and can contain users’ passwords. Thus all the data between the user and PeopleSoft can be easily intercepted with a MITM attack.
To enable Tuxedo-level encryption, edit the psappsrv.cfg configuration file for the domain. Change the Min Encryption property for the Workstation Listener and the JOLT Listener sections. The default value of 0 does not encrypt. Change the value to 64 for 64-bit encryption or to 128 for 128-bit encryption:
Encryption usage for RDBMS connection protection [EASSEC-PVAG-PS-21]
Requests from the application server and 2-tier connections from developers go directly to the RDBMS. Security between the application server or 2-tier connections and a database is supplied by RDBMS connectivity.
Lack of encryption in this segment also allows intercepting full control of the system. It is true for Microsoft SQL Server especially, where the connection password can be retrieved in a plain text.
Best practice is to use SSL/TLS from your application to encrypt a connection to a DB instance running MS SQL Server, Oracle or other. Each DB engine has its own process for implementing SSL/TLS. Also, it is recommended to use data network encryption and integrity to ensure that data is secure as it travels across the network. The step-by-step instructions are detailed in an appropriate Administrator’s Guide.
This section contains the detailed encryption settings for various services. However, you should understand that even if the encryption is enabled, it is not always securely configured: there are various fine-tuned settings that protect against attacks for each encryption type and for a particular case. For example, the recent BEAST and CRIME attacks on the SSL determined the need for more SSL fine-tuned settings or use TLS. That is why you should configure the encryption very carefully, considering new attack types and specifics of the configured service.