How to Disable TLS1.0/1.1 in Peoplesoft

Recent times all the organization had started disabling the tls 1.0/1.1 protocol across thirer network.

here is the extensive list on various places you need to disable in peoplesoft component.

1. Webserver - Under setenv append below parameter.

 

SET JAVA_OPTIONS_WINXX=-server -Xms512m -Xmx512m -XX:MaxPermSize=128m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2

 

2. Appserver/Prcs Server - under psappsrv.cfg & psprcs.cfg file append below parameter.

 

JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1.2

 

3. Elastic Search- Update below in $JAVA_HOME/lib/security/java.security (Doc ID 2470444.1)

 

jdk.tls.disabledAlgorithms=SSLv3, TLSv1.0,TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 

4. Ren Server - Update psrenconfig.txt with below values. (Doc ID 2536363.1))

 

# Restrict the REN server to a particular version or versions of SSL

# allowed values are tlsv1, tlsv1_1, tlsv1_2

ns_param ServerProtocols tls1_2

ns_param SockServerProtocols tls1_2

ns_param SockClientProtocols tls1_2

 

5. LDAP - For peopletools 8.54.20 or above its already TLS1.2 is enabled by default.

 

final String protocol = vendor.toLowerCase().contains("ibm") ? "SSL_TLSv2" : "TLSv1.2";

final SSLContext sslcontext = SSLContext.getInstance(protocol);

 

6. SES - Update below.

 

In <mw_home>/user_projects/domains/search_domain/bin/setDomainEnv.sh, set:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

 

Testing:

1. Webserver - Disable TLS 1.0/TLS1.1 in browser and try accessing your PIA site or if your site is accessible in chrome it is enforced to TLSv1.2. Chrome disable TLS1.0/1.1 long back.

2. App Server - If you use https gateway try loading it . it should succesully load the connectors.

    Prcs  Server  - In case if your report node is configured to use https protocol. then try running sample report and this should succesfully post your report to web server.

3. ES Server - Here we are just disabling as far as ES ping succesful then you are good.

4. Ren Server - Follow point #1 to run the ren server reports in browser.

5. LDAP -Try pinging LDAP configure directory.

6. SES - Follow Point #3.

Peoplesoft Kerberos SSO Extended Logging

Kerberos is moving away from peoplesoft as of PT 8.57. Until 8.56 Oracle used to deliver the SDK and later on they removed the SDK from Tools package.

Surprisingly oracle does delivers the source code for customers to make use of this and use kerberos as an SSO.

You can find the sorce code from below location

$PS_HOME/sdk/desktopsso/src/com/peoplesoft/pt/desktopsso/kerberos

KerberosSSOFilter.java  ===> Will be used in webserver for requesting token.
KerberosSSOValidator.java ===> Will be used for app server validation.


Kerberos is a such a nice and strong SSO solution so i would keep using SSO but it does lacking the logging feature.

Means if there is any issue you cannot simply troubleshoot as error message just says below


 <BEA-000000> <KerberosSSOFilter: Received invalid token.>

Error seems to be generic. So i thought we can add few more logging capability in java class and recompile it.

Add below line of code right after line #142.

142             catch (GSSException e) {
143                 this.verbPrint("Received invalid token.");
144                 this.verbPrint(e.getMajorString());
145                 this.verbPrint(e.getMinorString());
146                 this.verbPrint(e.getMessage());
147                 this.verbPrint(e.toString());
148                 System.out.println("Major Code: " + String.valueOf(e.getMajor()));
149                 System.out.println("Minor Code: " + String.valueOf(e.getMinor()));

Try compiling it using JDK (please do not use JRE)

$PS_CFG_HOME/webserv/<domain_name>/bin/. ./setEnv.sh

export CLASSPATH=$CLASSPATH:$PC_CFG_HOME/webserv/<domain_name>/applications/peoplesoft/PORTAL.war/WEB-INF/classes

$JDK_HOME/javac KerberosSSOFilter.java 

In case if you get below error while compiling.

KerberosSSOFilter.java:324: error: getHeaderNames() in KerberosSSOFilter.KerberosAuthWrapper cannot implement getHeaderNames() in HttpServletRequest public Enumeration getHeaderNames() { ^ return type Enumeration is not compatible with Enumeration

Please get the line # and change the ? with string like below.

180         @Override

181         public Enumeration<String> getHeaders(final String name) {

182             if (name.equals("KRB_USER")) {

183                 final Vector<String> values = new Vector<String>();

184                 values.add(this.principalName);

185                 return values.elements();

186             }

187             final HttpServletRequest req = (HttpServletRequest)this.getRequest();

188             return req.getHeaders(name);

Now the actual error message will be logeed in your PIA_stdout.log along with received invalid token.

<BEA-000000> <KerberosSSOFilter: Received invalid token.>

<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level>

<BEA-000000> <KerberosSSOFilter: Invalid argument (400) - Cannot find key of appropriate type to decrypt

 AP REP - AES256 CTS mode with HMAC SHA1-96>

<BEA-000000> <KerberosSSOFilter: Failure unspecified at GSS-API level (Mechanism level: Invalid argument

 (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>

<BEA-000000> <KerberosSSOFilter: GSSException: Failure unspecified at GSS-API level (Mechanism level: In

valid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)>

<BEA-000000> <Major Code: 11>

<BEA-000000> <Minor Code: -1>

You can pass on this error message to respective team who is responsible for generating keytab.