Monday, August 3, 2020

How to Disable TLS1.0/1.1 in Peoplesoft

Recent times all the organization had started disabling the tls 1.0/1.1 protocol across thirer network.


here is the extensive list on various places you need to disable in peoplesoft component.


1. Webserver - Under setenv append below parameter.

 

SET JAVA_OPTIONS_WINXX=-server -Xms512m -Xmx512m -XX:MaxPermSize=128m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2

 

2. Appserver/Prcs Server - under psappsrv.cfg & psprcs.cfg file append below parameter.

 

JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1.2

 

3. Elastic Search- Update below in $JAVA_HOME/lib/security/java.security (Doc ID 2470444.1)

 

jdk.tls.disabledAlgorithms=SSLv3, TLSv1.0,TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

 

4. Ren Server - Update psrenconfig.txt with below values. (Doc ID 2536363.1))

 

# Restrict the REN server to a particular version or versions of SSL

# allowed values are tlsv1, tlsv1_1, tlsv1_2

ns_param ServerProtocols tls1_2

ns_param SockServerProtocols tls1_2

ns_param SockClientProtocols tls1_2

 

5. LDAP - For peopletools 8.54.20 or above its already TLS1.2 is enabled by default.

 

final String protocol = vendor.toLowerCase().contains("ibm") ? "SSL_TLSv2" : "TLSv1.2";

final SSLContext sslcontext = SSLContext.getInstance(protocol);

 

6. SES - Update below.

 

In <mw_home>/user_projects/domains/search_domain/bin/setDomainEnv.sh, set:

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

 

Testing:

1. Webserver - Disable TLS 1.0/TLS1.1 in browser and try accessing your PIA site or if your site is accessible in chrome it is enforced to TLSv1.2. Chrome disable TLS1.0/1.1 long back.

2. App Server - If you use https gateway try loading it . it should succesully load the connectors.

    Prcs  Server  - In case if your report node is configured to use https protocol. then try running sample report and this should succesfully post your report to web server.

3. ES Server - Here we are just disabling as far as ES ping succesful then you are good.

4. Ren Server - Follow point #1 to run the ren server reports in browser.

5. LDAP -Try pinging LDAP configure directory.

6. SES - Follow Point #3.

Peoplesoft Downtime Notification in Header

  Often we recycle Non prod server or even prod server during business hours. ideally we send email to users but not all the time users will...