In recent times, organizations have started disabling the TLS 1.0/1.1 protocols across their networks.
Here is an extensive list of the places where you need to disable them in PeopleSoft components.
1. Webserver - Under setenv, append the parameter below.
SET JAVA_OPTIONS_WINXX=-server -Xms512m -Xmx512m -XX:MaxPermSize=128m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2
2. Appserver/Prcs Server - In the psappsrv.cfg & psprcs.cfg files, append the parameter below.
JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1.2
3. Elastic Search - Update the following in $JAVA_HOME/lib/security/java.security (Doc ID 2470444.1)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
4. Ren Server - Update psrenconfig.txt with the values below. (Doc ID 2536363.1)
# Restrict the REN server to a particular version or versions of SSL
# allowed values are tlsv1, tlsv1_1, tlsv1_2
ns_param ServerProtocols tls1_2
ns_param SockServerProtocols tls1_2
ns_param SockClientProtocols tls1_2
5. LDAP - For PeopleTools 8.54.20 or above, TLS 1.2 is already enabled by default.
final String protocol = vendor.toLowerCase().contains("ibm") ? "SSL_TLSv2" : "TLSv1.2";
final SSLContext sslcontext = SSLContext.getInstance(protocol);
6. SES - Update the following.
In <mw_home>/user_projects/domains/search_domain/bin/setDomainEnv.sh, set:
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"
Testing:
1. Webserver - Disable TLS 1.0/TLS 1.1 in the browser and try accessing your PIA site. If your site is accessible in Chrome, TLSv1.2 is being enforced, since Chrome disabled TLS 1.0/1.1 long ago.
2. App Server - If you use an https gateway, try loading it. It should successfully load the connectors.
Prcs Server - If your report node is configured to use the https protocol, try running a sample report. It should successfully post your report to the web server.
3. ES Server - Here we are only disabling protocols, so as long as the ES ping is successful you are good.
4. Ren Server - Follow point #1 to run the REN server reports in the browser.
5. LDAP - Try pinging the configured LDAP directory.
6. SES - Follow point #3.
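A static check to run before the manual tests above, as an added example that is not part of the original post or of Oracle's tooling: it reads the settings from steps 1 to 4 and 6 and reports any that still allow protocols older than TLS 1.2. The function names and sample strings are constructed for illustration, and it assumes the JDK only recognises the JSSE protocol names TLSv1 and TLSv1.1 in jdk.tls.disabledAlgorithms.

```python
import re

# Assumption: the JDK matches these JSSE protocol names, so an entry such as
# "TLSv1.0" is not recognised and leaves TLS 1.0 enabled.
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}
REN_PARAMS = ("ServerProtocols", "SockServerProtocols", "SockClientProtocols")

def jvm_prop_ok(options_line, prop):
    """True only if -D<prop>= is present and names nothing but TLSv1.2."""
    props = dict(re.findall(r"-D([\w.]+)=([^\s\"]+)", options_line))
    value = props.get(prop)
    return value is not None and set(value.split(",")) == {"TLSv1.2"}

def legacy_still_enabled(java_security_text):
    """Legacy protocols that jdk.tls.disabledAlgorithms fails to list."""
    entries = set()
    text = re.sub(r"\\\r?\n\s*", "", java_security_text)  # join continuation lines
    for m in re.finditer(r"^\s*jdk\.tls\.disabledAlgorithms\s*[=:]\s*(.*)$", text, re.M):
        entries = {e.strip().lower() for e in m.group(1).split(",")}  # last definition wins
    return sorted(LEGACY - entries)

def ren_params_wrong(psrenconfig_text):
    """REN protocol parameters that are missing or not set to tls1_2."""
    found = dict(re.findall(r"^\s*ns_param\s+(\w+)\s+(\S+)", psrenconfig_text, re.M))
    return [p for p in REN_PARAMS if found.get(p) != "tls1_2"]

# Constructed sample inputs (not taken from a real system).
SETENV = "SET JAVA_OPTIONS_WINXX=-server -Xms512m -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2"
PSAPPSRV = "JavaVM Options=-Xms32m -Xmx128m -Dhttps.protocols=TLSv1.1,TLSv1.2"
JAVA_SECURITY = "jdk.tls.disabledAlgorithms=SSLv3, TLSv1.0, TLSv1.1, RC4, \\\n    DH keySize < 1024\n"
PSRENCONFIG = "# comment\nns_param ServerProtocols tls1_2\nns_param SockServerProtocols tlsv1\n"

if __name__ == "__main__":
    print("setenv ok:", jvm_prop_ok(SETENV, "weblogic.security.SSL.minimumProtocolVersion"))
    print("psappsrv ok:", jvm_prop_ok(PSAPPSRV, "https.protocols"))
    print("java.security still allows:", legacy_still_enabled(JAVA_SECURITY))
    print("psrenconfig wrong/missing:", ren_params_wrong(PSRENCONFIG))
```

For SES, call jvm_prop_ok on the JAVA_OPTIONS line from setDomainEnv.sh once for each of the two properties set in step 6.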
Hello, these steps are what's needed and I did not find them on Oracle support. The two key things that helped me were #3 and #4. We are running PT 8.57.06. Thank you!!