Before we go into step-by-step instructions few things to know:


1. Sign routines (like rsa_md5_sign, rsa_sha1_sign and dsa_sha1_sign) require PSHexEncode step after the sign step. The result of the sign process needs to produce the HEX value that is to be copied into the SIGNATURE parameter of the verify Algorithm.
   
   
2. Verify routines (rsa_md5_verify, rsa_sha1_verify and dsa_sha1_verify) have a KeySet requirement for SIGNATURE parameter to begin with 0x to be valid. i.e. Result of sign profile is pre-fixed with 0x and copied to verify SIGNATURE Keyset parameter
   
   
3. Verify routines (rsa_md5_verify, rsa_sha1_verify and dsa_sha1_verify) have a Keyset requirement for SIGNERPUBLICKEY. The parameter value should be pointing to a certificate and not a public key.
   
   
4. Testing your results: When you test the verify routine using Test Encryption Profile, you would type in the same value you used when you run the sign routine. If the verification succeeds it will return true else false. In 8.49 in order to show the test result you would need to do a minor edit to CRYPT_WRK.SELECT_FLAG.FieldChange PeopleCode.
   Add the below lines at the end of the function:
   
   If None(DERIVED_CRYPT.DESCRLONG) Then
         DERIVED_CRYPT.DESCRLONG = &cry.Verified;
   End-If;
   
   

1. Select PeopleTools, Security, Security Objects, Digital Certificates. The Digital Certificates page displays.
2. Click the plus button (+). A new row appears.
   • From the Type drop-down list, select Local Node.
   • In the Alias field, enter a meaningful name. At most a single Encryption Profile would reference two of these aliases. You may need one for Signer/Sender and one for Recipient. For our example we used the alias as “signer”
   • In the Issuer Alias field, click the lookup button to select the issuer alias.
3. At the end of the row, click the Request link. The Request New Certificate page displays.
4. In the Subject Information section, enter the following information:
   These fields represent attributes of the default local node's DN. The CA to whom you submit the CSR might require values for any or all of the fields. The DN is also stored on the Detail page of the local node certificate.

   Common Name.	Enter The Sender or Receivers name.
   Org Unit(organizational unit)	Enter the name of the organizational unit.
   Organization	Enter the name of the organization.
   Locality	Enter the location of the organization.
   State/Province	Enter the state or province name.
   Country	Enter the two-character country code.
   Email Address	Enter an email address - ie. name@email.com
   Challenge Password	Enter a password you can remember – ie signerpassword or recipientpassword.

5. In the Key Pair Information section, enter the following information:
   • Select from the Algorithm drop-down list one of the three types mentioned above.
   • From the Key Size drop-down list, select 1024.
6. Click the OK button.

To submit a local node certificate for signing:


1. After you click the OK button as described in the previous section, the CSR is generated. Cut and paste the CSR and submit it to your CA for signing.
   
   When you submit the CSR for signing, you must include the begin section (-----BEGIN NEW CERTIFICATE REQUEST-----) and the end section (-----END NEW CERTIFICATE REQUEST-----).
   
   Download the base64 encoded singed certificate.

To import signed local node certificates into a PeopleSoft system:


1. Select PeopleTools, Security, Security Objects, Digital Certificates. The Digital Certificates page displays.
2. Locate the row that contains the local node certificate.
3. At the end of the row, click the Import link. The Import Certificate page displays.
4. Open the file where you saved the signed certificate you received back from the CA, copy it and paste it into the text box. The content you paste must include the begin section (-----BEGIN CERTIFICATE-----) and end section (-----END CERTIFICATE-----).
5. Click the OK button.
6. Click the Refresh button.

To submit a local node certificate for signing:


1. Start with creating an algorithm chain for signing as shown. As noted above we will add the PSHexEncode step after sign. We will call it RSA_SIGN
   
   
   
   
2. Build a signature verification chain as shown. We will call it RSA_VERIFY
   
   
   
   
3. Define an encryption profile for the above defined algorithm chain for signing. When you add the profile it will show you what parameters or Keyset values are required. In this case these Algorithms require Certificates and Private Keys. We will use the key and certificate generated above using Digital Certificate component. The SIGNERPKPASSPHRASE parameter is entered directly into the Profile page. This is the password to decrypt and unlock the private key. For the sake of this example we do not need to provide a value as the prviate key is encrypted and stored in the database and is transparent to us.
   
   The SIGNERPRIVATEKEY parameter must be entered as a Keyset value (Note the grayed check box labeled From Keyset – that tells you if you enter the value here or in the Keyset.)
   
   We will need to define Keyset for the signing algorithm (rsa_sha1_sign).
   
   
   
   Save the encryption profile. We will come back to it after defining Keyset.
   
   
4. Navigate to Algorithm Keyset and search for rsa_sha1_sign algorithm chain. Provide a Keyset ID, in our case we call it ‘sign-pk’. Enable Use Certificate Store Value and Private Key check box. Provide the certificate alias name that you provide when signing the CA above using Digital Certificate component. In our case it was ‘Signer’. Click Save.
   
   
   
   
5. Navigate back to RSA_SIGN encryption profile and add the Keyset value generated in above step. Save the profile.
   
   
   
   
6. Set up Verify Encryption Profile:
   
   Build another Encryption Profile for the Verify chain you created in step 2 above. Give the Profile a name so that you know it matches to the Encryption Profile you previously created. In our example we call it RSA_VERIFY. As you can see verify needs two parameters. First is the signature which needs to be verified. We will generate this signature using RSA_SIGN encryption profile. Second parameter is SIGNERPUBLICKEY. Essentially this is the certificate which contains the public key.
   
   
   
   
   • For the first parameter we will generate a signature for the string we want to sign using sign encryption profile and copy over the resulting signature here. To generate a signature go to Test Encryption Profile and open RSA_SIGN encryption. Add a test string, in our case ‘SIGNATURE’ and run the profile.
     
     
     
     Prefix the above signature with ‘0x’ as it is hex encoded and copy it as the value for the SIGNATURE parameter of the RSA_VERIFY profile.
     
     
     
     Save the profile. We will come back to it to add value for second parameter.
     
     
   • For the second parameter for SIGNERPUBLICKEY similar to signing step we will need to define a Keyset for the verify algorithm. We will call it ‘verify-pk’. Enable Use Certificate Store Value and Certificate checkbox. Enter certificate alias (‘signer’ in our example) and save.
     
     
     
     
7. Navigate back to SHAI_VERIFY profile and add the value for the second parameter SIGNERPUBLICKEY from the Keyset defined in above step.
   
   
   
   Save the profile.
   
   

WS-Security: Publishing outbound SOAP messages using WS-Security

This document is a set of setup steps for Integration Broker Outbound WSS message on PeopleTools 8.48 and 8.49 ONLY.

PeopleTools provides support for WS-Security standard enabling secure web services. It implements Oasis standard 1.0 WS-Security schema which conforms to Web Services Security Standard 1.0.

Within this framework, PeopleSoft implements:
• Username Token Profile 1.0
• X.509 Token profile 1.0

Peoplesoft use X.509 token profile in conjunction with Username Token Profile.
The PeopleSoft implementation of WS-Security :
A) Username Token Profile.
-----------------------------------------
1. Username Token with Password as ClearText **.
2. Username Token without Password.

Both options above can be enabled with X.509 Token Profile.

B) X.509 Token Profile.
--------------------------------------
1. Digitally Signed.
2. Encryption.
3. Digitally Signed and Encrpytion.

Encryption only applies to SOAP header.
Digital Signature applies to both SOAP header and body.

Notes: **
If there is a concern on the password, one can use SSL over HTTP or Encryption from WS-Security.

We’ll discuss how to publish an outbound SOAP message for a service operation for WS-Security.

Steps detailed below assume you have already configured integration gateway and a service operation on your environment. For more details on setting up gateway and service operation refer to 8.49/8.48 Peoplebooks.

To enable Encryption and Digital signature, certificates in Java keystore must be correctly set up and configured. wss.properties file is used to list details about the keystore location and password to it. interop.jks is used as the default keystore file. If you need to use a different keystore you can edit wss.properties file accordingly. You should also ensure the password defined in wss.properties is in sync with the password set for your keystore.

Password in wss.properties can be stored encrypted using pscipher utility. For the default interop.jks keystore it is stored encrypted.

wss.properties file and interop.jks are located at ...\PSIGW.war\WEB-INF\classes on your webserver.

Set Up: For our example below we will use QE_PO_SYNC as our service operation that we will publish with WS-Security. Note: As mentioned at the beginning of the post these instructions only apply for outbound messages

1. To enable the digital signature for the outbound service operation.
a. Create keypair [public key and private key] value through java keytools utility.

b. Alias name for your keypair must match your Default Local node.
For example, if the default local node is defined as “qe_local”, we would generate keypair as below:
keytool -genkey -alias QE_LOCAL -keyalg RSA -keysize 1024 -dname "CN=QE_LOCAL, OU=PeopleTools, O=Oracle, L=Pleasanton, ST=California, C=US" -keypass interop -keystore interop.jks -storepass interop

c. Generate CSR for this public key and get it signed by CA.

d. Downloaded the signed public key cert and Root CA

e. Import Root CA and the signed public key cert.

f. Enable digital signature on the remote node. In our example we have defined QE_IBTGT as the remote node. Navigate to PeopleTools->Integration Broker->Integration Setup->Nodes. On WS-Security tab set authentication token type to ‘Username Token’ and enable ‘Digitally Signed'.

This process will ensure the soap message will be signed. It is signing the header and the body. This means the whole soap message.

2. To enable the encryption for the outbound service operation.
a. Import public key and Root CA of the third party application into your keystore. For our case here it will be interop.jks

b. Ensure third party’s public key with the Alias name must match with the Remote Node name. In our case that would be QE_IBTGT.

Import cert as below:
keytool -import -alias qe_ibtgt -file qe_ibtgt.cer -keypass interop -keystore interop.jks -storepass interop

Note: It is not required for cert file name to match cert alias name.

c. Enable encryption on the remote node, QE_IBTGT. Navigate to PeopleTools->Integration Broker->Integration Setup->Nodes. On WS-Security tab set authentication type to ‘Username Token’ and enable ‘Encrypted’ flag.

If you are signing the message in addition to encrypting it then you would have both the flags, for encryption and signature enabled

Troubleshooting:

One of the common issues is that UserName token is not generated and you get an empty header. In those cases ensure

a. Remote node that tied with the service operation has WS-Security enabled. Navigate to
PeopleTools -> Integration Broker -> Integration Setup -> Nodes. Verify authentication token type is set to ‘Username Token’

b. IB supports various connector types. For Web Service Secruity you need to have HTTPTARGET connector enabled. Verify it accordingly on the Connectors tab.

c. In cases you need to investigate further and report issues to Global Support to help diagnose the problem, turn on the message log set to level 5 in intergrationGateway.properties file. It generates MsgLog.html and ErrorLog.html that provide useful information to support analyst to help identify the problem. It is located at: …\PSIGW.war\WEB-INF.

PeopleTools General
PeopleSoft Enterprise Portal
PeopleSoft, more than just Tools

If you would like to share information and ideas with other Oracle/PeopleSoft customers and Oracle employees, these are good places to visit.

Let us know if there are other useful networks outside of Oracle where PeopleSoft customers, consultants, and other interested parties meet.

PeopleTools RVP
Enterprise Portal RVP

Here is synopsis of the PeopleTools RVP:
The PeopleTools 8.50 release continues Oracle’s commitment to protect and extend the value of your PeopleSoft implementation, provide additional technology options and enhancements that reduce ongoing operating costs, as well as improve the end user’s experience.
Key areas of investment include:
• Extending the PeopleSoft service-enabled architecture.
• Improving the user experience.
• Lowering your total cost of ownership.

The value of PeopleTools 8.50 is grounded in our normal process of including accumulated bug fixes as well as enhancements based upon customer feedback. As a result, we added features that will simplify the integration of your heterogeneous environments, run your business more efficiently, improve the end user’s experience, and increase cost effectiveness. Many of the enhancements of this release involve improving the end user’s productivity through improved usability enhancements, page performance, and integrated related content.

In sum, PeopleTools 8.50 continues to deliver unparalleled customer choice that ensures support of the latest technical innovation with the industry’s lowest cost of ownership and improved user satisfaction.

Key areas and features of PeopleTools 8.50 are:
• Related content
• Improved integration technology
• Greater end-user productivity
• Supported platforms

And here is a synopsis of the Portal RVP:
The PeopleSoft Enterprise Portal 9.1 release continues our strategy that began with release 8.8: to provide rich functionality beyond a simple portal framework. PeopleSoft Enterprise Portal offers a rich set of functional Web 2.0 features, which distinguishes it from conventional framework portals. In addition to new framework improvements and benefits accrued from PeopleTools 8.50, we have added functional features to the PeopleSoft Enterprise Portal—especially in Collaborative Workspaces—that will enable you to introduce Web 2.0 concepts and practices into your enterprise with a resulting improvement in user effectiveness, efficiency, and profitability.

Can Data Guard be used with PeopleSoft?

PeopleSoft does not use any unsupported data types for logical or physical standby databases. As of PeopleTools 8.49, PeopleSoft Enterprise only uses VARCHAR2, DATE, NUMBER, BLOB, CLOB, LONG RAW, LONG VARCHAR.

However, none of our reporting options are strictly read only and therefore we cannot use an active standby database; a customer might want to do this to set up a separate reporting database. Reports are usually run through the process scheduler, and the PS reporting tools and the scheduler update the database (think of the status updates that are made as the report is run).

BOTTOM LINE:
Customers can use Data Guard 10g to set up standby databases for failover purposes (logical or physical standby), but they can’t use Active Data Guard (11g) for reporting, as that requires opening the database read only.

The following knowledge document will help you setup the Period Close workspaces. This includes code to import the pagelets developed by the Financials team.

E-PORTAL: Creating A Sample Workspace For Financial Period End Close Process (Doc ID 786969.1)

To help test AppClass development, a PeopleSoft app development group built a tool called PSUnit. PSUnit is a simple testing framework that is used to write and run repeatable tests. It follows the xUnit architecture for unit testing frameworks.

Up to this point, PSUnit has only been available within PeopleSoft, but now it's available as 'open source'. Thanks to Jim Marion who took the time to clean up the pages, code, and other managed objects in the project and wrote an excellent document introducing PSUnit and describing how PSUnit can be used with Test Driven Development (TDD) projects.

The document and projects are found here:
Download project file

Introducing PSUnit

Give it a try and be sure to share your experience with other developers.

1. USB Adapter Cable


2. WiFi Point of Sale Terminal


3. NetBook


4. Bluetooth Adapter


5. iPhone


6. Twitter

          

1 USB Adapter Cable

This is a USB adapter cable ( ~ $19) for hard drives, 2.5 and 3.5 IDE (PATA) and SATA drives. With this cable you can connect any typical hard disk to the USB port. In any office environment, what's familiar becomes invisible. Someone walks through an area on a regular basis is not suspicious. This is where the two pictures above become relevant. The left hand picture shows the back of a typical desktop, the eye-hole tab is not just for locking the desktop against stealing, it is also to lock the casing shut to prevent unauthorized physical access. The right hand picture shows the cover open and the disk drive(s) available. (The blue lead is the SATA cable connecting the disk.) This particular HP makes access even easier, since the drives are mounted on plastic slides. Opening the case and removing the drive takes less than a minute. The miscreant takes the drive back to the comfort of their office, copies interesting data off the disk, or copies toxic code directly onto the disk. Another minute to re-install the disk in the unsuspecting user's desktop and nothing appears to have happened. It's not enough to think that desktops used by users with relatively trivial access do not need to be protected, since network resources are much more accommodating to systems within the firewall. All corporate desktops should have locks on this tab.



2 WiFi enabled Point of Sale Terminal

Increasingly Point of Sale (POS) terminals are PC based and WiFi enabled. Because keyboard access is generally disabled and all user input is by a specialized keypad, security on these workstations is relatively trivial. WEP can be easy to crack, so all the system abuser has to do is sit outside the store with a WiFi sniffing laptop to gain access to the network. Then they can mimic the IP and MAC address of the POS terminal and start exploring the connected systems.



3 NetBook

These fully functional Windows XP or Linux based platforms have now achieved commodity status and will become ubiquitous. The XP version is available at less than $300 and the Linux version less than $250. In fact Netbooks have breathed new life into XP. Anyone who has reason to be in your premises can easily transport these devices inside your firewall and play around to their heart's content usually after most of your staff have left. They can take advantage of any rogue or compromised WiFi network in your buildings.



4 Bluetooth Adapter

There are a number of sophisticated libraries, especially on Linux, for manipulating these Bluetooth network adapters to seek unprotected Bluetooth enabled cell phones. It is possible for the miscreant to take control of your cell phone and have it dial out to their phone so your phone becomes an inadvertent bugging device. This does not need the recently announced downloaded malware, it takes advantage of the capability of delivered functionality. If you're going to a sensitive meeting, take the battery out of your phone.



5 iPhone

These are WiFi enabled mobile computing platforms, not just phones. There have been some anecdotal, but completely credible, stories of a package being delivered for someone who has recently left a company and the package being left at reception or with security for subsequent collection. The package contains a provisioned iPhone which listens for WiFi and then connects to a rogue web server, creating a proxy inside the firewall. Firewalls generally allow outbound connections on port 80.



6 Twitter

This really turns on the point of judicious password selection, not an indication that Twitter poses a security risk. Recently there were reports of Twitter accounts being cracked. Unfortunately the users had relatively high levels of access in their corporate domains, but used the same user ID and password on their Twitter accounts. This emphasizes the need to maintain separate sets of credentials for internal and external resource access. See more on passwords below.



None of these objects is inherently insecure, but hackers/crackers/system abusers are very creative!

These are a some of interesting links relating to passwords

The Top 500 Worst Passwords of All Time

http://www.whatsmypass.com/?p=415

" ... If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people."



Ten Windows Password Myths

http://www.securityfocus.com/infocus/1554

" ... With all of our advances in security technology, one aspect remains constant: passwords still play a central role in system security."



Passwords or Pass Phrase? Protecting your Intellectual Property

http://ezinearticles.com/?Passwords-or-Pass-Phrase-Protecting-your-Intellectual-Property&id=7870

" ... A new theory on passwords is emerging that may help us remember our access codes, be more secure, and generally keep hackers and thieves out of our networks."



Here are some sensible rules for password creation:

- Unacceptable - less than eight characters

- Weak - Eight or more Characters, including one or more Numerics

- Fair - Eight or more Characters including:

    - 1 Numeric, and

    - 1 or more Special characters, and

    - 1 or more Uppercase Characters

- Strong - Eight or more characters including:

    - 2 or more Numerics, and

    - 1 or more Special Characters, and

    - 1 or more Uppercase characters

- Very Secure - Fourteen or more characters including:

    - 2 or more Numerics, and

    - 2 or more Special Characters, and

    - 1 or more uppercase characters

    - Ensure maximum keyboard "distance" between characters

    - Equivalent use of each hand to enter

Check the password strength on Microsoft's non-recording checker

http://www.microsoft.com/protect/yourself/password/checker.mspx

Trademarks

Oracle and PeopleSoft are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

This is the full searchable set of PeopleBooks. It will be updated as the the documentation changes. You can LINK your PeopleSoft applications directly to this site.

This is a publicly accessible site.

You can also access the PDF versions here - http://www.oracle.com/technology/documentation/psftent.html

Check this link:
Customer Connection References Within PeopleSoft Enterprise Documentation
http://download.oracle.com/docs/cd/E05317_01/psft/acrobat/pb_metalink.pdf

This document lists the new MetaLink navigations for Customer Connection pages

PeopleSoft supports LDAP v3, and delivers 4 pre-built configurations:
- Oracle Internet Directory
- Sun Java System Directory Server
- Novell eDirectory
- Microsoft Active Directory
There is also a custom option to allow any other configuration to be defined.

[All third party trademarks are the property of their respective owners]

Download file

A brief description of the problem and solution is here:

Download file

The sample code can be found here:

Download file

Here is Part 1: Download file

Here is Part 2: Download file

Enjoy!

- Web 2.0 in Your Enterprise : Collaboration Technology for Improved...
Web 2.0 has introduced many opportunities to improve efficiency and effectiveness. This session describes the collaborative features available in Enterprise Portal today, what's coming soon, and will help you learn how to adopt and apply those features. We'll describe clear examples of Enterprise Portal in action applied to familiar, important processes, and show how Web 2.0 can improve those processes in your enterprise.

- Enterprise 2.0 Live!
Would you like to take advantage of the Web 2.0 features available in PeopleSoft portal technologies but just don’t know how? Not sure how they could benefit your business? Think they might be hard to deploy? We’ll put those concerns to rest by demonstrating how to employ these features using familiar transactions and business processes. This session will be more than a demonstration: it will be interactive. You can ask about your specific business processes, and our panel will brainstorm Web 2.0 solutions and design ideas with you.

We'll also be announcing some new projects in this area that will make it much easier for customers to adopt this technology.

Visit us in the PeopleTools demo pods as well.

If you venture to the PeopleSoft/Fusion Middleware best practice site, you'llo see that several of the Oracle-By Example or viewlets showcasing PeopleSoft interoperability with Fusion Middleware use web services provided by a PeopleSoft system through Integration Broker.  Some of the examples go through some minor integration setup but don't explain what is going on and don't go through the entire setup.  Many of you have taken the 8.48 integration broker class or have implemented web services in your production system so finding or setting up a test PSFT environment is not an issue.  But not all of you . . .

More than once I've heard "I tried setting up integration broker but I couldn't get it to work so I gave up".  Usually the problem is something simple like typing the wrong tools release when configuring the gateway connector for a target node (<ctl> j from a pia page gives you that info!).  Making it through all the steps can be difficult, even for someone that is familiar with integration broker. 

To help you out, we�ve created a viewlet that identifies all the steps you need to go through to set up a PeopleSoft environment that provides web services.  There�s no sound, so you don�t have to worry about bothering your neighbor, and it�s interactive, so you can select only the steps you need more information on.

Here's a link to the viewlet: IBSetup

What are the steps it goes through?  Here they are:

1) Enable the pub/sub processes in the app server so there is support for asynchronous services. 

The web services used by examples on the best practice site are all synchronous so this is not mandatory.  But I�m sure some of you will take what you see to the next level and before long start trying out asynchronous service requests.  As soon as you try that, you�ll need these services enabled to provide queues for the gateway to store the service request.

2) Change the Default Local Node

Again, this is not required to run the samples provided.  You�ll only have to do this when you want to start testing more complex integration scenarios.  But it is easy to do and a good idea.  You�re much safer using a creative name for your PSFT system than sticking with the generic PSFT_HR that�s delivered.

It is easy but there�s a catch.  You have to run a data mover script (appmsgpurgeall.dms) to clear out the message queue (the data�s in database tables).  If you don�t do that, you�ll get a cryptic error message

3) Configure the PeopleSoft Listening Connector

Our first required step.  This is necessary for a PSFT AppServer to communicate with an Integration Gateway.  You get to test it right from the page you enter the URL so it�s pretty foolproof.  Don�t forget to load the rest of the connectors as part of this step.

4) Configure the PeopleSoft Target Connector

Step 3 told the AppServer where the Integration Gateway was located.  This tells the Integration Gateway where the AppServer is located.  You�ll set up a default location and add a node specific for the default local node you changed (or left unchanged) in step 2.

5) Service Configuration

The final and very important step is to complete the service configuration.  This is required for running web services.  You�ll enter some default naming information for services and schemas.  You�ll also identify where the PeopleSoft Service Listening Connector is.  It�s not required but a very good idea to change your Service System to Development.  That way you won�t have to worry about service versions each time you make a change.

You�re all set to go now.  Try the examples provided on the best practice site and experiment with some of your own.