Tech Market Archives

November 7, 2007

Confusion persists

Greg Kelly and I had a conversation the other day about this recent BusinessWeek article.  It's a somewhat interesting story about the recent re-organization within the Oracle Applications division and BW's views about Oracle's application strategy - including Fusion.

I found it particularly interesting because it's so full of misleading or misguided statements that are made in such a way as to sound informational and journalistic.  I understand that BW may be trying to summarize for a lay audience a complex market landscape and necessarily complicated strategy.  To a degree they've been successful.  The article reads well with no evident spin.  It sounds informational.

Unfortunately, some of the information is simply incorrect.  One statement in particular comes to mind:  "Oracle risks losing ground to SAP and Salesforce.com, both of which have been quicker to deliver Web-based versions of enterprise software".  For one, PeopleSoft 8 was released long before Salesforce.com was a glint, but this bit of editorial license leads the reader to think that we're only just now, with Fusion, planning to release a Web-based version of our applications. 

Worse is the summary of our Fusion strategy in which they indicate Oracle will "cherry-pick the best of [our] software collection ... including Oracle's own accounting software, PeopleSoft's human resources product and Siebel's customer management application."  This statement leaves the reader to assume we are cobbling together applications that already exist and "unifying an approach to storing data and interacting with the programs". 

It's unfortunate that a publication such as BusinessWeek hasn't done a better job of ensuring their material is correct and accurate.  On the other hand, it's our job to ensure that our strategy is dead-simple and easy for our customers (and editors who only do half a job with their homework) to understand.

July 9, 2008

Web 2.0 at Oracle Open World

We have some interesting sessions planned for Open World in the area of Web 2.0. If you are interested in collaboration in the Enterprise, come see what PeopleSoft is doing in this area. There are two sessions scheduled for this topic. Here they are with abstracts:

- Web 2.0 in Your Enterprise : Collaboration Technology for Improved...
Web 2.0 has introduced many opportunities to improve efficiency and effectiveness. This session describes the collaborative features available in Enterprise Portal today, what's coming soon, and will help you learn how to adopt and apply those features. We'll describe clear examples of Enterprise Portal in action applied to familiar, important processes, and show how Web 2.0 can improve those processes in your enterprise.

- Enterprise 2.0 Live!
Would you like to take advantage of the Web 2.0 features available in PeopleSoft portal technologies but just don’t know how? Not sure how they could benefit your business? Think they might be hard to deploy? We’ll put those concerns to rest by demonstrating how to employ these features using familiar transactions and business processes. This session will be more than a demonstration: it will be interactive. You can ask about your specific business processes, and our panel will brainstorm Web 2.0 solutions and design ideas with you.

We'll also be announcing some new projects in this area that will make it much easier for customers to adopt this technology.

Visit us in the PeopleTools demo pods as well.

November 1, 2008

PeopleSoft and LDAP

There are 3 scenarios where LDAP may be used with PeopleSoft:
Delivered external authentication
In this instance the customer chooses an attribute in the user object which will contain the PeopleSoft user ID. The login process is configured to access the LDAP server using the user credentials entered in the challenge screen. Signon PeopleCode connects to the LDAP server, retrieves the user object which matches the value entered by the user as the "UserID", extracts the DN from the user object and attempts to BIND the user object using the entered password. If this sequence is successful, Signon PeopleCode extracts the value in the attribute which has been configured as storing the PeopleSoft user ID, usually "uid" and makes a call to SetAuthenticationResult to cache the user profile and log the user into a PeopleSoft session.

Default or Dynamic Role creation
This is an extension to the authentication functionality above. If the user successfully authenticates against LDAP but does not have an entry in PSOPRDEFN and a default Role has been configured, the entry will be created in PSOPRDEFN and the user will be logged into that default Role in PeopleSoft. This default Role is usually the Self Service Role, so customer PeopleSoft administrators do not have to create an account for every employee, for instance.

With Dynamic Roles, a user account can be created or modified using attribute values in the user object, queries against the PeopleSoft instance or other custom logic.
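The delivered external authentication sequence and the default-Role creation described above, modelled as an added example that is not PeopleSoft's Signon PeopleCode: it runs against a constructed in-memory directory, and assumes "sAMAccountName" as the attribute chosen to hold the entered user ID and "uid" as the attribute holding the PeopleSoft user ID, with a dict standing in for PSOPRDEFN.

```python
# Added example (not PeopleSoft code): model of the Signon PeopleCode flow
# from the post, run against a constructed in-memory directory.

# Constructed directory: DN -> attributes. "sAMAccountName" is the attribute
# assumed to be matched against the entered user ID; "uid" is the attribute
# assumed to hold the PeopleSoft user ID.
DIRECTORY = {
    "cn=Ann Lee,ou=Staff,dc=example,dc=com": {
        "sAMAccountName": "alee", "uid": "ALEE", "userPassword": "s3cret!",
    },
    "cn=Bob Ray,ou=Staff,dc=example,dc=com": {
        "sAMAccountName": "bray", "userPassword": "hunter2",   # no uid attribute
    },
}


def ldap_search(login_attr, value):
    """Return (dn, entry) of the single user whose login_attr equals value, else None."""
    hits = [(dn, e) for dn, e in DIRECTORY.items() if e.get(login_attr) == value]
    return hits[0] if len(hits) == 1 else None


def ldap_bind(dn, password):
    """Simple bind. An empty password is refused explicitly: a real LDAP server
    treats it as an unauthenticated bind that 'succeeds' (RFC 4513 5.1.2),
    which signon logic must never accept as proof of identity."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def signon(userid, password, psoprdefn, default_role="Self Service",
           login_attr="sAMAccountName", psuser_attr="uid"):
    """Search, bind as the found DN, map the configured attribute to the
    PeopleSoft user ID, then provision a PSOPRDEFN entry with the default
    Role if one is configured. psoprdefn models PSOPRDEFN as {ps_userid: role}
    and is updated in place. Returns (status, ps_userid or None)."""
    hit = ldap_search(login_attr, userid)
    if hit is None:
        return ("no-such-user", None)
    dn, entry = hit
    if not ldap_bind(dn, password):
        return ("bind-failed", None)
    ps_userid = entry.get(psuser_attr)
    if not ps_userid:
        return ("no-ps-userid-attribute", None)
    if ps_userid not in psoprdefn:
        if default_role is None:
            return ("not-provisioned", None)
        psoprdefn[ps_userid] = default_role      # default Role creation
        return ("authenticated-provisioned", ps_userid)
    return ("authenticated", ps_userid)        # SetAuthenticationResult point
```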

PeopleSoft Directory Interface (PDI)
This is a licensable option with HCM and developed/supported as an Enterprise Component.
With this option, the LDAP schema is modified with PeopleSoft specific object classes and attributes to create a structure in LDAP which reflects the organizational structure defined in HCM. Messages are created from Workforce Management events to modify the LDAP structure to reflect changes in the workforce.

LDAP authentication and Role management are described in the Security Administration PeopleBook, http://www.oracle.com/applications/peoplesoft/tools_tech/ent/ptools/peoplebook-security-administration.pdf, which is part of the PeopleTools suite. PDI is described in the Enterprise Components PeopleBook, http://download.oracle.com/docs/cd/B40039_02/psft/acrobat/hrcs9ecq-b1206.pdf, which is part of the HCM suite.

PeopleSoft supports LDAP v3, and delivers 4 pre-built configurations:
- Oracle Internet Directory
- Sun Java System Directory Server
- Novell eDirectory
- Microsoft Active Directory
There is also a custom option to allow any other configuration to be defined.

[All third party trademarks are the property of their respective owners]


January 23, 2009

Maybe one of the most useful links - EVER! (updated)

Oracle PeopleSoft Enterprise Hosted PeopleBook website
http://www.oracle.com/pls/psft/homepage

This is the full searchable set of PeopleBooks. It will be updated as the documentation changes. You can LINK your PeopleSoft applications directly to this site.

This is a publicly accessible site.

You can also access the PDF versions here - http://www.oracle.com/technology/documentation/psftent.html

Check this link:
Customer Connection References Within PeopleSoft Enterprise Documentation
http://download.oracle.com/docs/cd/E05317_01/psft/acrobat/pb_metalink.pdf

This document lists the new MetaLink navigations for Customer Connection pages

February 10, 2009

The insidious threat - the hacker behind the firewall

I showed this graphic recently as part of a security presentation and without the context it's probably difficult to see that there is a connection between the objects. This is by no means an exhaustive set but it does open the conversation around the problems of risk compensation and de-perimeterization. While not PeopleSoft or Oracle specific, it is within the realm of security, and Oracle does have products to help mitigate the risk.





[Image: insidious.jpg]


What are these objects?

  1. USB Adapter Cable

  2. WiFi Point of Sale Terminal

  3. NetBook

  4. Bluetooth Adapter

  5. iPhone

  6. Twitter



[Images: ComputerLockingTag.jpg (left), OpenCabinet.jpg (right)]


1 USB Adapter Cable

This is a USB adapter cable ( ~ $19) for hard drives, 2.5 and 3.5 IDE (PATA) and SATA drives. With this cable you can connect any typical hard disk to the USB port. In any office environment, what's familiar becomes invisible. Someone who walks through an area on a regular basis is not suspicious. This is where the two pictures above become relevant. The left hand picture shows the back of a typical desktop; the eye-hole tab is not just for locking the desktop against theft, it is also there to lock the casing shut to prevent unauthorized physical access. The right hand picture shows the cover open and the disk drive(s) available. (The blue lead is the SATA cable connecting the disk.) This particular HP makes access even easier, since the drives are mounted on plastic slides. Opening the case and removing the drive takes less than a minute. The miscreant takes the drive back to the comfort of their office, copies interesting data off the disk, or copies toxic code directly onto the disk. Another minute to re-install the disk in the unsuspecting user's desktop and nothing appears to have happened. It's not enough to assume that desktops used by users with relatively trivial access do not need to be protected, since network resources are much more accommodating to systems within the firewall. All corporate desktops should have locks on this tab.



2 WiFi enabled Point of Sale Terminal

Increasingly Point of Sale (POS) terminals are PC based and WiFi enabled. Because keyboard access is generally disabled and all user input is by a specialized keypad, security on these workstations is relatively trivial. WEP can be easy to crack, so all the system abuser has to do is sit outside the store with a WiFi sniffing laptop to gain access to the network. Then they can mimic the IP and MAC address of the POS terminal and start exploring the connected systems.



3 NetBook

These fully functional Windows XP or Linux based platforms have now achieved commodity status and will become ubiquitous. The XP version is available at less than $300 and the Linux version less than $250. In fact Netbooks have breathed new life into XP. Anyone who has reason to be in your premises can easily transport these devices inside your firewall and play around to their heart's content usually after most of your staff have left. They can take advantage of any rogue or compromised WiFi network in your buildings.



4 Bluetooth Adapter

There are a number of sophisticated libraries, especially on Linux, for manipulating these Bluetooth network adapters to seek out unprotected Bluetooth enabled cell phones. It is possible for the miscreant to take control of your cell phone and have it dial out to their phone, so your phone becomes an inadvertent bugging device. This does not need the recently announced downloaded malware; it takes advantage of delivered functionality. If you're going to a sensitive meeting, take the battery out of your phone.



5 iPhone

These are WiFi enabled mobile computing platforms, not just phones. There have been some anecdotal, but completely credible, stories of a package being delivered for someone who has recently left a company and the package being left at reception or with security for subsequent collection. The package contains a provisioned iPhone which listens for WiFi and then connects to a rogue web server, creating a proxy inside the firewall. Firewalls generally allow outbound connections on port 80.



6 Twitter

This really turns on the point of judicious password selection, not an indication that Twitter poses a security risk. Recently there were reports of Twitter accounts being cracked. Unfortunately the users had relatively high levels of access in their corporate domains, but used the same user ID and password on their Twitter accounts. This emphasizes the need to maintain separate sets of credentials for internal and external resource access. See more on passwords below.



None of these objects is inherently insecure, but hackers/crackers/system abusers are very creative!







Here are some interesting links relating to passwords:

The Top 500 Worst Passwords of All Time

http://www.whatsmypass.com/?p=415

" ... If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people."



Ten Windows Password Myths

http://www.securityfocus.com/infocus/1554

" ... With all of our advances in security technology, one aspect remains constant: passwords still play a central role in system security."



Passwords or Pass Phrase? Protecting your Intellectual Property

http://ezinearticles.com/?Passwords-or-Pass-Phrase-Protecting-your-Intellectual-Property&id=7870

" ... A new theory on passwords is emerging that may help us remember our access codes, be more secure, and generally keep hackers and thieves out of our networks."



Here are some sensible rules for password creation:

- Unacceptable - less than eight characters

- Weak - Eight or more Characters, including one or more Numerics

- Fair - Eight or more Characters including:

    - 1 Numeric, and

    - 1 or more Special characters, and

    - 1 or more Uppercase Characters

- Strong - Eight or more characters including:

    - 2 or more Numerics, and

    - 1 or more Special Characters, and

    - 1 or more Uppercase characters

- Very Secure - Fourteen or more characters including:

    - 2 or more Numerics, and

    - 2 or more Special Characters, and

    - 1 or more uppercase characters

    - Ensure maximum keyboard "distance" between characters

    - Equivalent use of each hand to enter

Check the password strength on Microsoft's non-recording checker

http://www.microsoft.com/protect/yourself/password/checker.mspx
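A checker that rates a password with the tiers listed above, added here as an example (it is not from the post or from Microsoft's checker). It assumes a QWERTY hand map for the "equivalent use of each hand" rule, treats a 40-60% split between hands as equivalent, uses a constructed stand-in for the worst-passwords list linked above, and does not attempt the "keyboard distance" rule.

```python
# Added example (not from the post): rate a password with the post's tiers.
# Assumptions are marked below.

# Constructed stand-in for the published worst-passwords list (not the real one).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123"}

# Assumed QWERTY touch-typing hand assignment (unshifted and shifted keys).
LEFT_HAND = set("`12345qwertasdfgzxcvb~!@#$%QWERTASDFGZXCVB")
RIGHT_HAND = set("67890-=yuiop[]\\hjkl;'nm,./^&*()_+YUIOP{}|HJKL:\"NM<>?")


def hand_balance(password):
    """Fraction of characters typed by the left hand; 0.5 is an even split."""
    left = sum(1 for c in password if c in LEFT_HAND)
    right = sum(1 for c in password if c in RIGHT_HAND)
    return left / (left + right) if left + right else 0.0


def classify(password):
    """Return one of: Unacceptable, Weak, Fair, Strong, Very Secure."""
    if password.lower() in COMMON_PASSWORDS:
        return "Unacceptable"          # appears on a published worst-passwords list
    n = len(password)
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    special = sum(not c.isalnum() for c in password)
    if n < 8:
        return "Unacceptable"
    # Very Secure: 14+, 2+ numerics, 2+ specials, 1+ uppercase, both hands used
    # (assumption: 40-60% of keyed characters on the left hand counts as equivalent).
    if (n >= 14 and digits >= 2 and special >= 2 and upper >= 1
            and 0.4 <= hand_balance(password) <= 0.6):
        return "Very Secure"
    if digits >= 2 and special >= 1 and upper >= 1:
        return "Strong"
    if digits >= 1 and special >= 1 and upper >= 1:
        return "Fair"
    if digits >= 1:
        return "Weak"
    # Assumption: the post's tiers leave eight-plus characters with no numeric
    # undefined; it is rated below Weak here.
    return "Unacceptable"
```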


Trademarks

Oracle and PeopleSoft are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.


May 14, 2009

Release Value Propositions available

Two new release value propositions are now available: one covers PeopleTools 8.50, the other covers Enterprise Portal 9.1. Both documents provide an overview of the value proposition for the enhancements that are planned for PeopleTools 8.50 and Enterprise Portal 9.1. Both are intended to help you assess the business benefits of these products and to plan your information technology (IT) projects and investments.

PeopleTools RVP
Enterprise Portal RVP

Here is a synopsis of the PeopleTools RVP:
The PeopleTools 8.50 release continues Oracle’s commitment to protect and extend the value of your PeopleSoft implementation, provide additional technology options and enhancements that reduce ongoing operating costs, as well as improve the end user’s experience.
Key areas of investment include:
• Extending the PeopleSoft service-enabled architecture.
• Improving the user experience.
• Lowering your total cost of ownership.

The value of PeopleTools 8.50 is grounded in our normal process of including accumulated bug fixes as well as enhancements based upon customer feedback. As a result, we added features that will simplify the integration of your heterogeneous environments, run your business more efficiently, improve the end user’s experience, and increase cost effectiveness. Many of the enhancements of this release involve improving the end user’s productivity through improved usability enhancements, page performance, and integrated related content.

In sum, PeopleTools 8.50 continues to deliver unparalleled customer choice that ensures support of the latest technical innovation with the industry’s lowest cost of ownership and improved user satisfaction.

Key areas and features of PeopleTools 8.50 are:
• Related content
• Improved integration technology
• Greater end-user productivity
• Supported platforms

And here is a synopsis of the Portal RVP:
The PeopleSoft Enterprise Portal 9.1 release continues our strategy that began with release 8.8: to provide rich functionality beyond a simple portal framework. PeopleSoft Enterprise Portal offers a rich set of functional Web 2.0 features, which distinguishes it from conventional framework portals. In addition to new framework improvements and benefits accrued from PeopleTools 8.50, we have added functional features to the PeopleSoft Enterprise Portal—especially in Collaborative Workspaces—that will enable you to introduce Web 2.0 concepts and practices into your enterprise with a resulting improvement in user effectiveness, efficiency, and profitability.

May 31, 2009

IB Out Bound Soap Messages with WS-Security

This introduces one of an occasional series which will be created by the PeopleTools Development Team. (remember, if you have any comments on this or any post, click on the email link on the "About" panel)

WS-Security: Publishing outbound SOAP messages using WS-Security

This document is a set of setup steps for Integration Broker outbound WSS messages on PeopleTools 8.48 and 8.49 ONLY.

PeopleTools provides support for the WS-Security standard, enabling secure web services. It implements the OASIS WS-Security 1.0 schema, which conforms to the Web Services Security Standard 1.0.

Within this framework, PeopleSoft implements:
• Username Token Profile 1.0
• X.509 Token profile 1.0

PeopleSoft uses the X.509 token profile in conjunction with the Username Token Profile.
The PeopleSoft implementation of WS-Security:
A) Username Token Profile.
-----------------------------------------
1. Username Token with Password as ClearText **.
2. Username Token without Password.

Both options above can be enabled with X.509 Token Profile.

B) X.509 Token Profile.
--------------------------------------
1. Digitally Signed.
2. Encryption.
3. Digitally Signed and Encryption.

Encryption only applies to SOAP header.
Digital Signature applies to both SOAP header and body.

Notes: **
If there is a concern on the password, one can use SSL over HTTP or Encryption from WS-Security.

We’ll discuss how to publish an outbound SOAP message for a service operation for WS-Security.

Steps detailed below assume you have already configured integration gateway and a service operation on your environment. For more details on setting up gateway and service operation refer to 8.49/8.48 Peoplebooks.

To enable Encryption and Digital signature, certificates in a Java keystore must be correctly set up and configured. The wss.properties file lists the keystore location and the password to it. interop.jks is used as the default keystore file. If you need to use a different keystore you can edit wss.properties accordingly. You should also ensure the password defined in wss.properties is in sync with the password set for your keystore.

Password in wss.properties can be stored encrypted using pscipher utility. For the default interop.jks keystore it is stored encrypted.

wss.properties file and interop.jks are located at ...\PSIGW.war\WEB-INF\classes on your webserver.

Set Up: For our example below we will use QE_PO_SYNC as our service operation that we will publish with WS-Security. Note: As mentioned at the beginning of the post these instructions only apply for outbound messages
[Image: image002.jpg]
1. To enable the digital signature for the outbound service operation.
a. Create a keypair [public key and private key] with the Java keytool utility.

b. Alias name for your keypair must match your Default Local node.
For example, if the default local node is defined as “qe_local”, we would generate keypair as below:
keytool -genkey -alias QE_LOCAL -keyalg RSA -keysize 1024 -dname "CN=QE_LOCAL, OU=PeopleTools, O=Oracle, L=Pleasanton, ST=California, C=US" -keypass interop -keystore interop.jks -storepass interop

c. Generate CSR for this public key and get it signed by CA.

d. Download the signed public key cert and the Root CA.

e. Import Root CA and the signed public key cert.

f. Enable digital signature on the remote node. In our example we have defined QE_IBTGT as the remote node. Navigate to PeopleTools->Integration Broker->Integration Setup->Nodes. On WS-Security tab set authentication token type to ‘Username Token’ and enable ‘Digitally Signed'.
[Image: image004.jpg]
This process will ensure the soap message will be signed. It is signing the header and the body. This means the whole soap message.

2. To enable the encryption for the outbound service operation.
a. Import public key and Root CA of the third party application into your keystore. For our case here it will be interop.jks

b. Ensure the alias name of the third party's public key matches the Remote Node name. In our case that would be QE_IBTGT.

Import cert as below:
keytool -import -alias qe_ibtgt -file qe_ibtgt.cer -keypass interop -keystore interop.jks -storepass interop

Note: It is not required for cert file name to match cert alias name.

c. Enable encryption on the remote node, QE_IBTGT. Navigate to PeopleTools->Integration Broker->Integration Setup->Nodes. On WS-Security tab set authentication type to ‘Username Token’ and enable ‘Encrypted’ flag.
[Image: image006.jpg]
If you are signing the message in addition to encrypting it, then you would have both flags, for encryption and signature, enabled.

Troubleshooting:

One of the common issues is that the UserName token is not generated and you get an empty header. In those cases ensure that:

a. The remote node tied to the service operation has WS-Security enabled. Navigate to
PeopleTools -> Integration Broker -> Integration Setup -> Nodes. Verify the authentication token type is set to ‘Username Token’.

b. IB supports various connector types. For Web Service Security you need to have the HTTPTARGET connector enabled. Verify it accordingly on the Connectors tab.
[Image: image008.jpg]
c. In cases where you need to investigate further and report issues to Global Support to help diagnose the problem, turn on the message log at level 5 in the integrationGateway.properties file. It generates MsgLog.html and ErrorLog.html, which provide useful information to the support analyst to help identify the problem. It is located at: …\PSIGW.war\WEB-INF.
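To check an outbound envelope from the gateway message log against the node's WS-Security flags (the empty-header and missing-signature cases above), here is an added example that is not PeopleSoft code. It uses the standard WSS, XML Signature and XML Encryption namespaces and a constructed sample message; the username and password values in the sample are placeholders.

```python
# Added example (not PeopleSoft code): parse an outbound SOAP envelope as it
# would appear in MsgLog.html and report which WS-Security parts it carries,
# then compare that with the 'Digitally Signed' / 'Encrypted' node flags.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
EMPTY = {"security_header": False, "username_token": False,
         "password_cleartext": False, "signed": False, "encrypted": False}


def inspect_wss(envelope_xml):
    """Describe the wsse:Security header of a SOAP envelope (keys as in EMPTY)."""
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    if sec is None:
        return dict(EMPTY)
    tok = sec.find("wsse:UsernameToken", NS)
    pw = tok.find("wsse:Password", NS) if tok is not None else None
    pw_type = pw.get("Type", "") if pw is not None else ""
    return {
        "security_header": True,
        "username_token": tok is not None,
        # Option A1 above: Username Token with the password as ClearText
        "password_cleartext": pw is not None and pw_type.endswith("#PasswordText"),
        "signed": sec.find("ds:Signature", NS) is not None,
        "encrypted": sec.find("xenc:EncryptedKey", NS) is not None,
    }


def check_against_node(report, want_signed, want_encrypted):
    """Return findings for the node flags; an empty list means the header is consistent."""
    findings = []
    if not (report["security_header"] and report["username_token"]):
        findings.append("no UsernameToken: check node token type and HTTPTARGET connector")
    if want_signed and not report["signed"]:
        findings.append("Digitally Signed set but no ds:Signature: check keypair alias = default local node")
    if want_encrypted and not report["encrypted"]:
        findings.append("Encrypted set but no xenc:EncryptedKey: check remote node cert alias in keystore")
    if report["password_cleartext"] and not report["encrypted"]:
        findings.append("cleartext password and no WSS encryption: transport must be SSL")
    return findings


# Constructed sample: a Username Token with a cleartext password and nothing
# else, i.e. the case where signing was expected but did not happen.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
 <soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <wsse:UsernameToken>
    <wsse:Username>wss-user-placeholder</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">constructed-pw</wsse:Password>
   </wsse:UsernameToken>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body><QE_PO_SYNC/></soapenv:Body>
</soapenv:Envelope>"""
```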