RSA Sign and Verify using PeopleSoft [pluggable] Encryption Technology (PET)

This is another entry created by the PeopleTools Development Team.

Introduction

PeopleSoft Encryption Technology enables you to secure sensitive data and ensure secure communications for business processes. It lets you choose the degree of cryptography you need by building your own encryption profiles. An encryption profile consists of an algorithm chain, which is a series of steps that include one or more algorithms and the required PeopleSoft internal routines. In addition, you need to define an algorithm Keyset, which is used to store parameter values.

The discussion below walks through an example of setting up an RSA SHA1 sign and verify profile in PeopleTools 8.49.

Before we go into the step-by-step instructions, a few things to know:

  1. Sign routines (such as rsa_md5_sign, rsa_sha1_sign and dsa_sha1_sign) require a PSHexEncode step after the sign step. The sign process needs to produce the HEX value that is copied into the SIGNATURE parameter of the verify algorithm.

  2. Verify routines (rsa_md5_verify, rsa_sha1_verify and dsa_sha1_verify) have a Keyset requirement that the SIGNATURE parameter begin with 0x to be valid, i.e. the result of the sign profile is prefixed with 0x and copied into the verify SIGNATURE Keyset parameter.

  3. Verify routines (rsa_md5_verify, rsa_sha1_verify and dsa_sha1_verify) have a Keyset requirement for SIGNERPUBLICKEY. The parameter value should point to a certificate, not to a bare public key.

  4. Testing your results: When you test the verify routine using Test Encryption Profile, type in the same value you used when you ran the sign routine. If the verification succeeds it returns true, otherwise false. In 8.49, in order to show the test result you need to make a minor edit to the CRYPT_WRK.SELECT_FLAG.FieldChange PeopleCode.
    Add the lines below at the end of the function:

    /* Show the verify result (True/False) when the profile produced no other output */
    If None(DERIVED_CRYPT.DESCRLONG) Then
       DERIVED_CRYPT.DESCRLONG = &cry.Verified;
    End-If;


Generate/Use Keyset Variables

Some algorithms require one or more Keyset ID variables, each of which must contain or refer to a HEX VALUE, PRIVATE KEY or CERTIFICATE. There are many ways to generate a CSR and obtain certificates and private keys. We will use the Tools-delivered Digital Certificate component to generate the key pair and import a signed certificate.

We will need to do the following three steps:

   •   Add local node certificates to the PeopleSoft system and generate CSRs.
   •   Submit local node certificates to your CA for signing.
   •   Import signed local node certificates into the PeopleSoft system.


To install a signed public key certificate, you must define a local node certificate row in the keystore, then obtain the signed certificate from a CA whose root certificate is installed. To do this, you generate a CSR, submit the CSR to the CA, then retrieve and import the content of the signed certificate into your certificate row.

  1. Select PeopleTools, Security, Security Objects, Digital Certificates. The Digital Certificates page displays.
  2. Click the plus button (+). A new row appears.
    • From the Type drop-down list, select Local Node.
    • In the Alias field, enter a meaningful name. At most, a single Encryption Profile would reference two of these aliases: you may need one for the Signer/Sender and one for the Recipient. For our example we used the alias “signer”.
    • In the Issuer Alias field, click the lookup button to select the issuer alias.
  3. At the end of the row, click the Request link. The Request New Certificate page displays.
  4. In the Subject Information section, enter the following information:
    These fields represent attributes of the default local node's DN. The CA to whom you submit the CSR might require values for any or all of the fields. The DN is also stored on the Detail page of the local node certificate.
    Common Name: Enter the sender's or receiver's name.
    Org Unit (organizational unit): Enter the name of the organizational unit.
    Organization: Enter the name of the organization.
    Locality: Enter the location of the organization.
    State/Province: Enter the state or province name.
    Country: Enter the two-character country code.
    Email Address: Enter an email address, e.g. name@email.com.
    Challenge Password: Enter a password you can remember, e.g. signerpassword or recipientpassword.
  5. In the Key Pair Information section, enter the following information:
    • From the Algorithm drop-down list, select one of the three types mentioned above.
    • From the Key Size drop-down list, select 1024.
  6. Click the OK button.

In addition to generating the CSR, which contains the default local node's public key, this step also creates the matching private key, which is automatically installed in the same row of the node's keystore.

    To submit a local node certificate for signing:

  1. After you click the OK button as described in the previous section, the CSR is generated. Cut and paste the CSR and submit it to your CA for signing.

    When you submit the CSR for signing, you must include the begin section (-----BEGIN NEW CERTIFICATE REQUEST-----) and the end section (-----END NEW CERTIFICATE REQUEST-----).

    Download the base64 encoded signed certificate.
After the CA generates a CERTIFICATE for the local node, you import the signed certificate into PeopleSoft.

    To import signed local node certificates into a PeopleSoft system:

  1. Select PeopleTools, Security, Security Objects, Digital Certificates. The Digital Certificates page displays.
  2. Locate the row that contains the local node certificate.
  3. At the end of the row, click the Import link. The Import Certificate page displays.
  4. Open the file where you saved the signed certificate you received back from the CA, copy it and paste it into the text box. The content you paste must include the begin section (-----BEGIN CERTIFICATE-----) and end section (-----END CERTIFICATE-----).
  5. Click the OK button.
  6. Click the Refresh button.
The Digital Certificates page appears and the new certificate's row now contains a Detail link. At this point the certificate has been successfully installed and will appear in the Certificate Alias drop-down list on the Keyset page. With this method you will not see the actual PRIVATE KEY or CERTIFICATE values being used.

    To set up the sign and verify encryption profiles:

  1. Start by creating an algorithm chain for signing, as shown. As noted above, we add the PSHexEncode step after the sign step. We will call it RSA_SIGN.

    image001.jpg

  2. Build a signature verification chain, as shown. We will call it RSA_VERIFY.

    image003.jpg

  3. Define an encryption profile for the signing algorithm chain defined above. When you add the profile it shows you which parameters or Keyset values are required. In this case these algorithms require certificates and private keys. We will use the key and certificate generated above with the Digital Certificate component. The SIGNERPKPASSPHRASE parameter is entered directly on the Profile page; this is the password that decrypts and unlocks the private key. For this example we do not need to provide a value, as the private key is encrypted and stored in the database and is transparent to us.

    The SIGNERPRIVATEKEY parameter must be entered as a Keyset value. (Note the grayed check box labeled From Keyset; it tells you whether you enter the value here or in the Keyset.)

    We will need to define a Keyset for the signing algorithm (rsa_sha1_sign).

    image005.jpg

    Save the encryption profile. We will come back to it after defining the Keyset.

  4. Navigate to Algorithm Keyset and search for the rsa_sha1_sign algorithm chain. Provide a Keyset ID; in our case we call it ‘sign-pk’. Enable the Use Certificate Store Value and Private Key check boxes. Provide the certificate alias that you entered when generating the certificate request above with the Digital Certificate component; in our case it was ‘signer’. Click Save.

    image007.jpg

  5. Navigate back to the RSA_SIGN encryption profile and add the Keyset value generated in the step above. Save the profile.

    image009.jpg

  6. Set up Verify Encryption Profile:

    Build another Encryption Profile for the Verify chain you created in step 2 above. Give the profile a name that makes clear it matches the Encryption Profile you previously created; in our example we call it RSA_VERIFY. As you can see, verify needs two parameters. The first is the signature that needs to be verified; we will generate this signature using the RSA_SIGN encryption profile. The second parameter is SIGNERPUBLICKEY. Essentially this is the certificate that contains the public key.

    image011.jpg

    • For the first parameter we generate a signature for the string we want to sign using the sign encryption profile and copy the resulting signature here. To generate a signature, go to Test Encryption Profile and open the RSA_SIGN profile. Add a test string, in our case ‘SIGNATURE’, and run the profile.

      image013.jpg

      Prefix the signature above with ‘0x’ (it is hex encoded) and copy it in as the value of the SIGNATURE parameter of the RSA_VERIFY profile.

      image015.jpg

      Save the profile. We will come back to it to add the value for the second parameter.

    • For the second parameter, SIGNERPUBLICKEY, as in the signing step we need to define a Keyset for the verify algorithm. We will call it ‘verify-pk’. Enable the Use Certificate Store Value and Certificate check boxes. Enter the certificate alias (‘signer’ in our example) and save.

      image017.jpg

  7. Navigate back to the RSA_VERIFY profile and add the value for the second parameter, SIGNERPUBLICKEY, from the Keyset defined in the step above.

    image019.jpg

    Save the profile.

Run Verify Test:

Choose the Verify profile, supply the same text you used when you ran the Sign profile (in our example it was ‘SIGNATURE’) and click Run Encryption Profile. The Encrypted Text field should show true, meaning the signature was successfully verified.

image021.jpg

Try entering some other value and it should return false, as expected.

image023.jpg

Once you have verified that the profiles are set up correctly and tested them, you can call them from your code using the PeopleCode Crypt class.
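The sign-then-verify flow above, modelled end to end in Go as an added example (this is not PET or PeopleCode, and the key pair and self-signed certificate are constructed stand-ins for the CA-signed “signer” row). It assumes rsa_sha1_sign produces a PKCS#1 v1.5 SHA-1 signature, and it reproduces the two Keyset rules from the notes: the SIGNATURE must carry the 0x prefix, and the public key is read from a certificate.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)
// SignHex mirrors the RSA_SIGN chain: rsa_sha1_sign (assumed PKCS#1 v1.5) then PSHexEncode.
func SignHex(key *rsa.PrivateKey, text string) (string, error) {
	d := sha1.Sum([]byte(text))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, d[:])
	return hex.EncodeToString(sig), err
}
// VerifyWithCert mirrors RSA_VERIFY: SIGNATURE must start with 0x; the public key is read from the SIGNERPUBLICKEY certificate, not supplied bare.
func VerifyWithCert(certDER []byte, signature, text string) bool {
	if len(signature) < 2 || signature[:2] != "0x" {
		return false // Keyset rule: a SIGNATURE without the 0x prefix is invalid
	}
	sig, err := hex.DecodeString(signature[2:])
	cert, perr := x509.ParseCertificate(certDER)
	if err != nil || perr != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false
	}
	d := sha1.Sum([]byte(text))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, d[:], sig) == nil
}
// NewSignerCert is a constructed fixture: a 1024-bit key pair plus a self-signed certificate standing in for the CA-signed "signer" row (errors ignored).
func NewSignerCert() (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 1024)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "signer"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}
func main() {
	key, der := NewSignerCert()
	sigHex, _ := SignHex(key, "SIGNATURE")
	fmt.Println(VerifyWithCert(der, "0x"+sigHex, "SIGNATURE")) // true
	fmt.Println(VerifyWithCert(der, sigHex, "SIGNATURE"))      // false: 0x prefix missing
	fmt.Println(VerifyWithCert(der, "0x"+sigHex, "OTHER"))     // false: different text
}
```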
