Panda + Community October 2015

Well, it would appear that the lead-up to the Christmas season is when the Panda seems to get really involved with the community. This past month we were able to get out and help a local group by installing a new floor in one of their apartments. Next week The Panda will be out with our Rotary Club assisting Local Legion 41 collect donations for Poppies in support of our Veterans – Remember To Remember.

Since Christmas is right around the corner, Christmas Care was out talking with the Rotary Club last week, and we are excited to be working with them again to help ensure families that are having tough times will have a great Christmas. This year the Rotary Club will be selling teddy bears as we did last year, with all proceeds going to support Christmas Care, and the best part is that in many cases people who buy the bears also donate them. Last year we had almost 40 bears that went to families to put smiles on kids' faces. This year the goal is 100.

If you would like to buy a bear online and have the bear donated to Christmas Care Click:

Once the bears are all sold, we will continue to work with Christmas Care and package up food and gifts into the 1500+ hampers that will be going out to the community. It is a great community project that brings out the good in everyone and puts smiles on many faces.

Another project we are excited to be continuing this year is working with Inn Out of The Cold. Last year The Rotary Club and The Panda donated a pile of clothing and thermal blankets and made several meals to help out folks who are homeless and in need. The first meals were served this past weekend, and The Panda will be in there doing dishes soon.

Till next month……


Weblogic: Wildcard Host Name Verification

Wildcard SSL + PeopleSoft

Out of the box you can do just about anything with WebLogic; however, when you get into some of the specifics and try to tie it into an application like PeopleSoft you can run into some interesting quirks. I personally really like wildcard SSL certificates because they cut down on a huge administrative headache that can come from trying to manage certificates for every “name” that needs to be managed. In PeopleSoft you can have dozens of servers and it can get to be an administrative nightmare.

WebLogic allows you to store and reference the wildcard certificate in your keystore; however, Wildcard Host Name Verification will fail with default settings. If you do a quick Google search you will turn up several posts that explain how to simply “ignore” wildcard host name verification. I am not a fan of just “ignoring” things. You could simply add the following to the start command of WebLogic, which turns hostname verification off altogether:

-Dweblogic.security.SSL.ignoreHostnameVerification=true

However, I found what I consider a better option: set the validation to a custom wildcard host name verification using a public class delivered with WebLogic Security, SSLWLSHostnameVerifier, which can be called for hostname verification and will apply wildcard host name verification checks. This wildcard host name verification is instantiated by the WebLogic hostname verifier wrapper that checks for proxies, expectedName, etc. It obtains this hostname verifier class name from the SSLMBean or the hostname verifier property.

In the WebLogic Console you can change the advanced SSL properties:

  • Hostname Verification: Custom HostName Verification
  • Custom Hostname Verifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier

This verifier checks the SubjectDN CommonName (CN) attribute of the SSL session’s peer certificate. For the CommonName attribute to support wildcarding, it must meet the following:

  • the CN must have at least two dot (‘.’) characters
  • the CN must start with “*.”
  • the CN can have only one “*” character
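
The three CN rules above, written out as a check and run against a few constructed names. This is an added example, not WebLogic's own code: the function names are hypothetical, and the host-matching step (the wildcard stands for exactly one leftmost label, compared exactly as given) is an assumption the page does not state.

```python
# Added example: the three wildcard-CN rules from the list above.
# Function names are hypothetical; this is not WebLogic's implementation.

def wildcard_cn_problems(cn: str) -> list:
    """Return the rules a wildcard CN breaks (empty list = acceptable)."""
    problems = []
    if cn.count(".") < 2:
        problems.append("CN must have at least two dot characters")
    if not cn.startswith("*."):
        problems.append('CN must start with "*."')
    if cn.count("*") > 1:
        problems.append('CN can have only one "*" character')
    return problems


def host_matches_cn(hostname: str, cn: str) -> bool:
    """Check a URL hostname against a certificate CN.

    Assumption (not from the page): the "*" covers exactly one
    leftmost label, and the rest must equal the CN's domain part.
    """
    if "*" not in cn:
        return hostname == cn          # plain CN: exact match only
    if wildcard_cn_problems(cn):
        return False                   # malformed wildcard: reject
    label, dot, domain = hostname.partition(".")
    # "*.example.com" covers "psweb01.example.com" but neither
    # "example.com" nor "a.b.example.com".
    return bool(label) and dot == "." and domain == cn[2:]


if __name__ == "__main__":
    # Constructed sample names, for illustration only.
    for cn in ["*.example.com", "*.com", "www.*.example.com",
               "*.*.example.com"]:
        print(cn, "->", wildcard_cn_problems(cn) or "ok")
    for host in ["psweb01.example.com", "example.com", "a.b.example.com"]:
        print(host, "->", host_matches_cn(host, "*.example.com"))
```

Running it before requesting a certificate shows whether the planned CN, such as one issued directly under a top-level domain, would be rejected by these rules.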

What JAVA Version is being Used

Almost every piece of software installed these days seems to have some Java version included with it. So when you are trying to run an application, you could be running the wrong Java version, depending on the paths that are searched for the java executable.

In Windows, from the command prompt you can issue the command:

where java

In Linux you can issue the command:

which java

The Windows command will show you all the locations where it finds java; from my tests, they are sequenced from the first location it will find it to the last location it will find it.

LDAPS: PeopleSoft Directory Services

As of PeopleTools 8.50 PeopleSoft no longer requires the NSS cert7.db or Oracle Wallet Manager and all the crazy setup in order to get the LDAPS configuration to work. As of 8.50 PeopleSoft uses the Java Naming and Directory Interface (JNDI) API which allows Java software clients to discover and look up data and objects. JNDI being a JAVA API means that it is independent of the underlying implementation.

There is no need for additional installations, and the certificates no longer need to be stored in the application server domain folders; all the certificates are stored in the database.

In order to set up LDAPS, you will need the Root CA certificate for the LDAPS server. In my case I am using Active Directory, so I went on my domain controller, went into the certificate store and exported the CA certificate for the server. Next you need to import that certificate into the digital certificates within PeopleSoft.

Home > PeopleTools > Security > Security Objects > Digital Certificates

Next, you need to add a Root CA and give it an Alias Description. Click Refresh and you will see a hyperlink to import the certificate. Then copy the “pem” format of the CA certificate into the window. The easiest way to get this format is to export the file in Base-64 encoded X.509 format while viewing the certificate.

Bounce the application server and you should be able to Test Connections to the LDAPS server:


SSL: Create a cert7.db Certificate Database

In the old days of PeopleSoft you needed to create a cert7.db database file in order to do things like LDAPS. However, creating a cert7.db file requires very old software because this format is very uncommon today. I have found you can create a cert7.db file using Netscape v4.7.3 or earlier according to various websites. However, I am very suspicious of downloading old versions of software. There is an old toolset, NSS (Network Security Services) & NSPR (Netscape Portable Runtime), available from Netscape (Mozilla), which does a nice job of creating the cert7.db.

To download, I found you want to get NSS v3.4.2 and NSPR v4.1.2. Use the Mozilla FTP site:
https://ftp.mozilla.org/pub/security/nss/releases/
https://ftp.mozilla.org/pub/nspr/releases/

I unzipped the files to separate directories, and then used a command prompt to set up the PATH to include both directories’ libraries (%NSS_PATH% and %NSPR_PATH% stand for the two unzip directories):

SET PATH=%PATH%;%NSS_PATH%\lib;%NSPR_PATH%\lib

From the \bin directory, we need to run the certutil to create a new NSS Certificate Database:

certutil -N -d c:\temp\certdbfolder

To Add The Root CA Certificate:

certutil -A -n MyCA -d c:\temp\certdbfolder -i CA.cert -t C,C,C

To Add The Server Certificate:

certutil -A -n MyServer -d c:\temp\certdbfolder -i server.cert -t P

In order to use the cert7.db in the PeopleSoft Application Server, depending on your Tools & Application level you will want to put the files cert7.db & key3.db & secmod.db in the Application Server Domain root directory or in a folder “cert” in the root directory.