LDAPS: PeopleSoft Directory Services

As of PeopleTools 8.50, PeopleSoft no longer requires the NSS cert7.db or Oracle Wallet Manager, and all the crazy setup that went with them, to get the LDAPS configuration to work. As of 8.50, PeopleSoft uses the Java Naming and Directory Interface (JNDI) API, which allows Java software clients to discover and look up data and objects. Because JNDI is a Java API, it is independent of the underlying implementation.

There is no need for additional installations, and the certificates no longer need to be stored in the application server domain folders; all the certificates are stored in the database.

In order to set up LDAPS, you will need the Root CA certificate for the LDAPS server. In my case I am using Active Directory, so I went on my domain controller, went into the certificate store and exported the CA certificate for the server. Next, you need to import that certificate into the digital certificates within PeopleSoft.

Home > PeopleTools > Security > Security Objects > Digital Certificates

Next, you need to add a Root CA and give it an Alias Description. Click refresh and you will see a hyperlink to import the certificate. Then copy the “pem” format of the CA certificate into the window. The easiest way to get this format is to export the file in Base-64 encoded X.509 format while viewing the certificate.

Bounce the application server and you should be able to Test Connections to the LDAPS server.

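An added example (not from the original post): a Python helper that takes whatever was exported from the certificate store, DER binary or Base-64 text, and returns the single clean PEM block to paste into the import window. The function name and the one-certificate-per-Root-CA-entry rule are assumptions, and the sample bytes are constructed, not a real certificate.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# Constructed placeholder bytes shaped like a DER SEQUENCE; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + bytes(10)


def to_pasteable_pem(exported: bytes) -> str:
    """Return one clean PEM CERTIFICATE block from a DER or Base-64 export.

    Only the encoding is checked; this does not parse X.509 or prove the
    certificate is the right CA.
    """
    if b"-----BEGIN" not in exported:
        # Binary export: DER certificates start with the ASN.1 SEQUENCE tag 0x30.
        if exported[:1] != b"\x30":
            raise ValueError("neither PEM text nor DER binary")
        return ssl.DER_cert_to_PEM_cert(exported)

    text = exported.decode("utf-8-sig")  # tolerate a BOM added by Windows editors
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        raise ValueError("file contains a private key; export the certificate only")
    bodies = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(bodies) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(bodies)}")

    # Strip CRLFs and stray whitespace, then re-wrap at 64 columns.
    der = base64.b64decode("".join(bodies[0].split()), validate=True)
    if der[:1] != b"\x30":
        raise ValueError("Base-64 body does not decode to a DER SEQUENCE")
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    print(to_pasteable_pem(SAMPLE_DER))
```

Rejecting any file that carries a private key block keeps key material out of the clipboard and the database when the wrong export option was chosen.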

SSL: Create a cert7.db Certificate Database

In the old days of PeopleSoft you needed to create a cert7.db database file in order to do things like LDAPS. However, creating a cert7.db file requires very old software because this format is very uncommon today. I have found you can create a cert7.db file using Netscape v4.7.3 or earlier, according to various websites. However, I am very suspicious of downloading old versions of software. There is an old toolset, NSS (Network Security Services) and NSPR (Netscape Portable Runtime), available from Netscape (Mozilla), which does a nice job of creating the cert7.db.

To download, I found you want to get versions NSS v3.4.2 and NSPR v4.1.2. Use the Mozilla FTP site:
https://ftp.mozilla.org/pub/security/nss/releases/
https://ftp.mozilla.org/pub/nspr/releases/

I unzipped the files to separate directories, and then used a command prompt to set up the PATH to include both directories' libraries:

SET PATH=%PATH%;%NSS_PATH%\lib;%NSPR_PATH%\lib

From the \bin directory, we need to run certutil to create a new NSS Certificate Database:

certutil -N -d c:\temp\certdbfolder

To Add The Root CA Certificate:

certutil -A -n MyCA -d c:\temp\certdbfolder -i CA.cert -t C,C,C

To Add The Server Certificate:

certutil -A -n MyServer -d c:\temp\certdbfolder -i server.cert -t P

In order to use the cert7.db in the PeopleSoft Application Server, depending on your Tools and Application level, you will want to put the files cert7.db, key3.db and secmod.db in the Application Server Domain root directory or in a folder “cert” in the root directory.

Smart Panda Newsletter – September 2015

Smart Thinking Newsletter

Message from Wade

September came and went in a blink. Surprisingly, we had some of the best summer weather the minute the kids went back to school; I had sweat dripping off my forehead watching them close our pool for the winter. However, it was great for getting out and getting back on track with running and biking, and looking forward to some great new challenges next year!

Speaking of challenges, this entire year we have received a significant number of requests for maintenance and support plans for Enterprise Systems. In the world of Oracle PeopleSoft, maintenance is standardizing; however, its implementation can be a significant challenge. If you are facing ERP challenges, The Smart Panda has some excellent solutions.

Panda + Community: September 2015

The month of September was relatively quiet. There were several end-of-season Triathlon, Biking and Running events this month, and we were proud to be out supporting our local community with Rotary at the St Thomas Railway City Road Races. It looks like October will find the Panda wandering around the Niagara Region and New Haven to work with some clients, and that will give us the opportunity to meet with some new Rotary clubs!

Do you know what Rotary does in your community? The St Thomas Railway City Rotary Club, which I am a part of, is a relatively small club, but we are active in our community doing service projects and raising monies for deserving programs while at the same time being a part of a fantastic group of people that are committed to making the community a great place to live. For example, I am spearheading a little project to sell Teddy Bears at our local hockey team's home games in November, to raise money for Christmas Care. Last year we sold almost 75 bears, half of which were donated back, which allowed us to donate almost a thousand dollars and forty bears to Christmas Care. The best part is we did all this in partnership with the local St Thomas Junior B Stars, and we got to go and pack the boxes for the families in need at Christmas Care. It may not sound like a lot, but knowing that one child had a great Christmas makes it well worth the effort. If you would like to buy a bear to donate this year, let me know! I hope to have a Facebook donation link available very soon.

Till next month……


Weblogic: SSL v3.0 Disable & Enable TLS v1.x

There is one big rabbit hole out there when it comes to security, and that happens to be around SSL encryption. With regard to PeopleSoft, that rabbit hole is not only huge, it is also highly undocumented. There are several reasons for this; however, the most common reason is that SSL encryption has nothing to do with PeopleSoft as an application — yes, I know what you are going to say, but….

In January of this year, Oracle released a critical patch update in which they highly recommend that SSL v3.0 encryption no longer be used due to vulnerabilities. It is recommended that everybody use TLS v1.2. For the longest time TLS v1.2 was not supported by any browser except IE; however, all major browsers now fully support TLS v1.2. Click here to See SSL/TLS Support By Browser.

Oracle is constantly putting out updates and critical patches, and the latest Patch Set Updates for WebLogic 12x can be found in the My Oracle Support (MOS) Document 1470197.1.

WebLogic by default supports all protocol versions (which is dependent on the JSSE provider and JDK versions being used) – Click Here to See Supported Versions

In order to limit WebLogic 12 encryption protocols to just the TLS protocols (disable SSL v3.0), you need to add the following parameter to your WebLogic PIA instance startup:

-Dweblogic.security.SSL.protocolVersion=TLS1

If you are running in Windows as a service, you will want to modify the service parameter CmdLine in the Registry Editor. If you are running from the startPIA in Windows or Linux, you can append the parameter to the start command in the shell script or batch program.
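An added example (not from the original post): a Python check that reads the text of a service CmdLine value or a startPIA script and reports whether the protocol flag above is actually in effect. The function names and sample inputs are constructed for illustration; SSL3 and ALL are the property's other settings.

```python
import re

# The startup flag quoted in the article.
FLAG = re.compile(r"-Dweblogic\.security\.SSL\.protocolVersion=([^\s\"']+)")
COMMENT = re.compile(r"\s*(#|::|rem\b)", re.IGNORECASE)  # shell and batch comment lines


def audit_protocol_flag(startup_text: str) -> tuple[str, str]:
    """Classify one command line or script body as OK, FAIL or REVIEW."""
    # Ignore commented-out lines so a disabled flag does not count as set.
    live = "\n".join(l for l in startup_text.splitlines() if not COMMENT.match(l))
    values = FLAG.findall(live)
    if not values:
        return "FAIL", "flag absent: default allows every protocol the JSSE provider offers"
    if len(set(values)) > 1:
        return "REVIEW", "conflicting values: " + ", ".join(values)
    value = values[0]
    if value == "TLS1":
        return "OK", "TLS protocols only; SSL v3.0 disabled"
    if value in ("SSL3", "ALL"):
        return "FAIL", f"{value} still permits SSL v3.0"
    return "REVIEW", f"unrecognised value {value!r}"


def audit_all(sources: dict[str, str]) -> dict[str, str]:
    """Map each named source to its status."""
    return {name: audit_protocol_flag(text)[0] for name, text in sources.items()}


# Constructed sample inputs (hypothetical paths and script contents).
SAMPLES = {
    "service CmdLine": r'-server -Xms512m -Dweblogic.security.SSL.protocolVersion=TLS1 '
                       r'-classpath "C:\wls\server\lib\weblogic.jar" weblogic.Server',
    "startPIA.sh (flag commented out)": 'JAVA_OPTIONS="$JAVA_OPTIONS -Xmx1024m"\n'
                                        '# -Dweblogic.security.SSL.protocolVersion=TLS1\n',
    "startPIA.cmd (SSL3)": "set JAVA_OPTIONS=%JAVA_OPTIONS% "
                           "-Dweblogic.security.SSL.protocolVersion=SSL3\n",
    "startPIA.sh (set twice)": 'JAVA_OPTIONS="-Dweblogic.security.SSL.protocolVersion=ALL"\n'
                               'JAVA_OPTIONS="$JAVA_OPTIONS '
                               '-Dweblogic.security.SSL.protocolVersion=TLS1"\n',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", *audit_protocol_flag(text))
```

A static check like this only confirms the configuration; the listener should still be tested after the restart to confirm that an SSL v3.0 handshake is refused.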