SSL: Create a cert7.db Certificate Database

In the old days of PeopleSoft you needed to create a cert7.db database file in order to do things like LDAPS. However, creating a cert7.db file requires very old software because this format is very uncommon today. I have found you can create a cert7.db file using Netscape v4.7.3 or earlier, according to various websites. However, I am very suspicious of downloading old versions of software. There is an old toolset, NSS (Network Security Services) & NSPR (Netscape Portable Runtime), available from Netscape (Mozilla) which does a nice job of creating the cert7.db.

To download, I found you want to get NSS v3.4.2 and NSPR v4.1.2 from the Mozilla FTP site:
https://ftp.mozilla.org/pub/security/nss/releases/
https://ftp.mozilla.org/pub/nspr/releases/

I unzipped the files to separate directories, and then used a command prompt to set up the PATH to include both directories' lib folders:

SET PATH=%PATH%;%NSS_PATH%\lib;%NSPR_PATH%\lib

From the \bin directory, we need to run certutil to create a new NSS certificate database:

certutil -N -d c:\temp\certdbfolder

To Add The Root CA Certificate:

certutil -A -n MyCA -d c:\temp\certdbfolder -i CA.cert -t C,C,C

To Add The Server Certificate:

certutil -A -n MyServer -d c:\temp\certdbfolder -i server.cert -t P

In order to use the cert7.db in the PeopleSoft Application Server, depending on your Tools & Application level, you will want to put the files cert7.db, key3.db & secmod.db either in the Application Server Domain root directory or in a folder “cert” in the root directory.

Weblogic: SSL v3.0 Disable & Enable TLS v1.x

There is one big rabbit hole out there when it comes to security, and that happens to be around SSL encryption. In regards to PeopleSoft, that rabbit hole is not only huge, it is also highly undocumented. There are several reasons for this; however, the most common reason is that SSL encryption has nothing to do with PeopleSoft as an application — yes, I know what you are going to say, but….

In January of this year, Oracle released a Critical Patch Update in which they strongly recommend that SSL v3.0 no longer be used due to vulnerabilities. It is recommended that everybody use TLS v1.2. For the longest time TLS v1.2 was not supported by any browser except IE; however, all major browsers now fully support TLS v1.2. Click here to see SSL/TLS support by browser.

Oracle is constantly putting out updates and critical patches, and the latest Patch Set Updates for WebLogic 12x can be found in My Oracle Support (MOS) Document 1470197.1

WebLogic by default supports all protocol versions (which depends on the JSSE provider and JDK versions being used) – Click Here to See Supported Versions

In order to limit WebLogic 12 encryption protocols to just the TLS protocols (disabling SSL v3.0), you need to add the following parameter to your WebLogic PIA instance startup:

-Dweblogic.security.SSL.protocolVersion=TLS1

If you are running on Windows as a service, you will want to modify the service parameter CmdLine in the Registry Editor; if you are running from startPIA on Windows or Linux, you can append the parameter to the start command in the shell script or batch program.
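As an added example (not part of the original post), here is a small audit/remediation helper for that start command or registry CmdLine value: it reports whether the protocolVersion flag is missing, set to a permissive value, or already TLS1, and returns the corrected line. The sample commands and paths are constructed; only the flag and the TLS1 value come from the post.

```python
import shlex

FLAG = "-Dweblogic.security.SSL.protocolVersion"
WANTED = "TLS1"  # value from the post: TLS protocols only, SSL v3.0 disabled


def enforce_tls_only(cmdline: str) -> tuple:
    """Return (updated command line, finding) for a startPIA command or a service CmdLine value.

    posix=False keeps Windows backslashes and quoted paths intact while splitting on whitespace.
    """
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens):
        if tok.startswith(FLAG + "="):
            value = tok.split("=", 1)[1]
            if value == WANTED:
                return cmdline, "ok: %s already set to %s" % (FLAG, WANTED)
            tokens[i] = "%s=%s" % (FLAG, WANTED)
            return " ".join(tokens), "changed: %s was %r, now %s" % (FLAG, value, WANTED)
    # JVM -D options must come before the main class, so slot the flag right after the java executable.
    tokens.insert(1, "%s=%s" % (FLAG, WANTED))
    return " ".join(tokens), "added: %s was missing (WebLogic default allows all protocol versions)" % FLAG


# Constructed sample start commands (hypothetical paths, not taken from a real domain).
# ALL is the documented permissive value for this property, i.e. SSL v3.0 still enabled.
SAMPLE_MISSING = 'java -Xms512m -Xmx1024m -cp "C:\\psoft\\pia\\lib\\*" weblogic.Server'
SAMPLE_WEAK = 'java -Xmx1024m -Dweblogic.security.SSL.protocolVersion=ALL -cp "C:\\psoft\\pia\\lib\\*" weblogic.Server'

if __name__ == "__main__":
    for sample in (SAMPLE_MISSING, SAMPLE_WEAK):
        line, finding = enforce_tls_only(sample)
        print(finding)
        print("  " + line)
```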

SSH Digital Certificates not working

Okay, in PeopleTools 8.53 you can now specify a digital certificate for SSH. I'm not sure if this was there in 8.52, but in the past I would put the SSH keys (private and public) out in the sshkeys folder of the application server and reference them in the URL properties for SFTP configurations.

Well, you can now store these in the digital certificates area and just reference them using the alias key. In order to make this work you need to generate an SSH key pair. On a Red Hat system you should be able to run:

ssh-keygen

Just follow the prompts. You will need to have the openssl RPMs installed. This should generate an id_rsa and id_rsa.pub file in the user's home directory under the .ssh directory. You will want to append the id_rsa.pub key to the authorized_keys file (create it if it does not exist).

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

chmod 644 ~/.ssh/authorized_keys

You should be able to check your key by issuing the following:

openssl rsa -in ~/.ssh/id_rsa -check

Now here comes the trick: if you try to copy the public and private key from the SSH window on a Windows machine and paste it into the digital store, I found that this would cause the certificate to fail. I had to SFTP the private and public key to my local machine and use my trusty UltraEdit to open the files in Unix mode and copy and paste the contents into the digital certificates window. It appears that when copying in Windows mode it uses CR/LF, whereas if you have it in Linux mode it will just have LF. This appears to make a big difference. No errors either way, except it just won't work with the Windows format.

NOTE: If you are copying the .ssh directory from one server to another (multiple application servers), make sure that the permissions on this folder are 700. If you have a separate batch processing server, you will want to ensure that it too has the .ssh folder and keys for the assigned user.
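Because the store gives no error when the pasted key carries Windows CR/LF endings, a pre-flight check before pasting is worth having. This added example (not from the original post or from PeopleSoft) flags CR/LF, normalizes the text to LF, and sanity-checks the PEM labels and base64 body of the private key and the type prefix of the OpenSSH public key line; the sample keys are constructed placeholders, not real key material.

```python
import base64
import re
import struct

# PEM block: BEGIN/END labels must match; \r?\n tolerates Windows line endings.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def normalize_line_endings(data: bytes) -> bytes:
    """Convert Windows CR/LF (and bare CR) line endings to LF only."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def check_private_key(data: bytes) -> dict:
    """Check a PEM private key: flag CR/LF, confirm the labels match and the body is valid base64."""
    clean = normalize_line_endings(data)
    result = {"has_crlf": b"\r\n" in data, "label": None, "body_ok": False, "normalized": clean}
    m = PEM_RE.search(clean)
    if m:
        result["label"] = m.group(1).decode()
        try:
            base64.b64decode(m.group(2).replace(b"\n", b""), validate=True)
            result["body_ok"] = True
        except ValueError:  # binascii.Error is a subclass of ValueError
            pass
    return result

def check_public_key(data: bytes) -> dict:
    """Check an OpenSSH public key line: flag CR/LF and confirm the blob's embedded key type matches the prefix."""
    clean = normalize_line_endings(data).strip(b"\n")
    result = {"has_crlf": b"\r\n" in data, "type_ok": False, "normalized": clean + b"\n"}
    fields = clean.split(b" ")
    if len(fields) >= 2:
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except ValueError:
            return result
        # An OpenSSH key blob begins with a uint32 length followed by the key type string.
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        result["type_ok"] = blob[4:4 + n] == fields[0]
    return result

# Constructed sample keys as saved from Windows with CR/LF endings (placeholders, not real key material).
SAMPLE_PRIVATE = (b"-----BEGIN RSA PRIVATE KEY-----\r\n"
                  + base64.b64encode(b"constructed placeholder, not a real key") + b"\r\n"
                  + b"-----END RSA PRIVATE KEY-----\r\n")
_blob = struct.pack(">I", 7) + b"ssh-rsa" + struct.pack(">I", 3) + b"\x01\x00\x01" + struct.pack(">I", 2) + b"\xab\xcd"
SAMPLE_PUBLIC = b"ssh-rsa " + base64.b64encode(_blob) + b" psoft@appserver\r\n"

if __name__ == "__main__":
    print(check_private_key(SAMPLE_PRIVATE)["label"], check_public_key(SAMPLE_PUBLIC)["type_ok"])
```

Paste the `normalized` bytes rather than the original file contents; the same check also applies to the authorized_keys line on the server side.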

ENCRYPT_PASSWORD Fails with JVM Error

When building environments with PeopleTools 8.53 & 8.54, everything will be going along tickety-boo and then it will go to encrypt the passwords and bam:

Error: Process aborted. Possibly due to JVM is not available or missing java class or empty password.

Well, isn't that interesting. PeopleTools 8.53 and 8.54 have a new SALT component to their passwords and clearly use Java to do the encryption. Add %PS_HOME%\jre\bin to the beginning of the PATH variable, re-run Data Mover and try the encryption of the passwords again.

Cisco AnyConnect – Fails To Initialize Subsystem

Well, it has been one of those weeks. Correction, it has been one of those months. I am finally sitting back in my home office ready to jump on a client's VPN and Cisco AnyConnect decides that today is NOT the day.

So off to Google we go, and sure enough there are a lot of blogs with comments about Cisco AnyConnect failing to initialize the subsystem. A common one I saw said to set the GlobalUser default of IE to disabled in the registry, or set IE to work online. However, that did not fix my problem.

A little more reading and I found Chris Tierney's blog with the solution that worked for me. Basically, the patches/hot fixes that Windows released over the weekend messed with the compatibility modes. So once you change vpnui.exe to Windows 8 compatibility mode, everything works like a charm.

Big Smiles….. Big Smiles…….