A typical PeopleSoft system is large and complex, so a great many settings affect its security. Some of them we have already described in earlier parts. This part of the guideline focuses on specific insecure configurations that cannot be tied to any other group.
There are four important areas to cover: one is common to any large ERP system and the remaining three are specific to PeopleSoft.
Password Configuration [EASSEC-PVAG-PS-15]
Description
Password controls are the settings that govern user passwords and logon: minimum length, complexity, number of failed logon attempts, and so on.
PeopleSoft is typically used by a large number of users, and the chance that someone will try to brute-force the password of one of them is quite high. PeopleSoft allows rather detailed and precise configuration of password controls, but they are rarely implemented correctly. Here we list only the most important parameters that should be set properly.
Common Password Controls settings and their default values (a value of 0 disables the control):
Password Controls Setting | Default Value |
---|---|
Validity period of user passwords | 0 |
Minimum password length | 0 |
Minimum number of special characters in a password | 0 |
The maximum period of user inactivity | 0 |
Failed Logons | 0 |
Threat
If the Password Controls settings are not configured properly, an attacker can brute-force a password and consequently penetrate the system. For instance, if the minimum password length is below 8 characters and Failed Logons is 0 (no lockout), online brute-forcing is straightforward. Setting Failed Logons above 0 stops the online attack but does not solve the underlying problem: an attacker who obtains the password hash can brute-force a short password offline, where the lockout does not apply.
Solution
The best practice is to configure the Password Controls settings in accordance with the company security policy. If the policy does not define them, the following values are recommended:
Password Controls Setting | Recommended Value |
---|---|
Validity period of user passwords | not more than 90 days |
Minimum password length | not less than 8 characters |
Minimum number of special characters in a password | not less than 2 |
The maximum period of user inactivity | 90 days |
Failed Logons | not more than 6 |
To change the settings, go to PeopleTools > Security > Password Configuration > Password Controls and press Save when the changes are made.
Default Encryption Key [EASSEC-PVAG-PS-16]
Description
The PSCipher feature encrypts and decrypts text used in your PeopleSoft system. System administrators interact with PSCipher through a Java command line utility located on the web server, which encrypts text such as user IDs and passwords stored in configuration files. PSCipher also has a runtime element on the application server that decrypts the encrypted text.
The PSCipher utility uses Triple DES (3DES) encryption. When you install Enterprise PeopleTools on your application servers and web servers, a default Triple DES encryption key is provided.
The key shipped by default has version 1.1, which appears as the {V1.1} prefix on every value it encrypts. If you generate a unique key, the version used by the system becomes {V1.2}, and each further key you generate increments the version number.
Threat
PeopleSoft is installed with a default encryption key, which is the same in every installation and therefore publicly known. Even if the administrator changes all important passwords but does not change the encryption key, an attacker who obtains an encrypted password (for example, from a configuration file) can decrypt it using the default key.
Solution
The best practice is to generate a new key and re-encrypt every stored secret with it:
- Run the following command to create a new key in the key file:
[PIA_HOME]\webserv\[DOMAIN]\PSCipher -buildkey (for WebLogic)
[PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSCipher -buildkey (for WebSphere)
- Copy the key file [PIA_HOME]\webserv\[DOMAIN]\psvault (for WebLogic) or [PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\psvault (for WebSphere) to the equivalent location on all other web server hosts and to [PS_HOME]\secvault\psvault on all application servers in your system.
- Re-encrypt the values stored in the files below with the new key and replace the old entries (PSCipher run with the plaintext as its argument prints the new ciphertext, prefixed with the new key version). Building a new key does not remove the default key from psvault, so any value still tagged {V1.1} remains decryptable with the known key until it is re-encrypted.
  - configuration.properties, located in:
[PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PORTAL\WEB-INF\psftdocs\site_name (for WebLogic)
[PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PORTAL\WEB-INF\psftdocs\ps\ (for WebSphere)
The following encrypted text values in the configuration.properties file need to be updated:
WebUserId=
WebPassword=
  - gatewayUserProfile.xml and integrationGateway.properties, located in:
[PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW\WEB-INF (for WebLogic)
[PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSIGW\WEB-INF\ (for WebSphere)
In the gatewayUserProfile.xml file, update the following text value:
{V1.1}GD9klUFw8760HVaqeT4pkg==
Update the following text values stored in the integrationGateway.properties file:
ig.isc.password=
ig.isc.$NODENAME.password=
ig.certificatePasswd=
secureFileKeystorePasswd=
ig.jms.JMSTargetConnector.JMSProvider.Password=
ig.jms.Queue1.Password=
ig.jms.Topic1.Password=
ig.jms.Topic1.NodePassword=
  - wss.properties, located in:
[PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PORTAL\WEB-INF\classes\ (for WebLogic)
[PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PORTAL\WEB-INF\classes\ (for WebSphere)
[PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\pspc\WEB-INF\classes\ (for WebLogic)
[PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\pspc\WEB-INF\classes\ (for WebSphere)
[PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW\WEB-INF\classes (for WebLogic)
[PIA_HOME]\webserv\[Node_Server]\[APPLICATION].ear\PSIGW\WEB-INF\classes (for WebSphere)
Update the following text entry in the wss.properties file in all locations:
org.apache.ws.security.crypto.merlin.keystore.password=
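The version prefix on each PSCipher value tells you whether the default key is still in use, so the re-encryption work above can be audited from the files themselves. The script below is an added example, not part of the original post or of Oracle's tooling: it walks the properties and XML files named above and flags every value still tagged {V1.1}, plus any password property stored unencrypted. The sample file contents are constructed; the property names are the ones listed above, while the XML element name wrapped around the gatewayUserProfile.xml value is an assumption.

```python
"""Flag PSCipher-encrypted values that still use the default {V1.1} key.

Added example (not part of the original post or of Oracle's tooling). It relies
only on what the post states: PSCipher output carries a key-version prefix,
{V1.1} is the key shipped with every PeopleTools install, and -buildkey creates
{V1.2}, {V1.3}, ... on top of it.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List

PSCIPHER_RE = re.compile(r"\{V(\d+)\.(\d+)\}[A-Za-z0-9+/=]*")   # {V1.1}base64...
XML_TAG_RE = re.compile(r"<([\w:.-]+)[^>]*>\s*\{V")              # <tag>{V1.1}...
SECRET_KEY_RE = re.compile(r"passw", re.IGNORECASE)              # Password, Passwd, NodePassword
DEFAULT_KEY_VERSION = (1, 1)


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    key: str
    issue: str      # "default-key": decryptable with the shipped key; "plaintext": not encrypted at all
    version: str    # "V1.1" etc. for default-key, "" for plaintext


def scan_text(name: str, text: str) -> List[Finding]:
    """Scan one properties or XML file body; returns findings in line order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!":          # properties-file comments
            continue
        match = PSCIPHER_RE.search(line)
        if match:
            version = (int(match.group(1)), int(match.group(2)))
            if line.startswith("<"):             # XML: name the enclosing element
                tag = XML_TAG_RE.search(line)
                key = tag.group(1) if tag else "<xml>"
            else:                                # properties: key=value
                key = line.split("=", 1)[0].strip()
            if version == DEFAULT_KEY_VERSION:
                findings.append(Finding(name, line_no, key, "default-key", f"V{version[0]}.{version[1]}"))
            continue
        if "=" in line and not line.startswith("<"):
            key, value = (part.strip() for part in line.split("=", 1))
            if value and SECRET_KEY_RE.search(key):   # a password stored unencrypted
                findings.append(Finding(name, line_no, key, "plaintext", ""))
    return findings


def scan_files(paths: Iterable[Path]) -> List[Finding]:
    """Scan real files, e.g. every configuration.properties under PIA_HOME."""
    findings: List[Finding] = []
    for path in paths:
        findings.extend(scan_text(str(path), path.read_text(encoding="utf-8", errors="replace")))
    return findings


# Constructed samples (not taken from a real system); the ciphertexts are made up
# except the gatewayUserProfile.xml value, which is the one quoted in the post.
SAMPLE_CONFIGURATION_PROPERTIES = """\
# configuration.properties (constructed)
WebUserId={V1.1}rGqGZZq3wOg=
WebPassword={V1.1}SbbXC4tGXAo=
"""
SAMPLE_INTEGRATIONGATEWAY_PROPERTIES = """\
# integrationGateway.properties (constructed)
ig.isc.password={V1.2}eHTf4xFrxjlQd/zhiUr9Xg==
ig.isc.$NODENAME.password=
ig.certificatePasswd=changeit
secureFileKeystorePasswd={V1.2}kNKzOxW1l5Y=
"""
SAMPLE_GATEWAYUSERPROFILE_XML = """\
<?xml version="1.0"?>
<!-- gatewayUserProfile.xml (constructed; the element name is an assumption) -->
<password>{V1.1}GD9klUFw8760HVaqeT4pkg==</password>
"""


def main(argv: List[str]) -> int:
    if argv:
        findings = scan_files(Path(p) for p in argv)
    else:
        findings = (scan_text("configuration.properties", SAMPLE_CONFIGURATION_PROPERTIES)
                    + scan_text("integrationGateway.properties", SAMPLE_INTEGRATIONGATEWAY_PROPERTIES)
                    + scan_text("gatewayUserProfile.xml", SAMPLE_GATEWAYUSERPROFILE_XML))
    for f in findings:
        print(f"{f.file}:{f.line}: {f.key} -> {f.issue} {f.version}".rstrip())
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the paths of the files listed above as arguments (it exits non-zero when anything is flagged), or with no arguments to see it work on the constructed samples. A value tagged {V1.2} or higher only proves that a new key was built on that host; it still has to be the same psvault on every web and application server, which the script cannot see.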
Web Profile Public Access Configuration [EASSEC-PVAG-PS-17]
Description
A Web Profile is a specific configuration of portal-related properties that control or affect the functionality of your PeopleTools portal. The delivered web profiles provide several configurations for use with your PeopleTools portal:
- DEV: basic portal functionality for development, including trace and debug settings appropriate for development. Important! Never run your production system with the DEV web profile. This profile is for development environments and is not tuned for performance.
- TEST: the same settings as the DEV web profile, except that fewer trace and debug properties are enabled.
- PROD: the settings most commonly needed in a production environment that authenticates users.
- KIOSK: the same settings as the PROD web profile, except that public user access is enabled for the Guest user, and all options for storing caching or persistent cookies on the browser are disabled.
The Security page of a Web Profile holds the Public Access settings:
Web Profile Security Parameter | Default Values for PROD | Default Values for TEST | Default Values for KIOSK |
---|---|---|---|
Allow Public Access | N | N | Y |
Public User ID/Password | – | – | GUEST/GUEST |
The custom property auditPWD on the Custom Properties page is also security-relevant. When it is set, it enables PeopleSoft Portal functions that reveal a lot of information about the system configuration to a remote user (see EAS-SEC. Oracle PeopleSoft Security Configuration. Part 5: Open remote management interfaces).
Threat
If a Public User is enabled, anyone can obtain a valid single signon token (PS_TOKEN) without credentials, which gives an attacker the material for the TokenChpoken attack, a privilege escalation attack on the single signon token. If the Public User has a privileged role, an attacker can perform dangerous actions in the system directly, since no authentication is required.
Solution
Make sure that you do not use the DEV or TEST Web Profiles in production systems.
The best practice is not to enable Public Access or use Public Users at all.
Also, ensure that the XML Link User ID and the Public User ID have no privileged roles and no access to critical actions.
To change the Web Profile settings, go to PeopleTools > Web Profile > Web Profile Configuration, choose the current Web Profile and open the Security page.
It is highly recommended not to set the auditPWD custom property for the current Web Profile in production systems. You can delete this property on the Custom Properties page.
Web Profile SSL Configuration [EASSEC-PVAG-PS-18]
Description
In addition to the Public Access settings described in the previous section, a Web Profile also holds the SSL settings. Selecting the Secured Access Only check box enforces SSL for the entire site: users cannot reach any link within the website or application over a non-SSL protocol. Selecting the Secure Cookie with SSL check box marks the single signon cookie (PS_TOKEN) as Secure, so the browser does not send it over an unencrypted connection.
Some default values for delivered Web Profiles:
Web Profile Security Parameter | Default Values for PROD | Default Values for TEST | Default Values for KIOSK |
---|---|---|---|
Secured Access Only | N | N | N |
Secure Cookie with SSL | Y | Y | Y |
Threat
With business-to-business applications, where systems communicate with each other via the Internet, data must flow securely. If the SSL protocol is not enforced, an attacker on the network path can intercept credentials, the single signon token and business data in transit.
Solution
Make sure that you do not use the DEV or TEST Web Profile in production systems.
Configure the current Web Profile as in the following table:
Web Profile Security Parameter | Recommended Value |
---|---|
Secured Access Only | Y |
Secure Cookie with SSL | Y |
It is also recommended to set Delete Cookie on Logout and the HttpOnly and Secure flags on the Cookie Rules page.
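The Public Access (EASSEC-PVAG-PS-17) and SSL (EASSEC-PVAG-PS-18) settings of the active Web Profile can be verified from outside, without console access, by looking at what PIA returns to an unauthenticated request. The checker below is an added example, not code from the original post: it flags content served over plain HTTP (Secured Access Only off), Set-Cookie headers lacking the Secure or HttpOnly flag, and a PS_TOKEN issued without the signon form being shown (a sign that a Public User is enabled). It assumes that the delivered signon page carries form fields named userid and pwd and that PS_TOKEN is the single signon cookie; the host name, URL paths and responses in the samples are constructed.

```python
"""Check what a PeopleSoft PIA site hands to an unauthenticated browser.

Added example (not code from the original post). Covers the Web Profile settings
from EASSEC-PVAG-PS-17 (Public Access) and -18 (Secured Access Only, Secure Cookie
with SSL, Cookie Rules). Assumptions: the delivered signon page has inputs named
"userid" and "pwd", and PS_TOKEN is the single signon cookie.
"""
import sys
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

SIGNON_MARKERS = ('name="userid"', 'name="pwd"')   # assumption: delivered signin form
SSO_COOKIE = "PS_TOKEN"


@dataclass
class Response:
    url: str
    status: int
    headers: List[Tuple[str, str]]   # repeated Set-Cookie headers kept separately
    body: str


def cookie_flags(headers: List[Tuple[str, str]]) -> Dict[str, Dict[str, bool]]:
    """Secure/HttpOnly flags for every cookie set by the response."""
    flags: Dict[str, Dict[str, bool]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)                      # one header at a time
        for cookie_name, morsel in jar.items():
            flags[cookie_name] = {"secure": bool(morsel["secure"]),
                                  "httponly": bool(morsel["httponly"])}
    return flags


def analyze(resp: Response) -> List[str]:
    """Map one response to Web Profile weaknesses; an empty list means nothing found."""
    issues: List[str] = []
    over_tls = resp.url.lower().startswith("https://")
    served = 200 <= resp.status < 300
    if served and not over_tls:              # Secured Access Only = Y would redirect to https
        issues.append("secured-access-only:off (content served over plain HTTP)")
    flags = cookie_flags(resp.headers)
    for cookie_name, f in flags.items():     # Secure Cookie with SSL / Cookie Rules flags
        if not f["secure"]:
            issues.append(f"cookie:{cookie_name}:missing-Secure")
        if not f["httponly"]:
            issues.append(f"cookie:{cookie_name}:missing-HttpOnly")
    if served:                               # content plus an SSO token, but no signon form
        shows_signon = all(marker in resp.body for marker in SIGNON_MARKERS)
        if not shows_signon and SSO_COOKIE in flags:
            issues.append("public-access:likely (PS_TOKEN issued without credentials)")
    return issues


class _NoRedirect(HTTPRedirectHandler):
    """Hand back the 3xx itself so an http->https redirect stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0) -> Response:
    """Fetch one URL with no cookies and no credentials."""
    req = Request(url, headers={"User-Agent": "webprofile-check/0.1"})
    try:
        with build_opener(_NoRedirect()).open(req, timeout=timeout) as r:
            return Response(url, r.status, r.getheaders(), r.read(200_000).decode("utf-8", "replace"))
    except HTTPError as e:                   # 3xx/4xx/5xx responses still carry headers
        return Response(url, e.code, list(e.headers.items()), e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real system).
KIOSK_LIKE = Response(
    url="http://pia.example.internal/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT", status=200,
    headers=[("Content-Type", "text/html"),
             ("Set-Cookie", "PS_TOKEN=AAAAAAAAAAAAAAAAAAAAAAAAAAAA; Path=/; HttpOnly"),
             ("Set-Cookie", "pia.example.internal-80-PORTAL-PSJSESSIONID=abc123; Path=/")],
    body="<html><body>Employee Self Service menu</body></html>")
HARDENED = Response(
    url="https://pia.example.internal/psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT", status=200,
    headers=[("Content-Type", "text/html"),
             ("Set-Cookie", "pia.example.internal-443-PORTAL-PSJSESSIONID=abc123; Path=/; Secure; HttpOnly")],
    body='<form action="?cmd=login"><input name="userid"><input name="pwd" type="password"></form>')
HTTP_REDIRECT = Response(url="http://pia.example.internal/psp/ps/", status=302,
                         headers=[("Location", "https://pia.example.internal/psp/ps/")], body="")


def main(argv: List[str]) -> int:
    responses = [fetch(u) for u in argv] if argv else [KIOSK_LIKE, HARDENED, HTTP_REDIRECT]
    found = 0
    for resp in responses:
        issues = analyze(resp)
        found += len(issues)
        print(f"{resp.url} [{resp.status}]: " + ("; ".join(issues) or "no findings"))
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with both the http:// and the https:// URL of the portal, directly against the PIA web server rather than only through a TLS-terminating proxy, since the proxy can hide whether the Web Profile itself redirects plain HTTP. The public-access result is a heuristic: a customised signon page that does not use those field names looks like public content to the script, so confirm on the Web Profile Security page before reporting it.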
Further steps
The number of fine-grained security settings is enormous, and each PeopleSoft solution or module has its own. Like the main portal user accounts, auxiliary subsystems can be brute-forced, so password controls should be enabled for them as well.
Start with the PeopleTools 8.55 documents Security Administration and System and Server Administration, then examine the documents on the security configuration of particular applications in detail.
The post EAS-SEC. Oracle PeopleSoft Security Configuration. Part 6: Insecure settings appeared first on ERPScan.