Securing Your PeopleSoft Application - Chapter 4

Once the infrastructure is secure, the PeopleSoft Internet Architecture (PIA) needs to be secured. The items to secure for a production system are listed below, followed by individual sections describing how to configure each item.
  • Apply vendor recommended security hardening procedure to web server.
  • Use HTTPS as a minimum level of security for PeopleSoft Internet Architecture.
  • Disable HTTP access to PeopleSoft Internet Architecture, if possible.
  • Change default password of PSKEY.
  • Disable configuration re-initialization.
  • Disable browser caching for applications deployed in a kiosk environment.
  • Use a forward proxy server for the portal and integration gateway when using a firewall.
  • Configure the forward proxy to bypass local addresses.
  • Use only HTTPS and mutual authentication for integration.
  • Encrypt the password in integration.properties file.
  • Use secure LDAP (LDAPS) for authentication.
  • Use TUXEDO layer encryption.

WebLogic

If you have deployed a WebLogic J2EE server, take the following steps to harden the installation:
  • Follow BEA’s recommendations for hardening WebLogic 8.1, located on the BEA website at http://edocs.bea.com/wls/docs81/lockdown/practices.html
  • Change the WebLogic server user’s password. Follow the instructions in Enterprise PeopleTools 8.45 PeopleBook: System and Server Administration, “Working with BEA WebLogic,” Changing a WebLogic User’s Password.
  • Restrict access to a servlet. Follow the instructions in Enterprise PeopleTools 8.45 PeopleBook: System and Server Administration, “Working with BEA WebLogic,” Restricting Access to a Servlet.

WebSphere

If you have deployed a WebSphere J2EE server, follow IBM’s security hardening recommendations for the installation, located on the IBM website at http://publib-b.boulder.ibm.com/Redbooks.nsf/9445fa5b416f6e32852569ae006bb65f/d630ec33fde5486785256b5f007ecac5?OpenDocument

Please refer to PeopleBooks for instructions on how to enable SSL on the web server.

WebLogic
Follow the instructions in Enterprise PeopleTools 8.45 PeopleBook: System and Server Administration, “Working with BEA WebLogic,” Defining SSL Certificates on WebLogic.

WebSphere
Follow the instructions found in Enterprise PeopleTools 8.45 PeopleBook: System and Server Administration, “Working with IBM WebSphere,” Setting Up SSL on WebSphere 5.1.

If an HTTP server is also deployed, follow the instructions in Enterprise PeopleTools 8.45 PeopleBook: System and Server Administration, “Working with IBM WebSphere,” Setting Up SSL on IBM HTTP Server.

Disabling HTTP access can be achieved at multiple levels. Start by configuring the web profile:


1. In PIA, navigate to PeopleTools, Web Profile, Web Profile Configuration.
2. Select the web profile that you want to configure; for example, PROD.
3. Select the Security page.
4. Select Secured Access Only.
5. Save your changes.


WebLogic

To further disable HTTP on a WebLogic server, first ensure that HTTPS is set up and working properly, using the instructions in the previous section, then do the following:


1. Log on to the WebLogic console.
2. Expand from the left panel PeopleSoft, Server, PIA.
3. On the right panel select Configuration, General tab.
4. Clear the Listen Port Enabled check box.
5. Select Apply.


WebSphere

To further disable HTTP on the WebSphere server, first ensure that HTTPS is set up and working properly, using the instructions in the previous section. In WebSphere, you can disable HTTP by converting an HTTP port into an HTTPS port, as follows:


1. Expand Servers, Application Server, server_name, Web Container, HTTP Transport.
2. Click the relevant HTTP port.
3. Select the Enable SSL check box.
4. Select the SSL dropdown that is tied to the certificates.
5. Save the configuration and log out.
6. Restart the WebSphere server.


PSKEY is a keystore file located in the PS_HOME\webserv\domain\keystore directory. The file contains all root and node certificates used by the Integration Gateway and PIA. The keystore file is shipped with a default password of “password” that should be changed.

To change the default password:

  1. Use pskeymanager.bat (pskeymanager.sh on UNIX) to change the default password. Enter the following at a command prompt: % pskeymanager -changeKeystorePassword
  2. Enter the old password, then the new password, for example, “Sec123Pass”.
  3. Update the secureFileKeystorePasswd property in the integration.properties file with the “Sec123Pass” string. Note that unlike other passwords in this file, the secureFileKeystorePasswd is not encrypted.
  4. Since the web server (WebLogic or WebSphere) also uses this keystore, you must update the password for the web server as well with the string “Sec123Pass”. See the previous section “How to Enable SSL on a Web Server for HTTPS.”


The configuration that enables dynamic re-initialization is only set by default on the PROD web profile; no other profile has this setting enabled. However, it is possible that an administrator may have set this on a production system.

To ensure that this setting is off, follow these steps:
1. In PIA, navigate to PeopleTools, Web Profile, Web Profile Configuration.
2. Select the web profile that you want to configure; for example, PROD.
3. Select the Custom Properties page.
4. Delete any property with the name “auditPWD”.
5. Save your changes.


A browser will cache various pages and states in memory to increase performance. It may be necessary to disable these performance features on the browser for security reasons. Note that once caching is disabled, the Back button on the browser stops working in PIA.
To disable caching:
  1. In PIA, navigate to PeopleTools, Web Profile, Web Profile Configuration.
  2. Select the web profile that you want to configure; for example, PROD.
  3. Select the Caching page.
  4. Make sure that the “Cache Generated HTML” and “Cache Homepage” check boxes are both cleared.
  5. Save your changes.

To configure a forward proxy server for the Portal and the Integration Gateway, set the following system properties:
http.proxyHost=proxy.corp.com
http.proxyPort=5080
https.proxyHost=proxy.corp.com
https.proxyPort=5443
Where proxy.corp.com is the machine running the proxy server and 5080/5443 are examples of the HTTP/HTTPS listening ports for the proxy, respectively. These system values are set differently for WebLogic and WebSphere and are shown in the following sections.

Setting a Forward Proxy Server for WebLogic

For WebLogic, edit the setEnv.cmd (setEnv.sh on UNIX) and set the following environment variables:
# HTTP_PROXY_ENABLE - Enable the use of the following forward http proxy
# HTTP_PROXY_HTTPHOST - IP/hostname of forward http proxy server for HTTP requests.
#
# HTTP_PROXY_HTTPPORT - HTTP Port number of forward http proxy server.
# HTTP_PROXY_HTTPSHOST - IP/hostname of forward http proxy server for HTTPS requests
#
# HTTP_PROXY_HTTPSPORT - HTTPS Port number of forward http proxy server.

Setting a Forward Proxy Server for WebSphere

Set the properties using the WebSphere Administration console:
1. Log on to WebSphere Administration console.
2. Expand Servers, Application Servers, server1, Process Definition, Java Virtual Machine, Custom Properties.
3. Click New Key/Value pair and add the following new pairs:
Key="http.proxyHost", Value="forward proxy hostname"
Key="http.proxyPort", Value="forward proxy HTTP port"
Key="https.proxyHost", Value="forward proxy hostname"
Key="https.proxyPort", Value="forward proxy HTTPS port"
4. Save the configuration changes, log out, and re-start WebSphere.

To bypass a forward proxy server for Portal and Integration Gateway, set up the following system property:
http.nonProxyHosts=machinename1.corp.com|machinename2.corp.com|...

Use a different machine name for each host you want to bypass. The value is a list of host names separated by the pipe ( | ) symbol. For example, to bypass the proxy for hosts a.corp.com and b.corp.com, the value should be:
http.nonProxyHosts=a.corp.com|b.corp.com
You can also bypass all servers in a domain by using an asterisk (*) as a wildcard:
http.nonProxyHosts=*.corp.com
This indicates that all servers in the .corp.com domain bypass the proxy.
You set this property (one value) for both HTTP and HTTPS. The system value is set differently for WebLogic and WebSphere, as discussed in the following sections.
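
The following Python script is an added example, not part of the original page or of PeopleTools. It models the value format described above (host names separated by the pipe symbol, with the asterisk as a wildcard) so that a bypass list can be reviewed before it is deployed. The function names, the sample value and the example.net/example.org hosts are constructed for illustration, and the matching rules are an assumption stated in the comments rather than the JVM's own implementation.

```python
import re

def parse_non_proxy_hosts(value):
    """Split an http.nonProxyHosts value on '|' into its patterns."""
    return [p.strip() for p in value.split("|") if p.strip()]

def _pattern_to_regex(pattern):
    # Assumption: '*' matches any run of characters, the rest is literal,
    # and host names compare case-insensitively.
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    return re.compile(".*".join(literal_parts), re.IGNORECASE)

def bypasses_proxy(host, value):
    """True if host matches a pattern, i.e. is contacted without the proxy."""
    return any(_pattern_to_regex(p).fullmatch(host)
               for p in parse_non_proxy_hosts(value))

def non_local_bypasses(value, local_suffix, destinations):
    """Destinations that skip the proxy but do not end in local_suffix."""
    suffix = local_suffix.lower()
    return [h for h in destinations
            if bypasses_proxy(h, value) and not h.lower().endswith(suffix)]

# Constructed review input; example.net and example.org stand in for
# external hosts, ".corp.com" for the local domain used on this page.
NON_PROXY_HOSTS = "a.corp.com|*.corp.com|*.example.net"
DESTINATIONS = ["a.corp.com", "b.corp.com", "api.example.net", "www.example.org"]

if __name__ == "__main__":
    for host in DESTINATIONS:
        route = "direct" if bypasses_proxy(host, NON_PROXY_HOSTS) else "via proxy"
        print(f"{host}: {route}")
    print("review:", non_local_bypasses(NON_PROXY_HOSTS, ".corp.com", DESTINATIONS))
```

Under this model a pattern written as *corp.com (without the dot) also matches notcorp.com, so keep the leading dot in domain wildcards.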

How to Bypass Forward Proxy for Local Hosts for WebLogic

For WebLogic, edit setEnv.cmd (setEnv.sh on UNIX) and set the corresponding environment variables:
# HTTP_PROXY_NONPROXY_HTTPHOSTS - Host names and domain names of HTTP content to not proxy.

How to Bypass Forward Proxy for Local Hosts for WebSphere

Set the property using the WebSphere Administration console.
1. Log in to the WebSphere Administration console.
2. Expand Servers, Application Servers, server1, Process Definition, Java Virtual Machine, Custom Properties.
3. Click New Key/Value pair and add the following new pair:

Key="http.nonProxyHosts"
Value="machinename1.corp.com|machinename2.corp.com|..."

4. Save the configuration changes, log out and re-start WebSphere.

It is common practice to use certificate-based mutual authentication for the Integration Gateway.
To set up your Integration Gateway for mutual authentication, please follow the instructions in Enterprise PeopleTools 8.45 PeopleBook: PeopleSoft Integration Broker, “Setting Up Secure Messaging Environments.”

LDAP directory access should be configured to be secure by using LDAP over SSL (LDAPS). The process is described in Enterprise PeopleTools 8.45 PeopleBook: Security Administration, “Employing LDAP Directory Services,” Using LDAP Over SSL.

To enable TUXEDO-level encryption, edit the configuration file psappsrv.cfg for the domain. Change the Encryption property in the Workstation Listener and JOLT Listener sections. The default value of 0 does not encrypt. Change the value to 64 for 64-bit encryption or to 128 for 128-bit encryption:


[Workstation Listener]
;=========================================================================
; Settings for Workstation Listener
;=========================================================================
;Address Note: Can be either Machine Name or IP address.
;Address Note: %PS_MACH% will be replaced with THIS machine's name
Address=%PS_MACH%
Port=7000
Encryption=128
Min Handlers=1
Max Handlers=2
Max Clients per Handler=40
Client Cleanup Timeout=60
Init Timeout=5
Tuxedo Compression Threshold=5000

[JOLT Listener]
;=========================================================================
; Settings for JOLT Listener
;=========================================================================
;Address Note: Can be either Machine Name or IP address.
;Address Note: %PS_MACH% will be replaced with THIS machine's name
;Address Note: 0.0.0.0 enables JSL to bind to all IP addresses mapped for this machine
Address=0.0.0.0
Port=9000
Encryption=128
Min Handlers=1
Max Handlers=2
Max Clients per Handler=40
Client Cleanup Timeout=60
Init Timeout=5
Client Connection Mode=ANY
Jolt Compression Threshold=1000000
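
The following Python script is an added example, not part of the original page or of PeopleTools. It parses psappsrv.cfg-style text and reports any listener section whose Encryption property is not set to 64 or 128, which is useful when checking several domains. The function names are hypothetical and the sample configuration is constructed.

```python
import re

# Listener sections whose Encryption property the page says to change.
LISTENERS = ("Workstation Listener", "JOLT Listener")
ACCEPTED = {"64", "128"}  # 64-bit or 128-bit; the default 0 does not encrypt

def parse_cfg(text):
    """Parse psappsrv.cfg-style text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or ';' comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # keys may contain spaces
            current[key.strip()] = value.strip()
    return sections

def audit_encryption(text):
    """Return (section, finding) pairs for listeners not set to 64 or 128."""
    sections = parse_cfg(text)
    findings = []
    for name in LISTENERS:
        if name not in sections:
            findings.append((name, "section missing"))
        elif "Encryption" not in sections[name]:
            findings.append((name, "Encryption property missing"))
        elif sections[name]["Encryption"] not in ACCEPTED:
            value = sections[name]["Encryption"]
            findings.append((name, f"Encryption={value} (expected 64 or 128)"))
    return findings

# Constructed sample: Workstation Listener still at the default of 0.
SAMPLE_CFG = """[Workstation Listener]
;Address Note: Can be either Machine Name or IP address.
Address=%PS_MACH%
Encryption=0
Min Handlers=1

[JOLT Listener]
Address=0.0.0.0
Encryption=128
"""

if __name__ == "__main__":
    print(audit_encryption(SAMPLE_CFG))
```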



Latest page update: made by gregkelly, Feb 25 2009, 4:02 PM EST