Working with SSL/TLS and Digital Certificates

This chapter provides an overview of Secure Sockets Layer/Transport Layer Security (SSL/TLS) and discusses how to configure digital certificates.

Understanding SSL/TLS and Digital Certificates

The PeopleSoft system takes advantage of HTTPS, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.

PeopleSoft customers can implement PeopleSoft software using HTTP or HTTPS. The native SSL/TLS support in commercially available web browsers and web servers is used to provide HTTPS communication between the web browser and web server.

Understanding SSL/TLS

With business-to-business applications, where systems communicate with each other over the internet, data must flow securely, and system-to-system authentication is critical. PeopleSoft uses HTTPS and digital certificates for secure transmission of data between systems and for system-to-system authentication. PeopleTools uses the SSL/TLS implementation that ships with the Java Runtime Environment (JRE).

The PeopleSoft system uses Extensible Markup Language (XML) messaging over HTTPS for its Integration Broker and Business Interlink technologies to deliver system-to-system integration over the internet. The two mechanisms serve different purposes: HTTPS protects the XML message in transit, while the digital signature on the XML message authenticates the sending system. Using the sender's digital certificate, the receiving system verifies the signature to prove that the message came from the server that created and signed it and that it has not been altered since.
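The following Go program is an added example, not code from this page or from PeopleTools, showing the signature check just described in miniature: a sending node signs the message with its private key, and the receiving system accepts the message only if the signature verifies under the public key it has registered for the claimed sender, so both an altered message and a message attributed to the wrong sender are rejected. The node names, the registry of trusted senders and the XML message are constructed for the example; PeopleSoft's own XML signing runs through its certificate infrastructure, which is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Node holds a sending node's key pair. In PeopleSoft the public half would be
// distributed to partners in the node's certificate, not handed over directly.
type Node struct {
	Name string
	key  *ecdsa.PrivateKey
}

func NewNode(name string) (*Node, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Node{Name: name, key: key}, nil
}

// Public returns the verification key a receiver may trust for this sender.
func (n *Node) Public() *ecdsa.PublicKey { return &n.key.PublicKey }

// Sign produces the detached signature that travels with the message.
func (n *Node) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, n.key, h[:])
}

// Trust builds the receiver's registry of sender public keys; in PeopleSoft the
// entries would come from the remote node certificates held in the keystore.
func Trust(nodes ...*Node) map[string]*ecdsa.PublicKey {
	m := make(map[string]*ecdsa.PublicKey, len(nodes))
	for _, n := range nodes {
		m[n.Name] = n.Public()
	}
	return m
}

// Authenticate is the receiver's check: the message is accepted only if its
// signature verifies under the key registered for the sender it claims to be from.
func Authenticate(senders map[string]*ecdsa.PublicKey, claimed string, msg, sig []byte) bool {
	pub, ok := senders[claimed]
	if !ok {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	hr, err := NewNode("PSFT_HR")
	if err != nil {
		panic(err)
	}
	fin, err := NewNode("PSFT_FIN")
	if err != nil {
		panic(err)
	}
	trusted := Trust(hr, fin)
	msg := []byte(`<?xml version="1.0"?><Order><Qty>1</Qty></Order>`) // constructed message
	sig, err := hr.Sign(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message:", Authenticate(trusted, "PSFT_HR", msg, sig))
	fmt.Println("altered message:", Authenticate(trusted, "PSFT_HR", []byte(`<Order><Qty>9</Qty></Order>`), sig))
	fmt.Println("wrong sender claimed:", Authenticate(trusted, "PSFT_FIN", msg, sig))
}
```

The signature covers a SHA-256 digest of the exact bytes transmitted, so any change to the message, including whitespace, invalidates it; a real deployment would canonicalize the XML before hashing, which this example omits.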

The following table lists the PeopleSoft technologies that use HTTPS (HTTP over SSL/TLS) and how each of them implements it.

Technology: PeopleSoft Portal Solutions
How HTTPS (HTTP over SSL/TLS) is implemented:
  Secure page transport: the web server platform provides the server side of SSL/TLS.
  Secure access to remote content providers: the application server uses the JRE to provide the client side of the SSL/TLS connection to the gateway; the web server platform provides the server side.

Technology: PeopleSoft Integration Broker (application messaging)
How HTTPS (HTTP over SSL/TLS) is implemented:
  Secure message transport to remote nodes: the application server uses the JRE to provide the client side of the SSL/TLS connection to the gateway; the web server platform provides the server side.

Technology: PeopleSoft Business Interlinks
How HTTPS (HTTP over SSL/TLS) is implemented:
  Secure calls to remote data sources or modules: the application server uses the JRE to provide the client side of the SSL/TLS connection to the gateway; the web server platform provides the server side.

Technology: User Authentication
How HTTPS (HTTP over SSL/TLS) is implemented:
  Certificate-based client authentication: the web server performs SSL/TLS client authentication and passes the certificate data to the application server, which trusts the web server's authentication. The distinguished name (DN) of the certificate is used to log on to the PeopleSoft system.

Understanding Certificate Authorities

Any time you implement SSL/TLS with mutual authentication (both client and server authenticate each other) you need three items: a root CA certificate that both sides trust, a server certificate, and a client certificate.

When you log on to an SSL/TLS server using your browser, you don't have to worry about a root certificate, because root certificates come bundled with the browser, and you don't have to worry about having a client certificate unless the web server has been configured to require client-side authentication.

Important! When you import a digital certificate, you may receive an error message if you attempt the import immediately after downloading the certificate from a certificate authority. The cause is the certificate's "valid from" date and time: if the clock of the issuing system is ahead of the clock of the application server, the certificate is not yet valid there. Save the certificate to a Microsoft Windows workstation, right-click it in Microsoft Windows Explorer, and select Open to display the Certificate dialog box. Examine the "valid from" and "valid to" dates (the Details tab presents the most thorough information) and confirm that the current date and time on the application server on which the certificate will be installed fall within that window. Keeping the application server's clock synchronized with the CA's, or simply waiting until the "valid from" time has passed on the application server, avoids the error.
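The three items listed above, the DN-based logon from the User Authentication row of the table, and the "valid from" problem in the note are illustrated by the following Go program. It is an added example, not code from this page or from PeopleTools: it issues a root CA certificate and a node certificate with Go's standard crypto/x509 package, checks the node certificate against the application server's own clock before "import", verifies the chain both with and without the root CA in the trust store, and maps the certificate's distinguished name to a user ID through a constructed lookup table. The subject names (Example Root CA, PSFT_HR), the user ID PSHR and the two-minute clock skew are assumptions made for the example; PeopleTools performs these checks through the JRE keystore and Signon PeopleCode, which are not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a certificate for subject: self-signed (a Root CA) when parent is
// nil, otherwise signed with parentKey, the parent's private key.
func Issue(subject pkix.Name, serial int64, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // a node certificate serves both sides of a mutually authenticated connection
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Verify chains cert to one of roots at time now. Passing no roots models a
// keystore that lacks the issuing Root CA.
func Verify(cert *x509.Certificate, roots []*x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// ValidityWindow is the pre-import check from the note above, run on the application
// server's own clock: the status now, and how long to wait if "valid from" is still ahead.
func ValidityWindow(cert *x509.Certificate, now time.Time) (string, time.Duration) {
	switch {
	case now.Before(cert.NotBefore):
		return "not-yet-valid", cert.NotBefore.Sub(now)
	case now.After(cert.NotAfter):
		return "expired", 0
	}
	return "valid", 0
}

// LogonID maps a client certificate's distinguished name to a user ID, as the application
// server does after trusting the web server's client authentication (users is a constructed map).
func LogonID(cert *x509.Certificate, users map[string]string) (string, bool) {
	id, ok := users[cert.Subject.String()]
	return id, ok
}

// Demo builds a Root CA and a node certificate issued on a CA clock two minutes ahead of
// the application server (constructed skew), so the node's "valid from" is in the future.
func Demo(now time.Time) (root, node *x509.Certificate, err error) {
	root, rootKey, err := Issue(pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Corp"}},
		1, now.Add(-time.Hour), now.Add(10*365*24*time.Hour), true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	caClock := now.Add(2 * time.Minute)
	node, _, err = Issue(pkix.Name{CommonName: "PSFT_HR", Organization: []string{"Example Corp"}},
		2, caClock, caClock.Add(365*24*time.Hour), false, root, rootKey)
	return root, node, err
}

func main() {
	now := time.Now()
	root, node, err := Demo(now)
	if err != nil {
		panic(err)
	}
	status, wait := ValidityWindow(node, now)
	fmt.Printf("at import: %s, usable in %s; verify: %v\n", status, wait.Round(time.Second),
		Verify(node, []*x509.Certificate{root}, now))
	later := now.Add(3 * time.Minute)
	fmt.Println("after clocks agree:", Verify(node, []*x509.Certificate{root}, later))
	fmt.Println("without Root CA in keystore:", Verify(node, nil, later))
	fmt.Println(LogonID(node, map[string]string{"CN=PSFT_HR,O=Example Corp": "PSHR"}))
}
```

Run it with go run: the first Verify fails on the validity window even though the chain is sound, the same verification succeeds three minutes later, and it fails for a different reason (unknown authority) when the root CA is absent from the trust store, which is the distinction a practitioner needs when deciding whether to wait, fix the clock, or import the root certificate.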

Configuring Digital Certificates

Select PeopleTools, Security, Security Objects, Digital Certificates.

The Digital Certificates page displays your inventory of server-side digital certificates. This page also enables you to import new certificates from a certificate authority.

Note. For user certificates, no redundant setup of user certificates is required. With a few lines of Signon PeopleCode, you can reuse the existing PKI server that you have in place.

Note. Currently, root CA key size is limited to 1024 bits. A 1024-bit RSA key is below current minimum recommendations (2048 bits), so check the key sizes supported by your PeopleTools release before choosing a root CA.

To view details regarding a particular certificate, click Details.

Type

Select the type of certificate.

Local Node. Select this option when you are setting up a local node for the PeopleSoft messaging system (PeopleSoft Integration Broker).

Root CA. Select this when you are adding a new Root CA to your key store.

Remote. Select this option when you are setting up a remote node for the PeopleSoft messaging system (PeopleSoft Integration Broker).

Alias

Enables you to add a custom alias for identification purposes.

Issuer Alias

Contains the alias of the authority that issued the certificate.

Valid To

Shows the date on which the certificate expires.

Detail

Launches a sub-page with more certificate information. The Certificate Detail page shows subject and certificate information, so you can determine characteristics such as the serial number, the fingerprint, the signature algorithm, and so on.

Note. Depending on the type of certificate you're adding, the link for adding it is labeled Add Root, Import, or Request.

Note. When you add a Local Node certificate and click the Import link, the Request New Certificate page appears, in which you enter Subject information (Organization, Locality, and so on) and Key Pair information (encryption algorithm and key size).