Enforcing a Specific TLS Version in PeopleSoft with SES

Important! This topic is applicable only to Oracle SES implementation in PeopleSoft.

This topic describes how to enforce a specific Transport Layer Security (TLS) version in WebLogic and WebSphere in PeopleSoft with Oracle SES.

TLS version 1.2 is the default protocol in Java 8. If you want to enforce TLS version 1.2 in Java 7 or Java 6, follow the instructions listed here:

  1. In PeopleSoft and SES, if you are using Java 7, upgrade to JDK 7u95 or later. If you are using Java 6, upgrade to JDK 6u121 or later.

  2. Create root and server certificates, and import them into the PeopleSoft and SES keystores.

  3. Navigate to PeopleTools, Security, Security Objects, Digital Certificates and import the certificates into the PeopleSoft database using the Digital Certificates page. Import them as Root CA type.

  4. Import PeopleSoft server certificates into the PeopleSoft cacerts folder (<PS_HOME>/jre/lib/security/cacerts).

  5. Import the SES server certificates into the SES cacerts, which are available in the following paths:

    • <mw_home>/Oracle_SES1/jdk/jre/lib/security

    • <mw_home>/wlserver/server/lib

    where mw_home refers to the SES mid-tier home directory.

  6. Import the PeopleSoft server certificates into the SES keystore and the SES server certificates into the PeopleSoft keystore.

  7. Download and install unlimited strength Java Cryptography Extension (JCE) policy files for both PeopleSoft and SES in <JAVA_HOME>/jre/lib/security.

  8. Add security properties to JAVA OPTIONS in the configuration files. Choose the appropriate configuration file based on whether Oracle JDK or IBM JDK is used.

    If you are using Oracle JDK, edit the PeopleSoft and SES configuration files.

    To edit the PeopleSoft configuration files:

    • In <PS_CFG_HOME>/appserv/<domain_name>/psappsrv.cfg, add -Dhttps.protocols=TLSv1.2 to the JavaVM Options as shown:

      JavaVM Options=<standard configuration options> -Dhttps.protocols=TLSv1.2

    • In <PS_CFG_HOME>/appserv/prcs/<domain_name>/psprcs.cfg, add -Dhttps.protocols=TLSv1.2 to the JavaVM Options as shown:

      JavaVM Options=<standard configuration options> -Dhttps.protocols=TLSv1.2

    • In <PS_CFG_HOME>/webserv/<domain_name>/bin/setEnv.cmd, set:

      JAVA_OPTIONS_LINUX="${JAVA_OPTIONS_LINUX} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

      JAVA_OPTIONS_ADMINSERVER="${JAVA_OPTIONS_ADMINSERVER} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

    To edit the SES configuration files:

    • In <mw_home>/user_projects/domains/search_domain/bin/setDomainEnv.sh, set:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

    • In <mw_home>/Oracle_SES1/bin/clexecutor.sh, set:

      CRAWLER_EXEC_PARAMS="${CRAWLER_EXEC_PARAMS} -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2"

    If you are using IBM JDK, edit the PeopleSoft and SES configuration files.

    To edit the PeopleSoft configuration files:

    • In <PS_CFG_HOME>/appserv/<domain_name>/psappsrv.cfg, add -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true to the JavaVM Options as shown:

      JavaVM Options=<standard configuration options> -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true

    • In <PS_CFG_HOME>/appserv/prcs/<domain_name>/psprcs.cfg, add -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true to the JavaVM Options as shown:

      JavaVM Options=<standard configuration options> -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true

    • In <PS_CFG_HOME>/webserv/<domain_name>/bin/setEnv.cmd, set:

      JAVA_OPTIONS_AIX="${JAVA_OPTIONS_AIX} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true"

      JAVA_OPTIONS_ADMINSERVER="${JAVA_OPTIONS_ADMINSERVER} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true"

    To edit the SES configuration files:

    • In <mw_home>/user_projects/domains/search_domain/bin/setDomainEnv.sh, set:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true"

    • In <mw_home>/Oracle_SES1/bin/clexecutor.sh, set:

      CRAWLER_EXEC_PARAMS="${CRAWLER_EXEC_PARAMS} -Dhttps.protocols=TLSv1.2 -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 -Dcom.ibm.jsse2.overrideDefaultTLS=true"

  9. Restart the Application Server, the Process Scheduler Server, and the Web Server domains of PeopleSoft.

  10. Restart the SES mid-tier.

  11. Enable the specific TLS version (TLSv1.2) in the browser, and disable all other TLS versions.
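
The options added in step 8 can be checked before the restarts in steps 9 and 10. The following script is an added example, not part of the Oracle documentation or tooling: it reports options that are missing, lack the leading hyphen, or carry a different value, and flags typographic quotes pasted from formatted text. The sample files, the -Xrs option and the comment markers (# and ;) are constructed assumptions.

```shell
#!/bin/sh
# audit_tls_opts FILE OPTION...
# Prints one line per problem; returns 0 if every OPTION is present, else 1.
audit_tls_opts() {
    file=$1; shift
    rc=0
    # Drop comment lines (# or ; is assumed), then split into tokens on
    # whitespace and ASCII double quotes.
    tokens=$(grep -v '^[[:space:]]*[#;]' "$file" | tr -s ' \t"' '\n\n\n')
    for opt in "$@"; do
        name=${opt%%=*}                  # e.g. -Dhttps.protocols
        if printf '%s\n' "$tokens" | grep -qxF -- "$opt"; then
            continue                     # present exactly as documented
        elif printf '%s\n' "$tokens" | grep -qxF -- "${opt#-}"; then
            echo "$file: ${opt#-} lacks the leading hyphen, so it is not a -D property"
        elif printf '%s\n' "$tokens" | grep -qF -- "$name="; then
            echo "$file: $name is set, but not to ${opt#*=}"
        else
            echo "$file: $opt is missing"
        fi
        rc=1
    done
    # Typographic quotes pasted from formatted text do not quote anything in sh.
    if grep -q -e '“' -e '”' "$file"; then
        echo "$file: typographic quotes found; use ASCII double quotes"
        rc=1
    fi
    return $rc
}

# Constructed samples (not real PeopleSoft or SES files): one good, one broken.
demo() {
    d=$(mktemp -d)
    printf 'JavaVM Options=-Xrs -Dhttps.protocols=TLSv1.2\n' > "$d/psappsrv.cfg"
    printf '%s\n' 'CRAWLER_EXEC_PARAMS=”${CRAWLER_EXEC_PARAMS} Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1”' > "$d/clexecutor.sh"
    audit_tls_opts "$d/psappsrv.cfg" -Dhttps.protocols=TLSv1.2 && echo "psappsrv.cfg: ok"
    audit_tls_opts "$d/clexecutor.sh" -Dhttps.protocols=TLSv1.2 \
        -Djdk.tls.client.protocols=TLSv1.2 || echo "clexecutor.sh: fix before restart"
    rm -rf "$d"
}
demo
```

Pass each file the option list that step 8 gives for it and for the JDK in use; a non-zero return means the file should be corrected before the domain is restarted.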