Understanding PeopleSoft Encryption Technology
PeopleSoft Encryption Technology provides a way for you to secure critical PeopleSoft data and communicate securely with other businesses. It enables you to extend and improve cryptographic support for your application data , giving you strong cryptography with the flexibility to change and grow, by incrementally acquiring stronger and more diverse algorithms for encrypting data.
You can use PeopleSoft Encryption Technology to secure data in flat files or in database tables.
You can encrypt any data used in your application by invoking PeopleCode to apply your preferred encryption algorithms. You can obtain these algorithms from various vendors' cryptographic libraries, using the capabilities you want from each library.
The features of PeopleSoft Encryption Technology include:
Access to a robust set of algorithms (symmetric and asymmetric ciphers, password-based encryption, hashes, MACs, signatures, enveloping, encoding, and writing/processing secured messages).
The ability to encrypt, decrypt, sign, and verify fields in a database.
The ability to encrypt, decrypt, sign, and verify external files.
A secure keystore for encryption keys of widely varying types.
The ability to convert data from one encryption scheme to another.
This section describes key PeopleSoft Encryption Technology concepts.
Field or Control
An encryption algorithm encrypts and decrypts data. As described in the previous sections of this documentation, PeopleSoft supports symmetric and asymmetric encryption algorithms.
An encryption chain is a sequence of encryption algorithms.
An encryption profile is a specific implementation of an encryption chain.
When you create an encryption profile definition, you review the algorithm chain to identify all the algorithms and parameters that are required for the task. You must supply values for all of the parameters for the encryption profile to be viable for use.
The design of the encryption profile allows you to reuse algorithms across many different encryption chain definitions. And you can implement the encryption chain definitions in many different encryption profiles, with each profile having its own distinct set of parameter values.
|Encryption Algorithm Parameters||
Some encryption algorithms may require input parameters. These input parameters may come from keysets or may be entered directly into the encryption profile definition.
|Keyset, Keyset ID, and Keyset Value||
A keyset is a definition that associates a keystore certificate alias or private key to an encryption algorithm.
The definition is identified by a user-defined keyset ID. The keyset value is the certificate alias or private key defined.
Some encryption algorithms may require a keyset ID as an input parameter. At runtime the keyset ID is used to get the keyset value that is used in the algorithm.
A keyset can also be a SYMMETRIC KEY value
The functional elements of PeopleSoft Encryption Technology are:
A DLL for each supported encryption library, which uses C glue code to convert each cryptographic library's API into a unified plug-in with an API accessible from PeopleCode.
A universal keystore that handles all forms of encryption keys, protected with row-level security.
A sequence, or chain, of algorithms that you define for a specific type of encryption task.
These algorithms are applied in turn to transform data from its original form into a desired final form.
An encryption profile, which you define as an instance of an algorithm chain, applicable to a specific encryption task.
The PeopleCode crypt class for accessing the algorithm chains that you define.
To develop and use an encryption profile:
Obtain an encryption library.
The current release of PeopleTools includes the OpenSSL encryption library.
Develop API glue code to access the encryption library's algorithms.
PeopleTools includes glue code already developed to support the delivered OpenSSL encryption library, as well as glue code to support the PGP encryption library.
The glue code combines with each library to create a plug-in accessible from PeopleCode. The plug-in can be an independent DLL file, or it can be incorporated into the encryption library file, which is the case with the delivered OpenSSL library.
You can develop glue code to produce plug-in wrappers for other encryption libraries of your choice. The plug-ins make their APIs accessible to PeopleCode, and the new algorithms become as easily available as the delivered algorithms. You can find development information and examples of glue source code in PS_HOME\src\pspetssl.
Load the encryption library's algorithms into the PET database, generate accompanying encryption keys, and insert them into the PET keystore.
Define a chain of algorithms by selecting from the algorithms in the database.
Because all algorithms are accessed from PeopleCode, you can combine algorithms from different libraries regardless of their source.
Define an encryption profile, which is an instance of an algorithm chain applicable to a specific encryption task.
With an encryption profile you can apply parameter values that differ from the default values.
Test the encryption profile using the Test Encryption Profile page.
Write PeopleCode to invoke the encryption profile.
With the delivered glue code, you can take advantage of the capabilities of these libraries through a single PeopleCode object. The PeopleCode crypt class provides an interface into all algorithms loaded from the underlying encryption libraries.
This section describes encryption algorithm libraries and those libraries supported by PeopleSoft.
An algorithm library is computer code provided from a vendor that provides access to a collection of encryption algorithms. As an example, PGP and OpenSSL are algorithm libraries. These vendor algorithms are stored in tables within the PeopleSoft system and become part of the organized collection of PET data (or PET database).
Accessing Algorithm Libraries
PeopleSoft delivers the open source OpenSSL library as well as the glue code to interact with the library.
For other third-party libraries, such as PGP, you must separately obtain a license and install the product.
Access to the delivered OpenSSL library is obtained through the PeopleSoft Internet Architecture using the pages in the Encryption component (ALGORITHM_PFRL). These pages are discussed in later sections of this documentation.
Algorithm Library Glue Code
PeopleSoft delivers the glue code to interact with OpenSSL and PGP libraries. The location of the glue code is:
The OpenSSL glue code has been tested on all supported PeopleSoft platforms with PKCS7 and 3DES. The glue code to interact with the PGP library has been tested on the Microsoft Windows platform only.
For other third-party libraries you must develop the glue code, using the PeopleSoft glue code as a guide.
PGP Library Considerations
If you license the PGP encryption library, you must ensure that its installed location is included in the paths used by both the application server and PeopleSoft Process Scheduler, as follows:
Using the PSADMIN utility, add the full installed path of the PGP SDK to the Add to PATH parameter.
See Domain Settings.
In the Oracle Tuxedo Settings section of the Process Scheduler configuration file, add the full installed path of the PGP SDK to the Add to PATH parameter.
Note: The path added must be the directory which contains the .dll and .lib files. There can be no intermediate subdirectory between the path setting and these files.
PGP operations are supported only on platforms where the PGP SDK is supported: Microsoft Windows, Oracle Solaris, and Red Hat Linux. Note that the glue code provided by PeopleTools is tested on Microsoft Windows only.