Understanding SSL/TLS and Digital Certificates

The PeopleSoft system takes advantage of HTTPS, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital certificates to secure the transmission of data from the web server to an end user's web browser and also to secure the transmission of data between PeopleSoft servers and third-party servers (for business-to-business processing) over the internet.

PeopleSoft customers can implement PeopleSoft software using HTTP or HTTPS. The native SSL/TLS support in commercially available web browsers and web servers is used to provide HTTPS communication between the web browser and web server.

With business-to-business applications, where systems communicate with each other over the internet, data must flow securely. As such, system-to-system authentication is critical. PeopleSoft uses HTTPS and digital certificates for secure transmission of data between systems and system-to-system authentication. PeopleTools uses the inherently supported SSL/TLS implementation provided with JRE™.

The PeopleSoft system uses Extensible Markup Language (XML) messaging over HTTPS for our Integration Broker and Business Interlink technologies to deliver system-to-system integration over the internet. HTTPS is used to guarantee secure transmission of the XML message. The digital signature of the XML message is used for authentication between systems. With digital certificates, XML messages are digitally signed to prove that the message came from the server that created and signed the message and to prove that the message has not been altered.

The following table lists the PeopleSoft technologies that use HTTPS (HTTP over SSL/TLS) and how it is implemented for each technology.

Technology and how HTTPS (HTTP over SSL/TLS) is implemented:

PeopleSoft Portal Solutions

  • Secure page transport: Uses web server platform to provide server side SSL/TLS.

  • Secure access to remote content providers: Application server uses JRE to provide the client side of SSL/TLS connection to gateway. Uses web server platform to provide server side SSL/TLS.

PeopleSoft Integration Broker (application messaging)

  • Secure message transport to remote nodes: Application server uses JRE to provide client side of SSL/TLS connection to gateway. Uses web server platform to provide server side SSL/TLS.

PeopleSoft Business Interlinks

  • Secure calls to remote data sources or modules: Application server uses JRE to provide client side of SSL/TLS connection to gateway. Uses web server platform to provide server side SSL/TLS.

User Authentication

  • Certificate-based client authentication: Uses web server SSL/TLS client authentication. Certificate data is passed to application server. The application server trusts the web server's authentication. Distinguished name of the certificate is used to log on to the PeopleSoft system.

Anytime you implement SSL/TLS with mutual authentication (both client and server authenticate each other) you need the following three items:

  • Server Certificate (issued by some trusted third party or certificate authority).

  • Client Certificate (issued by the same trusted third party or certificate authority).

  • Client and server both need a copy of a root certificate for the trusted third party. The root certificate has the crypto keys (public and private key) of the authority. Using these keys and the client and server certificates, each party is able to authenticate the other.

When you log on to an SSL/TLS server using your browser, you don’t have to worry about root certificates because they come bundled with the browser. You don’t have to worry about having a client certificate because the web server doesn’t require “Client Side Authentication”.

Important! When you are importing a digital certificate, you may receive an error message if you attempt to import the digital certificate immediately after downloading it from a certificate authority. This is due to issues related to "valid from" dates and times, and the inconsistencies in time settings between different computers. You should save the certificate to a Microsoft Windows workstation, right-click it in Microsoft Windows Explorer, and select Open. This opens the Certificate dialog box. Examine the information regarding the “valid from” and “to” dates. Make sure those dates are valid on the application server the certificate will be installed on. The Details tab on the Certificate dialog presents the most thorough information.
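The clock-skew failure described in the note above, as an added example (not Oracle or PeopleSoft code): it reads the validity dates as printed by `openssl x509 -noout -dates` and evaluates them against each host's own clock. The sample dates, host names and clock offsets are constructed for illustration.

```python
import ssl

# Constructed sample: text in the format printed by
# `openssl x509 -noout -dates -in cert.pem` for a freshly issued certificate.
SAMPLE_DATES = """notBefore=Mar  4 10:00:00 2024 GMT
notAfter=Mar  4 10:00:00 2025 GMT"""


def parse_validity(dates_text):
    """Return (not_before, not_after) as UTC epoch seconds."""
    fields = dict(line.strip().split("=", 1)
                  for line in dates_text.splitlines() if "=" in line)
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))


def check_on_host(dates_text, host_clock):
    """Classify the certificate as seen by a host whose clock reads
    host_clock (UTC epoch seconds). Returns (status, seconds)."""
    not_before, not_after = parse_validity(dates_text)
    if host_clock < not_before:
        # Import fails until the host clock reaches "valid from".
        return "not yet valid", not_before - host_clock
    if host_clock > not_after:
        return "expired", host_clock - not_after
    return "valid", not_after - host_clock


def survey(dates_text, reference_now, offsets):
    """Evaluate the certificate on several hosts.

    offsets maps host name -> seconds that host's clock runs ahead (+)
    or behind (-) the reference clock (hypothetical measured values).
    """
    return {host: check_on_host(dates_text, reference_now + skew)
            for host, skew in offsets.items()}


if __name__ == "__main__":
    # Two minutes after issuance on the workstation; the application
    # server's clock is assumed to run five minutes slow.
    now = parse_validity(SAMPLE_DATES)[0] + 120
    hosts = {"workstation": 0, "appserver": -300}
    for host, (status, secs) in survey(SAMPLE_DATES, now, hosts).items():
        print(f"{host}: {status} ({secs} s)")
```

The same certificate is accepted on the workstation and rejected on the application server until the slower clock passes the "valid from" time, which is why the dates must be checked against the clock of the host the certificate will be installed on.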