9 Security

    Data Confidentiality

    Taleo strongly recommends enforcing "Full SSL" as the supported communications protocol. The SSL communications protocol properties can be configured with the SmartOrg Communications Protocol Editor by a user with the Integrator role. When "Full SSL" mode is enforced, the Taleo-hosted environments accept only HTTPS requests. This configuration ensures that only secure connections are accepted and that all transmitted data is encrypted. All integration points created with TCC should conform to this protocol at the handshake. TCC supports TLS 1.2.

    To support organizations with limited HTTPS capabilities, TCC allows HTTP-based communications. When this protocol is selected, data is not encrypted in transit between TCC and the Taleo-hosted environments. HTTP should only be used when the organization's network does not support HTTPS.

      User Authentication

      TCC supports basic user name and password authentication as well as certificate-based authentication.

      Web Services Security (WS-S)

      Oracle Taleo announced the deprecation of support for Username Token Profile 1.1 using the PasswordDigest scheme in release 14B. Any customers using this method to authenticate with Oracle Taleo Enterprise Edition 14B and later zones are required to replace Password Digest with Basic Authentication. Configurations that were using this scheme now automatically default to basic authentication.

      Basic Authentication

      When using basic authentication, TCC provides the user credentials, in the form of a user name and password, as HTTP headers.

      Certificate Based Authentication

      TCC supports signing the communication between TCC and the Taleo zone. This authentication method is used to sign the requests and responses exchanged between Connect Client and Taleo. It is used in addition to basic authentication.

        Stored Passwords

        Taleo Connect Client (TCC) communicates with Taleo-hosted products using an authenticated user name and password. In addition, if proxy servers are installed within the environment, TCC may require additional user credentials.

        Integration User password

        TCC stores the Integration User password locally to establish a connection with a Taleo-hosted product. The password can be stored in the following locations:

        • Default configuration board file: default.board.xml

        • Environment file: *.properties

        • Configuration files: *_cfg.xml

        The Integration User password is encrypted with AES using a 128-bit key and stored in an XML file:

        EncryptedPassword=Base64 (AES:128 (password))

        Encryption Key Server (EKS)

        With release 14A, an Encryption Key Server is delivered with Taleo Connect Client (TCC) that can be used to augment existing password management services. The EKS generates a key used to encrypt passwords within the TCC application.

        Encryption Key Server Installation

        Step 1. Copy the encryptionkey-server.jar file from the server folder under the TCC installation folder to a location on the network. It is recommended that this location be different from the TCC installation folder. The encryptionkey-server.jar file is the default EKS delivered for enhanced password management.

        Step 2. By default, the EKS runs on the local host IP address and port 1126. To use another address or port, create a folder and file at the server root location. (A server restart is required after any modification.)

        Folder and file name: conf/EncryptionKeyServer.conf

        File content:

        • HOST_PORT=YOUR_SERVER_PORT

        • HOST_ADDRESS=YOUR_SERVER_ADDRESS

        Step 3. The encryption server can now be started by calling your_java_location -jar encryptionkey-server.jar.

        a. On Windows, the following prompt is displayed to the user. The user should enter a passphrase value. This value is masked with *.


        Image showing the Encryption Server Passphrase window.

        b. On other platforms, the command line prompts the user to enter the passphrase.

        When the EKS is started for the first time, an AES symmetric encryption key is generated and automatically saved in the conf/ClientKey.key file. The passphrase entered by the user protects access to the encryption key stored in this file. Each new installation of the EKS generates a different, unique encryption key. For this reason, it is strongly recommended to back up the key file and keep the backup in a secure location; this makes it possible to recover encrypted data if the original installation fails, since the same passphrase unlocks the encryption key needed to decrypt the data. At every subsequent EKS startup, the entered passphrase is used to unlock the encryption key needed to decrypt any encrypted data.

        Configuring TCC using an Encryption Key Server

        TCC must be provided with the host address and port of the EKS set up and configured in the previous step. This information can be added when a new instance of TCC is installed, via the setup dialog step illustrated below. It is captured during the installation of the new version of TCC and stored in the TaleoConnectClient.ini file.

        If more convenient, the EKS can be installed later and the host and port information added directly to the TaleoConnectClient.ini file, as illustrated below:

        • -Dcom.taleo.integration.client.encryption.key.hostPort=Your_Server_Port

        • -Dcom.taleo.integration.client.encryption.key.hostAddress=Your_Server_Address

        Note that using a different encryption server requires updating the configuration files to use the new encryption key.

        In TCC, no changes are visible in the UI. When a new profile or configuration board entry is created, if both properties have been specified, the key from the server is used to encrypt the password. Otherwise, the default encryption mechanism is used.

        Encrypt Password Tool

        An additional tool is provided to encrypt individual string values. It is located in the Tools > Encrypt Password menu.

        Enter the string value to encrypt in the text box and click Encrypt. If the encryption server properties are defined, the server is used to encrypt the value; otherwise, the default encryption mechanism is used. The encrypted result is displayed at the bottom of the page. Click Copy to copy it to the clipboard. Click Close to close the window.

        Proxy Password Management Using EKS

        TCC uses system properties to authenticate itself against the proxy servers needed to access the internet. The required system properties are:

        -Dhttp.proxyHost=myproxyhostname
        -Dhttp.proxyPort=portnumber
        -Dhttp.proxyUser=username
        -Dhttp.proxyPassword=hello123
        -Dhttps.proxyPassword=securedHello123

        Note: The values of the http.proxyPassword and https.proxyPassword properties must be encrypted. The Encrypt Password tool can be used to encrypt string values. The presence of the Encryption Key Server address and port properties determines the encryption mode.

        The following two properties must be added to use the Encryption Key Server:

        -Dcom.taleo.integration.client.encryption.key.hostAddress=your_server_address
        -Dcom.taleo.integration.client.encryption.key.hostPort=your_server_port

        There are two ways to set system properties, depending on how TCC is launched.

        1. On Windows via the GUI:

          When running TCC through the Windows GUI, all system properties must be defined in the TaleoConnectClient.ini file located at the root of the installation folder.

        2. Launching TCC through the command line interface:

          When running TCC from a command line interface, the system properties must be included in the TaleoConnectClient.bat (Windows) or TaleoConnectClient.sh (Linux) file.

          To run TCC from the command line without issues, it is recommended to use the following Java options (replace the variables with the values best suited to the type of operations performed).

          JAVA_OPTS="
          -ms${JAVA_MIN_MEM}M
          -mx${JAVA_MAX_MEM}M
          -XX:NewSize=${NEWGEN}m
          -XX:MaxNewSize=${MAXNEWGEN}m
          -XX:PermSize=${PERMGEN}m
          -XX:MaxPermSize=${MAXPERMGEN}m"
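As an added illustration (written for this page, not TCC code and not part of the original guide), the following Python script performs the two checks a practitioner would want to run over the system properties before launching TCC: whether both Encryption Key Server properties are present (only then is the EKS key used; otherwise TCC falls back to the default mechanism), and whether the http.proxyPassword and https.proxyPassword values are actually encrypted rather than left in clear text. The .ini fragment, the host names and the Base64 block-length heuristic are constructed assumptions; the one encrypted sample value is the one printed by EncryptPassword.bat elsewhere in this chapter.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample of a TaleoConnectClient.ini fragment (not taken from any
# real installation). Two problems are left in on purpose: the EKS port
# property is missing, and http.proxyPassword is a clear-text value.
SAMPLE_INI = """\
vmargs
-Djava.endorsed.dirs=lib/endorsed
-Dhttp.proxyHost=proxy.acme.net
-Dhttp.proxyPort=3128
-Dhttp.proxyUser=acmeuser
-Dhttp.proxyPassword=hello123
-Dhttps.proxyPassword=F0r6f9UebDtC+5cOeI0z0WQxYxA6m410vqqTr9OR1FE=
-Dcom.taleo.integration.client.encryption.key.hostAddress=eks.acme.net
"""

EKS_HOST = "com.taleo.integration.client.encryption.key.hostAddress"
EKS_PORT = "com.taleo.integration.client.encryption.key.hostPort"
PASSWORD_PROPS = ("http.proxyPassword", "https.proxyPassword")

_PROP_RE = re.compile(r"^-D([^=\s]+)=(.*)$")


def parse_system_properties(text):
    """Collect -Dname=value entries from .ini or launcher-script text."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def looks_encrypted(value):
    """Heuristic (assumed here): an encrypted value is Base64 text that decodes
    to whole AES blocks (a multiple of 16 bytes). This catches clear text left
    in the file, not every malformed value, so it is a check, not a proof."""
    if not value or len(value) % 4 != 0:
        return False
    try:
        decoded = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return len(decoded) % 16 == 0


@dataclass
class Finding:
    property: str
    message: str


def audit(props):
    """Return (encryption_mode, findings). The mode is "eks" only when both
    EKS properties are present, mirroring how TCC picks the mechanism."""
    findings = []
    has_host, has_port = EKS_HOST in props, EKS_PORT in props
    if has_host != has_port:
        missing = EKS_PORT if has_host else EKS_HOST
        findings.append(Finding(missing, "missing; both EKS properties are needed, "
                                         "otherwise the default encryption is used"))
    mode = "eks" if (has_host and has_port) else "default"
    for name in PASSWORD_PROPS:
        if name in props and not looks_encrypted(props[name]):
            findings.append(Finding(name, "value does not look like an encrypted "
                                          "(Base64/AES) password"))
    return mode, findings


if __name__ == "__main__":
    mode, findings = audit(parse_system_properties(SAMPLE_INI))
    print(f"encryption mode: {mode}")
    for f in findings:
        print(f"  {f.property}: {f.message}")
```

Running the script on the sample reports the default encryption mode (the port property is absent) and flags http.proxyPassword; the https.proxyPassword value passes. Run the same audit over the real TaleoConnectClient.ini, .bat or .sh file before deploying a TCC instance.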

        EKS Logging Service

        A logging service is available for operations related to the encryption key server. Logging is written to the file log/EncryptionServerLog.log. The default level is INFO. The logging level can be changed with a property at startup. The possibilities are:

        • -Dlog.file.level=LEVEL_TO_USE

        • -Djava.util.logging.config.file=YOUR_LOGGING_PROPERTIES_FILE_PATH

          Here is an example of logging properties file content:

          com.taleo.integration.client.encryption.key.level=FINE

          Specifying Integration Password

          Specify the Integration user password as the ENCRYPTED_PASSWORD symbol when invoking TCC from the command line.

          Using the ENCRYPTED_PASSWORD symbol improves security, since the integration passwords do not have to be revealed to TCC script developers.

          1. Encrypt the integration password.

            1. Use the command line tool provided by TCC.

              [TCCHome]>EncryptPassword.bat TheSecretPassword
              Encrypting password using command line argument.
              Encrypted password:
              xH/JD4X3xuVTMz7pO1fdxcFUBUlFWGrZqTfNDw/DLpo=

            2. Copy the encrypted password to the clipboard.

          2. Start TCC.

          3. Open the default configuration board, File > Open > Configuration Board.

          4. Create a new symbol.

            1. Name: ENCRYPTED_PASSWORD

            2. Value: [DECRYPT("paste generated password here")]

              Make sure to use the complete syntax, including all the control characters: square brackets, parentheses, and double quotes.

          5. Update the endpoint and use the [ENCRYPTED_PASSWORD] symbol in the Password field.

            Make sure the symbol is enclosed in square brackets as shown.

            Note: The runtime symbol function DECRYPT can only be used in Authentication Password fields.

            Override ENCRYPTED_PASSWORD

            To pass the password at the command line, add the following system property when invoking the TCC application:

            • Clear-text password

              -Dcom.taleo.client.symbol.ENCRYPTED_PASSWORD=TheSecretPassword

            • Encrypted password

              -Dcom.taleo.client.symbol.ENCRYPTED_PASSWORD=[DECRYPT(\"xH/JD4X3xuVTMz7pO1fdxcFUBUlFWGrZqTfNDw/DLpo=\")]
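As an added example (written for this page, not taken from TCC), the Python below implements the symbol handling described in the steps above: it validates the complete [DECRYPT("...")] syntax (including the \"-escaped form used on the command line), applies -Dcom.taleo.client.symbol.NAME overrides, and refuses DECRYPT outside a password field. The resolver's behaviour and the board contents are assumptions made for the demonstration; the ciphertext is the sample value from the EncryptPassword.bat output above.

```python
import base64
import re

# Constructed values for the demonstration. The ciphertext is the sample value
# shown in the guide's EncryptPassword.bat output; the board content and the
# -D override below are made up here to exercise the resolver.
CIPHER = "xH/JD4X3xuVTMz7pO1fdxcFUBUlFWGrZqTfNDw/DLpo="
SYMBOL_PREFIX = "com.taleo.client.symbol."

# The complete runtime-symbol syntax the guide insists on: square brackets,
# DECRYPT, parentheses and double quotes. On the command line the quotes are
# escaped as \" ; the backreference \1 forces both quotes to agree.
_DECRYPT_RE = re.compile(r'^\[DECRYPT\((\\?)"([A-Za-z0-9+/]+=*)\1"\)\]$')
_REF_RE = re.compile(r"^\[([A-Z_][A-Z0-9_]*)\]$")


def parse_decrypt_symbol(value):
    """Return the Base64 ciphertext inside a well-formed [DECRYPT("...")]
    value, or None when the syntax or the Base64 payload is not complete."""
    m = _DECRYPT_RE.match(value.strip())
    if not m:
        return None
    ciphertext = m.group(2)
    try:
        base64.b64decode(ciphertext, validate=True)
    except ValueError:
        return None
    return ciphertext


def apply_overrides(symbols, system_properties):
    """-Dcom.taleo.client.symbol.NAME=value entries override board symbols."""
    merged = dict(symbols)
    for key, value in system_properties.items():
        if key.startswith(SYMBOL_PREFIX):
            merged[key[len(SYMBOL_PREFIX):]] = value
    return merged


def resolve_field(field_name, field_value, symbols):
    """Resolve a [SYMBOL] reference in a configuration field (assumed model).

    Returns ("cipher", base64) when the symbol holds a DECRYPT value and the
    field is a password field (the only place DECRYPT is allowed), or
    ("clear", text) for a literal or a plain symbol value. Incomplete DECRYPT
    syntax and use outside a password field raise ValueError.
    """
    m = _REF_RE.match(field_value.strip())
    if not m:
        return ("clear", field_value)
    name = m.group(1)
    if name not in symbols:
        raise KeyError(f"undefined symbol {name}")
    raw = symbols[name]
    cipher = parse_decrypt_symbol(raw)
    if cipher is None:
        if "DECRYPT" in raw.upper():
            raise ValueError(f'symbol {name}: incomplete syntax, expected [DECRYPT("...")]')
        return ("clear", raw)
    if not field_name.lower().endswith("password"):
        raise ValueError(f"DECRYPT is only allowed in password fields, not {field_name}")
    return ("cipher", cipher)


if __name__ == "__main__":
    board = {"ENCRYPTED_PASSWORD": f'[DECRYPT("{CIPHER}")]'}
    print(resolve_field("Password", "[ENCRYPTED_PASSWORD]", board))
    override = {SYMBOL_PREFIX + "ENCRYPTED_PASSWORD": "TheSecretPassword"}
    print(resolve_field("Password", "[ENCRYPTED_PASSWORD]", apply_overrides(board, override)))
```

The strict regular expression is the point: a value that drops the brackets, the parentheses or one of the quotes is rejected outright instead of being passed to the endpoint as a literal password, which is the failure the "complete syntax" note above warns about.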

              HTTP Proxy

              In certain corporate networks, IT policies enforce the use of a proxy to funnel all external HTTP requests. This is an important part of the overall network security.

              The Taleo Connect Client fully supports the use of an HTTP proxy, both in the runtime execution script and through the design environment. The configuration of the HTTP proxy follows the Java standard documented at http://docs.oracle.com/javase/1.5.0/docs/guide/net/properties.html (the specifications are the same for the 1.6 version, http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html, and the 1.7 version, http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html).

              According to these specifications, the HTTP proxy is configured at the JRE level, that is, in the runtime environment in which the integration process is invoked. The connectivity information is passed as system properties in either the runtime execution script or the design environment initialization file.

              Hence, assuming the corporate HTTP proxy is available at proxy.acme.net on port 3128, the TaleoConnectClient.bat script should be changed to add:

              %JAVA_HOME%\bin\java.exe
              -Dhttp.proxyHost=proxy.acme.net
              -Dhttp.proxyPort=3128
              -Djava.endorsed.dirs=%IC_HOME%\lib\endorsed

              Certain corporate HTTP proxy implementations require an explicit authentication. This information can be provided with two extra system properties as in the following example:

              %JAVA_HOME%\bin\java.exe
              -Dhttp.proxyHost=proxy.acme.net
              -Dhttp.proxyPort=3128
              -Dhttp.proxyUser=acmeuser
              -Dhttp.proxyPassword=secret
              -Djava.endorsed.dirs=%IC_HOME%\lib\endorsed

              Note that the http.nonProxyHosts property, as defined in the Java specifications, is also fully supported.

              If the use of an HTTP proxy is required also in the design environment, then the following lines should be added to the TaleoConnectClient.ini file:

              vmargs
              -Djava.endorsed.dirs=lib/endorsed
              -Dorg.apache.commons.logging.Log=org.apache.commons.logging.impl.Log4JLogger
              -Dhttp.proxyHost=proxy.acme.net
              -Dhttp.proxyPort=3128

              In previous versions, the HTTP proxy was configured in the client configuration file itself. This is no longer supported, in favor of the standard way described above (see the section for more details).

              Certain implementations support the https.proxyHost property, although it is not part of the Java standard. The Taleo Connect Client only supports http.proxyHost, which is used for all requests, whether over HTTP or HTTPS.
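To make the routing rules concrete, here is an added Python example (not part of TCC or of this guide) that evaluates the Java proxy properties the way the text describes: http.proxyHost and http.proxyPort apply to every request, HTTP or HTTPS, and any host matching an http.nonProxyHosts pattern (a literal name, or a name with a leading or trailing * wildcard, patterns separated by |) is reached directly. The property values are constructed; the Java default for http.nonProxyHosts and the case-insensitive comparison are assumptions, marked as such in the code.

```python
# Constructed sample of the proxy-related system properties from a
# TaleoConnectClient.bat / .ini (not a real installation).
SAMPLE_PROPS = {
    "http.proxyHost": "proxy.acme.net",
    "http.proxyPort": "3128",
    "http.nonProxyHosts": "localhost|127.*|*.acme.net",
}
# Assumed Java default, used when http.nonProxyHosts is not set at all.
JAVA_DEFAULT_NON_PROXY = "localhost|127.*|[::1]"


def _pattern_matches(pattern, host):
    """One http.nonProxyHosts pattern: a literal host name, or a name with a
    leading and/or trailing '*' wildcard, as the Java networking properties
    document it. Both sides are lower-cased by the caller (assumed)."""
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core = pattern.strip("*")
    if lead and trail:
        return core in host
    if lead:
        return host.endswith(core)
    if trail:
        return host.startswith(core)
    return host == pattern


def bypasses_proxy(host, non_proxy_hosts):
    """True when host matches any '|'-separated pattern in non_proxy_hosts."""
    host = host.strip().lower()
    return any(_pattern_matches(p.strip().lower(), host)
               for p in non_proxy_hosts.split("|") if p.strip())


def select_route(host, props):
    """Decide how TCC would reach host: ("direct", None) or
    ("proxy", (proxy_host, proxy_port)). Per the guide, TCC uses
    http.proxyHost for HTTPS requests too, so the URL scheme is irrelevant.
    Port 80 is the Java default when http.proxyPort is absent."""
    proxy_host = props.get("http.proxyHost", "").strip()
    if not proxy_host:
        return ("direct", None)
    if bypasses_proxy(host, props.get("http.nonProxyHosts", JAVA_DEFAULT_NON_PROXY)):
        return ("direct", None)
    return ("proxy", (proxy_host, int(props.get("http.proxyPort", "80"))))


if __name__ == "__main__":
    for h in ("zone.taleo.net", "hr.acme.net", "127.0.0.1", "localhost"):
        print(h, "->", select_route(h, SAMPLE_PROPS))
```

With the sample properties the Taleo zone goes through proxy.acme.net:3128 while internal acme.net hosts and loopback addresses are reached directly, which is what a network team would expect to see before opening an egress rule for the proxy.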

                Encrypting Proxy Password

                1. Open a command line interface.

                2. Execute the utility with the password as argument.

                  C:\Program Files\Taleo Connect Client>EncryptPassword.bat MySecre7P4ssword
                  Encrypting password using command line argument.
                  Encrypted password:
                  F0r6f9UebDtC+5cOeI0z0WQxYxA6m410vqqTr9OR1FE=

                3. Copy encrypted password.

                4. Open system properties file.

                5. Paste the encrypted password as the value of -Dhttp.proxyPassword.

                  -Dhttp.proxyPassword=F0r6f9UebDtC+5cOeI0z0WQxYxA6m410vqqTr9OR1FE=

                  Microsoft NTLM V1 Support

                  The Microsoft NTLM V1 proxy server authentication scheme is now supported. Clients whose network security policies allow only this authentication method can now install TCC within their infrastructure in compliance with their internal policy.

                  Things to Consider

                  • Technical limitations prevent retrieving the password digest from the system.

                  • The proxy password cannot be read from the network automatically; it must be manually entered in the batch file.

                  • Users must keep the password in the batch file synchronized with the Windows domain password.

                  • All proxy passwords MUST be encrypted.

                  Proxy System Properties Configuration

                  The Microsoft NTLM V1 proxy server authentication scheme must be configured in files located at the root of the TCC installation folder.

                  • Launching TCC using the Windows user interface

                    When running TCC on Windows, all system properties must be defined in the TaleoConnectClient.ini file.

                  • Launching TCC using the command line

                    When running TCC from the command line, all system properties must be passed on the command line. Insert them in the TaleoConnectClient.bat file (Windows) or the TaleoConnectClient.sh file (Linux).

                  System Properties for NTLM Proxies

                  The following list contains system properties you can configure for the proxy:

                  • -Dhttp.proxyHost=myproxyhostname

                  • -Dhttp.proxyPort=8080

                  • -Dhttp.proxyUser=username (Windows Domain User Name)

                  • -Dhttp.proxyPassword=encrypted password (Windows Domain Password)

                  • -Dhttp.proxyNTDomain=ACMEDOMAIN (Windows Domain Name)

                  Note: "http.proxyNTDomain" is only required for NTLM proxy authentication.

                  Windows Vista

                  Although Microsoft Windows Vista supports both the NTLM V1 and NTLM V2 proxy server authentication schemes, TCC currently supports only Microsoft NTLM V1.

                    Data at Rest

                    Standard TCC implementations have no data retention capabilities; data-at-rest encryption is therefore not required.