PT 856 and TLS vs. SSL

    Hello, we are in the process of upgrading our PeopleTools from 855 to 856. Oracle recommends that we use TLS instead of SSL. We are having some issues enabling TLS on the load balancer for now, so we are thinking about using SSL temporarily. We are wondering whether anyone is still using SSL with PT 856? We would really appreciate any input in terms of pitfalls we need to watch out for, etc. Thank you! Alex.

    Hi Alex

    I had a chat with one of DBA / System Admin people.

    He said "SSL is fully supported in PT8.56"

    He is also not aware of any issues in using SSL with PT8.56 but did say TLS is the improvement to SSL 3.0.

    Hope this helps

    [email protected]

    What are the PeopleSoft changes that need to be made to send and receive TLS v1.2 transmissions?  Thank you.

    Hi there

    The below is what one of our system admin guys provided without knowing the version details that you are on:

    TLS is not enabled by default in PeopleTools, but it is easy to enable on all the configuration files.

    For App server and Batch Server

    Modify JavaVM options parameter in the Appserver (psappsrv.cfg) and Batch server (psprcs.cfg) config files

    JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

    Also, PeopleTools supports TLS for SMTP security. To use TLS with PeopleTools, you need to add these parameters manually to the PSAPPSRV.CFG file and PSPRCS.CFG file in the SMTP settings section, and set to true.

    SMTPTLSEnable=true

    SMTPTLSRequired=true

    SMTPTLSEnable1=true

    SMTPTLSRequired1=true

    Enable TLS-Only On WebLogic

    In setEnv.cmd or setEnv.sh, JAVA_OPTION needs to be appended with -Dweblogic.security.SSL.protocolVersion=TLS1

    For example, in setEnv.cmd (Windows):

    SET JAVA_OPTIONS_WIN=-jrockit -XnoOpt -XXnoJITInline -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dweblogic.security.SSL.protocolVersion=TLS1

    PIA requires a restart after this change, and also the PIA service needs to be reinstalled or the command line needs to be modified.

    LDAP or Directory connection

    For an LDAP or Directory server that is configured to accept only TLS 1.2 connections, a code change to $PS_HOME/appserv/classes/psft/pt8/pshttp/PSLdapSSLSocketFactory.class is required so that it uses TLSv1.2 instead of SSL for the below code line.

    SSLContext sslcontext = SSLContext.getInstance("SSL");

    needs to be changed to

    SSLContext sslcontext = SSLContext.getInstance("TLSv1.2");

    Also, if they are using SES, there are changes that need to be made as described in the PeopleTools online document -> Enforcing a Specific TLS Version in PeopleSoft with SES

    Reference

    http://thesmartpanda.com/weblogic-ssl-v3-0-disable-enable-tls-v1/

    http://peoplesoftexperts.blogspot.co.nz/2015/12/peoplesoft-support-of-tls-12-when.html

    PT8.56 system and server administration guide (Link)

    chamanthi weerasinghe

    [email protected]
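An added example, not part of the reply above and not PeopleSoft's own tooling: a small audit of psappsrv.cfg / psprcs.cfg text that checks the settings named in the reply and flags any `https.protocols` entry older than TLS 1.2 (TLS 1.0 and 1.1 are deprecated by RFC 8996). The function name, the section headers in the sample and the comment-character handling are assumptions.

```python
import re

# Protocol names to flag: the SSL family plus TLS 1.0/1.1 (deprecated by RFC 8996).
WEAK = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
SMTP_KEYS = ("SMTPTLSEnable", "SMTPTLSRequired",
             "SMTPTLSEnable1", "SMTPTLSRequired1")

def audit_ps_cfg(text):
    """Return findings for psappsrv.cfg / psprcs.cfg style text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Assumption: ';' and '#' start comments, '[...]' is a section header.
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            settings[key.strip()] = value.strip()
    findings = []
    match = re.search(r"-Dhttps\.protocols=(\S+)",
                      settings.get("JavaVM Options", ""))
    if match is None:
        findings.append("JavaVM Options: -Dhttps.protocols not set")
    else:
        protos = [p for p in match.group(1).split(",") if p]
        weak = [p for p in protos if p in WEAK]
        if weak:
            findings.append("https.protocols allows " + ",".join(weak))
        if "TLSv1.2" not in protos:
            findings.append("https.protocols does not list TLSv1.2")
    for key in SMTP_KEYS:
        if settings.get(key, "").lower() != "true":
            findings.append(key + " is not true")
    return findings

# Constructed sample: the JavaVM Options value as posted in the thread.
AS_POSTED = """[PSTOOLS]
JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
[SMTP Settings]
SMTPTLSEnable=true
SMTPTLSRequired=true
SMTPTLSEnable1=true
SMTPTLSRequired1=true
"""
# Constructed sample: TLS 1.2 only, with one SMTP flag left out.
TLS12_ONLY = AS_POSTED.replace("TLSv1,TLSv1.1,", "").replace(
    "SMTPTLSRequired1=true\n", "")

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("TLS 1.2 only", TLS12_ONLY)):
        print(name, "->", audit_ps_cfg(cfg))
```

Run it against both config files after each change; an empty list means the settings from the reply are present and only TLS 1.2 is listed.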

    Thanks Chamanthi! I had an issue with my login and sorry for the late response. We will read your suggestions through and ask if we have additional questions. Thanks again! Alex.

     
