The Latest Updates to PeopleTools Security

Staying up to date on PeopleTools security features is the best way to protect your data. This post explores several new features and important aspects of PeopleTools security that you may have missed in the past. Read on to learn about the privacy, entropy, and standards discussed by PeopleTools Security Product Strategy Director, Greg Kelly, at Quest’s BLUEPRINT 4D 2023 Conference. You’ll also find links to additional documents for more in-depth learning along the way.

Critical Patch Updates

Oracle’s Critical Patch Update is published on a scheduled quarterly basis. The schedule can be found on Oracle’s page, Critical Patch Updates, Security Alerts and Bulletins.  It’s advantageous to subscribe to notifications regarding upcoming releases to stay in the know. Another option is to view and plug your RSS reader into the RSS feed without subscribing to anything.

Patches in the CPU provide security fixes for issues that were discovered through testing or by external reporting.

Even issues with a low CVSS (score) have been shown to compromise systems, either individually or in combination with other issues.

The recent Log4j issue has shown that many customers are not able to apply the available fixes.

Once a version of PeopleTools is out of date, no security patches are available. While support will assist customers on out-of-date releases, sometimes the only advice they can offer is to update to the most recent patch version of that release to improve your PeopleTools security.

Cryptography

Oracle’s Information Protection Policy defines high-level requirements for protecting data via encryption when data is at rest (in storage) on laptops, devices, and removable media.

Oracle has corporate standards that define the approved cryptographic algorithms and protocols. Oracle products and services are required to only use up-to-date versions of approved security-related implementations, as guided by industry practice. Oracle modifies these standards as the industry and technology evolve to enforce, for example, the timely deprecation of weaker encryption algorithms.\

Oracle defines requirements for encryption, including cipher strengths, key management, generation, exchange/transmission, storage, use, and replacement.

Entropy

Entropy is the secret ingredient of cryptography. It is the foundation upon which all cryptographic functions operate. Entropy, in cyber security, is a measure of the randomness or diversity of a data-generating function. Data with full entropy is completely random and no meaningful patterns can be found. Low entropy data provides the ability or possibility to predict forthcoming generated values. One measure of the quality of cryptographic functions is to measure the entropy of their output. Highly entropic algorithms are needed for encryption and has functions.

Entropy is a degree of uncertainty. The level of chaos in the data can be calculated using the entropy of the system. Higher entropy indicates higher uncertainty and a more chaotic system.

Hash Functions

A couple of years ago, Oracle moved from SHA1 to SHA256 to make PeopleSoft passwords more complex. They did this because they realized the number of characters in the password and the Hash function itself were working together to reduce complexity in cracking the passwords.

Therefore, Oracle changed the Hashing function to 256 and added WithSalt which increases the complexity of the resulting Hash string. They also made those functions available to customers.

They included a secure random generator that is a cryptographically secure random number generator in PeopleCode.

The Rand function is a pseudo-random number generator. It’s typically based on a string that is embedded in the firmware. It will always be the same. At one stage, it was used as a signature for installing software.

Below are descriptions of the Hash functions:

PeopleSoft Encryption Technology

PeopleSoft Encryption Technology provides a way for you to secure critical PeopleSoft data and communicate safely with other businesses. It enables you to extend and improve cryptographic support for your application data, giving you strong cryptography with the flexibility to change and grow by incrementally acquiring stronger and more diverse algorithms for encrypting data. You can use PeopleSoft Encryption Technology to secure data in flat files or in database tables.

You can encrypt any data used in your application by invoking PeopleCode to apply your preferred encryption algorithms. You can obtain these algorithms from various vendors’ cryptographic libraries using the capabilities you want from each library.

Features of PeopleSoft Encryption Technology give you access to a robust set of algorithms. These include:

• The ability to encrypt, decrypt, sign, and verify fields in a database
• The ability to encrypt, decrypt, sign, and verify external files
• A secure keystore for encryption keys of widely varying types
• The ability to convert data from one encryption scheme to another

PSCipher

The PSCipher feature encrypts and decrypts text used in your PeopleSoft system. System administrators interact with PSCipher through a Java command line utility located on the web server.  This enables you to encrypt text, such as user IDs and passwords, stored in configuration files. PSCipher also involves a runtime element running on the application server that decrypts the encrypted text. The runtime element requires no user interaction.

The PSCipher decrypts text encrypted in previous releases. For example, PSCipher in Enterprise PeopleTools 8.50 supports text encrypted with PSCipher in Enterprise PeopleTools 8.46. For more info, see the following document from Oracle: Using the PSCFipher Utility.

The encryption key used by PSCipher is stored in a key file named psvault. This file is critical to your system security. It is very important to protect this file using OS level protection for read and write access and to save a backup of your key file. Oracle recommends backing up your latest key file to a safe location each time you build a new one.

Data Masking and Data Privacy

GDPR was the big boost for implementing data masking, but it has always been recommended for maintaining privacy. PeopleSoft Data Privacy Framework provides pages for identifying and maintaining Personally Identifiable and sensitive information. Personally Identifiable Information (PII) is any information that directly or indirectly helps to determine the identity of an individual. A common example for PII is a person’s name. Examples of sensitive information include ethnicity or compensation rate. PeopleSoft captures many data elements that can be considered PII, Sensitive, or both.

The framework helps in the following ways:

• Maintain Category/Classification setup data and their Data Privacy attributes
• Maintain Data Privacy Attributes for PeopleSoft Application Record Fields that store Sensitive and Personally Identifiable data
• Generate and View references for Components at Record Field Level and Component Record Field level

Page and Field Configurator

PeopleSoft Page and Field Configurator enables users to configure certain properties of pages and fields in Classic and Fluid pages based on their business requirements. It allows the users to define multiple configurations for a component based on different user roles or user lists. Users can define multiple criteria based on the component fields and system variables, and selectively apply the configurations at runtime if the criteria is satisfied based on runtime values. The Page and Field Configurator supports two types of configurations: Standard and Masking.

In standard configuration, a user can do the following without having to customize delivered application pages:

• Hide a field/page
• Change the label of a field
• Add a default value to a field
• Make a field/page read-only
• Mark a field as mandatory
• Verify configuration against underlying page metadata

In masking configuration, a user can mask page fields and search fields based on a chosen Mask profile.

PeopleSoft Security Queries

Security queries are delivered as PS queries. This means they can be combined for better reporting on where compromises are likely to exist. For example, you can see which users have permission lists or roles that they shouldn’t have.

To run User ID queries, go to User Profiles > User Profiles and click the User ID Queries tab.

Web Profile – Client IP Address and HTTP Reporter

As for accessing the remote client page, you’ll take this route: PeopleTools > Web Profile > Web Profile Configuration. Then select the Remote Client page tab.

Use the Remote Client page to define directives used by the PeopleSoft system to identify and log remote client addresses.

When a remote client makes a request to a PeopleSoft system, it is rare that the remote client connects directly to the PeopleSoft system. Instead, multiple intermediate servers such as firewalls, proxy servers, load balancers, routers, and more handle the request on behalf of the actual remote client. Any of these machines may forward the request after putting their own address in place of the actual remote client’s address. When this address substitute takes places, then that network machine must put the actual remote client address elsewhere in the packet—usually in an HTTP request header. If it does not do this, then the actual remote client address is lost to downstream hosts. When this occurs, the address recorded by the PeopleSoft system is the HTTP request’s last hop, which is frequently a load balancer, reverse proxy server, or other box within your intranet.

To learn more about configuring remote client directives check out Oracle’s Configuring Web Profiles document.

HTTP Request Reporter

HTTP Request Reporters is similar to an extended version of printenv CGI or Perl scripts delivered with most web servers as a debug or triage function, mainly for developers.

OAuth 2.0 Support

OAuth (Open Authorization) is an open standard which allows an end user’s account information to be used by third-party services without exposing the user’s password. Initially, OAuth 2.0 supported Oracle Identity Cloud Service (IDCS) and Chatbot REST Services. Oracle has extended OAuth 2.0 support to Azure, Okta, and Ping.

For additional information on OAuth 2.0, you can check out Oracle’s Understanding OAuth 2.0 document.

SSL/TLS

The PeopleSoft system takes advantage of HTTPS, Secure Sockets Layer/Transport Layer Security (SSL/TLS) and digital certificates to secure the transmission of data from the web server to an end user’s web browser. It also secures the transmission of data between PeopleSoft servers and third-party servers over the internet.

PeopleSoft customers can implement PeopleSoft software using HTTP or HTTPS. The native SSL/TLS support in commercially available web browsers and web servers is used to provide HTTPS communication between the web browser and web server.

Anytime you implement SSL/TLS with mutual authentication (both client and server authenticate each other), you need the following three items:

• Server Certificate (issued by some trusted third party or certificate authority)
• Client Certificate (issued by the same trusted third party or certificate authority)
• Client and server both need a copy of a root certificate for the trusted third party

The root certificate has the crypto keys (public and private key) of the authority. Using these keys and the client and server certificates, each party is able to authenticate the other. When you log on to an SSL/TLS server using your browser, you don’t have to worry about a Root Certificate because most come bundled with the browser.

BI Publisher

BI Publisher for PeopleSoft report output in PDF format can be digitally signed to verify the authenticity of the report output that you send and receive, and to validate that the output has not been altered since the PDF was created and digitally signed.

To learn more about applying digital signatures to PDF Report Output and the participants, permission lists, and roles involved, check out Oracle’s Understanding Applying Digital Signatures to PDF Report Output.

Oracle Transparent Data Encryption

PeopleTools enables you to implement Oracle’s Transparent data encryption (TDE) feature to encrypt the data you select, enhancing the security of your PeopleSoft applications. TDE enables encryption of sensitive data in database table sets as it is stored in the operating system files. It provides for secure storage and management of encryption keys in a security module located outside database, separating ordinary program functions from those that pertain to security, such as encryption.

Major caveats are:

• Ensuring safety of the Wallet and password
• Performance degradation depending on the encryption algorithm chosen (e.g. AES 256 is slower than AES 128)
• Managing password and key rotation

NACHA

The National Automated Clearing House Association (NACHA) sets data security requirements for originators to protect Direct Deposit Bank Account Numbers used in the initiation of Automated Clearing House (ACH) entries by rendering them unreadable when stored electronically. To comply with these rules you must perform a small amount of setup. It is also important to understand how PeopleSoft encrypts, decrypts, and masks bank account numbers

Part of the NACH requirements indicate that you must have a secure transmission when sending or receiving bank account information. PeopleSoft is not responsible for this. You must work with your financial institution to guarantee secure transmissions.

Note: This feature requires PeopleTools 8.57.15 or above.

Access Management – OAS and IDCS

PeopleSoft applications support Oracle Access Manager as the single sign on solution. To see how to implement OAM for SSO, review Oracle’s Implementing Oracle Access Manager as the PeopleSoft Single Signon Solution.

Oracle Identity Cloud Service integration with Oracle PeopleSoft Human Capital Management (HCM) provides Single Sign on (SSO) using a User ID and a password. For more information, see Oracle’s Integrate Oracle Identity Cloud Service SSO with Oracle PeopleSoft HCM.

PeopleTools 8.60 Features

New features delivered in PeopleTools 8.60 include several PeopleTools security features, including increased password character limits and virus scanning on application server.

Password length has been found to be a primary factor in password strength. The number of characters that you can entre for passwords has been increased for user accounts. Enter up to 64 characters for passwords when configuring the following accounts:

• PeopleSoft user accounts (operator IDs on the User Profile page
• LDAP administrator on the Configure LDAP Directories page
• Public user ID on the Web Profiles Configuration page

As mentioned above, PeopleTools also now provides the capability to scan attachments for viruses before streaming the attachments from the application server to the PeopleSoft system.

The graph below shows the amount of time it takes for a hacker to brute force your password. When applied successfully, the new PeopleSoft security features from Oracle empower you to be in the green zone:

Improved Access Logging

System administrators use queries on the Review Security Information page to track user log-in and lot-out activity. In addition to tracking log-in and log-out times, the queries have been enhanced with more information about each session and the reason the session ended. The queries include the following information:

• Sign On Type – Describes whether the user has signed on in PIA.
• Tracking ID/TRID – Uniquely identifies a user session.
• Sign Out Reason
  • User abandoned – a user closes the browser’s last PIA page without signing out or puts a new URL in the current PIA page and navigates away to another site.
  • Browser expire – The browser window times out due to inactivity and sends the web server notice of the expiration event.
  • User logout – The user actively signs out of PIA.
  • User re-login – While the user was signed on, a new login arrived for the same or another user.
  • Not set or other – When none of the above reasons apply, and, therefore, the reason is unknown.

User Profile Expiration Date

It is not possible to set user accounts so that they are locked out on a future date. This gives security administrators more control and convenience. For example, to grant access authorizations to accounts on a temporary basis, such as for contingent workers, or to expire an entire account when an employee leaves the company. You can use the Lock as a field on the User Profiles page to set the user account expiration date.

Support for Subject Alternate Names by PSKeyManager

Many browsers today require SSL certificates to be configured with subject alternate names or SAN attributes. Now the PSKeyManager utility supports the use of SAN attributes in creating private keys and certificate signing requests for web-based certificates. The PSKeyManager script includes a prompt for SAN. You can specify one or more domain name servers, IP addresses, email addresses, URLs, or an arbitrary object identifier.

PeopleTools Security Roadmap

There are enhancements to come for Page and Field Configurator.

Oracle is reviewing the feasibility of using the Page and Field Configurator to track changes to business documents. With this capability, an organization may be able to identify specifics fields on specific components for which they would like changes tracked.

This might include changes to:

• The organization’s external banking account information
• A project budget or contract award profile in Financials
• An employee’s benefit enrollment or job information based on criteria such as business unit or other fields on the page and user role

Tracked information may include the user who made the change, if correction mode was used to make the change, the date of the change, and the new and previous value. Oracle is also looking to provide power users quick and efficient access to the change history using a reporting index and analytics.

For more PeopleTools Security features and information, watch the full BLUEPRINT 4D session Recording: Keeping up with the latest updates to PeopleTools Security.

To learn more about PeopleSoft, check out the Quest Content Library.