Tuesday, December 08, 2015

PeopleSoft Support of TLS 1.2 when connecting to LDAP/HTTP servers using LDAPS/HTTPS URLs

Currently all PeopleSoft PeopleTools releases, including 8.55, only support Java 1.7 for the Appserver. Java 1.7 supports TLS 1.1 and TLS 1.2, but by default it only enables SSL 3.0 and TLS 1.0; TLS 1.1 and TLS 1.2 are not enabled. For HTTPS connections this is easy to fix by adding the https.protocols parameter to the JavaVM Options line in the Appserver (psappsrv.cfg) and Batch server (psprcs.cfg) config files:

JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

Once you modify the parameter, simply restart the Appserver or Batch server and it will take effect. There is no need to reconfigure the Appserver or Batch server.

Please note this only works for HTTPS connections, for example when connecting to an Integration Gateway web server that only accepts TLS 1.1 or TLS 1.2 connections.

To make this also work for an LDAP or Directory server that is configured to accept only TLS 1.2 connections, for compliance with PCI DSS v3.1 (mandatory after June 30 2016), a code change to $PS_HOME/appserv/classes/psft/pt8/pshttp/PSLdapSSLSocketFactory.class is required so that it requests TLSv1.2 instead of SSL on the following line:

SSLContext sslcontext = SSLContext.getInstance("SSL");

needs to be changed to

SSLContext sslcontext = SSLContext.getInstance("TLSv1.2");
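As an added illustration (not PeopleSoft's code and not the contents of PSLdapSSLSocketFactory.class), the following hypothetical JNDI socket factory applies the same one-line change and additionally pins each socket to TLS 1.2 so that no SSL 3.0 or TLS 1.0 fallback is possible; the class name, the connect() helper and the ldaps hostname are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;
import javax.net.ssl.*;

// Hypothetical stand-in for a patched LDAP socket factory. The functional change
// from the "SSL" version is the protocol name passed to SSLContext.getInstance.
public class Tls12LdapSocketFactory extends SSLSocketFactory {
    private static final String[] PROTOCOLS = { "TLSv1.2" };
    private final SSLSocketFactory delegate;

    public Tls12LdapSocketFactory() throws GeneralSecurityException {
        SSLContext sslcontext = SSLContext.getInstance("TLSv1.2"); // was "SSL"
        sslcontext.init(null, null, null); // default key/trust managers (JRE cacerts)
        delegate = sslcontext.getSocketFactory();
    }

    // JNDI looks this static method up when java.naming.ldap.factory.socket is set.
    public static SSLSocketFactory getDefault() {
        try { return new Tls12LdapSocketFactory(); }
        catch (GeneralSecurityException e) { throw new IllegalStateException("TLSv1.2 unavailable", e); }
    }

    // Restrict the enabled protocol list before the handshake starts.
    private Socket pin(Socket s) {
        ((SSLSocket) s).setEnabledProtocols(PROTOCOLS);
        return s;
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return pin(delegate.createSocket(s, h, p, a)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return pin(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) throws IOException { return pin(delegate.createSocket(h, p, l, lp)); }

    // Example JNDI bind over LDAPS using the factory above (hostname is a placeholder).
    public static DirContext connect(String url, String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // e.g. "ldaps://ldap.example.com:636"
        env.put("java.naming.ldap.factory.socket", Tls12LdapSocketFactory.class.getName());
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
}
```

Against a directory that only accepts TLS 1.2, the "SSL" variant of the same factory fails with the SSLHandshakeException quoted later in this post, while this one completes the bind.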

Currently there are no configuration parameters to fix this issue. Please open a support case with Oracle and reference the bug number below if you need the fix for this issue.

There is an open PeopleSoft bug to address this issue.

22323376 - LDAP FAILS TO CONNECT TO LDAP SERVER USING TLS 1.2

This will impact any PeopleSoft application that is considered a PCI in-scope application and uses TLS 1.2 for authentication with an LDAP Directory server over the LDAPS protocol.

You will see the following error in the Appserver when connecting to the LDAP server using the delivered page:

[Root exception is javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake]

Please note PeopleSoft uses JNDI to connect to the LDAP Directory server via the delivered Directory Interface Business Interlink.


Amit Desai said...

I am interested to see how the Java code is handling the SSL handshake. Is it possible to share more details? I am not using PeopleSoft, but the Java version issue is the same and applicable to my code. I am trying to use LDAPS and it fails with an SSLHandshakeException.

Unknown said...

I see some posts enabling TLS on the PIA WebLogic side by adding this parameter in PIA_HOME/webserv//bin/setEnv.cmd:

append in JAVA_OPTIONS variable: -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1

How is it different from doing it in the Appserver/Process Scheduler config files?