
How to enable WebService Security for outbound Service Operations in 848 and 849?

This document describes the setup steps for an Integration Broker outbound WSS message on 848 and 849 ONLY.

In 848 and 849, WebService Security is enabled with Username Token.

WS-Security Standard Supported

PeopleSoft implements the OASIS Standard 1.0 WS-Security schema, which conforms to the Web
Service Security standard version 1.
See http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Within this framework, PeopleSoft implements:
- Username Token Profile 1.0
- X.509 Token Profile 1.0
PeopleSoft's X.509 Token Profile is used as a supplement to the Username Token Profile.
The PeopleSoft implementation of WS-Security supports:
- Clear-text UsernameToken (password is optional)
- Digitally signed UsernameToken
- Encrypted, digitally signed UsernameToken

Notes: Digital signatures apply to the SOAP message header and SOAP message body.
Encryption only applies to the SOAP header.

Username Token can be used in conjunction with Digitally Signed and/or Encryption [X.509
Token].

Username Token:
We support clear-text passwords in the Username Token only.
If there is a concern about the password, use HTTPS or WebService Security's encryption as
defined below.

We also support Username Token without a password.

Prerequisite:
The Integration Broker Gateway must be set up.

WSS uses interop.jks by default. However, you can also use the Java keystore pskey.
Whichever one you choose to use, the wss.properties file must point to the keystore in use. The
password defined in the wss.properties file must be the same one used in the keystore and must
be encrypted using the pscipher utility. If you are using interop.jks, the default password is
interop; if using pskey, the default password is password.

For Integration Broker, WSS by default uses

PSHOME\webserv\peoplesoft\applications\peoplesoft\PSIGW.war\WEB-INF\classes\interop.jks

Wellen Lau Page 1 7/14/2019


Example:
Service Operation QE_PO_SYNC is published from QE_LOCAL (default local node) to
QE_IBTGT (external/remote node).

The following is for Outbound Service Operations ONLY:

1. To enable digital signing for the outbound message:

a. Create a keypair [public key and private key] with the Java keytool utility.
b. The alias name for this keypair MUST match your Default Local node, which is
QE_LOCAL in this example.

keytool -genkey -alias QE_LOCAL -keyalg RSA -keysize 1024 -dname "CN=QE_LOCAL, OU=PeopleTools, O=Oracle, L=Pleasanton, ST=California, C=US" -keypass interop -keystore interop.jks -storepass interop

c. Generate a CSR for this public key and have it signed by the CA.
d. Download the signed public key cert and the root CA cert.
e. Import the Root CA cert first, then import the public key cert.

This process ensures the SOAP message will be signed. It signs the entire SOAP
message – the header and the body.

2. To enable encryption for the outbound service operation:
a. Make sure to get the third party's public key cert and root CA cert into Integration Broker's interop.jks.
b. Make sure to import the third party's public key cert with an alias name that MUST be the same as
the Remote Node name, which is QE_IBTGT in this example.

keytool -import -alias QE_IBTGT -file qe_ibtgt.cer -keypass interop -keystore interop.jks -storepass interop
[note: the cert file name does not need to match the alias name].

Note: if step #1 is enabled, make sure Digitally Signed is also checked.

The following example shows a WS-Security SOAP header that contains a UsernameToken in
cipher text and that is digitally signed. This is the most secure configuration for WS-Security in
PeopleSoft Integration Broker.
<soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference>
          <ds:X509Data>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>CN=PeopleTools TEST root CA,DC=peoplesoft,DC=com,OU=PeopleTools Development,O=PeopleSoft Inc,L=Pleasanton,ST=CA,C=US</ds:X509IssuerName>
              <ds:X509SerialNumber>174697022083003580418117</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </ds:X509Data>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>q8ytyn0kRisc3i7GwGtoQuU6NSXfvSNoJg76PWpppt4b4DoH8bRObvht8GLu904OExYBrNDB26qqOlKVpIzGrCJFgetlhikGghH/u29GC96+YfFdxSFqcJo5PpJR1KnVZP0sKO4IHVIEcuxp7MonoV6dm5kd0d8atVwKXhJe5Yk=</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#EncDataId-13925529"/>
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#id-763474">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>cNBCuvnSP5MMlsJvaHMrZm9CsK0=</ds:DigestValue>
        </ds:Reference>
        <ds:Reference URI="#id-13925529">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>p+IodojBA2QzX6p9xe6PKJyUKSg=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>D/kTMJZvxnv7fjWzmvKC1xe8VSDiSz4lZDzFrf8qFFoXux+C2xD47TLWnD7m8ejp/Un3mzjWkVN8S4FpwRr/ymrxWTKWLrjCOzmjSW+ZbjGvs5UfpFyzEH7PWrXt+LnTeMKKJWYjzOi7HCHCVK9aC/RZCt7PkCbSZ7DJoOQO/lU=</ds:SignatureValue>
      <ds:KeyInfo Id="KeyId-28705465">
        <wsse:SecurityTokenReference wsu:Id="STRId-7131385" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <ds:X509Data>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>CN=PeopleTools TEST root CA,DC=peoplesoft,DC=com,OU=PeopleTools Development,O=PeopleSoft Inc,L=Pleasanton,ST=CA,C=US</ds:X509IssuerName>
              <ds:X509SerialNumber>174332155640842765207620</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </ds:X509Data>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
    <xenc:EncryptedData Id="EncDataId-13925529" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
      <xenc:CipherData>
        <xenc:CipherValue>wqrOr/efBcghEdcTPZMPqbrUu9mF+iCSLf2UhLYjOcVg30+58TX3FCKXJhExi3iEdbuVrYt60mq3Maka6cg6+0JXw0Qmbjbl5qG8p…</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </wsse:Security>
</soapenv:Header>
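The following is an added example, not code from the PeopleSoft document: a structural lint for a WS-Security header laid out like the one above (EncryptedKey, then Signature, then EncryptedData). It resolves every xenc:DataReference and ds:Reference against the Ids present in the message and lists the legacy algorithm identifiers in use; a signed element that is encrypted afterwards (the header above references #id-13925529 while the EncryptedData carries Id EncDataId-13925529) only resolves after decryption, so such URIs are reported rather than rejected. The SOAP envelope, the Ids and the PLACEHOLDER values are constructed for this example.

```python
# Added example (not from the PeopleSoft document): a structural lint for a
# WS-Security header laid out like the one above. It checks that every
# xenc:DataReference and ds:Reference points at an Id present in the message
# and lists legacy algorithm identifiers. The SOAP message is constructed;
# PLACEHOLDER stands in for the real base64 cipher/digest/signature values.
import xml.etree.ElementTree as ET

NS = {"soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#"}
# SHA-1 and RSA PKCS#1 v1.5 are deprecated in XML Signature/Encryption 1.1; 3DES has a 64-bit block.
LEGACY = {NS["ds"] + "rsa-sha1", NS["ds"] + "sha1",
          NS["xenc"] + "rsa-1_5", NS["xenc"] + "tripledes-cbc"}

SAMPLE = """<soapenv:Envelope xmlns:soapenv="{soapenv}" xmlns:wsse="{wsse}"
 xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:xenc="{xenc}"><soapenv:Header>
 <wsse:Security soapenv:mustUnderstand="1">
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="{xenc}rsa-1_5"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-7"/></xenc:ReferenceList>
  </xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{ds}rsa-sha1"/>
   <ds:Reference URI="#id-7"><ds:DigestMethod Algorithm="{ds}sha1"/>
    <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
   <ds:Reference URI="#id-9"><ds:DigestMethod Algorithm="{ds}sha1"/>
    <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <xenc:EncryptedData Id="EncDataId-7" Type="{xenc}Element">
   <xenc:EncryptionMethod Algorithm="{xenc}tripledes-cbc"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="id-9"><QE_PO_SYNC/></soapenv:Body></soapenv:Envelope>""".format(**NS)

def lint_wss_header(soap_xml):
    """Return (unresolved reference URIs, legacy algorithms used) for one envelope."""
    root = ET.fromstring(soap_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None or sec.get("{%s}mustUnderstand" % NS["soapenv"]) != "1":
        raise ValueError("wsse:Security with mustUnderstand=1 is required")
    # Every plain Id or wsu:Id in the message, in the "#id" form used by URI attributes.
    ids = {"#" + v for el in root.iter() for a, v in el.attrib.items()
           if a in ("Id", "{%s}Id" % NS["wsu"])}
    uris = [r.get("URI") for r in sec.iter("{%s}DataReference" % NS["xenc"])]
    uris += [r.get("URI") for r in sec.iter("{%s}Reference" % NS["ds"])]
    # A signed element that was encrypted afterwards only resolves after decryption.
    unresolved = [u for u in uris if u not in ids]
    algs = {el.get("Algorithm") for el in sec.iter() if el.get("Algorithm")}
    return unresolved, sorted(algs & LEGACY)
```

On the constructed sample this reports #id-7 as unresolved in the outer document (it lives inside the encrypted element) and all four algorithm identifiers as legacy choices.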

Troubleshooting:
1. Username Token is not in the header of the SOAP message.
a. Make sure the remote node that is associated with the Service Operation has WS-Security enabled.
b. The remote node must be using the HTTPTARGET connector, as WSS is only implemented with this
target connector.

2. What if the issue still persists?
a. Set ig.log.level = 5 in the integrationgateway.properties file. The file is located in
PSHOME\webserv\peoplesoft\applications\peoplesoft\PSIGW.war\WEB-INF\integrationGateway.properties
b. Test and then send the MsgLog.html and ErrorLog.html to GCS. The location of the log
files is defined in the integrationgateway.properties file.
