Now we have the core PeopleSoft stack communicating encrypting traffic, we need to address the add-ons. Elastic search is becoming more important, and it is difficult to use PeopleSoft without it. Here is how to add encryption to Elastic Search and Kibana.

There is two way communication between Elastic search and PeopleSoft, Both of these directions need to be configured. Fortunately we have already done some of this work.

This procedure is documented in PeopleBooks under Products -> Development Tools -> Search Technology -> Working with PeopleSoft Search Framework Security Features. Here are links for Elasticsearch and Kibana

Here is an interesting problem we had recently. A field which should be length 1 was being reported in some cases to be length 4. How is this possible?

The Problem

I use dbms_sql.describe_columns to discover the size of the field in a remote database. I use this value to recreate a copy of the view in the remote database as a table locally. This is used for testing. We can mimic this in the local database as follows:

Further to my last article about applying critical patches to the web server, lets take a look at the application and database servers.

Which Servers?

In my mind WebLogic runs on the web tier, and Tuxedo runs on the Application and process scheduler tier. The Oracle Client is also on the Application and process scheduler tier. However, since these and Java are installed on all tiers, we should apply the patches on all tiers.

As I write this it is a month after Oracle released the critical patch updates, but there is still no sign of the Infra DPK, which contains Java and WebLogic updates. If Oracle are not going to supply this patch reliably, we will have to work out how to do it ourselves.

WebLogic (On the Web Server)

What WebLogic Patches does Oracle Install?

In a default install we can do the following as user psadm1:

In the last article we looked at encrypting communication between WebLogic and the load balancer. Now it is time to investigate the traffic between WebLogic and the Application server. Without this configuration the logs get filled with messages like this:

WARNING: LLE Configuration discovered!
   Note that LLE has been deprecated.
   You should upgrade to SSL to secure network links.

Let’s upgrade to SSL then!

Application Server

We already discussed TLS with regards to the Integration Broker and the Web Server. The application server conceptually works in the same way, but it (mostly) isn’t written in Java, so in practice the procedure is slightly different.

In the past we used to assume communication on our network was protected by physical security. Now that seems not to be a reasonable assumption. So we should probably encrypt communication within PeopleSoft. Here is how I do that.

We control both ends of communication between tiers of PeopleSoft. So we can create our own certificate authority, and instruct our software to trust it.

Creating the Certificate Authority (CA)

We need a root certificate for our Certificate Authority (CA). I created it as follows:

PeopleSoft in general leaves it to the administrator to ensure that digital certificates are set up properly. Given digital certificates don’t tend to change very often, and the provider changes even less frequently, it can be difficult to understand and remember how this works, and prevent issues.

What is a digital certificate?

The two parts

There are two parts to a digital certificate. One part is the private key which is used to encrypt data, and is installed, in our case, on the load balancer. It is important to keep this safe so nobody can impersonate our system. The public key is what we are mostly dealing with here. This is available to anyone and can be used to decrypt the data, and check it came from someone we trust.

The Problem

Our WebLogic server recently crashed. There were a number of issues identified in the post mortem, which were addressed to prevent the same thing happening again. It also occurred to us that WebLogic should restart itself automatically if it fell over. This is easily achieved using systemd, but for whatever reason Oracle chose not to configure it to do this.

Oracles Default Setup

This is a PeopleSoft system which might be configured slightly differently to other WebLogic installations. PeopleSoft by default provides a systemd unit file which is mostly copyright warnings, so I won’t include it here. Oracle have created a legacy init.d file which is called by systemd as a oneshot. This in turn calls the startPIA.sh and stopPIA.sh scripts as appropriate. So if the web server crashes, it stays stopped.