#36 – Brace yourselves, Elasticsearch is coming

This week on The PeopleSoft Administrator Podcast, Kyle updates his psadmin-plus project, Duncan Davies shares an “Oh No!” story, Dan talks about some custom Puppet modules he wrote, and we talk about Elasticsearch’s 8.55.10 release.

16p3u2


We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Show Notes

#23 – The App Server w/ David Kurtz

This week David Kurtz joins us again to talk about the application server. David get’s into the details on how the application server works. Dan and Kyle also discuss a proposal for Control-J information on mobile devices and Fluid pages.

We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Show Notes

Let’s Encrypt with PeopleSoft

Let’s Encrypt is a service provided by the Internet Security Research Group to provide free SSL certificates to anyone. The goal of the project is get the entire web encrypted. I mentioned the project in Episode 7 of The PeopleSoft Administrator Podcast and thought it would be a great exercise to try it with PeopleSoft.

Let’s Encrypt uses a client on the server to automate the certificate request process. The client will:

  • Validate that you own the web server
  • Generate a CSR
  • Download the certificate
  • Apply the certificate to the web server (limited support)
  • Automatically renew the certificate

There are a few requirements to use the Let’s Encrypt clients though:

  • The web server needs to accessible by the internet. The Let’s Encrypt site will validate that you own the server by checking for a specific file on the web server.
  • Not all operating systems are supported, yet.
  • Some web server’s have built-in support (IIS, Apache), but others do not (e.g, WebLogic). We can still generate certificates though, the automatic renewal won’t update the webserver though.

Install Let’s Encrypt Client for Windows

We’ll use the letsencrypt-win-simple command line client for Windows. Download the latest release from GitHub and extract the folder to a permanent location.

Generate a new certificate

  1. Run .letsencrypt.exe --accepttos[code lang=text]
    Let’s Encrypt (Simple Windows ACME Client)

    ACME Server: https://acme-v01.api.letsencrypt.org/
    Config Folder: C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.org
    Loading Signer from C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orgSign
    er

    Getting AcmeServerDirectory
    Loading Registration from C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orgRegistration

    Scanning IIS 7 Site Bindings for Hosts
    No IIS bindings with host names were found. Please add one using IIS Manager. A host name and site path are required to
    verify domain ownership.
    No targets found.

    M: Generate a certificate manually.
    A: Get certificates for all hosts
    Q: Quit
    Which host do you want to get a certificate for:
    [/code]

  2. Since we are not running IIS, we’ll generate a certificate manually.[code lang=text]
    Which host do you want to get a certificate for: M
    Enter a host name:
    [/code]
  3. Enter the DNS name for your web server.[code lang=text]
    Enter a host name: hr.psadmin.io
    Enter a site path (the web root of the host for http authentication):
    [/code]
  4. Next, enter the root path for your web server. If you are running WebLogic, that will be PORTAL.war directory on your web server.[code lang=text]
    Enter a site path (the web root of the host for http authentication): W:pt8.55webservpeoplesoftapplicationspeoplesoftPORTAL.war
    [/code]
  5. Then, the Let’s Encrypt client will create a new file under PORTAL.war.well-knownacme-challenge. That file will be used to validate that you own the web server.[code lang=text]
    Authorizing Identifier ps92t855.psadmin.io Using Challenge Type http-01
    Writing challenge answer to W:pt8.55webservpeoplesoftapplicationspeoplesoftPORTAL.war.well-known/acme-challenge
    /1c2yN7Y93sJwRUmRGaoG4kT-QynrIcGr4szre-3nTsQ
    Answer should now be browsable at http://ps92t855.psadmin.io/.well-known/acme-challenge/1c2yN7Y93sJwRUmRGaoG4kT-QynrIcG
    r4szre-3nTsQ
    Submitting answer
    Refreshing authorization
    Authorization Result: valid
    Deleting answer
    [/code]
  6. After the web server ownership is verfied, new certificates will generated and copied to your system. The certificates are copied to your %USERPROFILE%AppDataRoamingletsencrypt-win-simple folder in a few formats:
    • .der
    • .pem
    • .pfx

    The client will also add the certificates to the Windows Certificate Store for you. To add the certificates to WebLogic, we’ll use the .pem

    [code lang=text]
    Requesting Certificate
    Request Status: Created
    Saving Certificate to C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orghr.psadmin.io-crt.der
    Saving Issuer Certificate to C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orgca-009813F47513E5750B43E7431E971E44BD-crt.pem
    Saving Certificate to C:UsersAdministratorAppDataRoamingletsencrypt-win-simplehttpsacme-v01.api.letsencrypt.orghr.psadmin.io-all.pfx (with no password set)
    Opened Certificate Store “WebHosting”
    Adding Certificate to Store
    Closing Certificate Store
    WARNING: Unable to configure server software.
    Creating Task letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org with Windows Task Scheduler at 9am every day.
    Renewal Scheduled Manual hr.psadmin.io (W:pt8.55webservpeoplesoftapplicationspeoplesoftPORTAL.war) Renew A
    fter 2/9/2016
    Press enter to continue.
    [/code]

Create a New pskey Keystore

Now that we have certificates, let’s create a new pskey file with the certificates. We’ll use Keystore Explorer to quickly generate the file.

  1. Open Keystore Explorer. (If it’s first time you’ve used it, follow the instructions to download the Unlimited Strength files).
  2. Create a new keystore file.
  3. Select the file type of “JKS”.
  4. Select “Tools > Import Key Pair”.
  5. Select the “OpenSSL” option.
  6. Deselect “Encrypted Private Key”.
  7. For the “OpenSSL Private Key File”, select the file hr.psadmin.io-key.pem.
  8. For the “Certificate(s) File”, select hr.psadmin.io-cert.pem
  9. Click “Import”.
  10. Enter an alias name that is descriptive. I used hr.psadmin.io-2015-12.
  11. Since the prive key was delivered without a password, we’ll want to enter one. Enter a password for the key pair.

Now you have the private and public key for your DNS entry in the keystore. Next, we need to add the root (and intermediate) certificates so that a chain of trust is established.

  1. In Keystore Explorer in our new keystore file, right-click on our certificate. Select “Edit Certificate Chain > Append Certificate”.
  2. Select the file ca-GUID-crt.pem and click “Append”.
  3. Save the file, give the keystore a password, and name the file pskey-2015-12.

Load Keystore into WebLogic

After importing the certificates into pskey-2015-12, we need to copy the file to the web server and tell WebLogic to use the new file. The integrationGateway.properties file will need to know about the new keystore as well.

  1. Copy the pskey-2015-12 file to your web server directory %PS_CFG_HOME%webservpeoplesoftpiaconfigkeystore.
  2. Log into the WebLogic console.
  3. Navigate to “Environment > Servers > PIA > Keystores”.
  4. Click the “Lock & Edit” button to allow editing.
  5. Click the “Change” button for the Keystores option.
  6. Select “Custom Identity and Custom Trust” and “Save”.
  7. In the “Custom Identity Keystore” box, change the file name to piaconfig/keystore/pskey-2015-12.
  8. In the “Custom Identity Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
  9. In the “Custom Trust Keystore” box, change the file name to piaconfig/keystore/pskey-2015-12.
  10. In the “Custom Trust Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
  11. Click Save.

WebLogic will look at the new keystore file. Next, we need to tell WebLogic certificate it should serve to users.

  1. Click on the “SSL” tab.
  2. Change the “Private Key Alias” to hr.psadmin.io-2015-12.
  3. In the “Private Key Passphrase” boxes, enter the password you gave the hr-psadmin.io-2015-12 keypair.
  4. Click Save.
  5. Click the “Activate Changes” button.

Update integrationGateway.properties

Before we reboot the WebLogic domain, we need to update the integrationGateway.properties file.

  1. On your web server, open the integrationGateway.properties file under %PS_CFG_HOME%webservpeoplesoftapplicationspeoplesoftPSIGW.warWEB-INF.
  2. Find the line secureFileKeystorePath and change file name to pskey-2015-12.
  3. If the password you gave the keystore is different than the previous file, you’ll need to update that parameter in the file.
    1. Open a command prompt and go to %PS_CFG_HOME%webservpeoplesoftbin.
    2. Run the command setEnv.cmd to set the environment variables.
    3. Go to the folder piabin.
    4. Run the command PSCipher to get the encrypted text.
  4. Restart your WebLogic domain.

Test your HTTPS Connection

As WebLogic is starting up, make sure to check the logs to verify that the server started with your new certificate. Once the server has started, open a browser and go test the site. You should see a secure connection in the browser to your site.

#3 – HTTPS and WebLogic

In episode 3 of The PeopleSoft Administrator Podcast, Dan and Kyle talk about HTTPS. We discuss what HTTPS is and how to implement HTTPS with WebLogic. Dan shares how to mitigate against the newer SSL attacks, and tips and tricks to help manage certificates and simplify configuring HTTPS. We also review some of our PeopleTools 8.55 predictions after the OpenWorld presentations were released.

We want to make this podcast part of the community discussion on PeopleSoft administration. If you have comments, feedback, or topics you’d like us to talk about, we want to hear from you! You can email us at podcast@psadmin.io, tweet us at @psa_io, or use the Twitter hashtag #psadminpodcast.

You can listen to the podcast here on psadmin.io or subscribe with your favorite podcast player using the URL below, or subscribe in iTunes.

Podcast RSS Feed

Links from this episode:

Resetting a Lost pskey Password

Recently, I had to install a new certificate on a web server, but was unable to open the keystore where the private key was generated. At some point, the password for the pskey file has been changed (or not documented when set) so I was unable to open the file. I didn’t want to loose the private key, so I had to find a way to get into the keystore.

JKS files

The pskey file is just a JKS (Java KeyStore) file and has a well documented format. There isn’t a built-in way to reset the password using pskeymanager or keytool (without knowing the existing one), but we can rewrite the JKS file and add in a new password. This gist has two classes that you can compile to rewrite your pskey file.

This does not change the passwords on your private keys inside the keystore, just the password that opens the keystore itself.

Compile and Run

You will need to download the two classes and compile them. Save the files as:

  • ChangePassword.java
  • JKS.java

Make sure you have a JDK installed on your machine; you need to have the javac compiler. Compile the two classes with this command:

javac ChangePassword.java

After it compiles, you will have to new .class files. Copy your pskey from the web server to the folder where you compiled the two classes. Finally, let’s rewrite our pskey file with a new password:

java ChangePassword pskey pskey-new

You will be prompted to enter a new password. Now you have a new keystore file. The contents are the same, but the keystore password is reset. You can copy the pskey-new file to your web server and rename it back to pskey. If the password is new, you will need to update the Keystore tab in the WebLogic console, and update your integrationGateway.properties file.


This should be a last resort, but if you find yourself unable to open pskey you can always give this a try. Make to sure back up your pskey file before you try anything. You don’t want to try this and end up losing the keystore completely!