Today, I am going to share a few important points on security for when you are integrating PeopleSoft with another system via web services (which I experienced in my recent work).
Suppose you are integrating PeopleSoft with a third party via RESTful/SOAP synchronous web services. We can authenticate the incoming request to PeopleSoft via basic authentication, PS Token, SSL, or None. Below are the steps mentioned in PeopleBooks for securing your application.
1. Attach a permission list (one that has access to Integration Broker) to the service operation.
2. Set 'Required Verification' on the Service Operation page to the desired value. If you set the value to NONE, none of the validation at the PeopleSoft end will be triggered for the incoming request (this was my assumption with Tools version 8.54.12).
So when we set the value to 'Basic Authorization', the incoming message should contain a header with the basic authorization value as Base64-encoded NodeUser:Password.
The PeopleSoft node user is validated for each incoming request from the third party.
There is a bug in PeopleTools: even if you set the value to NONE, it still validates the node user, and the request will fail if the message does not contain a basic authorization header or contains wrong values. As a workaround, you need to do the following:
1. Customize the RESTListeningConnector.class file on the web server until Oracle puts a fix in the next patch level (for those who are on 8.54.12 or below).
2. This connector class searches for the string 'BASIC' in the incoming message and performs validation without checking whether the validation flag on the service operation page is set to NONE or Basic Authorization. You need to either comment this out or add a conditional check for the flag.
After modifying the class file, place it in the same path and restart the services. Hope this will help people who have faced this issue in their implementation. Good luck!
Thanks,
Manoranjan
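The conditional check described in step 2 of the workaround, sketched as a stand-alone model. This is an added example, not the contents of RESTListeningConnector.class or any Oracle code; the class, enum, method names and sample credentials are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Stand-alone model of the flag-aware check; not PeopleTools code.
// All names (BasicAuthGate, Verification, isRequestAllowed) are hypothetical.
public class BasicAuthGate {
    enum Verification { NONE, BASIC_AUTHORIZATION }

    // Returns true when the request may proceed for the given service-operation setting.
    static boolean isRequestAllowed(Verification required, String authHeader,
                                    String nodeUser, String nodePassword) {
        if (required == Verification.NONE) {
            return true; // flag says no verification: do not inspect the header at all
        }
        if (authHeader == null || !authHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
            return false; // header missing or not the Basic scheme
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(authHeader.substring(6).trim());
        } catch (IllegalArgumentException e) {
            return false; // value is not valid Base64
        }
        String pair = new String(decoded, StandardCharsets.UTF_8);
        int colon = pair.indexOf(':'); // split on the first ':'; a password may contain ':'
        if (colon < 0) {
            return false;
        }
        // Constant-time comparison so timing does not reveal how much of a value matched.
        boolean userOk = MessageDigest.isEqual(
            pair.substring(0, colon).getBytes(StandardCharsets.UTF_8),
            nodeUser.getBytes(StandardCharsets.UTF_8));
        boolean passOk = MessageDigest.isEqual(
            pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8),
            nodePassword.getBytes(StandardCharsets.UTF_8));
        return userOk & passOk;
    }

    public static void main(String[] args) {
        // Constructed sample credentials, for illustration only.
        String user = "NODE_USER", pass = "s3cr:et";
        String good = "Basic " + Base64.getEncoder()
            .encodeToString((user + ":" + pass).getBytes(StandardCharsets.UTF_8));
        System.out.println(isRequestAllowed(Verification.BASIC_AUTHORIZATION, good, user, pass));
        System.out.println(isRequestAllowed(Verification.BASIC_AUTHORIZATION, "Basic !!!", user, pass));
        System.out.println(isRequestAllowed(Verification.BASIC_AUTHORIZATION, null, user, pass));
        System.out.println(isRequestAllowed(Verification.NONE, "Basic !!!", user, pass));
    }
}
```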
Hello,
Thanks for the information.
I am trying to transmit outbound calls from PeopleSoft to a third party REST service provider. I am trying to figure out where to set up the username and password in PeopleSoft for authenticating the calls going to the third party service. This is needed as the third party REST service requires their incoming requests to be authenticated. The third party service uses HTTP basic auth for authentication.
Would you be able to advise on where this needs to be set up in PeopleSoft?
Thanks,
Vinodh
Thanks Manoranjan.. Very helpful..
Thank you for sharing your blog, seems to be useful information can’t wait to dig deep!