
21/09/2016

Incorporating LDAP Directory Services
This chapter provides an overview of LDAP directory services and discusses how to:
Configure the directory.
Cache the directory schema.
Create the authentication map.
Create User Profile maps.
Create role membership rules.
Delete directory configurations.
Enable Signon PeopleCode for LDAP authentication.
Use LDAP over SSL.
Note. This chapter assumes you have a working knowledge of LDAP-enabled directory servers.

Understanding the PeopleSoft LDAP Solution
PeopleSoft delivers three technologies that enable you to:
Authenticate against an LDAP V3 compliant directory server.
Reuse your existing User Profiles stored within LDAP.
The three technologies are:
Directory Business Interlink. The Directory Business Interlink exposes the Lightweight Directory Access Protocol (LDAP) to PeopleCode. The system uses it for all communication with the LDAP server process running on a directory server.
User Profile Component Interface. The User Profile Component Interface exposes the User Profile Component to PeopleCode. The system uses it to programmatically manage a local cache of User Profiles.
Signon PeopleCode. Signon PeopleCode is PeopleCode that executes when a user signs on to the system, similar to the login scripting of most network systems. Signon PeopleCode uses the Directory Business Interlink and the User Profile Component Interface to verify directory-based credentials and programmatically create a local User Profiles cache.
The combination of these three technologies provides a flexible way to configure PeopleSoft for integration with your directory server. No set schema is required in the directory. Instead, you can configure and extend the Signon PeopleCode to work with any schema implemented in your directory server.
The following topics involve setting up the LDAP integration technology on your site. These tasks assume that there is already an LDAP V3 compliant directory service installed, and that you are intending to import LDAP group values and apply them to PeopleSoft roles.
Note. When you enable LDAP Authentication, the password column on the PSOPRDEFN record is no longer used. Also, LDAP Authentication requires an application server; it does not work for two-tier signon.

Configuring the Directory
The Configure Directory component contains four pages that you use for specifying connection information and testing directory server connections.
To enable your PeopleSoft system to successfully connect to your directory server, you must enter the appropriate connection information. This includes the server name (DNS or IP address) and the listening port number. You also must enter the User DN (user distinguished name) and associated password.
The PeopleSoft application server uses the User DN and password to connect to the LDAP server to retrieve user profile information about the specific user signing in to the system. The User DN must reflect a user with the appropriate LDAP browse rights.
http://notes02.ntc.edu/servunits/isit/PS8_peoplebooks/eng/psbooks/tsec/book.htm


In this section, we discuss how to:
Specify network information for LDAP.
Specify additional connect DN's.
Install selected PeopleSoft-specific schema extensions.
Test the connectivity.

Pages Used to Configure the Directory

Page Name: Directory Setup
Navigation: PeopleTools, Security, Directory, Configure Directory, Directory Setup
Usage: Specify the network information of your LDAP directory servers, such as sign-in IDs and passwords.

Page Name: Additional Connect DN's
Navigation: PeopleTools, Security, Directory, Configure Directory, Additional Connect DN's
Usage: Specify connect DNs in addition to the default connect DN specified on the Directory Setup page.

Page Name: Schema Management
Navigation: PeopleTools, Security, Directory, Configure Directory, Schema Management
Usage: Install selected PeopleSoft-specific schema extensions into your directory.

Page Name: Test Connectivity
Navigation: PeopleTools, Security, Directory, Configure Directory, Test Connectivity
Usage: Test the distinguished names and search criteria that you entered on the previous pages of the Configure Directory component and view the results. The system tests the connectivity when you access this page.

Specifying Network Information for LDAP
Access the Directory Setup page.

Directory Setup page

Directory ID: Identifies the directory connection that you are creating. The directory ID that you enter can identify a specific LDAP server or a collection of LDAP servers, depending on how many servers you add in the Server Name section.

Description: Enter a description of the directory connection.

Directory Product: Select your directory product from the list of options.

Default Connect DN: Enter the Distinguished Name to use when connecting to the directory. This DN will be chosen by default when creating subsequent maps. The default DN can be overridden on each mapping page.

Password: Enter the password associated with the directory-based account that appears in the Default Connect DN field.
Note. The password is stored in encrypted form in the database; not even individuals with administration access to the database can view the password.


Server Name: Add LDAP directory servers to a connection list. You can add multiple servers for failover purposes using the plus button. All servers you add must participate in the same directory service.

LDAP Server: Identify a specific LDAP server. You can use the DNS name or you can use IP address dotted notation. For example, either of the following formats is acceptable: ldap12.yourcompany.com or 192.201.185.90.

Port: Enter the port number on which the LDAP server is configured to receive search requests. The standard LDAP port is 389. If you do not specify the correct port, PeopleSoft Directory Interface can't exchange data with your LDAP server.

SSL Port: If you are implementing Secure Socket Layer (SSL), enter the SSL port on the LDAP server.

Specifying Additional Connect DN's
Access the Additional Connect DN's page.
Note. Unless you have installed the PeopleSoft Directory Interface, you will not see any available schema extensions.

Additional Connect DN's page

User DN: Add any DNs that you need in addition to the default connect DN that you entered on the Directory Setup page. The default user ID is most likely an administrative ID. This enables you to set up a more secure user ID for the scope of the mapping.

Password: For each additional DN that you enter, add the corresponding password.

Installing Selected PeopleSoft-Specific Schema Extensions
Access the Schema Management page.
Note. Unless you have installed the PeopleSoft Directory Interface product, you may not have any PeopleSoft schema extensions available to you.

Schema Management page (1 of 3)


Schema Management page (2 of 3)

Schema Management page (3 of 3)

Apply: Select this check box to apply the selected schema extension type to your directory.

Type: Displays the type of schema extension: either an Object Class or an Attribute Type.

Name: Displays the schema extension name.

Object Identifier: Displays the schema extension object identifier. The sequence 1.3.6.1.4.1.2810.20 identifies the object as a PeopleSoft object. The second-to-last number is either a 1 or a 2. A 1 indicates an object class type and a 2 indicates an attribute type. The last number indicates the sequence in which the extension was created.

Revision: Displays the number of times that the schema extension was revised.

Details: Click to display details about the selected schema extension in the Details region at the bottom of the page.

Select All: Click to select all the schema extensions to apply to your directory.

Deselect All: Click to deselect every schema extension.

Apply: Click to apply the selected schema extensions to your directory.

Details
When you click a schema extension's Details button, the system displays the details of that extension. In addition to the object identifier and name, you may also be interested in the "Superiors" detail, which indicates which extensions are above this one in the hierarchy, if any. Also of interest is the "Type" detail, which indicates whether the schema extension is a mandatory, optional, or auxiliary extension.
Schema Cache Information
For convenience, you can use the Schema Cache Process link to transfer to the Schema Cache page so that you can invoke the Schema Cache process. The Last Update Date/Time and Last Update User ID enable you to monitor the frequency of updates as well as the last administrator to run the process.

Testing the Connectivity
Access the Test Connectivity page.

Test Connectivity page


The page displays the results (PASS or FAIL) of the connectivity test. If connectivity fails, modify the connect information on the Directory Setup and Additional Connect DN's pages.

Caching the Directory Schema
You use the Cache Schema page to specify a directory server and invoke an Application Engine program designed to create a cache in the PeopleSoft database of the directory schema. This enables you to select names of Object Classes and Attribute Types when creating security maps.

Page Used to Cache the Directory Schema

Page Name: Cache Schema
Navigation: PeopleTools, Security, Directory, Cache Directory Schema
Usage: Specify a directory server and invoke an Application Engine program designed to create a cache in the PeopleSoft database of the directory schema. The cache of the LDAP schema is used to simplify creating maps for authentication and user profile maintenance.

Creating a Cache of the Directory Schema
Access the Cache Schema page.

Cache Schema page

Directory ID: Search for the name of the directory for which you are caching the schema.

Server Name: Search for the Process Scheduler server on which the Cache Schema process should run.

Cache Schema Now: Click this button to cache the LDAP schema data to tables within the PeopleSoft database. Typically, you use this option during initial setup and any time that the schema has changed.

Process Monitor: After invoking the process, you can monitor the progress by clicking this link.

Creating the Authentication Map
Use the Authentication page only if you are implementing directory authentication, as opposed to storing authentication information in the PeopleSoft database. You create a mapping to the directory that the PeopleSoft system relies on for authenticating users.

Page Used to Create the Authentication Map

Page Name: Authentication
Navigation: PeopleTools, Security, Directory, Authentication Map
Usage: Create a mapping to the directory that the PeopleSoft system relies on for authenticating users.

Creating the Authentication Map

Access the Authentication page.

Authentication page

Status: Activate an authentication mapping by selecting Active. To disable an authentication mapping, select Inactive.
Note. Only one authentication map should be Active at any time.

Directory Information
Directory ID: Select the directory ID of the directory that you intend to use for authentication.

Anonymous Bind: If all directory data required for authentication and user profile maintenance is visible to an anonymous connection, then Anonymous Bind can be checked.

Use Secure Socket Layer: Select this option if you are implementing a Secure Socket Layer (SSL) between PeopleSoft and the directory server. If you do not specify a port number, the system tries the default LDAPS port.

Connect DN: This value is the default connect DN that you specified on the Directory Setup page. To select one of the DNs specified on the Additional Connect DN's page, click the search button.
Note. If Anonymous Bind is checked, the Connect DN will be ignored.

List of Servers
Seq Num (sequence number): Set the order in which the system should access the list of servers for authentication.

LDAP Server: Select the name of the LDAP server. Use the plus button to enter additional servers.

User Search Information
Search Base: Enter the root of the directory information tree under which the system should search for user information.

Search Scope: Select the search scope for this search. Available values are:
Base: N/A. You should not use Base on the authentication map.
One: The query searches only the entries one level down from the entry in the Search Base field.
Sub: The query searches the entire subtree beneath the Search Base entry.

Search Attribute: When a user signs on using LDAP Authentication, the system searches the directory to find their user entry. The Search Attribute is used to construct the LDAP search filter used in finding the person's user entry. The value of the Search Attribute is entered by the user when they sign on.


Search Filter: Displays the LDAP search filter that the system uses to search the directory for entries matching the value the user entered.
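The user lookup described above, as an added example in Python; it is not PeopleSoft code and not part of this chapter. It shows how the Search Attribute and the value a user types at sign-on become the LDAP search filter, why that value has to be escaped (RFC 4515) before it is placed in the filter, how the One and Sub scopes limit which entries are considered, and why the lookup must yield exactly one entry before a bind as that user is attempted. The directory entries, DNs and passwords are constructed for the example, the final bind is simulated with a comparison, and `find_user`, `signon` and the other names are this example's own, not PeopleSoft APIs.

```python
"""Added example (not PeopleSoft code): LDAP user lookup for sign-on.

The authentication map supplies Search Base, Search Scope and Search
Attribute; the user supplies only the value.  The directory below is a
constructed in-memory list and the bind is simulated, so this runs offline."""
import hmac

# RFC 4515 escaping for a value placed inside an LDAP search filter.  Without
# it, a sign-on value such as  *)(uid=*  rewrites the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_attribute: str, signon_value: str) -> str:
    """The equality filter derived from Search Attribute, with escaping."""
    return f"({search_attribute}={escape_filter_value(signon_value)})"


def build_unsafe_filter(search_attribute: str, signon_value: str) -> str:
    """Naive concatenation, shown only for contrast; never do this."""
    return f"({search_attribute}={signon_value})"


# Constructed directory.  These DNs contain no escaped commas, so splitting on
# ',' is sufficient here; a real DN parser must handle RFC 4514 escapes.
DIRECTORY = [
    {"dn": "uid=jsmith,ou=people,dc=example,dc=com",
     "uid": "jsmith", "userPassword": "s3cret"},
    {"dn": "uid=amiller,ou=contractors,ou=people,dc=example,dc=com",
     "uid": "amiller", "userPassword": "hunter2"},
    {"dn": "uid=jsmith,ou=people,dc=partner,dc=com",
     "uid": "jsmith", "userPassword": "other"},
]


def _rdns(dn: str) -> list:
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, search_base: str, scope: str) -> bool:
    """Base / One / Sub exactly as the Search Scope field defines them."""
    entry, base = _rdns(entry_dn), _rdns(search_base)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "Base":
        return depth == 0
    if scope == "One":
        return depth == 1
    if scope == "Sub":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def find_user(search_base, scope, search_attribute, signon_value):
    """Entries the escaped equality filter matches inside the scope.

    Because the value is escaped, the server compares it literally, so a
    literal comparison is the right model of what the directory returns."""
    return [e for e in DIRECTORY
            if in_scope(e["dn"], search_base, scope)
            and e.get(search_attribute) == signon_value]


def signon(search_base, scope, search_attribute, signon_value, password):
    """Returns (ok, dn).  Exactly one match is required before binding:
    zero means unknown user, more than one means the filter is ambiguous."""
    matches = find_user(search_base, scope, search_attribute, signon_value)
    if len(matches) != 1:
        return False, None
    user = matches[0]
    # Simulated bind as the found DN; a real client sends an LDAP simple bind.
    if not hmac.compare_digest(user["userPassword"], password):
        return False, None
    return True, user["dn"]
```

The ambiguity check matters in practice: with Search Base set high in the tree and scope Sub, the same uid can exist in two subtrees, and binding as "whichever came first" would let one account be authenticated with the other's password.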

Creating User Profile Maps
Note. You must supply user properties to Signon PeopleCode only if you intend to authenticate users with your LDAP directory.
Even if you are going to authenticate users with the directory server, a PeopleSoft User Profile is still required. You can use a User Profile Map to automatically create PeopleSoft User Profiles for users as they sign on. The values for the PeopleSoft User Profile are found in the LDAP directory. Some properties are required when creating a PeopleSoft User Profile; these properties appear on the Mandatory User Properties page. Other properties are optional, and these appear on the Optional User Properties page.
The user profile mapping enables you to manage your user cache in the PeopleSoft database. Every user of the system requires a row in the PeopleTools security table, PSOPRDEFN, and the properties that you specify in the Mandatory and Optional User Properties pages are the columns in PSOPRDEFN that the system populates with user values.
This page enables you to take advantage of LDAP information. PeopleSoft retrieves the LDAP information and creates a local cache in database tables. PeopleSoft applications use this cache rather than using LDAP each time that a transaction requires user information. This means that after a user signs on to the system and the Signon PeopleCode executes, there is a row for that user in the user definition table.
You do not need to maintain the local cache of user information; Signon PeopleCode maintains this row automatically. Any changes made in the directory server are reproduced in the local cache at the user's next sign-on (for optional properties, only those marked Always Update).
In this section, we discuss how to:
Specify the mandatory attributes needed for signon.
Specify optional user properties.

Pages Used to Create User Profile Maps

Page Name: Mandatory User Properties
Navigation: PeopleTools, Security, Directory, User Profile Map, Mandatory User Properties
Usage: Specify the attributes required for signon. You can select to have the system retrieve these mandatory values from the directory server, or you can enter default values.

Page Name: Optional User Properties
Navigation: PeopleTools, Security, Directory, User Profile Map, Optional User Properties
Usage: Specify optional user properties to retrieve from the directory.

Specifying the Mandatory User Properties
Access the Mandatory User Properties page.


Mandatory User Properties page

Authentication Map: Select the authentication map to associate with this user profile mapping. The servers and connection information are taken from the authentication map.

Status: Displays the status of the selected user profile map.
Note. Only one User Profile map should be Active at any time.

Directory ID: Displays the directory ID associated with the authentication mapping.

User ID Attribute: The value of the User ID Attribute will be used to populate the OPRID (user ID) field on PSOPRDEFN.

ID Type
ID Type: Similar to Symbolic ID, enter this value on this page. This is the default ID type for new users, such as Employee ID, Customer ID, and so on.

ID Type Attribute: Specifies the LDAP attribute in the directory that holds the selected ID value. For instance, the ID value might be Employee ID. Some ID Types require additional data when creating a profile of that type. LDAP User Profile Management can retrieve that data from the LDAP directory if it is available.

Default Role
Use Default Role: Select this option if you want to use the default role. If you enable this option, the Default Role edit box becomes available for entry while the Role Attribute edit box becomes unavailable for entry. You either specify a Default Role or specify an LDAP attribute on the user entry that holds the valid name of a PeopleSoft Role.

Default Role: Enter the name of a default role to be assigned to new users. This value applies to users the first time that they sign on and have not had any roles dynamically assigned to them. Typically, this role has only basic access authorizations, such as for only the self-service pages. Users should get most of their permissions through dynamically assigned roles.

Role Attribute: Instead of specifying only a single default role for each and every user, you can enter the LDAP attribute that holds the name of a PeopleSoft Role to be assigned to the user.

Language
Use Default Language Code: Select if you do not maintain language codes in the directory.

Language Code: If the default language code is not stored in the directory, then select a default value from the drop-down list box.


LangCD Attribute (language code default): The name of the LDAP attribute containing a valid language code. The value retrieved from the attribute must be a valid PeopleSoft language code.

Specifying the Optional User Properties
Access the Optional User Properties page.
User Profile Property: Select the user profile property you want to add to the local cache. These properties are described in the following table.

Use Constant Value: To supply a constant value for each user, select this option.

Attribute Name: Add the name of the attribute as it is represented in your LDAP schema.

Constant Value: Appears only if you have selected Use Constant Value.

Always Update: Select this option if you always want the system to update the local user cache to reflect the data stored in the directory server every time the user signs on. If Always Update is not checked, the data will be taken from the directory only when the profile is first created.

The following lists the optional user properties that you can select from the User Profile Property search button.
Currency Code: If the user deals with international prices, set the currency code to reflect the native or base currency so that values appear in the currency with which the user is familiar.

Email Address: Select if a user is part of your workflow system or you have other systems that generate emails for users.

Multi-Language Enabled: Select if the user is set up to use PeopleSoft with multiple languages.

Navigator Home Page: The home page is associated with PeopleSoft Workflow (Navigator Homepage).

Primary Permission List: PeopleSoft determines which data permissions to grant a user by examining the Primary Permission List and Row Security Permission List. Which one is used varies by application and data entity (Employee, Customer, Vendor, Business Unit, and so on). Consult your PeopleSoft application documentation for more detail.

Process Profile Permission List: The process profile contains the permissions that a user requires for running batch processes through PeopleSoft Process Scheduler. For example, the process profile authorizes users to view output, update run locations, restart processes, and so on. Only the process profile comes from this permission list, not the list of process groups.

Row Security Permission List: See the explanation for Primary Permission List.

Symbolic ID: If the Symbolic ID is required for the user, select this option.

User Description: Typically, the name of the user, such as an employee name or a vendor name.

User ID Alias: In some cases, the user ID is an alias in the form of an email address. If so, select this option.

Creating Role Membership Rules
Use the Role Policy page to define the rules that are read by Dynamic Role Rule PeopleCode and populate PeopleSoft roles with members. The rules return the DNs of "people" directory entries, which supply the system with the user IDs specified on the user profile mapping.

Page Used to Create Role Membership Rules

Page Name: Role Policy
Navigation: PeopleTools, Security, Directory, Role Membership Rules
Usage: Define the rules that are read by Dynamic Role Rule PeopleCode and populate PeopleSoft roles with members.


Defining the Role Membership Rules
Access the Role Policy page.

Role Policy page

Rule Name: The directory search name that you entered on the search page.

Description: Enter a short description of the rule.

User Profile Map: Select the user profile map to associate with the rule.

Directory ID: Displays the directory associated with the user profile map that you select.

Assign to Role: Click this link to automatically start the Dynamic Members page in the Roles component of the Security menu. On that page, select Directory Rule Enabled and specify the server on which to execute the rule.

Directory Search Parameters
Search Base: Enter the entry (or "container") at which to begin the search.

Search Scope: Select the search scope for this search from the following options:
Base: The query searches only the value in the Search Base field.
One: The query searches only the entries one level down from the value in the Search Base field.
Sub: The query searches the value in the Search Base field and all entries beneath it.

Build Filter
( ): Parentheses on either side of the filter expression. Select the check boxes below the parentheses to group expressions.

Attribute: Select the attribute that the system will filter.

Operation: Assign an operator to your rule, such as <, <=, <>, =, >, or >=.

Value: Enter the value to assign to the attribute that you specified.

And/Or: To add another line to your rule, select AND or OR depending on your rule logic. Select END to signify the end of the search. Select NONE if you aren't using this kind of filter.

Refresh Search Filter: After you make changes using the Build Filter options, click this button to update the Search Filter edit box to reflect the changes.


Clear Search Filter: Click this button to delete all values from the Search Filter edit box and the Build Filter selections.

Search Filter: The filter that the system applies to the search for the DN of the defined container. This value typically displays the directory object class of the container in the form "objectclass=GroupOfUniqueNames", for example. This indicates what type of container to search. To retrieve the correct container DNs, the system adds the name of the container to the search filter at runtime.

Search Attributes
Directory Attribute: Select the attribute that identifies the user to add to this membership.

Note. Technically, the role membership can involve more than a directory group. You can determine role membership using any arbitrary LDAP search criteria, such as conditions other than just group membership. For example, you could assign everyone whose last name starts with S to a role.
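The Build Filter rows and the note above, as an added example in Python; it is not PeopleSoft's Dynamic Role Rule PeopleCode. `compose_filter` turns rows of (attribute, operation, value, And/Or) into the RFC 4515 filter string the Search Filter box would display, including the <, > and <> operations, which LDAP has no direct filter for, and `evaluate_rule` applies the same rows to constructed directory entries and returns the values of the chosen Directory Attribute, which is what a rule hands to the role. Rule values are typed by an administrator, so `*` is kept as a wildcard (`S*` for the last-name example) while parentheses and backslashes are still escaped; rows combine left to right, which is this example's simplification of the page's grouping check boxes. The entry data, attribute names and function names are all made up for the example.

```python
"""Added example (not PeopleSoft code): composing and evaluating a role
membership rule built from Build Filter rows.

A row is (attribute, operation, value, connector); connector is "AND",
"OR", "END" or "NONE".  Rows combine left to right; the parentheses check
boxes of the real page allow arbitrary grouping, which is omitted here."""


def _esc(value: str) -> str:
    # Administrator-authored value: keep '*' as a wildcard, escape the rest.
    return (value.replace("\\", r"\5c").replace("(", r"\28")
                 .replace(")", r"\29").replace("\0", r"\00"))


def _term(attr: str, op: str, value: str) -> str:
    v = _esc(value)
    if op == "=":
        return f"({attr}={v})"
    if op == "<>":
        return f"(!({attr}={v}))"
    if op == ">=":
        return f"({attr}>={v})"
    if op == "<=":
        return f"({attr}<={v})"
    if op == ">":                       # LDAP has no strict ordering filter,
        return f"(!({attr}<={v}))"      # so '>' is written as NOT '<='
    if op == "<":
        return f"(!({attr}>={v}))"
    raise ValueError(f"unsupported operation {op!r}")


def compose_filter(rows) -> str:
    """The string the Search Filter box shows after Refresh Search Filter."""
    result, pending = None, None
    for attr, op, value, connector in rows:
        term = _term(attr, op, value)
        result = term if result is None else f"({pending}{result}{term})"
        if connector in ("END", "NONE"):
            return result
        if connector not in ("AND", "OR"):
            raise ValueError(f"unknown connector {connector!r}")
        pending = "&" if connector == "AND" else "|"
    raise ValueError("rule must finish with an END row")


def _values(entry, attr):
    v = entry.get(attr, [])
    return v if isinstance(v, list) else [v]


def _key(s: str):
    # Numeric strings order as integers, everything else case-insensitively.
    s = s.lower()
    return (0, int(s)) if s.isdigit() else (1, s)


def _wild(pattern: str, text: str) -> bool:
    """Case-insensitive equality with '*' wildcards, as in (sn=S*)."""
    p, t = pattern.lower(), text.lower()
    parts = p.split("*")
    if len(parts) == 1:
        return t == p
    if not (t.startswith(parts[0]) and t.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(t) - len(parts[-1])
    for mid in parts[1:-1]:
        i = t.find(mid, pos, end)
        if i < 0:
            return False
        pos = i + len(mid)
    return pos <= end


def _matches(entry, attr, op, value) -> bool:
    vals = _values(entry, attr)
    if op == "=":
        return any(_wild(value, v) for v in vals)
    if op == "<>":
        return not any(_wild(value, v) for v in vals)
    if op == ">=":
        return any(_key(v) >= _key(value) for v in vals)
    if op == "<=":
        return any(_key(v) <= _key(value) for v in vals)
    # '>' and '<' are NOT-filters, so like the server they also match entries
    # that lack the attribute entirely; add a presence row when that matters.
    if op == ">":
        return not any(_key(v) <= _key(value) for v in vals)
    if op == "<":
        return not any(_key(v) >= _key(value) for v in vals)
    raise ValueError(f"unsupported operation {op!r}")


def evaluate_rule(rows, entries, directory_attribute):
    """Values of directory_attribute from every entry the rule matches."""
    out = []
    for entry in entries:
        result, pending = None, None
        for attr, op, value, connector in rows:
            hit = _matches(entry, attr, op, value)
            if result is None:
                result = hit
            elif pending == "AND":
                result = result and hit
            else:
                result = result or hit
            if connector in ("END", "NONE"):
                break
            pending = connector
        if result:
            for v in _values(entry, directory_attribute):
                if v not in out:
                    out.append(v)
    return out


# Constructed entries: three people (one without employeeNumber) and a group.
ENTRIES = [
    {"dn": "uid=jsmith,ou=people,dc=example,dc=com", "objectClass": ["person"],
     "uid": "jsmith", "sn": "Smith", "employeeNumber": "1500"},
    {"dn": "uid=ssingh,ou=people,dc=example,dc=com", "objectClass": ["person"],
     "uid": "ssingh", "sn": "Singh", "employeeNumber": "2300"},
    {"dn": "uid=amiller,ou=people,dc=example,dc=com", "objectClass": ["person"],
     "uid": "amiller", "sn": "Miller"},
    {"dn": "cn=hr-admins,ou=groups,dc=example,dc=com",
     "objectClass": ["groupOfUniqueNames"], "cn": "hr-admins",
     "uniqueMember": ["uid=jsmith,ou=people,dc=example,dc=com",
                      "uid=ssingh,ou=people,dc=example,dc=com"]},
]
```

The > and < cases are the ones to review before activating a rule: `(!(employeeNumber<=2000))` grants the role to every entry that has no employeeNumber at all, so a rule meant for "senior employees" should be paired with a presence row such as employeeNumber = * joined by AND.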

Deleting Directory Configurations
Use this page to delete the entire directory configuration or just parts of it.

Page Used to Delete Directory Configurations

Page Name: Delete Directory
Navigation: PeopleTools, Security, Directory, Delete Directory Configuration
Usage: Delete the entire directory configuration or just parts of it.

Deleting the Directory Configuration
Access the Delete Directory page.

Delete Directory page

Delete Associated Maps: Deletes the authentication and user profile maps from the configuration.

Delete Associated Searches: Deletes any searches related to the directory configuration.

Delete Associated Role Rules: Deletes any role rules you have specified for a configuration.

Delete Associated Entry Rules: This applies to the PeopleSoft Directory Interface product only.

Delete Directory Configuration: After you have made the appropriate choices, click this button to perform the delete process. If you click this button with nothing selected, the system deletes only the Directory ID and leaves all of the other configuration information intact.

Working with the Workflow Address Book
Use the Address Book page for configuring LDAP address lookups for use with ad hoc notifications in PeopleSoft Workflow. This page contains the controls needed to retrieve the necessary addresses from the directory. This page only applies if you store user information in a directory.
Note. Each of these controls is discussed elsewhere in this chapter.

See Also
PeopleTools PeopleBooks: PeopleSoft Workflow, "Adding Events and Routings"

Enabling Signon PeopleCode for LDAP Authentication
LDAP Authentication runs as Signon PeopleCode that must be enabled and configured to execute with proper permissions.
To enable Signon PeopleCode:

1. Select PeopleTools, Security, Security Objects, Signon PeopleCode.
2. On the Signon PeopleCode page, click the Invoke As option that applies to your configuration.
Do you want to use a default user ID, or do you want the Signon PeopleCode to be invoked by whoever the user ID is that happens to be signing on to the system? Either way, the value for the User ID and the password must be a valid PeopleSoft User ID and password. For LDAP authentication, you need to use "Invoke As" because the user signing in (most likely) won't exist in the local system until Signon PeopleCode runs and updates the local cache of user profiles.
Note. The User ID entered, whether it is the Invoke As user signing in or a default user, must be able to access the User Profile Component in a permission list.

3. Locate the row for the LDAP_Authentication function on the Record FUNCLIB_LDAP.
4. Select the Enabled check box (if it is not already selected automatically by the system).
5. Ensure that the Exec Auth Fail check box is selected.
This means: if PeopleSoft authorization fails, then execute the Signon PeopleCode. PeopleSoft authorization always fails if you are using LDAP authentication.

6. Click Save at the bottom of the page.
7. Reboot any application servers running against the local database.
Note. If you intend to use the User Profile Map, you also need to enable LDAP_PROFILESYNCH. The same options apply.

Using LDAP over SSL (LDAPS)
You can use the LDAP Business Interlink to establish a secure LDAP connection between the application server and the LDAP server. The LDAP Business Interlink uses Netscape's certificate database, cert7.db. You can obtain a cert7.db using the PKCS Utilities distributed by Netscape. Refer to Netscape's documentation for more information on obtaining and using the PKCS Utilities.
To establish the secure connection between the PeopleSoft Application Server and the LDAP server you will need the following:
Cert7.db certificate database from Netscape.
A Server Certificate for the LDAP server.
The Trusted Root Certificate from the Certificate Authority that issues the Server Certificate.
To enable LDAP authentication over SSL:

1. Follow the documentation for your directory server to add the Server Certificate to your directory server.
2. Using Netscape's PKCS Utilities, add the Certificate Authority's Trusted Root Certificate to the cert7.db certificate database.
3. Place the cert7.db file in the %PeopleTools%\bin\server directory of the application server.
4. Select PeopleTools, Security, Directory, Configure Directory, Directory Setup page and make sure the SSL Port field reflects the correct LDAPS port for your directory server.
5. Select PeopleTools, Security, Directory, Authentication Map page and check the Use Secure Sockets Layer check box.
5. SelectPeopleTools,Security,Directory,AuthenticationMappageandchecktheUseSecureSocketsLayercheckbox.

6. In Application Designer, open the following Business Interlinks, select the Settings tab, and change the SSL setting to YES.
LDAP_SEARCH
LDAP_BIND

Setting up SSL on the Directory (Examples)
If you require SSL between your LDAP directory server and your PeopleSoft system, the following topics provide sample procedures for doing so.
Note. The procedures outlined in this section are provided as samples. They may not necessarily apply to all situations.

Understanding SSL and the Directory
Secure Sockets Layer (SSL) is a protocol developed by Netscape that defines an interface for data encryption between network nodes. To establish an SSL-encrypted connection, the nodes must complete the SSL handshake. The simplified steps of the SSL handshake appear below:
1. Client sends a request to connect.
2. Server responds to the connect request and sends its signed certificate.
3. Client verifies that the certificate signer is in its acceptable Certificate Authority (CA) list.
4. Client generates a session key to be used for encryption and sends it to the server encrypted with the server's public key (from the certificate received in step 2).
5. Server uses its private key to decrypt the client-generated session key.
Step 3 only proves that a trusted CA issued the certificate. A client that wants to be sure it reached the intended directory server, and not another holder of a certificate from the same CA, must also check that the name in the certificate matches the server name it connected to.
Establishing an SSL connection requires two certificates: one containing the public key of the server (Server Certificate/Public Key Certificate) and another to verify the Certificate Authority that issued the Server Certificate (Trusted Root Certificate). The server needs to be configured to issue the Server Certificate when a client requests an SSL connection, and the client needs to be configured with the Trusted Root Certificate of the Certificate Authority that issued the Server Certificate.
The nature of those configurations depends on both the protocol being used and the client and server platforms. SSL is a lower-level protocol than the application protocol, such as HTTP or LDAP, and it works the same regardless of the application protocol; in most cases, instructions written for HTTP over SSL apply to LDAP once you replace HTTP with LDAP.
Note. Establishing SSL connections with LDAP (LDAPS) is not related to web server certificates or certificates used with PeopleSoft Integration.
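The client side of the handshake described above, together with the SSL Port and Seq Num settings from the Directory Setup and Authentication Map pages, as an added example in Python. It is not PeopleSoft code: `connection_plan` is this example's model of the documented behaviour (servers tried in sequence order, the default LDAPS port used when no SSL Port is given), and `ldaps_client_context` shows the TLS client settings that implement step 3 plus the hostname check, beside the weak setting that must be avoided. It builds the context but opens no connection, so it runs offline; the CA file plays the role that cert7.db plays for the Business Interlink, and the server rows are constructed.

```python
"""Added example (not PeopleSoft code): endpoint order and TLS client policy
for LDAPS.  Nothing here connects to a network; server rows are constructed."""
import ssl

DEFAULT_LDAP_PORT = 389
DEFAULT_LDAPS_PORT = 636   # the "default LDAPS port" the Authentication page refers to


def connection_plan(servers, use_ssl):
    """servers: Directory Setup rows as (seq, host, port, ssl_port), with
    ssl_port None when the SSL Port field is blank.  Returns the URLs the
    application server would try, in Seq Num order."""
    plan = []
    for _seq, host, port, ssl_port in sorted(servers):
        if use_ssl:
            plan.append(f"ldaps://{host}:{ssl_port or DEFAULT_LDAPS_PORT}")
        else:
            plan.append(f"ldap://{host}:{port or DEFAULT_LDAP_PORT}")
    return plan


def ldaps_client_context(cafile=None):
    """Client context that fails the handshake unless the server certificate
    chains to a trusted root AND its name matches the host we dialled.
    cafile holds only trusted roots, the same job cert7.db does here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3 and early TLS are broken
    ctx.verify_mode = ssl.CERT_REQUIRED             # handshake step 3
    ctx.check_hostname = True                       # the name check step 3 lacks
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def insecure_context():
    """The setting to avoid: the session is encrypted but any certificate is
    accepted, so a machine in the middle can present its own certificate and
    read the connect DN password from the bind."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

Use `ldaps_client_context` (or its equivalent in whatever LDAP client you operate) with the exported Trusted Root certificate as cafile; if the handshake then fails, the server certificate does not chain to that root or carries a name other than the one in the Directory Setup LDAP Server field, and either condition is a configuration error rather than something to work around by disabling verification.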

Setting up SSL for Novell NDS
This topic discusses how to configure the LDAP business interlink to establish SSL-encrypted LDAP connections. The LDAP business interlink uses a certificate database that resides on the file system of the PeopleSoft Application Server. The certificate database is a file called cert7.db and needs to reside in the file system of the application server. The cert7.db certificate database needs to contain the Trusted Root certificate of the Certificate Authority that issued the Server Certificate of the LDAP server.
Setting up the Certificate
To obtain a cert7.db you must download Netscape Navigator 4.7. Once this is downloaded and installed, launch Netscape Navigator and it will prompt you to create a user profile. Create a user profile with the name PeopleSoft. This creates a file structure that appears as follows:
Netscape\Users\PeopleSoft.
Under the PeopleSoft directory, find cert7.db.
With Netscape Navigator open, go to the Security button at the top. This opens the Security Information page. Select Certificates and Signers. This shows the valid certificates in the database. You can delete all of them; after the import below, the database then trusts only your own CA, which is the narrowest trust the application server needs. Once they are deleted, click OK and close Netscape Navigator.
Once you have the CA's certificate imported into the cert7.db certificate database, you are ready to configure the LDAP business interlink for SSL. There are two relevant settings on all transactions of the business interlink:
Use SSL setting.

SSL_DB location setting.
As with all business interlink inputs, these can be set using either Application Designer or PeopleCode.
Using Application Designer:
Open an existing instance of the LDAP business interlink, or create a new instance.
Select the Settings tab.

Settings tab in Application Designer

Note. This example uses the Search transaction, but the same principle applies to all transactions.
Set the SSL parameter to YES.
Set the SSL_DB parameter to the name of your certificate database (cert7.db by default).
Save the Interlink.
Using PeopleCode:
When you generate the interlink PeopleCode by dragging the definition into the PeopleCode editor, the following code is created.
/*===>
This is a dynamically generated PeopleCode template to be used only as a helper
to the application developer.
You need to replace all references to '<*>' OR default values with references to
PeopleCode variables and/or a Rec.Fields. */
/*===> Declare and instantiate: */
Local Interlink &LDAP_SEARCH_1;
Local BIDocs &inDoc;
Local BIDocs &outDoc;
Local boolean &RSLT;
Local number &EXECRSLT;
&LDAP_SEARCH_1 = GetInterlink(INTERLINK.LDAP_SEARCH);
/*===> You can use the following assignments to set the configuration parameters.
*/
&LDAP_SEARCH_1.SSL = "NO";
&LDAP_SEARCH_1.SSL_DB = "cert7.db";
&LDAP_SEARCH_1.URL = "file://psio_dir.dll";
&LDAP_SEARCH_1.BIDocValidating = "Off";
.....

You must change the .SSL and .SSL_DB settings to indicate that SSL should be used and specify the name of your certificate database file. For example:
&LDAP_SEARCH_1.SSL = "YES";
&LDAP_SEARCH_1.SSL_DB = "cert7.db";

Configuring your LDAP Server for SSL
This section describes how to configure NDS eDirectory V8.5 for LDAPS using the Organizational CA built into NDS's PKI services.
Export the Self-Signed Trusted Root Certificate from the Certificate Authority.
Start ConsoleOne and navigate to the Organizational CA object in the Security container.

Organizational CA

Open the Properties dialog, go to the Certificates tab, and choose Self Signed Certificate from the menu.
Click the Export button.
On the Export a Certificate dialog box, choose binary DER format, designate a file name and location, and click Export.
Rename this file to the .X509 file format.
Create a Server Certificate to be used by LDAP
In ConsoleOne, navigate to the container that holds the Server Object for the LDAP Server.

Navigating to the server object

Right-click on the container entry (such as Config) and choose New Object. Scroll down and find NDSPKI:Key Material in the list and click OK.
In the Create Server Certificate dialog box, make sure the server name is the name of the directory server running the LDAP service. Also, give the new certificate a meaningful name, choose the Standard creation method, and click Next.

Creating certificate


Review the information in the next dialog and click Finish. You should now have a certificate that contains the public key for the server running the LDAP service stored in your directory as an object.

SSL certificate

Indicate to the LDAP service what port to use for SSL connections and to issue the certificate when a client requests a connection on that port.
Find the object representing your LDAP Server; it will be in the same container you just created the certificate in, and it will be named "LDAP Server <hostname> NDS."
Open the properties dialog on the LDAP Server object and select the SSL Configuration tab.

SSL Configuration tab

Enter the port number you want to use for LDAPS, and in the SSL Certificate field, click the browse button to select the certificate you just created. Do not check "Enable and Require Mutual Authentication" unless you have configured this option (which is outside the scope of this discussion).
Note. Under your Novell install directory there should be a file called X509.REG. The path should be similar to install_directory\CERTSERV\MISC\X509.REG. Take this file and move it to the machine on which you have installed Netscape. From the machine that uses Netscape, run the X509.REG file by double-clicking on it. This updates your registry so that Netscape can import the certificate.
Import the certificate.
Launch Netscape, select File, Open, and enter the file location of the .X509 certificate that you exported from NDS.
Netscape will take you through the certificate import process. Follow along with the wizard until finished.
To confirm proper installation, click on the security tab (the lock) and open the security administrator for Netscape. Click on the Certificates Signers link and this will take you to all valid certificates in the database. You should now see the certificate you imported.
Move the cert7.db to the appserv folder.
After completing the previous tasks, the system should be running LDAPS with NDS.
Note. You are responsible for receiving certificates from a Certificate Authority, such as Entrust.Net or Verisign.
Note. If you try to test this with the business interlink tester, error code 89 is often reported. This does not mean that LDAPS is not working. To test, you can run a trace on the directory to see the SSL handshake occurring. You can also turn off port 389 and see if authentication still works. If it does, then this indicates SSL is working.

Setting up SSL for Netscape (iPlanet)
To set up SSL on Netscape:

1. Make sure your directory is defined in the PeopleTools, Security, Directory component.
2. Modify the Signon PeopleCode page.

Select PeopleTools, Security, Security Objects, Signon PeopleCode.
Check the "Invoke as" radio button.
Enter the User ID and Password of a user who has permission to run the Signon PeopleCode. The Password will not be visible once the page is saved.
Check the "Enabled" box to enable the Signon PeopleCode.
Enter the Signon PeopleCode location as shown in the default values.
Check the "Exec Auth Fail" box.
This is because Signon PeopleCode is triggered when authentication fails against the PeopleSoft authentication.
Save the page.
Note. Make sure that the User ID entered above has permission to run the Component Interface USER_PROFILE.

3. Modify the LDAP_BIND and LDAP_SEARCH business interlink definitions.
Open Application Designer.
Open the LDAP_BIND definition.
Select the Input tab.
Enter the Server name and Port for the LDAP server.
The other parameters are not required for this procedure.
Select the Settings tab.
Choose YES from the SSL drop-down list.
Enter the name of the Certificate database in the SSL_DB edit box (usually cert7.db for Netscape iPlanet).
Click Set Default to save the default settings.
Save and Close the definition.

4. Consider the following items:
The application server binds as a client to the LDAP server as part of the authentication, so it only needs access to the Root Certificates. The LDAP administrator at your site should have already installed a server (Node) Certificate on the LDAP Server.
The cert7.db file can be transferred to the application server in binary mode and installed in the same directory as PSAPPSERV.CFG and PSTUXCFG of the application server domain.
Using a copy of the LDAP server's cert7.db is not a security risk: cert7.db holds only certificates, which are public, while the server's private key is kept in the separate key3.db file of the Netscape certificate database and must never be copied to the application server. The application server only needs the Root Certificates, which are generally available at no charge from the Certificate Authority.

5. Reboot the application server domain.


Copyright 1988-2002 PeopleSoft, Inc. All Rights Reserved.
