Sunday, October 12, 2014

PeopleSoft Copy Project To File... - Node Password Bug

I noticed a bug (or hack?) with the Copy Project to File feature.

Let us take as an example any Integration Broker node that uses Password as the Authentication Option. (I have found that nodes like PSFT_HR, PSFT_EP, PSFT_CR, etc., and especially the local node of an environment, would most likely have this setup.)


If you look at the password field value for this node in the database (PSMSGNODEDEFN), you will find that it is encrypted.

select USERID, IBPASSWORD from PSMSGNODEDEFN where MSGNODENAME = 'PSFT_HR';

Another place where credentials for such nodes are stored is the integrationGateway.properties file, where the gateway keeps the application server user ID and password it uses for each node's connection.

You can find this file in the following path in the PeopleSoft home directory of your gateway web server:
<PIA_HOME>\webserv\<DOMAIN>\applications\peoplesoft\PSIGW.war\WEB-INF\integrationGateway.properties
ig.isc.$NODENAME.serverURL=//<machine name>:<jolt port>
ig.isc.$NODENAME.userid=<application server user id>
ig.isc.$NODENAME.password=<application server password>
ig.isc.$NODENAME.toolsRel=<peopletools release version>
You can also access the contents of the properties file in the following navigation:
Main Menu > PeopleTools > Integration Broker > Configuration > Gateways (Gateway Setup Properties Link)


You will notice that the password for the node in the gateway properties file would be encrypted as well.

So far so good.

Now let us find an App Designer Project that contains this node we are investigating (hacking?!?):
select distinct PROJECTNAME from PSPROJECTITEM where objectvalue1 = 'PSFT_HR';

Note: This is to demonstrate that it is not necessary to create a NEW project containing the node concerned. I have found that most nodes (especially the local node in an environment) would already be part of an existing project.

Now let us open one such project and copy the project to file using App Designer > Tools > Copy Project > To File...

Once the project is copied to file, let us open the target folder on the local disk. You will find the following files in the project folder:
<PROJECTNAME>.ini
<PROJECTNAME>.xml

Let us open the <PROJECTNAME>.xml file and search for <szIbPassword>. You will find the node password for the Default User ID in clear text, even though the same value (IBPASSWORD) is encrypted in PSMSGNODEDEFN!
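As an added example (not part of the original post, and not PeopleSoft's own tooling), here is a small Python script that audits an exported <PROJECTNAME>.xml for exactly this leak: it walks the whole document for <szIbPassword> elements, reports each node that carries a non-empty value without echoing the secret itself, and can blank those values out before the file is stored or shared. The sample XML inside the script is constructed for illustration; only the <szIbPassword> element name comes from the post, and the surrounding element names (PSMSGNODEDEFN, szMsgNodeName, szUserId) are assumptions about the export layout, which is why the scanner searches by element name rather than by a fixed path.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List

# Constructed sample standing in for the <PROJECTNAME>.xml that
# App Designer > Tools > Copy Project > To File... writes out.
# Only <szIbPassword> is taken from the post; PSMSGNODEDEFN, szMsgNodeName
# and szUserId are assumed wrapper names used here for illustration.
SAMPLE_PROJECT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<project name="HR_NODES">
  <PSMSGNODEDEFN>
    <szMsgNodeName>PSFT_HR</szMsgNodeName>
    <szUserId>PS</szUserId>
    <szIbPassword>NotSoSecret1</szIbPassword>
  </PSMSGNODEDEFN>
  <PSMSGNODEDEFN>
    <szMsgNodeName>PSFT_EP</szMsgNodeName>
    <szUserId>PS</szUserId>
    <szIbPassword></szIbPassword>
  </PSMSGNODEDEFN>
  <PSMSGNODEDEFN>
    <szMsgNodeName>EXT_VENDOR</szMsgNodeName>
    <szUserId>VENDOR1</szUserId>
    <szIbPassword>vendor-pw</szIbPassword>
  </PSMSGNODEDEFN>
</project>
"""

PASSWORD_TAG = "szIbPassword"


def mask(secret: str) -> str:
    """Reveal only the length of a secret so the report can be shared safely."""
    return "*" * len(secret)


def find_node_passwords(xml_text: str) -> List[Dict]:
    """Return one record per node definition whose <szIbPassword> is non-empty.

    Every element is visited and checked for a direct <szIbPassword> child,
    so the result does not depend on the exact nesting App Designer uses.
    The clear-text value is never kept in the result, only its length.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for parent in root.iter():
        pwd_elem = parent.find(PASSWORD_TAG)
        if pwd_elem is None:
            continue
        value = (pwd_elem.text or "").strip()
        if not value:
            continue  # empty value: password authentication not in use
        findings.append({
            "node": parent.findtext("szMsgNodeName", default="?").strip(),
            "userid": parent.findtext("szUserId", default="?").strip(),
            "password_length": len(value),
            "masked": mask(value),
        })
    return findings


def redact_node_passwords(xml_text: str) -> str:
    """Return a copy of the export with every <szIbPassword> value blanked,
    so the project file can be kept or shared without the credential."""
    root = ET.fromstring(xml_text)
    for elem in root.iter(PASSWORD_TAG):
        elem.text = ""
    return ET.tostring(root, encoding="unicode")


def scan_export_files(paths: Iterable[str]) -> Dict[str, List[Dict]]:
    """Run find_node_passwords over each <PROJECTNAME>.xml path given."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            report[path] = find_node_passwords(fh.read())
    return report


if __name__ == "__main__":
    for f in find_node_passwords(SAMPLE_PROJECT_XML):
        print(f"node {f['node']} (Default User ID {f['userid']}): "
              f"password {f['masked']} ({f['password_length']} chars) "
              f"is exported in clear text")
    cleaned = redact_node_passwords(SAMPLE_PROJECT_XML)
    print("after redaction:", len(find_node_passwords(cleaned)), "findings")
```

Point scan_export_files at the folder App Designer wrote to and review the report; run redact_node_passwords on a copy before an export is checked into source control or handed to someone else. Blanking the value in the file does not change anything in PSMSGNODEDEFN, so if an export has already left the organization the only real remedy is to change the password of the Default User ID.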

Here are the challenges:
  1. More often than not, the Default User ID used in Integration Broker nodes is a power/super user like PS or equivalent.
  2. Most developers have access to App Designer and therefore to the Copy Project to File option.
  3. Not all developers that are employed for projects are permanent employees of the organization (think consultants who are engaged for a brief period of time).
    Note: I have nothing against consultants! I have been one myself. :)
  4. There is no way to selectively grant or revoke access to the Copy Project to File option through PeopleSoft security. If anyone knows of a way to do this, please let me know.
If this is a matter of concern from a security point of view, the only workaround I see right now is to completely remove upgrade (migration) access from anyone who should not have access to this User ID/Password.

Please let me know if you have any other ideas/thoughts!

4 comments:

  1. >>You will find the node password for the Default User ID in clear text! <<

    You don't have to give the password of the 'Default User Id' (in your screenshot it is PS) in the node password. The node password given here is used to validate against the node password of the remote node.

    That said, being able to get an encrypted password in plain text is not a good thing.

  2. @Subair - Yes, I agree that node password is not a required field for configuring a node.

    Although, note that password is a required field if the "Authentication Option" is set to Password.

    In my example (right at the start), I am finding a node that uses Password as the Authentication Option.

    Thanks!

  3. Hi Sasank,

    I get the following error when I try to do a POST from PeopleSoft using your code. However, I was successful using POSTMAN and RESTClient.
    Java Exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version: during call of org.apache.commons.httpclient.HttpClient.executeMethod. (2,763)

    Can you please help.

    Thanks

    Replies
    1. Sorry for the delay in responding. This appears like an SSL problem. I have not run into this issue. Sharing this thread in case it helps. Thanks!

      https://stackoverflow.com/questions/31684855/java-ssl-exception-protocol-version-when-trying-to-use-httpclient-to-log-into-a
