Let’s Encrypt with PeopleSoft

Let’s Encrypt is a service provided by the Internet Security Research Group to provide free SSL certificates to anyone. The goal of the project is to get the entire web encrypted. I mentioned the project in Episode 7 of The PeopleSoft Administrator Podcast and thought it would be a great exercise to try it with PeopleSoft.

Let’s Encrypt uses a client on the server to automate the certificate request process. The client will:

  • Validate that you own the web server
  • Generate a CSR
  • Download the certificate
  • Apply the certificate to the web server (limited support)
  • Automatically renew the certificate

There are a few requirements to use the Let’s Encrypt clients though:

  • The web server needs to be accessible from the internet. The Let’s Encrypt service validates that you own the server by checking for a specific file on the web server.
  • Not all operating systems are supported, yet.
  • Some web servers have built-in support (IIS, Apache), but others (e.g., WebLogic) do not. We can still generate certificates, but automatic renewal won’t update the web server.

Install Let’s Encrypt Client for Windows

We’ll use the letsencrypt-win-simple command line client for Windows. Download the latest release from GitHub and extract the folder to a permanent location.

Generate a new certificate

  1. Run .\letsencrypt.exe --accepttos[code lang=text]
    Let’s Encrypt (Simple Windows ACME Client)

    ACME Server: https://acme-v01.api.letsencrypt.org/
    Config Folder: C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
    Loading Signer from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Signer

    Getting AcmeServerDirectory
    Loading Registration from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration

    Scanning IIS 7 Site Bindings for Hosts
    No IIS bindings with host names were found. Please add one using IIS Manager. A host name and site path are required to verify domain ownership.
    No targets found.

    M: Generate a certificate manually.
    A: Get certificates for all hosts
    Q: Quit
    Which host do you want to get a certificate for:
    [/code]

  2. Since we are not running IIS, we’ll generate a certificate manually.[code lang=text]
    Which host do you want to get a certificate for: M
    Enter a host name:
    [/code]
  3. Enter the DNS name for your web server.[code lang=text]
    Enter a host name: hr.psadmin.io
    Enter a site path (the web root of the host for http authentication):
    [/code]
  4. Next, enter the root path for your web server. If you are running WebLogic, that will be the PORTAL.war directory on your web server.[code lang=text]
    Enter a site path (the web root of the host for http authentication): W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war
    [/code]
  5. Then, the Let’s Encrypt client will create a new file under PORTAL.war\.well-known\acme-challenge. That file will be used to validate that you own the web server.[code lang=text]
    Authorizing Identifier ps92t855.psadmin.io Using Challenge Type http-01
    Writing challenge answer to W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war\.well-known/acme-challenge/1c2yN7Y93sJwRUmRGaoG4kT-QynrIcGr4szre-3nTsQ
    Answer should now be browsable at http://ps92t855.psadmin.io/.well-known/acme-challenge/1c2yN7Y93sJwRUmRGaoG4kT-QynrIcGr4szre-3nTsQ
    Submitting answer
    Refreshing authorization
    Authorization Result: valid
    Deleting answer
    [/code]
  6. After the web server ownership is verified, new certificates will be generated and copied to your system. The certificates are copied to your %USERPROFILE%\AppData\Roaming\letsencrypt-win-simple folder in a few formats:
    • .der
    • .pem
    • .pfx

    The client will also add the certificates to the Windows Certificate Store for you. To add the certificates to WebLogic, we’ll use the .pem files.

    [code lang=text]
    Requesting Certificate
    Request Status: Created
    Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hr.psadmin.io-crt.der
    Saving Issuer Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-009813F47513E5750B43E7431E971E44BD-crt.pem
    Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hr.psadmin.io-all.pfx (with no password set)
    Opened Certificate Store “WebHosting”
    Adding Certificate to Store
    Closing Certificate Store
    WARNING: Unable to configure server software.
    Creating Task letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org with Windows Task Scheduler at 9am every day.
    Renewal Scheduled Manual hr.psadmin.io (W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war) Renew After 2/9/2016
    Press enter to continue.
    [/code]

Create a New pskey Keystore

Now that we have certificates, let’s create a new pskey file with the certificates. We’ll use Keystore Explorer to quickly generate the file.

  1. Open Keystore Explorer. (If it’s the first time you’ve used it, follow the instructions to download the Unlimited Strength files.)
  2. Create a new keystore file.
  3. Select the file type of “JKS”.
  4. Select “Tools > Import Key Pair”.
  5. Select the “OpenSSL” option.
  6. Deselect “Encrypted Private Key”.
  7. For the “OpenSSL Private Key File”, select the file hr.psadmin.io-key.pem.
  8. For the “Certificate(s) File”, select hr.psadmin.io-cert.pem.
  9. Click “Import”.
  10. Enter an alias name that is descriptive. I used hr.psadmin.io-2015-12.
  11. Since the private key was delivered without a password, we’ll want to add one. Enter a password for the key pair.

Now you have the private and public key for your DNS entry in the keystore. Next, we need to add the root (and intermediate) certificates so that a chain of trust is established.

  1. In Keystore Explorer in our new keystore file, right-click on our certificate. Select “Edit Certificate Chain > Append Certificate”.
  2. Select the file ca-GUID-crt.pem and click “Append”.
  3. Save the file, give the keystore a password, and name the file pskey-2015-12.

Load Keystore into WebLogic

After importing the certificates into pskey-2015-12, we need to copy the file to the web server and tell WebLogic to use the new file. The integrationGateway.properties file will need to know about the new keystore as well.

  1. Copy the pskey-2015-12 file to your web server directory %PS_CFG_HOME%\webserv\peoplesoft\piaconfig\keystore.
  2. Log into the WebLogic console.
  3. Navigate to “Environment > Servers > PIA > Keystores”.
  4. Click the “Lock & Edit” button to allow editing.
  5. Click the “Change” button for the Keystores option.
  6. Select “Custom Identity and Custom Trust” and “Save”.
  7. In the “Custom Identity Keystore” box, change the file name to piaconfig/keystore/pskey-2015-12.
  8. In the “Custom Identity Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
  9. In the “Custom Trust Keystore” box, change the file name to piaconfig/keystore/pskey-2015-12.
  10. In the “Custom Trust Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
  11. Click Save.

WebLogic will now look at the new keystore file. Next, we need to tell WebLogic which certificate it should serve to users.

  1. Click on the “SSL” tab.
  2. Change the “Private Key Alias” to hr.psadmin.io-2015-12.
  3. In the “Private Key Passphrase” boxes, enter the password you gave the hr.psadmin.io-2015-12 key pair.
  4. Click Save.
  5. Click the “Activate Changes” button.

Update integrationGateway.properties

Before we reboot the WebLogic domain, we need to update the integrationGateway.properties file.

  1. On your web server, open the integrationGateway.properties file under %PS_CFG_HOME%\webserv\peoplesoft\applications\peoplesoft\PSIGW.war\WEB-INF.
  2. Find the secureFileKeystorePath line and change the file name to pskey-2015-12.
  3. If the password you gave the keystore is different from the previous file’s, you’ll need to update that parameter in the file as well:
    1. Open a command prompt and go to %PS_CFG_HOME%\webserv\peoplesoft\bin.
    2. Run the command setEnv.cmd to set the environment variables.
    3. Go to the folder pia\bin.
    4. Run the PSCipher command to get the encrypted text.
  4. Restart your WebLogic domain.

Test your HTTPS Connection

As WebLogic starts up, check the logs to verify that the server started with your new certificate. Once the server has started, open a browser and test the site. You should see a secure connection to your site in the browser.
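Because the scheduled task renews the files under %USERPROFILE%\AppData\Roaming\letsencrypt-win-simple but cannot update WebLogic, the certificate the site serves can silently drift from the renewed one. The following Python script is an added example, not part of the original post or the letsencrypt-win-simple client: it compares what WebLogic actually serves against the renewed .der file and reports days until expiry. SAMPLE_CERT is a constructed stand-in for a getpeercert() result, and the hostname and file path are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample of the dict ssl.SSLSocket.getpeercert() returns for a
# verified certificate; the names echo the post (hr.psadmin.io, renewal due
# after 2/9/2016). It is not a real Let's Encrypt certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "hr.psadmin.io"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "subjectAltName": (("DNS", "hr.psadmin.io"),),
    "notAfter": "Mar 10 12:00:00 2016 GMT",
}

def evaluate_cert(cert, hostname, now):
    """Return (days_left, name_ok, issuer); days_left is negative once expired."""
    expires_at = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    names = {v for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    names |= {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    issuer = ", ".join(v for rdn in cert.get("issuer", ()) for _, v in rdn)
    return (expires_at - now).days, hostname in names, issuer

def fetch_served_cert(hostname, port=443):
    """Return (cert_dict, der_bytes) that WebLogic presents (needs network)."""
    # The default context verifies the chain, so a missing intermediate (the
    # ca-*-crt.pem appended in Keystore Explorer) raises SSLCertVerificationError.
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

def check_site(hostname, renewed_der_path, warn_days=30):
    """True when the served cert is current and matches the renewed .der file."""
    cert, served_der = fetch_served_cert(hostname)
    days_left, name_ok, issuer = evaluate_cert(cert, hostname, datetime.now(timezone.utc))
    with open(renewed_der_path, "rb") as f:  # assumed path: ...\hr.psadmin.io-crt.der
        served_ok = f.read() == served_der
    print(f"{hostname}: issuer={issuer} name_ok={name_ok} days_left={days_left}")
    if not served_ok:
        print("Renewal wrote a new certificate: rebuild pskey and reload WebLogic.")
    return days_left >= warn_days and name_ok and served_ok

def demo(hostname="hr.psadmin.io", year=2016, month=2, day=9):
    """Evaluate the constructed sample as of a UTC date (default: the post's renewal date)."""
    return evaluate_cert(SAMPLE_CERT, hostname, datetime(year, month, day, tzinfo=timezone.utc))
```

Run check_site("hr.psadmin.io", r"C:\path\to\hr.psadmin.io-crt.der") from the same scheduled task, or a day later, so a renewal that WebLogic never picked up is noticed before the old certificate expires.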
