Encrypting passwords is a common activity for PeopleSoft administrators. For many of us, we take for granted that passwords are encrypted by the system. In this post, I want to look at password encryption for web server configuration files and how that works.
Encrypting with pscipher
pscipher
is a PeopleTools utility that encrypts passwords using 3DES encryption. The utility is a wrapper for a Java class that handles the encryption and decryption of passwords. If you look at the passwords stored in the configuration.properties
file, or produced by pscipher
, they look something like this: {V1.1}IsZtCVg15Ls=
To encrypt a password with pscipher:
- Navigate to your web server’s
[PS_CFG_HOME]\webserver\[domain]\piabin
folder. - Run
.\pscipher.bat [password]
pscipher
will return the encrypted output:
.\PSCipher.bat password
Your environment has been set.
Encrypted text: {V1.1}7m4OtVwXFNyLc1j6pZG69Q==
You can copy/paste the encrypted text into your web server config files. For example, below is the pskey
configuration in the integrationGateway.properties
file using an encrypted password:
secureFileKeystorePath=e:/psft/cfg/LM014-8.55.09/webserv/peoplesoft1/piaconfig/keystore/pskey
secureFileKeystorePasswd={V1.1}7m4OtVwXFNyLc1j6pZG69Q==
You can also encrypt passwords with pscipher through the PIA too. Navigate to PeopleTools > IB > Configuration > Gateways. Select your a gateway and click “Gateway Setup Properties”. After you log into the gateway, select the link “Advanced Properties Page”. This page lets you modify the integrationGateway.properties
file directly, but it also has a Password Encryption section. This Password Encryption tool calls pscipher on your application server to encrypt passwords.
Building New Keys
The {V1.1}
at the beginning of the password denotes which key pscipher
uses. 1.1
means your passwords are using the default key. I highly recommend you change the key. To create a new key, run the command pscipher -buildkey
. A new key will be appended to the file psvault
. The pscipher
command will now generate {V1.2}
passwords. Appended is important here. This means that you can still use {V1.1}
encrypted passwords in your configuration files and the newer {V1.2}
encrypted passwords.
psvault Locations
The psvault
file is stored under [PS_CFG_HOME]\webserv\[domain]\piaconfig\properties\psvault
. When you run -buildkey
, that is the file pscipher
updates. After you update the key to {V1.2}
, you need to copy the updated psvault
file to any other web and app servers that you want to decrypt the new passwords.
- For web servers, copy the updated
psvault
file to[PS_CFG_HOME\webserv\[domain]\piaconfig\properties\psvault
. - For app servers, copy file to
[PS_HOME]\secvault\psvault
.
You should copy the updated psvault
file to your app servers. When you update your integrationGateway.properties
file online (PeopleTools > IB > Configuration > Gateways), any passwords you encrypt using the online pages are encrypted with the app server’s copy of psvault
.
So far, I haven’t been able to get the Tuxedo domains to recognize the psvault
file under PS_CFG_HOME
, and a Oracle confirmed with me that PS_CFG_HOME
is not supported with psvault
and the app server. If you are using decoupled homes, this breaks some of the benefits of having a separate and shared PS_HOME
codeline. I created an Idea on the Oracle Community site to add support for PS_CFG_HOME
and psvault
; go vote for the idea if would like decopupled home support too.
Pingback: #104 – Page and Field Configurator
Pingback: #172 – PsMPPIAInstall
Thanks for the post, Dan. I am working on automating the keystore password update in the integrationGateway.properties file after deploying a domain for PT 8.57. Since the new version uses AES algorithm, can we still use PSCipher.sh script to generate the encrypted password and update the file?
The earlier 3DES algorithm would have generated the same encrypted text every time but with AES, it’s a different encrypted text every time the script is executed. I just wanted to find out if we can still use PSCipher.sh to generate the encrypted password in PT 8.57.
Hi Prantik – using PSChiper.sh is still the best way to generate passwords for use with your PIA domain (both
configuration.properties
andintegration.properties
files).Pingback: #269 – Excel Add-in Tools
Pingback: #331 – psst