
Friday, February 17, 2023

Securing PDF

The following is a way to secure PDF files generated by a non-BI Publisher technology such as SQR. For this test I am running PT 8.59.x; the same classes should also be available in slightly older PeopleTools releases, such as PT 8.56.x.

Oracle provides Java classes that can be used to secure a PDF file. This method adds an open password to the PDF, so the user is prompted for a password when opening it, and at the same time adds a digital signature to the PDF. The class does both, so if the requirement is only to password-protect a PDF, a signature still has to be added; in that case make it small or invisible.

This method also requires a digital certificate issued by one of the certificate authorities on the Adobe Approved Trust List (AATL). The certificate has to be in PFX format (it can be converted using tools such as openssl). If a self-signed certificate is used, the process still works, but the end user will see a warning banner in Adobe Reader when the document is opened and will have to manually trust the certificate by adding it to the Adobe trust store.

The solution uses two Java classes that are delivered with PeopleTools:

1. java.util.Properties

2. oracle.xdo.common.pdf.signature.PDFSignature


/* Properties that turn on signing and PDF security */
Local JavaObject &jProp = CreateJavaObject("java.util.Properties");

&jProp.setProperty("signature-enable", "True");
&jProp.setProperty("pdf-security", "True");
&jProp.setProperty("pdf-open-password", &EncryptPswd);
&jProp.setProperty("pdf-permissions-password", &EncryptPswd);
&jProp.setProperty("pdf-changes-allowed", "0");

&EncryptPswd is the password that will be required to open the PDF file.

&inFile is the complete path to the source PDF file and &outFile is the complete path of the secured PDF file.

Local JavaObject &pdfSignature = CreateJavaObject("oracle.xdo.common.pdf.signature.PDFSignature", &inFile, &outFile);
   
&pdfSignature.setConfig(&jProp);
&pdfSignature.setLocale("en");

&digPswd is the password of the PFX digital certificate file and &digSign is the complete path to the PFX file. Make sure the paths use "//" instead of "/" or "\\" instead of "\".

/* Load the signing certificate from the PFX file */
&pdfSignature.init(&digPswd, &digSign);

The following places the signature field in the PDF file. If a visible signature is not needed, make it small or invisible. Adjust the values as required.

/* Signature rectangle (x, y, width, height) and the page it goes on */
&xCord = 0;
&yCord = 0;
&width = 0;
&height = 0;
&pageIndex = 1;

&sReason can be some text, or blank if no reason is required.
      
/* Add the signature field, sign it and release the PDF handles */
Local JavaObject &jFloatArray = CreateJavaObject("float[]", &xCord, &yCord, &width, &height);
&pdfSignature.addSignatureField(&pageIndex, &jFloatArray, "PSoftSign");
&pdfSignature.sign("PSoftSign", &sReason);
&pdfSignature.cleanup();

Clean up memory once done.
&jProp = Null;
&pdfSignature = Null;
&jFloatArray = Null;

/* Delete the un-encrypted source file so only the secured copy remains */
Local JavaObject &delFile = CreateJavaObject("java.io.File", &inFile);
&delFile.delete();


Saturday, June 30, 2018

Wildcard SSL Certificates (CN/SAN)

We had a need to enable SSL on all our non-production PeopleSoft environments, so we decided to create a single SSL certificate that could be used across all of them.

Following are the details of this exercise.
I am running PT 8.56.xx on HCM 9.2 with WebLogic 12c on a Windows 2016 VM, but this should work for any release.

In my case I have two web servers (web1.mycompany.com and web2.mycompany.com) in my non-production PeopleSoft landscape, and I wish to use the same certificate on both of them.

PeopleSoft delivers a wrapper called pskeymanager.cmd (or .sh) which essentially runs the Java keytool command to create a Java keystore.

When you use the wrapper to generate a new store or a new certificate request, it prompts for the CN (common name) value, which is generally the VM name; in my case that would be web1.mycompany.com or web2.mycompany.com. If I generate it as web1.mycompany.com, I won't be able to use this certificate on web2, and vice versa. So the plan is to provide *.mycompany.com as the CN value, which is a wildcard, so that any web server in mycompany.com can use this SSL certificate.

When we do this there is another attribute called the SAN (Subject Alternative Name) that needs to be populated. In my experience I noticed that a browser like Chrome uses this to verify the validity of the certificate, but a browser like IE doesn't use it.

The vanilla pskeymanager.cmd doesn't set the SAN attribute, so we have to customize the script as follows.

Search for the string :gencsr; a few lines below it is the keytool command that generates the CSR (Certificate Signing Request). Towards the end of that command add:

-ext san=dns:web1.mycompany.com,dns:web2.mycompany.com

or

-ext san=dns:*.mycompany.com

Now use the pskeymanager.cmd command to create a new keystore and generate the CSR. Then provide the CSR to your CA (Certificate Authority) for signing, and once you receive the signed certificate verify that the SAN value is populated.

Load this into WebLogic and test. You can now use the same SSL certificate on all the web servers in the mycompany.com domain.
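As an added example (not part of the original post), the following script checks which hostnames each of the two SAN values above would actually cover, applying the dNSName matching rule that SAN-checking browsers use: a wildcard is honoured only as the entire leftmost label and matches exactly one label, so dns:*.mycompany.com covers web1.mycompany.com but neither the bare mycompany.com nor a deeper name such as app.dev.mycompany.com. The SAN strings and hostnames are constructed sample values.

```python
"""Hostname-vs-SAN coverage check (added example, not from the post).

Applies the dNSName rule from RFC 6125 section 6.4.3: a wildcard is
honoured only as the whole leftmost label and matches exactly one label.
"""

# SAN values exactly as written after "-ext san=" (constructed samples).
SAN_EXPLICIT = "dns:web1.mycompany.com,dns:web2.mycompany.com"
SAN_WILDCARD = "dns:*.mycompany.com"


def parse_san(ext_value):
    """Split a keytool-style 'dns:a,dns:b' value into lowercase names."""
    names = []
    for item in ext_value.split(","):
        kind, _, value = item.strip().partition(":")
        if kind.lower() == "dns" and value:
            names.append(value.lower().rstrip("."))
    return names


def dns_name_matches(pattern, hostname):
    """True if one SAN dNSName (possibly a wildcard) covers hostname."""
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    # The wildcard must be the whole leftmost label and must leave at
    # least two labels to its right (so "*.com" is rejected).
    if first != "*" or rest.count(".") < 1:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def hostname_covered(ext_value, hostname):
    """True if any dNSName in the SAN value matches hostname."""
    return any(dns_name_matches(p, hostname) for p in parse_san(ext_value))


def coverage_report(ext_value, hostnames):
    """Map each hostname to whether a SAN-checking browser would accept it."""
    return {h: hostname_covered(ext_value, h) for h in hostnames}


if __name__ == "__main__":
    hosts = ["web1.mycompany.com", "web3.mycompany.com",
             "mycompany.com", "app.dev.mycompany.com"]
    for label, san in (("explicit", SAN_EXPLICIT), ("wildcard", SAN_WILDCARD)):
        print(label, coverage_report(san, hosts))
```

Run it to see that the explicit list covers only the two named servers, while the wildcard covers any single-label host under mycompany.com and nothing else.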