PeopleTools Encryption

PeopleCode Built-in Encryption Functions

The following functions are provided as built-in functions in PeopleCode for encryption/decryption:

  • Encrypt/Decrypt
  • Hash
  • EncryptNodePswd

The syntax for these functions (as provided in PeopleBooks) is:

  • Encrypt (KeyString, ClearText) returns CipherText
  • Decrypt (KeyString, CipherText) returns ClearText
  • Hash (ClearText) returns CipherText
  • EncryptNodePswd(ClearText) returns CipherText

Ciphertext is the term used in cryptography to refer to text once it has been encrypted.
Cleartext is the plain text before any encryption is applied.

The Encrypt and Decrypt functions rely on a key string which is used as part of the encryption. Note that the key string can be blank so you can simply issue the commands Encrypt(ClearText) and Decrypt(CipherText). It is a good idea to trim spaces from the start and end of your clear text. Spaces are included in the encryption, so the cipher text will differ depending on whether or not your clear text includes a space. Use rtrim and ltrim like this to remove spaces:

&strCipherText = encrypt("", rtrim(ltrim(&strClearText)));

The Hash function can only be used to encrypt clear text - PeopleSoft doesn't provide the equivalent decryption function (for good reason). The Hash function is the same algorithm (and key) that is used to encrypt the passwords in the OPERPSWD field in the PSOPRDEFN table (user passwords).

Similarly EncryptNodePswd can only be used to encrypt clear text. It is used to encrypt the password used by Integration Broker nodes. This is the encrypted password stored in the IBPASSWORD field in the PSMSGNODEDEFN table.

Other encrypted passwords

The encrypted ACCESSID and ACCESSPSWD stored in PSACCESSPRFL use whatever algorithm is run when issuing the CHANGE_ACCESS_PASSWORD command in data mover. The ACCESSID is used as the key for the encryption algorithm. This is the symbolic ID configured when installing PeopleSoft.

The encrypted passwords stored in the application server configuration (psappsrv.cfg) and process scheduler configuration (psprcs.cfg) files use the same internal algorithm as the CHANGE_ACCESS_PASSWORD command in data mover.

I believe this is common to other applications such as configuration manager and application designer but I could be wrong.

The integrationGateway.properties file contains encrypted passwords for each node. When accessing this through advanced gateway properties, you are provided with an area to generate passwords. Alternatively you can run the delivered password encryption utility, PSCipher. This is a Java program found on your PeopleSoft web server.

The syntax for encryption is (Windows and Unix):

pscipher.bat ClearText
pscipher.sh ClearText

For security reasons you should generate a unique PSCipher encryption key using:

pscipher.bat -buildkey
pscipher.sh -buildkey

Note that the key version is presented at the start of the encrypted password: {V1.1} if a unique key has not been built (default). Otherwise it will be {V1.2} or above.

Search for PSCipher in PeopleBooks for more information.
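
The key-version prefix described above can be used to audit a properties file for passwords still encrypted with the default key. The following is an added example, not code from PeopleSoft or from the original page; the property names and cipher text in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

# Key-version tag that PSCipher puts at the start of each encrypted value.
VERSION_TAG = re.compile(r"^\{V(\d+)\.(\d+)\}")
DEFAULT_KEY_VERSION = (1, 1)  # {V1.1}: no unique key has been built


def parse_properties(text):
    """Yield (line_no, name, value) for each name=value line, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        # Split on the first "=" only: the cipher text may itself contain "=".
        name, value = line.split("=", 1)
        yield line_no, name.strip(), value.strip()


def audit_key_versions(text):
    """Return (line_no, name, version) for values encrypted with the default key.

    Values without a {Vx.y} tag are not PSCipher output and are ignored here.
    The cipher text itself is never returned, so findings are safe to log.
    """
    findings = []
    for line_no, name, value in parse_properties(text):
        match = VERSION_TAG.match(value)
        if not match:
            continue
        version = (int(match.group(1)), int(match.group(2)))
        if version <= DEFAULT_KEY_VERSION:
            findings.append((line_no, name, "V%d.%d" % version))
    return findings


# Constructed sample; property names and cipher text are placeholders.
SAMPLE = """\
# constructed sample, not a real gateway file
example.node.A.password={V1.1}PLACEHOLDERCIPHERTEXT==
example.node.B.password={V1.2}PLACEHOLDERCIPHERTEXT==
example.node.A.url=https://gateway.example.invalid/listener
"""

if __name__ == "__main__":
    for line_no, name, version in audit_key_versions(SAMPLE):
        print("line %d: %s uses the default key (%s); build a unique key and re-encrypt"
              % (line_no, name, version))
```

Any value it reports should be regenerated after running the -buildkey command shown above.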
