Deliverable Specification
/conversion/tmp/scratch/390310481.doc 1 of 20
Last Updated: 6/20/2018 03:02:00 PM
Contents
Document Control...................................................................................................................3
Functional Overview...............................................................................................................4
Intended Users/Roles......................................................................................................4
Frequency...........................................................................................................................4
Specific Operational Requirements...............................................................................5
Technical Overview.................................................................................................................6
Setup and/or Maintenance...........................................................................................14
Process Flow...........................................................................................................................15
Document Control
Change Record
Functional Overview
Development Type (check one): Online (Page) / Batch Process
Intended Users/Roles
This functionality will be used by all the self-service users including Applicants, Students and Faculty.
Frequency
There is a dependency on a UVa custom interface process that provides applicant information to WhoIS. WhoIS
creates the Computing ID (CompID) and sends it back, together with the University ID (Campus ID), to the
Enterprise Portal. WhoIS shares the CompID with NetBadge, so NetBadge authenticates users under the same CompID
that WhoIS created.
Requirements:
Changes are required on both the PeopleSoft and NetBadge systems; they are described below.
Technical Overview
The Enterprise Portal log-in page will contain a new button called 'Login to Netbadge' (subject to change) that
takes the user to the NetBadge authentication page. On a successful log-in the NetBadge Login Application assigns a
NetBadge cookie to the user's browser and redirects the browser to the Campus Solutions default page as the GUEST
user. Entering as GUEST allows the signon PeopleCode to be invoked and to perform its verification checks before
handing the session over to the real user. If the checks pass, the session is handed over from GUEST to the real
user (Computing ID). If they fail, the log-in fails and an error is written to a custom table. Security managers
can view the failed logins and their error messages through a custom UVa page / component.
In summary, the complete process entails authentication by NetBadge, transmission of the credentials (COMPID,
TIMESTAMP, RANDOM and DIGEST) to PeopleSoft through a form post, a pass-through entry into PeopleSoft as GUEST
that invokes the Signon PeopleCode, which seamlessly re-verifies the credentials passed, and a collection process
for all failed log-ins. A step-by-step flow of these events is given in the Process Flow section of this document.
The GUEST user ID only requires permission to log into the Enterprise Portal / Campus Solutions application and
should be granted nothing more. Give it a long, hard-to-guess password.
Create a Web Profile, or if one already exists ('DEV') ensure that "Allow Public Access" is checked and that the
public user is the GUEST user you just created. After NetBadge authenticates a user and redirects the browser to
the direct-access page (default page http://c2cd1.admin.virginia.edu:8240/psp/epdev/EMPLOYEE/EMPL/h/?tab=DEFAULT),
the GUEST account is used. This connection is only temporary: it exists to initiate the connection to the
application server, which then determines the real user by running the signon PeopleCode. Note that the URL above
is plain http; the form carrying COMPID, TIMESTAMP, RANDOM and DIGEST should be posted over HTTPS, otherwise the
parameters can be read in transit and the 10-second freshness window is the only thing limiting their reuse.
Create Algorithm Chain
navigation: PeopleTools > Security > Encryption > Algorithm Chain
Use the delivered sha1_generate Algorithm ID (hashing method) in the algorithm chain, followed by a hex encode
step, so that the digest produced by this chain matches the hex-encoded digest sent over by NetBadge. (This
document calls the digest a "digital signature"; it is a SHA-1 hash over the request fields plus a shared secret,
not a public-key signature, so anyone holding the secret can produce it.)
Create Encryption Profile
navigation: PeopleTools > Security > Encryption > Encryption Profile
Use the Algorithm Chain you created in the previous step. The Encryption Profile created here (UV_SHA1 in the
PeopleCode below) is used by the PeopleCode to create the digest.
Develop UVa NetBadge specific Signon PeopleCode
navigation: Through App Designer open FUNCLIB_LDAP.LDAPAUTH.FieldDefault PeopleCode and add the new UVa
function described on the next page. The code is commented (in green) to explain what it does.
Signon PeopleCode executes whenever a user signs onto PeopleSoft. When the user signs on through NetBadge, the
Signon PeopleCode invokes a separate function which verifies that the credentials passed over the network and
received via the form have not been tampered with. It checks the parameters passed in the form (COMPID,
TIMESTAMP, RANDOM and DIGEST): that a User Profile matching COMPID exists in Campus Solutions, that the
credentials are no more than 10 seconds old, and that the DIGEST computed by the SHA-1 hash in Campus Solutions
matches the DIGEST sent by NetBadge. The digest is computed as:
myDigest = sha1(COMPID + TIMESTAMP + SECRET + RANDOM)
The SECRET is never sent over the network but is known to both Campus Solutions and NetBadge. Because SECRET is
the only input an outsider does not have, a matching digest shows that the form came from a holder of the secret
and that COMPID, TIMESTAMP and RANDOM arrived unmodified. The 10-second window is the only protection against
resubmitting a captured form: RANDOM is not recorded for successful logins, so a replay inside the window is not
detected.
Activate UV NetBadge specific Signon PeopleCode
navigation: PeopleTools Security Security Object Signon Peoplecode
- Set the Invoke as User ID and Password fields with the PeopleSoft User ID and password of a user who has
permission to execute PeopleSoft sign in code. The “VP1” User ID is used in the following example.
- Create a new line by clicking on the ‘+’ button to the far right. Use the same parameters as the record for
‘FUNCLIB_LDAP’ except for the ‘Function Name’ column, which should be set to the new PeopleCode
function name. In the sample code described above, the PeopleCode function name is ‘UV_NetBadge’.
- Enable this new line by checking the Enable box.
- The Exec Auth Fail checkbox must not be checked.
- Click Save.
A new record, page and component need to be created to collect information on failed logins. The page can be
used by Security Administrators to track unauthorized or malformed attempts to connect to the system and to see
why each log-in failed.
The comments field on the page indicates the nature of the problem and why the user was not able to log in.
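Reading the failed-login table is where the design pays off operationally, so here is an added example (not part of the original document) of the triage a Security Administrator would run over its rows. The rows are constructed sample data in the column order of the INSERT in the signon PeopleCode (insert time, COMPID, RANDOM, NetBadge timestamp, UVa timestamp, NetBadge digest, UVa digest, comments), with digests and RANDOM values shortened; the reason strings are the ones the PeopleCode writes. The point it shows: a near-constant offset across the "older than 10 seconds" failures means the NetBadge and application-server clocks disagree (every user will fail until it is fixed), whereas repeated digest mismatches for one COMPID point at an altered form or a secret that no longer matches on one side.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed sample rows (not real data). Timestamps are epoch seconds as strings.
SAMPLE_ROWS = [
    ("2008-04-30 09:00:02", "vm3m",  "r1", "1209560401", "1209560462", "D1",   "D1",    "Credentials supplied are older than 10 seconds: -61"),
    ("2008-04-30 09:00:51", "abc1d", "r2", "1209560450", "1209560510", "D2",   "D2",    "Credentials supplied are older than 10 seconds: -60"),
    ("2008-04-30 09:01:42", "xyz2e", "r3", "1209560500", "1209560562", "D3",   "D3",    "Credentials supplied are older than 10 seconds: -62"),
    ("2008-04-30 09:02:31", "vm3m",  "r4", "1209560550", "1209560611", "D4",   "D4",    "Credentials supplied are older than 10 seconds: -61"),
    ("2008-04-30 09:05:00", "abc1d", "r5", "1209560700", "1209560701", "BAD1", "GOOD1", "Digital Signature does not match"),
    ("2008-04-30 09:05:03", "abc1d", "r6", "1209560703", "1209560704", "BAD2", "GOOD2", "Digital Signature does not match"),
    ("2008-04-30 09:05:06", "abc1d", "r7", "1209560706", "1209560707", "BAD3", "GOOD3", "Digital Signature does not match"),
    ("2008-04-30 09:06:00", "vm3m",  "r8", "1209560760", "1209560760", "BAD4", "GOOD4", "Digital Signature does not match"),
    ("2008-04-30 09:07:00", "zzz9z", "r9", "1209560820", "1209560821", "D9",   "",      "Operator ID not present in Enterprise Portal : zzz9z"),
]

COMPID, NB_TIMESTAMP, UVA_TIMESTAMP, COMMENTS = 1, 3, 4, 7  # column indexes


def classify(comment):
    """Map the free-text comment written by the PeopleCode to a fixed reason code."""
    if comment.startswith("Credentials supplied are older"):
        return "stale"
    if comment.startswith("Digital Signature does not match"):
        return "digest_mismatch"
    if comment.startswith("Operator ID not present"):
        return "unknown_user"
    return "other"


def failures_by_reason(rows):
    """Count failures per reason code."""
    return Counter(classify(row[COMMENTS]) for row in rows)


def clock_skew_hint(rows, min_rows=3, max_spread=2.0):
    """If the stale failures show a near-constant (UVa - NetBadge) offset across several
    requests, the two systems' clocks disagree; return that offset in seconds, else None."""
    offsets = [int(row[UVA_TIMESTAMP]) - int(row[NB_TIMESTAMP])
               for row in rows if classify(row[COMMENTS]) == "stale"]
    if len(offsets) < min_rows or pstdev(offsets) > max_spread:
        return None
    return round(mean(offsets))


def repeated_digest_mismatches(rows, threshold=3):
    """COMPIDs with at least `threshold` digest mismatches: the form was altered in
    transit, or the shared secret on one side no longer matches."""
    per_user = Counter(row[COMPID] for row in rows if classify(row[COMMENTS]) == "digest_mismatch")
    return sorted(user for user, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    print(dict(failures_by_reason(SAMPLE_ROWS)))
    print("clock skew (s):", clock_skew_hint(SAMPLE_ROWS))
    print("repeated digest mismatches:", repeated_digest_mismatches(SAMPLE_ROWS))
```

Because the comment column stores a variable suffix (the skew value, the COMPID), grouping is done on the fixed prefix rather than the full string; the offset itself is recomputed from the two timestamp columns instead of being parsed out of the comment.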
Create a link on the Enterprise Portal Log-In page to redirect a user to the NetBadge Log-In page.
1. Include information about the self-service users who can use the NetBadge log-in to connect to the Enterprise
Portal.
2. Redirect the user to the Enterprise Portal default page after a successful log-in. The URL to redirect to is:
http://c2cd1.admin.virginia.edu:8240/psp/epdev/EMPLOYEE/EMPL/h/?tab=DEFAULT
The redirect to the Enterprise Portal site should depend on the environment the request came from: a request
from EPDEV should be redirected to the EPDEV site and a request from EPPRD to the EPPRD site. This is done by
sending the "env" value (env=<%=psHome%>) in the query string to NetBadge, which reads the query and redirects to
the matching site. Because "env" arrives in the query string, NetBadge should map it to one of the known sites
(EPDEV, EPPRD) and refuse any other value rather than build the redirect target from the raw parameter.
Setup and/or Maintenance
Impact on Upgrade (check one): None / Low (e.g., Translate) / Medium (e.g., Reports, Bolt-on) / Significant
(e.g., mod to PS delivered objects)
Because the UVa function is added to delivered Signon PeopleCode (FUNCLIB_LDAP.LDAPAUTH.FieldDefault), we have to
ensure it does not get overwritten if PeopleSoft delivers a new version of that PeopleCode in a Patch/Fix or a
Bundle. If a new version is delivered, it can be merged with the existing one or the UVa changes can be applied
again to the PeopleCode.
Process Flow
(Flow chart; the boxes below are recovered from the diagram text. Arrows 1 to 5 are not described in this copy;
the diagram carries the note "Explain 1, 2, 3, 4, 5 - For Steve to describe." and the labels "CMS" and "Yes".)
Browser: the user clicks the NetBadge log-in button on the Enterprise Portal home page.
NetBadge Login Authentication Application (Unix - Blue): the user supplies Username + Password.
eServices / PS servlet: receives the HTTP request, which includes the UserID in a form, and connects to the
Application Server using the Guest user.
Application Server: authenticates the GUEST connection from the web server and executes the SignOn PeopleCode.
SignOn PeopleCode: performs the verification checks. If the checks are met it hands the session over to the real
user, otherwise it signs out the Guest session.
Define PeopleSoft Objects
Project
Project Name                  Project Description
UV_CC_118_882_DIGITAL_SIGN    UVa Single Signon/Digital Signature
Fields
Field Name          Type  Len  Format  Short Name        Long Name (Label Name)
UV_COMPID           Char  30   Mixed   UVA Comp ID       UVa Computer ID
UV_DIGITAL_SIGN     Char  254  Mixed   UVa Digital Sign  UVa Digital Signature
UV_NB_DIGITAL_SIGN  Char  254  Mixed   NB Digital Sign   NetBadge Digital Signature
UV_NB_TIMESTAMP     Char  18   Mixed   NB Time Stamp     NetBadge Time Stamp
UV_RANDOM           Char  254  Mixed   UVa Random        UVa Random
UV_TIMESTAMP        Char  18   Mixed   UVa Time Stamp    UVa Time Stamp
Database Records
UV_FAILED_LOGIN: UVa Failed NetBadge Logins (New)
Table Type       Table
Table Purpose    Used for collecting failed log-in information and the failed login parameters sent by NetBadge.
Parent Table     None
Query Security   None
Audit Table      None
Field Display
Use Display
Edits Display
PeopleCode Display
Pages
Screen Image
Components
UV_FAILED_LOGIN: (New)
Search Record            <Record Name>
Add Search Record        UV_FAILED_LOGIN
Detail Page              UV_FAILED_LOGIN
Actions                  Update-Display
Default Search Action    Update-Display
Default Lookup Type      Basic
Toolbar Actions          Return to List / Next in List / Previous in List
Other Properties         Defaults

Pos  Page Name        Item Name        Item Label         Folder Tab Label   Hid  Def
     UV_FAILED_LOGIN  UV_DIGITAL_SIGN  UVa Failed Logins  UVa Failed Logins
Menus
MAINTAIN_SECURITY: (Modify)
Bar Name  Item Name        Menu Label          Type  Component        Location
Use       UV_FAILED_LOGIN  UVa Login Failures        UV_FAILED_LOGIN
PeopleCode
FUNCLIB_LDAP / LDAPAUTH / FieldDefault
Purpose
Enable Single Signon with NetBadge and authenticate using a SHA-1 digest over a shared secret

/************************************************************************************/
/* Delv ID: 118 Issue: 882 04/30/2008 CompID: vm3m */
/* Enable Single Signon with Netbadge and authenticate using sha1 hashing */
/************************************************************************************/
/* Begin - UVa code */
Function UV_NetBadge()
   /* Read the four parameters NetBadge posts in the form. These assignments were not present in
      the copy of the code reproduced in this document and are supplied so the function is complete;
      the parameter names are the ones given in the Technical Overview (COMPID, TIMESTAMP, RANDOM,
      DIGEST). */
   &NetBadgeCompID = %Request.GetParameter("COMPID");
   &NetBadgeTime = %Request.GetParameter("TIMESTAMP");
   &NetBadgeRandom = %Request.GetParameter("RANDOM");
   &NetBadgeDigitalSignature = %Request.GetParameter("DIGEST");
   &UVaComments = "";

   /* Ensure that all the parameters are in the form and then execute, else do nothing */
   If All(&NetBadgeCompID) And
         All(&NetBadgeRandom) And
         All(&NetBadgeTime) And
         All(&NetBadgeDigitalSignature) Then

      /* Current time on the Campus Solutions side as a string of seconds, in the same form as the
         NetBadge TIMESTAMP. The derivation used in production is not reproduced in this copy of the
         document; the alternative below (kept from the original, where it was commented out as
         "less reliable in case the servers are moved to a different time zone" because the
         14400-second offset is hard-coded) is used here so the comparison is complete. */
      &UVaTime = String(%Datetime - DateTime6(1970, 1, 1, 0, 0, 0) + 14400);

      /* Reject credentials that are more than 10 seconds old (or from the future) */
      If Abs(Value(&UVaTime) - Value(&NetBadgeTime)) <= 10 Then

         /* Ensure that the UserID (CompID) passed by NetBadge exists in the system.
            PSOPRDEFN is the delivered User Profile table. */
         &UserIDPresent = "N";
         SQLExec("select 'Y' from PSOPRDEFN where OPRID = :1", &NetBadgeCompID, &UserIDPresent);
         If &UserIDPresent = "Y" Then

            /* Invoke Encryption. UV_SHA1 is the Encryption Profile defined above (sha1_generate
               followed by hex encode). UpdateData passes the text to be hashed to create the
               digest. The shared secret is embedded in this code and must match the value held
               by NetBadge. */
            &UVaCrypt = CreateObject("Crypt");
            &UVaCrypt.Open("UV_SHA1");
            &UVaCrypt.UpdateData(&NetBadgeCompID | &NetBadgeTime | "This is the SSP shared secret." | &NetBadgeRandom);
            &UVaDigitalSignature = Upper(&UVaCrypt.Result);

            /* Compare our digest with the one NetBadge sent; on a match hand the session over
               from GUEST to the real user */
            If &UVaDigitalSignature = Upper(&NetBadgeDigitalSignature) Then
               SetAuthenticationResult( True, &NetBadgeCompID, "", False);
            Else
               &UVaComments = "Digital Signature does not match";
            End-If;
         Else
            &UVaComments = "Operator ID not present in Enterprise Portal : " | &NetBadgeCompID;
         End-If;
      Else
         &UVaComments = "Credentials supplied are older than 10 seconds: " | String(Value(&NetBadgeTime) - Value(&UVaTime));
      End-If;
   End-If;

   /* If any check failed, do not authenticate the user and record the failure. Column order
      matches the UV_FAILED_LOGIN record. */
   If All(&UVaComments) Then
      SQLExec("insert into PS_UV_FAILED_LOGIN values (sysdate, :1, :2, :3, :4, :5, :6, :7)", &NetBadgeCompID, &NetBadgeRandom, &NetBadgeTime, &UVaTime, &NetBadgeDigitalSignature, &UVaDigitalSignature, &UVaComments);
   End-If;
End-Function;
/* End - UVa code */
Security
Approved Decision/Approach
There were two options we considered:
1. Use the standard delivered method and authenticate users against PeopleSoft.
We chose the second method over the first for the following reasons:
Open and Closed Issues for this Deliverable
Open Issues
PRISM Issue #    Issue Description
Closed Issues
PRISM Issue #    Issue Description