Sunday, February 26, 2006

Security

Is it easy to hack PeopleSoft? The answer to this question is not a simple ‘NO’. You could keep arguing on this, but let me give you some background on what I did, trying to achieve this and also provide a feature which any ERP must package along with its application.

I was into my sixth month as a PeopleSoft consultant and did not know much about PeopleSoft. At this point I was reading a book on cryptanalysis (I don’t remember the name of the book; it was not a computer hacking book, instead it gave a very good mathematical analysis of the topic); my interest in hacking the PeopleSoft system could be attributed to this book. One place where I thought PeopleSoft was weak in its security offering was the Application Designer connected to the database in two-tier mode. PeopleSoft PeopleBooks has this to say about Application Designer in two-tier:

“A determined hacker could hack into the PeopleSoft system if he is provided with this.”

A first step here is to realize the simple fact that when we log on to the Application Designer we use PeopleSoft user id and password. PeopleSoft user id and password are stored in the database; PeopleSoft Application Designer must be able to establish a connection to the database before it could validate the user id and password – interesting! This is when I remembered the connect id and password, and the grant.sql in pshomes where I could set the connect id and password. The connect id and connect password are the access id and access password to the database with permissions to select from PSSTATUS, PSACCESSPRFL and PSOPRDEFN. This is where the Application Designer validates the PeopleSoft user id and retrieves the access id and password to log on to the database.

I have found the place from where I can retrieve the information, but I know it is encrypted (this is where you must be a “determined hacker”). Application Designer has C++ code which actually knows how to decrypt the passwords retrieved from the database (a determined hacker would be able to obtain the code by decompiling the application at this level, and will also find himself behind bars for obtaining the source code of a commercially licensed product). I realized that there is still another place, if I get the encryption logic with the key (once I get the encryption code, the key should be within the piece of code that was used for encryption). The PeopleSoft user profile creation page allows the user to enter a password, and on saving a user profile it encrypts the password that we typed in. Had PeopleSoft been stupid enough (which they are absolutely not) they would have written the encryption code as PeopleCode, but instead they provided a PeopleCode built-in function “HASH” to encrypt the passwords (I would love to set a PeopleCode trace and know if the code for an inbuilt function is visible… I know for certain that it would not be).

Can I stop my hacking desire here? No, because I remember something that was taught to me during my initial PeopleSoft boot camp: we could encrypt the passwords using Data Mover (this is just an encrypt.dms which again uses a PeopleSoft inbuilt function) and the cipher.bat file. The cipher.bat file interested me and made me think that I can do it now. But I outsourced this particular job to one of my friends and he told me that this bat file calls a number of Java class files (I’m not certain about this and not sure whether we could decompile the class files; I’m not a geek when it comes to programming languages). People who are interested can actually try something out here.

But only if you are a mathematical hacker could you hack the encrypted passwords and get the key used by PeopleSoft; if I did this I would probably land in RAND or behind bars (basically because PeopleSoft must be using RSA and it has one private key which is built in; RSA decryption is not a simple thing, but we can get lots of sample data by creating our own user ids and passwords). This is sure to take a lot of time, but it is not without its benefits; read on to know how you could benefit from this particular effort.

I have seen a lot of customers who blindly use people and peop1e as the connect id and password respectively in their PeopleSoft system (we should be through to get the encrypted passwords). PeopleSoft does provide the option of extended encryption of the Customer’s passwords, but this code (and algorithm) has to be developed by the Customer. Not a single Customer I came across has done this; the reason could be that you have to find a mathematician to develop the algorithm and then implement it. None of the service providers could take the pains of accomplishing this. If we could somehow obtain the PeopleSoft encryption key, we would get access to almost all the PeopleSoft systems on planet Earth (remember we must have two-tier access). At the three-tier level I have a strong feeling that PeopleSoft is very secure.
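The two-tier sign-on flow described earlier needs the connect id only for SELECT on PSSTATUS, PSOPRDEFN and PSACCESSPRFL, and the paragraph above notes how often the vendor defaults people/peop1e are left in place. The following audit is an added example written for this post (it is not PeopleSoft’s or Oracle’s code): it takes rows shaped like Oracle’s DBA_TAB_PRIVS view plus the configured connect id and password, flags the default credentials and any grant beyond or missing from the expected set, and emits the corrective SQL. The sample rows and the connect id psconnect are constructed.

```python
"""Least-privilege audit for a PeopleSoft connect id (added example, not from the post)."""

# What grant.sql is expected to give the connect id: read access to the three sign-on tables only.
EXPECTED_GRANTS = {("PSSTATUS", "SELECT"), ("PSOPRDEFN", "SELECT"), ("PSACCESSPRFL", "SELECT")}
DEFAULT_CONNECT_ID = "people"
DEFAULT_CONNECT_PASSWORD = "peop1e"

# Constructed sample: what SELECT grantee, table_name, privilege FROM dba_tab_privs might return.
SAMPLE_DBA_TAB_PRIVS = [
    ("PEOPLE", "PSSTATUS", "SELECT"),
    ("PEOPLE", "PSOPRDEFN", "SELECT"),
    ("PEOPLE", "PSACCESSPRFL", "SELECT"),
    ("PEOPLE", "PS_JOB", "SELECT"),      # excess: application data readable before PeopleSoft sign-on
    ("PEOPLE", "PSOPRDEFN", "UPDATE"),   # excess: write access to the user profile table
    ("SYSADM", "PSOPRDEFN", "SELECT"),   # a different grantee; ignored by the audit
]


def grants_for(connect_id, dba_tab_privs):
    """Set of (table, privilege) held by the connect id; Oracle stores names in upper case."""
    return {(table.upper(), priv.upper())
            for grantee, table, priv in dba_tab_privs
            if grantee.upper() == connect_id.upper()}


def audit_connect_id(connect_id, connect_password, dba_tab_privs):
    """Return findings as strings; an empty list means the connect id passed every check."""
    findings = []
    if connect_id.lower() == DEFAULT_CONNECT_ID:
        findings.append("connect id is the vendor default 'people'")
    if connect_password == DEFAULT_CONNECT_PASSWORD:
        findings.append("connect password is the vendor default 'peop1e'")
    held = grants_for(connect_id, dba_tab_privs)
    for table, priv in sorted(held - EXPECTED_GRANTS):
        findings.append(f"excess grant: {priv} on {table}")
    for table, priv in sorted(EXPECTED_GRANTS - held):
        findings.append(f"missing grant: {priv} on {table} (two-tier sign-on would fail)")
    return findings


def remediation_sql(connect_id, dba_tab_privs):
    """Oracle statements that bring the grants back to exactly the expected set."""
    held = grants_for(connect_id, dba_tab_privs)
    stmts = [f"REVOKE {priv} ON {table} FROM {connect_id.upper()};"
             for table, priv in sorted(held - EXPECTED_GRANTS)]
    stmts += [f"GRANT {priv} ON {table} TO {connect_id.upper()};"
              for table, priv in sorted(EXPECTED_GRANTS - held)]
    return stmts


if __name__ == "__main__":
    for line in audit_connect_id("people", "peop1e", SAMPLE_DBA_TAB_PRIVS):
        print("FINDING:", line)
    for stmt in remediation_sql("people", SAMPLE_DBA_TAB_PRIVS):
        print(stmt)
```

Changing the connect password also means updating it in every client configuration that signs on in two-tier mode, so the password check is only half of the fix.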

So is there something that can be done about this? The solution is that an ERP should provide strong encryption algorithms (PeopleSoft already does this); along with this, the Customer must be allowed to choose his own private key, which alone can be used to decrypt the passwords. The application development environment (Application Designer in the case of PeopleSoft) must get the private key from the Customer and then use the inbuilt decryption algorithm to decrypt the password.

Thursday, February 23, 2006

Wink

Firstly, I apologize for the non-ERP post, but I was not able to resist writing about the new software that I found on the web, WINK. This is an amazing piece of software which allows you to create a Flash presentation in no time and is very user-friendly. It took me a couple of minutes to understand it; the user forum dedicated to the application solves most of our problems. Although I’ve not used multiple call-outs on a single page, it can be done. Steps for that:

1. After we finish our recording, save the project as “.wnk”
2. Export the file to HTML
3. Open the folder containing the images for the HTML document
4. Edit the required image with MSPAINT
5. Delete the existing thumbnail for the image in WINK
6. Create a blank thumbnail in its place
7. Copy-paste the image file that we edited in step 4

I did find these steps on the user forum; I posted them here just to make sure that you don’t overlook them. This application is just great. I’ve created a Flash presentation for Customization Analyzer (you can find it in the sidebar; it is not complete... will post the complete presentation soon). It makes the job of presentations so much easier that I enjoyed doing this one. Did I forget something? What is the price of this application? It’s freeware!

Almost forgot the attribution part. WINK is a product of DebugMode Software.

Tuesday, February 21, 2006

Version Control

This post is intended to document one of the most important aspects of MY ERP. This morning I saw my post and found a valuable suggestion from Brent Martin, a very valuable suggestion which I did overlook. Brent also gave another link to look into before knowing the exact problem: Grey Sparling.

As we all know, Grey Sparling Solutions is an organization run by able ex-PeopleSoft employees. I thought I had better read it before I make any suggestions out here. The biggest challenge when it comes to version control in PeopleSoft’s case was this: a PeopleTools release means changes to source code at the Application Designer level and the Application Server level. I think this should be very easy (as the source code is in text format); we could use any commercially available version control application for this purpose. Although this piece of version control requires third-party tools, it will only be internal, as we will not package this for the Customer.

The biggest challenge for PeopleSoft is in tracking the object-level changes. Chris Heller (refer to the Grey Sparling link above) has mentioned that they achieve this by using Subversion, i.e. a text-format result for these changes on database objects. Once the Subversion repository is available it should again be easy for us to establish version control. PeopleSoft provides a Compare process which allows the user to compare objects in the database and generate reports. But as I’ve always thought, one of the main drawbacks of the PeopleSoft Compare process is that it is not PeopleTools compatible. I did develop a couple of tools to help an Upgrade Consultant; Reapply Customization was one of them. Reapply Customization will compare, analyze and then reapply the customizations, and I made it PeopleTools compatible. It will compare databases between different releases and then reapply customizations; all this was achieved only with the rel-scripts at my disposal. PeopleSoft could have made their Compare process PeopleTools independent (from any new release to any old release); this would have allowed us to generate the database object-level compare report in text format.

Having said all this, the Compare process independent of Tools gets a tick for MY ERP. It is a feature which must be present.

Monday, February 20, 2006

MY ERP Architecture

Before I really start working on MY ERP I have another important step, which is finalizing the architecture for this product. This reminds me of a presentation which I made to the ‘Architects of Oracle Fusion’* (*this was how they were introduced to me) six months ago. The presentation was intended to give the Architects an overview of PeopleSoft architecture. The most striking feature of PeopleSoft’s architecture is its ‘Meta-Data Driven’ part. I was always fascinated by the fact that an ERP chose this approach (whether they were the first? I can’t answer this question). The database companies today spend a valuable amount of effort in making the data retrieval process of the database quick and efficient; PeopleSoft did not have to worry about the efficiency of data retrieval as they chose the Meta-Data Driven approach. As application packages, ERPs should always worry about end-user efficiency. When you choose a Meta-Data approach, the system will certainly become more efficient with time as you will only be storing required information.

One of the first questions which I recall from my session is, “Wouldn’t storing all information in a database make it inefficient?” And I said there is always a trade-off. Here is an example: a user designs a page using the application’s development environment (Application Designer in case of PeopleSoft); let us assume that the development environment is not meta-data driven. Now, the development environment will create a file for this page, and the next time the user wants to view the page, the development environment has to retrieve information from the file server instead of via a simple SQL (like: SELECT * FROM PSPNLFIELD WHERE blah-blah). The file-server version will definitely prove to be more inefficient. We can still make it efficient by adding the Application Server layer to our development environment, but there is no guarantee that this would prove to be more efficient.

The Meta-Data Driven approach is not without its disadvantages: customers will not relish the fact that half (not literally) of their database space is occupied by the application. As I said before, there is always a trade-off. One thing is for certain: I’ll surely not think about batch programs (Application Engine in PeopleSoft’s terms) residing in the database. They are better left as SQRs on a file server. It was a great idea to allow users to code their batch programs from the development environment, but I think they should have been left on the file server, from where the development environment could have accessed them.

I think I’ll stay with the Meta-Data Driven architecture with lots of tweaks to it. But before I do so I would just love to hear opinions on this. What do you think I should choose: an approach similar to PeopleSoft (the title says it, “Driven by PeopleSoft…”) or is there something better?

Monday, February 13, 2006

My Mentor

He is very important to me just for the fact that he has insights. HE is my mentor. I asked him to go through my posts last week and guess what? He gave me a perfect solution to the trial roll-out of MY ERP’s coding interface. The solution goes as below,

We could call the drop-down coding interface the non-geek (functional) coding interface and MY ERP’s complete code interface the geek (technical) interface. This should keep the geeks and the non-geeks happy. But the basic idea of this ERP lies in eliminating the geeks (including me) and letting the non-geeks build their requirements and test them. But it is still a long way to go. I’m planning to start my alpha version build as quickly as possible. I’ll let you know how things proceed. I’m running out of time. Can somebody make the days run for another dozen hours?

Tuesday, February 07, 2006

MY ERP Upgrade!

An important aspect to consider when you set out to build an ERP will be presented to the reader. My experience in the ERP industry has been upgrades; probably that is what drove me here. No awards for guessing the content of this post, but I certainly wish to share some thoughts on how to achieve what we desire.

Today’s ERP industry is quickly becoming a legacy system. When I set out to build MY ERP my first priority would be to look at how well the application will provide the upgrades. The question which arises to the user is, “How can you estimate your upgrade when you have not built your first release?” (Appreciate your attention!). I plan to take the non-traditional route.

When my business process specialists build the functional pieces of MY ERP, I would like them to look into other competitors and ensure that we provide all the features provided by our competitors. Once the essential pieces of my application’s architecture have been built, I want the people in my organization to come up with an upgrade path from one of our competitors to our application. This application upgrade path should be 75% more efficient than our competitor’s upgrade path from his old release to his new release. The most important trick here is to ensure that we do not lose any valuable Customer data. Our upgrade application must have conversion scripts which will ensure smooth migration of our client from one ERP segment to the other. As always, the next section will give you an example, so that my vision does not get blurred through your eyes.

The Customer is running PeopleSoft and using the HRMS application. The Customer makes use of the HRMS product of PeopleSoft to store and manipulate his data. Our business process analysts will determine the exact location in our application where the PeopleSoft data can be used (tedious job! But nevertheless it should not be left to the Customer). Then we will create conversion scripts to move the data from the PeopleSoft system to MY ERP. All features provided by PeopleSoft which do not exist in our system will be added to our system as Customizations. This particular script will be utilized by an upgrade tool (Conversion Aide) which will parse the script and provide user interfaces that will ease the job of the upgrade. If there are any Customizations made to the PeopleSoft system (why did I put an ‘if’?) then the Conversion Aide would provide suggestions to the Upgrader to handle the Customizations. E.g.: if the Customer adds a field to a particular table, the Conversion Aide will identify this as a feature which would be lost during the upgrade and hence will provide the user information related to this. It will provide the user a segment of the Conversion Road Map, which includes a pictographic representation of “how and where” the data from the Customized table gets converted. Then he will be given the option of retaining or retiring the Customization (the Customer will require some effort to look into why the Customization was done, so the Conversion Aide will also provide him the Customization plan, which would be generated by the Conversion Aide to determine “Why were the Customizations made? What is the Customization?” This would not be possible without understanding the complete architecture of PeopleSoft and what details to look into). If he wishes to retain the Customization he will be prompted with another interface to apply the Customization to MY ERP.
The Conversion Aide will track the Customization made by the Customer and it will make the necessary changes to the conversion script. Now the Customer should be able to verify the validity of the changes made by the tool, hence it will provide a Compare Interface to validate and edit the changes.

Most of the thoughts in the previous paragraph are targeted at Customer-modified objects; what about the Customer-added objects? Here I’ll concentrate on the other aspect of Customization. The first step in handling Customer-added objects is to perform a check on why the customization was done. The Conversion Aide will start with this simple question on a user interface which will be indexed. Now when the Customer types in the reason for the Customization, the tool will search and retrieve the business process available within MY ERP for the requirement. If the Customer is satisfied with the business process provided by MY ERP then the Conversion Aide will assist him to generate the scripts required for the conversion. Else the Customer-added object from PeopleSoft will get converted into a Customer-added object in MY ERP.

I certainly understand that this will require a lot of effort, from understanding the business process and architecture of two systems, but it will certainly save a lot of time for the Customer and increase his ROI. It will also gear us up for our own upgrade. I’ve not spoken at length about the code section (look closely, I’ve only considered objects!). I’m an optimist when it comes to believing that code modifications can also be automated (at least to a certain extent, so as to ease the user effort).

“Why should I migrate?” – This will be the first question asked by the Customer when you reach him, so it’s always better that we do concentrate hard on making MY ERP a better product than what the market offers and then allow the user to migrate to the better product in a better way!

Monday, February 06, 2006

Vision Statement for MY ERP

The time is ripe for me to document all that I think of, so the best place where I can do this is in a blog. If you had been a frequent visitor to my posts you will know my reasons to start this blog; to create an ERP which will be way superior to the existing ones. MY ERP -- This is where my journey began and I wish to take it somewhere.

The most essential aspect of my application is that it will not require any coding changes from the Customer end. I wish to pass all the coding arguments which the Customer would normally customize to the Properties page of each object which he creates. When a Customer intends to change the logic which drives a particular page, the application will provide the Customer a user interface where he can actually make his Customizations.

The problem with all this documentation is that I’ll have to give proper examples to ensure that I’ll understand my thoughts after a while. E.g.: I want to test my emplid before I save it; the application might provide a simple Validation Check to ensure that I do not enter any special characters into the column. I, being the Customer, would like to add a criterion to check whether the number added is according to my business requirements. Now the application should provide us with the option of adding the extra validations to the column without opening the code; that is, I should be able to open the property of the column emplid and say, “Add Criterion” → Set Field Type Column to “Type” → Select “<>” → Select “Number” → Set Action to “Error”. Then for the next criterion I say the following to the application: “Add Criterion” → Set Field Type Column to “Value” → Select “Greater than or Equal to” (this could be a drop-down box which should also allow me to type “>=”) → provide a value in the next column as “5000” → Set Action to “Error” (this could also point to another condition or another set of processes which the Customer wishes to perform. E.g.: the Customer would like to provide an auto-generate option to the user, which will need a message box to obtain user feedback followed by a set of calculations to determine the emplid. These will be called processes and can be added just like criteria). Now the application should add the following code to the column’s code section:

If emplid.type <> “Number” then
    Error
End if
If emplid.value >= 5000 then
    Error
End if

-- I hate the system constraining the user with the requirement of learning the syntax to use applications code section.

I think I have taken the simplest situation in Customizations, but there will be more complex customer requirements which we as developers should not ignore. E.g.: the Customer is not satisfied with the Validation Check provided by the application and prefers to comment out the entire logic provided by the application and add his own criteria and processes. So we should split each and every piece of code that we put on an object into functions and allow the user to deselect the functions and create the ones that he requires. There will be instances where the Customer would choose to add some criterion at a specific point in the logic provided by the application; this should be achieved by providing our logic to the Customer in the same fashion which he will be using to create the logic. That is, if the application code is also structured in the property of the object, the Customer can think about inserting his logic at any specific point in the delivered code.
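The criteria-driven validation proposed for emplid, and the two customization modes just described (deselecting a delivered check, inserting a customer criterion at a chosen point), as an added example written for this post rather than code from it. Criteria are plain data that the application both evaluates and turns into the If/Error/End if block shown above; the Criterion class, the String/Number typing and the enabled flag are assumptions of this example.

```python
"""Criteria-driven column validation, as the post proposes (added example, not the post's code)."""
import operator
from dataclasses import dataclass

OPS = {"<>": operator.ne, "=": operator.eq, ">=": operator.ge,
       ">": operator.gt, "<=": operator.le, "<": operator.lt}


@dataclass
class Criterion:
    attribute: str          # "Type" or "Value", the two choices in the post's property dialog
    op: str                 # key of OPS; the dialog shows words, the user may also type ">="
    operand: object         # "Number" for a Type criterion, a number for a Value criterion
    action: str = "Error"
    delivered: bool = True  # shipped by the application (may be deselected) or customer-added
    enabled: bool = True    # the customer deselects a delivered criterion by clearing this


def field_type(raw):
    """Type as the dialog names it: an optionally signed run of digits is a Number, else String."""
    text = str(raw).strip()
    return "Number" if text.lstrip("-").isdigit() else "String"


def validate(raw, criteria):
    """Evaluate the enabled criteria in order and return the actions that fired.

    An Error ends evaluation (the save is rejected). A Value criterion is skipped for a
    non-numeric entry; catching that entry is the job of a preceding Type criterion.
    """
    attrs = {"Type": field_type(raw)}
    if attrs["Type"] == "Number":
        attrs["Value"] = int(str(raw).strip())
    fired = []
    for c in criteria:
        if not c.enabled or c.attribute not in attrs:
            continue
        if OPS[c.op](attrs[c.attribute], c.operand):
            fired.append(c.action)
            if c.action == "Error":
                break
    return fired


def generate_code(column, criteria):
    """Emit the If/Error/End if blocks the post shows, one per enabled criterion, in order."""
    lines = []
    for c in criteria:
        if not c.enabled:
            continue
        operand = f'"{c.operand}"' if isinstance(c.operand, str) else str(c.operand)
        lines.append(f"If {column}.{c.attribute.lower()} {c.op} {operand} then")
        lines.append(f"    {c.action}")
        lines.append("End if")
    return "\n".join(lines)


# The delivered check plus the customer's criterion from the post, in the order they were added.
EMPLID_CRITERIA = [
    Criterion("Type", "<>", "Number"),                 # delivered: reject non-numeric input
    Criterion("Value", ">=", 5000, delivered=False),   # customer: emplids must stay below 5000
]

if __name__ == "__main__":
    print(generate_code("emplid", EMPLID_CRITERIA))
    for entry in ("4999", "5000", "A12"):
        print(entry, "->", validate(entry, EMPLID_CRITERIA) or ["OK"])
```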

I totally understand that there are millions of other situations which will arise and prove to be a complication to the system but with proper specifications set to build the system developers should be able to foresee all of these (I trust the developers and I’m an optimist – at least to MY ideas). The initial versions of the applications should also provide the Customer with an editor to help him code the requirements manually, just to ensure we do not get complaints about not being able to customize our applications. We should then analyze the segments where the Customer has chosen manual code customizations and improve our product.
Although I work as a Consultant currently, I strongly believe that developers responsible for building the applications should leave no room for the Consultants to form the middle layer between the application and the Customer, even if it leaves me without a job.

Before I end this post I want to say something to the people who have read this:
If you think that this post is just a dream then you are a pessimist (According to me).
If you think it to be a Vision, I tag you as an optimist.

I belong to the pessimist sector when it comes to Oracle’s DREAM (not VISION as I’m not an optimist in this case) of building the Fusion (Coincidence “Frankenstein” also starts with “F”) with the best pieces (“Parts” also starts with “P”) from PeopleSoft, Siebel and Oracle.