Friday, October 31, 2008

How to avoid passwords expiring in PeopleSoft

One of the more often customer requirements regarding security is to implement password expiration. PeopleSoft provides this functionality using the Password Controls component under:

PeopleTools > Security > Password Configuration > Password Controls

This component provides the alternative to enable or disable password expiration controls for all users. Now, what happens if we want a certain user's password to never expire?

There are plenty of situations where we might want this to happen, for instance:
  • The password for the user set in the Process Scheduler or Application Server configuration should not expire or otherwise the system may not work.
  • Same happens with if a user is set as a Guest in a Web Profile.
  • Also, you may want to disable password expiration for PTWEBSERVER, the user set by default to let the Web Server recover Web Profiles from PeopleSoft environment.
Unfortunately, PeopleSoft does not provide the ability of disabling password expiration for a given user. Good news are that it is quite easy to do by setting the last password change date to a future date using the following SQL sentence:

update PSOPRDEFN
set LASTPSWDCHANGE = '2050-01-01'
where OPRID in ('SOLICITANTE', 'PS', 'PTWEBSERVER')

24 comments:

Larry said...

I found the same blog in http://www.itwisesolutions.com , Is it the same site?

Javier Delgado said...

Thanks Larry for the information. It seems itwisesolutions is a site grouping multiple Blogs using RSS. I haven't posted this entry there, but I don't mind sharing its contents.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Good post and this fill someone in on helped me alot in my college assignement. Gratefulness you seeking your information.

ramprasath said...

To my understanding, there is one more way to avoid password Expiry for particular users

In the peoplecode of FUNCLIB_PWDCNTL adding the following customization in the function PASSWORD_CONTROLS

Function PASSWORD_CONTROLS ( );

/* START CUSTOMIZATION - this is a customization to exclude users from password controls */

If %SignonUserId = "" Or
%SignonUserId = "" Then
Exit(0);
End-If;

/* END CUSTOMIZATION */



where USER1 , USER2 are id whose password you don’t want to expire.

Javier Delgado said...

Hi Ramprasath

Thanks for your contribution.

I guess the intended code was:

(...)
If %SignonUserId = "USER1" Or
%SignonUserId = "USER2" Then
Exit(0);
End-If;
(...)

Although this approach works, it implies a customization in a PeopleTools object such as the FUNCLIB record you referred to. This is normally something you would like to avoid, as it could be affected by any PeopleTools update (which due to Oracle Security Alerts are quite common).

Again, as I said, it's a valid approach so in the end it's a matter of choosing the option you like the best.

Max Onlinetraining said...

Thanks for providing information on people soft admin
people-softadmin

Nikhil said...
This comment has been removed by the author.
Javier Delgado said...

Hi Nikhil

You could run the sentence for all users at once:

update PSOPRDEFN
set LASTPSWDCHANGE = '2050-01-01';

But probably at that point the best option would be to disable password expiration altogether. This can be done by PeopleTools Security configuration, in a page called Password Controls.

I hope this helps.
Thanks.

Nikhil said...

Hi Javier ,

Thanks for the great info.
It would work for specific users alright . But, what if I want the passwords of all the users working on a specific PeopleSoft environment to never expire even after it is refreshed.Because the navigation in PIA and selecting the "Never Expires" tab would be set to default once the environment is refreshed I guess. Is there a way to do that using a SQL query which can be added to the post refresh script?
Looking forward to your inputs/idea.:)

Javier Delgado said...

Hi Nikhil

Yes, you could use the following sentence:

update PSOPRDEFN
set LASTPSWDCHANGE = '2050-01-01';

I hope this helps!

Nikhil said...

Now that was a quick reply Javier.
Much appreciated!
Amd I am pretty sure , it would work.
So just to confirm ,

By adding the sentence you mentioned in the post refresh script , it would disable the password expiration thing for all the users in that specific environment. Am I right?

Javier Delgado said...

Yes, until 2050 :-)
If you have any issue let me know.
Cheers!

Nikhil said...

Thank you so much for your inputs.
Will try and let you know.
Good to have stumbled upon your blog! :)
Keep up the great work! :)

Nikhil said...

Hi Javier ,
The query worked. :)

And is there a way to just update the "Never Expires" tab from the back end as it should serve the purpose as well.Just checked the pplcode for the password control page.There is a lot of dependency. Some changes may have to be made at the people code level too.Nothing can be done at the SQL level alone without those changes I think.
Is there a way to enable that radio button(Never Expires) without contradicting with the peoplecode?

Javier Delgado said...

Hi Nikhil

I think the following statement would work, but I cannot test it right now:

update PSPSWDRESTICT set PSWDAGEWRK = 'N';

Let me know if it works.
Thanks!

Nikhil said...

Already tried this.
Actually "PSPSWDRESTICT" does not exist since it is a derived table. I myself am trying to figure out a way around this.
Can't seem to find one though.

Javier Delgado said...

Hi Nikhil

Try this then:

update PSSECOPTIONS set PSWDEXPIRESDAYS = 0;

You may need to delete your cache after this. I'm not sure if it's cached or not, but normally when manipulating PeopleTools tables it is a good idea.
Thanks

ykc varma said...

Hi Javier,

Need an information on how can we validate User ID and password from third party system(Java ) I am able to connect to Peoplesoft DATABASE . Can we use any SQL package ?

Regards,
Chaitanya.

Javier Delgado said...

Hi Yyc Varma

The password encryption is not done at the database level, so I'm not sure you can do it through SQL. One possible way would be to create a Component Interface in PeopleSoft and call it from Java. Another alternative would be using a Web Service, but in both cases you would need to do some development in PeopleSoft.

There is no standard way of doing this as far as I'm aware, although I haven't had the opportunity to do some deep research.

Thanks

Nikhil said...

Thank you Javier for your inputs.
Much appreciated.
The query " update PSSECOPTIONS set PSWDEXPIRESDAYS = 0; " works fine as per requirement.