Why you should have different local node passwords

I was doing an assessment of a Peoplesoft installation recently when I noticed that the node passwords were the same across all environments of the same application type. While this might not seem like it is a big deal, it can open up a production environment to unauthorized access or accidental data entry. If this sounds like your environment perhaps some of your developers or users may have already realized that this allows them to access production with out a password from a non production environment, especially if they use bookmarks or direct URLs.

The problem here is related to a mechanism of Peoplesoft’s authentication. The PS_TOKEN cookie which is used for authentication is created from among other things the issuing systems default local node and password. If this data is the same across say, all your HCM environments, then a PS_TOKEN created in a development environment can also be valid in the corresponding production environment.

My recommendation is simple enough, force the node passwords to be different for every database in your install via your refresh script or process. This will ensure the PS_TOKEN is not valid across multiple instances of the same application and prevent this rather undesirable “feature” that I know several developers have enjoyed and even relied on in the past.

Leave a Reply

Your email address will not be published. Required fields are marked *