# Your PeopleSoft Nodes Probably Don't Have Passwords

> Most PeopleSoft environments have active message nodes with no authentication configured (AUTHOPTN='N'). How to check PSMSGNODEDEFN, why it matters, and what to fix first.

---

LLMS index: [llms.txt](/llms.txt)

---

Here is a finding from a delivered Campus Solutions 9.2 development image: **62 active message nodes, 58 of them with no authentication configured.** That is not an unusual environment. It is what delivered images look like, and refreshed non-prod environments inherit it.

## Why It Matters

A message node with `AUTHOPTN = 'N'` accepts messages without authenticating the sender. Any system that can reach your Integration Broker gateway can send messages to or through that node. Whether that is exploitable depends on what routings and service operations the node participates in — but "unauthenticated by default and nobody has looked" is not a posture you want to explain to an auditor.

A prime example is the delivered `ANONYMOUS` node, which exists in all PeopleSoft databases. It acts as a fallback for inbound integrations when the incoming request does not specify a node or credentials. If the `ANONYMOUS` node is active, is associated with a high-privilege Default User ID, and has active any-to-local routings, anyone who can reach the gateway can run those service operations. For a detailed guide on securing this fallback mechanism, see [Properly Securing the ANONYMOUS IB Node](https://ib.books.cedarhillsgroup.com/security/anonymous-node-security/) in *Integration Broker: The Missing Manual*.

Node authentication has three settings in `PSMSGNODEDEFN.AUTHOPTN`:

- **`N`** — none. No authentication.
- **`P`** — password. The node authenticates with a stored password.
- **`C`** — certificate. The node authenticates with a certificate.

## How to Check

```sql
SELECT MSGNODENAME, DESCR, NODE_TYPE, AUTHOPTN
FROM   PSMSGNODEDEFN
WHERE  ACTIVE_NODE = 1
AND    AUTHOPTN = 'N'
ORDER  BY MSGNODENAME;
```

Two follow-up checks worth running while you are there:

1. **Nodes with password auth but no password set.** `AUTHOPTN = 'P'` with an empty password is functionally the same as no auth.
2. **Inactive nodes with no auth.** Lower priority, but they are one activation away from being the first finding.

## Tracing Which Service Operations Can Run

Even if you identify an unauthenticated node, understanding your actual exposure is difficult. You have to ask: *What service operations can actually run through this node?*

Answering this in native PeopleSoft is tedious because node authorization is split across two areas:
1. **Routings:** The service operations that have explicit or any-to-local routings associated with the node.
2. **User Security:** The service operations authorized to the node's **Default User ID** (defined in `PSMSGNODEDEFN.USERID`).

To trace the user's security manually, you would have to query the database to join the node's User ID (`PSOPRDEFN`) to its assigned roles (`PSROLEUSER`), join those roles to their permission lists (`PSROLECLASS`), and then join those permission lists to authorized web services (`PSAUTHWS`).

### How psLens Simplifies the Audit

psLens does the heavy lifting for you. Since every object in the catalog is deep-linkable, you can navigate from a node to its service operations in a single click:

* **User's Service Operations Toggle:** From any Message Node detail page, if a Default User ID is assigned, you can toggle **User's Service Operations** in the sidebar. psLens instantly lists all service operations authorized for that user ID.

<figure><img src="/images/screenshots/ib/node-user-service-operations.png"
    alt="User&#39;s Service Operations in psLens"><figcaption>
      <p>Message Node detail page showing properties and User&rsquo;s Service Operations toggle in psLens</p>
    </figcaption>
</figure>


* **Deep Links:** Click on the User ID to inspect its full security configuration, or click any service operation in the list to navigate to its details and inspect its handlers and active routings.
* **Automated Audit Report:** The built-in [Unauthenticated Node Service Operations report](/docs/reports/integration-broker/ib-noauth-node-svcops/) searches your entire environment for active no-auth nodes and maps them directly to the fully-active service operations they can run.

## What to Fix First

Start with active nodes that participate in inbound routings — those are reachable from outside. Set `AUTHOPTN` to password or certificate and configure the credential on both sides of each integration. Do it in DEV first; a node password mismatch is a quiet way to break an integration.


## Running This as a Repeatable Audit

psLens ships this exact check as the [Nodes Without Passwords report](/docs/reports/security/security-nodes-no-password/): it categorizes active no-auth nodes, active nodes with auth but no password, and inactive no-auth nodes, and exports the findings as Markdown with links back to each node's detail page. Results are stored for 90 days, so the next audit cycle can show the trend rather than a point-in-time screenshot.

<figure><img src="/images/screenshots/unauthenticated-nodes-report.png"
    alt="Nodes with No Password report"><figcaption>
      <p>Nodes with No Password report dashboard in psLens</p>
    </figcaption>
</figure>


You can read [the exact output it produces](/docs/reports/sample-output/) — including the 62-node dev-image run above — before installing anything.

---

### Subscribe for Updates

If you found this article helpful, subscribe to get notified of new PeopleSoft technical notes and psLens updates.











<div class="card bg-light border-0 border-start border-primary border-3 my-4 shadow-sm">
    <div class="card-body p-3">
        <form action="https://subscribe.cedarhillsgroup.com/subscribe" method="POST" class="row align-items-center g-3">
            
            <input type="text" name="website" style="position: absolute; left: -5000px;" tabindex="-1"
                autocomplete="off">
            <input type="hidden" name="redirect_to" value="https://pslens.com/subscribed/">
            <input type="hidden" name="topic_id" value="pslens">

            <div class="col-lg-5">
                <h6 class="mb-1 text-dark fw-bold">Stay Updated</h6>
                <p class="mb-0 text-muted small" style="font-size: 0.85rem;">Receive new articles directly in your inbox.</p>
            </div>

            <div class="col-md-6 col-lg-3">
                <input type="text" name="first_name" placeholder="First Name (optional)"
                    class="form-control form-control-sm">
            </div>

            <div class="col-md-6 col-lg-3">
                <input type="email" name="email" required placeholder="Email Address"
                    class="form-control form-control-sm">
            </div>

            <div class="col-12 col-lg-1">
                <button type="submit" class="btn btn-primary btn-sm w-100">Join</button>
            </div>
        </form>
    </div>
</div>
