Unauthenticated Node Service Operations

Categories:
Tags:
Tailored Operational Context
  • Target Database:
  • Context Type:
  • Alert Severity:
  • Triggered Time:
  • Firing Context:

Unauthenticated Node Service Operations

Report ID: ib-noauth-node-svcops Category: Integration Broker

Purpose

This report identifies active nodes with no authentication configured (AUTHOPTN='N') and then determines which fully-active service operations are reachable through those nodes. A service operation is considered fully active only when it meets all three criteria: an active version, an active routing, and an active handler.

Any operation reachable through one of these nodes can be invoked without credentials.

What It Captures

For each active node with no authentication:

  • Node metadata (name, description, user ID)
  • All fully-active service operations routed through that node
  • The routing that links the operation to the node
  • Operation type (REST/HTTP Post, Sync/Async)

Tables Queried

PSMSGNODEDEFN — Message Node Definitions

Paginated to discover all nodes. Filtered to active nodes with AUTHOPTN = 'N'.

FieldDescriptionFilter
MSGNODENAMENode name (primary key)
ACTIVE_NODEActive statusMust be '1' (active)
AUTHOPTNAuthentication optionMust be 'N' (none)
USERIDPeopleSoft user ID for node
DESCRShort description

PSOPERATION — Service Operation Definitions

Paginated to discover all operations.

FieldDescription
IB_OPERATIONNAMEOperation name (primary key)
RTNGTYPERouting type (S=Sync, A=Async)
IB_REST_SERVICEREST indicator (0=SOAP, 1/2=REST)

PSOPRVERDFN — Operation Version Definitions

FieldDescriptionFilter
ACTIVE_FLAGVersion active statusAt least one must be 'A'

PSOPRHDLR — Operation Handlers

FieldDescriptionFilter
ACTIVE_FLAGHandler active statusAt least one must be 'A'

PSIBRTNGDEFN — Integration Broker Routing Definitions

FieldDescriptionFilter
ROUTINGDEFNNAMERouting definition name
SENDERNODENAMESender nodeChecked against no-auth node list
RECEIVERNODENAMEReceiver nodeChecked against no-auth node list
EFF_STATUSEffective statusMust be 'A' (active)

Data Flow

1. Paginate through all PSMSGNODEDEFN records
   -> Filter to active nodes with AUTHOPTN = 'N'
   -> Build set of no-auth node names
        |
        v
2. Paginate through all PSOPERATION records
   (batches of 300)
        |
        v
3. For each operation, fetch full details
   (versions, handlers, routings)
        |
        v
4. Filter to "fully active" operations:
   - At least one active version
   - At least one active handler
   - At least one active routing
        |
        v
5. Check if any active routing references
   a no-auth node (as sender OR receiver)
        |
        v
6. Generate report grouped by node

Report Output

The generated report contains:

  • Header with database name and generation timestamp
  • Summary with counts of no-auth nodes, total operations checked, and matching operations
  • No-Auth Nodes table listing each unauthenticated node with its user ID and count of reachable operations
  • Per-node sections with a table of all service operations accessible through that node, including operation type and routing name
  • Recommendations for remediation

Interpreting Results

  • Nodes with many accessible operations are higher risk and should be prioritized for remediation
  • The User ID on each node indicates what PeopleSoft user context is used for operations through that node. Review its privileges
  • REST operations are typically more easily exploitable from external systems than HTTP Post (SOAP) operations
  • If no nodes are found with AUTHOPTN='N', the report exits early with a clean result

Recommendations

  1. Configure authentication (AUTHOPTN = 'P' or 'C') on all active nodes
  2. Set internal and/or external passwords on nodes that require password authentication
  3. Review the PeopleSoft user ID associated with each no-auth node for excessive privileges
  4. Consider deactivating routings that should not be accessible without authentication