Deployment

1
(No Transcript)
2
Brent MosherSenior Sales Consultant Applications
Technology Oracle Corporation
3
Oracle E-Business Suite Security Management
4
Agenda

• Security Guidelines
• Secure Architectures
• 11i.10 User Management
• Questions and Answers

5
SecurityGuidelines
6
Security Policy
Not just for the paranoid any more!

• Authentication
• Authorization
• Auditing

7
Patching

• Security Alerts
• Oracle Quarterly Critical Patch Update (CPU)
• Middle of January, April, July, October
• Covers all Oracle products
• http//www.oracle.com/technology/deploy/security
• Also monitor alerts for your Hardware platform.
• Operating System
• Java
• Management tools,

8
11i Security Best Practices

• MetaLink article 189367.1
• Maintained continuously, check periodically for
  updated advice (see change log)
• Major document update released 12/06/2004
• Assumes current patch level
• 11.5.9 Recommended Patch Level or 11.5.10
• Most advice is now automated via latest
  AutoConfig and OAM

9
Oracle Database

• Get to recommended database 9.2.0.5
• Harden the database and server machine
• Check privileges on APPLSYSPUB/PUB
• FND_TOP/patch/115/sql/afpub.sql
• Change default passwords for Apps accounts
• Listed in FND_ORACLE_USERID
• Use FNDCPASS

10
Oracle Database

• Do not expose APPS password
• Create alternate accounts
• Named accounts per human/system
• Limited grants to APPS, according to role
• Audit changes to database security and setup
• Heavy auditing on human accounts, less on APPS
• Restrict access to audit information

11
OAM Trusted Host Registration
12
OAM Security Dashboard
13
OAM Page Flow Logging
14
SecureArchitectures
15
Application Server

• Use SSL (HTTPS) for Web Listener
• Recommended for internal use as well
• New SSL Setup wizard in OAM 11.5.10
• Manual Setup Metalink 123718.1, 277574.1
• Performance considerations
• mod_ssl about 15 increase in CPU load
• Hardware accelerators now supported

16
OAM SSL Configuration Wizard
17
External Server Security
External Server
External PC
Internal PC
Internal Server
Control which responsibilities are externally
available. Users accessing from outside your
firewall will see a restricted set of
Responsibilities in the Navigator.
18
External Server Security

• Mark External Servers
• Node Trust Level (Server Profile Option)
• Set to "External" for externally facing servers
• Set to "Normal" at Site level
• Mark Externally available Responsibilities
• Responsibility Trust Level (Profile Option)
• Set to "External" for externally available resps
• Set to "Normal" at Site level'
• External access restricted by security system

19
DMZ Reverse Proxy (future)

• Relays valid requests to Application Server
• Apache or WebCache
• No Applications Code on this tier
• URL filtering limits access to specific pages
• External product teams will supply URL patterns
• Mitigates the "unnecessary code" problem
• Certification in progress
• Look for white paper in process note 287176.1

20
E-Business Suite Configuration

• Harden EBS Security Setup
• Check GUEST user privileges
• Review access to powerful forms (Security, SQL)
• Check settings of critical profile options
• Enable Auditing
• Sign-on Audit at the "Form" level
• Audit Trail for key security tables

21
11i.10UserManagement
22
11i Basic Security

• Responsibility ? User
• Menu(s)
• Function(s)

Resp
Resp
Resp
Resp
Resp
23
New Model User Management

• Optional 11i.10 permission repository
• Full registry of what is available
• Administration at the business level
• Roles simplify administration
• Grants to Roles represent policy, rarely change
• Hierarchical Roles reuse common setup
• Allows for delegated administration
• Security Administrator defines Role Permissions
• Role Administrators manage Role Membership

24
Role Based Access Control

• A Role is the actions and activities assigned to
  a person or group.
• A role can be modeled using
• Responsibilities
• Permissions
• Function Security Policies
• Data Security Policies
• A user can be assigned several roles.
• A role can be assigned to several users.

25
Role Based Access Control Description
Permissions
Responsibilities
Roles
Data Security Rules
Function Security Rules
26
User Management Key Features

• Role Based Management
• Role Inheritance
• Self Service Registration
• Delegated User Management

27
Role Based Management
28
Registration ProcessDescription

• Types of Registration Processes
• Self Service Account Requests
• Requests for Additional Access
• Account Creation and Access Role Assignment by
  Administrators

29
Registration Process
Link generated using User Managements
registration link generator
30
Request Access
31
Delegated Administration

• Create a role that that represents a set of local
  administrators
• Identify the subset of users the admin can manage
  and the administrative functions that can
  performed on this user set
• Identify the organizational relationships the
  admin can manage
• Choose roles that the administrator can
  administer
• Grant any other permissions if necessary

32
Delegated Administration
Create Role
33
Delegated Administration
34
Delegated Administration
Org A
Reseller of
Partner Admin Of Org A
Org B
35
Delegated AdministrationHow to Setup this Feature
36
Resources
37
User Management Strategic Implementation Program

• Ensure smooth implementations for new products
• Requires willingness and commitment
• Discuss with local applications sales team

38
Oracle Metalink Notes

• Note 258281.1 - About User Management
• Note 189367.1 Security Best Practices
• Note 287176.1 DMZ Configuration
• RBAC http//csrc.nist.gov/rbac/rbac-std-ncits.pdf

39
A
40
(No Transcript)