Deployment

1
(No Transcript)
2
George BuzsakiVice President Application
Technology Products Oracle Corporation
3
Oracle E-Business Suite Security Management
4
Agenda

• Security Management
• Principles and Policies
• Secure Deployment
• Secure Operation
• Questions and Answers

5
Security Management
Not just for paranoid wackos any more!

• Meet your new best friend Ivan the Auditor
• He has many bothersome questions.
• He doesn't trust your answers.
• He won't leave until he his happy.
• To make your new friend happy you must
• Define a viable security policy
• Explain how compliance is enforced
• Actually comply!

6
Good Security Policy

• Begins with a Secure Deployment
• Hardened Systems
• Secure Patch level
• Secure configuration
• Secure networking
• Tightly controlled system administration
• Limited scope Administrators
• Auditing of all Administrative access

7
Good Security Policy

• Incorporates Principles of Secure Operation
• Authentication
• Determine the identity of everything
• Passwords, accounts, session management
• Authorization
• Give least privilege necessary
• Justify and review periodically
• Auditing
• Record important changes in a tamper-proof way
• Focus on "judgment calls"

8
Good Security Policy

• Balances theoretical perfection with reality
• Cost versus risk/benefit
• Strict policy enforcement may be hard/annoying
• Consider "trust but verify"
• Human Nature
• Employees are not interested in security, and
  will "route around" onerous policies in
  surprising ways.
• Automate-ability
• Frame policies in ways that can be automatically
  enforced, and make computers do the work.

9
Secure Deployment

• General advice
• Stay current with patching
• Security alerts
• Recommended patch list
• Latest maintenance pack
• Follow Best Practice for secure deployment
• MetaLink 189367.1
• Mostly automated in 11.5.10
• Monitor Security Faults and Audit logs regularly

10
Patching

• Security Alerts
• Oracle Quarterly Critical Patch Update (CPU)
• Middle of January, April, July, October
• Covers all Oracle products
• http//www.oracle.com/technology/deploy/security
• Also monitor alerts for your Hardware platform.
• Operating System
• Java
• Management tools,

11
Patching

• Recommended Patch List
• Critical or recommended Apps patches certified
  for general use
• Updated as new patches are certified
• http//metalink.oracle.com - Patches
• Considered "baseline" code level for the release
• May include fixes or enhancements which improve
  security or make it easier to apply later
  security alerts.
• Integration with OAM Patch Advisor coming soon

12
Patching

• ATG Product Family Pack "H" (3438354)
• Latest technology, including
• Technology Stack (TXK Minipack B)
• AutoConfig (ADX Minipack E)
• System Management (OAM Minipack H.1)
• Foundation (FND Minipack H)
• Framework (FWK Minipack H)
• Workflow (WF Minipack H)
• In certification now for use against previous
  release levels, will be on RPL soon

13
Best Practices

• MetaLink article 189367.1
• Maintained continuously, check periodically for
  updated advice (see change log)
• Major document update released 12/06/2004
• Assumes current patch level
• 11.5.9 Recommended Patch Level or 11.5.10
• Most advice is now automated via latest
  AutoConfig and OAM
• To report trouble with advice, log a bug against
  Product 510, Component SEC_COMP

14
Oracle Database

• Get to recommended database 9.2.0.5
• Harden the database and server machine
• Check privileges on APPLSYSPUB/PUB
• FND_TOP/patch/115/sql/afpub.sql
• Change default passwords for Apps accounts
• Listed in FND_ORACLE_USERID
• Use FNDCPASS

15
Oracle Database

• Do not expose APPS password
• Create alternate accounts
• Named accounts per human/system
• Limited grants to APPS, according to role
• Audit changes to database security and setup
• Heavy auditing on human accounts, less on APPS
• Restrict access to audit information

16
Oracle Database

• Future Direction
• Support limited privilege database accounts for
• Externally facing Application Servers
• Limited Administrators
• Apps Patching through OAM / PTS Tools
• Critical Data Protection
• Stored Data Encryption
• Broad implementation of VPD access control

17
Oracle TNS Listener

• Enable listener password / admin restrictions
• Restrict access to trusted machines
• SQLNET IP Filtering via OAM H.1
• Register additional trusted servers, if any
• Run OAM "Restrict SQLNET Access" Wizard
• AutoConfig generates correct sqlnet.ora
• SQLNET Firewall, Oracle Connection Manager

18
OAM Host Management
19
OAM Trusted Host Registration
20
Application Server

• Runs the Application Business Logic
• Middle tier code (class, jsp, fmx, executables)
• Configuration files (.conf, .properties, .xml)
• Database Credentials (.dbc, ...)

21
Application Server

• Use latest certified middle tier Tech Stack
• Rapid Install 11.5.10 Tech Stack Upgrade
• MetaLink 146468.1 Upgrading to iAS 1.0.2.2
• ATG Product Family pack H (3438354)
• May require product co-req patches depending on
  your current release level.
• Will be on the Recommended Patch List soon

22
Application Server

• Use SSL (HTTPS) for Web Listener
• Recommended for internal use as well
• New SSL Setup wizard in OAM 11.5.10
• Manual Setup Metalink 123718.1, 277574.1
• Performance considerations
• mod_ssl about 15 increase in CPU load
• Hardware accelerators now supported

23
OAM SSL Configuration Wizard
24
Application Server

• Use a hardened App Server Configuration
• TXK Minipack B includes AutoConfig support
• Application Servers registered with Database
• HTTP Listener blocks requests to unused services
• Security-related Validation features enabled

25
HTTP Firewall

• Controls network access to the HTTP Server
• HTTP or HTTPS only
• specified TCP port numbers only
• Protects against vulnerabilities in OS, services
• Supported and Recommended
• Even on your internal network

26
User PC

• Runs Browser and Applet User Interface
• Generally not in your control - untrusted
• Should not run business logic
• If you are running Client/Server components
• Switch to equivalent Web components if possible
• Put client/server components on a secured server,
  use Citrix-type solution for user access
• Details in MetaLink 277535.1

27
External Server Security
External Server
External PC
Internal PC
Internal Server
Control which responsibilities are externally
available. Users accessing from outside your
firewall will see a restricted set of
Responsibilities in the Navigator.
28
External Server Security

• Mark External Servers
• Node Trust Level (Server Profile Option)
• Set to "External" for externally facing servers
• Set to "Normal" at Site level
• Mark Externally available Responsibilities
• Responsibility Trust Level (Profile Option)
• Set to "External" for externally available resps
• Set to "Normal" at Site level'
• External access restricted by security system

29
DMZ Reverse Proxy (future)

• Relays valid requests to Application Server
• Apache or WebCache
• No Applications Code on this tier
• URL filtering limits access to specific pages
• External product teams will supply URL patterns
• Mitigates the "unnecessary code" problem
• Certification in progress with early adopters
• Targeting AutoConfig support in early 2005

30
E-Business Suite Configuration

• Harden EBS Security Setup
• Check GUEST user privileges
• Review access to powerful forms (Security, SQL)
• Check settings of critical profile options
• Enable Auditing
• Sign-on Audit at the "Form" level
• Audit Trail for key security tables

31
Monitor Security through OAM

• New Security Dashboard collects relevant
  documentation, monitors and controls
• Security Diagnostics automated checks for many
  security best practices, more to come
• Security Faults possible attacks or other
  security related errors
• Security Resources links to important documents,
  updated automatically
• More content coming soon
• Setup and Auditing links, more diagnostics

32
OAM Security Dashboard
33
OAM Page Flow Logging
34
Authentication Policy

• Individuals should identify themselves with
  secret passwords that cannot be guessed
• Length, Complexity, Lifetime / Reuse
• No shared accounts, shared passwords
• Note Account Lockout is NOT recommended
• Authentication should occur
• At the beginning of every session
• again after any significant period of inactivity
• again before any critical operation

35
Authentication Policy

• Forgotten Passwords
• Manual reset by Administrator
• Alternate authentication process
• Email, manager approval, question/answer

36
Authentication Policy

• Excessive Passwords
• Too many passwords weakens all passwords
• Users compensate Easy to remember, written down,
  reluctance to change
• Difficult to enforce good policy on every system
• Consider Single Sign-on
• Single password for entire enterprise
• Integrate Apps with existing authentication
  service
• Windows, Netegrity, Certificates, Custom...

37
SSO Integration Availability

• E-Business Suite integration with Application
  Server 10g Single Sign-on
• Requirements
• Application Server 10g Identity Management
• EBS 11.5.9 or later plus interop patch(es)
• In Early Adopter phase, some customers live
• More info
• MetaLink 207159.1
• Contact your Account Manager to join the EAP

38
Authorization Policy

• Access rights are derived from the roles that an
  individual has within your enterprise
• Some roles are implied from information already
  known about the individual
• Internal Job / Position (HR)
• External company affiliation (TCA)
• Other roles are authorized at the discretion of
  the responsible organization or individual
• Justification and approval chain may be required
• Ongoing periodic review required

39
EBS Role-based Access Control

• Powerful new model for access control
• Based on the industry standard RBAC model
• http//csrc.nist.gov/rbac/
• Extensions for backward compatibility with
  "classic" Function Security
• Separation of Security from Navigation Menus
• Oracle User Management - new product
• Advanced User and Role Management
• Delegated Administration
• Self-service requests with Workflow approval

40
EBS RBAC Model - Users
User
User

• Users can be
• Humans
• Internal Employees
• External Customers
• Systems
• Internal integrated applications (A2A)
• External trading partners (B2B)

User
User
User
User
User
User
41
EBS RBAC Model - Roles
User
User
Role

• Roles can be
• Apps Responsibilities
• HR Positions
• TCA Groups
• LDAP Roles
• Security Roles
• Hierarchical

User
Role
User
Role
User
Role
User
User
User
Role
42
EBS RBAC Model - Permissions
Permission
User
User
Permission
Role

• Permissions can be
• Screens/Flows
• APIs/Services
• Data Operations

Permission
User
Role
Permission
User
Role
Permission
User
Role
Permission
User
Permission
User
Permission
User
Role
43
EBS RBAC Model - Permission Sets
Permission
User
Permission Sets are defined as Menu structures
Set
User
Permission
Role
Permission
User
Role
Permission
User
Role
Permission
Set
User
Role
Permission
User
Set
Permission
User
Set
Permission
User
Role
44
EBS RBAC Model - Grants
Grants tie Roles to Application Permissions
Permission
User
Set
User
Permission
Role
Permission
User
Grant
Role
Permission
User
Role
Grant
Permission
Set
User
Role
Permission
User
Grant
Set
Permission
User
Set
Grant
Permission
User
Role
45
Separation of Menus and Grants
Permission
Menu
Permission
Menu
Responsibility
Permission
Permission
A Responsibility is a role that also gives access
to a navigation menu, and can include default
access to some of the menu choices
Permission
Menu
Permission
Permission
Menu
Permission
46
Separation of Menus and Grants
Permission
Menu
Permission
Menu
Responsibility
Permission
Role
Permission
Grant
Permission
Menu
Permission
Additional access can be tied to more privileged
roles. Only authorized choices are visible in
the Navigator.
Permission
Menu
Permission
47
Role Hierarchies
Developer
Development Manager
Expenses
Training
Employee
HR Manager
Procurement
Sales Manager
Hierarchies let you define higher level roles
more efficiently by re-using lower level setups
Sales Rep
48
EBS RBAC Model Benefits

• Complete permission repository
• Full registry of what is available
• Administration at the business level
• Roles simplify administration
• Grants to Roles represent policy, rarely change
• Hierarchical Roles reuse common setup
• Allows for delegated administration
• Security Administrator defines Role Permissions
• Role Administrators manage Role Membership

49
Role Management

• Direct Administration
• Ad-hoc management of user and roles
• Restricted/Delegated Administration
• Uses Data Security to restrict scope of admin
• Automated Policy-based Administration
• Users request accounts and roles in Self Service
• Approval and Implementation policies automated
  through Oracle Workflow

50
Direct Administration
51
Policy-based Administration

• Define the role
• Included roles
• Direct grants
• Define eligibility requirements for requestors
• Prerequisite roles
• Define the registration process
• Additional information that should be collected
• Approval process (Workflow)
• Sit back and relax

52
Self-Service Access Request

• Users browse available access roles by category
• Shopping cart metaphor makes it easy

53
Self-Service Access Request
After selecting roles, users provide
justification and submit their request
54
Self-Service Access Request
Users can monitor their request status, which may
be pending approval or additional information
55
RBAC - Future Plans

• Reorganize default security setup around Role
  Based Access Control
• Business Roles, Roles Hierarchies, Grants
• Responsibilities with full navigation menus
• Integration with Enterprise Roles from LDAP
• Service Bean interface and XML Publisher based
  reporting on security setup
• Workflows to automated user and role management
  according to best practice policy

56
Security Management Summary

• Release 11.5.10 offers major advances in
• Secure deployment
• Secure operation
• Focus of on-going development is on
• Increasing depth of protection for critical data
• Automation of all aspects of security management
• Better status reporting, auditing, monitoring
• We ask you to
• Implement the best practices, give feedback!

57
A
58
(No Transcript)