Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.


Page 1:

Page 2:

Brent Mosher
Senior Sales Consultant
Applications Technology
Oracle Corporation

Page 3:

Oracle E-Business Suite Security Management

Page 4:

Agenda

Security Guidelines
Secure Architectures
11i.10 User Management
Questions and Answers

Page 5:

Security Guidelines

Page 6:

Security Policy

Authentication
Authorization
Auditing

Not just for the paranoid any more!

Page 7:

Patching

Security Alerts
– Oracle Quarterly Critical Patch Update (CPU)
  Middle of January, April, July, October
  Covers all Oracle products
  http://www.oracle.com/technology/deploy/security
– Also monitor alerts for your
  Hardware platform
  Operating System
  Java
  Management tools, …

Page 8:

11i Security Best Practices

MetaLink article 189367.1
– Maintained continuously; check periodically for updated advice (see change log)
  Major document update released 12/06/2004
– Assumes current patch level 11.5.9 + Recommended Patch Level, or 11.5.10
– Most advice is now automated via latest AutoConfig and OAM

Page 9:

Oracle Database

Get to recommended database: 9.2.0.5+
Harden the database and server machine…
Check privileges on APPLSYSPUB/PUB
– $FND_TOP/patch/115/sql/afpub.sql
Change default passwords for Apps accounts
– Listed in FND_ORACLE_USERID
– Use FNDCPASS

Page 10:

Oracle Database

Do not expose APPS password
– Create alternate accounts
  Named accounts per human/system
  Limited grants to APPS, according to role
Audit changes to database security and setup
– Heavy auditing on human accounts, less on APPS
– Restrict access to audit information

Page 11:

OAM Trusted Host Registration

Page 12:

OAM Security Dashboard

Page 13:

OAM Page Flow Logging

Page 14:

Secure Architectures

Page 15:

Application Server

Use SSL (HTTPS) for Web Listener
– Recommended for internal use as well
– New SSL Setup wizard in OAM 11.5.10
– Manual Setup: Metalink 123718.1, 277574.1
– Performance considerations
  mod_ssl: about 15% increase in CPU load
  Hardware accelerators now supported

Page 16:

OAM SSL Configuration Wizard

Page 17:

External Server Security

[Diagram labels: External Server, Internal Server, External PC, Internal PC]

Control which responsibilities are externally available. Users accessing from outside your firewall will see a restricted set of Responsibilities in the Navigator.

Page 18:

External Server Security

Mark External Servers
– Node Trust Level (Server Profile Option)
  Set to "External" for externally facing servers
  Set to "Normal" at Site level
Mark Externally available Responsibilities
– Responsibility Trust Level (Profile Option)
  Set to "External" for externally available resps
  Set to "Normal" at Site level
External access restricted by security system
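The trust-level rule on this slide, as an added Python model that is not part of the presentation or of Oracle's code: it combines the node trust level of the server a session arrived through with the trust level of each responsibility to decide what the Navigator shows and what the security system allows. The resolution order (an explicit server or responsibility value overrides the site value), the data structures, and the sample server and responsibility names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Site-level value the slide recommends for both profile options.
SITE_LEVEL = "Normal"


@dataclass(frozen=True)
class Server:
    name: str
    node_trust_level: Optional[str] = None  # server-level value; None = not set


@dataclass(frozen=True)
class Responsibility:
    name: str
    trust_level: Optional[str] = None  # responsibility-level value; None = not set


def effective(level: Optional[str]) -> str:
    """Assumed resolution order: an explicit server/responsibility value
    overrides the site-level value; otherwise the site value applies."""
    return level if level is not None else SITE_LEVEL


def is_external_node(server: Server) -> bool:
    return effective(server.node_trust_level) == "External"


def navigator_responsibilities(server: Server,
                               assigned: List[Responsibility]) -> List[Responsibility]:
    """Responsibilities the Navigator lists for a session that came in via `server`.
    On an External node only responsibilities marked External are shown;
    on a Normal (internal) node the user sees everything assigned."""
    if is_external_node(server):
        return [r for r in assigned if effective(r.trust_level) == "External"]
    return list(assigned)


def authorize(server: Server, resp: Responsibility,
              assigned: List[Responsibility]) -> bool:
    """Server-side check applied to every request, not only when drawing the
    menu, so a responsibility hidden from the Navigator is also refused when
    requested directly on an External node."""
    if resp not in assigned:
        return False
    return not is_external_node(server) or effective(resp.trust_level) == "External"
```

Note that a server whose node trust level was never set resolves to the site value "Normal" and therefore shows every responsibility, which is why the slide pairs the site default with an explicit "External" on each externally facing server.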

Page 19:

DMZ Reverse Proxy (future)

Relays valid requests to Application Server
– Apache or WebCache
No Applications Code on this tier
– URL filtering limits access to specific pages
  External product teams will supply URL patterns
  Mitigates the "unnecessary code" problem
Certification in progress
– Look for white paper (in progress), note 287176.1

Page 20:

E-Business Suite Configuration

Harden EBS Security Setup
– Check GUEST user privileges
– Review access to powerful forms (Security, SQL)
– Check settings of critical profile options
– Enable Auditing
  Sign-on Audit at the "Form" level
  Audit Trail for key security tables

Page 21:

11i.10 User Management

Page 22:

11i Basic Security

[Diagram labels: User; Responsibility (several Resp boxes); Menu(s); Function(s)]

Page 23:

New Model: User Management

Optional 11i.10 permission repository
– Full registry of what is available
– Administration at the business level
Roles simplify administration
– Grants to Roles represent policy, rarely change
– Hierarchical Roles reuse common setup
Allows for delegated administration
– Security Administrator defines Role Permissions
– Role Administrators manage Role Membership

Page 24:

Role Based Access Control

– A Role is the actions and activities assigned to a person or group.
– A role can be modeled using
  Responsibilities
  Permissions
  Function Security Policies
  Data Security Policies
– A user can be assigned several roles.
– A role can be assigned to several users.

Page 25:

Role Based Access Control Description

[Diagram labels: Roles; Function Security Rules; Data Security Rules; Permissions; Responsibilities]

Page 26:

User Management Key Features

– Role Based Management
– Role Inheritance
– Self Service Registration
– Delegated User Management

Page 27:

Role Based Management

Page 28:

Registration Process Description

Types of Registration Processes
– Self Service Account Requests
– Requests for Additional Access
– Account Creation and Access Role Assignment by Administrators

Page 29:

Registration Process

Link generated using User Management’s registration link generator

Page 30:

Request Access

Page 31:

Delegated Administration

1. Create a role that represents a set of local administrators
2. Identify the subset of users the admin can manage and the administrative functions that can be performed on this user set
3. Identify the organizational relationships the admin can manage
4. Choose roles that the administrator can administer
5. Grant any other permissions if necessary
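The role model from pages 23 and 24 (grants attached to roles, hierarchical roles, users holding several roles) and the delegated-administration steps above, as one added Python example that is not Oracle's User Management code: a local-administrator role whose holders may assign only a chosen set of roles, and only to a chosen subset of users. Class and method names, the in-memory role hierarchy, and the sample role, user and permission names are assumptions made for the example.

```python
from collections import deque

class RoleModel:
    """Grants attach to roles (policy, rarely changes); users get role membership."""
    def __init__(self):
        self.parents = {}  # role -> roles it inherits grants from (role hierarchy)
        self.grants = {}   # role -> set of permissions
        self.members = {}  # role -> set of users assigned directly

    def add_role(self, role, inherits=()):
        self.parents[role] = set(inherits)
        self.grants[role] = set()
        self.members[role] = set()

    def grant(self, role, *perms):
        self.grants[role].update(perms)

    def assign(self, user, role):
        self.members[role].add(user)

    def roles_of(self, user):
        """Roles held directly plus every role reached through inheritance."""
        held = set()
        queue = deque(r for r, users in self.members.items() if user in users)
        while queue:
            role = queue.popleft()
            if role not in held:
                held.add(role)
                queue.extend(self.parents[role])
        return held

    def permissions_of(self, user):
        return set().union(*(self.grants[r] for r in self.roles_of(user)))

class DelegatedAdmin:
    """Steps 1 to 4 of the slide: holders of admin_role may assign only
    assignable_roles, and only to users in managed_users."""
    def __init__(self, model, admin_role, managed_users, assignable_roles):
        self.model, self.admin_role = model, admin_role
        self.managed_users, self.assignable_roles = set(managed_users), set(assignable_roles)

    def assign(self, admin, user, role):
        if self.admin_role not in self.model.roles_of(admin):
            raise PermissionError(f"{admin} does not hold {self.admin_role}")
        if user not in self.managed_users:
            raise PermissionError(f"{user} is outside the managed user set")
        if role not in self.assignable_roles:
            raise PermissionError(f"{role} is not administrable via {self.admin_role}")
        self.model.assign(user, role)
```

Because the security administrator sets grants once per role and the delegated administrator only changes membership, a change of policy is one edit to a role rather than one edit per user.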

Page 32:

Delegated Administration

Create Role

Page 33:

Delegated Administration

Page 34:

Delegated Administration

[Diagram labels: Org A; Org B; Partner Admin of Org A; Reseller of]

Page 35:

Delegated Administration: How to Setup this Feature

Page 36:

Resources

Page 37:

User Management Strategic Implementation Program

Ensure smooth implementations for new products
Requires willingness and commitment
Discuss with local applications sales team

Page 38:

Oracle Metalink Notes

Note 258281.1 – About User Management
Note 189367.1 – Security Best Practices
Note 287176.1 – DMZ Configuration

RBAC
http://csrc.nist.gov/rbac/rbac-std-ncits.pdf

Page 39:

Q&A: Questions and Answers

Page 40: