Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.
-
Upload
ilene-chambers -
Category
Documents
-
view
213 -
download
0
Transcript of Brent Mosher Senior Sales Consultant Applications Technology Oracle Corporation.
Brent MosherSenior Sales ConsultantApplications TechnologyOracle Corporation
Oracle E-Business SuiteSecurity Management
Agenda
Security Guidelines Secure Architectures 11i.10 User Management Questions and Answers
SecuritySecurityGuidelineGuideline
ss
Security Policy
Authentication
Authorization
Auditing
Not just for the
paranoid any more!
Not just for the
paranoid any more!
Patching
Security Alerts– Oracle Quarterly Critical Patch Update (CPU)
Middle of January, April, July, October Covers all Oracle products http://www.oracle.com/technology/deploy/security
– Also monitor alerts for your Hardware platform. Operating System Java Management tools, …
11i Security Best Practices
MetaLink article 189367.1– Maintained continuously, check periodically for
updated advice (see change log) Major document update released 12/06/2004
– Assumes current patch level 11.5.9 + Recommended Patch Level or 11.5.10
– Most advice is now automated via latest AutoConfig and OAM
Oracle Database
Get to recommended database: 9.2.0.5+ Harden the database and server machine… Check privileges on APPLSYSPUB/PUB
– $FND_TOP/patch/115/sql/afpub.sql Change default passwords for Apps accounts
– Listed in FND_ORACLE_USERID– Use FNDCPASS
Oracle Database
Do not expose APPS password– Create alternate accounts
Named accounts per human/system Limited grants to APPS, according to role
Audit changes to database security and setup– Heavy auditing on human accounts, less on APPS– Restrict access to audit information
OAM Trusted Host Registration
OAM Security Dashboard
OAM Page Flow Logging
SecureSecureArchitectArchitect
uresures
Application Server
Use SSL (HTTPS) for Web Listener– Recommended for internal use as well– New SSL Setup wizard in OAM 11.5.10– Manual Setup: Metalink 123718.1, 277574.1– Performance considerations
mod_ssl: about 15% increase in CPU load Hardware accelerators now supported
OAM SSL Configuration Wizard
External Server Security
External Server
Internal Server
External PC
Internal PC
Control which responsibilities are externally available. Users accessing from outside your firewall will see a restricted set of Responsibilities in the Navigator.
External Server Security
Mark External Servers– Node Trust Level (Server Profile Option)
Set to "External" for externally facing servers Set to "Normal" at Site level
Mark Externally available Responsibilities– Responsibility Trust Level (Profile Option)
Set to "External" for externally available resps Set to "Normal" at Site level'
External access restricted by security system
DMZ Reverse Proxy (future)
Relays valid requests to Application Server– Apache or WebCache
No Applications Code on this tier
– URL filtering limits access to specific pages External product teams will supply URL patterns Mitigates the "unnecessary code" problem
Certification in progress– Look for white paper in process note 287176.1
E-Business Suite Configuration
Harden EBS Security Setup– Check GUEST user privileges– Review access to powerful forms (Security, SQL)– Check settings of critical profile options– Enable Auditing
Sign-on Audit at the "Form" level Audit Trail for key security tables
11i.1011i.10UserUser
ManagemManagementent
11i Basic Security
Responsibility User– Menu(s)
Function(s)
Resp
Resp
Resp
Resp
Resp
New Model: User Management
Optional 11i.10 permission repository– Full registry of what is available– Administration at the business level
Roles simplify administration– Grants to Roles represent policy, rarely change– Hierarchical Roles reuse common setup
Allows for delegated administration– Security Administrator defines Role Permissions– Role Administrators manage Role Membership
Role Based Access Control
– A Role is the actions and activities assigned to a person or group.
– A role can be modeled using Responsibilities Permissions Function Security Policies Data Security Policies
– A user can be assigned several roles.– A role can be assigned to several users.
Role Based Access Control Description
Roles
Function
Security Rules
Data Security
Rules
Permissions Responsibilities
User Management Key Features
– Role Based Management– Role Inheritance– Self Service Registration– Delegated User Management
Role Based Role Based ManagementManagement
Registration ProcessDescription
Types of Registration Processes– Self Service Account Requests– Requests for Additional Access – Account Creation and Access Role
Assignment by Administrators
Registration Process
Link generated using User Management’s registration
link generator
Link generated using User Management’s registration
link generator
Request Access
Delegated Administration
1. Create a role that that represents a set of local administrators
2. Identify the subset of users the admin can manage and the administrative functions that can performed on this user set
3. Identify the organizational relationships the admin can manage
4. Choose roles that the administrator can administer
5. Grant any other permissions if necessary
Delegated Administration
Create Role
Delegated Administration
Delegated Administration
Org A
Org BPartner Admin
Of Org A
Reseller of
Delegated AdministrationHow to Setup this Feature
ResourceResourcess
User Management Strategic Implementation Program
Ensure smooth implementations for new products
Requires willingness and commitment Discuss with local applications sales team
Oracle Metalink Notes
Note 258281.1 - About User Management Note 189367.1 – Security Best Practices Note 287176.1 – DMZ Configuration RBAC
http://csrc.nist.gov/rbac/rbac-std-ncits.pdf
AQ&Q U E S T I O N SQ U E S T I O N S
A N S W E R SA N S W E R S