Security Enhancements in Informatica 9.6.x


1993-2016 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All other company and product names may be trade names or trademarks of their respective owners and/or copyrighted materials of such owners.

Abstract

The following article provides an overview of the security enhancements Informatica made to its products in version 9.6.x.

Supported Versions

- Informatica 9.6.x

Table of Contents

- Overview
- Secure Communication for the Informatica Domain
  - Support for Secure Communication
  - Keystores and Truststores
- Kerberos Authentication
- Web Client Security
- Data Storage
- Informatica Files
- Passwords
- Analyst Tool and Developer Tool Access
- Administrator Accounts
- Domain Audit Reports
- Apache Tomcat

Overview

In version 9.6.x, Informatica took steps to improve the security of its products in the following areas:

- Secure communication for the Informatica domain
- Kerberos authentication
- Web client security
- Informatica files
- Data storage
- Passwords
- Analyst tool and Developer tool access
- Administrator accounts
- Domain audit reports
- Apache Tomcat

Secure Communication for the Informatica Domain

If a program transmits data over a network without using a secure channel, an attacker can see the data in plain text. Such channels are susceptible to a man-in-the-middle attack that compromises the confidentiality and integrity of the data. When secure communication is enabled, data and metadata transmitted over the network are protected: even if an attacker eavesdrops on the network, the attacker cannot make sense of the data because it is encrypted.

To improve secure communication between services in the Informatica domain, Informatica addressed the following areas in version 9.6.0:

- Secure communication for more components of the domain
- Keystores and truststores

Support for Secure Communication

Versions Earlier Than 9.6.0

Informatica supports secure communication for the following connections:

- Browser connections to web application services
- Web client connections to the Web Services Hub
- Any connection that uses JavaServer Faces (JSF)

Effective in Version 9.6.0

Informatica supports secure communication for the following connections:

- Browser connections to web application services
- Web client connections to the Web Services Hub
- Any connection that uses JavaServer Faces (JSF)
- Between the Informatica domain and PowerCenter services
- Between PowerCenter services
- Between the PowerCenter client and services
- Between the Informatica domain and the repository
- Between PowerCenter Workflow processes

Additionally, Informatica certified SSL for the following native connectors for relational sources and targets: Oracle, DB2, and SQL Server. You can enable secure communication for the whole domain, for a service, or for a connection object.

Keystores and Truststores

Versions Earlier Than 9.6.0

Many Informatica customers use the default keystores and truststores that Informatica ships with its products. All Informatica installations share the default keystores, truststores, and their associated keys. Therefore, anyone with access to an Informatica installer has access to the private key, and an attacker with access to the private key could compromise the security of the domain.

Effective in Version 9.6.0

Informatica supports custom keystores and truststores for secure communication in the domain. Informatica strongly recommends that customers use custom-generated keystores and truststores.

Kerberos Authentication

Effective in version 9.6.0, Informatica added support for Kerberos authentication and single sign-on. Kerberos is an industry-standard protocol that provides secure authentication between clients, nodes, and services. It enables centralized access control and single sign-on for several Informatica clients, such as the Administrator tool and the Analyst tool. Additionally, Kerberos authentication is supported for native relational connections to the following databases: Oracle, DB2, SQL Server, and Sybase.

Web Client Security

Effective in version 9.6.0, Informatica tests the security of the Administrator tool and Analyst tool against the Open Web Application Security Project (OWASP) Application Security Verification Standard. Effective in version 9.6.1, Informatica also tests the security of Metadata Manager against OWASP standards. As a result of this testing, Informatica addressed multiple security issues, including the OWASP Top 10 2013 vulnerabilities. For more information about the OWASP Top 10, see https://www.owasp.org/index.php/top_10. OWASP publishes the Top 10 every three years; 2013 is the most recent list, and the 2010 and 2007 lists are also available at the above link.

Data Storage

A generic encryption key secures sensitive data stored in the domain and repository, as well as XML files on nodes in the domain. Anyone with the encryption key can decrypt the data, and this key ships with all Informatica products. Informatica made the following changes to address this issue:

- Each Informatica installation generates a unique encryption key. This ensures that sensitive data in the domain can be decrypted only by users who have access to that installation's unique key.
- Access to the XML files is restricted based on operating system permissions and privileges. This ensures that access to the files is controlled.

Informatica Files

Any user who can log in to a machine where the Informatica server is installed has access to the following sensitive files:

- nodemeta.xml
- Encryption keys
- Keytab files
- Keystores
- Truststores

Access to these files is now restricted based on operating system permissions and privileges. Because access to these files is limited, the sensitive information they contain is protected.

Passwords

In some instances, passwords were handled insecurely within client applications. Additionally, there were instances where passwords were unnecessarily transmitted from the server to the client and then stored by the client. Informatica made design changes to PowerCenter that prevent passwords from being sent from the server to the client or being stored within client applications.

Analyst Tool and Developer Tool Access

Previously, fine-grained privileges could not be specified for the Model Repository Service: any user could log in to the Analyst tool or Developer tool and access the available Model Repository Service instances. Informatica added fine-grained privileges to the Model Repository Service, and users now require additional privileges to log in to the Analyst tool or Developer tool.

Administrator Accounts

The account lockout introduced in version 9.5.0 did not apply to the default administrator account. This limitation allowed an attacker to attempt a brute-force attack to guess the default administrator's password and gain access to Informatica applications. In addition, the default administrator account belongs to all groups and has all available permissions, privileges, and roles, so creating additional administrator accounts required manually assigning permissions, privileges, groups, and roles.

Informatica took the following steps to address the issue:

- Added a lockout for the default administrator account.
- Added support for an Administrator group.

Because the default administrator account is now subject to lockout, the threat of brute-force attacks on the account is mitigated. If the account is locked out, Informatica provides a secure way to unlock it. Additionally, the Administrator group makes it easier to assign administrator permissions, privileges, groups, and roles to users.
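As an added check for the Informatica Files section above (this is not an Informatica tool), the following POSIX shell script reports which of the sensitive files the article lists are readable by group or others on a node; the directory, the file names other than nodemeta.xml, and the demo files are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: audit OS permissions on the sensitive node files the article
# lists (nodemeta.xml, encryption keys, keytabs, keystores, truststores).
# Not an Informatica tool; file names other than nodemeta.xml are assumed,
# and the directory layout of a real install may differ.

# Print the 10-character mode string of a file (e.g. -rw-------).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only when no group or other permission bits are set.
owner_only() {
    case "$(file_mode "$1")" in
        ????------) return 0 ;;
        *)          return 1 ;;
    esac
}

# List every sensitive file under $1 that is readable by group or others.
# Output: one "MODE PATH" line per finding, suitable for a ticket or a SIEM.
list_exposed_files() {
    dir=$1
    for f in "$dir"/nodemeta.xml "$dir"/*.key "$dir"/*.keytab \
             "$dir"/*keystore* "$dir"/*truststore*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal; skip it
        owner_only "$f" || printf '%s %s\n' "$(file_mode "$f")" "$f"
    done | sort -u                   # a file matching two globs is listed once
}

# Number of findings, usable as a pass/fail gate in a hardening check.
count_exposed_files() {
    list_exposed_files "$1" | wc -l | tr -d ' '
}

# Constructed demo: a scratch "node" with one locked-down file and two exposed ones.
demo_dir=$(mktemp -d)
umask 022
: > "$demo_dir/nodemeta.xml";        chmod 600 "$demo_dir/nodemeta.xml"
: > "$demo_dir/domain_keystore.jks"; chmod 644 "$demo_dir/domain_keystore.jks"  # world-readable
: > "$demo_dir/node.keytab";         chmod 640 "$demo_dir/node.keytab"          # group-readable
list_exposed_files "$demo_dir"
rm -rf "$demo_dir"
```

Run it as the user that owns the Informatica installation and point it at the node's configuration directory; every line it prints is a file that the operating system still lets other accounts read.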

Domain Audit Reports

In version 9.6.0, Informatica added support for domain audit reports. A user with the Security privilege can generate an audit report that includes the following user information:

- General information, such as user ID, name, and contact information
- Groups assigned to users
- Roles assigned to users
- Privileges assigned to users
- Object permissions assigned to users

Apache Tomcat

Earlier versions of Informatica use an older release of Tomcat that may be vulnerable to security issues addressed in later Tomcat releases. Effective in version 9.5.1, Informatica supports Tomcat 7.x. For more information about Informatica support for Tomcat 7.x, see the following statement of support: https://kb.informatica.com/proddocs/pam%20and%20eol/1/informatica%20support%20statement%20for%20Apache%20Tomcat%20Patches%20for%209%205%201%20(v1.0).pdf

Informatica is committed to updating the version of Tomcat shipped with its products to mitigate the potential for attacks. To ensure that your Informatica installation uses an up-to-date version of Tomcat, upgrade to the latest version of Informatica. For example, effective in version 9.6.1 HotFix 1, Informatica uses Apache Tomcat 7.0.55.0, which addresses the vulnerability described in CVE-2014-0227. For a list of vulnerabilities addressed in Tomcat 7.x, see the following information from Apache: http://tomcat.apache.org/security-7.html#apache_tomcat_7.x_vulnerabilities

Author

Abhishek Devendraiah, Senior Software Security Engineer
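As an added check for the Apache Tomcat section (not Informatica's or Apache's own tooling), the following POSIX shell script reads the version string Tomcat records in its ServerInfo.properties and compares it with 7.0.55, the release the article cites as addressing CVE-2014-0227; the location of that properties file on a node is an assumption, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: check that the Tomcat bundled with a node is at least the
# release the article names as fixing CVE-2014-0227 (7.0.55).
# Tomcat records its version in org/apache/catalina/util/ServerInfo.properties
# inside lib/catalina.jar; where a copy of that file lives is an assumption.

MIN_TOMCAT=7.0.55   # first 7.x release the article cites for CVE-2014-0227

# Extract "server.number=7.0.55.0" -> "7.0.55.0" from a ServerInfo.properties file.
tomcat_version_from_props() {
    sed -n 's/^server\.number=//p' "$1" | head -n 1
}

# Succeed when dotted version $1 >= dotted version $2, compared component-wise
# as integers (missing trailing components count as 0).
version_at_least() {
    have=$1.0.0.0; want=$2.0.0.0
    i=1
    while [ $i -le 4 ]; do
        h=$(echo "$have" | cut -d. -f$i); w=$(echo "$want" | cut -d. -f$i)
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Print "OK <version>" (exit 0), "UPGRADE <version>" (exit 1) or "UNKNOWN" (exit 2).
tomcat_cve_2014_0227_status() {
    v=$(tomcat_version_from_props "$1")
    [ -n "$v" ] || { echo "UNKNOWN"; return 2; }
    if version_at_least "$v" "$MIN_TOMCAT"; then
        echo "OK $v"
    else
        echo "UPGRADE $v"; return 1
    fi
}

# Constructed sample properties file mimicking an older bundled Tomcat.
props=$(mktemp)
printf 'server.info=Apache Tomcat/7.0.52\nserver.number=7.0.52.0\n' > "$props"
tomcat_cve_2014_0227_status "$props"
rm -f "$props"
```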