TIPS AND TRICKS: SECURITY
Johan Olivier
Desktop JRE versions - Back office application

- Integrator 3 (FMW Forms 11gR2): JRE 1.6 and 1.7. Upgrade to JRE 1.8; the server must be on Java patch level 1.7.
- Integrator 4.1 (FMW Forms 12c): JRE 1.8.
- A JRE upgrade guide is obtainable from Adapt IT.
Secure certificates

Apache proxy SSL certificates
- Keep track of expiry dates.
- Both server and domain certificates can be used on 4.1.

JAR signing certificates
- Adapt IT provides this at application level.
- Plan for the downtime required when a new certificate becomes available. Adapt IT will notify in advance.
- The newly signed jars will replace the current jars on the test and production servers.

Signer certificate:
X.509, CN=ADAPTIT, OU=DBA, O=ADAPTIT, L=DURBAN NORTH, ST=KWAZULU-NATAL, C=ZA
[certificate is valid from 5/16/17 2:00 AM to 8/15/20 1:59 AM] (expires 15 August 2020)
X.509, CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
[certificate is valid from 12/10/13 2:00 AM to 12/10/23 1:59 AM]
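Keeping track of expiry dates can be automated. The following Python script is an added example, not part of the Adapt IT slides: it parses the signer chain in the format printed by `jarsigner -verify -verbose -certs` (the format shown above) and flags certificates that are expired or within a warning window. The embedded report is constructed from the two certificates on the slide, and the 90-day warning window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the signer chain for the Integrator jars as printed by
# `jarsigner -verify -verbose -certs`, copied from the slide on JAR signing certificates.
SAMPLE_REPORT = """\
X.509, CN=ADAPTIT, OU=DBA, O=ADAPTIT, L=DURBAN NORTH, ST=KWAZULU-NATAL, C=ZA
[certificate is valid from 5/16/17 2:00 AM to 8/15/20 1:59 AM]
X.509, CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
[certificate is valid from 12/10/13 2:00 AM to 12/10/23 1:59 AM]
"""

SUBJECT_RE = re.compile(r"^X\.509,\s*(?P<dn>.+)$")
VALIDITY_RE = re.compile(r"^\[certificate is valid from (?P<start>.+?) to (?P<end>.+?)\]$")
DATE_FMT = "%m/%d/%y %I:%M %p"  # jarsigner's US-locale timestamp, e.g. 8/15/20 1:59 AM


def parse_report(text):
    """Pair each X.509 subject line with the validity line printed under it."""
    certs, subject = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group("dn")
            continue
        m = VALIDITY_RE.match(line)
        if m and subject is not None:
            certs.append({"subject": subject,
                          "not_before": datetime.strptime(m.group("start"), DATE_FMT),
                          "not_after": datetime.strptime(m.group("end"), DATE_FMT)})
            subject = None
    return certs


def expiry_status(certs, now, warn_days=90):
    """Return (CN, days_left, status) per cert; status is EXPIRED, EXPIRING or OK."""
    results = []
    for c in certs:
        days_left = (c["not_after"] - now).days
        status = "EXPIRED" if days_left < 0 else "EXPIRING" if days_left <= warn_days else "OK"
        cn = c["subject"].split(",")[0]  # e.g. "CN=ADAPTIT"
        results.append((cn, days_left, status))
    return results


if __name__ == "__main__":
    # Run against today's date; schedule this alongside the Apache SSL certificate check.
    for cn, days, status in expiry_status(parse_report(SAMPLE_REPORT), datetime.now()):
        print(f"{status:9} {days:6d} days left  {cn}")
```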
Basic Architecture
Security overview

The Integrator product is built on the underlying Oracle software stack, which allows Adapt IT to leverage all the security features offered by Oracle. Note that the level of security features enabled may require additional licensing of Oracle base products; it is therefore the system owner's choice whether to enable additional features. The latest operating system security features can be enabled to control access. The standard infrastructure setup makes use of proxy and firewall features and secure certificates.
Security overview

Authentication
- A password policy is required at operating system level, database level and application level.
- Password authentication at application level uses Oracle Internet Directory services.

Session validation
- Application rules apply to privileges defined at database and application level, including update/delete and view/select privileges.
- These can be enhanced with Oracle data masking, which allows privileged owners to view and change data of a sensitive nature.

OWASP (Open Web Application Security Project) vulnerability protection
- Numerous vulnerability scanning tools, both commercial and open source, are available to detect vulnerabilities: https://www.owasp.org/index.php/category:vulnerability_scanning_tools
Security overview

Secure data transmission
- In addition to SSL infrastructure security, data can be encrypted at database level.

Audit logs
- Standard ITS application audit logs are enabled.
- System owners can enable additional audit logs of their own definition.
- In addition, database audit features can be enabled to make use of the 12c unified audit features.
Access policies

Passwords
- Enforce the password policy determined by the institution at all levels.
- Enable the OS password change policy, including password strength.
- Enable the DB password policy.
- Change the administration console passwords.
- Standard policy rules include these minimum requirements: a minimum of 8 characters, which must include one uppercase character and one special character.

Audit logs
- Please note that any audit features have to be maintained by the system owners.
Disclaimer

The information, comments and material presented in this presentation are provided for information purposes only. The presentation does not address all possible technical or business aspects and does not claim to be complete or exhaustive. Adapt IT reserves the right to change its business or product development plans as circumstances dictate. This document may not be reproduced or distributed without the written permission of Adapt IT (Pty) Ltd.
THANK YOU

Johan Olivier, Database Administrator: johan.olivier@adaptit.co.za