Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 18.1 E68585-02 May 2018
Copyright 2010, 2018, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government. This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle. 2
Contents Preface... 4 Audience... 4 Customer Support... 4 Documentation... 4 Revision History... 4 1 ecommerce Integration Cloud Service Security Overview... 5 Basic Security Considerations... 5 Overview of ecommerce Integration Cloud Service Security... 6 2 Implementing ecommerce Integration Cloud Service Security... 7 Data Encryption... 7 Database Security... 7 Automatic Key Encryption... 7 Delete Historical Data... 7 Purge Cardholder Data... 8 Scheduling a Purge Job on the Oracle 12c Database Server... 8 Purging Cardholder Data Manually... 8 Audit... 8 Using the Audit Trail Tracking Tool... 8 Searching for User Actions... 9 Purging the Audit Trail... 9 Logging... 9 Log Retention... 9 Appendix A Secure Deployment Checklist... 10 Contents 3
Audience Preface This document provides security reference and guidance for ecommerce Integration Cloud Service. This document is intended for: Customer Support Documentation Revision History System administrators installing ecommerce Integration Cloud Service. End users of ecommerce Integration Cloud Service. To contact Oracle Customer Support, access My Oracle Support at the following URL: https://support.oracle.com When contacting Customer Support, please provide the following: Product version and program/module name Functional and technical description of the problem (include business impact) Detailed step-by-step instructions to re-create Exact error message received and any associated log files Screen shots of each step you take Oracle Hospitality product documentation is available on the Oracle Help Center at http://docs.oracle.com/en/industries/hospitality/ Date Description of Change March 2018 Initial publication May 2018 Updated Chapters 1 and 2 4 Preface
1 ecommerce Integration Cloud Service Security Overview This chapter provides an overview of Oracle Hospitality ecommerce Integration Cloud Service security and explains the general principles of application security. Basic Security Considerations The following principles are fundamental to using any application securely: Keep software up to date. This includes the latest product release and any patches that apply to it. Monitor system activity. Establish who should access which system components, and how often, and monitor those components. Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements. Learn about and use the ecommerce Integration Cloud Service security features. See Implementing ecommerce Integration Cloud Service Security for more information. Keep up to date on security information. Oracle regularly issues securityrelated patch updates and security alerts. You must install all security patches as soon as possible. See the Critical Patch Updates and Security Alerts website: http://www.oracle.com/technetwork/topics/security/alerts-086861.html. Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security. ecommerce Integration Cloud Service Security Overview 5
Overview of ecommerce Integration Cloud Service Security The Oracle Hospitality ecommerce Integration Cloud Service contains several components deployed in the Oracle Hospitality Cloud. The application contains the main ordering application that communicates with the Oracle Database. The application runs through a web server to expose several web services that interact with client applications. PA-DSS validated applications should reference the application s PA-DSS 3.1 Implementation Guide, specifically Chapter 2: Executive Summary, sections including the Typical Network Implementation and the Credit/Debit Cardholder Dataflow Diagram to complete this section. 6 Preface
2 Implementing ecommerce Integration Cloud Service Security Data Encryption Database Security This chapter explains implementation of the Oracle Hospitality ecommerce Integration Cloud Service security features and how to maintain a secure environment. To keep the application secure, you must: Follow Oracle Database security recommendations Create and update user names and passwords Maintain automatic credit card key encryption Delete customer data Assign and manage Roles and Privileges Monitor user s activities in the Audit Log Data is transmitted via HTTPS and TLS 1.2 encryption is used by default for secure data communication. The database is encrypted using Transparent Data Encryption on all tablespaces. For more information about Transparent Data Encryption see https://docs.oracle.com/database/121/asoag/asopart1.htm#asoag600. See the Oracle Database Security Guide (located at https://docs.oracle.com/database/121/asoag/toc.htm) for more information about Oracle Database security. Automatic Key Encryption By default, the application uses automatic key encryption. Automatic key encryption rotates the encryption key each time the credit card data is encrypted. When the credit card encryption is requested, a new encryption key automatically generates to encrypt the data. After encryption is complete, the encryption key is not persisted anywhere and another new key generates when the next credit card data encryption request is received. In this way, the encryption key is automatically rotated with every new credit card data encryption request. The key is never stored in the database or on the hard disk, and there is no need for manual key rotation. As another layer of security, the encryption key is encrypted as well. Delete Historical Data The application never stores magnetic stripe data, card validation codes, PINs, or PIN blocks. Prior to using version 18.1, you must remove stored encrypted history using the purge utility in the System Administration Tools section of the application. Implementing ecommerce Integration Cloud Service Security 7
To instantly delete historical data: 1. Go to the System Administration Tools. 2. In the Client section, click the Clear ClientPassword button. Purge Cardholder Data You must purge cardholder data exceeding the merchant-defined retention period. To accomplish this function you must request hosting to schedule a purge job. Scheduling a Purge Job on the Oracle 12c Database Server If more than one database requires purging, you must schedule a purge job for each database. 1. Connect to the User Schema that requires purging of data. 2. Go to the Scheduler section and open the Jobs folder. 3. Select the Purge Payments job and name the task accordingly. 4. Schedule a job using the job window in the Job Details tab, and select When to Execute Job. Purging Cardholder Data Manually This option purges cardholder data for all customers. 1. Log in as the System Administrator and access the System Administration Tools. 2. Navigate to the Purge Payments section, and then select Purge to delete the data. Audit The Audit log uses a database table and log files to capture all activities for the current user, including making changes in the administration tools and tracking access to personal information (PI). All changes, additions, and deletions made in the administration tools are audited. Accessing, exporting, and changing PI is captured in the audit log. Users can view each action taken on the PI record, when it was updated, who made the changes, the action performed, and a description of the action. Using the Audit Trail Tracking Tool You can view system users and their actions using the Audit Trial Log. Follow the steps in the Oracle Hospitality ecommerce Integration Cloud Service Configuration Guide (Managing Roles and Privileges section) to assign Audit Trail privileges to a role. Assign Audit Trail privileges to the user with the client administrator role assigned on brand level only. Audit Trail Privileges View_EventLog_AuditTrail: Ability to search and view the Audit Trail tracking. Purge_EventLog_AuditTrail: Ability to delete Audit Trail entries. 8 Preface
Searching for User Actions When you use the Audit Trail Search feature with no filters applied, all users and all system activity results appear. The Audit Trail filters allow you to search using one or a combination of these options: Specific system user s actions Description of the change Module where a change occurred Starting date and ending date range Purging the Audit Trail You can purge the audit trail if you have the Purge_EventLog_AuditTrail privilege. Follow these steps: 1. In the System Administration Tools, navigate to Audit Trail Search. 2. Click the Purge tab. 3. Select the date from Purge Records Before, and then click Purge. A Purge Successful confirmation message will appear. Logging All Oracle Hospitality ecommerce Integration Cloud Service logs include the timestamp, current level, message level, zone, and thread Id. By default, application logs do not contain PI. Controllers do not have access to the application logs or to configuration. Oracle Support can provide logs upon request. By default, the log level is set to 0 (no PI logged). If the log level exceeds 2, the PI is logged. This configuration can be changed only for debugging purposes. After debugging, change the log level configuration back to 0. To provide application logs where PI is captured: 1. Navigate to the UISServices log location and locate LogZone_UISupportSer.txt. 2. Edit the file, which contains three lines represented by a number. The numbers correspond to these items in the following order: a. Number of logging zones b. Name of zone c. Log level 3. Change the Log level to 2 and save the file. Log Retention File system logs are retained for 90 days by default. The number of days is configurable in the web.config file of UISupportService and Tools. The application automatically deletes log files that are older than the configured number of days. web.config configuration: <add key="maxlogretentiondays" value="90"/> Implementing ecommerce Integration Cloud Service Security 9
Appendix A Secure Deployment Checklist This appendix lists actions you must perform to deploy a secure system. The following security checklist includes guidelines that help secure your database: Install only what is required. Lock and expire default user accounts. Enforce password management. Enable data dictionary protection. Practice the principle of least privilege. o Grant necessary privileges only. o Revoke unnecessary privileges from the PUBLIC user group. o Restrict permissions on run-time facilities. Enforce access controls effectively and authenticate clients stringently. Restrict network access. Apply all security patches and workarounds. o Use a firewall. o Never poke a hole through a firewall. o Protect the Oracle listener. o Monitor listener activity. o Monitor who accesses your systems. o Check network IP addresses. o Encrypt network traffic. o Harden the operating system. A-10 Implementing ecommerce Integration Cloud Service Security