
Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 4.2 E96343-01 May 2018

Copyright 2010, 2018, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface
  Audience
  Customer Support
  Documentation
  Revision History
1 ecommerce Integration Cloud Service Security Overview
  Basic Security Considerations
  Overview of ecommerce Integration Cloud Service Security
2 Implementing ecommerce Integration Cloud Service Security
  Data Encryption
  Database Security
  Automatic Key Encryption
  Delete Historical Data
  Purge Cardholder Data
    Scheduling a Purge Job on the Microsoft SQL Database Server
    Purging Cardholder Data Manually
  Audit
    Using the Audit Trail Tracking Tool
    Searching for User Actions
    Audit Purge
  Logging
Appendix A Secure Deployment Checklist

Preface

This document provides security reference and guidance for ecommerce Integration Cloud Service.

Audience

This document is intended for:
- System administrators installing ecommerce Integration Cloud Service.
- End users of ecommerce Integration Cloud Service.

Customer Support

To contact Oracle Customer Support, access My Oracle Support at the following URL: https://support.oracle.com

When contacting Customer Support, please provide the following:
- Product version and program/module name
- Functional and technical description of the problem (include business impact)
- Detailed step-by-step instructions to re-create
- Exact error message received and any associated log files
- Screen shots of each step you take

Documentation

Oracle Hospitality product documentation is available on the Oracle Help Center at http://docs.oracle.com/en/industries/hospitality/

Revision History

Date        Description of Change
May 2018    Initial publication

1 ecommerce Integration Cloud Service Security Overview

This chapter provides an overview of Oracle Hospitality ecommerce Integration Cloud Service security and explains the general principles of application security.

Basic Security Considerations

The following principles are fundamental to using any application securely:
- Keep software up to date. This includes the latest product release and any patches that apply to it.
- Monitor system activity. Establish who should access which system components, and how often, and monitor those components.
- Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.
- Install software securely. For example, use firewalls, secure protocols using TLS (SSL), and secure passwords.
- Learn about and use the ecommerce Integration Cloud Service security features. See Implementing ecommerce Integration Cloud Service Security for more information.
- Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the Critical Patch Updates and Security Alerts website: http://www.oracle.com/technetwork/topics/security/alerts-086861.html.
- Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security.

Overview of ecommerce Integration Cloud Service Security

The Oracle Hospitality ecommerce Integration Cloud Service contains several components deployed in the Oracle Hospitality Cloud. The application contains the main ordering application that communicates with the Microsoft SQL database. The application runs through a web server to expose several web services that interact with client applications.

2 Implementing ecommerce Integration Cloud Service Security

This chapter explains implementation of the Oracle Hospitality ecommerce Integration Cloud Service security features and how to maintain a secure environment. To keep the application secure, you must:
- Create and update user names and passwords
- Maintain automatic credit card key encryption
- Delete customer data
- Assign and manage Roles and Privileges
- Monitor user's activities in the Audit Log

Data Encryption

Data is transmitted via HTTPS, and TLS 1.2 encryption is used by default for secure data communication.

Database Security

See the Microsoft SQL Server Security Best Practices Whitepaper (located at https://social.msdn.microsoft.com/search/en-US?query=Best%20Practices%20Whitepaper) for more information about Microsoft SQL Server security.

Automatic Key Encryption

By default, the application uses automatic key encryption. Automatic key encryption rotates the encryption key each time the credit card data is encrypted. When credit card encryption is requested, a new encryption key is automatically generated to encrypt the data. After encryption is complete, the encryption key is not persisted anywhere, and another new key is generated when the next credit card data encryption request is received. In this way, the encryption key is automatically rotated with every new credit card data encryption request. The key is never stored in the database or on the hard disk, and there is no need for manual key rotation. As another layer of security, the encryption key is encrypted as well.

Delete Historical Data

The application never stores magnetic stripe data, card validation codes, PINs, or PIN blocks. You must remove stored encrypted history using the purge utility in the System Administration Tools section of the application. To instantly delete historical data:
1. Go to the System Administration Tools.
2. In the Client section, click the ClientPassword button.
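The per-request key generation and the encryption of the key itself described under Automatic Key Encryption are the envelope-encryption pattern: a fresh data key per value, wrapped under a separately held key-encryption key (KEK). The Go program below is an added example written for the reader of this guide, not code from the product, and it does not describe the product's internals. It assumes AES-256-GCM for both layers and the common layout in which the wrapped data key is kept beside the ciphertext (the guide does not say where the product keeps its encrypted key); the KEK, the record layout and the test card number are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is the stored form of one encrypted card value. Its data key is
// present only in wrapped form; the plaintext key is never kept. Keeping
// the wrapped key beside the ciphertext is this example's assumption.
type Record struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, dek)
	Ciphertext []byte // nonce || AES-GCM(dek, card data)
}

// seal encrypts plaintext under a 32-byte key with AES-256-GCM and returns
// nonce || ciphertext || tag, using a fresh random nonce on every call.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or altered bytes fail authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// EncryptCard draws a new 256-bit data key for this one request, encrypts the
// card data with it, wraps the key under kek and then wipes the plaintext key,
// so each request is encrypted under a different key with no manual rotation.
func EncryptCard(kek, cardData []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	defer func() { // best-effort wipe; Go makes no guarantee about copies
		for i := range dek {
			dek[i] = 0
		}
	}()
	ct, err := seal(dek, cardData)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptCard unwraps the record's data key with kek, then decrypts the card data.
func DecryptCard(kek []byte, r Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext)
}

func main() {
	kek := make([]byte, 32) // held in a KMS or HSM in practice, never beside the data
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed test card number
	r1, _ := EncryptCard(kek, pan)
	r2, _ := EncryptCard(kek, pan)
	fmt.Println("different key per request:", !bytes.Equal(r1.WrappedDEK, r2.WrappedDEK))
	got, err := DecryptCard(kek, r1)
	fmt.Println("round trip:", err == nil && bytes.Equal(got, pan))
}
```

Encrypting the same card number twice yields two different wrapped keys and two different ciphertexts, which is the observable effect of the per-request rotation the guide describes; the only long-lived secret is the KEK, which is why it must be kept apart from the database.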

Purge Cardholder Data

You must purge cardholder data exceeding the merchant-defined retention period. To accomplish this function you must request hosting to schedule a purge job.

Scheduling a Purge Job on the Microsoft SQL Database Server

If more than one database requires purging, you must schedule a purge job for each database.
1. Open Microsoft SQL Server Management Studio on the server.
2. Go to the SQL Server Agent section and open the Jobs folder.
3. Select the Purge Payments job and name the task accordingly.
4. Select a page header on the left, select the Schedules page, and then add the date and time for the desired cardholder data purge schedule to run.

Purging Cardholder Data Manually

This option purges cardholder data for all customers.
1. Log in as the System Administrator and access the System Administration Tools.
2. Navigate to the Purge Payments section, and then select Purge to delete the data.

Audit

The Audit log uses a database table and log files to capture all activities for the current user, including making changes in the administration tools and tracking access to personal information (PI). All changes, additions, and deletions made in the administration tools are audited. Accessing, exporting, and changing PI is captured in the audit log. Users can view each action taken on the PI record, when it was updated, who made the changes, the action performed, and a description of the action.

Using the Audit Trail Tracking Tool

You can view system users and their actions using the Audit Trail Log. Follow the steps in the Oracle Hospitality ecommerce Integration Cloud Service Configuration Guide (Managing Roles and Privileges section) to assign Audit Trail privileges to a role. Assign Audit Trail privileges to the user with the client administrator role assigned on brand level only.

Audit Trail Privileges
- View_EventLog_AuditTrail: Ability to search and view the Audit Trail tracking.
- Purge_EventLog_AuditTrail: Ability to delete Audit Trail entries.
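The Purge Cardholder Data section above requires removing encrypted cardholder records older than the merchant-defined retention period, with one job per database. The Go program below is an added example of that retention rule, not the product's Purge Payments job (which runs in SQL Server Agent); the record layout, database names, dates and the 90-day retention period are constructed for illustration. It also shows the boundary choice a job like this has to make explicit: a record stored exactly one retention period ago is kept, anything older is removed.

```go
package main

import (
	"fmt"
	"time"
)

// StoredPayment is a constructed stand-in for one encrypted cardholder-data
// record; only the fields the retention rule needs are modelled.
type StoredPayment struct {
	ID       int
	Customer string
	StoredAt time.Time
}

// ExpiredIDs lists the records stored for longer than the merchant-defined
// retention period as of now. A record stored exactly retention ago is kept.
func ExpiredIDs(records []StoredPayment, retention time.Duration, now time.Time) []int {
	cutoff := now.Add(-retention)
	ids := []int{}
	for _, r := range records {
		if r.StoredAt.Before(cutoff) {
			ids = append(ids, r.ID)
		}
	}
	return ids
}

// Purge returns the records still within the retention period and the
// number removed.
func Purge(records []StoredPayment, retention time.Duration, now time.Time) ([]StoredPayment, int) {
	cutoff := now.Add(-retention)
	kept := make([]StoredPayment, 0, len(records))
	for _, r := range records {
		if !r.StoredAt.Before(cutoff) {
			kept = append(kept, r)
		}
	}
	return kept, len(records) - len(kept)
}

// PurgeAll runs the purge once per database, mirroring the guide's note that
// each database needing a purge gets its own job. It replaces each database's
// record set with the survivors and returns the removed count by database.
func PurgeAll(dbs map[string][]StoredPayment, retention time.Duration, now time.Time) map[string]int {
	removed := make(map[string]int, len(dbs))
	for name, records := range dbs {
		kept, n := Purge(records, retention, now)
		dbs[name] = kept
		removed[name] = n
	}
	return removed
}

func main() {
	now := time.Date(2018, time.May, 15, 0, 0, 0, 0, time.UTC) // constructed run date
	day := 24 * time.Hour
	// Constructed sample data for two databases.
	dbs := map[string][]StoredPayment{
		"brand_a": {
			{ID: 1, Customer: "cust-100", StoredAt: now.Add(-120 * day)},
			{ID: 2, Customer: "cust-101", StoredAt: now.Add(-10 * day)},
		},
		"brand_b": {
			{ID: 3, Customer: "cust-200", StoredAt: now.Add(-90 * day)},
			{ID: 4, Customer: "cust-201", StoredAt: now.Add(-91 * day)},
		},
	}
	removed := PurgeAll(dbs, 90*day, now)
	fmt.Println("removed per database:", removed)
	fmt.Println("remaining:", len(dbs["brand_a"]), len(dbs["brand_b"]))
}
```

With a 90-day retention period the run above removes one record from each database (IDs 1 and 4); ID 3, stored exactly 90 days earlier, survives until the next run.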
Searching for User Actions

When you use the Audit Trail Search feature with no filters applied, all users and all system activity results appear. The Audit Trail filters allow you to search using one or a combination of these options:
- Specific system user's actions

- Description of the change
- Module where a change occurred
- Starting date and ending date range

Audit Purge

You can purge the audit trail if you have the Purge_EventLog_AuditTrail privilege. Follow these steps:
1. In the System Administration Tools, navigate to Audit Trail Search.
2. Click the Purge tab.
3. Select the date from Purge Records Before, and then click Purge. A Purge Successful confirmation message will appear.

Logging

All Oracle Hospitality ecommerce Integration Cloud Service logs include the timestamp, current level, message level, zone, and thread Id. By default, application logs do not contain PI. Controllers do not have access to the application logs or to configuration. Oracle Support can provide logs upon request.

By default, the log level is set to 0 (no PI logged). If the log level exceeds 2, the PI is logged. This configuration can be changed only for debugging purposes. After debugging, change the log level configuration back to 0.

To provide application logs where PI is captured:
1. Navigate to the UISServices log location and locate LogZone_UISupportSer.txt.
2. Edit the file, which contains three lines represented by a number. The numbers correspond to these items in the following order:
   a. Number of logging zones
   b. Name of zone
   c. Log level
3. Change the Log level to 2 and save the file.
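The logging procedure above turns PI capture on by editing a three-line file and relies on an administrator remembering to set the level back to 0 afterwards. As an added example, not the product's code, the Go program below parses that three-line layout (number of zones, zone name, log level), rates the configured level against the rule the guide states (0 is the default with no PI logged; above 2, PI is logged), and renders the file with the level reset to 0 for the post-debugging step, so the check can be run over the file after a support session. The real file is LogZone_UISupportSer.txt as named in the guide; treating the count and level as base-10 integers and the name as free text, and the sample content with the zone name SupportZone, are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// LogZoneConfig holds the three values the guide says the log zone file
// carries, one per line: number of logging zones, zone name, log level.
type LogZoneConfig struct {
	ZoneCount int
	ZoneName  string
	LogLevel  int
}

// ParseLogZoneConfig reads the three-line file content. Treating the count
// and level as base-10 integers and the name as free text is an assumption.
func ParseLogZoneConfig(content string) (LogZoneConfig, error) {
	text := strings.TrimSpace(strings.ReplaceAll(content, "\r\n", "\n"))
	lines := strings.Split(text, "\n")
	if len(lines) != 3 {
		return LogZoneConfig{}, fmt.Errorf("expected 3 lines, got %d", len(lines))
	}
	count, err := strconv.Atoi(strings.TrimSpace(lines[0]))
	if err != nil {
		return LogZoneConfig{}, fmt.Errorf("line 1 (zone count): %w", err)
	}
	level, err := strconv.Atoi(strings.TrimSpace(lines[2]))
	if err != nil {
		return LogZoneConfig{}, fmt.Errorf("line 3 (log level): %w", err)
	}
	return LogZoneConfig{ZoneCount: count, ZoneName: strings.TrimSpace(lines[1]), LogLevel: level}, nil
}

// Render writes the config back in the same three-line layout.
func Render(cfg LogZoneConfig) string {
	return fmt.Sprintf("%d\n%s\n%d\n", cfg.ZoneCount, cfg.ZoneName, cfg.LogLevel)
}

// Finding is the result of checking a log level against the guide's rule:
// 0 is the default and logs no PI; above 2, PI is written to the logs.
type Finding struct {
	Severity string // "ok", "warn" or "critical"
	Message  string
}

// AssessLogLevel classifies the configured level. Anything above 0 is
// non-default and should only exist during a debugging session.
func AssessLogLevel(cfg LogZoneConfig) Finding {
	switch {
	case cfg.LogLevel <= 0:
		return Finding{Severity: "ok", Message: fmt.Sprintf("zone %q at default level 0: no PI logged", cfg.ZoneName)}
	case cfg.LogLevel <= 2:
		return Finding{Severity: "warn", Message: fmt.Sprintf("zone %q at level %d: non-default, revert to 0 when debugging ends", cfg.ZoneName, cfg.LogLevel)}
	default:
		return Finding{Severity: "critical", Message: fmt.Sprintf("zone %q at level %d: PI is being logged, revert to 0", cfg.ZoneName, cfg.LogLevel)}
	}
}

// ResetToDefault returns the file content with the level set back to 0,
// the post-debugging step the guide requires.
func ResetToDefault(cfg LogZoneConfig) string {
	cfg.LogLevel = 0
	return Render(cfg)
}

func main() {
	// Constructed file content; the real file is LogZone_UISupportSer.txt.
	sample := "1\r\nSupportZone\r\n3\r\n"
	cfg, err := ParseLogZoneConfig(sample)
	if err != nil {
		panic(err)
	}
	f := AssessLogLevel(cfg)
	fmt.Printf("[%s] %s\n", f.Severity, f.Message)
	fmt.Print(ResetToDefault(cfg))
}
```

Run against the sample content the check reports a critical finding for level 3 and prints the three-line file with the level back at 0; a file with a missing line or a non-numeric level is rejected rather than silently treated as level 0.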

Appendix A Secure Deployment Checklist

This appendix lists actions you must perform to deploy a secure system. The following security checklist includes guidelines that help secure your database:
- Install only what is required.
- Lock and expire default user accounts.
- Enforce password management.
- Enable data dictionary protection.
- Practice the principle of least privilege.
  o Grant necessary privileges only.
  o Revoke unnecessary privileges from the PUBLIC user group.
  o Restrict permissions on run-time facilities.
- Enforce access controls effectively and authenticate clients stringently.
- Restrict network access.
- Apply all security patches and workarounds.
  o Use a firewall.
  o Never poke a hole through a firewall.
  o Protect the Oracle listener.
  o Monitor listener activity.
  o Monitor who accesses your systems.
  o Check network IP addresses.
  o Encrypt network traffic.
  o Harden the operating system.