Skip Headers
Oracle® Retail Merchandising Security Guide
Release 15.0
E65442-01
  Go To Table Of Contents
Contents

Previous
Previous
 
Next
Next
 

14 General Security Considerations

This chapter discusses how to securely install the Oracle Retail Invoice Matching (ReIM) application. To obtain a secure configuration, follow the instructions and advice provided below.

The ReIM application is installed on the server, but is used in the distributed environment. Both client and server security should be taken into consideration when hardening application deployment. You need to reference your desktop and server operation system security guides, if available for more information on reinforcing security for the execution environment.

In particular, only valid users should have access to the client workstations running clients for the application. The reasonable locking policy should be established to lock out computer screens after some time of inactivity. The Security policy should be established at the desktop level to monitor unsuccessful login attempts. The System administrator should guarantee that the operation system has the latest mandatory update patches.

You should use only the supported browsers to access the application. The browsers should be patched with all the mandatory security updates dictated by the browser's vendor. Browser auto-complete feature should be disabled by the system administrator. It is advised to add the server ReIM is deployed at to the list of sites for Local Intranet in the Web browser. The browser should be allowed to open pop-ups initiated by the Invoice Matching application. In addition, the browser should allow submitting non-encrypted form data.

For more information on how to secure the internal network used to access Invoice Matching server(s), see the Network Security Configuration Guide. This should include both physical and logical security of the network. Only SSL enabled communication should be used. Please make sure that browsers have certificates verification turned on.

Only the desktops on the intranet should be allowed to access the application server. The best approach is to limit the set of client computers on the network that can access the application server. That can be done at the network level to prevent guest users on the local network from even seeing the application server. In addition, the server can be configured to serve requests from the specified set of network addresses.

Only system administrators should have access to the application server(s). Business users (even power users) should not have accounts to the application server computers. If such accounts do exist, the OS account privileges should prevent business user from accessing application server files/directories associated with the Invoice Matching application.

The users running batches should never be OS system administrators and WebLogic administrator. The best approach is to have a single dedicated user for running batches, rather than having multiple users running batches ad hoc. The user running batches should have ReIM application administrator privileges. The user should be setup with access to all locations (see location Security section below).

Only authorized users should be able to upload/download files consumed/produced by the Invoice Matching application. The directory structure for incoming EDI files should be accessible to the OS user running batches as read-only. It is recommended to keep outbound files in a separate directory. The outbound files directory should allow write access. It is also recommended to have separate write accessible directories for rejected files and for audit files. Please note that the system maintains the reference to the locations of the intended loads rejection and will attempt o write to that location at the later load retries. As such, the locations should be accessible for writing even after initial load attempt.

It is recommended to keep audit copies of the processed files. It is up to the retailer to provide the process for that. Audit copies should be created prior to supplying the files for ReIM processing. The files can be kept in an audit directory or using any other appropriate document management system that would allow easy retrieval later on.


Note:

ReIM processes files that have been supplied by vendors or that have been supplied by RMS. Secure file transfer should be deployed in both cases.

It is also recommended to keep copies of the physical documents sent by vendors and manually entered into the system via the Document Entry screen, so that potential data integrity issues related to data entry can be resolved.