Oracle® Retail Store Inventory Management Security Guide
Release 15.0
E68593-01

7 Overview of Store Inventory Management Security

This chapter discusses the security architecture and provides guidance for securing the Oracle Retail Store Inventory Management (SIM) application. Although each retailer must determine the detailed security methods that best suit its organization, this chapter outlines best practices for securing Store Inventory Management.

General Security Considerations

When considering how to make SIM secure, the general security principles described below should be borne in mind.

Software and Patches

Oracle Software

Oracle releases Critical Patch Updates for security-related issues on a regular schedule, four times a year. For more urgent vulnerabilities, Oracle issues Security Alerts for fixes deemed too critical to wait for the next Critical Patch Update. Information on these patches is available on the Oracle website and is also distributed by e-mail. It is strongly recommended that these patches be applied as soon as possible in order to address the identified vulnerabilities.

Third Party Software

Oracle software is often used in conjunction with third party software such as operating systems or drivers. It is strongly recommended that users regularly check for patches or updates that address security vulnerabilities in this software.

Users should also stay up to date with security information and alerts, which report vulnerabilities in third-party operating systems, algorithms, and recommended configurations.

Reducing the Scope for Security Breaches

Security fundamentals should be applied during security planning and while managing activities across all security related components.

General Principles

When hardening security for a SIM deployment, the complete application architecture and operational environment should be considered. See the relevant security documentation for detailed information on securing system components such as the operating system, Java runtime environment, WebLogic application server, Oracle database server, and Oracle Internet Directory.

The Java runtime environment should be kept at the current Oracle security baseline. The client machine should have the correct certificates installed, and its Java runtime should be configured to run the SIM client as a signed, trusted Web Start application launched from a JNLP file over an SSL/TLS connection.

Securing the Environment

The environment can be made secure by minimizing the attack surface to reduce attack vectors. Methods of achieving this include:

  • The client machine, application server machine, database server machine, and LDAP server machine should all be protected by firewalls and use separate user accounts and credentials.

  • The environment can be further secured by removing or disabling all unnecessary components. For example, if the wireless server is not used then it should be shut down and removed post installation.

  • As WebLogic Server supports one active security realm per domain, all applications deployed to the same domain must share the same identity management solution. For example, if multiple applications use different identity stores, they should be deployed to separate domains, each with its own security providers.

Separating Components

The severity of potential security breaches can be limited by separating the different system components. Hosting the application and database servers on two different machines means that a security breach on one machine does not necessarily lead to a breach on the other. For example, if the batch client's WebLogic server were compromised, running it as a separate user whose access is limited to SIM services means that other resources, such as the database server, remain protected.

The separation of duties with respect to resources provides the opportunity to implement layered security, often referred to as defense in depth. As SIM uses a multi-tier architecture, it is recommended to secure each layer separately. Although this increases complexity, it improves the application's resilience against different forms of attack and reduces the risk of a single point of failure.

For example, the batch client should run as an operating system user that does not have administrator privileges. That user should have only the access rights required to execute the batch client runtime, read and write batch files, and reach the SIM server over the network. The WebLogic user account should likewise not have administrator privileges and should have access only to the SIM server deployment.

Network Access

Access to the network should be restricted as much as possible. For example, network address whitelists, firewalls, software or hardware VPNs, encrypted connections, and user access restrictions can all be used to limit access to the deployment at the network level.

User Access

SIM supports several user security modes and single sign on (SSO) authentication by using the WebLogic security services.

Identity management is the management of users and their associated authentication, authorization, and privileges within a software deployment. Correct configuration and management of the chosen identity management solution is important to maintaining a secure application deployment.

User accounts should be carefully configured to provide the least privilege required to perform their specific operations. This applies to users of, and access to, all areas of the application infrastructure. User privileges should be maintained actively and reviewed periodically to determine whether changes are required.

System security should be continually monitored and maintained during operation. There are many potential causes for security breaches, even in secure systems, such as undiscovered vulnerabilities, technology advancements, user account abuse or theft. In order to quickly and effectively detect intrusions and mitigate risk it is important to audit activity and regularly monitor audit records.

Handheld Devices

The SIM PC and wireless handheld clients are intended for use in a retail store environment. Because of the risk of unauthorized users gaining physical access to the client device, additional security measures are recommended. These include device access restrictions such as a screen lock triggered by inactivity and protected by a password or two-factor authentication. For example, the PC client machine should be configured to lock the screen after a period of inactivity and to require the user's password to unlock it.

Wireless handheld client software is provided by Wavelink. This third party software renders SIM screens and connects to the Wavelink wireless server.

The Wavelink Telnet client can carry the Telnet session over Secure Shell (SSH), a protocol for transmitting private information across untrusted networks, so that the session data is encrypted in transit. The Telnet client supports multiple SSH versions and automatically selects the most secure version that the SSH server supports.

In SIM 15.0 the Wavelink client/server supports TLS transport security. The SIM wireless server should be configured for TLS security in production deployments.

Installation

This section covers the installation of SIM.

Pre-Installation

Before installation a deployment plan should be developed that considers system security in addition to application operation. There are many components and features to examine when hardening system security. By using formal planning with flowcharts and checklists there is less risk of mistakes and overlooking security vulnerabilities.

When installing each infrastructure component, such as the operating system or application server, the appropriate security documentation should be reviewed. Ensure that these components are securely configured and use appropriate security features, such as password policies and encryption.

Security options such as SSL or TLS should be required and set up using certificates signed by a trusted certificate authority.
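
The following added example (not part of the SIM product or this guide) shows what "require TLS, verify against a trusted CA" means for any SIM-side component that opens an outbound TLS connection, such as the wireless server talking to the Wavelink server or a web-service consumer calling a provider. It places a deliberately weak Python `ssl` configuration beside a hardened one and includes a small check that reports which obligations a context fails. The `ca_file` argument is an assumption standing in for the retailer's own CA bundle; the check names are constructed for the demonstration.

```python
"""Added example: weak versus hardened TLS client configuration, with a checker.
This is illustrative code written for this page, not SIM or Wavelink code."""
import ssl


def weak_client_context():
    """What a careless client does: accept any certificate, any hostname,
    and any protocol version the peer offers. Shown only as the 'before'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context(ca_file=None):
    """Require TLS 1.2 or later, validate the chain, and check the hostname.
    ca_file (assumed path to the retailer's CA bundle) pins trust to that CA
    only; without it the platform's default trust store is used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verification on by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx


def context_findings(ctx):
    """Return the list of Policy-style obligations the context fails to meet.
    An empty list means the context is acceptable for production use."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 permitted")
    return findings


if __name__ == "__main__":
    print("weak:    ", context_findings(weak_client_context()))
    print("hardened:", context_findings(hardened_client_context()))
```

The hardened context is what a signed Web Start launch over SSL/TLS (above) assumes on the client side as well: the certificate presented by the server must chain to a CA the client already trusts, so the CA certificate must be installed before the first connection rather than accepted interactively.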

Installation


Note:

For detailed instructions on installing the SIM application, see the SIM Implementation Guide.

When installing the SIM application the available security features for all installed components should be enabled. For example, SSL should be enabled for all resources, and web service security policies should be applied.

It is important to install only the necessary components and to disable any unused features during configuration. For example, if RIB is not used, it should be disabled during installation.

Separate user accounts should be used for each component configured by the installer. The user accounts should have access restricted to the requirements of the functions they will carry out. They should use credentials that satisfy robust password policies.

Depending on the selected identity management solution, the appropriate security providers must be installed for SIM to perform authentication and authorization operations.

  • If the external (OID or LDAP) or a hybrid user security mode is used then the WebLogic OID or LDAP authentication provider must be configured for the WebLogic domain.

  • If the internal (database) or a hybrid user security mode is used then the SIM database authentication provider must be installed and configured for the WebLogic domain.

  • If SSO authentication is used then the SIM SSO authentication provider must be installed and configured for the WebLogic domain.

It is recommended to install only the required security providers and remove or disable any unused providers.

For a clustered installation it is strongly recommended to use an external credential store (database or LDAP) for Oracle Fusion Middleware security services.

Post Installation

After installing the product the deployment and environment security should be reviewed.

All unnecessary components should be removed or disabled, including but not limited to resources, services, application features, weak protocols and insecure access points. Also ensure that appropriate file restrictions have been applied to protect any sensitive information and limit access to minimum requirements.
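
As an added example (not part of the SIM product or this guide), the following Python script performs the file-permission part of this post-installation review and also serves the earlier point that the batch client's operating-system user should be able to reach only its own runtime and batch files. It walks a deployment directory, lists every file that grants any permission to users outside the owner and group, and can strip those bits. The directory layout and file names it builds are constructed for the demonstration; real SIM paths will differ. It relies on POSIX permission bits, so it is not meaningful on Windows.

```python
"""Added example: audit and tighten 'other' permission bits under a deployment
directory. Illustrative code written for this page, not SIM installer code."""
import os
import stat
import tempfile


def other_bits(path):
    """Permission bits granted to 'other' on path (0 means none)."""
    return os.lstat(path).st_mode & stat.S_IRWXO


def world_accessible(root):
    """Sorted relative paths of regular files under root that grant any
    permission to 'other'. Symlinks are skipped so the walk stays in the tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IRWXO:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def harden(root):
    """Remove 'other' permission bits from every file and directory under root.
    Returns the number of entries changed. Owner and group access is untouched,
    so the service account keeps the rights it needs."""
    changed = 0
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IRWXO:
                os.chmod(path, stat.S_IMODE(mode) & ~stat.S_IRWXO)
                changed += 1
    return changed


def build_demo_tree():
    """Constructed sample deployment tree (file names and modes are assumptions):
    a world-readable properties file, a correctly restricted keystore, and a
    world-writable batch input file."""
    root = tempfile.mkdtemp(prefix="sim-demo-")
    batch = os.path.join(root, "batch")
    os.makedirs(batch)
    os.chmod(batch, 0o750)
    for rel, mode in (("sim.properties", 0o644),
                      ("batch/keystore.jks", 0o600),
                      ("batch/in.csv", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    print("before:", world_accessible(demo))
    print("changed:", harden(demo))
    print("after:", world_accessible(demo))
```

Run it against the real deployment directory as the service account (never as root) once the installer has finished; anything it reports should be explained by a documented requirement or fixed. Group permissions are deliberately left alone because the batch and server accounts may legitimately share a group.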

If an internal user security mode is used, application roles and internal user accounts should be set up. The installer creates an internal installation user who has access to application settings, role management, and user account management. Once the operational users have been set up, this internal installation user should be deleted from the system.

Role Based Security and User Management

It is good practice to determine application roles based on organizational requirements and to use a fine-grained, modular structure for role composition. Because a user can be granted several of these fine-grained roles, access can be limited to the functions actually required while reducing the frequency of role management activities.

Additional declarative security can be provided using deployment descriptors, so only specific users are allowed to invoke certain EJBs.

For detailed information about SIM application role based security and user management see the Oracle Retail SIM Implementation Guides.

Web Based Security

Web services provided and consumed by SIM can be configured with security policies by the installer. These web services are designed to participate in Retail Service Backbone (RSB) flows which support two distinct Oracle WebLogic WS-Policy configurations. These are referred to as Policy A and Policy B.

On the provider side of the communication, Policy A and Policy B are each configured using one or more of the Oracle WebLogic WS-Policy configurations defined in the XML files shipped with Oracle WebLogic:

  • Policy A

    • Description:

      Message must be sent over SSL and requires authentication of a plain text UsernameToken.

    • Configuration:

      Wssp1.2-2007-Https-UsernameToken-Plain.xml

  • Policy B

    • Description:

      Message body must be encrypted and signed, and requires authentication of an encrypted UsernameToken.

    • Configuration:

      • Wssp1.2-2007-Wss1.1-UsernameTokenPlain-EncryptedKey-Basic128.xml

      • Wssp1.2-2007-EncryptBody.xml

      • Wssp1.2-2007-SignBody.xml

Non-RSB Web Services

For information on where these policies are set for web service consumers see Appendix: SIM Application WebLogic Server Installer Screens in the Oracle Retail SIM Implementation Guides.

For detailed information on configuring the Oracle WebLogic security policies, see the Oracle Retail Service Backbone Security Guide.
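
To make Policy A concrete, the following added example (written for this page; it is not SIM, RSB, or WebLogic code) builds the SOAP 1.1 request a consumer sends under Policy A, a `wsse:UsernameToken` with a plain-text password, and shows the two obligations a provider has to enforce before it looks at the body: the message must have arrived over SSL/TLS, and the token must authenticate against the identity store. In a real deployment WebLogic enforces both from `Wssp1.2-2007-Https-UsernameToken-Plain.xml`; here the transport check is a boolean argument and the identity store is a lookup function, both assumptions. The user names and passwords are constructed. Policy B's encrypted and signed body is not shown.

```python
"""Added example: a Policy A (UsernameToken over SSL) request and the provider-side
checks it implies. Illustrative code for this page using only the standard library."""
import hmac
import xml.etree.ElementTree as ET

# Standard SOAP 1.1 and WS-Security 1.0 namespaces.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

ET.register_namespace("soapenv", SOAP)
ET.register_namespace("wsse", WSSE)


def build_policy_a_request(username, password, body_xml):
    """Consumer side: wrap a payload in a SOAP envelope carrying a plain-text
    UsernameToken. Nothing in the message protects the password; Policy A relies
    on the transport for that, which is why the provider must insist on TLS."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    security.set(f"{{{SOAP}}}mustUnderstand", "1")   # receiver may not ignore it
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=PASSWORD_TEXT)
    pw.text = password
    ET.SubElement(env, f"{{{SOAP}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env, encoding="unicode")


def authenticate_policy_a(envelope_xml, over_tls, password_for):
    """Provider side: enforce the Policy A obligations before touching the body.
    over_tls: whether the transport was SSL/TLS (an assumption standing in for
    the container's knowledge of the connection). password_for(username): stands
    in for the identity-store lookup; returns the expected password or None.
    Returns (accepted, detail)."""
    if not over_tls:
        return False, "rejected: Policy A requires SSL/TLS transport"
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False, "rejected: malformed envelope"
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False, "rejected: no wsse:UsernameToken"
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    if not username or pw is None:
        return False, "rejected: incomplete UsernameToken"
    if pw.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        return False, "rejected: Policy A expects a plain-text password type"
    expected = password_for(username)
    supplied = (pw.text or "").encode()
    # Constant-time compare; an unknown user fails the same way as a bad password.
    if expected is None or not hmac.compare_digest(expected.encode(), supplied):
        return False, "rejected: authentication failed"
    return True, username


if __name__ == "__main__":
    store = {"rsb_sim": "constructed-secret"}     # constructed identity store
    req = build_policy_a_request("rsb_sim", "constructed-secret",
                                 "<ping xmlns='urn:example'/>")
    print(req)
    print(authenticate_policy_a(req, True, store.get))
    print(authenticate_policy_a(req, False, store.get))
```

The point the code makes is the one the policy description makes: with Policy A the password crosses the network as-is, so the transport check is not optional hardening but the only thing standing between the token and anyone on the path. Policy B removes that dependency by encrypting the token and body, at the cost of key management on both sides.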