Oracle® Retail Predictive Application Server and Applications Security Guide Release 14.1.1 E61143-01
The Oracle Retail Predictive Application Server, or RPAS, is a platform that provides a set of common components used by a number of applications (or solutions). For these solutions, RPAS provides the infrastructure needed to store, process and produce information based on data input by the retailer.
This guide discusses security considerations around the deployment and operation of an RPAS Server deployment and interaction between that server and the set of clients deployed for the users of an RPAS application.
Where applicable, application-specific information about secure deployment of each RPAS application can be found in that application's installation guide.
RPAS itself does not have any special security requirements.
The following section provides a brief introduction to RPAS and its terminology.
RPAS: A platform that provides a foundation to run solutions used for retail planning. RPAS provides those solutions with a common interface based on wizards, templates, workbooks and batch processes.
RPAS Solution: An application running on top of RPAS that provides solutions for retail problems such as financial planning or forecasting demand.
RPAS Domain: A collection of server side directories and files containing the data and procedures required to execute a specific RPAS solution. Domains may be:
Global: accessible for all users.
Local: configured so that only a subset of data is accessible for specified users.
There are two ways of accessing information in an RPAS solution:
Classic Client: A Windows-based thick client.
Fusion Client: A web-based client.
In addition, Administrators can access the Configuration Tools. This is a Windows-based set of utilities used to configure and maintain an RPAS Solution.
A series of applications are required to install and run the RPAS Server. Additional software is required to install the Fusion Client or the Classic Client required by users to access and manipulate the data. Full details can be found in Chapter 1 (Introduction) of the Oracle Retail Predictive Application Server Installation Guide.
Java
Java 1.7 JDK is required for the RPAS Server, the RPAS Configuration Tools (including domain creation and patching), and for the JDBC environment. For the latest security patches, refer to the Oracle Retail Predictive Application Server Installation Guide for your current version.
Other Applications
If installing the RPAS Server on a Unix or Linux platform, an unzip utility will be required. Perl will also be required for the upgrade process.
If installing the RPAS Server on a Windows platform, Cygwin will be required. For details, see Chapter 4: Installing on a Windows Environment in the Oracle Retail Predictive Application Server Installation Guide.
If the optional Hybrid Storage Architecture (HSA) functionality will be used, an Oracle Database 12c installation will be required. For details, see the Hybrid Storage Architecture chapter in the Oracle Retail Predictive Application Server Administration Guide for the Fusion Client.
RPAS Extension Libraries
For any implementers/customers who wish to compile RPAS C++ extension libraries (custom templates, functions, or expressions), the required C++ compiler versions are listed in the Oracle Retail Predictive Application Server: RPAS Extension Development Guide (Doc ID 1926977.1) on My Oracle Support.
If using the Classic Client with WebLaunch, users are also required to install the WebLogic Server. See Table 1–2: RPAS Classic Client Hardware and Software Requirements and Chapter 7: RPAS Classic Client Web Deployment in the Oracle Retail Predictive Application Server Installation Guide for more information.
If using the Fusion Client, see Table 1–3: RPAS Fusion Client Hardware and Software Requirements in the Oracle Retail Predictive Application Server Installation Guide for more information on the Web Browser, Application Server, Supported Operating system, and Java requirements.
As well as the RPAS Security Guide, Security Guides exist for other applications such as the WebLogic server. Information on these is available on the Oracle Technology Network at the following URL:
http://www.oracle.com/technetwork/documentation
The following security guides are useful:
Oracle Retail Merchandising Security Guide
Oracle Retail Advanced Science Engine (ORASE) Security Guide
The following documents provide further information on RPAS Server dependencies:
The Oracle Retail Predictive Application Server Installation Guide Chapter 1 lists the hardware and software requirements for the RPAS Server. Table 1-1 is especially useful.
Basic requirements of environment variables for running the RPAS Server are listed in the Oracle Retail Predictive Application Server Installation Guide Chapter 3 (for Unix) or Chapter 4 (for Windows).
A more detailed discussion of RPAS Server environment variables, including the required path variables, plus variables covering Database tuning, Log level settings, Date and Time specifiers, and control of parallel processing is found in the RPAS Administration Guides, Appendix D.
Users can connect to the RPAS solutions using one of two clients:
The primary client used by RPAS applications is the Fusion Client. The Fusion Client is a web-based application that allows access to RPAS workbooks through interaction with the web server in users' browsers.
RPAS also supports a legacy Classic Client. The Classic Client is a stand-alone desktop application deployable on Windows that interacts directly with an RPAS domain.
When deciding between the Fusion and Classic Clients, installers should take into account that the Fusion Client, based as it is upon standard Oracle technologies, allows greater assurance of a secure environment and greater flexibility in the nature of that environment. Details on deploying each of the clients can be found in the following sections:
This section contains information on how to secure a Fusion Client deployment.
This is an Application Development Framework (ADF) based 3-tier web application. The Fusion Client is deployed on the WebLogic Server. It interacts with the RPAS Server deployed as daemon processes. Typically, WebLogic and RPAS Servers are deployed on separate machines. They support the AIX, HPUX, Solaris, and Linux platforms.
The Fusion Client (running within WebLogic) and the RPAS Server are typically deployed behind a firewall. They communicate using a TCP/IP based protocol that supports encryption. More components are involved if using multiple WebLogic managed servers for scalability (hardware or software load balancer), and for supporting single-sign-on (Web tier server, OAM, load balancer).
Single Sign-On (SSO) deployment requires perimeter authentication in the Web Tier. Oracle SSO architecture calls for an Oracle HTTP Server configured as a reverse proxy and an OAM WebGate component plugged into it for intercepting and enforcing authentication on all requests. The authentication is done using Oracle Access Manager (OAM) and Oracle Internet Directory (OID).
A web tier consisting of either a reverse-proxy web server or a hardware load balancer is recommended in non-SSO deployments as well. This provides better security management and an opportunity to reduce the performance overhead of SSL by implementing it in the web tier which is often better equipped to execute SSL endpoint functions than the WebLogic Server.
This is a typical topology for deployments without SSO. The main features are as follows:
A load balancer with SSL termination capability: it provides a public URL to prevent direct access to the internal corporate network where the application servers are deployed. It also provides load-balanced connection to multiple application servers.
Application servers, such as Oracle WebLogic, are deployed inside the firewall. Multiple servers provide horizontal scaling.
A single Fusion Client deployment can provide access to multiple RPAS solutions (for example, MFP and IP) which might be hosted on separate machines with their own DomainDaemon processes. These RPAS Servers are also deployed inside the firewall. The communication between the RPAS Fusion Client instances and the RPAS processes ideally takes place over a LAN.
A typical SSO deployment has the following additional characteristics:
Perimeter authentication enforced by the Oracle Access Manager (OAM) WebGate plug-in attached to an Oracle HTTP Server instance deployed in reverse-proxy configuration.
Mod_wl_ohs is an OHS plug-in that funnels requests in a load-balanced way to the WebLogic managed servers.
The identity store (here labeled as "LDAP") is deployed inside the firewall and is used by the WebLogic Servers and the Oracle Access Manager server.
Use a web tier. In conjunction with other security measures (described below), this provides better security by allowing application data and configuration files to be hidden behind a firewall.
Deploy the WebLogic Managed Servers hosting the Fusion Client behind a firewall.
SSL is required on the browser to Web Tier Internet connection. For performance reasons it is a good idea to do SSL termination at the web tier. Requests forwarded to the application servers can be unencrypted since the communication is behind the firewall.
Enable the SSL listen ports on the WebLogic Servers and turn off the non-SSL ports.
Install CA-signed SSL certificate on the WebLogic Domain.
Implement and install a WebLogic Network Connection Filter on the WebLogic Servers to accept connections only from the web tier component. This is to prevent access to the application from unauthorized sources in case the firewall is down for any reason.
Disable all web access methods on the WebLogic Servers other than HTTP.
Deploy the web tier server or Load Balancer in a DMZ. Browser requests are first received at the web tier server on a publicly accessible URL. It needs to have access to the application servers located behind a firewall.
SSL is used for communication with the RPAS Server. It is generally recommended to use CA-signed SSL certificates (one for the Fusion Client and one for the RPAS server). In cases where the customer will always be in full control of the Fusion Client and RPAS Server setups, it is acceptable to use a self-signed root certificate as the certificate signing authority.
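The connection filter recommended above only protects the application servers if its rule list ends in a catch-all deny. The following added example (not part of the Oracle guide or of any Oracle code) models first-match rule evaluation in the rule format `target localAddress localPort action protocols` used by WebLogic's default connection filter. It assumes that unmatched connections are permitted and uses constructed documentation-range addresses for the web tier.

```python
import ipaddress

# Constructed sample rules: 192.0.2.10 and 192.0.2.11 stand in for the web tier.
WEAK = """\
192.0.2.10 * * allow https
192.0.2.11 * * allow https
"""
HARDENED = WEAK + "0.0.0.0/0 * * deny\n"

def parse_rules(text):
    """Parse 'target localAddress localPort action [protocols...]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        target, local_addr, local_port, action, *protocols = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        rules.append({"target": ipaddress.ip_network(target, strict=False),
                      "local_addr": local_addr, "local_port": local_port,
                      "action": action,
                      "protocols": set(protocols)})  # empty set: every protocol
    return rules

def decide(rules, remote, local_addr, local_port, protocol):
    """Return the action of the first matching rule; no match means allow."""
    src = ipaddress.ip_address(remote)
    for r in rules:
        if (src in r["target"]
                and r["local_addr"] in ("*", local_addr)
                and r["local_port"] in ("*", str(local_port))
                and (not r["protocols"] or protocol in r["protocols"])):
            return r["action"]
    return "allow"

def has_default_deny(rules):
    """True when the last rule denies every source, port and protocol."""
    if not rules:
        return False
    last = rules[-1]
    return (last["action"] == "deny" and last["target"].prefixlen == 0
            and last["local_addr"] == "*" and last["local_port"] == "*"
            and not last["protocols"])

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, decide(parse_rules(text), "198.51.100.7", "10.0.0.5", 7002, "https"))
```

With the weak rule list, a source outside the web tier is still accepted because no rule matches it; the hardened list rejects it and also rejects non-HTTPS protocols from the web tier itself.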
Security guides are available for the following dependent applications:
Oracle Access Manager
Oracle HTTP Server
Oracle Internet Directory
Oracle WebLogic
These Security guides may be found on the Oracle Technology Network at the following URL:
http://www.oracle.com/technetwork/documentation
This section contains information on how to secure a Classic Client deployment. Deployment can either be WebLaunch or non-WebLaunch. If the deployment is WebLaunch, users can then decide whether to use SSO.
The Classic Client is a thick client that is installed directly on an end-user's desktop. When interacting with the RPAS Server, the Classic Client uses either SSL 1 or SSL 3, depending on the configuration of the system. In order to establish a connection with an RPAS Server, the Classic Client must provide credentials in the form of a user name and password that are validated against the user store of the domain.
The list of RPAS domains to which a client can connect can be specified through a file named foundation.fcf. Connection information can also be distributed via a standalone installation kit, or remotely installed on end-user PCs through the WebLaunch interface.
In a non-WebLaunch deployment, connection information used by the Classic Client is read by the client from a file system resource named foundation.fcf. This file, which can be managed using the eConfigure utility provided as a part of the client installation package, contains information used by the client to create connections to an RPAS Server instance and the domain used by the instance. This information includes network address information and configuration information for the connection. The following diagram provides a high-level view of a Classic Client deployment without WebLaunch:
RPAS WebLaunch is a way to centralize the distribution of the Classic Client throughout an organization. It hosts the RPAS Classic Client installer on a web server and can install or update the Classic Client on the user's Windows PC directly from a web browser. Additionally, it can centralize the management of the list of domains that are available, removing the need for storing the foundation.fcf file locally. It is available in an SSO and non-SSO environment.
For more information on Web Launch deployment, see Chapter 7: RPAS Classic Client Web Deployment in the Oracle Retail Predictive Application Server Installation Guide.
RPAS WebLaunch can be deployed in an SSO environment which is similar to that of the Fusion Client. The SSO version of Web Launch allows remote-configuration of domains with their Classic Client version from the web browser by admin-privilege authorized SSO users. Other authorized SSO users with fewer privileges can install and launch the Classic Client. These SSO users are solely for the web interface and have nothing to do with RPAS users. The Classic Client will prompt for RPAS login once it is started. The following diagram provides a high-level view of a Classic Client deployment with WebLaunch and SSO. It also displays a Multi-Domain deployment:
RPAS Web Launch in a non-SSO environment allows an RPAS user to install and launch the Classic Client and then connect to a pre-configured domain. Because of the lack of authentication available, the RPAS administrator must configure the domains on the back end by editing the domain properties file manually. The following diagram provides a high-level view of a Classic Client deployment with WebLaunch but without SSO. It also displays a Multi-Domain deployment:
In situations where more than one RPAS-based solution is deployed, these separate deployments may be set up to operate independently. In such cases, there are no additional security considerations beyond those of each application. However, it is also possible to configure applications such that they operate in a more integrated fashion.
For additional information, see Domain Daemon IP Filtering and Redundancy.
Such deployments are called multi-solution deployments and they require additional consideration in terms of the degree of integration between applications. Of primary importance is the ability to replicate the user dictionary of one domain for use in another. In multi-solution deployments, creating a unified user dictionary will allow users to work within each of the domains without the need for managing separate credentials for each domain.
For information on shared user dictionaries, see Integrating User Dictionaries in the RPAS Integration chapter.