Oracle® Healthcare Master Person Index Configuration Guide Release 2.0.13 E25247-06
This chapter describes security configuration issues you should consider when implementing OHMPI.
The following principles are fundamental to using any application securely.
One of the principles of good security practice is to keep all software versions and patches up to date.
Oracle continually improves its software and documentation. Critical Patch Updates are the primary means of releasing security fixes for Oracle products to customers with valid support contracts. We highly recommend customers apply these patches as soon as they are released.
Although the importance of passwords is well known, the following basic rule of security management is worth repeating:
Ensure all passwords are strong passwords.
You can strengthen passwords by creating and using password policies for your organization. For guidelines on securing passwords and for additional ways to protect passwords, refer to the Oracle® Database Security Guide specific to the database release you are using.
You should modify the following passwords to use your policy-compliant strings:
Passwords for the database default accounts, such as SYS and SYSTEM.
Passwords for the database application-specific schema accounts, such as RXI.
The password for the database listener. Oracle recommends that you do not configure a password for the database listener as that will enable remote administration. For more information, refer to the section "Removing the Listener Password" of Oracle® Database Net Services Reference 11g Release 2 (11.2).
The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Overly ambitious granting of responsibilities, roles, grants — especially early on in an organization's life cycle when people are few and work needs to be done quickly — often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.
Keep only the minimum number of ports open. You should close all ports not in use.
Oracle Healthcare Master Person Index standard configuration does not use the Telnet service.
Telnet listens on port 23 by default.
If the Telnet service is available on any computer, Oracle recommends that you disable Telnet in favor of Secure Shell (SSH). Telnet, which sends clear-text passwords and user names through a log-in, is a security risk to your servers. Disabling Telnet tightens and protects your system security.
In addition to not using Telnet, the Oracle Healthcare Master Person Index standard configuration does not use the following services or information for any functionality:
Simple Mail Transfer Protocol (SMTP). This protocol is an Internet standard for E-mail transmission across Internet Protocol (IP) networks.
Identification Protocol (identd). This protocol is generally used to identify the owner of a TCP connection on UNIX.
Simple Network Management Protocol (SNMP). This protocol is a method for managing and reporting information about different systems.
Restricting these services or information does not affect the use of Oracle Healthcare Master Person Index standard configuration. If you are not using these services for other applications, Oracle recommends that you disable these services to minimize your security exposure. If you need SMTP, identd, or SNMP for other applications, be sure to upgrade to the latest version of the protocol to provide the most up-to-date security for your system.
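The following check is an added example, not part of Oracle's guide: it parses `ss -H -tuln` output and flags listeners for the services named above, plus any listening port outside an allowlist. The sample output, the allowlist, and the ports used for SMTP (25), identd (113) and SNMP (161) are assumptions based on the protocols' standard defaults; the guide itself states only Telnet's port 23 and the SQL*NET port 1521.

```python
# Services the guide says the standard OHMPI configuration does not use.
# Port numbers are the protocols' standard defaults (assumption, except Telnet's 23).
UNUSED_SERVICES = {
    ("tcp", 23): "Telnet",
    ("tcp", 25): "SMTP",
    ("tcp", 113): "identd",
    ("udp", 161): "SNMP",
}

# Constructed sample of `ss -H -tuln` output so the example runs offline.
# On a live Linux host, feed the real command output to audit() instead.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128                *:1521             *:*
tcp   LISTEN 0      128             [::]:8080          [::]:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return a set of (proto, local_address, port) from `ss -H -tuln` text."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # skip blank lines and other socket families
        addr, _, port = fields[4].rpartition(":")  # handles [::]:8080 as well
        if port.isdigit():
            listeners.add((fields[0], addr.strip("[]"), int(port)))
    return listeners

def audit(ss_output, allowed):
    """Split listeners into unused-service findings and ports outside `allowed`."""
    unused, unexpected = [], []
    for proto, addr, port in sorted(parse_listeners(ss_output)):
        name = UNUSED_SERVICES.get((proto, port))
        if name:
            unused.append((name, proto, addr, port))
        elif (proto, port) not in allowed:
            unexpected.append((proto, addr, port))
    return unused, unexpected

if __name__ == "__main__":
    # Assumed allowlist for a database-tier host: SSH and the SQL*NET listener.
    unused, unexpected = audit(SAMPLE_SS_OUTPUT, allowed={("tcp", 22), ("tcp", 1521)})
    for name, proto, addr, port in unused:
        print(f"DISABLE  {name:7} {proto}/{port} on {addr}")
    for proto, addr, port in unexpected:
        print(f"REVIEW   {proto}/{port} on {addr} is not in the allowlist")
```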
When designing a secure deployment, design multiple layers of protection. If a hacker should gain access to one layer, such as the application server, that should not automatically give them easy access to other layers, such as the database server.
Providing multiple layers of protection may include:
Enable only those ports required for communication between different tiers, for example, only allowing communication to the database tier on the port used for SQL*NET communications (1521 by default).
Place firewalls between servers so that only expected traffic can move between servers.
Consider utilizing the application server's SSL service for the MPI application. The MPI application is a standard J2EE application and it can utilize an industry standard security infrastructure and framework. There is no configuration needed on the MPI application itself. The application server (WebLogic or GlassFish) provides SSL service. Refer to the application server's documentation to configure SSL for MPI.
For security reasons, we suggest you delete the create.sql PL/SQL installation script that is no longer needed. This script is located here:
NetbeansProjectlocation/ProjectName/src/DatabaseScript/