Oracle® Argus Analytics

Security Configuration Guide

Release 1.1

E35208-01

May 2012

This guide describes essential security management options for the following applications:

• Oracle Argus Analytics

• Oracle Business Intelligence Enterprise Edition

Introduction

This guide presents the following security guidelines and recommendations:

• Configuring Strong Password on the Database and WLS

• Closing All Open Ports not in Use

• Disabling the Telnet Service

• Disabling Other Unused Services

• Checking External Links That May Expose Account Data

• Enabling SSL for OBIEE

• Setup Session Timeout in OBIEE

• Logging Security Restrictions

• When Creating New Security Realm

• MAPVIEWER Component in OBIEE 11g

• Documentation Accessibility

Configuring Strong Password on the Database and WLS

Although the importance of passwords is well known, the following basic rule of security management is worth repeating:

Ensure all your passwords are strong passwords.

You can strengthen passwords by creating and using password policies for your organization. For guidelines on securing passwords and for additional ways to protect passwords, refer to the Oracle Database Security Guide specific to the database release you are using.You should modify the following passwords to use your policy-compliant strings:

• Passwords for the database default accounts, such as SYS and SYSTEM.

• Passwords for the weblogic server default accounts, such as weblogic.

• Password for the database listener. If you do not configure the database listener to require an authorization password, you unnecessarily expose the underlying database service names to unauthorized individuals.

Closing All Open Ports not in Use

Keep only the minimum number of ports open. You should close all ports not in use.

Disabling the Telnet Service

The Argus Analytics application does not use the Telnet service. Telnet listens on port 23 by default.If the Telnet service is available on the Argus Analytics host machine, Oracle recommends that you disable Telnet in favor of Secure Shell (ssh). Telnet, which sends clear-text passwords and user names through a login, is a security risk to your servers. Disabling Telnet tightens and protects your system security.

Disabling Other Unused Services

In addition to not using Telnet, the Argus Analytics application do not use the following services or information for any functionality:

• Simple Mail Transfer Protocol (SMTP): This protocol is an Internet standard for E-mail transmission across Internet Protocol (IP) networks.

• Identification Protocol (identd): This protocol is generally used to identify the owner of a TCP connection on UNIX.

• Simple Network Management Protocol (SNMP): This protocol is one method for managing and reporting information about different systems.

Therefore, restricting these services or information will not affect the Argus Analytics application. If you are not using these services for other applications, Oracle recommends that you disable these services to minimize your security exposure.

If you need SMTP, identd, or SNMP for other applications, be sure to upgrade to the latest version of the protocol to provide the most up-to-date security for your system.

Checking External Links That May Expose Account Data

In Argus Analytics, you can add customized links to the Home page, Dashboards, Report pages, and the Help icons. Any information that can be made available through a URL can be made accessible to Argus Analytics Onsite users.

In addition, your customized links support passing session parameters, such as login user ID and user role, to a URL. By passing these session parameters, you can create target Web pages that switch the content according to the user login ID, user role, study, and site. You can create links that access Web sites relevant to your business.

However, be aware that in some situations, like links that access external Web sites, passing account data and session information may pose a security risk. In these cases, you can define the link to pass no session parameters to the URL.

Enabling SSL for OBIEE

This section comprises the following sub-sections:

Enabling SSL

Refer to the Configuring SSL for Oracle Argus Analytics in OBIEE section in the Oracle® Argus Analytics Installation Guide to enable SSL.

Setting up a Secure Cookie on WebLogic Server

Refer to the MOS Note How to set up Secure Cookies on WebLogic Server section (Doc ID 1267117.1) to set up the secure SSL cookie.

Setup Session Timeout in OBIEE

To configure the setup session timeout between OBI presentation service and the browser, execute the following steps:

1. Edit the instanceconfig.xml file (config\OracleBIPresentationServicesComponent\coreapplication_obips1).

2. Update the following line in the Security block: <ClientSessionExpireMinutes> 210</ClientSessionExpireMinutes>.

3. Restart OBI Presentation Services.

Note: The internal default value is 210 minutes. After these mentioned minutes, the presentation service removes browser session information from its memory.

Logging Security Restrictions

Query logging level defines the exposure of database queries to OBIEE users. By default, each user account's Logging Level is set to 0 (zero) which is no logging. Following are the steps to set the levels for a user:

1. Open BI Administration tool and click Manage > Identity.

2. Double-click the name of the user to select and update the logging level in the pop-up menu.

3. Enter the following information in the Logging Level:

4. Level 0: No Logging

5. Level 1: Logged details are SQL statements, query response durations, user id, session id , request id.

6. Level 2: Everything Logged in level 1 with additional information like repository name, business model name, subject area name, no of rows returned, etc.

7. Level 3: Everything Logged in level 2 with additional information like, logical query plan, purged cache, etc.

8. Level 4: Everything Logged in level 3 with additional information of query execution plan.

9. Level 5: Everything Logged in level 4 with detailed query execution plan

When Creating New Security Realm

A security realm can optionally include Identity Assertion, Auditing, and Certificate Registry providers. If your new security realm includes two or more providers of the same type (for example, more than one Authentication provider or more than one Authorization provider), you need to determine how these providers should interact with each other.

Custom Authorization and Role Mapping providers may or may not support parallel security policy and role modification, respectively, in the security provider database.

If your custom Authorization and Role Mapping security providers do not support parallel modification, the WebLogic Security framework can enforce a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially. To do this, set the Deployable Provider Synchronization Enabled and Deployable Provider Synchronization Timeout controls for the realm.

MAPVIEWER Component in OBIEE 11g

OBIEE 11g Mapviewer component comes with some demo code which can pose some security vulnerabilities, so it is advised to shut down the Mapviewer component by executing the following steps:

1. Login to the OBIEE 11g Enterprise Manager.

2. Navigate to the Farm_<bifoundation>_domain and expand the Application Deployments.

3. Select the MAPVIEWER application deployed.

4. In the resulting webpage, navigate to: Clustered Application Deployment -> Control -> Shutdown

   
   

5. In the resulting popup, click Shutdown and wait for confirmation till successful completion.

   
   

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

---

Oracle Argus Analytics Security Configuration Guide, Release 1.1

E35208-01

Copyright © 2012 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle America, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.