2 Performing a Secure OSM Installation

This chapter presents planning information for your Order and Service Management (OSM) installation.

For information about installing OSM, see OSM Installation Guide.

Pre-Installation Configuration

OSM depends on a database instance and Oracle WebLogic Server domain that have been properly configured. See "Operating System Security," "Oracle Database Security," and "WebLogic Server Security" for details on secure file system, database, and WebLogic Server domain configuration.

About the O7_DICTIONARY_ACCESSIBILITY Parameter

If you intend to use the sys user when the OSM installer prompts for database administrator credentials, you have two options:

  • Ensure that the O7_DICTIONARY_ACCESSIBILITY parameter is set to TRUE in the database before running the OSM installer. If you choose this option, you should consider setting the parameter back to the default of FALSE after you have finished installing OSM.

  • When prompted for the database administrator user name in the OSM installer, append as sysdba to the user name.

For more information, see the information about installing and configuring the database in OSM Installation Guide.

Installing OSM Securely

This section describes ways of ensuring that OSM is installed securely and information that you can use to secure installed components after installation.

Installation Type

You can perform a custom installation or a typical installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, remove or disable features that you do not need after the installation.

Password Policies

The OSM installer creates database schema and WebLogic Server domain application user accounts. The installer requires you to specify the password (and in some cases, user name) for these users. Oracle recommends the following password policies for these users, as well as users you create in the future:

  • The password should be between eight and 24 characters long.

  • The password should contain at least one letter, one number, and one special character.

  • The password should not contain the user name.

  • The user's account should be temporarily disabled after five login failures.

These recommended password policies are not implemented by default in the OSM installer, but should be configured manually after the installation. See Oracle Database Security Guide for information about implementing user security for Oracle Database users. For information about configuring the policies for WebLogic Server users, see the information about customizing the default security configuration in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

Users and Groups

The OSM installer creates various users and groups in the database and in WebLogic Server. For information about the users and groups created by the OSM installer, see the information about installed components in OSM System Administrator's Guide.

The OSM installer creates the WebLogic Server users and groups listed in OSM System Administrator's Guide. If you intend to use another security implementation, such as LDAP, you must manually create those users and groups and assign the users to the groups.

Security-Relevant Installation Steps

Some steps in the installation process have security implications that you should keep in mind.

  • In the WebLogic Server Connection Information window of the OSM installer, you can choose to connect to WebLogic Server over SSL, which encrypts all communications between the installer and the WebLogic administration server, including the user names and passwords that the installer creates.

  • In the Order and Service Management Session Information window of the OSM installer, you can set the Session Timeout value for the OSM Web clients. It is a security risk to leave a session active for an extended period of time. Oracle recommends updating this setting to the lowest value that meets your business needs.

  • In the Configuration Overview window of the OSM installer, you can choose to save the information you entered in the OSM installer to a configuration file, so that you can use it to perform a silent installation later. If you save the configuration, you also have the option of saving the passwords in the configuration file, but Oracle recommends that you do not select this option, because the passwords would be saved in plain text. If you are going to perform a silent installation, you should edit the file to enter the passwords immediately before running the silent installation and remove them when you are done.