This chapter describes a recommended deployment topology for your PLM system and then provides recommendations on how to securely install and configure the Agile PLM system.
When planning for a secure Agile PLM implementation, consider the following:
Which resources must be protected?
You must protect customer data, such as part numbers, file attachments, and so on
You must protect internal data, such as proprietary source code.
You must protect information in databases accessed by the Agile PLM server and the availability, performance, applications, and the integrity of the Web site.
You must protect system components from being disabled by external attacks or intentional system overloads.
Who are you protecting data from?
For example, you must protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, perhaps a system administrator can manage your system components without needing to access the system data.
What will happen if protections on a strategic resources fail?
In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.
The following figure shows the general topology that is recommended for a secure Agile PLM installation.
The components included in the topology diagram are defined below:
Agile PLM Clients - Agile PLM includes three clients: a Web client, a Java client, and a Mobile client. The Web client is a thin HTML client that uses firewall-friendly protocols (HTTP/S). The Mobile client is a mobile application that also uses firewall-friendly protocols (HTTP/S). The Java client is a Java-based client that can use application server-specific protocols, such as T3 for Oracle WebLogic, to connect to the server.
(optional) Proxy - The hardware load balancer/proxy brokers client communications without compromising the security of your internal network. Clients communicate through the load balancer with the application server. There are no Agile software components running on the hardware load balancer. They are usually deployed in the Demilitarized Zone (DMZ) where it proxies requests from outside the corporate firewall to the application server in the Safe Zone.
Oracle recommends communication using HTTP over SSL (HTTPS) for the most secure deployment.
For standalone application server deployments, both the load-balancer and web server components are optional.
For deployments where the application server is clustered/redundant, a load-balancer is required and the web server is optional.
Refer to the documentation for your proxy server to determine the most secure configurations.
Agile PLM Application Server - The Agile Application Server is the center of the Agile system, the base for the PLM platform, where all common services and business logic reside for the entire solution. The Agile Application Server runs on industry-leading J2EE application servers. As the System Configuration Overview figure illustrates, all client servers and users connect to the Application Server either directly or indirectly. The application server connects to the components in a persistence layer where product content is stored.
Oracle recommends communication using HTTP over SSL (HTTPS) for the most secure deployment.
Agile PLM Database Server - The Agile Database Server persists or stores all product content and system settings. Agile's database server runs on Oracle 11g or 12c.
(optional) LDAP / Directory Server - In an effort to better support the industry standard authentication schemes, Agile PLM supports Lightweight Directory Access Protocol (LDAP) based authentication. LDAP support enables you to integrate Agile with existing directory servers so user accounts can be managed in one place. Integrating with LDAP is optional. Users can be managed within Agile without a directory server. There are no Agile software components deployed on the Directory Server.
If using LDAP, Oracle recommends communication using LDAPS for the most secure deployment.
PLM File Manager / AutoVue Server - The Agile PLM File Manager component provides file upload/download functionality for the Agile PLM application. Oracle recommends communication using HTTP over SSL (HTTPS) for the most secure deployment. The AutoVue Server component provides file viewing functionality for the Agile PLM application.
PLM File Vault - The Agile PLM File Vault consists of one or more file system(s) on which the Agile PLM File Manager component stores and retrieves files uploaded/downloaded in the Agile PLM application.
Note: Oracle suggests that you create a similar Network Diagram to illustrate your deployment's specific network topology, including servers, routers, and firewalls This document may be requested by Oracle Support should a network connectivity issue arise. |
Before installing Agile PLM, you must install and configure Oracle Database Server and Oracle WebLogic Server. The following sections include recommendations on how to set these products up to ensure a secure configuration.
For the latest information on installing Oracle Database Server in a secure manner, refer to the Oracle Database Security Guide and make necessary configuration changes. For additional information, refer to the "Installing Oracle Database Server" chapter in the Agile Product Lifecycle Management Database Installation Guide.
After installing the Oracle Database Server you should install the Oracle WebLogic Server.
For the latest information on how to install WebLogic Server, refer to the appropriate Oracle WebLogic Server documentation.
Additionally, Oracle recommends that you:
Deploy WebLogic Server using SSL.
After installation, change the WebLogic administrator username and password.
Secure WebLogic Server by placing it behind a proxy server.
The following WebLogic Server documents contain information that is relevant to the WebLogic Security Service:
Understanding Security for Oracle WebLogic Server - Summarizes the features of the WebLogic Security Service, including an overview of its architecture and capabilities. It is the starting point for understanding WebLogic security.
Securing Oracle WebLogic Server - Explains how to configure security for WebLogic Server and how to use Compatibility security.
Securing a Production Environment for Oracle WebLogic Server - This document highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment.
This section describes best practices to be followed while using the Agile PLM and database installers.
For the latest information on installing Agile PLM, including the supported operating systems, refer to the Installing Agile PLM for WebLogic guide. The following users are created out-of-box for the application to start correctly and function as expected: admin, agileuser, etluser, ifsuser, propogation, superadmin.
Note: These OOB users should not be dropped or modified without consulting Oracle Support, as this will affect the functionality of the product. |
For the latest information on installing the Agile PLM database schema, refer to the Agile Database Installation Guide.
Additionally, Oracle recommends that you:
Use strong passwords.
Deploy with SSL.
Use the Agile PLM system for authentication.
Use Oracle Platform Components such as OID or OAM for authentication requirements.
To ensure a secure configuration, consider the following recommendations for optional components.
Refer to the AutoVue Security Guide for information about configuring AutoVue securely.
The following diagram depicts how Oracle recommends that every CAD Tool/Connector be set up for optimal security.
Oracle recommends that you configure the Engineering Collaboration Clients with HTTP(s). Refer to the "Configuring Engineering Collaboration Clients for HTTPS" section in the MCAD Connectors for Agile Engineering Collaboration Administration Guide for information about configuring MCAD Connectors securely.