Oracle® Retail Mobile Merchandising Security Guide
Release 15.0
E65652-01

2 Secure Installation and Configuration

This chapter outlines the planning process for a secure installation and describes several recommended deployment topologies for the systems.

Understand Your Environment

To better understand security needs, review the following questions:

  • What resources am I protecting?

    Many resources in the production environment can be protected. This includes information in databases accessed by the Mobile application through Web Services and the integrity of the Mobile application. Identify the resources that need protection when deciding the level of security you must provide.

  • From whom am I protecting the resources?

    For most Mobile applications, resources must be protected from everyone having access to the Mobile device.

    • Should your employees/specific roles have access to the resources within the Mobile Application?

      Consider giving access to highly confidential data or strategic resources to only a few well-trusted roles.

    • Should system administrators have access to all Mobile resources?

      Consider restricting the access of system administrators to the data or resources.

  • What will happen if the protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and causes nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use the Mobile application. Understanding the security ramifications of each resource helps you protect it properly.

Recommended Deployment Topologies

This section describes the recommended architectures for deploying Oracle Retail Mobile Merchandising to secure its access.

Single Domain Deployment

In the absence of an Enterprise SSO solution, a single domain deployment is recommended to enable SSO control of the features. Because Basic Auth App and all the services reside in the same domain, the user credentials generated by Basic Auth App are valid for all the services deployed in the domain. This allows users to navigate between different features without feature-specific login prompts.

Figure 2-1


Multiple Domain Deployment

Multiple domain deployment is the most common deployment scenario, where each application feature and its services reside in their own domain. Multiple domain deployment supports feature-level authentication, where each feature within the Mobile application can be configured to have its own login server. In a non-SSO environment, users are prompted to log in while navigating between the features. In an SSO environment, a single login allows users to navigate between the features even though they reside in different domains/servers.

Figure 2-2


Installing Retail Infrastructure

This section describes steps to install and configure an infrastructure component securely.

Pre-installation of Retail Infrastructure in WebLogic

The Oracle WebLogic Server is primarily used as a Middleware component to deploy Retail Application Services, RetailAppsMobileSecurity, and RetailAppsRESTServices. All the server-side components used by the Retail Mobile Merchandising application rely on the security setup used in the Middleware. For more information, see the 'Pre-installation of Retail Infrastructure in WebLogic' section in the Oracle Retail Merchandising Security Guide.

Post Installation of Retail Infrastructure in Database

The Oracle Retail Application Services, Retail Apps REST Services, and Retail Apps Mobile Access Service use the Oracle database as the back-end data store. For complete environment security, the database should be secured. For more information, see the 'Post Installation of Retail Infrastructure in Database' section in the Oracle Retail Merchandising Security Guide.

Installing Allocation Web Services

Allocation Web Services are packaged as a Web Archive (WAR) within Allocation's Enterprise Archive (EAR) file. These Web services are installed by default. Allocation Web Services use the J2EE authorization security model. These Web services use the oracle/http_basic_auth_over_ssl_client_policy or oracle/http_cookie_client_policy to support SSL/TLS. For information on the steps related to the installation of Allocation services in a secured environment, see Chapter 24 in the Oracle Retail Allocation Installation Guide.

Installing ReSA Web Services

The Oracle Retail Sales Audit (ReSA) Web Services are packaged as a Web Archive (WAR) within ReSA's Enterprise Archive (EAR) file. These Web services are installed by default. ReSA Web Services use the J2EE authorization security model. These Web services use the oracle/http_basic_auth_over_ssl_client_policy or oracle/http_cookie_client_policy to support SSL/TLS. For information on the steps related to the installation of ReSA services in a secured environment, see Chapter 24 in the Oracle Retail Sales Audit Installation Guide.

Installing ReIM Web Services

The Oracle Retail Invoice Matching (ReIM) Web Services are packaged as a Web Archive (WAR) within ReIM's Enterprise Archive (EAR) file. These Web services are installed by default. The ReIM Web Services use the J2EE authorization security model. These Web services use the oracle/http_basic_auth_over_ssl_client_policy or oracle/http_cookie_client_policy to support SSL/TLS. For information on the steps related to the installation of ReIM services in a secured environment, see Chapter 14 in the Oracle Retail Invoice Matching Installation Guide.

Installing RMS Common Web Services

The Oracle Retail Merchandising System (RMS) common Web Services are packaged as a Web Archive (WAR) within the RMS Enterprise Archive (EAR) file. These Web services are installed by default. The RMS common Web Services use the J2EE authorization security model. These Web services use the oracle/http_basic_auth_over_ssl_client_policy or oracle/http_cookie_client_policy to support SSL/TLS. For information on the steps related to the installation of the RMS common services in a secured environment, see Chapter 11 in the Oracle Retail Merchandising System Installation Guide.

Installing Platform Mobile Security

Platform Mobile Security supports the Authentication and Authorization features of the Retail Mobile Merchandising application. Platform Mobile Security is installed as part of the retail applications. For more information, see the Retail Application's installation guide.

Installing Retail Mobile Merchandising

The Retail Mobile Merchandising application is packaged as the MerchMobileArchive.maa file. Deploying Oracle Retail Mobile Merchandising for use on an iOS device requires that you have a computer running Mac OS X set up for iOS development. For more information on the setup, including secure provisioning profiles and certificates, see Apple's documentation at https://developer.apple.com/. For more Oracle-specific information, see the Oracle Retail Mobile Merchandising Installation Guide.

Post Installation Configuration

The Mobile Merchandising application provides a configuration feature to update the connections.xml file on a mobile device after the application has been installed. The connections.xml file must be hosted at a secured location (HTTP Basic authentication) with SSL/TLS set up.

The hosted connections.xml file should contain valid URLs for all connections being used by the application (including the ConfigService and ConfigServiceLogin connections). All the URLs specified in the connections.xml are added to the white list in the application. For more information on securing your configuration, see the Oracle Retail Mobile Merchandising Implementation Guide.
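A pre-publication check of the hosted file, as an added example that is not part of the Oracle guide or product: it confirms that the ConfigService and ConfigServiceLogin connections are present and that every URL that would be white-listed uses https. The sample document is constructed, its element layout is an assumption, and the embedded-credentials check goes beyond what the guide states.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Connections the guide says the hosted file must define.
REQUIRED = ("ConfigService", "ConfigServiceLogin")

# Constructed sample. The element layout is an assumption; the audit only
# relies on elements that carry both a "name" and a "url" attribute.
SAMPLE = """<References xmlns="http://xmlns.oracle.com/adf/jndi">
  <Reference name="ConfigService"><RefAddresses><XmlRefAddr><Contents>
    <urlconnection name="ConfigService" url="https://config.example.com/mobile/connections.xml"/>
  </Contents></XmlRefAddr></RefAddresses></Reference>
  <Reference name="AllocService"><RefAddresses><XmlRefAddr><Contents>
    <urlconnection name="AllocService" url="http://alloc.example.com/services"/>
  </Contents></XmlRefAddr></RefAddresses></Reference>
  <Reference name="ReimService"><RefAddresses><XmlRefAddr><Contents>
    <urlconnection name="ReimService" url="https://svc:secret@reim.example.com/services"/>
  </Contents></XmlRefAddr></RefAddresses></Reference>
</References>"""


def audit_connections(xml_text):
    """Return a sorted list of findings for a connections.xml document."""
    root = ET.fromstring(xml_text)
    # Every URL found here would end up in the application's white list.
    urls = {el.get("name"): el.get("url")
            for el in root.iter() if el.get("name") and el.get("url")}
    findings = []
    for name in REQUIRED:
        if name not in urls:
            findings.append(f"{name}: required connection is missing")
    for name, url in urls.items():
        parts = urlsplit(url)
        if parts.scheme.lower() != "https":
            findings.append(f"{name}: URL is not https ({parts.scheme or 'no scheme'})")
        if not parts.hostname:
            findings.append(f"{name}: URL has no host")
        if parts.username or parts.password:
            findings.append(f"{name}: credentials embedded in URL")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_connections(SAMPLE):
        print(line)
```

An empty result means every listed connection passed; any finding should block publishing the file to the hosting location.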

Single Sign-On for Services

Oracle supports single sign-on between the Retail Application services using Oracle Access Manager (OAM). For more information, see the Appendix: 'Single Sign-On for WebLogic' in the Oracle Retail Merchandising System Installation Guide.