AIP supports the use of the Oracle Database 11g Release 2 (11.2.0.4). The database must be secured using the recommendations provided in the Oracle Database 11g Release 2 Security Guide. This chapter provides additional specific guidance for securing the database for use with AIP.
Before you start setting up the database, ensure that you have installed all the critical patch updates (CPU) and patches for the database. Critical patch updates and patch sets for Oracle products are made available on the My Oracle Support Web site (https://support.oracle.com) along with documentation or instructions on how you can install them.
The following recommendations should be considered for the schema owners:
Database Administrators should create an account to act as the schema owner for the database schema.
The schema owner should only have enough access privileges to install the application.
For more information on creating database user accounts and the specific access privileges for the schema owners, see the section "Creating the AIP Schema Owner" in the chapter "Installing the AIP Oracle Databases Server Components" of the Oracle Retail Advanced Inventory Planning Installation Guide.
It is recommended that the User ID and password comply with the following policies:
Do not use group, shared, or generic accounts and passwords.
Require a minimum password length of at least seven characters.
Use passwords containing both numeric and alphabetic characters.
Do not allow an individual to submit a new password that is the same as any of the last four passwords used.
Limit repeated access attempts by locking out the User ID after not more than six attempts.
Set the lockout duration to 35 minutes or until an administrator enables the User ID.
Note: You can also choose to change user passwords at least every 90 days. In case you do choose to set this policy, ensure that the passwords set up in the connection pools for the AIP data sources in the WebLogic Server Administration Console are also updated to reflect the latest password. Once updated, the WebLogic server will need to be restarted for the changes to take effect.
The following recommendations should be considered for the database:
The database should be on its own dedicated server.
The database server should be in a private network.
The database server should be in a locked secure facility and inaccessible to non-administrator personnel.
The database should only be accessed using trusted network hosts.
The database server should have minimal use of ports and any communications should be under secure protocols.
The database server should be behind a firewall.
Any database user beyond the schema application owner should be audited.
Grant only minimal rights to the owner of the database processes and files, so that only this owner can read and write the database-related files and no one else can.
Password policies can be enforced using database profiles. The options in the following table are based on version 11.2.0.4 of Oracle Database.
The options can be changed using a SQL statement, for example:
alter profile appsample limit
Password policies can be enforced using a password complexity verification script, for example:
UTLPWDMG.SQL
Table 2-1 Oracle Database Security Options

Option | Setting | Description
---|---|---
PASSWORD_LOCK_TIME | 30 | Time the account will be locked, in minutes.
FAILED_LOGIN_ATTEMPTS | 4 | Maximum number of login attempts before the account is locked.
PASSWORD_GRACE_TIME | 3 | Number of days a user has to change an expired password before the account is locked.
PASSWORD_REUSE_MAX | 10 | Number of unique passwords the user must supply before the first password can be reused.
PASSWORD_VERIFY_FUNCTION | <routine_name> | Name of the procedure that can be created to ensure the password is acceptable.
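As an added example (not taken from the AIP guide), the Table 2-1 settings expressed as a complete profile, assigned to the schema owner and then checked in DBA_PROFILES. The profile name AIP_SCHEMA_PROFILE and user name AIP_OWNER are assumptions, as is the verify-function name, taken here from the 11.2 UTLPWDMG.SQL script; Oracle stores PASSWORD_LOCK_TIME and PASSWORD_GRACE_TIME in days, so the 30-minute lock from the table is written as 30/1440.

```sql
-- Added example, not the AIP guide's own statements. Names AIP_SCHEMA_PROFILE,
-- AIP_OWNER and VERIFY_FUNCTION_11G are assumptions (the last one is the
-- function the 11.2 UTLPWDMG.SQL script creates). Run as a DBA user.

-- Install the sample complexity check. Note: the 11.2 script also alters
-- the DEFAULT profile at its end, so review it before running.
@?/rdbms/admin/utlpwdmg.sql

-- Dedicated profile carrying the Table 2-1 values.
CREATE PROFILE aip_schema_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    4                    -- lock after 4 failures
  PASSWORD_LOCK_TIME       30/1440              -- unit is days: 30 minutes
  PASSWORD_GRACE_TIME      3                    -- days to change an expired password
  PASSWORD_REUSE_MAX       10                   -- changes before a password may return
  PASSWORD_REUSE_TIME      1                    -- must be an integer too: leaving it
                                                -- UNLIMITED with REUSE_MAX set makes
                                                -- reuse impossible instead of "after 10"
  PASSWORD_VERIFY_FUNCTION verify_function_11g; -- complexity check from utlpwdmg.sql
  -- PASSWORD_LIFE_TIME 90 is optional (see the note above); if enabled, the
  -- WebLogic data-source passwords must be rotated with it.

-- Apply the profile to the schema owner only; other accounts keep theirs.
ALTER USER aip_owner PROFILE aip_schema_profile;

-- Verify: expect FAILED_LOGIN_ATTEMPTS=4, PASSWORD_LOCK_TIME=.0208 (30/1440),
-- PASSWORD_GRACE_TIME=3, PASSWORD_REUSE_MAX=10, PASSWORD_REUSE_TIME=1,
-- PASSWORD_VERIFY_FUNCTION=VERIFY_FUNCTION_11G.
SELECT resource_name, "LIMIT"
  FROM dba_profiles
 WHERE profile = 'AIP_SCHEMA_PROFILE'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- Confirm the assignment took effect.
SELECT username, profile, account_status
  FROM dba_users
 WHERE username = 'AIP_OWNER';
```

Setting PASSWORD_REUSE_TIME alongside PASSWORD_REUSE_MAX is the practical caveat: with one of the pair left UNLIMITED, Oracle treats the password as never reusable rather than reusable after the table's ten changes.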