Oracle® Retail Process Orchestration and Monitoring Security Guide
Release 19.1
F34939-02

4 Process Orchestration and Monitoring Cloud Service Architecture

Process Orchestration and Monitoring (POM) Cloud Service is a Java-based application deployed on Oracle's Global Business Unit Cloud Services 3.x Platform Services. It is used by other retail cloud services to set up, administer, execute and monitor their batch schedules. The applications are deployed in a highly available, high-performance, horizontally scalable architecture. As of release 19.0.001, POM Cloud Services uses Oracle Identity Cloud Service (IDCS) as its identity provider (IDP). The information about logical, physical and data architecture in this document focuses on how the architecture supports security.


Note:

Some Oracle Retail Process Orchestration and Monitoring Cloud Service deployments currently on versions 19.0 and lower use an instance of Oracle Identity Management (IDM) Suite as an identity provider. As these deployments are upgraded to 19.0.001 and transitioned to GBUCS3, their respective customers' authentication will be transitioned to use IDCS. Oracle Retail will move any user and group information currently on IDM suite to the customer's IDCS tenancy.

Overall Architecture

This section does not explain the complete architecture of the Process Orchestration and Monitoring Cloud Service, but instead focuses on the high-level aspects that relate to security.

Architecture Diagram

Most customer access to the Process Orchestration and Monitoring (POM) Cloud Service is through the web tier. The web tier contains the perimeter network services that protect the Process Orchestration and Monitoring application and associated applications from the internet at large. All traffic from the web tier continues to the Web Tier Security Server (WTSS), which in turn uses the customer's Oracle Identity Cloud Service (IDCS) tenancy to perform authentication. More information about authentication through IDCS is provided later in this document.

The underlying container DBaaS includes one pluggable database (PDB). Applications access the POM schema on the POM PDB using Oracle Net Services (also known as SQL*Net). Transparent Data Encryption (TDE) is enabled during provisioning.

POM Cloud Service authenticates native REST services using OAuth 2.0 through IDCS. Because a common authentication pattern is used, web service users are subject to the same strong controls as application users. All REST service calls are logged in the application logs.

To reduce the attack surface, access to the POM Cloud Service from the open internet is very limited. As described in the Architecture section of this document, business users (on a web browser) and any other external web service endpoints access the application over HTTPS on port 443. The network perimeter blocks requests from blacklisted IPs as configured. The firewall and load balancer pass traffic to the WTSS server, which in turn requests authentication (through an outbound proxy) from the customer's Identity Cloud Service (IDCS) tenancy.

Process Orchestration and Monitoring Cloud Service delegates the actual batch execution to JOS (Job Orchestration and Scheduling) from the RTG (Retail Trade Group). All communication between core POM components and JOS happens through REST service calls using OAuth 2.0 if the IDCS URL is configured. If it is not configured, Basic Auth is used.

Process Orchestration and Monitoring Cloud Service provides a callback feature that sends a batch job's status to the customer's system. Additionally, POM provides a facility for the customer to create or modify the URL and credentials for that system. This feature uses Basic Authentication when calling the REST endpoint at the configured URL. The credentials provided are stored in the WebLogic credential store.
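The two authentication shapes described in the preceding paragraphs (OAuth 2.0 bearer tokens toward JOS when an IDCS URL is configured, Basic Auth otherwise; and Basic Auth on the status callback into the customer's system) are modelled below as an added example. This is not Oracle's or POM's code. The `/oauth2/v1/token` path is the standard IDCS token endpoint; the token fetch is stubbed so the example runs offline, and every hostname, client id, secret and scope-free token value is a constructed placeholder. The callback check is the piece a customer implementing the receiving endpoint would write: it validates the Basic credential with a constant-time comparison and keeps the Authorization header out of the log line, which matters because all REST calls are logged.

```python
"""Added example (not Oracle's code): POM-style outbound auth selection and a
customer-side callback credential check, modelled offline."""
import base64
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Signature of a token fetcher: (token_endpoint, client_id, client_secret) -> access token
TokenFetcher = Callable[[str, str, str], str]


@dataclass
class JosAuthConfig:
    """Assumed configuration shape: an empty/None IDCS URL means Basic Auth fallback."""
    idcs_url: Optional[str]
    client_id: str
    client_secret: str


def _basic_value(user: str, secret: str) -> str:
    """Encode user:secret as the payload of an HTTP Basic Authorization header."""
    return base64.b64encode(f"{user}:{secret}".encode()).decode()


def stub_idcs_token(token_endpoint: str, client_id: str, client_secret: str) -> str:
    """Stand-in for a client-credentials POST to <idcs_url>/oauth2/v1/token.
    A real fetcher would send grant_type=client_credentials with the client id and
    secret as Basic credentials; here a constructed token is returned instead."""
    assert token_endpoint.endswith("/oauth2/v1/token")
    return "constructed-access-token"


def outbound_auth_header(cfg: JosAuthConfig,
                         fetch_token: TokenFetcher = stub_idcs_token) -> Dict[str, str]:
    """Authorization header for a POM -> JOS REST call: bearer token when an IDCS
    URL is configured, otherwise Basic Auth (the fallback the page describes)."""
    if cfg.idcs_url:
        endpoint = cfg.idcs_url.rstrip("/") + "/oauth2/v1/token"
        return {"Authorization": "Bearer " + fetch_token(endpoint, cfg.client_id, cfg.client_secret)}
    return {"Authorization": "Basic " + _basic_value(cfg.client_id, cfg.client_secret)}


def callback_authorized(headers: Dict[str, str], expected_user: str, expected_secret: str) -> bool:
    """Customer-side validation of the Basic Auth header on an incoming POM callback.
    Both fields are compared with hmac.compare_digest, and both comparisons always
    run, so a wrong user and a wrong secret take the same time to reject."""
    scheme, _, payload = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not payload:
        return False
    try:
        decoded = base64.b64decode(payload, validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, secret = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    secret_ok = hmac.compare_digest(secret.encode(), expected_secret.encode())
    return user_ok and secret_ok


def redacted_log_line(method: str, url: str, headers: Dict[str, str]) -> str:
    """Log record for a REST call with the credential-bearing header masked."""
    shown = {k: ("<redacted>" if k.lower() == "authorization" else v) for k, v in headers.items()}
    return f"{method} {url} headers={shown}"


if __name__ == "__main__":
    cfg = JosAuthConfig("https://idcs-example.identity.oraclecloud.com", "pom-client", "s3cret")
    print(redacted_log_line("POST", "https://jos.example.invalid/jobs", outbound_auth_header(cfg)))
    incoming = {"Authorization": "Basic " + _basic_value("pom", "s3cret")}
    print("callback accepted:", callback_authorized(incoming, "pom", "s3cret"))
```

The callback check deliberately rejects a missing header, a non-Basic scheme, malformed base64 and a payload without a colon before it ever compares credentials, so the only path to `True` is a well-formed credential that matches on both fields.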

Readers should refer to the following links for additional information about Oracle Cloud delivery and IDCS.

https://www.oracle.com/assets/ocloud-hosting-delivery-policies-3089853.pdf

https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/manage-oracle-identity-cloud-service-network-permieters.html