Oracle® Retail Integration Bus Security Guide
Release 15.0.2
E90647-01

4 Security Feature Overview


Caution:

Oracle is not responsible for the security compliance of any product customization performed by a retailer, system integrator, or reseller.

The relevant security features fall into one or more of the following categories. For information on these categories, see the following sections:

Securing Sensitive Data

The protection of sensitive data during transit, processing, and storage is paramount. Sensitive data includes personally identifiable information such as credit card number, Social Security number, checking account number, and positive ID such as driver's license number. The Oracle Retail Integration Bus focuses on protecting sensitive data.

Cardholder Data

RIB, being an integration application, does not store credit card data. The applications getting integrated through RIB handle all access to cardholder data and supply tokens to use in place of actual cardholder data.

Communication with Web Service Applications

An additional layer of communication security is provided for web applications (for example, OMS). These applications require the use of Secure Sockets Layer (SSL) to access them. SSL provides an additional layer of encryption and security for the information sent to and received from these applications.

Securing the Application

Securing access to the application against malicious attacks and auditing secure events are accomplished with passwords, additional testing of Web applications, and additional examination of source code.

Passwords

The RIB administration user interface username and password for accessing the user interface are created and stored inside the WebLogic Server security realm, and are protected by your WebLogic security configuration. For more information, see the Oracle Retail Integration Bus Installation Guide.

Default Accounts and Passwords

RIB applications do not contain any default accounts, user IDs, or passwords. An application username and password are entered by the user during the installation process.

Tools

RIB uses the Fortify 360 tool to scan for security issues. As with any tool, the output of this tool should be analyzed in detail since the output may contain false positive warnings. You can use any tools that you choose. No recommendation of the following tool is intended or implied. Fortify 360 is a tool that analyzes software for vulnerabilities. The static analysis component examines an application's source code for potentially exploitable vulnerabilities. The dynamic analysis component identifies vulnerabilities that can be found only when an application is running. All vulnerabilities can be ranked according to their relevance. Fortify can be found at the following website: http://www.fortify.com

Securing the Application Environment and Configuration

Securing the application environment and configuration covers the following areas:

  • Database

Database

If sensitive data is stored in a database, that data must be protected from unauthorized access. Oracle Retail provides the following recommendations for protecting data:

  • Access to the stored procedures used in the data purge scripts should be restricted.

  • Authentication to the database should be done with a different user ID than authentication to the applications.

RIB does not populate the database with any pre-defined users. An administrative user is created during installation.
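
The two database recommendations above can be checked and applied on an Oracle database as in the following added example, which is not taken from the RIB documentation or scripts. The schema name RIB_OWNER, the '%PURGE%' name pattern, the object PURGE_PROC_PLACEHOLDER, the role RIB_PURGE_ROLE, and the account PURGE_JOB_USER are placeholders assumed for illustration; substitute the names used in your installation.

```sql
-- Added example. All object, role and account names are placeholders (assumptions):
--   RIB_OWNER              schema that owns the purge procedures
--   '%PURGE%'              name pattern used to locate them
--   PURGE_PROC_PLACEHOLDER one purge procedure or package found in step 1
--   RIB_PURGE_ROLE         dedicated role for running the purge
--   PURGE_JOB_USER         existing database-only account, not an application login

-- 1. List every grantee that can execute the purge procedures today.
SELECT p.grantee, p.owner, p.table_name AS object_name, p.grantable
FROM   dba_tab_privs p
WHERE  p.owner = 'RIB_OWNER'
AND    p.privilege = 'EXECUTE'
AND    p.table_name IN (SELECT o.object_name
                        FROM   dba_objects o
                        WHERE  o.owner = 'RIB_OWNER'
                        AND    o.object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
                        AND    o.object_name LIKE '%PURGE%')
ORDER  BY p.grantee;

-- 2. Object grants are not the only path: this system privilege lets a grantee
--    run procedures in any schema, so review who holds it as well.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'EXECUTE ANY PROCEDURE'
ORDER  BY grantee;

-- 3. Route access through one dedicated role held by the database-only account.
CREATE ROLE rib_purge_role;
GRANT EXECUTE ON rib_owner.purge_proc_placeholder TO rib_purge_role;
GRANT rib_purge_role TO purge_job_user;

-- 4. Remove grants that step 1 showed to be broader than needed.
--    Run a REVOKE only for grantees actually listed in step 1; revoking a
--    privilege that was never granted raises ORA-01927.
REVOKE EXECUTE ON rib_owner.purge_proc_placeholder FROM PUBLIC;

-- 5. Confirm that only the dedicated role remains as a grantee.
SELECT grantee
FROM   dba_tab_privs
WHERE  owner = 'RIB_OWNER'
AND    table_name = 'PURGE_PROC_PLACEHOLDER'
AND    privilege = 'EXECUTE';
```

Keeping PURGE_JOB_USER distinct from any user ID defined in the WebLogic Server security realm satisfies the second recommendation: a compromised application credential then cannot be reused to authenticate to the database.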