| Agile Product Lifecycle Management Security Guide Release 9.3.6 E71146-01 |
|
 Previous |
 Next |
This chapter describes a recommended deployment topology for your PLM system and then provides recommendations on how to securely install and configure the Agile PLM system. This chapter is a pre-requisite to the following chapters that describe security configuration procedures.
When planning for a secure Agile PLM implementation, consider the following:
Which resources must be protected?
You must protect customer data, such as part numbers, file attachments, and so on
You must protect internal data, such as proprietary source code.
You must protect information in databases accessed by the Agile PLM server and the availability, performance, applications, and the integrity of the website.
You must protect system components from being disabled by external attacks or intentional system overloads.
Who are you protecting data from?
For example, you must protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, perhaps a system administrator can manage your system components without needing to access the system data.
What will happen if protections on a strategic resources fail?
In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.
The following figure depicts the general topology that is recommended for a secure Agile PLM installation.
The components included in the topology diagram are defined below:
Agile PLM Clients - Agile PLM includes three clients: a Web client, a Java client, and a Mobile client. The Web client is a thin HTML client that uses firewall-friendly protocols (HTTP/S). The Mobile client is a mobile application that also uses firewall-friendly protocols (HTTP/S). The Java client is a Java-based client that can use application server-specific protocols, such as T3 for Oracle WebLogic, to connect to the server.
(optional) Proxy - The hardware load balancer/proxy brokers client communications without compromising the security of your internal network. Clients communicate through the load balancer with the application server. There are no Agile software components running on the hardware load balancer. They are usually deployed in the Demilitarized Zone (DMZ) where it proxies requests from outside the corporate firewall to the application server in the Safe Zone.
Oracle recommends communication using HTTP over SSL (HTTPS) for the most secure deployment.
For standalone application server deployments, both the load-balancer and web server components are optional.
For deployments where the application server is clustered/redundant, a load-balancer is required and the web server is optional.
Refer to the documentation for your proxy server to determine the most secure configurations.
Agile PLM Application Server - The Agile Application Server is the center of the Agile system, the base for the PLM platform, where all common services and business logic reside for the entire solution. The Agile Application Server runs on industry-leading J2EE application servers. As the figure, "Recommended Deployment Topology" illustrates, all client servers and users connect to the Application Server either directly or indirectly. The application server connects to the components in a persistence layer where product content is stored.
Oracle recommends communication using HTTP over SSL (HTTPS) for the most secure deployment. See Chapter 4, "Performing a Secure Agile PLM Installation" for details on how to configure SSL for Agile PLM.
Agile PLM Database Server - The Agile Database Server persists or stores all product content and system settings. Agile's database server runs on Oracle 11g or 12c.
(optional) LDAP / Directory Server - In an effort to better support the industry standard authentication schemes, Agile PLM supports Lightweight Directory Access Protocol (LDAP)-based authentication. LDAP support enables you to integrate Agile with existing directory servers so user accounts can be managed in one place. Integrating with LDAP is optional. Users can be managed within Agile without a directory server. There are no Agile software components deployed on the Directory Server.
If using LDAP, Oracle recommends communication using LDAPS for the most secure deployment.
PLM File Manager / AutoVue Server - The Agile PLM File Manager component provides file upload/download functionality for the Agile PLM application. Oracle recommends communication using HTTP over SSL (HTTPS) for the most secure deployment. The AutoVue Server component provides file viewing functionality for the Agile PLM application.
PLM File Vault - The Agile PLM File Vault consists of one or more file system(s) on which the Agile PLM File Manager component stores and retrieves files uploaded/downloaded in the Agile PLM application.
|
Note: Oracle suggests that you create a similar Network Diagram to illustrate your deployment's specific network topology, including servers, routers, and firewalls This document may be requested by Oracle Support if a network connectivity issue arises. |
There are three installation flows that you can follow based on your security needs. They are as follows:
Agile installation without SSL or WSS enabled. See "Agile Setup Without SSL or WSS Enabled"
Agile installation with only SSL. See "Agile Setup With Only SSL Enabled".
Agile installation with SSL and WSS enabled. See "Agile Setup With SSL and WSS Enabled".
If you choose to not enable SSL or WSS, the basic process you need to follow is depicted in the following figure.
Refer to "Prerequisites Before Installing Agile PLM" and "Installing Agile PLM" for general guidance.
If you choose to enable only SSL, the basic process you need to follow is depicted in the following figure.
To set up only SSL, complete the general steps pictured above by referring to the sections mentioned below:
To complete steps A- E, refer to "Prerequisites Before Installing Agile PLM" and "Installing Agile PLM" for general guidance.
To complete steps 1-3, follow the relevant procedures in Chapter 4, "Performing a Secure Agile PLM Installation", especially "Securing Agile PLM Application Using SSL", "Configuring SSL on WebLogic Server" and "Configuring SSL in the Agile PLM Application Server".
To complete steps 4-5, follow the relevant procedures Chapter 4, "Performing a Secure Agile PLM Installation", especially "Securing Agile PLM File Manager(s) Using SSL".
To complete step 6, follow the relevant procedures Chapter 4, "Performing a Secure Agile PLM Installation", especially "Configuring SSL on AutoVue Server".
To complete the WSS and SSL configurations needed by developers, refer to Appendix B, "Checklist for Configuring Web Services Security" and Appendix B, "Checklist for Configuring Web Services Security".
If you choose to enable both SSL and WSS, the basic process you need to follow is depicted in the following figure.
To set up SSL and WSS, complete the general steps pictured above by referring to the sections mentioned below:
To complete steps A- E, refer to "Prerequisites Before Installing Agile PLM" and "Installing Agile PLM" for general guidance.
To complete steps 1-3, follow the relevant procedures in Chapter 4, "Performing a Secure Agile PLM Installation", especially "Securing Agile PLM Application Using SSL", "Configuring SSL on WebLogic Server" and "Configuring SSL in the Agile PLM Application Server".
To complete step 4, follow the relevant procedures described in Chapter 7, "Enabling Security for Web Services", especially "Configuring WSS Policy for Agile PLM Web Services".
To complete steps 5-6, follow the relevant procedures Chapter 4, "Performing a Secure Agile PLM Installation", especially "Securing Agile PLM File Manager(s) Using SSL".
To complete step 7, follow the relevant procedures described in Chapter 7, "Enabling Security for Web Services", especially "Configuring WSS Policy for File Manager Web Services".
To complete step 8, follow the relevant procedures Chapter 4, "Performing a Secure Agile PLM Installation", especially "Configuring SSL on AutoVue Server".
To complete the WSS and SSL configurations needed by developers, refer to Appendix B, "Checklist for Configuring Web Services Security" and Appendix B, "Checklist for Configuring Web Services Security".
Before installing Agile PLM, you must install and configure Oracle Database Server and Oracle Fusion Middleware. The following sections include recommendations on how to set these products up to ensure a secure configuration.
For the latest information on installing Oracle Database Server in a secure manner, refer to the Oracle Database Security Guide and make necessary configuration changes. For additional information, refer to the ”Installing Oracle Database Server” chapter in the Agile Product Lifecycle Management Database Installation Guide.
This section describes best practices to be followed while using the Agile PLM, database, and File Manager installers.
For the latest information on installing Agile PLM, including the supported operating systems, refer to the Agile Product Lifecycle Management Installation Guide. The following users are created out-of-box for the application to start correctly and function as expected: admin, agileuser, etluser, ifsuser, propogation, superadmin.
|
Note: These OOB users should not be dropped or modified without consulting Oracle Support, as this will affect the functionality of the product. |
For the latest information on installing the Agile PLM database schema, refer to the Agile Product Lifecycle Management Database Installation Guide.
Additionally, Oracle recommends that you:
Use strong passwords.
Deploy with SSL.
Use the Agile PLM system for authentication.
Use Oracle Platform Components such as OID or OAM for authentication requirements.
For the latest information on installing the File Manager, refer to the Agile Product Lifecycle Management Installation Guide.
To ensure a secure configuration, consider the following recommendations for optional components.
Refer to the AutoVue Security Guide for information about configuring AutoVue securely.
The following diagram depicts how Oracle recommends that every CAD Tool/Connector be set up for optimal security.
Oracle recommends that you configure the Engineering Collaboration Clients with HTTP(S). Refer to the ”Configuring Engineering Collaboration Clients for HTTPS” section in the MCAD Connectors for Agile Engineering Collaboration Administration Guide for information about configuring MCAD Connectors securely.
