2 Performing a Secure Fleet Management Installation

This chapter presents planning information for your Fleet Management installation.

For information about installing Fleet Management, see the Oracle Hospitality Cruise Fleet Management Installation Guide.

Pre-Installation Configuration

Before installing Fleet Management, perform the following tasks:

  • Apply critical security patches to the operating system.

  • Apply critical security patches to the database server application.

  • Create the required Oracle Database objects per the instructions in the Oracle Hospitality Cruise Fleet Management Installation Guide, available at Oracle Help Center.

  • Acquire a Secure Sockets Layer (SSL) certificate from a Certification Authority; you can apply it while running the FMS Web Applications Enablement scripts.

  • Install and configure the Fleet Management Security Server. See the Oracle Hospitality Cruise Fleet Management Security Server section in the Installation Guide for installation and configuration instructions.

Fleet Management Installation

You can perform a custom installation or a typical installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, remove or disable features that you do not need after the installation.

The installation requires the user running the installation to have administrator privileges. No other users have the required access to complete the installation.

When creating a database, enter a complex password that adheres to the database hardening guides for all users.

The following Desktop applications are required for proper operation of the system:

  • Fleet Management Dashboard

  • Report Auto Sequencer

  • Workflow

The following Web applications/Web services are required for proper operation of the system:

  • Emergency Response System (Mobile App)

  • Gangway Activity

  • OHCFMSDWS (Web Service)

  • OHCUCIDWS (Web Service)

The following Interfaces are required for proper operation of the system:

  • Fleet Management Sender

  • Fleet Management Receiver

  • Corporate Data Transfer Interface (CDTI)

  • Fleet Management Encryption Manager

  • Database Password Schema Manager

The following add-ons are installed if required:

  • Reservation Online

  • Corporate Access Module

Post-Installation Configuration

This section explains additional security configuration steps to complete after Fleet Management is installed.

Operating System

Turn On Data Execution Prevention (DEP)

Turn on DEP if required. Refer to the Microsoft product documentation library at https://technet.microsoft.com/en-us/ for instructions.

Turn Off Auto Play

Turn off Auto play if required. Refer to the Microsoft product documentation library at https://technet.microsoft.com/en-us/ for instructions.

Turn Off Remote Assistance

Turn off Remote Assistance if required. Refer to the Microsoft product documentation library at https://technet.microsoft.com/en-us/ for instructions.

Application

Software Patches

If available, apply the latest Fleet Management patches available on My Oracle Support. Follow the deployment instructions included with the patch.

Security Certificates

A Secure Sockets Layer (SSL) certificate must be configured if required, either on the load balancer or in the Internet Information Server (IIS) web server, for communication with the web services.

Secure Sockets Layer (SSL) usage on the Fleet Management Security Server is mandatory. A self-signed certificate should only be used if the customer fails to provide one. See the Oracle Hospitality Cruise Fleet Management Installation Guide for information about secure certificate installation.

Password Overview

The configuration of Fleet Management product passwords is performed in the Fleet Management Administration module. Administrators should configure a strong password policy after the initial installation of the application and review the policy periodically. Password verification functions are used to ensure that a user's password meets the minimum requirements for complexity. Check and ensure that the PASSWORD_VERIFY_FUNCTION parameter for the user profile created in the Database is not NULL.

Maintaining Strong Passwords

Ensure that passwords adhere to the following strength requirements:

  1. The password must be at least 8 characters long.

  2. The password must contain letters and numbers.

  3. The password must not equal any of the last 3 passwords used.
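The following Oracle SQL is an added example, not part of this guide or of the Fleet Management product, showing how the three strength rules above and the PASSWORD_VERIFY_FUNCTION check from the Password Overview section map onto an Oracle Database profile. The function name FMS_VERIFY_PASSWORD, the profile name FMS_USER_PROFILE and the user name FMS_APP_USER are assumed. Rules 1 and 2 are enforced inside the verification function; rule 3 (password history) cannot be checked there, because a verify function only ever sees the current and the new password, so it is enforced by the profile's reuse parameters instead.

```sql
-- Added example (not from the Oracle guide): password verification function and
-- profile for Fleet Management database users. Names are assumed. Run as SYS,
-- because Oracle requires password verify functions to be owned by SYS.

CREATE OR REPLACE FUNCTION fms_verify_password (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2)
RETURN BOOLEAN
IS
BEGIN
    -- Rule 1: at least 8 characters long
    IF LENGTH(password) < 8 THEN
        raise_application_error(-20001, 'Password must be at least 8 characters long');
    END IF;

    -- Rule 2: must contain both letters and numbers
    IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
        raise_application_error(-20002, 'Password must contain letters and numbers');
    END IF;

    -- Reject reusing the current password outright; the "last 3 passwords"
    -- history is enforced by the profile below, not here.
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20003, 'New password must differ from the current password');
    END IF;

    RETURN TRUE;
END;
/

-- Rule 3: password history. Both reuse parameters must be integers for the
-- history limit to take effect. With PASSWORD_REUSE_MAX 3, a password cannot be
-- reused until it has been changed 3 more times (and PASSWORD_REUSE_TIME days have passed).
CREATE PROFILE fms_user_profile LIMIT
    PASSWORD_VERIFY_FUNCTION fms_verify_password
    PASSWORD_REUSE_MAX       3
    PASSWORD_REUSE_TIME      1;

-- Assign the profile to a Fleet Management database user (user name assumed).
ALTER USER fms_app_user PROFILE fms_user_profile;

-- The check called for in "Password Overview": the limit must not read NULL.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'PASSWORD_VERIFY_FUNCTION'
   AND profile = 'FMS_USER_PROFILE';
```

The final query is the verification step: DBA_PROFILES reports the literal string NULL for a profile that has no verify function attached, so the expected result for a hardened profile is the function name.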

Change Default Passwords

Fleet Management is installed with a default administrative user and password. Change the default administrative user password in Fleet Management, following the above guidelines, after logging in for the first time.

Password Lifetime

Password expiration is used to ensure that users change their passwords on a regular basis. It also provides a mechanism to automatically disable temporary accounts. Set the PASSWORD_LIFE_TIME parameter for the user profile in the Database.

Configure User Accounts and Privileges

When setting up users for the Fleet Management application, ensure that they are assigned the minimum privilege level required to perform their job function. Set INACTIVE_ACCOUNT_TIME in the profiles assigned to users to automatically lock accounts that have not logged in to the database instance in a specified number of days. It is also recommended to audit infrequently used accounts for unauthorized activities.

Concurrent Sessions and Constraints

The database user has unlimited concurrent connections by default, which may lead to memory resource exhaustion or enable Denial-of-Service attacks. Set SESSIONS_PER_USER in the user's profile to limit this. We also recommend checking for disabled constraints and determining, where applicable, whether they should remain disabled, be deleted, or be enabled, as disabled constraints are a potential cause for concern.
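The following Oracle SQL is an added example, not part of this guide or of the Fleet Management product, gathering the profile limits named in the Password Lifetime, Configure User Accounts and Privileges, and Concurrent Sessions and Constraints sections into one ALTER PROFILE statement, followed by the review queries those sections call for. The profile name FMS_USER_PROFILE and the numeric limits are assumed values to be replaced by your own hardening standard.

```sql
-- Added example (not from the Oracle guide): remaining profile limits plus the
-- audit queries for inactive accounts and disabled constraints. Profile name and
-- the numeric values are assumed.

ALTER PROFILE fms_user_profile LIMIT
    PASSWORD_LIFE_TIME     90   -- force a password change every 90 days
    PASSWORD_GRACE_TIME    7    -- warn for 7 days before the password expires
    INACTIVE_ACCOUNT_TIME  30   -- lock accounts with no login for 30 days (Oracle minimum is 15)
    SESSIONS_PER_USER      10;  -- cap concurrent connections per user

-- Confirm what the profile now enforces.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'FMS_USER_PROFILE'
   AND resource_name IN ('PASSWORD_LIFE_TIME', 'INACTIVE_ACCOUNT_TIME', 'SESSIONS_PER_USER');

-- Audit infrequently used accounts: open, non-Oracle-maintained accounts with no
-- login in the last 90 days (LAST_LOGIN and ORACLE_MAINTAINED exist from 12c onward).
SELECT username, account_status, last_login
  FROM dba_users
 WHERE oracle_maintained = 'N'
   AND account_status = 'OPEN'
   AND (last_login IS NULL OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
 ORDER BY last_login NULLS FIRST;

-- List disabled constraints so each can be reviewed and left disabled, dropped, or enabled.
SELECT owner, table_name, constraint_name, constraint_type, status
  FROM dba_constraints
 WHERE status = 'DISABLED'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, constraint_name;
```

Accounts returned by the second query are candidates for locking or removal after checking with their owners; constraints returned by the third query should be traced to the change that disabled them before any are re-enabled, since enabling a constraint fails if existing rows violate it.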

Encryption Keys

Fleet Management maintains a separate encryption key for each database user in a table of the FidelioBK database user and stores the keys encrypted using a Key Encryption Key (KEK). Each Fleet Management client needs to connect to the FidelioBK DB user to fetch passwords and encryption keys for the other database users.

Microsoft Message Queuing (MSMQ)

For better security, use MSMQ with Active Directory integration. With this enabled, MSMQ not only encrypts messages transferred between FMS Sender and FMS Receiver but also authenticates them, verifying that they come from a trusted source. MSMQ uses internal certificates stored in the Active Directory Domain Controller for encryption and authentication. Internal certificates can be rotated as required through the MSMQ console. Note that MSMQ integration with Active Directory is possible on the client machines where FMS Sender and FMS Receiver are installed only if they are logged in using a domain user with the required privileges and public queues are used to transport the messages.