Security Administration Guide

Previous Next JavaScript must be enabled to correctly display this content

Title and Copyright Information
Preface
1 Introduction to EnterpriseOne Security
- Understanding this Guide
- Introduction to EnterpriseOne Security
- Concepts and Terminology
2 General Principles of Security
- General Principles of Security
- Apply Latest Patch
- Apply Oracle Critical Patch Update
- Monitor System Activity
- Configure Accounts Securely
- Follow the Principle of Least Privilege
- Enable Minimum Level of Logging
- Set Up Change Management Process
3 Pre-Installation Security Considerations
- Recommendations for Deploying and Configuring JD Edwards EnterpriseOne in a Secure Environment
- EnterpriseOne Upgrade Security Considerations
  - Lock Database User Accounts for Previous Releases
- Network Infrastructure Security
- Set Up Firewall and DMZ
- Additional Network Infrastructure Security
  - Enable Predefined JDENET Ports in JDE.INI
4 Securing EnterpriseOne System Components
- Overview of JD Edwards EnterpriseOne System Components
- Database Security
  - Revoke PUBLIC Access to Installed EnterpriseOne Database Tables
  - Limit Access to Query Tools
- File System Security
- Encryption of Sensitive Information in Configuration Files
- Deployment Server Security
- JD Edwards EnterpriseOne Enterprise Server Security
- JD Edwards EnterpriseOne HTML Server Security
- Portal Server Security
  - Collaborative Portal
  - Oracle WebCenter Spaces
- Transaction Server Security
  - Secure Configuration Files
  - Secure Log Files
- Business Services Server Security
  - Configuring the Business Services Server to User Secure File Transfer Protocol (SFTP) for Media Objects
  - Secure Log Files
- Oracle BI Publisher Server Security
  - Additional BI Publisher Server Security Considerations
- Application Interface Services (AIS) Server and AIS Client Security
- Connectors Security
  - Secure Configuration Files
  - Secure Log Files
- Desktop Security
- Framebusting
5 Post-Installation Security Configurations
- Change Default EnterpriseOne User Passwords
- Change Default Database Installation Passwords
- Change Default EnterpriseOne System User Passwords for the Database
- Enabling the Long DB Proxy Password (Tools Release 9.2.4.3)
- Enabling the Short DB Proxy Password (Tools Release 9.2.4.3)
- Set Up an Independent Security Environment
- Applying Security to JD Edwards EnterpriseOne Tools Administration Applications
- Set Up Object Management Workbench (OMW) Security
- Set Up User Sign-In Policies
- Enable Auditing of Security Operation
- Security Considerations When Using LDAP to Manage Users
  - Assign Role with Least Privilege for _LDAPDEFLT User
- Set Up Single Sign-on Node
- Support of Longer User Names and Passwords
- Implement Security for Server Manager After an EnterpriseOne Tools 9.2 Upgrade
- Enable Access to EnterpriseOne User Defined Object Security and Administration Applications
6 Security for Custom Map Viewers
- Understanding Security for Custom Map Viewers
7 Managing Data Source Security
- Understanding Data Source Security for EnterpriseOne Tables
  - How Data Source Security is Applied in an Install Versus Upgrade
  - Before Performing Table Conversions
- Adding, Reviewing, and Modifying Data Source Security
8 Encrypting Sensitive Data in EnterpriseOne
- Understanding the Encryption of Sensitive Data in EnterpriseOne
  - Sensitive Data in INI Files Managed by Server Manager
- Understanding the Generation of Site Keys for Use with AES Encryption
- Prerequisites
- Setting Up Site Keys on the Security Server
- Recovering Site Key Values
- Encrypting Sensitive INI File Data Using the Deployment Server
  - Encrypting Sensitive INI File Data for the Deployment Server and EnterpriseOne Windows Client Machines
- Encrypting Database Proxy User Passwords (Release 9.2.1)
  - Encrypting Database Proxy User Password Considerations
- Commands for Encrypting Passwords Used by RUNUBE and RUNUBEXML
- Enhanced Scheduler Password Encryption (Release 9.2.7.3)
9 Provisioning User and Role Profiles
- Understanding User and Role Profiles
  - How Using Role Profiles Makes Setting Up User Profiles Easier
  - Tables Used by the User Profile Revisions Application
- Adding New Users
  - Adding an Individual User
  - Adding Multiple Users
- Setting Up User Profiles
- Setting Up Roles
10 Setting Up Long User IDs in EnterpriseOne
- Understanding the Long User Feature
  - Example: Comparison of P0092 and P0092L
  - EnterpriseOne Systems and Integrations that Support Long User IDs
    - Exceptions Where Long User IDs Are Not Supported
    - Considerations for an EnterpriseOne Multiple Foundation Configuration
- Enabling the Long User Feature
- Setting Up Long User IDs
  - Associating Short User IDs to New Long User IDs in Bulk
- Managing User Profiles With Long User IDs
- Configuring Collaborative Portal to Support "Limited" Long User IDs
11 Understanding Sign-in Security
- Overview
- Security Table Access
- Password Encryption
- Sign-In Security Setup
- Process Flow for Standard EnterpriseOne Windows Client Sign-in Security
  - ShowUnifiedLogon Setting
- Sign-in Security for Web Users
- Setting Processing Options for P98OWSEC
  - Default
  - Password
12 Setting Up User Sign-in Security
- Understanding User Sign-in Security
- Creating and Revising User Sign-in Security
- Enabling Self-Service on System Password Reset (Release 9.2.7)
- Reviewing User Sign-in Security History
- Tracking User Activity (9.2 Update 6)
  - Forms Used to Track User Activity
  - Tracking User Activity
- Managing Data Sources for User Sign-in Security
- Enabling and Synchronizing the jde.ini Sign-in Security Settings
- Managing Unified Logon
13 Enabling Long Passwords in EnterpriseOne
- Understanding the Long Password Feature
  - Understanding Password Policy Rules When the Long Password Feature is Enabled
  - EnterpriseOne Systems and Integrations that Support Long Passwords
    - Considerations for an EnterpriseOne Multiple Foundation Configuration
- Prerequisites for a Multiple Foundation Setup
  - Scenario 1
  - Scenario 2
- Enabling the Long Password Feature
- Changing Long Passwords
- Modifying Password Rules for Long Passwords
14 Enabling LDAP Support in JD Edwards EnterpriseOne
- Understanding LDAP Support in JD Edwards EnterpriseOne
- Configuring LDAP Support in JD Edwards EnterpriseOne
- Modifying the LDAP Default User Profile Settings
- Using LDAP Bulk Synchronization (R9200040)
  - Understanding LDAP Batch Synchronization
    - Example: LDAP Bulk Synchronization (R9200040)
  - Running the LDAP Bulk Synchronization Batch Process (R9200040)
- Using LDAP Over SSL/TLS (Release 9.2.1)
- Exporting User Data to the LDAP Server
- Setting Up Microsoft Active Directory Server
15 Setting Up JD Edwards EnterpriseOne Single Sign-On
- JD Edwards EnterpriseOne Single Sign-On Overview
- Understanding the Default Settings for the Single Sign-On Node Configuration
- Setting Up a Node Configuration
- Configuring EnterpriseOne HTML Server for JSON Web Token (JWT) (Release 9.2.3.2)
- Configuring EnterpriseOne HTML Server for JSON Web Token (JWT) (Release 9.2.0.5)
- Setting Up a Token Lifetime Configuration Record
  - Adding a Token Lifetime Configuration Record
  - Deleting a Token Lifetime Configuration Record
- Setting Up a Trusted Node Configuration
  - Adding a Trusted Node Configuration
  - Deleting a Trusted Node Configuration
- Configuring Single Sign-On for a Pre-EnterpriseOne 8.11 Release
  - Modifying jde.ini file Node Settings for Single Sign-On
  - Working with Sample jde.ini Node Settings for Single Sign-On
    - Example 1:
    - Example 2:
- Configuring Single Sign-On Without a Security Server
16 Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Management 11g Release 2
- Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Management
- Prerequisites
- Installing Oracle Identity and Access Management
- Setting Up OAM to Support an EnterpriseOne Single Sign-on Configuration
- Setting Up EnterpriseOne for Single Sign-On Integration with OAM
- Setting Up OAM SSO Validation for JD Edwards EnterpriseOne (9.2.6)
- Configuring SSO Support for EnterpriseOne AIS Server Clients
- Adding JD Edwards EnterpriseOne HTML Server User to the OID
- Creating Identity Store in OAM Console
- Testing the Single Sign-On Configuration
- Configuring Federation SSO in Content and Experience Cloud (Release 9.2.2 - Release 9.2.8)
17 Setting Up JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Management 12c
- Understanding JD Edwards EnterpriseOne Single Sign-On Through Oracle Access Management 12c
- Prerequisites
- Installing Oracle Identity and Access Management
- Setting Up OAM to Support an EnterpriseOne Single Sign-on Configuration
- Setting Up EnterpriseOne for Single Sign-On Integration with OAM
- Configuring SSO Support for EnterpriseOne AIS Server Clients
- Adding JD Edwards EnterpriseOne HTML Server User to the OID
- Creating Identity Store in OAM Console
- Testing the Sign-On Configuration
- Configuring Federation SSO in Content and Experience Cloud (Release 9.2.2 Update)
- Detaching Credential Collector Configuration
18 Using Oracle Access Manager to Enable Support for Windows Native Authentication with EnterpriseOne
- Using Oracle Access Manager to Enable Support for Windows Native Authentication with EnterpriseOne
- Understanding Windows Native Authentication Support in OAM
- Before You Begin
- Performing Prerequisite Integration Tasks
- Configuring OAM to Use Windows Native Authentication
19 Configuring Long User ID and Password Support in a Single Sign-On Configuration with Oracle Access Manager
- Understanding Long User ID and Password Support for EnterpriseOne through OAM
- Prerequisites
- Configuring LDAP for Longer User IDs
- Creating a User Mapping in EnterpriseOne
- Configuring OAM for Long User IDs
- Validating the Long ID Configuration
20 Configuring SSL/TLS for JDENET
- Understanding SSL/TLS for JDENET
- Installing SSL Programs on IBM System i
- Generating an SSL/TLS Certificate and Key File
- Configuring the Enterprise Server JDE.INI File
  - Additional Setup for TLS Support (Release 9.2.1)
  - JDENET SSL-Enable Server Authentication (Release 9.2.1)
    - Creating Certificate Store (Location Specified by sslCAFile)
- Enabling TLS v1 for Enterprise Server Prior to 9.2.5
- Configuring the Deployment Server JDE.INI File (Release 9.2.5.1)
  - JDENET SSL-Enable Server Authentication (Release 9.2.5.1)
    - Creating Certificate Store (Location Specified by sslCAFile)
21 Configuring Transport Layer Security (TLS) for the Database
- Enabling TLS on an Oracle Database
- Enabling TLS on a Microsoft SQL Server Database
- Enabling TLS on an IBM DB2 Database
22 Configuring SSL for EnterpriseOne Servers
- Understanding SSL for EnterpriseOne Servers
  - Considerations for On-Premise and One-Click Provisioning Environments
- Configuring SSL for EnterpriseOne Servers on Oracle WebLogic Server
- Configuring SSL for EnterpriseOne Servers on IBM WebSphere Application Server
- Configuring SSL Between the EnterpriseOne Enterprise Server and AIS Server
- Exchanging Certificates Between EnterpriseOne Servers
- Configuring SSL for Server Manager Console and Server Manager Agents
  - Hostname Mismatch Errors
- Disabling Weak Cipher Suites
23 Working with Transport Layer Security (Release 9.2.7.3)
- Overview
- Oracle
- Microsoft SQL Server
- IBM DB2 UDB
- Enabling TLS on the Development Client
24 Understanding Authorization Security
- JD Edwards EnterpriseOne Authorization Model
- Users, Roles, and *PUBLIC
- Object-Level Security
  - Object Level Security Types
- Authorization Security for Business Units
- Authorization Security for Notifications
- Cached Security Information
  - Clearing the Cache on a Workstation Client
  - Clearing the Cache on a Web Client Using Server Manager
25 Setting Up Authorization Security with Security Workbench
- Understanding Security Workbench
  - Role-Based Authorization
  - Enforce Security Settings Immediately
- Managing Exclusive/Inclusive Row Security
  - Understanding Exclusive/Inclusive Row Security
  - Exclusive Row Security
  - Inclusive Row Security
    - Activating Inclusive Row Security
- Creating Security Overrides
  - Understanding Security Overrides
  - Adding Security Overrides
- Managing Application Security
  - Understanding Application Security
  - Understanding Application Security for Mobile Applications
  - Reviewing the Current Application Security Settings for a User or Role
  - Adding Security to an Application
  - Securing a User or Role from All JD Edwards EnterpriseOne Objects
  - Removing Security from an Application
- Managing Action Security
  - Understanding Action Security
  - Reviewing the Current Action Security Settings
  - Adding Action Security
  - Removing Action Security
- Managing Row Security
  - Understanding Row Security
  - Prerequisite
  - Setting Up Data Dictionary Spec Files
  - Adding Row Security
  - Removing Row Security
- Managing Column Security
  - Understanding Column Security
  - Adding Column Security
  - Removing Column Security
- Managing Processing Option and Data Selection Security
  - Understanding Processing Option Security
  - Understanding Data Selection Security
  - Reviewing the Current Processing Option and Data Selection Security Settings
  - Adding Security to Processing Options and Data Selection
  - Removing Security from Processing Options and Data Selection
  - Using R009505 to Update Data Selection Security
- Managing Tab Security
  - Understanding Tab Security
  - Adding Tab Security
  - Removing Tab Security
- Managing Hyper Exit Security
  - Adding Hyper Exit Security
  - Removing Hyper Exit Security
- Managing Exclusive Application Security
  - Understanding Exclusive Application Security
  - Adding Exclusive Application Security
  - Removing Exclusive Application Access
- Managing External Calls Security
  - Understanding External Call Security
  - Adding External Call Security
  - Removing External Call Security
- Managing Miscellaneous Security
  - Understanding Read/Write Reports Security
  - Managing Miscellaneous Security Features
- Managing Push Button, Link, and Image Security
  - Understanding Push Button, Link, and Image Security
    - Push Button, Link, and Image Security on Subforms
  - Adding Push Button, Link, and Image Security
  - Removing Push Button, Link, and Image Security
- Managing Text Block Control and Chart Control Security
  - Understanding Text Block Control and Chart Control Security
  - Reviewing Current Text Block Control and Chart Control Security Settings
  - Adding Text Block Control and Chart Control Security
  - Removing Text Block Control and Chart Control Security
- Managing Media Object Security
  - Understanding Media Object Security
  - Reviewing the Media Object Security Settings
  - Adding Media Object Security For Applications
  - Adding Media Object Security For Services (9.2 Update 6)
  - Removing Media Object Security
- Managing Application Query Security
  - Understanding Application Query Security
  - Setting Up Application Query Security for Applications
  - Setting Up DataBrowser Query Security
  - Selecting Error or Warning Messages
  - Finding Existing Query Security Records
  - Editing Existing Query Security Records
  - Deleting Query Security Records
  - Enabling or Disabling Query Security Records
  - Excluding Users
  - Configuring Error Messages Using Data Dictionary Items
  - Configured Fields Option
- Managing Data Browser Security
  - Understanding Data Browser Security
  - Adding Data Browser Security
  - Adding Data Browser Security through the UDO View Security Form (Alternative Method)
  - Removing Data Browser Security
- Managing Published Business Services Security
  - Understanding Published Business Services Security
  - Reviewing the Current Published Business Services Security Records
  - Authorizing Access to Published Business Services
  - Adding Multiple Published Business Services Security Records at a Time
  - Deleting Published Business Services Security
- Copying Security for a User or a Role
  - Understanding How to Copy Security for a User or a Role
  - Copying All Security Records for a User or a Role
  - Copying a Single Security Record for a User or a Role
- Reviewing and Deleting Security Records on the Work With User/Role Security Form
  - Understanding How to Review Security Records
  - Reviewing Security on the Work With User/Role Security Form
  - Deleting Security on the Work With User/Role Security Form
26 Managing Security for User Defined Objects
- Understanding Security for User Defined Objects
  - Understanding the Process for Sharing UDOs
- Example of a UDO Security Implementation
- Prerequisites
  - Define Allowed Actions for UDO Types
  - Enable Access to UDO Security and Administration Applications
- Managing UDO Feature Security
- Managing UDO Action Security
- Managing UDO View Security
- Managing Content Security for Composite Application Framework
- Managing Content Security for Composite Page (Release 9.2.0.2)
27 Setting Up JD Edwards Solution Explorer Security
- Understanding JD Edwards Solution Explorer Security
- Configuring JD Edwards Solution Explorer Security
28 Setting Up Address Book Data Security
- Understanding Address Book Data Security
  - Additional Level of Private Data Security
- Prerequisites
- Setting Up Permission List Definitions
- Setting Up Permission List Relationships
- Enabling or Disabling Secured Private Data from Displaying in Other Applications and Output
29 Setting Up Business Unit Security
- Understanding Business Unit Security
  - UDC Sharing
  - Transaction Security
- Working with UDC Sharing
- Working with Transaction Security
30 Upload and Download Security
- Understanding Upload and Download Security
- Configuring Upload Security
  - System-Defined Inclusion List
  - User-Defined Inclusion List
    - Additional Rules and Restrictions for Uploading Files
- Understanding Download Security
31 Allowed Domains and Attributes for Content Security Policy
- Overview
- Creating a CSP Allowed Directive and Scheme Soft Coding Record
- Disabling Content Security Policy in JD Edwards Application
32 Configuring OMW User Roles and Allowed Actions
- Understanding User Roles and Allowed Actions
- Setting Up User Roles
- Setting Up Allowed User Actions
33 Configuring EnterpriseOne Security Auditing
- Overview of EnterpriseOne Auditing Tools
- Running a Security Analyzer Report
- Running Security Workbench Records Reports
34 Appendix A - DB Password Encryption
- Understanding the Problem
- Preparing for Installation
  - Special Instructions for Multiple Enterprise Servers Sharing the Same F98OWSEC Table
    - Creating a Separate Security Server Data Source
- Updating JD Edwards EnterpriseOne
- Reviewing the Installation
- Rolling Back the Software
- Copyright
35 Appendix B - Creating a JD Edwards EnterpriseOne LDAP Configuration for OID
- Understanding JD Edwards EnterpriseOne LDAP Configuration for OID
- Adding OID to the List of LDAP Server Types
- Creating an LDAP Configuration for OID
- Configuring the LDAP Server Settings for OID
- Configuring LDAP to JD Edwards EnterpriseOne Enterprise Server Mappings for OID
36 Appendix C - JD Edwards EnterpriseOne Cookies
- Web Runtime Cookies
37 Appendix D - Default Database User Accounts
38 Glossary
- access provisioning
- add mode
- authentication
- authorization
- data encryption
- data masking
- data privacy
- developer security
- object-level security
- power form
- *PUBLIC
- published business service
- secure by default
- Secure Socket Layer (SSL)
- security overrides
- security workbench
- serialize
- subform
- terminal server