14 Security Best Practices

Ensure that you manage data that you download to Excel workbooks securely.

Security Guidelines

Follow these best practices:
  • Update the Oracle Visual Builder Add-in for Excel to the latest version available.
  • Restrict access to Excel documents containing sensitive data.
  • Consider adding passwords to workbooks to further reduce exposure.
  • Always use HTTPS endpoints instead of HTTP.
  • Do not use basic authentication.
  • Ensure that the latest Windows updates and security patches have been applied to the computers where you install the Oracle Visual Builder Add-in for Excel.
  • Turn off older obsolete security protocols such as SSL.
  • Consider using Excel's Inspect Workbook feature to review and remove your personal information from the workbook before you distribute it. Do this for unpublished workbooks. You access the Inspect Workbook feature from Excel's File menu. In the Document Inspector, where you choose the content to inspect and potentially remove, clear the checkbox beside the Hidden Worksheets entry: you must not remove hidden worksheets from the Excel workbook that you distribute, because the Oracle Visual Builder Add-in uses hidden worksheets to integrate the Excel workbook with the REST service.

Basic Authentication

The add-in supports basic authentication. When using REST service endpoints protected by basic authentication, end users are automatically prompted for credentials when the add-in connects to the endpoint. Over plain HTTP, basic authentication is not secure because the credentials are sent unencrypted. Basic authentication should only be used with HTTPS, and preferably only in non-production environments.

JSON Web Token

In addition to basic authentication, the add-in also supports authentication for REST services exposed by Fusion applications that use the JSON Web Token (JWT) relay servlet. No configuration is required on your part. The add-in automatically detects whether the Fusion application's REST service has the /anticsrf and /tokenrelay endpoints configured. The add-in then displays a popup browser window and navigates to the hosting web application's login page. When the end user provides valid credentials, the popup browser window automatically closes and access to the REST services can proceed, using the token obtained during the login sequence.

Use of the JSON Web Token (JWT) relay servlet is only available for Fusion applications, as the path to the token relay service that the add-in uses is specific to Fusion applications.

Note:

In this release of the add-in, using self-signed certificates with the JWT relay servlet will not work. A valid certificate issued from a well-known root certificate authority should work fine with the JWT relay servlet.
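The endpoint checks implied by the guidelines above (HTTPS only, no basic authentication, no obsolete protocols such as SSL, and a certificate from a trusted CA so the JWT relay login does not fail) can be run as a pre-flight check before a REST endpoint is wired into a workbook. The following is an added example and not code from the Oracle Visual Builder Add-in; the function names and the sample endpoint URLs are constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlparse


def check_endpoint(url: str, auth_scheme: str = "none") -> list:
    """Return the policy violations for one endpoint URL; an empty list means compliant.

    auth_scheme is the authentication the endpoint is protected with, e.g. "basic" or "jwt".
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("endpoint must use HTTPS, not %r" % parsed.scheme)
    if parsed.username or parsed.password:
        problems.append("credentials must not be embedded in the URL")
    if auth_scheme.lower() == "basic":
        if parsed.scheme != "https":
            problems.append("basic authentication over HTTP sends credentials unencrypted")
        else:
            problems.append("basic authentication in use; restrict to non-production environments")
    return problems


def strict_tls_context() -> ssl.SSLContext:
    """Client context that refuses SSL 2/3 and TLS 1.0/1.1 and requires a CA-trusted certificate."""
    ctx = ssl.create_default_context()  # loads the system trust store, verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS session to host:port with the strict context and report the outcome (needs network)."""
    ctx = strict_tls_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok: negotiated %s" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed or private-CA certificates land here; the JWT relay login would fail too.
        return "certificate rejected (self-signed or untrusted CA): %s" % exc.reason
    except ssl.SSLError as exc:
        # Typically the server only offers protocols below TLS 1.2.
        return "handshake failed: %s" % exc.reason
    except OSError as exc:
        return "connection failed: %s" % exc


if __name__ == "__main__":
    # Constructed sample endpoints, not real Fusion hosts.
    for url, scheme in [("http://fusion.example.com/tokenrelay", "basic"),
                        ("https://fusion.example.com/tokenrelay", "jwt")]:
        print(url, check_endpoint(url, scheme) or "compliant")
```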