Additional Configuration

General/Miscellaneous

Controlling Application Stack Traces

The ability to hide stack traces from end users is controlled via a property (glog.security.stackTrace.hide=[true|false]) and the "StackTrace – View" Access Control List (ACL). The property is already set correctly by default (true). Also by default, the "StackTrace – View" ACL is not a child Access Control List of any staged parent Access Control List such as "ADMIN" or "DEFAULT". This means that no user or user role, even one that has the top-level "ADMIN" or "DEFAULT" ACL, will have the ability to view full stack traces. If you do want to allow stack traces to be viewed, grant the "StackTrace – View" ACL to the individual user or user role.

  • glog.security.stackTrace.hide
    • defaults to "true"
    • determines whether or not stack traces are hidden
    • it is recommended not to change
  • ACL: "StackTrace – View"
    • Provides additional configurability for individual users and user roles when glog.security.stackTrace.hide is true.
    • Is not a child Access Control List of any Access Control List like the ADMIN and DEFAULT Access Control Lists by default. Any user or user role with either of these top level Access Control Lists will not see a stack trace.
Note: The glog.security.stackTrace.hide property and "StackTrace – View" Access Control List control some Stack Traces for integration related activities.
Note: The "StackTrace – View" Access Control List is not granted to any user or user role by default.
Note: After a UI error, the "StackTrace" UI folder tab is not visible if "StackTrace – View" Access Control List is not granted. Also, the default label is "Details" instead of "Stack Trace".

SSL/TLS Certificates

See the Inbound Integration and SSL Certificates and Outbound Integration and SSL Certificates sections of the Oracle Transportation and Global Trade Management Cloud Administration Guide for required information.

Browser Cookies Used in Oracle Transportation and Global Trade Management Cloud

The following browser cookies are used in the Oracle Transportation Management service. There are only browser cookies used for the Oracle Transportation and Global Trade Management Cloud Service.

Table 2‑2: Browser Cookies Used in Oracle Transportation and Global Trade Management Cloud

| Cookie Name | Personally Identifiable Information | Retention Policy | Effect of Refusal | Usage |
|---|---|---|---|---|
| JSESSIONID | There is no personally identifiable information collected or stored in this cookie. | The cookie only lasts as long as the browser is open; once the browser closes the cookie is discarded. | Oracle Transportation Management will not work without this. | See notes below. |

JSESSIONID

Oracle Fusion Cloud Transportation Management and Global Trade Management does not create any HTTP cookies for use in the service; however, the web container creates and sets a cookie for HTTP session tracking. By default this cookie is called JSESSIONID and its value is set to random characters. Since HTTP is a stateless protocol, the web container uses this cookie to maintain session state between requests.

Trusted Hosts

The service can be configured with custom URLs so that users have links to websites outside of the service. An example would be hyperlinks to a custom application or to a package tracking page for a parcel carrier. However, having end users click on hyperlinks to external websites presents a potential security threat. Therefore, the service has the concept of “Trusted Hosts”. These hosts are defined via a multiple value property. If a configuration user enters a URL that is not defined in such a property, the service will not display the URL as a link.

  • Trusted Hosts can still be specified in glog.web.security.trustedHost for backward compatibility. However, you should transition to glog.web.security.url.<protocol>.trustedDomain.
  • Use glog.web.security.url.<protocol>.trustedDomain, where <protocol> is either http or https and the value of the property is the host name or IP address of the trusted URL.
  • An example for this property would be: glog.web.security.url.https.trustedDomain=http://www.oracle.com
  • This property is a multiple value property.

glog.web.security.url.https.trustedDomain=http://www.oracle.com

  • A reserved domain, <all>, is used to trust all domains. This is actually the default setting, which means everything is trusted by default for the http and https protocols. It is strongly recommended to change the default setting.

glog.web.security.url.http.trustedDomain=<all>

glog.web.security.url.https.trustedDomain=<all>

In certain instances, such as invalid redirect URLs, Oracle Transportation and Global Trade Management Cloud will throw a security exception.

Trusted URLs are used in:

  • Text fields where the “displayAsLink” attribute is set to true.
  • Remarks where the remark qualifier is set to “URL”.
  • Protecting the URLs Oracle Transportation and Global Trade Management Cloud redirects to after a user logs in.
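
An audit of the settings described under Controlling Application Stack Traces and Trusted Hosts, as an added example that is not Oracle's code. It assumes the properties have been exported as key=value lines with # comments, that an unset trustedDomain property means the <all> default, and that a host is trusted only on an exact, case-insensitive host name match; the service's own matching rules are not described on this page.

```python
from urllib.parse import urlsplit

ALL = "<all>"
HIDE = "glog.security.stackTrace.hide"
LEGACY = "glog.web.security.trustedHost"
DOMAIN = "glog.web.security.url.{}.trustedDomain"

# Constructed sample export, not taken from a real instance.
SAMPLE = """\
glog.security.stackTrace.hide=true
glog.web.security.trustedHost=tracking.example.com
glog.web.security.url.http.trustedDomain=<all>
glog.web.security.url.https.trustedDomain=www.oracle.com
glog.web.security.url.https.trustedDomain=tracking.example.com
"""

def parse(text):
    """Collect key=value lines; a repeated key accumulates (multiple value property)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props.setdefault(key.strip(), []).append(value.strip())
    return props

def audit(props):
    """Return findings for settings the page recommends against."""
    findings = []
    if any(v.lower() != "true" for v in props.get(HIDE, ["true"])):
        findings.append(f"{HIDE} is not true: stack traces are not hidden")
    if LEGACY in props:
        findings.append(f"{LEGACY} is kept for backward compatibility only")
    for proto in ("http", "https"):
        # Assumption: an unset property falls back to the <all> default.
        if ALL in props.get(DOMAIN.format(proto), [ALL]):
            findings.append(f"{proto}: <all> trusts every domain")
    return findings

def is_trusted(url, props):
    """Assumed semantics: exact host match against the list for the URL's protocol."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    values = props.get(DOMAIN.format(parts.scheme), [ALL])
    return ALL in values or parts.hostname in {v.lower() for v in values}
```

Running audit(parse(SAMPLE)) reports the legacy property and the http <all> entry, and is_trusted() shows which candidate link URLs the assumed exact-match rule would accept.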

Logging

Logging capabilities differ across the service components. It is recommended to review the documentation for each specific component for its individual logging capabilities. See the Oracle Transportation and Global Trade Management Cloud Administration Guide for specifics on logging; for more details, see the “Logs: System and Integration Files” help topic.

Oracle Transportation and Global Trade Management Cloud Service Log Files

The Oracle Transportation and Global Trade Management Cloud services can enable service-specific debug logging. Most of this debug logging is helpful to enable while diagnosing service request issues. However, this logging is bad for performance and could expose sensitive data in flat log files, which end users could then download. To obtain optimal performance and prevent information leakage, it is highly recommended to keep the enabled log IDs to a minimum in a production environment.

Default Log Files

| Log | Filename | Description |
|---|---|---|
| SYSTEM | glog.app.log | An application server log file that contains all of the default enabled log IDs. |
| WEB | glog.web.log | The UI Component container log file that contains the enabled log IDs logging. |
| EXCEPTION | glog.exception.log | An application server log file that contains all of the exceptions and the full associated stack trace. |

Specific log IDs that are enabled could log and expose information about the data and actual system information such as URLs and user names. These important log IDs and log files should be safeguarded. However, there are occasions when these log IDs should be enabled.