3 Prerequisite

This topic lists the prerequisites for this manual.

Operating Environment Security

Please refer to the vendor-specific documentation for making the environment more safe and secure.

Network Security

Please refer to the vendor-specific documentation for making the environment more safe and secure.

Oracle Database Security

Please refer to the Oracle Database Security specification document for making the environment more safe and secure.

Oracle FLEXCUBE Recommended configuration

This section contains security recommendations for the Database used for the Oracle FLEXCUBE Universal Banking Application.

To audit the events, log in through sqlplus as SYSTEM and issue the commands.

Application Server Security

Please refer to the Oracle Weblogic Security specification document for making the environment more safe and secure.

Apart from the Oracle Weblogic Security specification, the Oracle FLEXCUBE UBS Application recommends implementing the below security specifications.
  • Support for Single Sign on (SSO)

    Oracle FLEXCUBE Universal Banking Solution supports Single sign-on capability with SAML (Security Assertion Markup Language) authentication.

    For details on configuration, refer to the document FCUBS_V.UM_OAM_Integration_Enabling_SSO.zip.

  • Support for LDAP (External Password Authentication)

    FLEXCUBE UBS also supports authentication through LDAP/MSAD without the use of SSO.

    Depending on the value of the property EXT_USERLOGIN in fcubs.properties file, the length of the User ID field in the login screen will change. If the value is Y, the user will be able to input up to 30 characters in the User ID field. Otherwise, the User ID field will allow only 12 characters.

    Depending on the value PASSWORD_EXTERNAL in fcubs.properties file, the password will be validated with LDAP/MSAD or FCUBS Application.

    For details on configuration of LDAP, refer to the Oracle FLEXCUBE Universal Banking Installation Guide document (Sec 1.4).

  • Support for SSL (Secure Transformation of Data)

    The Oracle FLEXCUBE Universal Banking Installer allows a deployer to require that all HTTP connections to the application use SSL/TLS. In other words, all HTTP traffic in the clear is prohibited; only HTTPS traffic is allowed. It is recommended to enable this option in a production environment when WebLogic Server acts as the SSL terminator.

    For details on configuration of SSL, refer to the Oracle FLEXCUBE Universal Banking Installation Guide document (Sec 1.4.1 for WebLogic, Sec 1.4.2 for WebSphere).

  • Support for SMTPS (Mail communication)

    A mail session must also be configured in the Application Server. Sample details for creating a mail session are listed below:

    Name: FCUBSMailSession

    JNDI Name: mail/FCUBSMail (The same JNDI name must be maintained when creating the property file.)

    For the SMTPS protocol, refer to the Java Mail properties below.
    • mail.host=<HOST_MAIL_SERVER>
    • mail.smtps.port=<SMTPS_SERVER_PORT>
    • mail.transport.protocol=smtps
    • mail.smtps.auth=true
    • mail.smtps.host=<HOST_SMTPS_MAIL_SERVER>

    For details on configuration of the Mail Session process, refer to the document Resource_Creation_WL.doc for WebLogic.
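Added example (not part of the original guide or the product): a small checker that reads fcubs.properties-style settings and reports the login behaviour (EXT_USERLOGIN, PASSWORD_EXTERNAL) and any mail session property that falls short of the SMTPS settings listed above. It assumes standard Java .properties syntax; the sample values are constructed and deliberately weak.

```python
import re

# Constructed excerpt: only the key names come from the guide, the values are
# illustrative and intentionally show a cleartext SMTP mail session.
SAMPLE_PROPERTIES = """# fcubs.properties (constructed excerpt)
EXT_USERLOGIN=Y
PASSWORD_EXTERNAL=Y

# Java Mail properties for the FCUBSMailSession resource
mail.host=mail.example.internal
mail.transport.protocol=smtp
mail.smtps.auth=false
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def user_id_max_length(props):
    """Login screen User ID width as the guide describes it: 30 with EXT_USERLOGIN=Y, else 12."""
    return 30 if props.get("EXT_USERLOGIN", "N").upper() == "Y" else 12

def password_backend(props):
    """Where the password is validated: LDAP/MSAD when PASSWORD_EXTERNAL=Y, else FCUBS."""
    return "LDAP/MSAD" if props.get("PASSWORD_EXTERNAL", "N").upper() == "Y" else "FCUBS"

def check_mail_session(props):
    """Findings for a mail session that should use authenticated SMTPS."""
    findings = []
    if props.get("mail.transport.protocol") != "smtps":
        findings.append("mail.transport.protocol must be smtps (cleartext SMTP otherwise)")
    if props.get("mail.smtps.auth", "").lower() != "true":
        findings.append("mail.smtps.auth must be true")
    for key in ("mail.smtps.host", "mail.smtps.port"):
        if not props.get(key):
            findings.append(f"{key} is not set")
    return findings

if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("User ID length:", user_id_max_length(props), "backend:", password_backend(props))
    for finding in check_mail_session(props):
        print("FINDING:", finding)
```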

Third-party Applications

Support for OWSM (Securing Web services)

Oracle FLEXCUBE Universal Banking supports the WebLogic Server WS-Policies for enforcing security on Web services. Customers can implement any Oracle WSM WS-Security policy and use it with WebLogic Web services.

The Oracle WSM policies are documented in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services <http://docs.oracle.com/cd/E21764_01/web.1111/b32511/toc.htm>

Choice of the SSL Cipher Suite

Oracle WebLogic Server allows for SSL clients to initiate an SSL connection with a null cipher suite. The null cipher suite does not employ any bulk encryption algorithm, thus resulting in the transmission of all data in clear text over the wire.

By default, Oracle WebLogic Server disables the null cipher suite. Ensure that the null cipher suite remains disabled so that no client can negotiate an SSL connection without encryption.

Furthermore, for installations having regulatory requirements requiring the use of only ‘high’ cipher suites, Oracle WebLogic Server can be configured to support only certain cipher suites. The restriction can be done in config.xml of the WebLogic domain. Provided below is an example config.xml restricting the cipher suites to those supporting 256-bit symmetric keys or higher and using RSA for key exchange.

<ssl>
     <enabled>true</enabled>
     <ciphersuite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</ciphersuite>
</ssl>
  • Configuration of WebLogic Server to support the above defined cipher suites might also require an additional command line argument to be passed to WebLogic Server so that a FIPS 140-2 compliant crypto module is utilized. This is done by adding -Dweblogic.security.SSL.nojce=true as a JVM argument.
  • The restriction on cipher suites needs to be performed for every managed server.
  • The order of cipher suites is important. Oracle WebLogic Server chooses the first available cipher suite in the list, which is also supported by the client.
  • Cipher suites with RC4 are enabled despite RC4 being second best to AES. This is primarily for older clients that do not support AES (for instance, Microsoft Internet Explorer 6, 7, and 8 on Windows XP).
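Added example (not part of the original guide): an auditor for the <ssl> section of a WebLogic config.xml that walks the cipher suite list in order and reports a NULL cipher, RC4, or a symmetric key below the 256-bit threshold the text above sets. Run against the page's own sample it reports that AES_128 falls below that threshold. The wrapping <server> element and the server name are constructed; a real config.xml carries a default namespace, which the code strips.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ssl> block from the guide inside a minimal <server>.
SAMPLE_CONFIG_XML = """<server>
  <name>ManagedServer1</name>
  <ssl>
    <enabled>true</enabled>
    <ciphersuite>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</ciphersuite>
  </ssl>
</server>"""

MIN_SYMMETRIC_BITS = 256  # policy stated in the text: 256-bit symmetric keys or higher

def symmetric_bits(suite):
    """Symmetric key size implied by a TLS suite name; 0 for a NULL cipher, -1 if unknown."""
    if "_WITH_NULL_" in suite:
        return 0
    m = re.search(r"_WITH_(?:AES|CAMELLIA|ARIA)_(\d+)", suite)
    if m:
        return int(m.group(1))
    if "_RC4_128" in suite:
        return 128
    if "3DES" in suite:
        return 112
    return -1

def audit_ssl(config_xml):
    """Return (server name, finding) tuples for every <server> in the document."""
    findings = []
    root = ET.fromstring(config_xml)
    for el in root.iter():  # drop the xmlns prefix so plain tag names match
        el.tag = el.tag.split("}")[-1]
    for server in root.iter("server"):
        name = server.findtext("name", default="?")
        ssl = server.find("ssl")
        if ssl is None or ssl.findtext("enabled", "false").strip().lower() != "true":
            findings.append((name, "SSL not enabled"))
            continue
        suites = [c.text.strip() for c in ssl.findall("ciphersuite") if c.text]
        if not suites:
            findings.append((name, "no explicit cipher suite list; server defaults apply"))
        for pos, suite in enumerate(suites):  # position matters: first mutual match wins
            bits = symmetric_bits(suite)
            if bits == 0:
                findings.append((name, f"#{pos}: {suite} is a NULL cipher (cleartext)"))
            elif "RC4" in suite:
                findings.append((name, f"#{pos}: {suite} uses RC4"))
            elif bits == -1:
                findings.append((name, f"#{pos}: {suite} has an unrecognised bulk cipher"))
            elif bits < MIN_SYMMETRIC_BITS:
                findings.append((name, f"#{pos}: {suite} has {bits}-bit symmetric key (< {MIN_SYMMETRIC_BITS})"))
    return findings
```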