3.1 Secure the Oracle FLEXCUBE Universal Banking Application

This topic explains the guidelines to secure the Oracle FLEXCUBE Universal Banking Application.

The following guidelines serve to secure the Oracle FLEXCUBE Universal Banking application deployed on Oracle WebLogic Server.

Set up Secure Flag for Cookies

The following configuration must be present in weblogic.xml inside the deployed application EAR:
  1. Cookie secure flag set to true.
<wls:session-descriptor>
 <wls:cookie-secure>true</wls:cookie-secure>
 <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
</wls:session-descriptor>

Always make sure that cookies are set with the Auth Flag enabled by default for WebLogic Server. For versions below WebLogic 10.3.5, it is also recommended to apply the WebLogic 10.3.5 patch so that the above changes take effect.
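A small audit script, added here as an example and not part of the Oracle documentation, that checks a weblogic.xml session-descriptor for the two settings above and confirms on a captured Set-Cookie header that the session cookie really carries the Secure attribute. The sample XML fragments are constructed; the wls namespace URI in them is assumed.

```python
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Session-descriptor values required by the guide.
EXPECTED = {"cookie-secure": "true", "url-rewriting-enabled": "false"}

# Constructed samples: a weak descriptor and the hardened one from the guide.
# The namespace URI is an assumption for illustration.
WEAK_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:session-descriptor>
    <wls:cookie-secure>false</wls:cookie-secure>
  </wls:session-descriptor>
</wls:weblogic-web-app>"""

HARDENED_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:session-descriptor>
    <wls:cookie-secure>true</wls:cookie-secure>
    <wls:url-rewriting-enabled>false</wls:url-rewriting-enabled>
  </wls:session-descriptor>
</wls:weblogic-web-app>"""

def _local(tag):
    """Strip the namespace from a tag: '{uri}cookie-secure' -> 'cookie-secure'."""
    return tag.rsplit("}", 1)[-1]

def audit_weblogic_xml(xml_text):
    """Return a list of findings for the session-descriptor; empty means compliant."""
    root = ET.fromstring(xml_text)
    descriptors = [e for e in root.iter() if _local(e.tag) == "session-descriptor"]
    if not descriptors:
        return ["session-descriptor element is missing"]
    findings = []
    for desc in descriptors:
        present = {_local(c.tag): (c.text or "").strip().lower() for c in desc}
        for name, want in EXPECTED.items():
            if name not in present:
                findings.append(f"{name} is not set (should be {want})")
            elif present[name] != want:
                findings.append(f"{name} is {present[name]} (should be {want})")
    return findings

def audit_set_cookie(header_value):
    """True only if every cookie in a Set-Cookie header carries the Secure attribute."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    return bool(cookie) and all(bool(m["secure"]) for m in cookie.values())

if __name__ == "__main__":
    print("weak:", audit_weblogic_xml(WEAK_XML))
    print("hardened:", audit_weblogic_xml(HARDENED_XML))
    print("cookie ok:", audit_set_cookie("JSESSIONID=abc123; Path=/; Secure; HttpOnly"))
```

Run the XML audit against the weblogic.xml extracted from the deployed EAR, and the cookie check against the Set-Cookie header returned by a login response over HTTPS.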

Credential Over mail

To enable this feature, the mail server details must be provided at the time of property file creation. The required parameters are:
  • Host Server
  • User ID
  • User Password
  • JNDI Name

Session time out and Token Management

Session timeout is the event that occurs when a user performs no action on a website during an interval defined in the application. On the server side, the event changes the status of the user session to invalid (i.e., "not used anymore") and instructs the application/web server to destroy it, deleting all data contained in it. The application allows the session timeout to be defined.

Note:

The default value for session time out is 30 minutes.

Every subsequent request within the session carries the Authenticated and Cross-site request forgery tokens. Each request sent to the application from the browser is validated against the IsAuthenticated attribute and the Cross-site request forgery token.

Two-way SSL Connection

A two-way SSL is used when the server needs to authenticate the client. In a two-way SSL connection, the client verifies the identity of the server and then passes its identity certificate to the server. The server then validates the identity certificate of the client before completing the SSL handshake.

To establish a two-way SSL connection, you need two certificates: one for the server and one for the client.

For Oracle FLEXCUBE Universal Banking Solutions, a single connector must be configured. This connector handles the SSL/TLS communication between the host or browser and the branch, which uses two-way authentication.

For details on implementing the two-way SSL process, refer to the Oracle FLEXCUBE Universal Banking document <SSL_OR_TLS_ Configuration.doc>.