Secure Installation and Configuration

This section provides information for securely installing and configuring the Oracle TMS application, including but not limited to configuring firewall settings, installing signed certificates when using HTTPS, and closing unused ports.

Install Critical Patch Updates (CPUs) and Critical Patch Set

To ensure that your installation includes up-to-date security fixes, install the latest Oracle CPUs and critical patch set.

For more information, see the Oracle Thesaurus Management System Installation Guide.

Use SSL (HTTPS) Between Browser and Web Server

Information sent over the network and across the Internet in clear text may be intercepted. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are features that provide encryption of network traffic between the browser and the Oracle TMS web server.

For more information, see the Oracle Thesaurus Management System Installation Guide.

Signed Certificates for HTTPS

To support HTTPS for Oracle TMS, you need to request a signed certificate from a Certificate Authority (CA) vendor such as Thawte or Verisign, and then import the signed certificate into the Oracle Wallet for the Oracle Application Server.

For more information, see the Oracle Thesaurus Management System Installation Guide.

Disable Unused Services

The Oracle TMS application does not use the following services or information for any functionality:

  • Simple Mail Transfer Protocol (SMTP). This protocol is an Internet standard for e-mail transmission across Internet Protocol (IP) networks.

  • Identification Protocol (identd). This protocol is generally used to identify the owner of a TCP connection on UNIX.

  • Simple Network Management Protocol (SNMP). This protocol is one method for managing and reporting information about different systems.

Therefore, restricting these services or information will not affect those Oracle applications. If you are not using these services for other applications, Oracle recommends that you disable these services to minimize your security exposure.

If you need SMTP, identd, or SNMP for other applications, be sure to upgrade to the latest version of the protocol to provide the most up-to-date security for your system.

In addition, Oracle recommends that you remove unused Oracle TMS user accounts if you are upgrading from earlier releases.

Replace Verbose Errors with Custom Messages

Web applications issue HTTP error messages, such as Error Code 500 (Internal Server Error) and Error Code 404 (Not Found), for servlet exceptions that occur at run time (for example, when a servlet is processing the form data). Some internal error messages are verbose and provide sensitive system information.

To tighten the security on your production systems, Oracle recommends that you replace the verbose error messages with brief customized messages.

You can create an HTML error page containing a custom message, and then use the XML error-page element and subelements in the web.xml file to specify the HTML error page to use for the servlet exceptions. You can create a different error message for each error number or use the same generic message for more than one error.

Oracle recommends that you edit the web.xml file for the Oracle TMS application.
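As an added example, not code from the Oracle guide, the following Python audits a web.xml for the error-page mappings described above and reports which of the two error codes the text names still fall through to the container's verbose default; the web.xml string is a constructed sample and the required-code set is an assumption.

```python
# Added example, not code from the Oracle TMS guide: audit a web.xml for the
# Servlet <error-page> mappings the text describes. Constructed sample input.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <error-page>
    <error-code>404</error-code>
    <location>/errors/not-found.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/errors/generic.html</location>
  </error-page>
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/generic.html</location>
  </error-page>
</web-app>
"""

# Codes the guide names explicitly (assumption); a production audit adds more.
REQUIRED_CODES = {"404", "500"}

def _local(tag):
    """Drop the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def error_page_mappings(web_xml):
    """Return {error-code or exception-type: location} for each <error-page>."""
    root = ET.fromstring(web_xml)
    mappings = {}
    for page in root.iter():
        if _local(page.tag) != "error-page":
            continue
        key = location = None
        for child in page:
            name = _local(child.tag)
            if name in ("error-code", "exception-type"):
                key = (child.text or "").strip()
            elif name == "location":
                location = (child.text or "").strip()
        if key and location:
            mappings[key] = location
    return mappings

def missing_error_pages(web_xml):
    """Required error codes that still fall through to the verbose default."""
    return sorted(REQUIRED_CODES - set(error_page_mappings(web_xml)))
```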

Secure the WebLogic Server

For information on securing the WebLogic Server, see:

  • Oracle Fusion Middleware Securing Oracle WebLogic Server

  • Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server

  • "Security" in Oracle Fusion Middleware Information Roadmap for Oracle WebLogic Server

Provide Security for Session-Tracking Cookies

You can use the XML session-tracking element to provide security for the TMS Lite Browser session-tracking cookies.

In the orion-web.xml file, you can configure the following flags (attributes) for the session-tracking element:

  • set-secure — Requests that your Internet browser only honor the HTTPS protocol to access Web sites. If you set the secure flag to true, users must enter https:// to access Web sites. Entering http:// will not work.

  • HttpOnly — Requests that your Internet browser honor only the HTTP and HTTPS protocols to access Web sites. Other protocols, such as FTP, will not work.

Note:

If you configure the secure and HttpOnly flags for session-tracking cookies, you must make the changes on all servers in a load-balanced environment.

Once you complete the above changes, access to the application using HTTP will not work. Users will be forced to use HTTPS only.

Provide Security for Cross-Frame Scripting

You can enable Oracle HTTP Server to send the Content-Security-Policy "frame-ancestors" header for all TMS requests.

  1. Edit the httpd.conf file located under <FRDomain_Home>\config\fmwconfig\components\OHS\ohs1\ and <FRDomain_Home>\config\fmwconfig\components\OHS\instances\ohs1\.
  2. Add the following to the httpd.conf file:

     <Location /tmsadf>
        <IfModule mod_headers.c>
           Header set Content-Security-Policy "frame-ancestors 'self';"
        </IfModule>
     </Location>

  3. Restart the OHS instance.

TMS implements the ADF security recommendations for Cross-Site Scripting, and ADF sends the X-Frame-Options SAMEORIGIN header for requests as needed.
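The following added Python check (not from the Oracle guide) audits one captured HTTP response for the settings in the two sections above: Secure and HttpOnly on the session-tracking cookie, a CSP frame-ancestors 'self' directive, and X-Frame-Options SAMEORIGIN. The response text and the cookie name JSESSIONID are constructed assumptions, not values captured from TMS.

```python
# Added example, not code from the Oracle TMS guide: audit one captured HTTP
# response for Secure/HttpOnly on the session cookie, a CSP frame-ancestors
# directive and X-Frame-Options. The response and cookie name are constructed.
import re
from email.parser import Parser

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/tmsadf; Secure; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Security-Policy: frame-ancestors 'self';\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n\r\n"
)

def cookie_findings(msg, session_name="JSESSIONID"):
    """Problems with the session cookie's attributes (assumed name JSESSIONID)."""
    problems = []
    for cookie in msg.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name != session_name:
            continue  # other cookies are not the session-tracking cookie
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            problems.append("session cookie sent without Secure")
        if "httponly" not in attrs:
            problems.append("session cookie sent without HttpOnly")
        return problems
    return ["no session cookie named %s seen" % session_name]

def framing_findings(msg):
    """Problems with the anti-framing headers the OHS and ADF settings add."""
    problems = []
    csp = msg.get("Content-Security-Policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp)
    if not m:
        problems.append("no frame-ancestors directive in CSP")
    elif m.group(1).strip() != "'self'":
        problems.append("frame-ancestors is not 'self': %s" % m.group(1).strip())
    if msg.get("X-Frame-Options", "").strip().upper() != "SAMEORIGIN":
        problems.append("X-Frame-Options is not SAMEORIGIN")
    return problems

def audit(raw_response):
    """All findings for one raw response; an empty list means hardened."""
    # Drop the status line; the email header parser handles the rest.
    msg = Parser().parsestr(raw_response.partition("\r\n")[2])
    return cookie_findings(msg) + framing_findings(msg)
```

Run the audit against each server behind the load balancer, since the note above requires the cookie changes on every node.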

Configure Strong Passwords on the Database

Although the importance of passwords is well known, the following basic rule of security management is worth repeating:

Ensure all your passwords are strong passwords.

You can strengthen passwords by creating and using password policies for your organization.

You should modify the following passwords to use your policy-compliant strings:

  • Passwords for the database default accounts, such as SYS and SYSTEM.

  • Passwords for the database application-specific schema accounts, such as RXC, OPA, and RXC_PD. You can run the Set Password (set_pwd) utility to set stronger passwords for the default Oracle TMS schemas. For details on using the utility, refer to the Oracle Thesaurus Management System Installation Guide.

  • Password for the database listener. If you do not configure the database listener to require an authorization password, you unnecessarily expose the underlying database service names to unauthorized individuals.

For guidelines on securing passwords and for additional ways to protect passwords, refer to the Oracle Database Security Guide specific to the database release you are using.

Hide Oracle Forms Version Numbers

By default, the current version of Oracle Forms is displayed when someone accesses a forms servlet URL. This is because the form parameter in formsweb.cfg calls test.fmx, which displays the version number so that you can check the version you are running.

To change this behavior:

  1. Create a new file based on test.fmx that does not display the version number.
  2. In formsweb.cfg, default section, set form=your_new_file.

Secure the Reports Server

See My Oracle Support note Secure the Showjobs Web Command in a Non Secured Reports Server in Oracle Reports 11g, ID 1242614.1.