General Security Principles

This section provides general security recommendations for securing any application.

The most critical resource to protect is the Oracle TMS database, which contains information that is both sensitive and critical to the performance of your business. Oracle recommends that you protect most of your computing resources from unauthorized access, manipulation, or destruction from both internal and external parties.

For Web enablement, you must protect resources from unauthorized access via the Internet. In addition, access to highly confidential data or strategic resources should be available to only a few trusted users or system administrators.

This section includes:

• Restrict Network Access to Critical Services
  
• Monitor System Activity
  
• Set Up a Change Management Process
  
• Change Passwords Periodically
  
• Keep Passwords Private and Secure
  
• Use Profiles
  
• Lock Computers to Protect Data
  
• Close All Open Ports Not in Use
  
• Secure the Environment
  
• Provide Only the Necessary Rights to Perform an Operation
  

Restrict Network Access to Critical Services

Oracle recommends that you install a firewall between the database and application servers. In addition, if you are using Web Tier, consider placing a firewall between the Oracle HTTP Server (OHS) and the WebLogic Server. The firewalls provide assurance that access to these systems is restricted to a known network route, which can be monitored and restricted, if necessary. As an alternative, a firewall router substitutes for multiple, independent firewalls.

Monitor System Activity

One of the main requirements of system security is monitoring. Auditing and reviewing audit records address this requirement. Each component within a system has some degree of monitoring capability. Oracle recommends that you establish a policy to check and monitor activities in your system regularly. Refer to the database and application server documentation for audit functionality.

Set Up a Change Management Process

Oracle recommends that you establish a policy to set up a change management process to keep track of all the changes in your software systems. All changes to software should be approved and audited.

Change Passwords Periodically

It is good practice to change both system account passwords and user passwords periodically. Follow your organization's operating procedures for the frequency of making changes.

Keep Passwords Private and Secure

All users should change their passwords when they log in for the first time.

Tell users never to share passwords, write down passwords, or store passwords in files on their computers.

Encourage users to choose password-reset questions and answers that are easy for them to remember, but difficult for someone else to guess.

Use Profiles

In the Oracle database, a profile is a named set of resource limits and password parameters that restrict database usage and instance resources for a user. By default, every Oracle TMS user is assigned the DEFAULT profile. You can change its limitations on resources or password use or assign a separate profile to each user or user role. Each user can have only one profile. For more information, see the Oracle Thesaurus Management System Installation Guide and the Oracle Database Security Guide.

Lock Computers to Protect Data

Encourage users to lock computers that are left unattended.

Close All Open Ports Not in Use

Keep only the minimum number of ports open. You should close all ports not in use.

Secure the Environment

To ensure security in the Oracle TMS application, carefully configure all components, including the following third-party components:

• Web browsers

• Firewalls

• Load balancers

• Virtual Private Networks (VPNs)

For more information, see the documentation for the application you are configuring.

Provide Only the Necessary Rights to Perform an Operation

Assign database roles or custom roles so that users can perform only the tasks necessary for their jobs.