2 Security Features

This chapter describes the available security features of the Xstore Office Cloud Service.

Certificate Support for Integration Points

Note:

Retailers are responsible for using valid, certificate authority (CA) signed certificates for TLS. For more information, see My Oracle Support (Doc ID 2710163.1).

Security Model

Xstore Office Cloud Service integrates with Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) for identity management (that is, storing user information), for securing REST services using the Open Authorization (OAuth) 2.0 protocol, and for secure user authentication via the OAuth 2.0 and OpenID Connect (OIDC) protocols.

A Reverse Proxy is in place that intercepts all incoming requests to Xstore Office Cloud Service and authorizes and/or authenticates the requests based on the Xstore Office Cloud Web Tier Policy defined in IDCS or OCI IAM.

Xstore Office Cloud Service Provisioning

During Xstore Office Provisioning, Xstore Office OAuth Clients (or Apps) are created in IDCS or OCI IAM with custom AppRoles. The custom AppRoles are used to perform application-level authorizations in addition to application-level privilege authorizations.

At the time of provisioning, a Customer Administration User is also created, who is initially the sole user with access to the Xstore Office Cloud Service application. It is the responsibility of the Customer Administration User to create users with the appropriate privileges for functionality that will become available to them. It is recommended that users be granted the least level of access they require to perform their duties.

Authentication

Xadmin delegates the login to IDCS or OCI IAM. Therefore, it does not prompt the user to log in and does not store any user credentials. Instead, when a user accesses Xadmin, the Reverse Proxy determines whether this user's session already exists in IDCS or OCI IAM. If so, it forwards the request to Xadmin. If this user's session does not exist, then the Reverse Proxy redirects to IDCS or OCI IAM, which prompts the user to enter their credentials. If the user successfully authenticates in IDCS or OCI IAM, then the request is forwarded to Xadmin. Once at Xadmin, additional application-level authorization is performed to determine the user's role and the privileges granted to the user, in order to display the features that the user is authorized to access.

For details on how users are created and provisioned, see the Creation of Users section.

Multi-Factor Authentication (MFA)

IDCS or OCI IAM provides the ability to enable Multi-Factor Authentication. For more information on enabling Multi-Factor Authentication, see the Oracle Cloud Administering Oracle Identity Cloud Service Guide or the Oracle Cloud Infrastructure Documentation.

Note:

This note is for customers who want to enable and use Multi-Factor Authentication (MFA) with XOCS and IDCS. The user whose credentials are used for these APIs MUST NOT have Multi-Factor Authentication (MFA) enabled. Note also that if this process is not followed, customers will not be able to set up and use Store Enrollment, create Setup OAuth Clients, or get tokens to invoke the Data Privacy API.

  • For Store Enrollment:

      • Use credentials of a user that does not have MFA enabled.

      • This same user's credentials can then be used for all Store Enrollments.

      • Whenever Store Enrollments are completed, MFA can be enabled for this user.

  • For Setup OAuth Client Creation:

    Note:

    The user whose credentials are used here MUST NOT have Multi-Factor Authentication (MFA) enabled. If it is enabled, please disable MFA for only this user temporarily in order to invoke this API.

      • Once the API returns the OAuth Client credentials, re-enable MFA for this user.

      • If the API needs to be invoked at a future time, follow the same MFA disable/enable process described above for the user.

  • For Data Privacy API Token Request:

    Note:

    The user whose credentials are used here MUST NOT have Multi-Factor Authentication (MFA) enabled. If it is enabled, please disable MFA for only this user temporarily in order to invoke this API.

      • Once the API returns the OAuth token, re-enable MFA for this user.

      • If the token API needs to be invoked at a future time, follow the same MFA disable/enable process described above for the user.

Access Control

Xcenter REST APIs are secured with OAuth 2.0 protocols and use OAuth tokens. When Xcenter REST Services are invoked, the Reverse Proxy intercepts the requests, uses the OAuth 2.0 protocol to authorize the OAuth tokens, and forwards the request to Xcenter. Xcenter then performs additional application-level authorization by examining the tokens to see if they were requested by an OAuth Client that was granted specific AppRoles defined in IDCS or OCI IAM when Xstore Office OAuth Clients were provisioned. If the token contains the necessary AppRole Grants, Xcenter provides access to the endpoint and the appropriate response is returned.
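The two-tier check described above, modeled as an added example (this is not Oracle's code or the product's implementation). Assumptions: tokens are compact JWTs signed with HS256 as a stand-in for the identity provider's signing, the AppRole claim name `client_app_roles` and the role name used with it are hypothetical, and the signing key is constructed.

```python
import base64, hashlib, hmac, json

# Constructed for this example: the key and the claim name are assumptions,
# not values taken from IDCS, OCI IAM or Xstore Office.
SIGNING_KEY = b"constructed-demo-key"
ROLE_CLAIM = "client_app_roles"  # hypothetical claim carrying AppRole grants

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def issue_token(claims, key=SIGNING_KEY):
    """Stand-in for the identity provider issuing a token to an OAuth client."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head, body, key))}"

def proxy_validate(token, now):
    """Tier 1 (reverse proxy): check signature, algorithm and expiry."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(head, body, SIGNING_KEY), _unb64(sig)):
            return None
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None
        claims = json.loads(_unb64(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed tokens fail closed

def handle_request(token, required_role, now):
    """Return the HTTP status the layered check would produce."""
    claims = proxy_validate(token, now)
    if claims is None:
        return 401  # rejected at the proxy; the application never sees it
    roles = claims.get(ROLE_CLAIM, [])
    # Tier 2 (application): a valid token without the AppRole grant is refused.
    if not isinstance(roles, list) or required_role not in roles:
        return 403
    return 200
```

A token that passes the proxy but lacks the required AppRole grant yields 403 rather than 200, which is the point of keeping the second, application-level check.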

For details on how users are created and provisioned, see the Creation of Users section.

Security Audit

User identity (account name or IP address) is recorded in the application logs when accessing Xadmin or invoking Xcenter REST APIs. In addition, the date, time, information, and software or configuration changes are also recorded in the application logs.

IDCS or OCI IAM provides several reports that are detailed in the Oracle Cloud Administering Oracle Identity Cloud Service Guide or the Oracle Cloud Infrastructure Documentation.

Credential Rotation

All credentials in use within the Xstore Office Cloud Service will be rotated on a regular schedule.