Minimum Security Configuration Guide
Release 8.1.1
E88811-01
September 2017
This guide describes essential security management options for the following applications:
Oracle Argus Analytics
Oracle Business Intelligence Enterprise Edition
This guide presents the following security guidelines and recommendations:
Although the importance of passwords is well-known, the following basic rule of security management is worth repeating:
Make sure all your passwords are strong passwords.
You can strengthen passwords by creating and using password policies for your organization.
For guidelines on securing passwords and for additional ways to protect passwords, refer to the Oracle Database Security Guide specific to the database release you are using.You should modify the following passwords to use your policy-compliant strings:
Passwords for the database default accounts, such as SYS and SYSTEM.
Passwords for the Weblogic Server default accounts, such as weblogic.
Password for the database listener. If you do not configure the database listener to require an authorization password, you unnecessarily expose the underlying database service names to unauthorized individuals.
Keep only a minimum number of ports open. You should close all ports that are not in use.
The Argus Analytics application does not use the Telnet service. Telnet listens on port 23 by default.If the Telnet service is available on the Argus Analytics host machine, Oracle recommends that you disable Telnet in favor of Secure Shell (ssh).
Telnet, which sends clear-text passwords and user names through a login, is a security risk to your servers. Disabling Telnet tightens and protects your system security.
In addition to not using Telnet, the Argus Analytics application does not use the following services or information for any functionality:
Simple Mail Transfer Protocol (SMTP)—This protocol is an Internet standard for E-mail transmission across Internet Protocol (IP) networks.
Identification Protocol (identd)—This protocol is generally used to identify the owner of a TCP connection on UNIX.
Simple Network Management Protocol (SNMP)—This protocol is one method for managing and reporting information about different systems.
Therefore, restricting these services or information will not affect the Argus Analytics application. If you are not using these services for other applications, Oracle recommends that you disable these services to minimize your security exposure.
If you need SMTP, identd, or SNMP for other applications, be sure to upgrade to the latest version of the protocol to provide the most up-to-date security for your system.
In Argus Analytics, you can add customized links to the Home page, Dashboards, Report pages, and the Help icons. Any information that can be made available through a URL can be made accessible to Argus Analytics Onsite users.
In addition, your customized links support passing session parameters, such as login user ID and user role, to a URL. By passing these session parameters, you can create target Web pages that switch the content according to the user login ID, user role, study, and site. You can create links that access websites relevant to your business.
However, be aware that in some situations, such as links that access external websites, passing account data and session information may pose a security risk. In these cases, you can define the link to pass no session parameters to the URL.
Besides this, the parameters that are passed as part of the URL links should not be trusted by the URLs receiving them. They should be securely coded, including by verifying their identity.
This section comprises the following sub-sections:
To enable SSL, refer to the Oracle® Argus Analytics Installation Guide > Configuring SSL for Oracle Argus Analytics in OBIEE.
Refer to the MOS Note How to set up Secure Cookies on WebLogic Server section (Doc ID 1267117.1) to set up the secure SSL cookie.
To configure the user session timeout in OBIEE, refer to the Oracle® Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition > Section 5.3.2 Using Fusion Middleware Control to Set the User Session Log-Off Period from the following link:
http://docs.oracle.com/middleware/1221/biee/BIESG/querycaching.htm#BIESG226
Query logging level defines the exposure of database queries to OBIEE users. By default, each user account's Logging Level is set to 0 (zero), which is no logging. Implement the following steps to set the levels for a user:
Open BI Administration tool, and click Manage > Identity.
Double-click the name of the user to select, and update the logging level in the pop-up menu.
Enter the following information in the Logging Level:
Level 0—No Logging
Level 1—Logged details are SQL statements, query response durations, user id, session id, request id.
Level 2—Everything Logged in level 1 with additional information such as repository name, business model name, subject area name, no of rows returned, etc.
Level 3—Everything Logged in level 2 with additional information such as logical query plan, purged cache, etc.
Level 4—Everything Logged in level 3 with additional information of query execution plan.
Level 5—Everything Logged in level 4 with detailed query execution plan
A security realm can optionally include Identity Assertion, Auditing, and Certificate Registry providers. If your new security realm includes two or more providers of the same type (for example, more than one Authentication provider or more than one Authorization provider), you need to determine how these providers should interact with each other.
Custom Authorization and Role Mapping providers may or may not support parallel security policy and role modification, respectively, in the security provider database.
If your custom Authorization and Role Mapping security providers do not support parallel modification, the WebLogic Security framework can enforce a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially. To do this, set the Deployable Provider Synchronization Enabled and Deployable Provider Synchronization Timeout controls for the realm.
OBIEE Mapviewer component comes with some demo code.
Hence, it is recommended that you delete the Mapviewer component by using the following steps:
Login to the OBIEE Administrator Console.
Navigate to Deployments > Control tab, and click the Next hyperlink till the Mapviewer application is displayed.
Select the check box against the deployed Mapviewer application [Mapviewer].
Click the Stop > When Work Completes button to shutdown the Mapviewer application.
When the operation completes:
Click Lock & Edit, and navigate to the Configuration tab.
Continue click on the hyperlink till the Mapviewer application appears.
Select the Mapviewer application [Mapviewer] check box, and click Delete to remove the application from the Domain Configuration.
Click Yes to confirm.
Activate the pending changes by clicking Activate Changes to completely delete the Mapviewer application.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Oracle Argus Analytics Security Configuration Guide, Release 8.1.1
E88811-01
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.