C2M Security Guide V2.7.0.1 - Oracle


Security Guide
Oracle Utilities Customer To Meter
Version 2.7.0.1 (OUAF 4.4.0.0.0)
F12156-01
January 2019

Security Guide, Oracle Utilities Customer To Meter, Version 2.7.0.1 (OUAF 4.4.0.0.0)
F12156-01

Copyright 2018 Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

Table of Contents

Preface ..... 2
    Audience ..... 2
    Documentation Accessibility ..... 2
    Access to Oracle Support ..... 2
    Related Documents ..... 2
    Conventions ..... 3
    Critical Patches ..... 3
What's New in Security? ..... 4
    Object Erasure Support ..... 4
    REST Services now available within Inbound Web Services ..... 4
Introducing Security ..... 5
    Security Features ..... 5
    Additional Security Resources ..... 5
Authentication ..... 7
    About Authentication ..... 7
    Online Authentication ..... 7
    Batch Authentication ..... 8
    Web Service Authentication ..... 8
Authorization ..... 9
    About Authorization ..... 9
    Authorization Model ..... 9
Managing Security ..... 11
    About Managing Security ..... 11
    Managing Online Users ..... 11
    Managing Users ..... 12
    Template Users ..... 13
    Assigning To Do Types ..... 14
    Assigning User Portal Preferences ..... 14
    Assign Bookmarks ..... 15
    Assign Favorite Links ..... 15
    Assign Favorite Scripts ..... 16
    Assign User Characteristics ..... 16
    Defining Users to User Groups ..... 17
    Defining User Groups to Application Services ..... 18
    Define Users to Data Access Groups ..... 20
    User Enable and Disable ..... 21
    Managing Batch Users ..... 22
    Managing Web Services Users ..... 23
    Authentication User ..... 23
Advanced Security ..... 25
    About Advanced Security ..... 25
    JEE Authentication Group ..... 25
    Logon Configuration ..... 25
    Data Ownership Rules ..... 26
    Configuring JMX Security ..... 27
    Default Simple File Based security ..... 27
    SSL based Security ..... 28
    Using Other Security Sources ..... 28
    Menu Security Guidelines ..... 29
    Security Types ..... 29
    Default Generic Application Services ..... 30
    Administration Delegation ..... 30
    Secure Communications (SSL) ..... 31
    Data Masking Support ..... 31
    Securing Files ..... 33
    Password Management ..... 33
    Securing Online Debug Mode ..... 34
    Securing Online Cache Management ..... 35
    Web Services Security ..... 35
    Message Driven Bean Security ..... 36
    SOAP Security ..... 36
    Groovy Support ..... 37
    Oracle Cloud Object Storage Support ..... 37
    HTTP Proxy Support ..... 38
    SYSUSER Account ..... 38
Audit Facilities ..... 40
    About Audit ..... 40
    Audit Configuration ..... 40
    Audit Query by Table/Field/Key ..... 41
    Audit Query By User ..... 41
    Read Auditing ..... 42
    Integrating to Audit Vault ..... 42
Database Security ..... 44
    About Database Security ..... 44
    Database Users ..... 44
    Database Roles ..... 44
    Database Permissions ..... 45
    Using Transparent Data Encryption ..... 45
    Using Database Vault ..... 45
Security Integration ..... 46
    About Security Integration ..... 46
    LDAP Integration ..... 46
    Single Sign On Integration ..... 46
    Kerberos Support ..... 46
    Oracle Identity Management Suite Integration ..... 47
Keystore and Truststore Support ..... 48
    Creating the Keystore and Truststore ..... 48
    Altering the KeyStore/Truststore options ..... 49
    Synchronize Data Encryption ..... 50
    Upgrading from Legacy to Keystore ..... 51
    Importing Keystores/Truststores ..... 52
Encryption Feature Type ..... 53
    Overview ..... 53
    Configuration of Encrypted Fields ..... 53
Web Services Security ..... 55
    About Web Services Security ..... 55
    Annotation Security ..... 55
    Oracle WebLogic WS-Policy Support ..... 55
    Oracle Web Services Manager Support ..... 56
    Access Control Support ..... 56
    Support for Multiple Policies ..... 56
    Importing Certificates for Inbound Web Services ..... 57
Whitelist Support ..... 58
    About Whitelist Support ..... 58
    URL Whitelist ..... 58
    Implementing a Custom URL Whitelists ..... 59
    SQL Whitelist ..... 59
    HTML WhiteList ..... 60
    Implementing a Custom HTML Whitelist ..... 60
    Groovy Whitelist ..... 60
Custom Authentication Service Provider ..... 61
    What does this Security Provider do? ..... 61
    Where would I use this Security Provider? ..... 61
    Implementing the Security Provider ..... 61
Federated Security Support ..... 63
    Suggested References ..... 63
    Federated Architecture ..... 63
    Prerequisites for Federated Security ..... 64
    Process Flow ..... 64
Federated Online Authentication ..... 66
    Overview ..... 66
    Identity Provider Configuration ..... 67
    Oracle HTTP Server/WebGate Configuration ..... 68
    Define Identity Provider Partner in Oracle Access Manager ..... 68
    Enable Just In Time Provisioning in Identity Federation ..... 69
    Define WebGate Agent ..... 70
    Copy WebGate Agent Configuration to OHS/WebGate ..... 70
    Define Authentication Policy for the Product Domain ..... 70
    Export the OAM SAML Metadata (optional) ..... 71
    Configure the Product Identity Asserter and Authenticators ..... 71
    Configure CLIENT-CERT ..... 72
Federated Web Services ..... 73
    Overview ..... 73
    Process Flow ..... 73
    Set Up OAuth Service ..... 74
    Configure WebGate for SOAP/REST communications ..... 74
    Create OAuth Client ..... 74
    Using Keystores and Credentials ..... 75
    Enable OAuth on Product ..... 78
    Use Oracle Web Service Manager Policies ..... 78
Federated Outbound Messages ..... 79
    Overview ..... 79
    OAuth Policies ..... 80
    Extendable Lookup Configuration ..... 80
    Message Sender Configuration ..... 81
Securing JNDI Access ..... 82
    Overview ..... 82
    Securing Product Access ..... 82
    Providing Additional Access to the JNDI ..... 83
Object Erasure Support ..... 84
    Object Erasure Overview ..... 84
    Configuration Of Object Erasure ..... 84

Oracle Utilities Customer To Meter, Version 2.7.0.1

Preface

Welcome to Oracle Utilities Customer To Meter Security Guide. This guide describes how you can configure security for Oracle Utilities Customer To Meter by using the default features.

This preface contains these topics:
- Audience
- Documentation Accessibility
- Related Documents
- Conventions

Audience

Oracle Utilities Customer To Meter Security Guide is intended for product administrators, security administrators, application developers, and others tasked with performing the following operations securely and efficiently:
- Designing and implementing security policies to protect the data of an organization, users, and applications from accidental, inappropriate, or unauthorized actions
- Creating and enforcing policies and practices of auditing and accountability for inappropriate or unauthorized actions
- Creating, maintaining, and terminating user accounts, passwords, roles, and privileges
- Developing interfaces that provide desired services securely in a variety of computational models, leveraging product and directory services to maximize both efficiency and ease of use

To use this document, you need a basic understanding of how the product works, and basic familiarity with Oracle WebLogic and Oracle Database security.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For more security-related information, see these Oracle resources:
- Oracle Utilities Customer To Meter Server Administration Guide
- Oracle Utilities Customer To Meter Batch Server Administration Guide
- Oracle Utilities Customer To Meter DBA Guide
- Oracle Database Security Guide
- Oracle Utilities Application Framework Advanced Security (Doc Id: 1375615.1)
- Technical Best Practices for Oracle Utilities Application Framework Based Products (Doc Id: 560367.1)
- Batch Best Practices for Oracle Utilities Application Framework based products (Doc Id: 836362.1)
- Production Environment Configuration Guidelines (Doc Id: 1068958.1)
- Database Vault Integration (Doc Id: 1290700.1)
- Oracle Identity Management Suite Integration with Oracle Utilities Application Framework based products (Doc Id: 1375600.1)
- ConfigTools Best Practices (Doc Id: 1929040.1)
- Web Services Best Practices (Doc Id: 2214375.1)

These documents are available from My Oracle Support and/or Oracle Delivery Cloud.

Conventions

The following text conventions are used in this document:

Convention    Meaning
boldface      Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic        Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace     Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

Note: Screen images in this document are for illustrative purposes only.

Note: Menu options in

To support data privacy requirements for master data, object erasure functionality has been added to complement the Information Lifecycle Management capabilities for transaction data. The capability is a set of functions for defining and managing the erasure of important data, including data obfuscation.