C2M Security Guide V2 7 0 3 - Oracle


Security Guide
Oracle Utilities Customer To Meter
Version 2.7.0.3 (OUAF 4.4.0.2.0)
F21754-02
August 2020
(Revised August 2020)

Security Guide, Oracle Utilities Customer To Meter, Version 2.7.0.3 (OUAF 4.4.0.2.0)
F21754-02
Copyright 2019 Oracle. All rights reserved.

The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited.

The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose.

If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs.

Oracle, JD Edwards, PeopleSoft and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party.

Table of Contents

Preface
  Audience
  Documentation Accessibility
  Access to Oracle Support
  Related Documents
  Conventions
  Critical Patches
What's New in Security?
  Manual Object Erasure Support
  Mobile Application OAuth Support
  User Group Services Management Portal
  Encryption Features now in User Exit
Introducing Security
  Security Features
  Additional Security Resources
Authentication
  About Authentication
  Online Authentication
  Batch Authentication
  Web Service Authentication
Authorization
  About Authorization
  Authorization Model
Managing Security
  About Managing Security
  Managing Online Users
    Managing Users
    Template Users
    Assigning To Do Types
    Assigning User Portal Preferences
    Assign Bookmarks
    Assign Favorite Links
    Assign Favorite Scripts
    Assign User Characteristics
    Defining Users to User Groups
    Defining User Groups to Application Services
    Define Users to Data Access Groups
    User Enable and Disable
  Managing Batch Users
  Managing Web Services Users
  Authentication User
Advanced Security
  About Advanced Security
  Java EE Authentication Group
  Logon Configuration
  Data Ownership Rules
  Configuring JMX Security
    Default Simple File Based security
    SSL based Security
    Using Other Security Sources
  Menu Security Guidelines
  Security Types
  Default Generic Application Services
  Administration Delegation
  Secure Communications (SSL)
  Data Masking Support
  Securing Files
  Password Management
  Securing Online Debug Mode
  Securing Online Cache Management
  Web Services Security
  Message Driven Bean Security
  SOAP Security
  Groovy Support
  Oracle Cloud Object Storage Support
  HTTP Proxy Support
  SYSUSER Account
Audit Facilities
  About Audit
  Audit Configuration
  Audit Query by Table/Field/Key
  Audit Query By User
  Read Auditing
  Integrating to Audit Vault
Database Security
  About Database Security
  Database Users
  Database Roles
  Database Permissions
  Using Transparent Data Encryption
  Using Database Vault
Security Integration
  About Security Integration
  LDAP Integration
  Single Sign On Integration
    Kerberos Support
  Oracle Identity Management Suite Integration
Keystore and Truststore Support
  Creating the Keystore and Truststore
  Altering the KeyStore/Truststore options
  Synchronize Data Encryption
  Upgrading from Legacy to Keystore
  Importing Keystores/Truststores
Encryption Feature Type
  Overview
  Configuration of Encrypted Fields
Web Services Security
  About Web Services Security
  Annotation Security
  Oracle WebLogic WS-Policy Support
  Oracle Web Services Manager Support
    Access Control Support
  Support for Multiple Policies
  Importing Certificates for Inbound Web Services
Whitelist Support
  About Whitelist Support
  URL Whitelist
    Implementing a Custom URL Whitelists
  SQL Whitelist
  HTML WhiteList
    Implementing a Custom HTML Whitelist
  Groovy Whitelist
Custom Authentication Service Provider
  What does this Security Provider do?
  Where would I use this Security Provider?
  Implementing the Security Provider
Federated Security Support
  Suggested References
  Federated Architecture
  Prerequisites for Federated Security
    Process Flow
  Federated Online Authentication
    Overview
    Identity Provider Configuration
    Oracle HTTP Server/WebGate Configuration
    Define Identity Provider Partner in Oracle Access Manager
    Enable Just In Time Provisioning in Identity Federation
    Define WebGate Agent
    Copy WebGate Agent Configuration to OHS/WebGate
    Define Authentication Policy for the Product Domain
    Export the OAM SAML Metadata (optional)
    Configure the Product Identity Asserter and Authenticators
    Configure CLIENT-CERT
  Federated Web Services
    Overview
    Process Flow
    Set Up OAuth Service
    Configure WebGate for SOAP/REST communications
    Create OAuth Client
    Using Keystores and Credentials
    Enable OAuth on Product
    Use Oracle Web Service Manager Policies
  Federated Outbound Messages
    Overview
    OAuth Policies
    Extendable Lookup Configuration
    Message Sender Configuration
  Configuring OAuth for the Mobile Framework
Securing JNDI Access
  Overview
  Securing Product Access
  Providing Additional Access to the JNDI
Object Erasure Support
  Object Erasure Overview
  Configuration Of Object Erasure

Oracle Utilities Customer To Meter, Version 2.7.0.3

Preface

Welcome to Oracle Utilities Customer To Meter Security Guide. This guide describes how you can configure security for Oracle Utilities Customer To Meter by using the default features.

This preface contains these topics:
- Audience
- Documentation Accessibility
- Related Documents
- Conventions

Audience

Oracle Utilities Customer To Meter Security Guide is intended for product administrators, security administrators, application developers, and others tasked with performing the following operations securely and efficiently:
- Designing and implementing security policies to protect the data of an organization, users, and applications from accidental, inappropriate, or unauthorized actions
- Creating and enforcing policies and practices of auditing and accountability for inappropriate or unauthorized actions
- Creating, maintaining, and terminating user accounts, passwords, roles, and privileges
- Developing interfaces that provide desired services securely in a variety of computational models, leveraging product and directory services to maximize both efficiency and ease of use

To use this document, you need a basic understanding of how the product works, and basic familiarity with the security aspects of the Oracle WebLogic and Database security.

Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Documents

For more security-related information, see these Oracle resources:
- Oracle Utilities Customer To Meter Server Administration Guide
- Oracle Utilities Customer To Meter Batch Server Administration Guide
- Oracle Utilities Customer To Meter DBA Guide
- Oracle Database Security Guide
- Oracle Utilities Application Framework Advanced Security (Doc Id: 1375615.1)
- Technical Best Practices for Oracle Utilities Application Framework Based Products (Doc Id: 560367.1)
- Batch Best Practices for Oracle Utilities Application Framework based products (Doc Id: 836362.1)
- Database Vault Integration (Doc Id: 1290700.1)
- Oracle Identity Management Suite Integration with Oracle Utilities Application Framework based products (Doc Id: 1375600.1)
- ConfigTools Best Practices (Doc Id: 1929040.1)
- Web Services Best Practices (Doc Id: 2214375.1)

These documents are available from My Oracle Support and/or Oracle Delivery Cloud.

Conventions

The following text conventions are used in this document:

Convention: Meaning
boldface: Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic: Italic type indicates book titles, emphasis, or placeholder variables for which you supply values.
monospace: Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen,
