Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 1K views

    JD Edwards Enterprise One 8.98 Security Best Practices

    Uploaded by

    Shunshi Nakagawa
    Oracle is a registered trademark of Oracle Corporation and / or its affiliates. This software and related documentation are provided under a license agreement. Subject to patent protection under one or more of the following U.S. Patents.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd

    JD Edwards Enterprise One 8.98 Security Best Practices

    Uploaded by

    Shunshi Nakagawa
    1K views36 pages
    Oracle is a registered trademark of Oracle Corporation and / or its affiliates. This software and related documentation are provided under a license agreement. Subject to patent protection under one or more of the following U.S. Patents.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Oracle is a registered trademark of Oracle Corporation and / or its affiliates. This software and related documentation are provided under a license agreement. Subject to patent protection under one or more of the following U.S. Patents.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    1K views36 pages

    JD Edwards Enterprise One 8.98 Security Best Practices

    Uploaded by

    Shunshi Nakagawa
    Oracle is a registered trademark of Oracle Corporation and / or its affiliates. This software and related documentation are provided under a license agreement. Subject to patent protection under one or more of the following U.S. Patents.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 36

    JD Edwards EnterpriseOne Tools 8.

    98 Security Best Practices

    April 2009

    Copyright Notice
    Copyright 2009, Oracle and/or its affiliates. All rights reserved.

    Trademark Notice
    Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

    License Restrictions Warranty/Consequential Damages Disclaimer


    This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. Subject to patent protection under one or more of the following U.S. patents: 5,781,908; 5,828,376; 5,950,010; 5,960,204; 5,987,497; 5,995,972; 5,987,497; and 6,223,345. Other patents pending.

    Warranty Disclaimer
    The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

    Restricted Rights Notice


    If this software or related documentation is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are commercial computer software or commercial technical data pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, duplication, disclosure, modification, and adaptation shall be subject to the restrictions and license terms set forth in the applicable Government contract, and, to the extent applicable by the terms of the Government contract, the additional rights set forth in FAR 52.227-19, Commercial Computer Software License (December 2007). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065.

    Hazardous Applications Notice


    This software is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications which may create a risk of personal injury. If you use this software in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of this software. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software in dangerous applications.

    Third Party Content, Products, and Services Disclaimer


    This software and documentation may provide access to or information on content, products and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third party content, products and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third party content, products or services. Contains GNU libgmp library; Copyright 1991 Free Software Foundation, Inc. This library is free software which can be modified and redistributed under the terms of the GNU Library General Public License. Includes Adobe PDF Library, Copyright 1993-2001 Adobe Systems, Inc. and DL Interface, Copyright 1999-2008 Datalogics Inc. All rights reserved. Adobe is a trademark of Adobe Systems Incorporated. Portions of this program contain information proprietary to Microsoft Corporation. Copyright 1985-1999 Microsoft Corporation. Portions of this program contain information proprietary to Tenberry Software, Inc. Copyright 1992-1995 Tenberry Software, Inc. Portions of this program contain information proprietary to Premia Corporation. Copyright 1993 Premia Corporation.

    This product includes code licensed from RSA Data Security. All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). All rights reserved. This product includes the Sentry Spelling-Checker Engine, Copyright 1993 Wintertree Software Inc. All rights reserved.

    Open Source Disclosure


    Oracle takes no responsibility for its use or distribution of any open source or shareware software or documentation and disclaims any and all liability or damages resulting from use of said software or documentation. The following open source software may be used in Oracle's JD Edwards EnterpriseOne products and the following disclaimers are provided. This product includes software developed by the Apache Software Foundation (http://www.apache.org/). Copyright (c) 1999-2000 The Apache Software Foundation. All rights reserved. THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    Table of Contents
    Security Best Practices Overview 7

    Introduction......................................................................................................7

    JD Edwards EnterpriseOne System Components

    Common System-Wide Security Practices......................................................10


    Apply Latest Patch................................................................................................... 10 Apply Oracle Critical Patch Update ......................................................................... 10 Monitor System Activity ........................................................................................... 10 Configure Accounts Securely .................................................................................. 10 Enable Minimum Level of Logging .......................................................................... 11 Set Up Change Management Process .................................................................... 11

    Network Infrastructure Security .......................................................................11


    Overview.................................................................................................................. 11 Set Up Firewall and DMZ ........................................................................................ 11

    Database Security ...........................................................................................12


    Overview.................................................................................................................. 12 Change Default Database Installation Passwords .................................................. 12 Change Default JD Edwards EnterpriseOne Database User Passwords ............... 12 Lock Database User Accounts for Previous Releases............................................ 13 Limit Access to Query Tools.................................................................................... 13 Use SETOWAUT for iSeries.................................................................................... 13

    Deployment Server Security............................................................................13


    Overview.................................................................................................................. 13 Limit Access to System ........................................................................................... 13 Secure Configuration File ........................................................................................ 14 Secure Log Files...................................................................................................... 14

    JD Edwards EnterpriseOne Enterprise Server Security..................................14


    Overview.................................................................................................................. 14 Limit Remote Access ............................................................................................... 14 Secure Configuration File ........................................................................................ 14 Limit Access to Administer JD Edwards EnterpriseOne Services........................... 15 Secure Log Files...................................................................................................... 15 Limit Access to BSFN Trace Logs........................................................................... 15 Limit Access to PrintQueue Directory...................................................................... 15 Use Security Server................................................................................................. 15

    JD Edwards EnterpriseOne HTML Web Server Security ................................15

    Copyright 2008, Oracle. All rights reserved

    Overview.................................................................................................................. 15 Oracle Application Server........................................................................................ 16 IBM WebSphere ...................................................................................................... 16 Secure Configuration Files ...................................................................................... 16 Secure Log Files...................................................................................................... 16 J2EE Session Timeout Setting ................................................................................ 17 Limit Access to Media Object Queue Directory....................................................... 17 Set Up FTP User Access to Media Objects ............................................................ 17 Use SSL (HTTPS) Between Browser and Web Server........................................... 17 Turn Off Directory Listing......................................................................................... 18 Denial-of-Service Attacks ........................................................................................ 18

    Portal Server Security .....................................................................................18


    Overview.................................................................................................................. 18 Collaborative Portal ................................................................................................. 18 Oracle Portal............................................................................................................ 19

    Integration Server Security..............................................................................19


    Overview.................................................................................................................. 19 Limit Access of JD Edwards EnterpriseOne WSG User to EnterpriseOne Data .... 19 Secure Integration Server Access ........................................................................... 20 Set Up User IDs, Passwords, and Permissions ...................................................... 20 Disable Well-Known User Accounts ........................................................................ 20 Secure Configuration Files ...................................................................................... 20 Secure Log Files...................................................................................................... 20

    Transaction Server Security ............................................................................21


    Overview.................................................................................................................. 21 Secure Configuration Files ...................................................................................... 21 Limit Access to RTE Administration Applications.................................................... 21 Secure Log Files...................................................................................................... 21

    Connectors Security ........................................................................................22


    Overview.................................................................................................................. 22 Secure Configuration Files ...................................................................................... 22 Secure Log Files...................................................................................................... 22

    Performance Monitor Security.........................................................................22


    Overview.................................................................................................................. 22 Limit Access to Performance Administration Applications ...................................... 23 Secure Configuration Files ...................................................................................... 23 Secure Log Files...................................................................................................... 23 Disable PPMConsole............................................................................................... 23

    Desktop Security .............................................................................................25


    Overview.................................................................................................................. 25 Disable Browser Cache Setting............................................................................... 25 Update Browser ....................................................................................................... 25 Turn Off Browser AutoComplete Setting ................................................................. 25 Set Policy for Unattended PC Sessions .................................................................. 25 Turn Off Server BSFN Trace for Windows Client.................................................... 25

    JD Edwards EnterpriseOne Tools and Administration Applications Security........................................................................................................26

    Copyright 2008, Oracle. All rights reserved

    Overview.................................................................................................................. 26 Change Default JD Edwards EnterpriseOne Passwords ........................................ 26 JD Edwards EnterpriseOne Authorization Model .................................................... 26 Set Up Role-Based Authorization............................................................................ 28 Follow the Principle of Least Privilege..................................................................... 28 Secure JD Edwards EnterpriseOne Administration Applications and Reports ....... 28 Secure JD Edwards EnterpriseOne Administration Tables..................................... 28 Regularly Run Security Maintenance Reports ........................................................ 29 Set Up Password Policies ....................................................................................... 29 Enforce Security Settings Immediately.................................................................... 29 Change Password Frequently ................................................................................. 29 Set Force Immediate Password Change when Creating a User Account............... 30 Lock Out User Account After Invalid Login Attempts .............................................. 30 Enable Auditing of Security Operation..................................................................... 30 Purge Audit Table Records ..................................................................................... 30 Limit Access to Design Tools and Universal Table Browser................................... 30 Limit Access to Data Browser.................................................................................. 30 Set Up Processing Option Security ......................................................................... 31 Set Up Column Security on Work with Submitted Jobs .......................................... 31 Set Up OMW Security.............................................................................................. 31 Set Up LDAP SSL.................................................................................................... 31 Assign Role with Least Privilege for _LDAPDEFLT User........................................ 31 Set Up Single Sign-on Node.................................................................................... 32 Support of Longer User Names and Passwords ..................................................... 32 Disable the Unused User Accounts......................................................................... 32 Set Up an Independent Security Environment ........................................................ 32

    Third Party Tools Security ...............................................................................33


    Secure PIM Sync ..................................................................................................... 33 Secure Mobile Client................................................................................................ 33

    Appendix A - Default Database User Accounts Appendix B Additional Network Infrastructure Security Appendix C Useful Links

    34 35 36

    Enable Predefined JDENET Ports in JDE.INI ......................................................... 35

    Copyright 2008, Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Security Best Practices Overview


    This best practices document provides guidelines and recommendations for configuring and deploying Oracles JD Edwards EnterpriseOne to make it more secure in real-world, customer environments. This is a practical guide for technical users, installers, and system administrators who implement and maintain the JD Edwards EnterpriseOne system. This document discusses guidelines on how to address security at a customer implementation, including hardening of JD Edwards EnterpriseOne database, hardening of the JD Edwards EnterpriseOne tools and administration applications and other systemhardening configuration recommendations. This document does not cover the configuration for securing JD Edwards EnterpriseOne business applications by different vertical industries like SCM and CRM. This best practices document is a living document and will be enhanced and modified in response to the needs of JD Edwards EnterpriseOne customers. It is recommended that you fully test the security setup in a customer environment to ensure proper functionality and integrity. It is not possible to address every security scenario that might be applicable to a particular implementation and environment. Therefore, the items discussed in this document are intended to give a broad best practices baseline for securing JD Edwards EnterpriseOne.

    Introduction
    In todays environment, a properly secured computing infrastructure is critical. As companies expand, so does the complexity of their business processes. In an internet environment, the risks to valuable and sensitive data are greater than ever before. In addition, a companys computing infrastructure grows as more third-party products are integrated with its enterprise software. As a result, this type of environment can create potential security gaps. This best practices guide will help you ensure that JD Edwards EnterpriseOne and the various components involved in a JD Edwards EnterpriseOne setup are properly secured. This best practices guide provides guidance in setting up security for JD Edwards EnterpriseOne systems beyond application security. It provides information about securing the overall infrastructure of a deployed JD Edwards EnterpriseOne system. It is critical that you secure a JD Edwards EnterpriseOne environment in alignment with your companys enterprise security policies. Those policies should be created based upon your established security model. When securing a JD Edwards EnterpriseOne environment, you should take a comprehensive approach that is in concert with the overall corporate security policies, guidelines, and business requirements. This guide covers guidelines and recommendations for securing a JD Edwards EnterpriseOne environment based on security features available in JD Edwards EnterpriseOne Applications 9.0 and JD Edwards EnterpriseOne Tools 8.98.

    Copyright 2009, Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    This guide is not intended to replace the JD Edwards EnterpriseOne Tools documentation delivered with the product. It provides references to relevant information in JD Edwards EnterpriseOne Tools guides. The reader of this guide should have a well-rounded understanding of the JD Edwards EnterpriseOne system.

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    JD Edwards EnterpriseOne System Components


    This chapter contains information on common system-wide security practices, network infrastructure security, as well as information on how to secure the following JD Edwards EnterpriseOne components:
    Databases Deployment server Enterprise (business logic) server Web application server Portal Server Integration Server Transaction Server Performance Monitor JD Edwards EnterpriseOne tools and administration applications Third-party tools

    This illustration shows the various components of a JD Edwards EnterpriseOne configuration:

    Copyright 2009, Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Common System-Wide Security Practices


    Apply Latest Patch One of the principles of good security practices is to keep all software versions and patches up-to-date. Establish a policy to keep track of all the vendorsincluding Oraclethat have supplied software for the production environment. Also, identify the latest software patches and apply them regularly. Refer to the minimum technical requirements (MTR) and any restrictions for the software you are using when applying patches. JD Edwards EnterpriseOne minimum technical requirements information is available in the JD Edwards EnterpriseOne Current MTR Index on the My Oracle Support web site. Apply Oracle Critical Patch Update Oracle releases information (and patches) for security issues for most products through quarterly, bundled, integrated Critical Patch Updates (CPU). JD Edwards EnterpriseOne Tools security patches are also released with the quarterly Oracle CPU, these patches are normal tools one-off service packs. CPUs include fixes for the most critical security issues, fixes to avoid patch conflict, or prerequisites for security fixes. The release dates for CPUs are announced a year in advance and are selected based on most customers financial calendars. Oracle tries to avoid the blackout dates during which customers generally do not touch their financial systems. Refer to the Oracle Critical Patch Updates and Security Alert website for more information: http://www.oracle.com/technology/deploy/security/alerts.htm Monitor System Activity One of the main requirements of system security is monitoring. Auditing and reviewing audit records address this requirement. Each component within a system has some degree of monitoring capability. Establish a policy to check and monitor activities in your system regularly. Refer to the database and operating system documentation for audit functionality. For JD Edwards EnterpriseOne, follow the advice in this document and regularly monitor audit records. Configure Accounts Securely Good security requires secure accounts. Establish a policy to set up strict password controls for all accounts including the database, operating system, and JD Edwards EnterpriseOne so that passwords are not compromised. Often, people use passwords associated with them, such as license plate numbers, children's names or a hobby. In addition, establish a policy to periodically change passwords.

    10

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Enable Minimum Level of Logging Always run the JD Edwards EnterpriseOne and other systems with a minimum level of logging in the production environment. Running JD Edwards EnterpriseOne with a debug level of logging in the production environment adversely impacts system performance as well as it logs unnecessary sensitive information about the environment. Furthermore, the logs can be used to exploit the system if a malicious user obtains access to the log files. Set Up Change Management Process Establish a policy to set up a change management process to keep track of all the changes in your software systems. All changes should be approved and audited.

    Network Infrastructure Security


    Overview In an internet environment, securing the network infrastructure is the foremost priority for an organization because the risks to valuable and sensitive data are greater than in a WAN environment. To eliminate potential weak points in the network infrastructure, you may opt to pass data from protocol to protocol without the complexity of decryption and encryption. To do so securely, you must have some way to securely transfer data across network protocol boundaries. The internet enables you to connect your corporate intranet to a broad public network. Although this capability provides enormous business advantages, it also poses a risk to your data and your computer system. One way of protecting the privacy and integrity of your system is to place a firewall between the public network and your intranet. Set Up Firewall and DMZ A firewall is one of the most common network devices used to secure a network environment. Set up a firewall and demilitarized zone (DMZ) to block unauthorized traffic. You should place the JD Edwards EnterpriseOne HTTP server in a DMZ configuration for internet facing systems. Keep the JD Edwards HTML Web Server, database, and enterprise (business logic) server behind a firewall. In addition, you can also place a firewall between the web application server and the database or Enterprise Server to add an additional layer of protection (see Appendix B). Firewalls provide assurance that access to these systems is restricted to a known network route that can be monitored.

    Copyright 2009, Oracle. All rights reserved

    11

    JD Edwards EnterpriseOne Security Best Practices

    This illustration shows the recommended firewall setup for JD Edwards EnterpriseOne:

    You should also install an Intrusion Detection System (IDS) and establish a policy to regularly monitor unauthorized traffic.

    Database Security
    Overview JD Edwards EnterpriseOne stores all the system and business data in a supported relational database. Therefore, it is extremely important that you carefully set up security for the database server. Change Default Database Installation Passwords Following an installation, the application database instance might contain default, open schema accounts with default passwords. These accounts and corresponding passwords are well-known, and they should be changed, especially for a database used in a production environment. Change Default JD Edwards EnterpriseOne Database User Passwords JD Edwards EnterpriseOne installation process creates various database users with a default password (Same as User). You should change these database user passwords after a successful installation or upgrade. After changing a database users password, you might have to modify configuration files for the deployment server and JD Edwards EnterpriseOne security server because these servers use information from the configuration files to connect to database. See Appendix A in this guide for a list of default database user accounts for JD Edwards EnterpriseOne 9.0.

    12

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Lock Database User Accounts for Previous Releases If you are upgrading a JD Edwards EnterpriseOne application release, delete or lock all the database accounts used by previous JD Edwards EnterpriseOne releases. Limit Access to Query Tools Database user passwords should be strong and end users should have limited access to Query Tools. Use SETOWAUT for iSeries SETOWAUT is a set of tools you can use in the end of installation to secure JD Edwards EnterpriseOne objects on your iSeries Enterprise Server. The libraries and tables delivered by the Platform Pack installation are not secured. To provide sufficient security, you should run the tool SETOWAUT which allows you to lock down libraries and IFS directories delivered by the Platform Pack installation. Use JD Edwards EnterpriseOne SETOWAUT tool to exclude public access to the JD Edwards EnterpriseOne database on an iSeries system. Refer to Working with Database Security in the JD Edwards EnterpriseOne Applications Release 9.0 Installation Guide for DB2/400 on iSeries Guide for more information on SETOWAUT.

    Deployment Server Security


    Overview The Deployment Server typically contains JD Edwards EnterpriseOne source code, package build areas, install packages, and licensing information. Limit Access to System Use these guidelines when setting up security for the deployment server:
    Only allow system administrators to log on to the deployment server. Do not place shared services such as printing or DNS services on this host. Run only JD Edwards EnterpriseOne on this machine for software installs and upgrades. Do not create user accounts on this machine. Give full access to the media object queue directory for only one user account that is accessing this directory from JD Edwards EnterpriseOne HTML Web Server when you are not accessing media objects from a Microsoft Windows client. Limit access to PrintQueue directory.

    Copyright 2009, Oracle. All rights reserved

    13

    JD Edwards EnterpriseOne Security Best Practices

    Secure Configuration File The deployment server configuration file (JDE.INI) might contain the override password for the default database user to connect to JD Edwards EnterpriseOne data sources when doing an installation, upgrade, or applying a software update. Therefore, you need to secure this file using operating system security such as Microsoft Windows security, UNIX object security, or iSeries object security. After a successful install, upgrade, or software update, remove the [DSPWD] section from JDE.INI. Secure Log Files You should give only certain users access to view deployment server log files (error and debug), as these files might contain sensitive information about the user and location of the database.

    JD Edwards EnterpriseOne Enterprise Server Security


    Overview The JD Edwards EnterpriseOne Enterprise Server (otherwise known as the business logic server) is used as middleware to run various functions such as business functions and reports. In addition, it functions as the security server. You must secure this server so that only CNC administrators have access to it. Limit Remote Access You should prohibit or severely limit remote session access and remote session control for the enterprise server. Secure Configuration File The JD Edwards EnterpriseOne Enterprise Server configuration file (JDE.INI) contains the user ID and password. Therefore, you should secure this file using operating system security such as Microsoft Windows security, UNIX object security, or iSeries object security. Caution Implementing security on these files will prevent Server Manager from modifying configuration settings within these files.

    14

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Limit Access to Administer JD Edwards EnterpriseOne Services You should give only certain users authority to start and stop JD Edwards EnterpriseOne processes and to run scripts because this authority also requires access to the JDE.INI file, which contains the database password. Do not give users access to update JD Edwards EnterpriseOne script files for starting and stopping services. Secure Log Files You should give only certain users access to log files (error and debug) on the Enterprise Server. These files might contain sensitive information about the user and the location of the database. Caution Implementing security on these files will prevent Server Manager from being able to display the logs.

    Limit Access to BSFN Trace Logs Change the ClientLog setting to 0 in the [DEBUG] section of the JDE.INI so that Call Object kernel does not send the BSFN server logs back to the workstation after executing the BSFN calls. Refer to the JD Edwards EnterpriseOne Tools Release 8.98 Server Manager Guide for more information about this setting. Limit Access to PrintQueue Directory JD Edwards EnterpriseOne Enterprise Server stores all the report output in the PrintQueue directory. You should give only certain users access to the PrintQueue directory. Use Security Server In a production environment, always use the security server. You can run business logic on the enterprise server without using a security server when logged in with a user ID that is also a database user.

    JD Edwards EnterpriseOne HTML Web Server Security


    Overview JD Edwards EnterpriseOne HTML Web Server is a critical component of the JD Edwards EnterpriseOne system. It is used as a gateway by all web users to access JD Edwards

    Copyright 2009, Oracle. All rights reserved

    15

    JD Edwards EnterpriseOne Security Best Practices

    EnterpriseOne. JD Edwards EnterpriseOne supports Oracle Application Server and IBM WebSphere Application Server for a web solution. Oracle Application Server If you have deployed an Oracle Application Server, take the steps listed on the following website to make the installation more secure: http://www.oracle.com/technology/deploy/security/as_security/index.html IBM WebSphere If you have deployed an IBM WebSphere server, follow IBMs recommendations to make the installation more secure: http://www.redbooks.ibm.com/abstracts/sg246573.html (WebSphere V5) http://www.redbooks.ibm.com/abstracts/sg246316.html (WebSphere V6.1) Secure Configuration Files JD Edwards EnterpriseOne HTML Web Server uses these configuration files:
    JAS.INI JDBj.INI JDELOG.PROPERTIES

    In addition, the web server can have a Tokengen.ini in a single sign-on environment. These files contain sensitive information that should not be available to all users, so you should use operating system security to secure the files. Caution Implementing security on these files will prevent Server Manager from modifying configuration settings within these files.

    Secure Log Files You should give only certain users access to log files (error and debug) on the JD Edwards EnterpriseOne HTML Web Server. These files might contain sensitive information about the user and the location of the database. Caution Implementing security on these files will prevent Server Manager from being able to display the logs.

    16

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    J2EE Session Timeout Setting After a user signs in, he or she can stay connected as long as the sign-in time allows and as long as the browser does not sit idle for longer than the timeout interval. A timeout interval specifies how long the users machine can remain idle before J2EE Application server automatically disconnects the user from the application. Set up the policy for inactive session timeout and set this value accordingly. For the web application server, this value is 30 minutes by default. Refer to the JD Edwards EnterpriseOne Tools 8.98 HTML Web Server Reference Guide for more information on setting the timeout values. Limit Access to Media Object Queue Directory The JD Edwards EnterpriseOne HTML Web Server caches the media object files under /jde/moqueue/ directory of the installed web application. The operating system user for whom the web application server process is running must have full access to this directory. Secure access for all other users to this directory on the web server. You should use media object security in JD Edwards EnterpriseOne to secure access to media object attachments from JD Edwards EnterpriseOne applications. Refer to Working with Security Workbench in the JD Edwards EnterpriseOne Tools Release 8.98 Security Administration Guide for more information on setting up media object security. Set Up FTP User Access to Media Objects You can configure the system to use Windows NT Share or FTP protocol to access media object files from media object queue directories. The FTP user ID and password should be provided in the JAS.INI file to access media object queue directories. The FTP user or operating system user (in case of Windows NT Share) for whom the web server process is running should have full access to media object queue directories. You should limit the access to any other directories on the server where the media object queue directories are located for this FTP user or operating system user. All other users should not have access to media object queue directories when users are not accessing media objects from the Windows client. Use SSL (HTTPS) Between Browser and Web Server Information sent over the network and across the internet in clear text can be intercepted. The Secure Socket Layer (SSL) protocol, developed by Netscape Corporation, is an industry-accepted standard for network transport layer security. SSL is supported by all currently available web servers and web browsers. You should configure SSL on JD Edwards EnterpriseOne HTML Web Server, especially in an internet environment. Refer to Configuring Secure Socket Layer for JAS in the JD Edwards EnterpriseOne Tools 8.98 HTML Web Server Reference Guide for more information on setting up SSL with JD Edwards EnterpriseOne HTML Web Server running on the Oracle Application Server or IBM WebSphere Application Server.

    Copyright 2009, Oracle. All rights reserved

    17

    JD Edwards EnterpriseOne Security Best Practices

    Disable non-secure HTTP on the web application server after making sure that HTTPS is set up and working properly. Refer to the Network Infrastructure Security section in this guide for information about setting up network security in an internet environment. Turn Off Directory Listing Directory indexes display the contents of a directory if there is no index.html or similar file available. Disabling this entry prevents an intruder from viewing the files in a directory and potentially finding a file that could provide access to the system. Refer to the HTTP Server documentation to disable this feature in the web server configuration file. Denial-of-Service Attacks Denial-of-service (DOS) attacks can occur when a large number of poorly formed requests are sent to servlets. You can reduce the impact of Dos attacks, but it is impossible to prevent them. If an attacker throws enough data at a server to continuously use all the available network bandwidth, it will crowd out legitimate traffic, regardless of how the software is configured. Denial of service can only be handled at an application server level. To configure to reduce the impact of denial of service attacks, refer to the security documentation for your application server.

    Portal Server Security


    Overview JD Edwards EnterpriseOne provides single sign-on support from the Collaborative Portal and Oracle Portal. Both portals use token-based authentication for achieving single signon with JD Edwards EnterpriseOne. Refer to the following chapters in the JD Edwards EnterpriseOne Tools Release 8.98 Security Administration Guide:
    Understanding JD Edwards EnterpriseOne Single Sign-On Setting Up EnterpriseOne Single Sign-On

    Collaborative Portal Note the following items when setting up single sign-on for Collaborative Portal:
    A single sign-on token is generated by Collaborative Portal. You should set up a new node to support single sign-on for the Collaborative Portal server. You can create a single sign-on node configuration using the JD Edwards EnterpriseOne SSO application. TokenGen.ini, which is located in following directory should be modified with the node name and node password:

    For WebSphere 5.0: AppServer\properties


    18 Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    For WebSphere 6.0: AppServer\profiles\<profile_name>\properties Oracle Portal Note the following items when setting up single sign-on for Oracle Portal:
    Single sign-on token is generated by the JD Edwards EnterpriseOne provider server. The provider server can be either WebSphere Application Server or Oracle Application Server and can be used as a standalone HTML server. You should set up a new node for supporting single sign-on from provider server. You should create a single sign-on node configuration using the JD Edwards EnterpriseOne SSO application. TokenGen.ini, located in the /system/generator directory, should be modified with the node name and node password before generating the Portlets. Refer to Generating the Required Portlets to the WebClient_Oracle_Portal.war File in the JD Edwards EnterpriseOne Tools Release 8.98 Portal Reference Guide for All Portals and Platforms for more information on setting up TokenGen.ini.

    The TokenGen.ini file contains node name and node password in plain text. You need to secure this file using operating system security. In addition to the above guidelines, follow all the instructions in the JD Edwards EnterpriseOne HTML Web Server Security section in this guide to secure your web environment.

    Integration Server Security


    Overview JD Edwards EnterpriseOne Web Services Gateway (WSG) is designed only for point-topoint scenarios, and JD Edwards EnterpriseOne must be one of the points. It is not to be used as an integration hub. WSG provides interoperability with Oracle Business Process Execution Language Process Manager (BPEL-PM). Interoperability consists of web services that are created in WSG and consumed by Oracle BPEL PM, as well as web services that are provided by Oracle BPEL PM and consumed by WSG. Limit Access of JD Edwards EnterpriseOne WSG User to EnterpriseOne Data A JD Edwards EnterpriseOne user or role is used in the configuration of the JD Edwards EnterpriseOne adapter. The adapter has read access to the same tables as this JD Edwards EnterpriseOne user or role. It is recommended that you set up JD Edwards EnterpriseOne row security for tables that contain secure data and JD Edwards EnterpriseOne system information. Refer to JD Edwards EnterpriseOne Tools Release 8.98 Web Services Gateway Installation and Setup Guide for more information.

    Copyright 2009, Oracle. All rights reserved

    19

    JD Edwards EnterpriseOne Security Best Practices

    Secure Integration Server Access It is recommended that you allow an administrator access to the server so that he or she can develop and update packages, as well as secure Integration Server ports. Refer to Managing Server Security in the webMethods Integration Server Administrators Guide. Set Up User IDs, Passwords, and Permissions Ask the database administrator to set up the user IDs, passwords, and database permissions required for Integration Server to connect to the database. Integration Server requires create, update, and delete permissions. The first time Configuration Editor is accessed, it creates new tables or modifies existing tables. Initially, the database user needs administrative privileges; however you should limit these privileges once Configuration Editor has created the tables. Disable Well-Known User Accounts WSG Integration Server uses the default passwords for privileged user accounts such as Administrator and Developer. It is recommended that you change these passwords or disable these accounts immediately after installation. Refer to Managing Users and Groups in the webMethods Integration Server Administrators Guide. Secure Configuration Files WSG stores the JD Edwards EnterpriseOne user ID and password in plain text in the jdeinterop.ini file to connect to JD Edwards EnterpriseOne. An administrator should secure this file as well as other configuration files (JDBj.INI and JDELOG.PROPERTIES) so that only certain users have read and write access to them. Caution Implementing security on these files will prevent Server Manager from modifying configuration settings within these files.

    Secure Log Files You should give only certain users access to view Integration Server log files (error and debug), as these files might contain sensitive information about the user and location of the database. Caution Implementing security on these files will prevent Server Manager from being able to display the logs.

    20

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Transaction Server Security


    Overview JD Edwards EnterpriseOne event functionality provides an infrastructure that can capture JD Edwards EnterpriseOne transactions in various ways and provides real-time notification to third-party software, end users, and other Oracle systems such as Web Services Gateway (WSG) and Customer Relationship Management (CRM). Secure Configuration Files Transaction Server uses the bootstrap user and password from JDBj.INI in install_directory/E1TranSrv/cfg directory. Secure this file, as well as other configuration files (JAS.INI and JDELOG.PROPERTIES), using operating system security. Caution Implementing security on these files will prevent Server Manager from modifying configuration settings within these files.

    Limit Access to RTE Administration Applications Use JD Edwards EnterpriseOne Application security to limit access to the following JD Edwards EnterpriseOne applications to administrators only:
    P90701A (Event definition and activation) P90702A (subscriber and subscription) R90706 (Convert Event Subscriptions) to create Queue Entries

    Refer to Using Guaranteed Events in the JD Edwards EnterpriseOne Tools 8.98 Interoperability Guide for more information. Secure Log Files You should give only certain users access to view Transaction Server log files (error and debug), as these files might contain sensitive information about the user and location of the database. Caution Implementing security on these files will prevent Server Manager from being able to display the logs.

    Copyright 2009, Oracle. All rights reserved

    21

    JD Edwards EnterpriseOne Security Best Practices

    Connectors Security
    Overview Connectors are point-to-point component-based interoperability models that enable thirdparty applications and JD Edwards EnterpriseOne to share logic and data. JD Edwards EnterpriseOne connector architecture includes Java, Dynamic Java, and Component Object Model (COM) connectors and provides access to JD Edwards EnterpriseOne business logic and data. Secure Configuration Files Java connector and COM connector use configuration files to connect to a JD Edwards EnterpriseOne environment. Secure JDBj.ini, interop.ini and JDELOG.PROPERTIES using operating system security. Caution Implementing security on these files will prevent Server Manager from modifying configuration settings within these files.

    Secure Log Files You should give only certain users access to view connector log files (error and debug), as these files might contain sensitive information about the user and location of the database. Refer to JD Edwards EnterpriseOne Tools 8.98 Connectors Guide for more information about connectors.

    Caution Implementing security on these files will prevent Server Manager from being able to display the logs.

    Performance Monitor Security


    Overview

    22

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Oracles JD Edwards EnterpriseOne Performance Monitor enables you to view real-time and historical performance data of your JD Edwards systems. JD Edwards EnterpriseOne Performance Monitor provides the information that you need to solve immediate performance issues and analyze trends in system performance. By default, JD Edwards EnterpriseOne Performance Monitor is disabled on a new JD Edwards EnterpriseOne installation. Limit Access to Performance Administration Applications Use JD Edwards EnterpriseOne Application security to limit access to the following applications to administrators:
    P95900 Global Administration P9500 Agent Related

    Refer to Administering JD Edwards EnterpriseOne Performance Monitor in the JD Edwards EnterpriseOne Tools 8.98 Performance Monitor Guide for more information on administration applications. Secure Configuration Files Performance Monitor uses the bootstrap user and password from JDBj.INI in install_directory/E1TranSrv/cfg directory. Secure this file, as well as other configuration files (JAS.INI and JDELOG.PROPERTIES), using operating system security. Caution Implementing security on these files will prevent Server Manager from modifying configuration settings within these files.

    Secure Log Files You should give only certain users access to view Transaction Server log files (error and debug), as these files might contain sensitive information about the user and location of the database. Caution Implementing security on these files will prevent Server Manager from being able to display the logs.

    Disable PPMConsole The PPMConsole setting under the [PERFMON] section of the JAS.INI file controls whether or not users can view the monitor servlets status. If true, then users can check

    Copyright 2009, Oracle. All rights reserved

    23

    JD Edwards EnterpriseOne Security Best Practices

    the monitor servlets status. Some HTML pages can be used to view the status of different PerfMon Servlets and E1PmJavaAdapter process. By default, this setting is set to False. If the setting was enabled to troubleshoot during the installation, you should set it to False to make sure end users can not access the PPMConsole.

    24

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Desktop Security
    Overview In the context of JD Edwards EnterpriseOne, a desktop is considered the working environment for end users when accessing JD Edwards EnterpriseOne from the Microsoft Windows client or web browser. Disable Browser Cache Setting A browser caches various pages and states in memory to increase performance. It may be necessary to disable these performance features on the browser for security reasons, especially for a kiosk environment. Refer to the JD Edwards EnterpriseOne Tools 8.98 HTML Web Server Reference Guide for information about configuring the browser to disable caching. Update Browser Update the browser when new versions are released because they often include new security features. Refer to the minimum technical requirements on Customer Connection for information regarding JD Edwards EnterpriseOne supported browsers. Turn Off Browser AutoComplete Setting For kiosk machines, turn off the autocomplete setting for the browser. Although desirable for frequently accessed pages, this feature should be disabled for privacy and security reasons. Even for an intranet environment, do not enable the autocomplete setting to store passwords. Set Policy for Unattended PC Sessions You should create a corporate policy for handling unattended PC sessions. Users are recommended to use the password-locked screen savers feature on all PCs. Turn Off Server BSFN Trace for Windows Client Change the ServerLog setting to 0 in the [DEBUG] section of JDE.INI file so that the Windows client does not request the BSFN server logs from Call Object kernel. Refer to the JD Edwards EnterpriseOne Tools 8.98 Server Manager Guide for more information about this setting.

    Copyright 2009, Oracle. All rights reserved

    25

    JD Edwards EnterpriseOne Security Best Practices

    JD Edwards EnterpriseOne Tools and Administration Applications Security


    Overview It is critical that JD Edwards EnterpriseOne applications deliver data in a secure and reliable fashion. Data integrity, confidentiality, and availability must be maintained. In addition, JD Edwards EnterpriseOne Tools must be installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service. Change Default JD Edwards EnterpriseOne Passwords Following an installation, JD Edwards EnterpriseOne creates default JD Edwards EnterpriseOne user IDs and password. You must immediately change the default passwords or disable the user accounts. JD Edwards EnterpriseOne Authorization Model The JD Edwards EnterpriseOne authorization security model is not secured by default. You should explicitly lock down all users by setting up different types of JD Edwards EnterpriseOne security for *PUBLIC, and then set up inclusive security to grant rights to roles. JD Edwards EnterpriseOne applies authorization security in the following sequence for the signed-in user:

    User

    Roles

    *PUBLIC

    The types of authorization security supported by JD Edwards EnterpriseOne include:


    Application Security Secures users out of and into JD Edwards EnterpriseOne applications, forms and reports. This is high level security.

    26

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Action Security Secures users from performing certain actions when in JD Edwards EnterpriseOne applications or forms. Security can be set on OK, Select, Add, Copy, Delete, and so forth (Toolbar exits). Row Security Secures users from certain actions on specific records in a table. For example, you can secure a user from seeing profile records that belong to other users. Also, you can secure users from accessing a particular range or list of data in any table. Column Security Secures users from certain actions on specific columns in tables, applications, or forms. For example, you can secure a user from viewing all salary-related fields in a table. Processing Option Security Secures users from viewing or modifying values in processing options. Tab Security Secures users from viewing or modifying values on tab forms. Exit Security Secures users from using hyper exits. Exclusive Application Security Secures users into an application when all other securities are set up against objects associated with that application. External Calls Security Secures users from running executables from within JD Edwards EnterpriseOne. Portal Security Secures users from performing certain Portal actions such as Personalization or Modifying Relationships. Solution Explorer Security Secures users from performing and viewing certain features within Solution Explorer, such as Fine Cut and Fast Path. Media Object Security Secures user from updating, viewing, creating, or deleting media object attachments. Button, Image & Link Security - Secures user from viewing and enabling button, image, and link objects. Data Browser Security - Secures user from accessing the Data Browser program. You can also use it to secure users from accessing an individual table or business view when creating queries.

    Refer to Using Security Workbench in the JD Edwards EnterpriseOne Tools Release 8.98 Security Administration Guide for more information on JD Edwards EnterpriseOne authorization security.
    Business Unit Security - JD Edwards EnterpriseOne business unit security provides the ability to filter data by business unit for UDCs and for transaction tables. For UDCs, you create subgroups of values that can be shared among various business units or might be unique to one particular business unit. This is referred to as UDC sharing. For transaction tables, business unit security enables you to limit the transaction records that a user can access based on business unit. This is called transaction security.

    With UDC sharing, JD Edwards EnterpriseOne provides the ability to control or regulate how organizational data among different business units is shared. Transaction security enables you to determine the transaction records a user can view. Transaction security ensures that users can only access and modify transaction data for the business unit to which they are associated.
    Copyright 2009, Oracle. All rights reserved 27

    JD Edwards EnterpriseOne Security Best Practices

    You should set up business unit security when users are allowed to access data only for their business unit. Refer to Setting up Business Unit Security in the JD Edwards EnterpriseOne Tools Release 8.98 Security Administration Guide for more information on business unit security. Set Up Role-Based Authorization Administrators prefer to set up security that can be easily managed and maintained. The easiest way to manage security in JD Edwards EnterpriseOne is by applying security to roles. Role-based authorization prevents you from having to set up a large number of security records for each individual user. Instead of having to revise multiple security records when a user moves to another position or responsibility, you only have to assign that user to a different role that already contains the required security for that position. Follow the Principle of Least Privilege The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Over ambitious granting of responsibilities, roles, and permissions, especially when people are few and work needs to be done quickly, often leaves a system wide open for abuse. You should initially establish a policy to determine and assign least privileges to users. Periodically review user privileges to determine relevance to current job responsibilities. Secure JD Edwards EnterpriseOne Administration Applications and Reports Use application security to allow only CNC administrators access, at a minimum, to the following applications and reports:
    Applications under the System Administration Tools menu. Applications under the Package and Deployment Tools menu. Applications under the System Installation Tools menu.

    You can also obtain a list of all JD Edwards EnterpriseOne Tools-related applications by searching in Object Management Workbench (OMW) for H9* system code. Secure JD Edwards EnterpriseOne Administration Tables Use row security to allow only CNC administrators the ability to insert and modify data, at a minimum, from these system administration tables:
    Table Description Security Workbench Sign-on security Table Name F00950 F98OWSEC

    28

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    System user security OCM Data Source Master OMW User Roles User Profile User Preferences User-Role Relationship

    F98OWPU F986101 F98611 F98220 F0092 F00921 F95921

    Regularly Run Security Maintenance Reports Run the following security reports to analyze the security setup and access rights for user, groups, and *PUBLIC in JD Edwards EnterpriseOne:
    Security Analyzer by Data Source Report (R98OWSECA) Security Analyzer by User or Role Report (R98OWSECB) Security Audit Report by Object (R009501) Security Audit Report by User/Role (R009502)

    Set Up Password Policies If you are managing user IDs and passwords in a JD Edwards EnterpriseOne database, you are strongly encouraged to create strict password policies to avoid passwords that can be easily compromised. Refer to Setting Processing Options for P98OWSEC in the JD Edwards EnterpriseOne Tools Release 8.98 Security Administration Guide for more information on setting up password policies. Enforce Security Settings Immediately If a system administrator makes any changes to the security records using the Security Workbench application, those changes may not be enforced for the user when he signs in because security records are cached by JD Edwards EnterpriseOne HTML Web Server. Enforce security changes immediately by performing one of these actions:
    Restart the JD Edwards EnterpriseOne Application Server instance. Clean up the JDBj security cache using Security Administration Workbench (SAW).

    Change Password Frequently Set up the Password Change Frequency value in the User Security (P98OWSEC) application to ensure that users frequently change their passwords. Refer to Setting up

    Copyright 2009, Oracle. All rights reserved

    29

    JD Edwards EnterpriseOne Security Best Practices

    User Security in the JD Edwards EnterpriseOne Tools Release 8.98 Security Administration Guide for more information on setting up the password policies. Set Force Immediate Password Change when Creating a User Account Select the Force change password for user option when creating a new user account so that the system will prompt the user to change the password on the next sign-in. Refer to Setting up User Security in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on setting up the password policies. Lock Out User Account After Invalid Login Attempts Limit the number of invalid password attempts (usually three) before a user account is disabled. Refer to Setting up User Security in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on setting up password policies. Enable Auditing of Security Operation Set the history setting to 1 under the [SECURITY] section of the JDE.INI file on the security server. This setting turns on the auditing for users login and logoff actions. Use the Security History form exit from the Work with User Security application (P98OWSEC) to review this history or audit records regularly according to your organizations security policy. Purge Audit Table Records Security audit records can grow quickly and increase the size of the database. Therefore, you should set up a policy to purge security audit records regularly from the Security History table (F9312) using database tools. Keep a copy of these records for audit purposes. Limit Access to Design Tools and Universal Table Browser Set up External Calls security using Security Workbench to limit access to Windowsbased design toolsFDA.exe, TDA.exe, and RDA.exeand UTBrowse.exe. Refer to Using Security Workbench in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on External Call security. Limit Access to Data Browser Set up Data Browser security to limit access to the Data Browser application as this can be used to easily access sensitive data from different data sources. Refer to Using Security Workbench in JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on Data Browser security.

    30

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Set Up Processing Option Security Set up Processing Option security to limit access to the User Security application (P98OWSEC). JD Edwards EnterpriseOne password policies are managed as processing options for P98OWSEC. Refer to Using Security Workbench in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on Processing Option security. Set Up Column Security on Work with Submitted Jobs Set up Column security on the User field of the Submitted Job Search form (W986110BA). When you set up this security, only the user that is logged in and submitted the batch job can view the records in the grid that are a result of the batch job. The user cannot see batch jobs submitted by other users and more importantly, the output from those batch jobs. Refer to Using Security Workbench in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on Column security. Set Up OMW Security Administrators should configure roles and allowed actions for a JD Edwards EnterpriseOne developer. Refer to Configuring User Roles and Allowed Actions in the JD Edwards EnterpriseOne Tools 8.98 Object Management Workbench Guide for more information on setting up OMW security. Set Up LDAP SSL If LDAP authentication is enabled in JD Edwards EnterpriseOne, you should securely configure LDAP access from the JD Edwards EnterpriseOne security server by using LDAP over SSL (LDAPS). Refer to Using LDAP Over SSL in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information. Assign Role with Least Privilege for _LDAPDEFLT User If LDAP authentication is enabled and user-role relationships are being managed in JD Edwards EnterpriseOne, you must set up a default role relationship for the _LDAPDEFLT user. All new users who are synchronized from LDAP to JD Edwards EnterpriseOne database will be assigned the default user-role relationship. It is recommended that you assign a default role to _LDAPDEFLT user that has least privilege. An administrator can assign or remove other roles using JD Edwards EnterpriseOne User Role Relationship application (P95921) at a later time. Refer to Modifying the LDAP Default User Profile Settings in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information.

    Copyright 2009, Oracle. All rights reserved

    31

    JD Edwards EnterpriseOne Security Best Practices

    Set Up Single Sign-on Node Change the default node password for _GLOBALNODE even when you are not using single sign-on from Collaborative Portal or Oracle Portal. It is recommended that you set up a unique single sign-on node with a trusted relationship if you are using multiple security servers on different machines in your environment. Refer to Understanding JD Edwards EnterpriseOne Single Sign-On and Setting Up EnterpriseOne Single SignOn in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information on setting up single sign-on nodes. Support of Longer User Names and Passwords JD Edwards EnterpriseOne does not support more than 10 characters in a user name or password for sign-on. If you want to use more than 10 characters for a user name or password due to compliance issues for web users, you should use Oracle Single Sign-on or Collaborative Portal Single Sign-on with JD Edwards EnterpriseOne. In this solution, Oracle Single Sign-on server or Collaborative Portal is responsible for authenticating a longer user name and password. JD Edwards EnterpriseOne uses the single sign-on token to validate the user. You can configure the JD Edwards EnterpriseOne security server to use the same LDAP Server used by the single sign-on server. User mappings from longer user names to JD Edwards EnterpriseOne user names can be provided in LDAP Server. However, in this case, JD Edwards EnterpriseOne non-web users (such as Windows client, WSG, and Java Connector users) will not be able to log in with more than 10 character user names and passwords. Refer to the following chapters in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information:
    Understanding JD Edwards EnterpriseOne Single Sign-On Setting Up EnterpriseOne Single Sign-On Understanding Single Sign-On between JD Edwards EnterpriseOne and Oracle

    Disable the Unused User Accounts It is difficult to monitor and administer accounts that are not in use. An administrator should disable these accounts to stop unauthorized access to JD Edwards EnterpriseOne. Refer to Setting up User Security in the JD Edwards EnterpriseOne Tools 8.98 Security Administration Guide for more information to disable an account. Set Up an Independent Security Environment Set up a separate environment to design and test security before deploying it to the production environment. When testing, start with the least privileges and add more rights as required.

    32

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Third Party Tools Security


    Secure PIM Sync For JD Edwards EnterpriseOne CRM users, you can install and configure the PIM servlet and the Intellisync Server to synchronize information (tasks, appointments, and contacts) from Lotus Notes Domino or Microsoft Exchange applications with EnterpriseOne CRM applications. The PIM Sync servlet and Intellisync Server are necessary components of a larger configuration that includes JD Edwards EnterpriseOne and an Oracle Application Server (OAS). Use operating system security to limit access to the JAS.INI file because this file contains the JD Edwards EnterpriseOne user and password that enables access to the database and JD Edwards EnterpriseOne enterprise (business logic) server. Secure Mobile Client The JD Edwards EnterpriseOne mobile server is a Microsoft Windows machine that hosts Intellisync software, including Intellisync Data Sync server, Intellisync Mobile Suite, and Intellisync Mobile Suite database. Intellisync is responsible for data synchronization between the JD Edwards EnterpriseOne server and the mobile client. Use operating system security to limit access to the PostSync.ini file because it contains the user and password that enables you to connect to Intellisync database. This file also contains the JD Edwards EnterpriseOne user and password to connect to JD Edwards EnterpriseOne enterprise (business logic) server.

    Copyright 2009, Oracle. All rights reserved

    33

    JD Edwards EnterpriseOne Security Best Practices

    Appendix A - Default Database User Accounts


    The following list contains the default database accounts created and used by JD Edwards EnterpriseOne 9.0:
    APPLEAD TESTCTL JDEDBA DV900 PD900 PRODUSER CRPCTL PRODCTL PRODDTA TESTDTA JDE DEVUSER CRPDTA PS900 PY900 DD900 SVM900 SY900 OL900 PS900DTA PS900CTL

    34

    Copyright 2009 Oracle. All rights reserved

    JD Edwards EnterpriseOne Security Best Practices

    Appendix B Additional Network Infrastructure Security


    For an internet facing system, it is recommended that you place the HTTP server in a DMZ zone and keep the JD Edwards EnterpriseOne HTML Web Server (web application server), database, and enterprise (business logic) server behind a firewall. In addition, you can add an additional layer of protection by placing a firewall between the web application server and the database or Enterprise Server.

    Enable Predefined JDENET Ports in JDE.INI When there is a firewall between the JD Edwards EnterpriseOne HTML Web Server and an enterprise (business logic) server, set the PredfinedJDENETPorts setting to 1 in the JDE.INI file of the Enterprise Server. This setting enables JDENET network process to use a predefined range of TCP/IP ports. This port range starts at the port number that is specified by serviceNameListen and ends at the port that is calculated by the equation serviceNameListen = maxNetProcesses 1. You must open these ports in a firewall setup to successfully connect the JD Edwards EnterpriseOne HTML Web Server to the Enterprise Server.

    Copyright 2009, Oracle. All rights reserved

    35

    JD Edwards EnterpriseOne Security Best Practices

    Appendix C Useful Links


    JD Edwards EnterpriseOne Current MTR Index on My Oracle Support:
    https://metalink3.oracle.com/od/faces/secure/km/DocumentDisplay.jspx?id=747323.1&h=Y# REF_TEXT

    Oracle Critical Patch Updates and Security Alert:


    http://www.oracle.com/technology/deploy/security/alerts.htm

    Oracle Application Server Security:


    http://www.oracle.com/technology/deploy/security/as_security/index.html

    IBM Application Server Security:


    http://www.redbooks.ibm.com/abstracts/sg246573.html (WebSphere V5) http://www.redbooks.ibm.com/abstracts/sg246316.html (WebSphere V6.1)

    36

    Copyright 2009 Oracle. All rights reserved

    You might also like