
Oracle EPM Security: How Safe Are You? March 11, 2015 Mark Wirth, Principal.


1 Oracle EPM Security: How Safe Are You? March 11, 2015 Mark Wirth, Principal

2 © 2015 The Hackett Group, Inc. All rights reserved. Reproduction of this document or any portion thereof without prior written consent is prohibited.
Has Anyone Heard of FREAK?

3 FREAK
 Factoring RSA Export Keys (CVE-2015-0204 in OpenSSL)
 Dates to the 1990s US export controls on cryptography: software and hardware shipped outside the US had to use weak "export-grade" keys (512-bit RSA), while commercial-grade keys were allowed domestically. The controls were relaxed around 2000, but the export cipher suites stayed in the code.
 Enables SSL/TLS man-in-the-middle attacks: the attacker rewrites the client hello to ask for an RSA_EXPORT suite, a server that still offers it answers with a 512-bit RSA key, that key can be factored in hours on rented compute, and the attacker can then decrypt and alter the session. About 36% of browser-trusted HTTPS sites still accepted export suites at disclosure.
 New technologies emerge and cryptography hardens, BUT many deployments simply add the new solutions without removing the outdated and vulnerable ones.
 Affects Microsoft Windows 7, 8, 8.1 and Server 2003. Microsoft's later advisory (3046015) listed Windows Server 2008 and 2012 as affected too, so do not assume the newer server releases are exempt.
 Affects Apple OS X Mountain Lion, Mavericks and Yosemite
 Vulnerable browsers: Chrome before version 41, Internet Explorer, Safari, the Android Browser and the BlackBerry Browser. Firefox was not affected.
 The fix has two halves: patch the clients, and remove every EXPORT cipher suite from servers, load balancers and SSL offloaders.

4 Security is More Than…
 Authentication and authorization
 Complex passwords with change policies
 Physical securing of the data center
 Firewalls and VLANs
 Encryption of data
 Use of RSA tokens and VPN
 Penetration tests
Security is all of this and much more. Security is a structured process – 24 x 7 x 365

5 Firewalls
 A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network that is assumed to be untrusted (e.g., the Internet), or between tiers of servers and clients (client tier, web tier, application server tier, database tier, etc.).

6 Firewalls

7 Cryptography
 Practice and study of techniques for secure communication in the presence of third parties (called adversaries)
Plain text: "HUG User Group – Chaska, MN"
Encryption algorithm
Cipher text: "MuHnoltd3rGYke+NlCoLdzsMe0J4jkd4TvZeKYE="

8 SSL Serves 2 Purposes…
Encryption – Hiding what is sent from one computer to another
Identification – Making sure the computer you are speaking to is one you trust
Encryption:
 Computers agree on how to encrypt
 Server sends its certificate
 Client says "encrypt"
 Server says "encrypt"
 Communication is encrypted
Identification:
 Company asks a CA for a certificate
 CA creates the certificate and signs it
 Certificate is installed on the server
 Browser is issued with root certificates
 Browser trusts correctly signed certificates

9 Certificates
 Company asks for a certificate from a trusted third party (the certificate authority, CA), supplying:
–Web Server
–Company Name
–Where located
–Other
 Certificate authority checks correctness and authenticity of the company.
 CA creates the certificate and signs it. The signature is created by condensing all details into a number through a hash function (MD5 on this slide; MD5 and SHA-1 are no longer accepted for certificate signatures, SHA-256 is the current minimum), then signing that number with the CA's private key.
 Certificate is installed on the server. The web server is configured to use the certificate.
 Browser is issued with root certificates
 Browser trusts correctly signed certificates: it recomputes the hash, undoes the signature with the root's public key and checks that the two values match. Verified.

10 How SSL works
1 – Browser wants to send secure information
2 – Sending it unencrypted presents security issues
3 – Initial SSL connection
4 – Client SSL Hello (highest protocol version and the cipher suites the client supports)

11 How SSL works
5 – Server SSL Hello response (chosen version and cipher suite)
6 – Server SSL certificate (contains the server's public key)
7 – Server Hello Done
8 – Certificate verified by the browser against its root certificates, and the host name checked against the certificate

12 How SSL works
9 – Browser generates a random premaster secret, encrypts it with the server's public key and sends it; both sides derive the symmetric session key from it. Data will now be encrypted from the browser.
10 – Digest of all handshake messages so far (Finished). Server validates that nothing was tampered with.
11 – Data will now be encrypted from the server
12 – Digest of all handshake messages (Finished). Browser validates that nothing was tampered with.

13 How SSL works
13 – SSL handshake complete. The browser-generated symmetric session key, which never crossed the wire in the clear, now protects the session.
14 – All data is encrypted with the symmetric session key. If any validation fails, data arrives out of order, or does not contain the right data, the SSL session is terminated and a new one started.

14 How secure is out-of-the-box Oracle EPM?
 Access Control
 The password is encoded, not encrypted, while passing from the user's browser to the web server: HTTP Basic authentication carries it as clear text that is merely base64 encoded, which anyone on the path can decode. Base64 is there to support non-HTTP characters in the user name and password, not to protect them; only SSL protects them in transit.
 Shared Services and the EPM System security subsystem store passwords in the Shared Services repository encrypted with the 128-bit AES algorithm.
 WebLogic Server – ships with a demo SSL certificate (the DemoIdentity keystore), which no browser trusts and which should never be used outside a lab.
 Default deployments of Essbase components in secure mode use self-signed certificates to enable SSL communication, mainly for testing purposes.
 Use SSL with third-party certificates

15 Oracle EPM Supported SSL Scenarios
SSL Offload
Full SSL

16 SSL Offload
 Easier and less time consuming to configure and troubleshoot
 Secure communication from client to load balancer, but not server to server: the offloader decrypts, and traffic from the load balancer to Oracle HTTP Server, WebLogic, the database and the directory crosses the internal network in clear text
 Reduced overhead and performance hit
 Easier to maintain with SSL updates and certificate expirations
 Easier to support (Oracle)
 Less expensive with a limited number of certificates (2)

17 Full SSL
 More difficult and time consuming to configure and troubleshoot
 Secure communication from client to load balancer, load balancer to server and server to server
 Greater overhead and performance hit
 More difficult to maintain with SSL updates and certificate expirations
 Potentially more difficult to support (Oracle). Few technicians in support have experience with SSL environments
 More expensive with additional certificates

18 Oracle EPM Capable SSL Components
 SSL Offloader – HTTPS
 Oracle WebLogic Server (Admin Server, NodeManager) – HTTPS
 Oracle HTTP Server – HTTPS
 User Directories – LDAPS
–Oracle Internet Directory
–Sun Java System Directory Server
–Active Directory (Microsoft Windows Server 2008, Microsoft Windows Server 2003)
–Novell eDirectory
 Databases – JDBC over SSL
 Internet Information Services – HTTPS
 Mail Server – SMTPS

19 Certificates required for Oracle EPM
 Root CA Certificate – The root CA certificate is what lets a client verify the certificate used to support SSL. It contains the CA's public key, which is used to check the signature the CA made with its private key. You can obtain the root CA certificate from the certificate authority that signed your SSL certificates. You need not install a root CA certificate in the Java keystore if you are using certificates from a well-known third-party CA whose root certificate is already installed in the Java keystore (cacerts). Firefox and Internet Explorer are preloaded with certificates of well-known third-party CAs. If you are acting as your own CA, you must import your CA root certificate into the keystore used by the clients and into the browsers that access them; otherwise users learn to click through certificate warnings, which defeats the identification purpose of SSL.
 Certificates – One for each Oracle HTTP Server, WebLogic Server, Database Server, Directory Server and Mail Server in your deployment, issued to the FQDN that clients actually connect to.
 Two certificates for the SSL Offloader. One is for external communication (the public name) and the other for internal communication.
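The signing and verification steps of the Certificates slide (slide 9) and the role of the root CA's public key described on slide 19, as an added example that is not from the presentation or from Oracle. It uses textbook RSA with no padding, a toy CA keypair generated on the fly and SHA-256 in place of the slide's MD5; the key size, the certificate fields and the host names are illustrative, and nothing here is usable as real cryptography. Its point is to show what "condense the details into a number, sign with the private key, verify with the root's public key" means, and what happens when someone alters the details after signing.

```python
"""Hash-then-sign as on the Certificates slide, in miniature.

Added example (not from the presentation or from Oracle). Textbook RSA
with no padding, a toy CA and made-up certificate fields: enough to show
the mechanics of signing and verifying, not a usable PKI.
"""
import hashlib
import random

_rng = random.SystemRandom()
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with its top bit set, so products have a known size."""
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_ca_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): the CA's public and private keys.

    512 bits is the 'export-grade' size FREAK made factorable; it is used
    here only to keep the example fast.
    """
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def certificate_digest(details: dict) -> int:
    """Condense the certificate details into one number with SHA-256.

    The slide says MD5; MD5 collisions let an attacker get one set of
    details signed and present another, which is why CAs moved to SHA-256.
    """
    canonical = "\n".join(f"{k}={details[k]}" for k in sorted(details))
    return int.from_bytes(hashlib.sha256(canonical.encode()).digest(), "big")


def ca_sign(details: dict, ca_private_key) -> int:
    """The CA signs the digest with its private key ('CA creates and signs')."""
    n, d = ca_private_key
    digest = certificate_digest(details)
    if digest >= n:
        raise ValueError("modulus too small for the digest")
    return pow(digest, d, n)


def browser_verify(details: dict, signature: int, root_public_key) -> bool:
    """What the browser does with the root certificate's public key:
    undo the signature with e and compare with a freshly computed digest."""
    n, e = root_public_key
    return pow(signature, e, n) == certificate_digest(details)


if __name__ == "__main__":
    root_pub, root_priv = generate_ca_keypair()
    cert = {"CN": "epm.example.com", "O": "Example Corp", "notAfter": "2016-03-11"}
    sig = ca_sign(cert, root_priv)
    print("genuine certificate verifies:", browser_verify(cert, sig, root_pub))
    forged = dict(cert, CN="attacker.example.net")
    print("tampered certificate verifies:", browser_verify(forged, sig, root_pub))
```

The third check worth running by hand is a certificate signed by some other CA: it fails verification against this root, which is exactly why a private CA's root has to be imported into the client keystores and browsers before its certificates are trusted.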

20 Oracle EPM Capable SSL Components
 Financial Reporting Studio – Encrypted RMI
 Essbase

21 Oracle EPM SSL Implementation Requirements
 SSL Certificates
–Well-known third-party CA
–FQDN (Fully Qualified Domain Names)
–Keytool or Oracle Wallet: create custom keystore, generate certificate request, import signed certificate into keystore
–Backup certificates
–Monitor certificate expiration dates
 Security Expertise
–Windows
–WebLogic
–Java
–IIS
–Penetration testing
 Toolbox
–Network Sniffer
–Telnet or Netstat/Active Ports

22 Web Identity Management Systems (SSO)
 Oracle Single Sign-on (OSSO)
 Oracle Access Manager
 Kerberos
 SiteMinder
SiteMinder flow:
1 – Users try to access a SiteMinder-protected EPM System resource. They use a URL that connects them to the web server that front-ends the SiteMinder policy server; for example, http://WebAgent_Web_Server_Name:WebAgent_Web_ServerPort/interop/index.jsp
2 – The web server redirects users to the policy server, which challenges users for credentials.
3 – After verifying credentials against configured user directories, the policy server passes the credentials to the web server that hosts the SiteMinder Web Agent.
4 – The web server that hosts the SiteMinder Web Agent redirects the request to the Oracle HTTP Server that front-ends EPM System.
5 – Oracle HTTP Server redirects users to the requested application deployed on WebLogic Server or IIS Server.
6 – The EPM System component checks provisioning information and serves up content.
For this process to work, the user directories that SiteMinder uses to authenticate users must be configured as external user directories in EPM System and marked as trusted. Because EPM System then accepts the identity the Web Agent asserts, direct access to the Oracle HTTP Server that bypasses the Web Agent must be blocked; otherwise the asserted identity can be forged.

23 Oracle EPM Security Best Practices
 Implement SSL
 Change the Shared Services Native "admin" password
 Complex passwords for all users – no "hyper10n"
 Change database passwords
 Separate database user/password for each database/schema
 Change service account/DCOM passwords
 Secure the database drive file system
 Use transparent data encryption for SQL Server and Oracle Database
 Do not distribute install/service/DCOM credentials
 Secure RAF, OHS shares -> deny to all except the service account
 Secure FDM, LCM shares -> per user
 Maintain documentation on certificate expiration dates

24 Oracle EPM Security Best Practices
 Check integrity of static folders
–EPMSystem11R1, ORACLE_COMMON, OHS, ODI, JAVA/JRockit
 Secure Cookies – EPM System web applications set a cookie to track the session. While setting a cookie, especially a session cookie, the server can set the Secure flag, which forces the browser to send the cookie only over an encrypted channel. This reduces the risk of session hijacking. Setting HttpOnly alongside it keeps page scripts from reading the cookie. In an SSL offload deployment the application server may see a plain HTTP request, so check that the flag is actually present in the responses that reach the browser.
 Reduce SSO Token Timeout – The default SSO token timeout is 480 minutes. Reduce it, for example to 60 minutes, to minimize token reuse if a token is exposed.
 Review Security Reports – The Security Report contains audit information related to the security tasks for which auditing is configured. Generate and review this report from Shared Services Console on a regular basis, especially to identify failed login attempts across EPM System products and provisioning changes.
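Two of the points above concern what actually crosses the wire: the base64 "encoding" of Basic credentials on slide 14 and the Secure flag on session cookies on slide 24. The following is an added example, not from the presentation or from Oracle, that audits captured HTTP headers the way you would after running the network sniffer from the toolbox slide. The capture is constructed by hand: one login request and its response as seen on two legs of an SSL-offload deployment, plus the same response after hardening. Host names and the sso_token cookie are made up, JSESSIONID is the standard Java servlet session cookie, and the credentials are the illustrative admin/hyper10n pair from the best-practices slide.

```python
"""Audit captured HTTP headers for clear-text credentials and weak cookies.

Added example (not from the presentation or from Oracle). The capture is
constructed by hand; host names and the sso_token cookie are made up.
"""
import base64
from typing import List, Optional, Tuple

# (segment name, whether the segment is TLS-protected, raw header block)
Segment = Tuple[str, bool, str]

CAPTURE: List[Segment] = [
    # Leg 1: browser to SSL offloader, protected by TLS.
    ("client -> SSL offloader", True,
     "GET /interop/index.jsp HTTP/1.1\r\n"
     "Host: epm.example.com\r\n"
     "Authorization: Basic YWRtaW46aHlwZXIxMG4=\r\n"
     "\r\n"),
    # Leg 2: offloader to Oracle HTTP Server, plain HTTP on the inside.
    ("SSL offloader -> Oracle HTTP Server", False,
     "GET /interop/index.jsp HTTP/1.1\r\n"
     "Host: ohs1.internal.example.com\r\n"
     "Authorization: Basic YWRtaW46aHlwZXIxMG4=\r\n"
     "\r\n"),
    # Response with the defaults: no Secure, no HttpOnly.
    ("Oracle HTTP Server -> SSL offloader", False,
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/interop\r\n"
     "Set-Cookie: sso_token=abc123; Path=/\r\n"
     "\r\n"),
    # The same response after hardening.
    ("hardened response", True,
     "HTTP/1.1 200 OK\r\n"
     "Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/interop; Secure; HttpOnly\r\n"
     "Set-Cookie: sso_token=abc123; Path=/; Secure; HttpOnly\r\n"
     "\r\n"),
]


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a header block into its start line and (lowercased name, value) pairs."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:  # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def decode_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Recover user name and password from an Authorization: Basic header.

    Base64 carries arbitrary characters; it hides nothing. Returns None
    for other schemes or malformed input.
    """
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def cookie_findings(set_cookie: str) -> List[str]:
    """Report a Set-Cookie header that lacks the Secure or HttpOnly flag."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure: the browser will also send it over http://")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly: page scripts can read it")
    return findings


def audit_segment(segment: str, over_tls: bool, raw: str) -> List[str]:
    """Findings for one captured header block on one network leg."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name == "authorization":
            creds = decode_basic_auth(value)
            if creds is not None:
                exposure = "under TLS (still decodable by the offloader)" if over_tls else "in CLEAR TEXT"
                findings.append(f"[{segment}] Basic credentials for '{creds[0]}' sent {exposure}")
        elif name == "set-cookie":
            findings.extend(f"[{segment}] {f}" for f in cookie_findings(value))
    return findings


def audit_capture(capture: List[Segment]) -> List[str]:
    return [f for seg in capture for f in audit_segment(*seg)]


if __name__ == "__main__":
    for finding in audit_capture(CAPTURE):
        print(finding)
```

Run against the constructed capture it reports the same credentials twice, once protected and once in clear text on the offloader-to-OHS leg, and both default cookies missing both flags, while the hardened response produces nothing. The same functions work on header blocks pulled from a real sniffer capture.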

25 Oracle EPM Security Best Practices
 Customizing Authentication System for Strong Authentication – Use a custom authentication module to add strong authentication to EPM System. For example, you can use RSA SecurID two-factor authentication in non-challenge-response mode. The custom authentication module is transparent for thin and thick clients and does not require client-side deployment changes.
 Turning off Detailed Financial Management Error Messages – You can hide detailed Financial Management error messages containing technical information from users by updating Windows registry entries.
 Encrypting UDL File (Financial Management) – While configuring Financial Management, EPM System Configurator creates an unencrypted UDL file (which holds the database connection string, including credentials) by default. You can encrypt this file by selecting an option in the Advanced Database Options page of the Oracle Hyperion Enterprise Performance Management System Configurator or by running the EncryptHFMUDL utility after configuration is complete.

27 Oracle EPM Security Best Practices
 Changing Default Web Server Error Pages – When application servers are not available to accept requests, the web server plug-in for the back-end application server (for example, the Oracle HTTP Server plug-in for Oracle WebLogic Server) returns a default error page that displays plug-in build information. Web servers display their default error page on other occasions as well. Attackers can use this version information to look up known vulnerabilities on public web sites.
 Regenerate Encryption Keys
–Single Sign-On token encryption key, used to encrypt and decrypt EPM System SSO tokens. This key is stored in the Shared Services Registry.
–Trusted Services key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token.
–Provider Configuration encryption key, used to encrypt the password (user DN password for LDAP-enabled user directories) that EPM System security uses to bind with a configured external user directory. This password is set while configuring an external user directory.

28 Security Patches
 Critical Patch Updates, Security Alerts and Third Party Bulletin: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
 Select the correct versions for patching
–WebLogic Server
–Java
–JRockit
–Oracle HTTP Server
–SOA Suite
–Coherence

29 System Patches
 Oracle EPM Patches: http://support.oracle.com

30 Better safe than sorry…
 Backup Oracle EPM System databases
 Backup Oracle EPM Server file systems
–user_projects/domains
–user_projects/ /httpConfig
–cacerts and keystores
–IIS metabase

31 How Secure Are You?

32 Contact Information
Mark T. Wirth, Principal
o 864-525-4682 | m 864-525-4682 | mwirth@thehackettgroup.com
Amsterdam | Atlanta | Chicago | Frankfurt | Hyderabad | London | Miami | Montevideo | New York | Paris | Philadelphia | San Francisco | Sydney | Vancouver

33 Statement of Confidentiality and Usage Restrictions
This document contains trade secrets and information that is sensitive, proprietary, and confidential to The Hackett Group, the disclosure of which would provide a competitive advantage to others. As a result, the information contained herein, including information relating to The Hackett Group's data, equipment, apparatus, programs, software, security keys, specifications, drawings, business information, pricing, tools, taxonomy, questionnaires, deliverables, including without limitation any benchmark reports, and the data and calculations contained therein, may not be duplicated or otherwise distributed without The Hackett Group Inc.'s express written approval. www.thehackettgroup.com
