JD Edwards Security Best Practices

JD Edwards Security Best Practices
Manish Somani, Director, Software Engineering, Oracle JD Edwards
Marcelo Tamassia, Founding Partner, EmeraldCube Solutions
October 01, 2014

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda
1. Why do I care about Security?
2. Oracle Software Security Assurance
3. Security in EnterpriseOne: Built-in, Not Bolt-On!!
4. Oracle Security Products
5. OAM Case Studies

Security: Is it a choice?
In 2004, it was discovered that crackers gained almost complete access to Nortel's systems. Thought to have originated in 2000, for nearly ten years they accessed documents including emails, technical papers, research, development reports, and business plans.
"I have no doubt that extensive cyber attacks contributed to our downfall and bankruptcy in 2009." - Brian Shields, the former senior systems security adviser at Nortel

Multi-Dimensional Aspects of Security
Today's threats:
- IP theft and economic espionage
- Financial fraud and organized crime
- Sophisticated hackers
- Opportunistic insiders
What's at stake:
- Intellectual property
- Customer, employee, citizen, corporate data
- Financial loss
- Reputational loss
- Fines & penalties
Other challenges:
- Internal and external audits
- Supply chain security
- Changing regulatory landscape
- Data and systems consolidation
- Changing environments (mobile devices, cloud, etc.)

Oracle Software Security Assurance

Oracle Software Security Assurance (OSSA)
Encompasses all the continuously improving processes, procedures, and technologies implemented by Oracle to ensure that Oracle's products are meeting our customers' security requirements, while providing for the most cost-effective ownership experience.

Oracle Software Security Assurance
- Maintaining the security posture of ALL Oracle customers is one of the greatest priorities of Oracle
- Applies to ALL Oracle software products throughout their lifecycle, and constantly evolving to adapt to new technologies, threats, and product use cases
- Oracle security programs affect the entire product lifecycle

Secure Development Standards
- Coding guidelines
- Secure coding principles
- Examples of what not to do
- Requirements to use previously vetted security code
- Minimum secure design requirements
- Mandatory training for all employees

Product Definition
- Security requirements are expressed as early as the design phase
- Security requirements include requirements from the Secure Coding Standards and product-specific requirements
- Established security criteria must be satisfied and reviewed at each step of the process

Product Development
- Ongoing reviews to validate compliance with the Secure Coding Standards
- Additional design reviews for security
- Extensive use of scanning and testing tools to provide ongoing feedback to the development team on the quality of the produced code

Ongoing Assurance
- Security testing takes place throughout the useful life of the product
- Pre-release security scanning and testing
- Post-release security activities: ethical hacking
- Updated secure configuration recommendations are available online

Security in JD Edwards EnterpriseOne Built-in, Not Bolt-On!!

JD Edwards EnterpriseOne Security
Components: Deployment Server, Windows Client, Business Services Server, JAS/HTML Server, Enterprise Server, BI Publisher Server (OVR), Database Server, Transaction Server
Security is addressed for data in flight, data at rest, and data across trust boundaries.

Secure Data in Flight
- Support HTTPS between Web Browser and HTML Server, and between E1 HTML Server and BI Server for One View Reports
- Support SSL between HTML Server and Enterprise Server
- Support SSL between Deployment Server and Enterprise Server

Secure Data at Rest
- Passwords in all configuration files (jas.ini, jdbj.ini, jde.ini and jdeinterop.ini), configured via Server Manager
- User passwords in Security Tables are encrypted using a one-way hash
- Application Business Table data are encrypted using TripleDES

Secure Data Across Trust Boundary
- Secured file upload: allowed only for a whitelist; validate file content
- Secured download: security prevents inline opening of the file
- Prevent clickjacking and HTML frame injection
- Prevent cross-site scripting and JavaScript injection
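The upload and download controls listed on this slide, written out as standalone checks. This is an added illustration, not JD Edwards code; the whitelist contents, function names and header set are assumptions.

```python
# Added illustration (not EnterpriseOne code): a file-upload whitelist with
# content validation, and the response headers that stop inline opening,
# MIME sniffing and framing. Allowed types and names are assumptions.
import os

# Whitelist: extension -> magic bytes the content must start with (None = text type)
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".csv": None,
}

def validate_upload(filename, content):
    """Return (ok, reason): whitelist by extension, then confirm the bytes match
    the declared type so a renamed .html or .exe cannot pass as a document."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not in whitelist"
    signature = ALLOWED_TYPES[ext]
    if signature is None:
        # Text type: must decode cleanly and contain no markup or control characters
        try:
            text = content.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text file is not valid UTF-8"
        if "<" in text or any(ord(c) < 32 and c not in "\r\n\t" for c in text):
            return False, "text file contains markup or control characters"
        return True, "ok"
    if not content.startswith(signature):
        return False, "content does not match declared type"
    return True, "ok"

def download_headers(filename):
    """Headers for serving a stored file: force a download instead of inline
    rendering, forbid MIME sniffing, and refuse to be framed (clickjacking)."""
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
```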

Security Testing for EnterpriseOne
- Static code analysis: HP Fortify tools are integrated in the build process to scan for security issues
- Dynamic test analysis: HP WebInspect is part of the test cycle to scan the HTML client for security issues
- Fuzz testing: JDENET testing, XML parser testing

Security Guide Update for EnterpriseOne
- Update the security guide as per the OSSA standard
- Integrate security best practices into the security admin guide
- Integrate the database PUBLIC shutdown paper for all supported databases

Oracle Security Products

Oracle Security OIM Products
- Oracle Internet Directory (OID): LDAP directory server that stores its data in an Oracle database
- Oracle Access Manager (OAM): provides SSO, authentication, authorization, centralized policy administration
- Oracle Identity Manager (OIM): provides provisioning, reconciliation, self-service, and integration with heterogeneous identity systems through connectors

Marcelo Tamassia, Founding Partner @ EmeraldCube Solutions
Why Prism?
- 18 years of tech industry experience
- 13 years of EnterpriseOne consulting in South and North America
- Planned, designed, executed, and managed over 90 E1 implementations and upgrades worldwide

EmeraldCube Solutions
Focus: JDE Technology, Business Intelligence & IoT
- JDE & OBI focused Managed Services team: On Demand and Managed Services plans; unmatched proactive monitoring and alerting tools
- Experts in BI solutions for JDE: on-premises and cloud-based options; choice of BI tools and platforms; subscription and traditional software acquisition models
- EmeraldSensor for JD Edwards EnterpriseOne: IoT platform for JDE customers; complete solution - sensors, gateway & analytics

Customer Case - I

Laser Technology
Denver-based industry leader in the design and manufacturing of innovative laser-based speed and distance measurement instruments, including laser rangefinders, speed guns & sensors.
JDE Footprint:
- Release 9.1, Tools 9.1.4
- 200+ Users
- Financials/Manufacturing/Distribution
- Red Stack

Laser Technology: Needs
IT & Auditors:
- Inconsistent password policies between JDE and AD
- High number of password-related helpdesk calls
- Convoluted on-boarding process for new employees/IDs
Users:
- Too many passwords to remember

Laser Technology: Solution
- Oracle Access Manager
- LDAP/AD Identity Store
- Form Authentication
End-user experience:
1. User types the JDE URL
2. User gets prompted by the OAM login page
3. User types their network/AD credentials
4. User is inside JDE

Laser Technology: Benefits
- Consistent password policy
- Significant reduction of helpdesk calls
- Streamlined user on-boarding
- Users no longer need to remember their JDE password

Customer Case - II

Silgan Containers
Largest provider of metal food packaging in the United States, Silgan Containers is trusted by America's most respected brands.
JDE Footprint:
- Release 9.0, Tools 9.1.4
- 600+ Users
- Financials/Manufacturing/Distribution
- iSeries / Windows

Silgan: Needs
IT & Auditors:
- Inconsistent password policies between JDE, OBIEE, and AD
- High number of password-related helpdesk calls
- Convoluted on-boarding process for new employees/IDs
- BI using long names and JDE using short names
- JDE usernames did not match AD usernames (10-character limitation)
Users:
- Too many usernames to remember
- Too many passwords to remember

Silgan: Solution
- Active Directory: custom field for the E1 short username (work around the JDE 10-character limitation)
- Oracle Access Manager: LDAP/AD User Identity Store
- Two application domains set up on OAM (JDE and OBIEE)
- User mappings / responses
- Kerberos / Windows Native Authentication

Silgan: Solution
End-user experience:
- User types the JDE URL and is automatically on JDE
- User types the BI URL and is automatically on OBIEE
- No more password changes inside JDE / BI

Silgan: Benefits
- No more passwords / usernames to memorize. Happy users!
- True Single Sign-On
- Consistent password policy across JDE, BI, and AD
- Significant reduction of helpdesk calls

Lessons Learned

OAM Lessons Learned
- OAM single point of failure (cluster)
- Separate production and development OAM servers?
- Short/long username options
- Native Authentication: browser settings; VPN / external users; fallback authentication
- Use multiple domain controllers in the setup
- Triple check your response mappings
- JDE Security Guide
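A model of the Silgan response mappings above (custom AD field for the E1 short username, separate JDE and OBIEE application domains) together with the "triple check your response mappings" lesson. This is an added example, not OAM or JD Edwards code; the attribute names, header names and directory entries are constructed assumptions.

```python
# Added illustration (not OAM/JDE code): per-domain OAM "responses" that hand
# each application a username header, plus a mapping audit that fails closed.
# Attribute names, header names and accounts below are constructed assumptions.
E1_MAX_LEN = 10  # the JDE short-username limit the custom AD field works around

# Constructed sample AD entries (not real accounts)
DIRECTORY = {
    "jsmith": {"sAMAccountName": "jsmith",
               "userPrincipalName": "john.smith@example.com", "e1ShortName": "JSMITH"},
    "maria.fernandez": {"sAMAccountName": "maria.fernandez",
               "userPrincipalName": "maria.fernandez@example.com", "e1ShortName": "MFERNANDEZ"},
    "tooLongName": {"sAMAccountName": "tooLongName",
               "userPrincipalName": "t@example.com", "e1ShortName": "TOOLONGNAME1"},
    "noE1": {"sAMAccountName": "noE1", "userPrincipalName": "noe1@example.com"},
}

# One response mapping per OAM application domain: header name -> AD attribute sent
RESPONSE_MAPPINGS = {
    "JDE":   {"header": "JDE_SSO_UID", "attribute": "e1ShortName"},       # short name
    "OBIEE": {"header": "OAM_REMOTE_USER", "attribute": "userPrincipalName"},  # long name
}

def build_response(domain, account):
    """Return the header OAM would add for this user in this domain. A missing
    or over-long attribute raises, so a bad mapping never yields an empty user."""
    mapping = RESPONSE_MAPPINGS[domain]
    entry = DIRECTORY.get(account)
    if entry is None:
        raise PermissionError("user not found in identity store")
    value = entry.get(mapping["attribute"])
    if not value:
        raise ValueError(f"{account}: attribute {mapping['attribute']} missing")
    if domain == "JDE" and len(value) > E1_MAX_LEN:
        raise ValueError(f"{account}: E1 username longer than {E1_MAX_LEN}")
    return {mapping["header"]: value}

def check_all_mappings():
    """Audit every account against every domain and report the mappings that
    would fail, before a locked-out user reports them to the helpdesk."""
    problems = []
    for account in DIRECTORY:
        for domain in RESPONSE_MAPPINGS:
            try:
                build_response(domain, account)
            except (ValueError, PermissionError) as exc:
                problems.append((domain, account, str(exc)))
    return problems
```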

Contact Information
- info@emerald-cube.com
- @EmeraldCube
- www.emerald-cube.com

The Right Tool for the Task: Strengthen Your JD Edwards EnterpriseOne Arsenal
- @OracleJDEdwards
- JD Edwards Professionals
- My Oracle Support Communities
- JD Edwards Attitude@Altitude
- The Right Tool for the Task: Doc ID 1918339.1 will help you find out!
- TheOracleJDEdwards
- LearnJDE.com
- JD Edwards Newsletters
- EnterpriseOne World