Oracle EPM Security: How Safe Are You? March 11, 2015 Mark
Wirth, Principal
Slide 2
2 2015 The Hackett Group, Inc. All rights reserved.
Reproduction of this document or any portion thereof without prior
written consent is prohibited.
Has Anyone Heard of FREAK?
Slide 3
FREAK: Factoring RSA Export Keys
Dates to the 1990s, when US export controls required deliberately weakened keys in any cryptographic software or hardware shipped out of the US: commercial-grade keys for use inside the US, "export-grade" keys (RSA limited to 512 bits) everywhere else. The export cipher suites were never removed from SSL/TLS implementations after the controls were lifted.
Enables SSL man-in-the-middle attacks: an attacker on the path rewrites the client's hello to ask for an RSA_EXPORT suite, a server that still supports those suites answers with a 512-bit key, and a vulnerable client accepts that key even though it never asked for an export suite. Factoring a 512-bit RSA key takes hours on rented compute, after which the attacker can read and modify the session.
About 36% of browser-trusted HTTPS sites accepted export-grade RSA when the flaw was disclosed.
New technologies emerge and cryptography hardens, BUT many simply add on new solutions and do not remove outdated and vulnerable technologies.
Affects Microsoft Windows (Schannel): Windows 7, 8, 8.1 and Server 2003. Server 2008 and Server 2012 were initially reported as unaffected because they do not support the obsolete SSL export ciphers, but Microsoft subsequently confirmed that all supported Windows versions were affected and issued a Schannel update in March 2015.
Affects Apple OS X Mountain Lion, Mavericks and Yosemite.
Vulnerable browsers: Chrome versions before 41, Internet Explorer, Safari, the Android Browser and the BlackBerry Browser. Firefox is not affected.
Slide 4
Security is More Than Authentication and Authorization
- Complex passwords with change policies
- Physical securing of the data center
- Firewalls and VLANs
- Encryption of data
- Use of RSA tokens and VPN
- Penetration tests
Security is all of this and much more. Security is a structured process, 24 x 7 x 365.
Slide 5
Firewalls
A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed to be neither secure nor trusted, or between tiers of servers/clients (client tier, web tier, application server tier, database tier, etc.).
Slide 6
Firewalls (diagram)
Slide 7
Cryptography
Practice and study of techniques for secure communication in the presence of third parties (called adversaries).
Plain text: HUG User Group Chaska, MN
Encryption algorithm
Cipher text (shown Base64-encoded): MuHnoltd3rGYke+NlCoLdzsMe0J4jkd4TvZeKYE=
Slide 8
SSL Serves 2 Purposes
- Encryption: hiding what is sent from one computer to another.
- Identification: making sure the computer you are speaking to is one you trust.
Session setup, in outline: the computers agree on how to encrypt; the server sends its certificate; the client says "encrypt"; the server says "encrypt"; communication is encrypted.
Trust setup: the company asks a CA for a certificate; the CA creates the certificate and signs it; the certificate is installed on the server; browsers are issued with root certificates; the browser trusts certificates correctly signed by one of those roots.
Slide 9
Certificates
1. The company requests a certificate from a trusted third-party CA, supplying the web server name, company name, location and other identifying details.
2. The certificate authority checks the correctness and authenticity of the company.
3. The CA creates the certificate and signs it. The signature is created by condensing all the details into a fixed-size number with a hash function (MD5 was once used for this, but MD5 and SHA-1 are no longer acceptable for certificate signatures; SHA-256 is the current standard), then signing that number with the CA's private key.
4. The certificate is installed on the server, and the web server is configured to use it.
5. Browsers are issued with root certificates and trust certificates correctly signed by one of them: the browser hashes the certificate details the same way, checks the signature with the CA's public key, and compares the two values. Verified.
Slide 10
How SSL works (continues through slide 13)
1. The browser wants to send secure information.
2. Sending it unencrypted presents security issues.
3. The initial SSL connection is opened.
4. Client Hello: the browser lists the protocol versions and cipher suites it supports.
5. Server Hello response: the server selects the protocol version and cipher suite.
6. Server SSL certificate (contains the server's public key).
7. Server Hello Done.
8. Certificate verified by the browser against its root certificates.
Between steps 8 and 9, with RSA key exchange, the browser generates the secret from which the symmetric session key is derived, encrypts it with the server's public key and sends it. This is the step that step 13 summarizes, and with an export-grade suite the public key used here is a 512-bit RSA key, which is what FREAK exploits.
9. The browser signals that data will now be encrypted from its side.
10. Digest of all handshake messages so far, sent encrypted; the server validates that nothing was tampered with.
11. The server signals that data will now be encrypted from its side.
12. Digest of all handshake messages; the browser validates that nothing was tampered with.
13. SSL handshake complete. The browser generated a symmetric key for the session and encrypted it with the server public key (see the note after step 8).
14. All data is encrypted with the new symmetric session key. If any validation fails, data arrives out of order, or does not contain the right data, the SSL session is terminated and a new one started.
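The FREAK discussion on slide 3 and the handshake walkthrough above both come down to the cipher-suite negotiation in the Client Hello (step 4) and Server Hello (step 5). The following Python is an added example, not part of the deck: it parses those two TLS handshake records and reports export-grade suites (the RFC 2246 *_EXPORT_* suites, which cap RSA at 512 bits), which is the check a scanner performs against a server, plus the check a correct client performs, rejecting a Server Hello that selects a suite the client never offered. The Hello records are constructed inline with a small builder (zeroed random, no extensions) rather than captured from any real server, and the suite lists are assumptions chosen to show one clean and one downgraded negotiation.

```python
"""Parse TLS Client Hello / Server Hello records and flag export-grade suites.

Added example, not from the deck.  All records here are constructed with
build_hello() below (zeroed random, no extensions); nothing is captured from a
real server, and the suite lists are assumptions chosen for illustration.
"""
import struct
from typing import Dict, List

# Export-grade suites from RFC 2246 (40-bit ciphers, RSA/DH keys capped at 512 bits).
EXPORT_SUITES: Dict[int, str] = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def parse_hello(record: bytes) -> dict:
    """Return {"type", "version", "suites"} from a handshake record holding a Hello.

    A Client Hello carries a length-prefixed list of offered suites; a Server
    Hello carries exactly the one suite the server selected (handshake step 5).
    """
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {ctype:#x})")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 2 + 32                 # skip client/server version (2) and random (32)
    pos += 1 + hello[pos]        # skip session_id length byte and the session id
    if hs_type == CLIENT_HELLO:
        (n,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]
    elif hs_type == SERVER_HELLO:
        suites = [struct.unpack("!H", hello[pos:pos + 2])[0]]
    else:
        raise ValueError(f"not a Hello message (handshake type {hs_type:#x})")
    return {"type": hs_type, "version": struct.unpack("!H", hello[:2])[0], "suites": suites}


def export_suites_in(record: bytes) -> List[str]:
    """Names of export-grade suites offered (Client Hello) or chosen (Server Hello)."""
    return [EXPORT_SUITES[s] for s in parse_hello(record)["suites"] if s in EXPORT_SUITES]


def server_picked_unoffered_suite(client_hello: bytes, server_hello: bytes) -> bool:
    """The check a correct client performs: the selected suite must be one it offered.

    A server answering a modern Client Hello with an export suite is either
    misconfigured or the hello was rewritten in transit; either way the client
    must abort instead of continuing with a 512-bit key.
    """
    offered = set(parse_hello(client_hello)["suites"])
    chosen = parse_hello(server_hello)["suites"][0]
    return chosen not in offered


def build_hello(hs_type: int, suites: List[int]) -> bytes:
    """Construct a minimal TLS 1.0 Hello record (sample input only, not a TLS client)."""
    version, rnd, sid = b"\x03\x01", bytes(32), b"\x00"
    if hs_type == CLIENT_HELLO:
        cs = b"".join(struct.pack("!H", s) for s in suites)
        body = version + rnd + sid + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    else:
        body = version + rnd + sid + struct.pack("!H", suites[0]) + b"\x00"
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


# Constructed samples.  A modern client offers only AES-GCM suites; a scanner
# deliberately offers export suites to learn whether the server still accepts them.
MODERN_CLIENT_HELLO = build_hello(CLIENT_HELLO, [0xC02F, 0xC030, 0x009C])
SCANNER_CLIENT_HELLO = build_hello(CLIENT_HELLO, [0x002F, 0x0003, 0x0008])
CLEAN_SERVER_HELLO = build_hello(SERVER_HELLO, [0xC02F])
EXPORT_SERVER_HELLO = build_hello(SERVER_HELLO, [0x0003])

if __name__ == "__main__":
    print("scanner offered :", export_suites_in(SCANNER_CLIENT_HELLO))
    print("server chose    :", export_suites_in(EXPORT_SERVER_HELLO))
    print("client must abort:", server_picked_unoffered_suite(MODERN_CLIENT_HELLO, EXPORT_SERVER_HELLO))
```

Against a live server the same parser can be run over the bytes returned on a raw socket after sending the scanner's Client Hello; a Server Hello that comes back selecting 0x0003 or 0x0008 means the export suites were never removed from that server's configuration, which is the server-side condition FREAK needs.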
Slide 14
How secure is out-of-the-box Oracle EPM?
Access control: the password is passed from the user's browser to the web server in clear text. It is Base64-encoded, which exists only to carry characters in the user name and password that are not HTTP-safe; Base64 is not encryption, and anyone who can capture the request can decode it. Without SSL this is the weakest link.
Shared Services and the EPM System security subsystem encrypt the credentials they store in the Shared Services repository with the 128-bit AES algorithm.
WebLogic Server ships with a demo SSL certificate. Default deployments of Essbase components in secure mode use self-signed certificates to enable SSL communication, mainly for testing purposes. Use SSL with third-party certificates.
Slide 15
Oracle EPM Supported SSL Scenarios
- SSL Offload
- Full SSL
Slide 16
SSL Offload
- Easier and less time-consuming to configure and troubleshoot
- Secure communication from client to load balancer, but not server to server: traffic behind the load balancer travels in clear text
- Reduced overhead and performance hit
- Easier to maintain through SSL updates and certificate expirations
- Easier to support (Oracle)
- Less expensive: limited number of certificates (2)
Slide 17
Full SSL
- More difficult and time-consuming to configure and troubleshoot
- Secure communication from client to load balancer, load balancer to server, and server to server
- Greater overhead and performance hit
- More difficult to maintain through SSL updates and certificate expirations
- Potentially more difficult to support (Oracle): few support technicians have experience with SSL environments
- More expensive: additional certificates
Slide 18
Oracle EPM Capable SSL Components
- SSL Offloader: HTTPS
- Oracle WebLogic Server (Admin Server, NodeManager): HTTPS
- Oracle HTTP Server: HTTPS
- User Directories: LDAPS (Oracle Internet Directory, Sun Java System Directory Server, Active Directory on Windows Server 2008, Active Directory on Windows Server 2003, Novell eDirectory)
- Databases: JDBC over SSL
- Internet Information Services: HTTPS
- Mail Server: SMTPS
Slide 19
Certificates required for Oracle EPM
Root CA certificate: the root CA certificate verifies the validity of the certificate used to support SSL. It contains the public key matching the private key that was used to sign the server certificate; the signature is checked against this public key to verify the certificate. You can obtain the root CA certificate from the certificate authority that signed your SSL certificates. You need not install a root CA certificate in the Java keystore if you are using certificates from a well-known third-party CA whose root certificate is already present in the Java keystore. Firefox and Internet Explorer are likewise preloaded with the certificates of well-known third-party CAs. If you are acting as your own CA, you must import your CA root certificate into the Java keystore and into the trust store of every browser and client that will connect.
Server certificates: one for each Oracle HTTP Server, WebLogic Server, database server, directory server and mail server in your deployment. Two certificates for the SSL offloader: one for external communication (facing users) and one for internal communication (facing the back-end servers).
Slide 20
Oracle EPM Capable SSL Components (diagram)
- Financial Reporting Studio: encrypted RMI
- Essbase
Slide 21
Oracle EPM SSL Implementation Requirements
- SSL certificates from a well-known third-party CA
- FQDNs (fully qualified domain names) for every server, matching the names in the certificates
- Keytool or Oracle Wallet: create a custom keystore, generate the certificate request, import the signed certificate into the keystore
- Back up certificates and keystores
- Monitor certificate expiration dates
- Security expertise: Windows, WebLogic, Java, IIS, penetration testing
- Toolbox: network sniffer, telnet, netstat/Active Ports
Slide 22
22 2015 The Hackett Group, Inc. All rights reserved.
Reproduction of this document or any portion thereof without prior
written consent is prohibited. Web Identity Management Systems
(SSO) Oracle Single Sign-on (OSSO) Oracle Access Manager Kerberos
SiteMinder Users try to access a SiteMinder-protected EPM System
resource. They use a URL that connects them to the web server that
front-ends the SiteMinder policy server; for example,
http://WebAgent_Web_Server_Name:WebAgent_Web_
ServerPort/interop/index.jsp The web server redirects users to the
policy server, which challenges users for credentials. After
verifying credentials against configured user directories, the
policy server passes the credentials to the web server that hosts
the SiteMinder Web Agent. The web server that hosts the SiteMinder
Web Agent redirects the request to the Oracle HTTP Server that
front-ends EPM System. Oracle HTTP Server redirects users to the
requested application deployed on WebLogic Server or IIS Server.
The EPM System component checks provisioning information and serves
up content. For this process to work, the user directories that
SiteMinder uses to authenticate users must be configured as
external user directories in the EPM System and configured as
trusted.
Slide 23
23 2015 The Hackett Group, Inc. All rights reserved.
Reproduction of this document or any portion thereof without prior
written consent is prohibited. Oracle EPM Security Best Practices
Implement SSL Change Shared Services Native admin password Complex
passwords for all users No hyper10n Change database passwords
Separate database user/password for each database/schema Change
service account/DCOM passwords Secure database drive file system
Use transparent data encryption for SQL Server and Oracle Server Do
not distribute install/service/DCOM credentials Secure RAF, OHS
shares -> deny to all except service Secure FDM, LCM share ->
per user Maintain documentation on certificate expiration
dates
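Slides 19 and 21 list the certificates the deployment needs and require that their expiration dates be monitored, and the best-practice list above repeats the point about documenting those dates. The following Python is an added example, not Oracle tooling, of the monitor that documentation should feed: an inventory with one row per certificate, bucketed into expired / expiring / ok as of a given date. The inventory, host names and dates are constructed for the example, and AS_OF is pinned to the date of this deck so the result is reproducible. On a live system the notAfter strings come from ssl.SSLSocket.getpeercert()['notAfter'] for each HTTPS or LDAPS endpoint; the date format used here is the one that call returns.

```python
"""Certificate expiry monitor for an EPM SSL deployment.

Added example, not Oracle's tooling.  The inventory is constructed and the
host names are hypothetical.  notAfter strings use the format that Python's
ssl.SSLSocket.getpeercert() returns, so on a live system each row can be
filled from getpeercert()["notAfter"] for the corresponding endpoint.
"""
import ssl
from datetime import datetime, timezone
from typing import Dict, List

# Date of the deck, pinned so the sample report below is reproducible.
AS_OF = datetime(2015, 3, 11, tzinfo=timezone.utc)

# Constructed inventory: one row per certificate the deployment requires
# (every OHS, WebLogic, database, directory and mail server, plus two for the
# offloader, external and internal).  Hosts and dates are made up.
INVENTORY = [
    {"component": "SSL offloader (external)", "endpoint": "epm.example.com:443",
     "notAfter": "Apr 01 23:59:59 2015 GMT"},
    {"component": "SSL offloader (internal)", "endpoint": "epm-lb.example.internal:443",
     "notAfter": "Mar 01 23:59:59 2015 GMT"},
    {"component": "Oracle HTTP Server", "endpoint": "epm-web1.example.internal:19443",
     "notAfter": "Mar 11 23:59:59 2016 GMT"},
    {"component": "WebLogic Admin Server", "endpoint": "epm-app1.example.internal:7002",
     "notAfter": "Dec 31 23:59:59 2015 GMT"},
    {"component": "Active Directory (LDAPS)", "endpoint": "dc1.example.internal:636",
     "notAfter": "Sep 15 23:59:59 2017 GMT"},
    {"component": "Database (JDBC over SSL)", "endpoint": "epm-db1.example.internal:2484",
     "notAfter": "Mar 20 23:59:59 2015 GMT"},
]


def days_remaining(not_after: str, now: datetime) -> float:
    """Days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(inventory: List[dict], now: datetime, warn_days: int = 30) -> Dict[str, List[str]]:
    """Group component names into expired / expiring (within warn_days) / ok.

    Inventory order is preserved so the report is stable from run to run.
    """
    report: Dict[str, List[str]] = {"expired": [], "expiring": [], "ok": []}
    for cert in inventory:
        left = days_remaining(cert["notAfter"], now)
        if left < 0:
            bucket = "expired"
        elif left < warn_days:
            bucket = "expiring"
        else:
            bucket = "ok"
        report[bucket].append(cert["component"])
    return report


def next_renewal(inventory: List[dict], now: datetime) -> str:
    """Component whose still-valid certificate expires soonest."""
    valid = [c for c in inventory if days_remaining(c["notAfter"], now) >= 0]
    return min(valid, key=lambda c: days_remaining(c["notAfter"], now))["component"]


if __name__ == "__main__":
    for bucket, names in classify(INVENTORY, AS_OF).items():
        print(f"{bucket:9}: {', '.join(names) or '-'}")
    print("renew next:", next_renewal(INVENTORY, AS_OF))
```

The two offloader certificates are separate rows on purpose: an expired internal certificate is invisible from the browser, since users only ever see the external one, so it is the row a checklist built from the user-facing URL alone would miss.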
Slide 24
Oracle EPM Security Best Practices (continued)
- Check the integrity of static folders: EPMSystem11R1, ORACLE_COMMON, OHS, ODI, JAVA/JRockit
- Secure cookies: EPM System web applications set a cookie to track the session. When setting a cookie, especially a session cookie, the server can set the Secure flag, which forces the browser to send the cookie only over a secure channel. This reduces the risk of session hijacking.
- Reduce the SSO token timeout: the default SSO token timeout is 480 minutes. Reduce it, for example to 60 minutes, to minimize the window for token reuse if a token is exposed.
- Review security reports: the Security Report contains audit information for the security tasks for which auditing is configured. Generate and review this report from Shared Services Console on a regular basis, especially to identify failed login attempts across EPM System products and provisioning changes.
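Slide 14 notes that the out-of-the-box login sends the password Base64-encoded rather than encrypted, and the secure-cookie item above explains the Secure flag. The following Python is an added example, not EPM code, that shows both from the sniffer's side: it decodes the Basic credentials out of a captured request, reports which Set-Cookie headers lack the Secure and HttpOnly flags, and emits the hardened header form for comparison. The request, response, host, path, cookie names and values are all constructed for the example; the "hyper10n" password is the joke from the best-practice list, not a real credential; JSESSIONID is the standard Java servlet session cookie name and EPM_SESSION is hypothetical.

```python
"""Audit a captured HTTP exchange for two out-of-the-box weaknesses: credentials
that are only Base64-encoded, and session cookies set without Secure/HttpOnly.

Added example, not Oracle EPM code.  The request and response below are
constructed by hand; host, path, cookie names and values are hypothetical.
"""
import base64
from typing import Dict, List, Optional, Tuple

# Constructed capture: a login over plain HTTP carrying HTTP Basic credentials.
CAPTURED_REQUEST = (
    "GET /workspace/index.jsp HTTP/1.1\r\n"
    "Host: epm.example.internal\r\n"
    "Authorization: Basic " + base64.b64encode(b"admin:hyper10n").decode() + "\r\n"
    "\r\n"
)

# Constructed response: a session cookie with no flags, a JSESSIONID with only
# HttpOnly, and a harmless preference cookie that happens to be Secure.
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: EPM_SESSION=0123456789abcdef; Path=/\r\n"
    "Set-Cookie: JSESSIONID=fedcba9876543210; Path=/workspace; HttpOnly\r\n"
    "Set-Cookie: theme=blue; Path=/; Secure\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP message into (lower-cased name, value) pairs, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def exposed_basic_credentials(request: str) -> Optional[Tuple[str, str]]:
    """Recover user and password from a Basic Authorization header.

    Base64 is an encoding, not encryption: this is exactly what a sniffer on
    the client-to-web-server path sees when the request is not inside TLS.
    """
    for name, value in headers(request):
        if name == "authorization" and value.lower().startswith("basic "):
            decoded = base64.b64decode(value.split(None, 1)[1]).decode("utf-8")
            user, _, password = decoded.partition(":")
            return user, password
    return None


def audit_cookies(response: str) -> Dict[str, List[str]]:
    """Map each Set-Cookie name to the protective flags it is missing."""
    findings: Dict[str, List[str]] = {}
    for name, value in headers(response):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [f for f in ("HttpOnly", "Secure") if f.lower() not in attrs]
    return findings


def set_cookie_header(name: str, value: str, path: str = "/") -> str:
    """Hardened form: a cookie that only travels over TLS and is hidden from page script."""
    return f"Set-Cookie: {name}={value}; Path={path}; Secure; HttpOnly"


if __name__ == "__main__":
    print("credentials on the wire:", exposed_basic_credentials(CAPTURED_REQUEST))
    for cookie, missing in audit_cookies(CAPTURED_RESPONSE).items():
        print(f"{cookie}: missing {missing or 'nothing'}")
    print(set_cookie_header("EPM_SESSION", "0123456789abcdef"))
```

The Secure flag only helps once the site is actually served over HTTPS; on a plain-HTTP deployment the cookie in the response above is already on the wire in clear text before any flag is evaluated, which is why "Implement SSL" heads the best-practice list.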
Slide 25
Oracle EPM Security Best Practices (continued)
- Customize the authentication system for strong authentication: use a custom authentication module to add strong authentication to EPM System; for example, RSA SecurID two-factor authentication in non-challenge-response mode. The custom authentication module is transparent to thin and thick clients and does not require client-side deployment changes.
- Turn off detailed Financial Management error messages: hide detailed Financial Management error messages containing technical information from users by updating Windows registry entries.
- Encrypt the UDL file (Financial Management): while configuring Financial Management, EPM System Configurator creates an unencrypted UDL file by default (the UDL file holds the database connection string, credentials included). Encrypt it by selecting the option on the Advanced Database Options page of the Oracle Hyperion Enterprise Performance Management System Configurator, or by running the EncryptHFMUDL utility after configuration is complete.
Slide 27
Oracle EPM Security Best Practices (continued)
- Change default web server error pages: when application servers are not available to accept requests, the web server plug-in for the back-end application server (for example, the Oracle HTTP Server plug-in for Oracle WebLogic Server) returns a default error page that displays plug-in build information. Web servers display their default error page on other occasions as well. Attackers can use this version information to look up known vulnerabilities on public web sites.
- Regenerate encryption keys:
  - Single Sign-On token encryption key, used to encrypt and decrypt EPM System SSO tokens. This key is stored in the Shared Services Registry.
  - Trusted Services key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token.
  - Provider Configuration encryption key, used to encrypt the password (the user DN password for LDAP-enabled user directories) that EPM System security uses to bind to a configured external user directory. This password is set while configuring an external user directory.
Slide 28
Security Patches
Critical Patch Updates, Security Alerts and Third Party Bulletin: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Select the correct versions for patching: WebLogic Server, Java/JRockit, Oracle HTTP Server, SOA Suite, Coherence.
Slide 29
System Patches
Oracle EPM patches: http://support.oracle.com
Slide 30
Better safe than sorry
- Back up Oracle EPM System databases
- Back up Oracle EPM server file systems: user_projects/domains, user_projects/ /httpConfig, cacerts and keystores, IIS metabase
Slide 31
How Secure Are You?
Slide 32
Amsterdam | Atlanta | Chicago | Frankfurt | Hyderabad | London | Miami | Montevideo | New York | Paris | Philadelphia | San Francisco | Sydney | Vancouver
Contact Information
Mark T. Wirth, Principal
o 864-525-4682 | m 864-525-4682 | [email protected]
Slide 33
Statement of Confidentiality and Usage Restrictions
This document contains trade secrets and information that is sensitive, proprietary, and confidential to The Hackett Group, the disclosure of which would provide a competitive advantage to others. As a result, the information contained herein, including information relating to The Hackett Group's data, equipment, apparatus, programs, software, security keys, specifications, drawings, business information, pricing, tools, taxonomy, questionnaires, deliverables, including without limitation any benchmark reports, and the data and calculations contained therein, may not be duplicated or otherwise distributed without The Hackett Group Inc.'s express written approval.
www.thehackettgroup.com