Oracle Financial Services Analytical Applications Infrastructure
Security Guide
Release 8.0.x
Dec 2019
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 2
OFS Analytical Applications Infrastructure Security Guide
Copyright © 2020 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

For information on third party licenses, click here.
Document Control

Version Number | Revision Date | Change Log
Draft | January 2015 | Made the document generic for all releases. This document captures the necessary security related configurations.
1.0 | April 2015 | Added section 3.3 Configuration to restrict file uploads for the Ngan Hang SR 3-10413030421.
2.0 | November 2015 | Added section 3.4 based on Bug 21810721.
3.0 | December 2015 | Updated Web Application Server Security Configuration section based on Bug 22070501.
4.0 | June 2016 | Added content based on Bug 23603150.
5.0 | December 2016 | Rectified the broken link in the TLS Configuration for WebLogic section. Modified the Configuration to restrict HTTP methods other than GET/POST section based on Bug 25308546.
6.0 | June 2017 | Added section 'Configuring Application Security' for Bug 25957230, 25990244 and 25957206.
7.0 | August 2017 | Updated for Bug 26568700.
8.0 | September 2017 | Removed list of filter servlet keywords and created a MOS document.
9.0 | May 2018 | Updated for security enhancements in 8.0.6.0.0.
10.0 | August 2018 | Added back Filter Servlet chapter for Doc 28542034.
11.0 | October 2018 | Updated for Doc 28672747 and Doc 28771653.
12.0 | February 2019 | Updated for Doc 29288736, 29352320 and 29352863.
13.0 | May 2019 | Added a new chapter for Secure Database Connection.
14.0 | Aug 2019 | Added generic system configuration information in Security Configurations for Doc 30204166. Added tip to configure from SSLv3 to TLSv1.2 in Enabling HTTPS Configuration for OFSAA for Doc 30171443.
15.0 | Dec 2019 | Updated section Configuration to set Content Security Policy with information for validation of the web.xml file (Doc 30622153).
Table of Contents

1 Preface   6
1.1 Summary   6
1.2 Audience   6
1.2.1 Prerequisites for the Audience   6
1.3 Related Documents   6
2 Secure Configurations   8
2.1 Security Configurations   8
3 Secure Header Configuration   10
3.1 Configuration for X-Frame-Options   10
3.2 Configuration to set Content Security Policy   11
3.3 Configuration for Referrer Header Validation   12
4 Web Application Server Security Configurations   14
4.1 Enabling HTTPS Configuration for OFSAA   14
4.2 Security Configuration for Tomcat   14
4.3 Security Configuration for WebSphere   15
4.3.1 Session Management Secure and HttpOnly Configuration   15
4.3.2 TLS Configuration for WebSphere   18
4.3.3 Configuring Application Security   18
4.3.4 Disable Directory Listing   19
4.4 Security Configuration for WebLogic   19
5 Additional Security Configurations   23
5.1 Configuration to Restrict Access to Default Web Server Pages   23
5.2 Configuration to Restrict Display of the Web Server Details   24
5.3 Configuration to Restrict File Uploads   25
5.4 Configuration to restrict HTTP methods other than GET/POST   25
5.5 Configuration to enable unlimited cryptographic policy for Java   26
6 Secure Database Connection   27
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)   27
7 Appendix A - Filter Servlet   28
7.1 Introduction   28
7.2 Security and Access   28
7.3 Vulnerability Checks   28
7.4 Cross Site Scripting   28
7.5 SQL Injection   29
7.6 Filter Servlet Configurations   29
7.6.1 Checking for XSS Vulnerability   29
7.6.2 Exclusion of Keywords / Key Characters   29
7.6.3 Debug Logs   29
1 Preface
This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:
- Secure Configurations
- Secure Header Configurations
- Web Application Server Security Configurations
- Additional Security Configurations

1.1 Summary
The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.

1.2 Audience
This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration, so that they can install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience
This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:
- OFS AAAI pack components
- OFSAA Architecture
- UNIX Commands
- Database Concepts
- Web server / Web application server

1.3 Related Documents
This section identifies additional documents related to OFSAA Infrastructure:
- Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
- Oracle Financial Services Analytical Applications Environment Check Utility Guide
- Oracle Financial Services Analytical Applications Infrastructure Administration Guide
- Oracle Financial Services Analytical Applications Infrastructure User Guide
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations
To have a secure environment for the OFSAA installation, there is a set of configurations that need to be completed. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.
- Oracle Data Redaction - This is an Oracle Database Advanced Security option that enables the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.
- TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when it is stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
- Key Management - The OFSAA configuration schema (CONFIG) is the repository that stores passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed. The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.
  NOTE: Integration with any other Key Management solution is out of scope for this release.
- File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.
- Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
- Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
- Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
- SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
- Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
- Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
- Input and Output Encoding - The product is enabled with input validation and output encoding to protect it from various types of security attacks.
- Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
- Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
- System Configuration and Identity Management - Configure the following parameters using the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
  - Set session timeout
  - Enable CSRF
  - Set frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the methods that you can configure on your OFSAAI system to protect it from such attacks:
- Configuration for X-Frame-Options
- Configuration to set Content Security Policy
- Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against external parties that embed your content inside their own pages, made to look like yours, in order to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following Security filter configuration for the response header.
   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit the domains:
   X-Frame-Options:
   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>mode</param-name>
       <param-value>ALLOW-FROM <URL1> <URL2></param-value>
     </init-param>
   </filter>
   NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.
   X-Frame-Options is supported only on the Internet Explorer browser.
   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If the tags do not exist in the web.xml file, add them to the file:
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>
   WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify it as required:
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src <IMGURL> 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
   </context-param>
In the previous example, you have to define the policy by replacing:
- default-src - with no value. This sets it to 'self'.
- <SCRURL> - with the URL of the script that you want to allow to run, which prevents any other script from running.
- <IMGURL> - with the image URLs of the trusted sources from which you want to load images, which prevents images from untrusted sources.
- <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing only requests whose referrer is one of the validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>AllowHosts</param-name>
       <param-value><URL1> <URL2></param-value>
     </init-param>
   </filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
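The web.xml settings in sections 3.1 to 3.3 share formatting rules that are easy to get wrong by hand (one space between URLs, a trailing slash on each URL, no duplicate CSP context-params). The following script is an added example and is not part of this guide or of the OFSAA product: it parses a web.xml and reports violations of those rules on a constructed sample; the filter class name is the one shown above, while the hostnames are made up.

```python
"""Added example (not Oracle's code): lint an OFSAA web.xml against the rules
in sections 3.1 to 3.3; the sample web.xml and its hostnames are constructed."""
import xml.etree.ElementTree as ET

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")

# Constructed sample with one mistake of each kind the guide warns about: a
# duplicate script-src, missing img-src/style-src, a double space in ALLOW-FROM
# and a URL without its trailing slash.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self'</param-value>
  </context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://a.example.com/  https://b.example.com</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value> https://a.example.com/ https://b.example.com/ </param-value>
    </init-param>
  </filter>
</web-app>
"""

def local(tag):
    """Drop the namespace so tags match whether or not web.xml declares one."""
    return tag.rsplit("}", 1)[-1]

def child_text(el, name):
    """Stripped text of the first direct child called `name`, else None."""
    for child in el:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def check_url_list(value, label):
    """Notes in 3.1 and 3.3: one space between URLs, each ending in a slash."""
    problems, value = [], value.strip()
    if "  " in value:
        problems.append(f"{label}: URLs must be separated by a single space")
    for url in value.split():
        if url.count("://") != 1:  # two URLs run together, or not a URL at all
            problems.append(f"{label}: {url} is not one absolute URL")
        if not url.endswith("/"):
            problems.append(f"{label}: {url} does not end with /")
    return problems

def check_filter_params(root):
    """X-Frame-Options ALLOW-FROM list (3.1) and AllowHosts list (3.3)."""
    problems = []
    for el in root.iter():
        if local(el.tag) != "filter" or child_text(el, "filter-name") != "FilterServlet":
            continue
        for param in (p for p in el if local(p.tag) == "init-param"):
            name = child_text(param, "param-name")
            value = child_text(param, "param-value") or ""
            if name == "mode" and value.startswith("ALLOW-FROM "):
                problems += check_url_list(value[len("ALLOW-FROM "):], "mode")
            elif name == "mode":
                problems.append("mode: expected 'ALLOW-FROM <URL1> <URL2>'")
            elif name == "AllowHosts":
                problems += check_url_list(value, "AllowHosts")
    return problems

def check_csp_params(root):
    """3.2: all four directives present, none duplicated, value named correctly."""
    problems, seen = [], set()
    for el in (e for e in root.iter() if local(e.tag) == "context-param"):
        name = child_text(el, "param-name")
        if name not in CSP_DIRECTIVES:
            continue
        if name in seen:
            problems.append(f"{name}: duplicate context-param, remove one")
        seen.add(name)
        if not (child_text(el, "param-value") or "").startswith(name + " "):
            problems.append(f"{name}: param-value must start with '{name} '")
    problems += [f"{n}: context-param missing, add it" for n in CSP_DIRECTIVES if n not in seen]
    return problems

def validate_web_xml(xml_text):
    """All problems found; an empty list means web.xml follows the guide."""
    root = ET.fromstring(xml_text)
    return check_filter_params(root) + check_csp_params(root)

if __name__ == "__main__":
    print("\n".join(validate_web_xml(SAMPLE_WEB_XML) or ["web.xml follows the guide"]))
```

Point validate_web_xml at the contents of $FIC_HOME/ficweb/webroot/WEB-INF/web.xml before restarting the application server; an empty list means the three sections' rules are satisfied.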
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:
- To enable HTTPS post installation
- To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
   TIP: Multiple cipher suites have to be comma-separated.
   For example:
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure Secure and HttpOnly using the following procedure:
   a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.
   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
   c. Add the tags below to the session-config section of the $CATALINA_HOME/conf/web.xml file:
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
   <init-param>
     <param-name>listings</param-name>
     <param-value>false</param-value>
   </init-param>
6. After configuration, restart the Tomcat service.

4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS Sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
   Cookie Name - JSESSIONID
   Cookie domain - <domain>
   Cookie Path - <context>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   - Restrict Cookies to HTTPS Sessions
   - Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://<host>:<adminport>/ibm/console).
2. Under the Security menu, select SSL certificate and key management, SSL configurations, NodeDefaultSSLSettings and Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure that they are, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and resave the change.
6. Configure session Secure and HttpOnly:
   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
      Create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the tags below:
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>
   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the tag below under the root element:
      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:
      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>
      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
   <index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart the services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
   Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):
   Section I
   <Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>
   Section II
     <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
     <Parameter name="context.param.name" value="context.param.value" override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
type=javaxsqlDataSourcegt
ltResourceParams name=jdbcEmployeeAppDbgt
ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt
ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt
ltparametergtltnamegtdriverClassNameltnamegt
ltvaluegtorghsqljdbcDriverltvaluegtltparametergt
ltparametergtltnamegtdriverNameltnamegt
ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt
ltResourceParamsgt
ltResource name=mailSession auth=Container
type=javaxmailSessiongt
ltResourceParams name=mailSessiongt
ltparametergt
ltnamegtmailsmtphostltnamegt
ltvaluegtlocalhostltvaluegt
ltparametergt
ltResourceParamsgt
ltResourceLink name=linkToGlobalResource
global=simpleValue
type=javalangIntegergt
ltContextgt
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-
users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
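A way to confirm that steps 5 and 9 above have actually taken effect, as an added example that is neither Oracle's nor Tomcat's own code: it parses the text of server.xml and tomcat-users.xml and reports any still-active Examples context and any user whose password is empty, a known Tomcat sample password, equal to the user name, or shorter than a minimum length. The sample XML, the set of "known default" passwords and the minimum length are this example's assumptions.

```python
"""Audit a hardened Tomcat configuration (added example, not from the guide)."""
import xml.etree.ElementTree as ET

# Passwords Tomcat ships in its commented-out sample users. Treating these as
# "known defaults" is this example's assumption, not a statement from the guide.
KNOWN_DEFAULT_PASSWORDS = {"tomcat", "password", "admin", "manager"}


def _local(tag):
    """Strip an XML namespace: '{http://tomcat.apache.org/xml}user' -> 'user'."""
    return tag.rsplit("}", 1)[-1]


def active_example_contexts(server_xml):
    """Return the path of every Context in server.xml that still exposes the
    Tomcat Examples web application. A Context that has been commented out is
    dropped by the XML parser, which is exactly the state step 5 produces."""
    root = ET.fromstring(server_xml)
    found = []
    for ctx in root.iter():
        if _local(ctx.tag) != "Context":
            continue
        path = ctx.get("path", "")
        doc_base = ctx.get("docBase", "")
        if path.rstrip("/") == "/examples" or doc_base == "examples":
            found.append(path or doc_base)
    return found


def weak_tomcat_users(users_xml, min_length=8):
    """Return (username, reason) for every user in tomcat-users.xml whose password
    is empty, a known default, equal to the user name, or shorter than min_length.
    min_length is this example's policy, not a value from the guide."""
    root = ET.fromstring(users_xml)
    findings = []
    for user in root.iter():
        if _local(user.tag) != "user":       # handles the tomcat.apache.org namespace
            continue
        name = user.get("username", "")
        pwd = user.get("password", "")
        if not pwd:
            findings.append((name, "empty password"))
        elif pwd.lower() in KNOWN_DEFAULT_PASSWORDS:
            findings.append((name, "default password"))
        elif pwd.lower() == name.lower():
            findings.append((name, "password equals user name"))
        elif len(pwd) < min_length:
            findings.append((name, "password shorter than %d" % min_length))
    return findings


# Constructed sample inputs; not taken from any real deployment.
SERVER_XML_BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/examples" docBase="examples" debug="0"
                 reloadable="true" crossContext="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# The same file after step 5: the Context is wrapped in an XML comment.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    '<Context path="/examples"', '<!-- <Context path="/examples"').replace(
    'crossContext="true"/>', 'crossContext="true"/> -->')

USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="" roles="manager-gui"/>
  <user username="ofsaa_ops" password="Xk7#pQ2vLm9!" roles="manager-gui"/>
</tomcat-users>"""

if __name__ == "__main__":
    print("examples context still active:", active_example_contexts(SERVER_XML_BEFORE))
    print("after commenting out:", active_example_contexts(SERVER_XML_AFTER))
    for name, reason in weak_tomcat_users(USERS_XML):
        print("weak credential for %r: %s" % (name, reason))
```

Run it against copies of the real files by reading them into the two functions; a non-empty result from either function means the corresponding step still has to be done on that server.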
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses:
Modify the httpd.conf file and set:
"ServerTokens" parameter to "Prod"
"ServerSignature" parameter to "Off"
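A configuration-file check for the two directives above, as an added example (not from the guide or the Apache project). It applies the rules httpd itself uses when reading the file: comment lines are ignored, directive names are case-insensitive, the last occurrence of a directive wins, and an absent directive takes its compiled-in default (ServerTokens Full, ServerSignature Off), so a missing ServerTokens is reported as a finding. The sample configuration text is constructed.

```python
"""Audit ServerTokens / ServerSignature in httpd.conf (added example)."""
import re

# Hardened values from section 5.2 of the guide.
EXPECTED = {"servertokens": "prod", "serversignature": "off"}
# Compiled-in defaults that apply when the directive is absent.
DEFAULTS = {"servertokens": "full", "serversignature": "off"}

_DIRECTIVE = re.compile(r"^\s*(ServerTokens|ServerSignature)\s+(\S+)", re.IGNORECASE)


def effective_directives(conf_text):
    """Return {directive: value} as httpd would apply them: comments skipped,
    names lower-cased, last occurrence wins, defaults filled in when absent."""
    values = dict(DEFAULTS)
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _DIRECTIVE.match(stripped)
        if m:
            values[m.group(1).lower()] = m.group(2).strip('"').lower()
    return values


def audit_server_details(conf_text):
    """Return (directive, actual, expected) for every directive whose effective
    value differs from the hardened value; an empty list means compliant."""
    actual = effective_directives(conf_text)
    return [(d, actual[d], want) for d, want in EXPECTED.items() if actual[d] != want]


# Constructed sample: ServerTokens was set to Prod near the top but a leftover
# line further down overrides it; ServerSignature is only present as a comment.
SAMPLE_CONF = """
ServerRoot "/etc/httpd"
ServerTokens Prod
#ServerSignature Off
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
</IfModule>
servertokens OS
"""

HARDENED_CONF = """
ServerRoot "/etc/httpd"
ServerTokens Prod
ServerSignature Off
"""

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_server_details(conf) or "compliant")
```

The check reads a single file; directives pulled in through Include lines or placed inside a VirtualHost block (ServerSignature may be scoped that way, ServerTokens may not) are outside what it models, so run it on the effective merged configuration or extend it to follow Include.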
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is
applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration"
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded into OFSAA applications. Any file being attached that does not have an extension listed in
this parameter value will be blocked. The current release has the below values set for the parameter.
This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and
jpeg
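The allow-list rule described above, written out as an added example that is not the OFSAA Forms Framework code. How the product parses the parameter value or whether it compares case-sensitively is not stated on this page; the example splits on commas, trims whitespace, and compares exactly, which is consistent with the list carrying both "doc" and "Doc". It exercises the edge cases a reviewer of such a check should care about: no extension, a trailing dot, a double extension such as "report.pdf.exe" (only the final extension counts), and client-supplied path components.

```python
"""Extension allow-list check for uploads (added example, not product code)."""
import posixpath

# Value listed in the guide for the current release, constructed as a string
# here; in the product it lives in the CONFIGURATION table.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(param_value):
    """Turn the parameter value into a set of extensions (no leading dot, exact case)."""
    return {e.strip().lstrip(".") for e in param_value.split(",") if e.strip()}


def extension_of(filename):
    """Return the final extension of a client-supplied file name, or '' if none.
    Directory parts are discarded, so '../../boot.ini' is judged on 'boot.ini'."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]        # '' for a trailing dot such as 'trailing.'


def is_upload_allowed(filename, param_value=DOCUMENT_ALLOWED_EXTENSION):
    """True only when the final extension is exactly one of the configured values."""
    ext = extension_of(filename)
    return ext != "" and ext in parse_allowed_extensions(param_value)


if __name__ == "__main__":
    for name in ["report.pdf", "report.PDF", "notes.Doc", "README", "archive.zip",
                 "report.pdf.exe", "trailing.", "..\\..\\boot.ini", "img.jpeg"]:
        print("%-18s -> %s" % (name, "allowed" if is_upload_allowed(name) else "blocked"))
```

An extension check only decides what name a file arrives under; it says nothing about the bytes inside, so it belongs in front of, not instead of, content-type validation and malware scanning of the stored attachment.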
5.4 Configuration to restrict HTTP methods other than
GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM
HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in case of
WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more
information on deploying the EAR/WAR file, refer to the Post Installation Configuration section
in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide.
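A post-deployment verification for either variant of the restriction above, as an added example that is not part of the guide. It sends one request per method and reports any restricted method that is still served. The httpd rewrite rule answers 405; a container enforcing the empty auth-constraint in the web.xml snippet refuses with 403, so both are accepted as "blocked". The probe takes a sender callable so the logic can be exercised offline against a fake server; the default sender uses http.client, and the host, port and context path it is given are assumptions you replace with your own.

```python
"""Verify that only GET and POST are served (added example, not from the guide)."""
import http.client

ALLOWED_METHODS = ("GET", "POST")
# Methods the web.xml snippet in section 5.4 restricts.
RESTRICTED_METHODS = ("PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT")
# 405 from the httpd rewrite rule, 403 from a container auth-constraint.
BLOCKED_STATUSES = {403, 405}


def http_status(host, port, path, method, use_tls=True, timeout=10):
    """Default sender: status code of one request to host:port (assumed reachable)."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


def probe_methods(path, send):
    """Return {method: status} for every restricted and allowed method;
    send(method) -> status code."""
    return {m: send(m) for m in RESTRICTED_METHODS + ALLOWED_METHODS}


def unblocked_methods(results):
    """Restricted methods that came back with something other than 403/405."""
    return sorted(m for m, status in results.items()
                  if m in RESTRICTED_METHODS and status not in BLOCKED_STATUSES)


def broken_allowed_methods(results):
    """Allowed methods that were refused, which would mean the rule or
    constraint is wider than intended (for instance a missing '!' in the
    RewriteCond would block GET and POST instead of the others)."""
    return sorted(m for m in ALLOWED_METHODS if results[m] in BLOCKED_STATUSES)


def _fake_partially_hardened(method):
    """Constructed stand-in for a server where TRACE and OPTIONS are still answered."""
    if method in ("TRACE", "OPTIONS"):
        return 200
    return 200 if method in ALLOWED_METHODS else 405


if __name__ == "__main__":
    results = probe_methods("/", _fake_partially_hardened)
    print("still served:", unblocked_methods(results))
    print("allowed but refused:", broken_allowed_methods(results))
    # Against a real deployment (host, port and context path are assumptions):
    # results = probe_methods("/OFSAAI/", lambda m: http_status("ofsaa.example.com", 443, "/OFSAAI/", m))
```

Run the probe against the HTTP Server front end and, separately, directly against the application server port: a rewrite rule on the front end does nothing for a client that can reach the container directly, which is the case the web.xml variant exists for.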
5.5 Configuration to enable unlimited cryptographic policy for
Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For
more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical
Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The
Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data
integrity. When a network connection over SSL is initiated, the client and server perform a handshake
that includes:
Negotiating a cipher suite for encryption, data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet.
Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can
use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin
driver with an Oracle wallet having store type SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration
Guide.
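The client-side checks from the handshake description above (TLSv1.2 or later, a server certificate that chains to the CA held in the client's trust store, and a server DN match), as an added example written with Python's ssl module rather than the JDBC thin driver and not taken from the guide or from Oracle's driver. The DN comparison and version check are pure functions so they can be exercised offline on a certificate dictionary of the shape ssl.getpeercert() returns; the constructed certificate, and the host, port and CA file path used by the connection helper, are assumptions. In the JDBC thin driver the equivalent DN check is switched on with the oracle.net.ssl_server_dn_match property.

```python
"""Check a TCPS listener endpoint the way a hardened client would (added example)."""
import ssl
import socket

MIN_TLS_VERSION = "TLSv1.2"


def subject_dn(peercert):
    """Flatten the 'subject' tuple from ssl.getpeercert() into a dict such as
    {'commonName': 'dbhost', 'organizationName': 'Example'}."""
    return {k: v for rdn in peercert.get("subject", ()) for (k, v) in rdn}


def server_dn_matches(peercert, expected):
    """True when every attribute in `expected` is present with the same value in
    the certificate subject. This is the DN match the section above lists as a
    handshake step, on top of ordinary chain validation."""
    actual = subject_dn(peercert)
    return all(actual.get(k) == v for k, v in expected.items())


def tls_version_ok(negotiated):
    """Accept TLSv1.2 and TLSv1.3; reject SSLv3, TLSv1, TLSv1.1 and unknown strings."""
    order = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
    return negotiated in order and order.index(negotiated) >= order.index(MIN_TLS_VERSION)


def check_tcps_endpoint(host, port, ca_pem_path, expected_dn, timeout=10):
    """Connect to a TCPS listener and return (negotiated_version, dn_ok).
    ca_pem_path is assumed to hold the CA certificate exported from the client
    wallet. Raises ssl.SSLError when the server certificate does not chain to it
    or its name does not match `host`; the DN match is checked in addition."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse anything below TLSv1.2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), server_dn_matches(tls.getpeercert(), expected_dn)


# Constructed certificate dictionary in the shape getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank"),),
                (("commonName", "ofsaa-db.example.internal"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
}

if __name__ == "__main__":
    print(subject_dn(SAMPLE_PEERCERT))
    print(server_dn_matches(SAMPLE_PEERCERT, {"commonName": "ofsaa-db.example.internal"}))
    print(tls_version_ok("TLSv1.1"), tls_version_ok("TLSv1.2"))
    # Live check (assumed values):
    # print(check_tcps_endpoint("ofsaa-db.example.internal", 2484, "/path/to/ca.pem",
    #                           {"commonName": "ofsaa-db.example.internal"}))
```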
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This
section also lists the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has the rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for
the following groups of keywords and key characters:
JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to
XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to
XSS_JS_METACHARS10
SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to
XSS_SQL_KEYWORDS23
SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the
Configuration table
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any of the JavascriptKeyWords with the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as
Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars)
such as " ' ( ) < > or others, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME,
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update,
Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME,
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema.
The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be
                                    enabled or not
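The combination rules of sections 7.4 and 7.5 and the XSS_IS_CHECK_REQUIRED switch of 7.6.1, modelled together in one added example. It is not the OFSAA FilterServlet, and the real servlet's matching rules beyond the two combination rules are not on this page. The example loads configuration rows of the same shape (PARAMNAME/PARAMVALUE, numbered per group), applies the two rules (JavaScript keyword and meta character together; SQL word and SQL keyword together), and writes a CSSLogger-style record carrying date, time, URL and user. The keyword and character values are the ones quoted in 7.4 and 7.5; the remaining entries of each group are in the MOS document and are not reproduced. Whole-word, case-insensitive matching and evaluating all parameter values together are choices of this example.

```python
"""Keyword / key-character request filter modelled on Appendix A (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed configuration rows: (PARAMNAME, PARAMVALUE). Values are limited
# to the examples quoted in sections 7.4 and 7.5.
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

# 'XSS_JS_KEYWORDS13' -> group 'XSS_JS_KEYWORDS', ordinal 13
_GROUP = re.compile(r"^(XSS_[A-Z_]+)(\d+)$")


def load_groups(rows):
    """Return (check_required, {group_name: [values...]}) from the rows."""
    groups = defaultdict(list)
    check_required = False
    for name, value in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            check_required = value.strip().upper() == "TRUE"
            continue
        m = _GROUP.match(name)
        if m:
            groups[m.group(1)].append(value)
    return check_required, dict(groups)


def _has_word(text, words):
    """Whole-word, case-insensitive match; returns the first word found or None."""
    for w in words:
        if re.search(r"(?<![A-Za-z0-9_])" + re.escape(w) + r"(?![A-Za-z0-9_])",
                     text, re.IGNORECASE):
            return w
    return None


def _has_char(text, chars):
    """First configured meta character present in the text, or None."""
    return next((c for c in chars if c in text), None)


def evaluate_request(params, rows=CONFIG_ROWS):
    """Apply the XSS and SQL combination rules to the request parameter values.
    Returns None when the request is clean or the check is disabled, otherwise a
    string naming the rule and the values that fired it."""
    check_required, g = load_groups(rows)
    if not check_required:
        return None
    text = " ".join(str(v) for v in params.values())
    kw = _has_word(text, g.get("XSS_JS_KEYWORDS", []))
    ch = _has_char(text, g.get("XSS_JS_METACHARS", []))
    if kw and ch:
        return "XSS: keyword %r with meta character %r" % (kw, ch)
    sw = _has_word(text, g.get("XSS_SQL_WORDS", []))
    sk = _has_word(text, g.get("XSS_SQL_KEYWORDS", []))
    if sw and sk:
        return "SQL: word %r with keyword %r" % (sw, sk)
    return None


def css_logger_line(url, user, finding, now=None):
    """One record in the spirit of CSSLogger.log: date, time, URL, user, finding."""
    now = now or datetime.now()
    return "%s %s %s %s %s" % (now.strftime("%Y-%m-%d"), now.strftime("%H:%M:%S"),
                               url, user, finding)


if __name__ == "__main__":
    samples = {                                   # constructed requests
        "clean": {"name": "Quarterly report", "page": "12"},
        "xss": {"comment": "<script>alert(1)</script>"},
        "sqli": {"id": "1; drop table users"},
        "keyword_only": {"note": "please return the form"},
        "chars_only": {"note": "sum (a, b)"},
    }
    for label, p in samples.items():
        finding = evaluate_request(p)
        print(label, "->", finding or "allowed")
        if finding:
            print("  ", css_logger_line("/OFSAAI/login.jsp", "ofsaauser", finding))
```

The "keyword_only" and "chars_only" cases show why the rule is a combination: a keyword alone ("return") or punctuation alone is ordinary business input, and blocking on either by itself would be where the false positives of a keyword filter come from. The exclusion mechanism of 7.6.2 is not modelled; with this loader, a keyword is dropped simply by removing its row.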
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME
should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the
PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to
XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure
that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged
in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path
<deployed context>/logs. It contains details for date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice.
Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the
$FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication.
Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part
number of the documentation along with the chapter/section/page number (if available) and contact
Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the
document, wherein any of your concerns may have already been addressed. You can access the My Oracle
Support site, which has all the revised/recently released documents.
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 2
OFS Analytical Applications Infrastructure Security Guide
Copyright copy 2020 Oracle andor its affiliates All rights reserved
This software and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws Except as expressly
permitted in your license agreement or allowed by law you may not use copy reproduce translate
broadcast modify license transmit distribute exhibit perform publish or display any part in any
form or by any means Reverse engineering disassembly or decompilation of this software unless
required by law for interoperability is prohibited
The information contained herein is subject to change without notice and is not warranted to be error-
free If you find any errors please report them to us in writing
If this is software or related documentation that is delivered to the US Government or anyone
licensing it on behalf of the US Government then the following notice is applicable
US GOVERNMENT END USERS Oracle programs including any operating system integrated
software any programs installed on the hardware andor documentation delivered to US
Government end users are ldquocommercial computer softwarerdquo pursuant to the applicable Federal
Acquisition Regulation and agency-specific supplemental regulations As such use duplication
disclosure modification and adaptation of the programs including any operating system integrated
software any programs installed on the hardware andor documentation shall be subject to license
terms and license restrictions applicable to the programs No other rights are granted to the US
Government
This software or hardware is developed for general use in a variety of information management
applications It is not developed or intended for use in any inherently dangerous applications
including applications that may create a risk of personal injury If you use this software or hardware in
dangerous applications then you shall be responsible to take all appropriate fail-safe backup
redundancy and other measures to ensure its safe use Oracle Corporation and its affiliates disclaim
any liability for any damages caused by use of this software or hardware in dangerous applications
Oracle and Java are registered trademarks of Oracle andor its affiliates Other names may be
trademarks of their respective owners
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation All SPARC
trademarks are used under license and are trademarks or registered trademarks of SPARC
International Inc AMD Opteron the AMD logo and the AMD Opteron logo are trademarks or
registered trademarks of Advanced Micro Devices UNIX is a registered trademark of The Open Group
This software or hardware and documentation may provide access to or information about content
products and services from third parties Oracle Corporation and its affiliates are not responsible for
and expressly disclaim all warranties of any kind with respect to third-party content products and
services unless otherwise set forth in an applicable agreement between you and Oracle Oracle
Corporation and its affiliates will not be responsible for any loss costs or damages incurred due to
your access to or use of third-party content products or services except as set forth in an applicable
agreement between you and Oracle
For information on third party licenses click here
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 3
Document Control
Version Number Revision Date Change Log
Draft January 2015
Made the document generic for all releases This
document captures the necessary security related
configurations
10 April 2015 Added section 33 Configuration to restrict file uploads
for the Ngan Hang SR 3-10413030421
20 November 2015 Added section 34 based on Bug 21810721
30 December 2015 Updated Web Application Server Security Configuration
section based on Bug 22070501
40 June 2016 Added content based on Bug 23603150
50 December 2016 Rectified the broken link in the TLS Configuration for
WebLogic section
Modified the Configuration to restrict HTTP methods
other than GETPOST section based on Bug 25308546
60 June 2017 Added section lsquoConfiguring Application Securityrsquo for Bug
25957230 25990244 and 25957206
70 August 2017 Updated for Bug 26568700
80 September 2017 Removed list of filter servlet keywords and created a
MOS document
90 May 2018 Updated for security enhancements in 80600
100 August 2018 Added back Filter Servlet chapter for Doc 28542034
110 October 2018 Updated for Doc 28672747 and Doc 28771653
120 February 2019 Updated for Doc 29288736 29352320 and 29352863
130 May 2019 Added a new chapter for Secure Database Connection
140 Aug 2019 Added generic system configuration information in
Security Configurations for Doc 30204166
Added tip to configure from SSLV3 to TLSV12 in
Enabling HTTPS Configuration for OFSAA for Doc
30171443
150 Dec 2019 Updated section Configuration to set Content Security
Policy with information for validation of webxml file
(Doc 30622153)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 4
Table of Contents
1 Preface 6
11 Summary 6
12 Audience 6
121 Prerequisites for the Audience 6
13 Related Documents 6
2 Secure Configurations 8
21 Security Configurations 8
3 Secure Header Configuration 10
31 Configuration for X-Frame-Options 10
32 Configuration to set Content Security Policy 11
33 Configuration for Referrer Header Validation 12
4 Web Application Server Security Configurations 14
41 Enabling HTTPS Configuration for OFSAA 14
42 Security Configuration for Tomcat 14
43 Security Configuration for WebSphere 15
431 Session Management Secure and HttpOnly Configuration 15
432 TLS Configuration for WebSphere 18
433 Configuring Application Security 18
434 Disable Directory Listing 19
44 Security Configuration for WebLogic 19
5 Additional Security Configurations 23
51 Configuration to Restrict Access to Default Web Server Pages 23
52 Configuration to Restrict Display of the Web Server Details 24
53 Configuration to Restrict File Uploads 25
54 Configuration to restrict HTTP methods other than GETPOST 25
55 Configuration to enable unlimited cryptographic policy for Java 26
6 Secure Database Connection 27
61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) 27
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 5
7 Appendix A - Filter Servlet 28
71 Introduction 28
72 Security and Access 28
73 Vulnerability Checks 28
74 Cross Site Scripting 28
75 SQL Injection 29
76 Filter Servlet Configurations 29
761 Checking for XSS Vulnerability 29
762 Exclusion of Keywords Key Characters 29
763 DebugLogs 29
PREFACE
SUMMARY
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 6
1 Preface
This Preface provides supporting information for the Oracle Financial Services Analytical
Applications Infrastructure Security Guide and includes the following topics
Secure Configurations
Secure Header Configurations
Web Application Server Security Configurations
Additional Security Configurations
11 Summary
The information contained in this document is intended to give you a quick exposure and
an understanding of the security configurations required after the installation of Oracle
Financial Services Analytical Application Infrastructure
12 Audience
This guide is intended for System Administrators (SA) who are instrumental in installing
and performing secure configurations for OFS Analytical Applications Infrastructure It is
assumed that the SAs are technically sound and proficient in UNIX Database
Administration and Web Application Administration to install and configure OFSAAI in the
released environment
121 Prerequisites for the Audience
This document assumes that you have experience in installing Enterprise components
and basic knowledge about the following
OFS AAAI pack components
OFSAA Architecture
UNIX Commands
Database Concepts
Web serverWeb application server
13 Related Documents
This section identifies additional documents related to OFSAA Infrastructure
Oracle Financial Services Advanced Analytical Applications Infrastructure
Application Pack Installation and Configuration Guide
Oracle Financial Services Analytical Applications Environment Check Utility Guide
PREFACE
RELATED DOCUMENTS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 7
Oracle Financial Services Analytical Applications Infrastructure Administration
Guide
Oracle Financial Services Analytical Applications Infrastructure User Guide
SECURE CONFIGURATIONS
SECURITY CONFIGURATIONS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 8
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI
21 Security Configurations
To have a secure environment for OFSAA installation there are a set of configurations that need to be
accomplished The configurations are discussed in the following sections in this document For more
information see OFSAAI Administration Guide
Oracle Data Redaction ndash This is an Oracle Database Advanced Security option to enable the
protection of data It is used to mask (redact) sensitive data shown to the user in real time To
enable this option during installation see Enabling Data Redaction section in the OFSAAI
Installation and Configuration Guide To enable post installation see the Data Redaction section
in the OFSAAI Administration Guide
TDE (Transparent Data Encryption) ndash Enabling this option secures the data at rest when
stored in Oracle DB To configure TDE during installation see Transparent Data Encryption
(TDE) section in the OFSAAI Installation and Configuration Guide If you want to configure after
installation see the Transparent Data Encryption (TDE) section in the OFSAAI Administration
Guide
Key Management - OFSAA configuration schema (CONFIG) is the repository to store
passwords for users and application database schemas centrally These values are AES-256 bit
encrypted using an encryption key uniquely generated for each OFSAA instance during the
installation process The OFSAA platform provides a utility (EncryptCsh) to rotategenerate a
new encryption key if needed
The Key Management section in the OFSAAI Administration Guide explains how to generate
and store this key in a Java Key Store
NOTE Integration with any other Key management solution is out of scope of this release
File Encryption - OFSAA supports file encryption using AES-256 Bit format For more
information see the File Encryption section in the OFSAAI Administration Guide
Database Password Reset - Change the database password for config schema and atomic
schema periodically For more information see the Database Password Reset Change section
in the OFSAAI Administration Guide
Password Reset - Reset passwords for users if required For more information see the
Database Password Reset Change section in the OFSAAI Administration Guide
Enable and Disable Users - For more information see the Enable and Disable Users section in
the OFSAAI Administration Guide
SSO Authentication (SAML) Configuration - For more information see the SSO
Authentication (SAML) Configuration section in the OFSAAI Administration Guide
SECURE CONFIGURATIONS
SECURITY CONFIGURATIONS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 9
Public Key Authentication - Configure Public Key Authentication on UNIX For more
information see the Setting Up Public Key Authentication on Client Server section in the OFSAAI
Administration Guide
Data Security and Data Privacy - Configure to protect data against unauthorized access and
data theft For more information see the Data Security and Data Privacy section in the OFSAAI
Administration Guide
Input and Output Encoding - Product is enabled with input validation and output encoding to
protect from various types of security attacks
Password rotation every 30 days - For more information see the Changing Password section
in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the
OHC
Additional Cross-Origin Resource Sharing (CORS) - Configure CORS For more information
see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI
Administration Guide
System Configuration and Identity Management - Configure the following parameters from
the information in the System Configuration and Identity Management section in the relevant
version of the OFS Analytical Applications Infrastructure User Guides on the OHC
Set session timeout
Enable CSRF
Set frequency of password change
Configure password restriction details
Configure password history
Configure security questions for password reset
Configure the activation period by setting Dormant Days Inactive Days and Working Hours
SECURE HEADER CONFIGURATION
CONFIGURATION FOR X-FRAME-OPTIONS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 10
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and Clickjacking The
following subsections here describe the various methods that you can configure on your OFSAAI
system to make it secure from such attacks
Configuration for X-Frame-Options
Configuration to set Content Security Policy
Configuration for Referrer Header Validation
31 Configuration for X-Frame-Options
Configuring X-Frame-Options protect against external agencies creating attacks by embedding
content similar to your content to steal user data Perform the following steps to configure X-Frame-
Options
1 Set the following Security filters configuration for response header
webxml found in $FIC_HOMEficwebwebrootWEB-INF is by default configured to
set X-Frame-Options and header for response header Add ALLOW-FROM for X-FRAME-
OPTIONS to limit domains
X-Frame-Options
ltfiltergt
ltfilter-namegtFilterServletltfilter-namegt
ltfilter-classgtcomiflexficfiltersFilterServletltfilter-classgt
ltinit-paramgt
ltparam-namegtmodeltparam-namegt
ltparam-valuegtALLOW-FROM ltURL1gt ltURL2gtltparam-valuegt
ltinit-paramgt
ltfiltergt
NOTE If ALLOW-FROM is not configured then SAMEORIGIN attribute is set in response where URL1 and URL2 refers to the different domain URLs
X-Frame-Options is supported only on Internet Explorer browser
Separate ltURL1gt and ltURL2gt with a single space Adding the URLs without a space between them or adding two or more spaces between them results in errors Make sure that ltURLgt ends with a forward slash ()
2 Set Access-Control-Allow-Origin header in the webxml file For more information see section
Setting Access-Control-Allow-Origin header in the webxml file in the OFS AAI Administration
Guide Release 80600
SECURE HEADER CONFIGURATION
CONFIGURATION TO SET CONTENT SECURITY POLICY
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 11
32 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross
Site Scripting (XSS)
NOTE This section is applicable for release 80630 and higher versions in the 806x series and release 80710 and higher versions in the 807x series
The configurations to set Content Security Policy is supported only on Mozilla Firefox and Google Chrome browsers
Perform the following steps to configure CSP
1 Navigate to webxml found in $FIC_HOMEficwebwebrootWEB-INF
2 Search and find if the following tags exist If the tags do not exist in the webxml file then add
them to the file
ltcontext-paramgt
ltparam-namegtdefault-srcltparam-namegt
ltparam-valuegtdefault-src selfltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtscript-srcltparam-namegt
ltparam-valuegtscript-src self unsafe-inline unsafe-evalltparam-
valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtimg-srcltparam-namegt
ltparam-valuegtimg-src self dataltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtstyle-srcltparam-namegt
ltparam-valuegtstyle-src self unsafe-inlineltparam-valuegt
ltcontext-paramgt
WARNING Validate the webxml file and remove any existing duplicate tags to avoid configuration issues
If you want to maintain the default configuration retain the tags as shown in the preceding
list However if you want to custom configure the tags see the following example and
modify as required
SECURE HEADER CONFIGURATION
CONFIGURATION FOR REFERRER HEADER VALIDATION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 12
ltcontext-paramgt
ltparam-namegtdefault-srcltparam-namegt
ltparam-valuegtdefault-src selfltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtscript-srcltparam-namegt
ltparam-valuegtscript-src ltSCRURLgt self unsafe-inline unsafe-
evalltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtimg-srcltparam-namegt
ltparam-valuegtimg-src ltIMGURLgt self dataltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtstyle-srcltparam-namegt
ltparam-valuegtstyle-src ltCSSURLgt self unsafe-inlineltparam-valuegt
ltcontext-paramgt
In the previous example you have to define the policy by replacing
default-src - with no value This value sets it to self
ltSCRURLgt - with the URL of the script that you want to allow to run which will
prevent any other script from running
ltIMGURLgt - with the image URLs from trusted sources from where you want to load
images and prevent images from untrusted sources
ltCSSURLgt - with the URL of the stylesheet to allow styles from the specified
stylesheet and to prevent from others sources
33 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing validated host URLs
Perform the following steps to configure referrer header validation
1 Navigate to webxml found in $FIC_HOMEficwebwebrootWEB-INF
2 Add the following tag
ltfiltergt
ltfilter-namegtFilterServletltfilter-namegt
ltfilter-classgtcomiflexficfiltersFilterServletltfilter-classgt
ltinit-paramgt
ltparam-namegtAllowHostsltparam-namegt
ltparam-valuegt ltURL1gt ltURL2gt ltparam-valuegt
SECURE HEADER CONFIGURATION
CONFIGURATION FOR REFERRER HEADER VALIDATION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 13
ltinit-paramgt
ltfiltergt
NOTE Separate ltURL1gt and ltURL2gt with a single space Adding the URLs without a space between them or adding two or more spaces between them results in errors Make sure that ltURLgt ends with a forward slash ()
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
ENABLING HTTPS CONFIGURATION FOR OFSAA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 14
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server Alternatively
you may refer to your web application server specific administration guide for additional details
Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic
41 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default This configuration creates an
encrypted environment and functions as a secure environment for client-server communications
TIP See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC
To enable HTTPS post installation
To view configurations related to SSLv3 and TLS12
42 Security Configuration for Tomcat
Perform the following security configurations for Tomcat
1 Add preferred cipher list to Tomcat and update the value of sslProtocol to TLS 12 in the SSL
Connector tag of $CATALINA_HOMEconfserverxml file
2 Ciphers attribute can be added to Connector tag in serverxml as shown in the following
example
TIP Multiple cipher suites have to be comma-separated
For example
ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384rdquo
For more details on TLS12 supported ciphers and recommendations see the following
links
httpswwwowasporgindexphpSecuring_tomcat
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-
_Only_Support_Strong_Cryptographic_Ciphers
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 15
3 Add the following session attributes under lsquoContextrsquo tag of
$CATALINA_HOMEconfserverxml file
sessionCookiePath= ldquoltcontextgtrdquo
sessionCookieDomain= ldquoltdomaingtrdquo
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
4 Configure for secure and HttpOnly using the following procedure
a In $CATALINA_HOMEconfcontextxml file add lsquouseHttpOnly=truersquo attribute to
lsquoContextrsquo tag
b Add secure=true attribute to lsquoConnectorrsquo tag section of
$CATALINA_HOMEconfserverxml file
c Add below tags to session-config section of $CATALINA_HOMEconfwebxml file
ltcookie-configgt
lthttp-onlygttruelthttp-onlygt
ltsecuregttrueltsecuregt
ltcookie-configgt
5 Disable directory listing in $CATALINA_HOMEconfwebxml file Add the following lines to
the servlet section
ltinit-paramgt
ltparam-namegtlistingsltparam-namegt
ltparam-valuegtfalseltparam-valuegt
ltinit-paramgt
6 Post configuration restart the tomcat service
43 Security Configuration for WebSphere
In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Sessions
Management Configuration specify JSESSIONID variable in the Web Container Settings set TLS
configuration and configure application security The subsections describe the procedures in detail
431 Session Management Secure and HttpOnly Configuration
In Session Management Configuration restrict cookies to HTTPS Sessions
Perform the following procedure for session management configuration
1 Navigate to your WebSphere Admin Console and in the LHS menu select Server gt Server
Types gt WebSphere application servers
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 16
2. Select the configured Application Server from the list by clicking the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
   Cookie Name - JSESSIONID
   Cookie domain - <domain>
   Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   Restrict Cookies to HTTPS Sessions
   Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
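The OWASP rule linked above comes down to two properties of a cipher suite: forward secrecy (ECDHE key exchange) and an AEAD cipher (AES-GCM). The following is an added example, not IBM or Oracle tooling, that classifies suites by their IANA names so a list taken from the QoP settings here, or from the WebLogic config.xml ciphersuite step later in this chapter, can be audited before deployment. The suite list in demo() is constructed for illustration; strict_client_context() builds a Python client context with the same policy for testing a server from the client side, as the guide suggests doing from a browser.

```python
"""Cipher-suite policy check for the TLS settings in this chapter.
Added example, not Oracle or IBM code. Accepts only ECDHE + AES-GCM suites
(forward secrecy + AEAD) and the TLS 1.3 suites; the list in demo() is constructed."""
import re
import ssl

# IANA names look like TLS_<key exchange>_WITH_<cipher>_<hash>.
STRONG_TLS12 = re.compile(r"^TLS_ECDHE_(RSA|ECDSA)_WITH_AES_(128|256)_GCM_SHA(256|384)$")
# TLS 1.3 suites carry no key-exchange part; all of them are AEAD with forward secrecy.
TLS13 = re.compile(r"^TLS_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256)$")


def weakness(suite):
    """Return None when the suite is acceptable, otherwise the reason to drop it."""
    if STRONG_TLS12.match(suite) or TLS13.match(suite):
        return None
    if "_NULL_" in suite:
        return "no encryption"
    if "_RC4_" in suite or "_3DES_" in suite or "_DES_" in suite:
        return "broken or legacy cipher"
    if not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        return "no forward secrecy"
    if "_CBC_" in suite:
        return "CBC mode, not AEAD"
    return "not in the approved set"


def audit(suites):
    """Map every unacceptable suite in the list to its reason."""
    return {s: weakness(s) for s in suites if weakness(s) is not None}


def strict_client_context():
    """Client context that mirrors the server policy: TLS 1.2 minimum and
    only ECDHE + AES-GCM suites offered (OpenSSL cipher string syntax)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


def demo():
    # Constructed list: the suite from the WebLogic example plus typical weak ones.
    configured = [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_NULL_SHA",
    ]
    return audit(configured)


if __name__ == "__main__":
    for suite, reason in demo().items():
        print(f"drop {suite}: {reason}")
```

The order of the checks matters only for the reason reported: a suite that is both RSA-keyed and CBC is reported for the missing forward secrecy first, since that is the property that cannot be fixed by a mode change. Browsers and the WebSphere QoP list both use IANA names, so the same function applies to either source.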
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the .ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and resave the change.
6. Configure the session cookie as Secure and HttpOnly:
   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>
   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:
      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>
      For more information, see
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
   <index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the .ear file and deploy it onto the WebLogic server.
10. Restart services.
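The Tomcat, WebSphere and WebLogic procedures in this chapter all aim at the same result: a JSESSIONID cookie flagged Secure and HttpOnly, with Domain set to the exact host and Path to the OFSAAI context. The following added check, not part of this guide, reads Set-Cookie headers and reports every deviation from that target, so the outcome can be verified after the restart regardless of which application server was configured. The header strings in demo() are constructed; fetch_set_cookies() is an optional helper for checking a live URL of your choice and is not exercised offline.

```python
"""Verify the session-cookie attributes configured in chapter 4.
Added example, not Oracle code; sample headers are constructed."""
from http.cookies import SimpleCookie
import urllib.request


def session_cookie_findings(set_cookie_headers, expected_domain, expected_path,
                            cookie_name="JSESSIONID"):
    """Return the list of problems found ([] = cookie configured as required)."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if cookie_name not in jar:
            continue
        seen = True
        morsel = jar[cookie_name]
        if not morsel["secure"]:
            findings.append("missing Secure: the cookie would also be sent over plain HTTP")
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: the cookie is readable from page script")
        domain = morsel["domain"].lstrip(".").lower()
        if domain != expected_domain.lower():
            findings.append(f"Domain is '{morsel['domain']}', expected '{expected_domain}' "
                            "(a parent domain shares the cookie with every sibling host)")
        if morsel["path"] != expected_path:
            findings.append(f"Path is '{morsel['path']}', expected '{expected_path}'")
    if not seen:
        findings.append(f"no {cookie_name} cookie was set")
    return findings


def fetch_set_cookies(url):
    """Fetch one response and return its Set-Cookie headers (live check, not run in demo())."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


def demo():
    """Constructed headers: one meeting the guide's requirements, one that does not."""
    good = ["JSESSIONID=0123456789ABCDEF; Path=/OFSAAI; Domain=app.mysite.com; Secure; HttpOnly"]
    bad = ["JSESSIONID=0123456789ABCDEF; Path=/OFSAAI; Domain=mysite.com"]
    return (session_cookie_findings(good, "app.mysite.com", "/OFSAAI"),
            session_cookie_findings(bad, "app.mysite.com", "/OFSAAI"))


if __name__ == "__main__":
    ok, problems = demo()
    print("good cookie:", ok or "no findings")
    for p in problems:
        print("bad cookie:", p)
```

Run it against the login page response, since that is where the session cookie is first issued. The Domain comparison strips a leading dot so that both the RFC 6265 form and the older dotted form of the exact host pass, while a parent domain such as mysite.com is reported, which is precisely the case the NOTE in this chapter warns about.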
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
   Configuration to Restrict Access to Default Web Server Pages
   Configuration to Restrict Display of the Web Server Details
   Configuration to Restrict File Uploads
   Configuration to restrict HTTP methods other than GET/POST
   Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):
   Section I
   <Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger"
             prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity"
          home="com.wombat.empl.EmployeeRecordHome"
          remote="com.wombat.empl.EmployeeRecord"/>
   Section II
     <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
     <Parameter name="context.param.name" value="context.param.value" override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
   </Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
   <welcome-file>index.htm</welcome-file>
   <welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
   Following are some examples:
   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
   the "ServerTokens" parameter to "Prod"
   the "ServerSignature" parameter to "off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/Apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the following values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
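An extension allow-list is only as good as the way the extension is extracted from the submitted name. The following is an added example, not OFSAA code, of the decision DOCUMENT_ALLOWED_EXTENSION describes, written to handle the inputs a naive suffix check gets wrong: mixed case, a path prefix from a Windows client, a trailing dot, a dotfile with no real extension, and double extensions. The allowed set is a constructed Python copy of the guide's values in lower case; the product reads its list from the CONFIGURATION table.

```python
"""Extension allow-list check in the spirit of DOCUMENT_ALLOWED_EXTENSION.
Added example, not OFSAA code; ALLOWED_EXTENSIONS is a constructed copy of the
guide's list, lower-cased (so 'doc' and 'Doc' collapse into one entry)."""
from pathlib import PurePosixPath

ALLOWED_EXTENSIONS = {"txt", "pdf", "doc", "html", "htm", "xls", "zip",
                      "jar", "xml", "jpg", "bmp", "jpeg"}


def final_extension(filename):
    """Lower-cased extension after the last dot of the bare file name, or ''."""
    name = PurePosixPath(filename.replace("\\", "/")).name   # drop any directory part
    name = name.rstrip(". ")                                  # 'notes.pdf.' -> 'notes.pdf'
    if "." not in name:
        return ""
    stem, ext = name.rsplit(".", 1)
    if not stem:                                               # '.htaccess' has no extension
        return ""
    return ext.lower()


def is_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """True only when the final extension is non-empty and on the allow-list."""
    ext = final_extension(filename)
    return bool(ext) and ext in allowed


def demo():
    """Constructed file names; returns {name: decision}."""
    names = ["Report.PDF", "notes.pdf.", "C:\\Users\\me\\notes.txt", ".htaccess",
             "archive.tar.gz", "shell.jsp", "README"]
    return {n: is_allowed(n) for n in names}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow' if ok else 'block'}  {name}")
```

The decision is made on the final extension only, so a name like report.jsp.txt is accepted as a text file; the content type and, where the file is later served back, the storage location outside the web root still need their own controls. Entries such as jar and html are active content in some contexts and are worth reviewing against what the application actually needs, which the guide's note that the list is extensible also allows in the other direction.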
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>
   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
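The two mechanisms in this section behave differently: the rewrite rule refuses every method that is not GET or POST, whereas the web.xml constraint refuses only the methods it lists. The following added example, not OFSAA code, evaluates the security-constraint from step 2a the way a servlet container does (a constraint applies when the path matches a url-pattern and the method is listed; an empty <auth-constraint/> then denies everyone), so the methods it leaves reachable can be enumerated. WEB_XML is a constructed copy of the snippet above.

```python
"""Evaluate the step 2a security-constraint as a servlet container would.
Added example, not OFSAA code; WEB_XML is constructed from the snippet above."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern matching: path prefix, extension, exact, or default."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/" or path == pattern


def load_constraints(web_xml):
    """Return [(url_patterns, methods, roles)]; roles is None when there is no
    auth-constraint element and [] for an empty one (deny everyone)."""
    constraints = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns, methods = [], set()
        for col in sc.findall("web-resource-collection"):
            patterns += [p.text.strip() for p in col.findall("url-pattern")]
            methods |= {m.text.strip().upper() for m in col.findall("http-method")}
        auth = sc.find("auth-constraint")
        roles = None if auth is None else [r.text.strip() for r in auth.findall("role-name")]
        constraints.append((patterns, methods, roles))
    return constraints


def decision(constraints, method, path):
    """'deny', 'allow', or 'roles:<list>' when authentication and a role are required."""
    for patterns, methods, roles in constraints:
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        if methods and method.upper() not in methods:
            continue                      # method not covered by this constraint
        if roles is None:
            return "allow"
        return "deny" if not roles else "roles:" + ",".join(roles)
    return "allow"


def uncovered_methods(constraints, path, candidates=("GET", "POST", "PUT", "DELETE",
                                                      "TRACE", "PROPFIND", "FOO")):
    """Methods the constraints leave reachable for the given path (candidates are constructed)."""
    return [m for m in candidates if decision(constraints, m, path) == "allow"]


if __name__ == "__main__":
    c = load_constraints(WEB_XML)
    print("reachable on /OFSAAI/x:", uncovered_methods(c, "/OFSAAI/x"))
```

Unlisted verbs such as PROPFIND, or an arbitrary one, fall through the constraint and reach the application. Where an HTTP Server fronts the application (step 1) the rewrite rule already refuses them; in the no-HTTP-Server case of step 2, Servlet 3.1 containers accept a <deny-uncovered-http-methods/> element directly under <web-app> that refuses every method a constraint does not cover, which turns the list into an allow-list of GET and POST.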
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
   Negotiating a cipher suite for encryption, data integrity and authentication
   Authenticating the client by validating its certificate
   Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
   Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for the following groups of keywords/key characters:
   JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
   JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
   SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
   SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
   SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
   SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars, such as " ' ( ) < > and the others listed in the MOS document), then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords/Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
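Sections 7.4 and 7.5 describe the same mechanism twice: a request is blocked only when a term from one list appears together with a term from its partner list. The following added example, not the product's code, models both combination checks so their behaviour on sample traffic can be seen, including a benign sentence that contains a keyword without a partner term and therefore passes. The word sets are only the illustrative ones quoted in those sections, not the full XSS_JS_*/XSS_SQL_* set from the CONFIGURATION table and the MOS document; the query strings in demo() are constructed.

```python
"""Model of the Filter Servlet's keyword-combination checks (sections 7.4, 7.5).
Added example, not OFSAA code; word lists are the guide's illustrative ones
and the sample requests are constructed."""
import re
from urllib.parse import unquote_plus

JS_KEYWORDS = {"return", "alert", "script", "javascript", "vbscript"}
JS_METACHARS = set("\"'()<>")          # the meta characters the guide quotes
SQL_WORDS = {"from", "into", "where", "table"}
SQL_KEYWORDS = {"alter", "insert", "select", "create", "update", "delete", "drop", "truncate"}


def check_request(query_string):
    """Return the checks that fire for a URL-encoded query string ([] = passes)."""
    decoded = unquote_plus(query_string).lower()   # the filter sees the decoded request
    words = set(re.findall(r"[a-z]+", decoded))
    fired = []
    # XSS: a JavaScript keyword together with at least one meta character.
    if words & JS_KEYWORDS and any(ch in decoded for ch in JS_METACHARS):
        fired.append("xss")
    # SQL injection: an SQL word together with an SQL keyword.
    if words & SQL_WORDS and words & SQL_KEYWORDS:
        fired.append("sqli")
    return fired


def demo():
    """Constructed requests: a script probe, a query probe, and a benign sentence
    that contains 'return' and 'table' but no partner term from the other list."""
    samples = [
        "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
        "q=1%27+union+select+password+from+users",
        "comment=Please+return+the+table+by+Friday",
    ]
    return {q: check_request(q) for q in samples}


if __name__ == "__main__":
    for query, fired in demo().items():
        print(f"{fired or 'pass':<16} {query}")
```

Because the rule needs both halves of a pair, the third request passes even though "return" is a listed keyword; section 7.6.2 exists for the cases where a legitimate word still trips the check. A keyword filter of this kind is a blocklist: it complements, and does not replace, the parameterised queries and output encoding referred to under Input and Output Encoding in section 2.1, and the hits it records in CSSLogger.log (section 7.6.3) are the signal to review.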
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
   Did you find any errors?
   Is the information clearly presented?
   Do you need more information? If so, where?
   Are the examples correct? Do you need more examples?
   What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
Document Control
Version Number   Revision Date    Change Log
Draft            January 2015     Made the document generic for all releases. This document captures the necessary security related configurations.
1.0              April 2015       Added section 3.3, Configuration to restrict file uploads, for the Ngan Hang SR 3-10413030421.
2.0              November 2015    Added section 3.4 based on Bug 21810721.
3.0              December 2015    Updated the Web Application Server Security Configuration section based on Bug 22070501.
4.0              June 2016        Added content based on Bug 23603150.
5.0              December 2016    Rectified the broken link in the TLS Configuration for WebLogic section. Modified the Configuration to restrict HTTP methods other than GET/POST section based on Bug 25308546.
6.0              June 2017        Added section 'Configuring Application Security' for Bugs 25957230, 25990244 and 25957206.
7.0              August 2017      Updated for Bug 26568700.
8.0              September 2017   Removed the list of filter servlet keywords and created a MOS document.
9.0              May 2018         Updated for security enhancements in 8.0.6.0.0.
10.0             August 2018      Added back the Filter Servlet chapter for Doc 28542034.
11.0             October 2018     Updated for Doc 28672747 and Doc 28771653.
12.0             February 2019    Updated for Doc 29288736, 29352320 and 29352863.
13.0             May 2019         Added a new chapter for Secure Database Connection.
14.0             Aug 2019         Added generic system configuration information in Security Configurations for Doc 30204166. Added a tip to configure from SSLv3 to TLSv1.2 in Enabling HTTPS Configuration for OFSAA for Doc 30171443.
15.0             Dec 2019         Updated section Configuration to set Content Security Policy with information for validation of the web.xml file (Doc 30622153).
Table of Contents
1 Preface 6
1.1 Summary 6
1.2 Audience 6
1.2.1 Prerequisites for the Audience 6
1.3 Related Documents 6
2 Secure Configurations 8
2.1 Security Configurations 8
3 Secure Header Configuration 10
3.1 Configuration for X-Frame-Options 10
3.2 Configuration to set Content Security Policy 11
3.3 Configuration for Referrer Header Validation 12
4 Web Application Server Security Configurations 14
4.1 Enabling HTTPS Configuration for OFSAA 14
4.2 Security Configuration for Tomcat 14
4.3 Security Configuration for WebSphere 15
4.3.1 Session Management Secure and HttpOnly Configuration 15
4.3.2 TLS Configuration for WebSphere 18
4.3.3 Configuring Application Security 18
4.3.4 Disable Directory Listing 19
4.4 Security Configuration for WebLogic 19
5 Additional Security Configurations 23
5.1 Configuration to Restrict Access to Default Web Server Pages 23
5.2 Configuration to Restrict Display of the Web Server Details 24
5.3 Configuration to Restrict File Uploads 25
5.4 Configuration to restrict HTTP methods other than GET/POST 25
5.5 Configuration to enable unlimited cryptographic policy for Java 26
6 Secure Database Connection 27
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) 27
7 Appendix A - Filter Servlet 28
7.1 Introduction 28
7.2 Security and Access 28
7.3 Vulnerability Checks 28
7.4 Cross Site Scripting 28
7.5 SQL Injection 29
7.6 Filter Servlet Configurations 29
7.6.1 Checking for XSS Vulnerability 29
7.6.2 Exclusion of Keywords/Key Characters 29
7.6.3 Debug Logs 29
1 Preface
This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:
   Secure Configurations
   Secure Header Configurations
   Web Application Server Security Configurations
   Additional Security Configurations
1.1 Summary
The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.
1.2 Audience
This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration to install and configure OFSAAI in the released environment.
1.2.1 Prerequisites for the Audience
This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:
   OFS AAAI pack components
   OFSAA Architecture
   UNIX Commands
   Database Concepts
   Web server/Web application server
1.3 Related Documents
This section identifies additional documents related to OFSAA Infrastructure:
   Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
   Oracle Financial Services Analytical Applications Environment Check Utility Guide
   Oracle Financial Services Analytical Applications Infrastructure Administration Guide
   Oracle Financial Services Analytical Applications Infrastructure User Guide
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.
2.1 Security Configurations
To have a secure environment for the OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.
   Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.
   TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in the Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
   Key Management - The OFSAA configuration schema (CONFIG) is the repository that stores passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.
   The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.
   NOTE: Integration with any other Key Management solution is out of scope for this release.
   File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.
   Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
   Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
   Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
   SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
   Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
   Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the O FSAAI Administration Guide.
   Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.
   Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
   Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
   System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
      Set session timeout
      Enable CSRF
      Set frequency of password change
      Configure password restriction details
      Configure password history
      Configure security questions for password reset
      Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:
   Configuration for X-Frame-Options
   Configuration to set Content Security Policy
   Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following Security filters configuration for the response header.
   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options header on the response. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains:
   X-Frame-Options
   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>mode</param-name>
       <param-value>ALLOW-FROM <URL1> <URL2></param-value>
     </init-param>
   </filter>
NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. URL1 and URL2 refer to the different domain URLs.
X-Frame-Options is supported only on the Internet Explorer browser.
Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross-Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search and find whether the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:
<context-param>
<param-name>default-src</param-name>
<param-value>default-src 'self'</param-value>
</context-param>
<context-param>
<param-name>script-src</param-name>
<param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
<param-name>img-src</param-name>
<param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
<param-name>style-src</param-name>
<param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the preceding example, define the policy by replacing:
default-src - add no further value. This keeps it at 'self', so any resource type not covered by a more specific directive may be loaded only from the application's own origin.
<SCRURL> - with the origin of the scripts that you want to allow to run. Scripts from any other origin are blocked.
<IMGURL> - with the trusted origins from which images may be loaded. Images from untrusted origins are blocked.
<CSSURL> - with the origin of the stylesheets to allow. Styles from other origins are blocked.
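The following Python script is an added example, not part of this guide or of the OFSAAI product. It reads CSP context-params of the form shown above from a constructed web.xml fragment, assembles the Content-Security-Policy header value they describe, and flags sources that weaken the policy. The origins cdn.example.com and images.example.com are hypothetical stand-ins for <SCRURL>, <IMGURL> and <CSSURL>, and the audit rules are the example's own.

```python
"""Assemble and audit a Content-Security-Policy header from OFSAAI-style
web.xml context-params.  Added example, not OFSAAI code: the context-param
names (default-src, script-src, img-src, style-src) follow section 3.2; the
constructed web.xml fragment and the audit rules are this example's own."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the custom example in section 3.2, with the
# placeholders filled in with hypothetical origins.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src https://cdn.example.com 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src https://images.example.com 'self' data:</param-value>
  </context-param>
  <context-param>
    <param-name>style-src</param-name>
    <param-value>style-src https://cdn.example.com 'self' 'unsafe-inline'</param-value>
  </context-param>
</web-app>
"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")


def read_directives(web_xml: str) -> dict:
    """Return {directive: [sources]} for the CSP context-params in web.xml.
    A duplicate context-param for one directive raises, because section 3.2
    warns that duplicate tags cause configuration issues."""
    root = ET.fromstring(web_xml)
    directives = {}
    for cp in root.iter("context-param"):
        name = cp.findtext("param-name", "").strip()
        if name not in CSP_DIRECTIVES:
            continue
        if name in directives:
            raise ValueError(f"duplicate context-param for {name}")
        tokens = cp.findtext("param-value", "").split()
        # The param-value repeats the directive name as its first token.
        if not tokens or tokens[0] != name:
            raise ValueError(f"param-value for {name} must start with '{name}'")
        directives[name] = tokens[1:]
    return directives


def build_header(directives: dict) -> str:
    """Serialise the directives as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in directives.items())


def audit(directives: dict) -> list:
    """Flag sources that weaken the policy: 'unsafe-inline'/'unsafe-eval' on
    script-src let injected scripts run, wildcards or bare schemes admit any
    origin, and a missing default-src leaves uncovered fetches unrestricted."""
    findings = []
    if "default-src" not in directives:
        findings.append("default-src missing: unlisted resource types are unrestricted")
    for name, srcs in directives.items():
        for src in srcs:
            if name == "script-src" and src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name} allows {src}: CSP will not stop injected scripts")
            if src in ("*", "http:", "https:") or src.startswith("http://"):
                findings.append(f"{name} allows {src}: any origin (or cleartext) may serve content")
    return findings


if __name__ == "__main__":
    d = read_directives(SAMPLE_WEB_XML)
    print("Content-Security-Policy:", build_header(d))
    for f in audit(d):
        print("WARNING:", f)
```

Run it against a copy of your own web.xml to see the exact header value the configuration produces; any WARNING line is a source worth justifying before go-live.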
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by accepting only requests whose Referer header points to one of the configured allowed hosts. Because a browser may omit the Referer header (privacy settings, proxies, or a referrer policy on the originating page), treat this check as defense in depth alongside the Enable CSRF setting described in section 2.1 rather than as the sole CSRF control.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
<filter>
<filter-name>FilterServlet</filter-name>
<filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
<init-param>
<param-name>AllowHosts</param-name>
<param-value><URL1> <URL2></param-value>
</init-param>
</filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
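As an added example (not the FilterServlet source), the following Python shows the kind of Referer check this configuration performs and why the header must be compared by parsed origin rather than by text prefix. The AllowHosts value, the host names, and the decision to reject a request with no Referer header are this example's assumptions.

```python
"""Referer allow-host check of the kind section 3.3 configures with the
FilterServlet AllowHosts parameter.  Added example, not OFSAAI code: the
matching rules here (scheme, host and port must all match an allowed URL;
a missing Referer is rejected) are this example's assumptions, and the
hostnames are constructed."""
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical AllowHosts value, written exactly as the web.xml expects:
# single-space separated, each URL ending in a forward slash.
ALLOW_HOSTS = "https://app.mysite.com/ https://reports.mysite.com:8443/"


def parse_allow_hosts(value: str) -> list:
    """Split the AllowHosts parameter into (scheme, host, port) tuples, enforcing
    the formatting rules from the NOTE in section 3.3."""
    if value != value.strip() or "  " in value:
        raise ValueError("AllowHosts entries must be separated by exactly one space")
    origins = []
    for url in value.split(" "):
        if not url.endswith("/"):
            raise ValueError(f"{url} must end with a forward slash")
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"{url} is not an absolute http(s) URL")
        port = parts.port or (443 if parts.scheme == "https" else 80)
        origins.append((parts.scheme, parts.hostname.lower(), port))
    return origins


def referer_allowed(referer: Optional[str], allowed: list) -> bool:
    """True only when the Referer header names one of the allowed origins.
    Comparing parsed components (not string prefixes) means that
    https://app.mysite.com.evil.example/ and https://app.mysite.com@evil.example/
    are rejected even though both contain the allowed host as text."""
    if not referer:
        return False  # no Referer: origin cannot be established, so reject
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port in the header
        return False
    return (parts.scheme, parts.hostname.lower(), port) in allowed


if __name__ == "__main__":
    allowed = parse_allow_hosts(ALLOW_HOSTS)
    for ref in ("https://app.mysite.com/fic/login.jsp",
                "https://app.mysite.com.evil.example/",
                "https://app.mysite.com@evil.example/",
                None):
        print(ref, "->", "allow" if referer_allowed(ref, allowed) else "block")
```

The scheme is part of the comparison on purpose: an allowed https URL does not authorise a request whose Referer says http, which would indicate the page was served in cleartext.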
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server's own administration guide for additional details:
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration encrypts client-server communications, protecting the session cookie and credentials in transit.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC for:
- how to enable HTTPS post installation
- the configurations related to SSLv3 and TLS 1.2 (SSLv3 must remain disabled; it is broken by the POODLE attack)
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and restrict the protocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file. The sslProtocol attribute only selects the JSSE SSLContext algorithm; the versions actually offered during the handshake are controlled by sslEnabledProtocols, so set sslEnabledProtocols="TLSv1.2" to exclude older versions.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites must be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the Context tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com. Scoping the cookie to the exact host and context keeps the session cookie from being sent to other hosts under mysite.com or to other applications on the same server.
4. Configure the Secure and HttpOnly cookie flags using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the Context tag.
b. Add the secure="true" attribute to the Connector tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the default servlet section:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
6. After configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://<host>:<adminport>/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, whether the web server acts as a server (inbound) or as a client (outbound), SSL connections are established through the TLSv1.2 protocol. When testing from a browser, check the browser settings so that it initiates TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, that is, directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not marked secure. To ensure this, toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You then need to create a weblogic.xml file and deploy the EAR file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configuration tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and save the change again.
6. Configure the session cookie Secure and HttpOnly flags:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-domain><domain></cookie-domain>
<cookie-path><context></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-domain><domain></cookie-domain>
<cookie-path><context></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
<name><servername></name>
<enabled>true</enabled>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see:
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
9. Build the EAR file and deploy it onto the WebLogic server.
10. Restart the services.
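To confirm that the cookie and header settings from sections 4.2 to 4.4 actually reach the browser, capture a response from the login page (for example with curl -i) and inspect it. The following Python audit is an added example, not OFSAAI code; the two responses are constructed to show a default and a hardened server, and app.mysite.com and /OFSAAI are hypothetical values standing in for <domain> and <context>.

```python
"""Audit a captured HTTP response for the hardening that chapter 4 configures
(Secure/HttpOnly JSESSIONID scoped to the exact host and context), that
chapter 3 adds (X-Frame-Options / Content-Security-Policy) and that section
5.2 asks for (no server version banner).  Added example, not OFSAAI code; the
two responses are constructed and the expected domain/context are
hypothetical values for <domain> and <context>."""

EXPECTED_DOMAIN = "app.mysite.com"   # stands in for <domain>
EXPECTED_PATH = "/OFSAAI"            # stands in for <context>

# Constructed response from a server before the chapter 4 steps were applied.
BEFORE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/
Content-Type: text/html;charset=UTF-8
"""

# Constructed response after applying sections 3.1, 3.2, 4.2 and 5.2.
AFTER = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/OFSAAI; Domain=app.mysite.com; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'
Content-Type: text/html;charset=UTF-8
"""


def parse_headers(raw: str) -> list:
    """Return [(name_lower, value)] for the header lines after the status line."""
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_set_cookie(value: str) -> dict:
    """Split a Set-Cookie value into the cookie name and its attributes (lower-cased keys)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v
    return {"name": name, "attrs": attrs}


def audit_response(raw: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []
    for n, v in headers:
        if n == "set-cookie":
            c = parse_set_cookie(v)
            if c["name"] != "JSESSIONID":
                continue
            a = c["attrs"]
            if "secure" not in a:
                findings.append("JSESSIONID lacks Secure: sent over plain HTTP")
            if "httponly" not in a:
                findings.append("JSESSIONID lacks HttpOnly: readable by injected script")
            if a.get("path") != EXPECTED_PATH:
                findings.append(f"JSESSIONID Path is {a.get('path')!r}, expected {EXPECTED_PATH!r}")
            # A cookie without Domain is host-only, which is fine; a Domain that
            # is broader than the configured host is the problem the NOTE warns about.
            dom = a.get("domain")
            if dom is not None and dom.lstrip(".").lower() != EXPECTED_DOMAIN:
                findings.append(f"JSESSIONID Domain is {dom!r}, expected {EXPECTED_DOMAIN!r}")
        elif n == "server" and "/" in v:
            findings.append(f"Server header reveals a version: {v}")
    if "x-frame-options" not in names and "content-security-policy" not in names:
        findings.append("neither X-Frame-Options nor Content-Security-Policy set: clickjacking possible")
    return findings


if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(resp) or ["all checks passed"])
```

Paste the headers of a real capture into a string and call audit_response on it; an empty result means the session cookie is flagged Secure and HttpOnly, scoped to the configured path and host, framing is controlled, and the server banner carries no version.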
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in $CATALINA_HOME/conf/server.xml (if present; they appear in the sample server.xml shipped with older Tomcat releases):
Section I
<Context path="/examples" docBase="examples" debug="0"
reloadable="true" crossContext="true">
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="localhost_examples_log." suffix=".txt"
timestamp="true"/>
<Ejb name="ejb/EmplRecord" type="Entity"
home="com.wombat.empl.EmployeeRecordHome"
remote="com.wombat.empl.EmployeeRecord"/>
Section II
<Environment name="maxExemptions" type="java.lang.Integer"
value="15"/>
<Parameter name="context.param.name" value="context.param.value"
override="false"/>
<Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/EmployeeAppDb">
<parameter><name>user</name><value>sa</value></parameter>
<parameter><name>password</name><value></value></parameter>
<parameter><name>driverClassName</name>
<value>org.hsql.jdbcDriver</value></parameter>
<parameter><name>driverName</name>
<value>jdbc:HypersonicSQL:database</value></parameter>
</ResourceParams>
<Resource name="mail/Session" auth="Container"
type="javax.mail.Session"/>
<ResourceParams name="mail/Session">
<parameter>
<name>mail.smtp.host</name>
<value>localhost</value>
</parameter>
</ResourceParams>
<ResourceLink name="linkToGlobalResource"
global="simpleValue"
type="java.lang.Integer"/>
</Context>
6. Delete the $CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file $CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the $CATALINA_HOME/conf/web.xml file:
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the $CATALINA_HOME/conf/tomcat-users.xml file. The values below are placeholders only: use strong, unique passwords, and remove any user or role that is not needed (in particular the manager and admin roles on a production server, unless the Manager application is actually used there).
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details (product name and version) in HTTP responses and server-generated error pages. Modify the httpd.conf file and set:
the ServerTokens directive to Prod
the ServerSignature directive to Off
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached whose extension is not listed in this parameter value is blocked. The current release has the following values set for the parameter. This list is extensible:
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
Review this list against your own requirements before go-live. An extension check does not inspect file content, and active types such as html, htm and jar are commonly removed from upload allow-lists: a downloaded html file opens in the browser, and a jar is executable.
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>HEAD</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>CONNECT</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
The empty <auth-constraint/> denies the listed methods to every caller. Note that this constraint blocks only the methods it names, so any method not listed remains allowed. On a Servlet 3.0 or later container the same intent can be expressed as deny-everything-except by replacing the <http-method> elements with <http-method-omission>GET</http-method-omission> and <http-method-omission>POST</http-method-omission>.
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its Standard Edition (since 12c). The Secure Sockets Layer (SSL) protocol, and its successor TLS, provide network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
- Negotiating a cipher suite for encryption, data integrity and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. It also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently the check covers the following groups of keywords and key characters, each stored as numbered PARAMNAME entries in the CONFIGURATION table:
JavascriptKeyWords - XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) together with any of the JavascriptKeyChars (meta characters, such as ", ', (, ), < or >), then the request is blocked and an error message is displayed.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate), then the request is blocked and an error message is displayed.
Keyword filtering of this kind is a coarse, defense-in-depth measure: it can be bypassed by encodings it does not normalize, and it can reject legitimate input that happens to contain these words. It complements, rather than replaces, parameterized queries and the input validation and output encoding described in section 2.1.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the CONFIGURATION table present in the Configuration Schema. The cross-site checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME: XSS_IS_CHECK_REQUIRED
PARAMVALUE: TRUE
DESCRIPTION: Parameter to decide whether the XSS check is to be enabled or not
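As an added example (not the FilterServlet implementation), the following Python reproduces the checks described in sections 7.4, 7.5 and 7.6.1: it loads the numbered PARAMNAME groups from a constructed CONFIGURATION table, honors XSS_IS_CHECK_REQUIRED, and blocks a request only when a keyword appears together with a member of its partner group. The keyword lists are the examples quoted in the text, not the full list from the My Oracle Support document, and the whole-word, case-insensitive matching is the example's own assumption.

```python
"""The combination checks that Appendix A describes: a request is blocked when
it pairs a JavaScript keyword with a JavaScript meta character (7.4) or a SQL
word with a SQL keyword (7.5), and the whole check is switched by
XSS_IS_CHECK_REQUIRED (7.6.1).  Added example, not the FilterServlet source:
the CONFIGURATION rows below are constructed from the examples the text gives,
not the full list in the My Oracle Support document, and the matching
semantics (case-insensitive, whole-word for keywords) are this example's."""
import re

# Constructed CONFIGURATION rows, keyed by PARAMNAME as section 7.3 describes.
CONFIGURATION = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'",
    "XSS_JS_METACHARS3": "(", "XSS_JS_METACHARS4": ")",
    "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select", "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
}


def load_group(config: dict, prefix: str) -> list:
    """Collect PARAMVALUEs for PARAMNAMEs of the form <prefix><n>, in numeric order."""
    rows = [(int(k[len(prefix):]), v) for k, v in config.items()
            if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return [v for _, v in sorted(rows)]


def _has_word(text: str, words: list) -> bool:
    """Whole-word, case-insensitive match of any keyword in the text."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE) for w in words)


def check_request(params: dict, config: dict = CONFIGURATION) -> list:
    """Return the sorted list of violations ('SQLI' and/or 'XSS') found across
    all request parameter values; an empty list means the request may proceed."""
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return []
    js_words = load_group(config, "XSS_JS_KEYWORDS")
    js_chars = load_group(config, "XSS_JS_METACHARS")
    sql_keywords = load_group(config, "XSS_SQL_KEYWORDS")
    sql_words = load_group(config, "XSS_SQL_WORDS")
    violations = set()
    for value in params.values():
        # 7.4: a JS keyword on its own is allowed; keyword plus meta character is not.
        if _has_word(value, js_words) and any(c in value for c in js_chars):
            violations.add("XSS")
        # 7.5: a SQL keyword on its own is allowed; keyword plus SQL word is not.
        if _has_word(value, sql_keywords) and _has_word(value, sql_words):
            violations.add("SQLI")
    return sorted(violations)


if __name__ == "__main__":
    # Constructed request parameters: one payload of each kind plus benign text
    # showing that a keyword without its partner group is not blocked.
    for name, req in (
        ("xss", {"comment": "<script>alert(1)</script>"}),
        ("sqli", {"id": "1; DROP TABLE users"}),
        ("benign", {"note": "please return the signed form; select ok"}),
    ):
        print(name, "->", check_request(req) or "allowed")
```

The benign case is the one to study: "return" and "select" both appear, but neither is paired with a meta character or a SQL word, so the request passes. That pairing rule is why the exclusion procedure in section 7.6.2 exists: removing a single keyword that collides with legitimate business vocabulary is preferable to disabling the whole check.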
7.6.2 Exclusion of Keywords / Key Characters
You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and an optional DESCRIPTION to the CONFIGURATION table. The ending numeral in the new PARAMNAME must be higher than any other number in the group.
For example, to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, update the keyword numeral to XSS_JS_KEYWORDS12, given that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It records the date, time, URL and user, which is the record to forward to your SIEM if you want to alert on repeated blocked requests from one user or source.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
Table of Contents
1 Preface
1.1 Summary
1.2 Audience
1.2.1 Prerequisites for the Audience
1.3 Related Documents
2 Secure Configurations
2.1 Security Configurations
3 Secure Header Configuration
3.1 Configuration for X-Frame-Options
3.2 Configuration to set Content Security Policy
3.3 Configuration for Referrer Header Validation
4 Web Application Server Security Configurations
4.1 Enabling HTTPS Configuration for OFSAA
4.2 Security Configuration for Tomcat
4.3 Security Configuration for WebSphere
4.3.1 Session Management Secure and HttpOnly Configuration
4.3.2 TLS Configuration for WebSphere
4.3.3 Configuring Application Security
4.3.4 Disable Directory Listing
4.4 Security Configuration for WebLogic
5 Additional Security Configurations
5.1 Configuration to Restrict Access to Default Web Server Pages
5.2 Configuration to Restrict Display of the Web Server Details
5.3 Configuration to Restrict File Uploads
5.4 Configuration to restrict HTTP methods other than GET/POST
5.5 Configuration to enable unlimited cryptographic policy for Java
6 Secure Database Connection
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
7 Appendix A - Filter Servlet
7.1 Introduction
7.2 Security and Access
7.3 Vulnerability Checks
7.4 Cross Site Scripting
7.5 SQL Injection
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
7.6.2 Exclusion of Keywords / Key Characters
7.6.3 Debug Logs
1 Preface
This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:
- Secure Configurations
- Secure Header Configurations
- Web Application Server Security Configurations
- Additional Security Configurations
1.1 Summary
The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.
1.2 Audience
This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration to install and configure OFSAAI in the released environment.
1.2.1 Prerequisites for the Audience
This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:
- OFS AAAI pack components
- OFSAA Architecture
- UNIX Commands
- Database Concepts
- Web server/Web application server
1.3 Related Documents
This section identifies additional documents related to OFSAA Infrastructure:
- Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
- Oracle Financial Services Analytical Applications Environment Check Utility Guide
- Oracle Financial Services Analytical Applications Infrastructure Administration Guide
- Oracle Financial Services Analytical Applications Infrastructure User Guide
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.
2.1 Security Configurations
To have a secure environment for an OFSAA installation, a set of configurations needs to be completed. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.
Oracle Data Redaction - This is an Oracle Database Advanced Security option that protects data by masking (redacting) sensitive values shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.
TDE (Transparent Data Encryption) - Enabling this option secures data at rest when stored in the Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
Key Management - The OFSAA configuration schema (CONFIG) is the central repository for the passwords of users and application database schemas. These values are AES-256 encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate or generate a new encryption key if needed.
The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.
NOTE: Integration with any other key management solution is out of scope for this release.
File Encryption - OFSAA supports file encryption using AES-256. For more information, see the File Encryption section in the OFSAAI Administration Guide.
Database Password Reset - Change the database password for the config schema and atomic schemas periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
Input and Output Encoding - The product is enabled with input validation and output encoding to protect against various types of security attacks.
Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
- Set session timeout
- Enable CSRF
- Set frequency of password change
- Configure password restriction details
- Configure password history
- Configure security questions for password reset
- Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and clickjacking. The following subsections describe the methods that you can configure on your OFSAAI system to secure it against such attacks:
    Configuration for X-Frame-Options
    Configuration to set Content Security Policy
    Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against attacks in which an external site embeds your content in its own pages in order to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following security filter configuration for the response header.
   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit the domains that may frame the application:
   X-Frame-Options:
   <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
           <param-name>mode</param-name>
           <param-value>ALLOW-FROM <URL1> <URL2></param-value>
       </init-param>
   </filter>
   NOTE: If ALLOW-FROM is not configured, the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs that are allowed to frame the application.
   X-Frame-Options is supported only on the Internet Explorer browser.
   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross-Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If the tags do not exist in the web.xml file, add them to the file:
   <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>
   WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
   If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to customize the tags, see the following example and modify it as required:
   <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src <IMGURL> 'self' data:</param-value>
   </context-param>
   <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
   </context-param>
   In the preceding example, define the policy by replacing:
   default-src - with no value. This leaves it set to 'self'.
   <SCRURL> - with the URL of the script that you want to allow to run; any script from another origin is then prevented from running.
   <IMGURL> - with the image URLs of the trusted sources from which you want to load images; images from untrusted sources are then prevented.
   <CSSURL> - with the URL of the stylesheet whose styles you want to allow; styles from other sources are then prevented.
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing requests only from validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
   <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
           <param-name>AllowHosts</param-name>
           <param-value><URL1> <URL2></param-value>
       </init-param>
   </filter>
   NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
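As an added check (not part of this guide or of the OFSAAI product), the following Python validates a response's X-Frame-Options and Content-Security-Policy headers against what sections 3.1 to 3.3 configure, including the single-space and trailing-slash rules for <URL1> <URL2> lists that the notes in 3.1 and 3.3 share. The sample header values and host names are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample response headers, as an OFSAAI deployment configured per
# this chapter might return them (not captured from a real system). Keys are
# canonical header names.
SAMPLE_HEADERS = {
    "X-Frame-Options": "ALLOW-FROM https://portal.example.com/ https://intranet.example.com/",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "img-src 'self' data:; style-src 'self' 'unsafe-inline'"
    ),
}

# Directives that section 3.2 configures; each must keep 'self' as a source.
REQUIRED_CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")


def check_url_list(value):
    """Apply the NOTE's rules for a <URL1> <URL2> list (ALLOW-FROM, AllowHosts):
    entries separated by exactly one space, each an absolute http(s) URL ending in '/'."""
    problems = []
    if value != value.strip():
        problems.append("list has leading or trailing whitespace")
    if "  " in value:
        problems.append("two or more consecutive spaces between URLs")
    for url in value.strip().split(" "):
        if not url:
            continue  # empty token: already reported as a double space
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{url} is not an absolute http(s) URL")
        if not url.endswith("/"):
            problems.append(f"{url} does not end with '/'")
    return problems


def check_x_frame_options(headers):
    """SAMEORIGIN (the default when ALLOW-FROM is not configured) or DENY pass;
    an ALLOW-FROM list is checked against the format rules above."""
    value = headers.get("X-Frame-Options")
    if value is None:
        return ["X-Frame-Options header missing"]
    upper = value.strip().upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return []
    if upper.startswith("ALLOW-FROM "):
        return check_url_list(value.strip()[len("ALLOW-FROM "):])
    return [f"unexpected X-Frame-Options value: {value!r}"]


def parse_csp(value):
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers):
    """Verify the four directives of section 3.2 are present with 'self'."""
    value = headers.get("Content-Security-Policy")
    if value is None:
        return ["Content-Security-Policy header missing"]
    policy = parse_csp(value)
    problems = []
    for directive in REQUIRED_CSP_DIRECTIVES:
        sources = policy.get(directive)
        if sources is None:
            problems.append(f"{directive} directive missing")
        elif "'self'" not in sources:
            problems.append(f"{directive} does not include 'self'")
    # The shipped default keeps 'unsafe-inline' and 'unsafe-eval' on script-src;
    # report them so a reviewer can see whether the policy was tightened.
    for source in ("'unsafe-inline'", "'unsafe-eval'"):
        if source in policy.get("script-src", []):
            problems.append(f"script-src still allows {source} (shipped default)")
    return problems


def check_response(headers):
    """Run all chapter 3 header checks on one response; an empty list means clean."""
    return check_x_frame_options(headers) + check_csp(headers)


if __name__ == "__main__":
    for finding in check_response(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```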
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server's own administration guide for additional details:
    Enabling HTTPS Configuration for OFSAA
    Security Configuration for Tomcat
    Security Configuration for WebSphere
    Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure channel for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:
    To enable HTTPS post installation
    To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
   TIP: Multiple cipher suites have to be comma-separated.
   For example:
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure the secure and HttpOnly cookie flags using the following procedure:
   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
   c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
      <cookie-config>
          <http-only>true</http-only>
          <secure>true</secure>
      </cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
   <init-param>
       <param-name>listings</param-name>
       <param-value>false</param-value>
   </init-param>
6. After configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
   Cookie Name - JSESSIONID
   Cookie Domain - <domain>
   Cookie Path - <context>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   Restrict cookies to HTTPS sessions
   Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, whether the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, check the browser settings so that it initiates TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security in the left menu and then click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file on your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. After saving, select the Auth Cookie Enabled checkbox again and re-save the change.
6. Configure the session Secure and HttpOnly flags:
   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
      Create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
          <session-descriptor>
              <cookie-name>JSESSIONID</cookie-name>
              <cookie-domain><domain></cookie-domain>
              <cookie-path><context></cookie-path>
              <cookie-http-only>true</cookie-http-only>
              <cookie-secure>true</cookie-secure>
          </session-descriptor>
      </weblogic-web-app>
   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
      <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
      </session-descriptor>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:
      <ssl>
          <name><servername></name>
          <enabled>true</enabled>
          <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>
      For more information, see
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
   <index-directory-enabled>false</index-directory-enabled>
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart the services.
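The same <context>/<domain> note applies to the Tomcat, WebSphere and WebLogic settings above. This added Python example (not from this guide or the product) parses a Set-Cookie header and checks the JSESSIONID cookie for the Secure and HttpOnly flags, the full-host Domain and the context Path that those settings are meant to produce. The header value, host name and context are constructed sample values.

```python
# Constructed Set-Cookie header as a correctly configured server would emit it
# (sample values; not captured from a real system).
SAMPLE_SET_COOKIE = "JSESSIONID=0000A1B2C3D4; Path=/OFSAAI; Domain=app.mysite.com; Secure; HttpOnly"


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header.
    Attribute keys are lower-cased; valueless attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, has_value, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def check_session_cookie(set_cookie, host, context):
    """Compare the JSESSIONID cookie with the chapter 4 requirements.

    host    - the host name users type in the URL (for example app.mysite.com)
    context - the OFSAAI context path (for example OFSAAI)
    Returns a list of problems; an empty list means the cookie is configured as required."""
    name, _, attrs = parse_set_cookie(set_cookie)
    if name != "JSESSIONID":
        return [f"expected a JSESSIONID cookie, got {name!r}"]
    problems = []
    if attrs.get("secure") is not True:
        problems.append("Secure flag missing: the cookie may be sent over plain HTTP")
    if attrs.get("httponly") is not True:
        problems.append("HttpOnly flag missing: the cookie is readable by page scripts")
    domain = attrs.get("domain")
    if not isinstance(domain, str) or not domain:
        problems.append("Domain attribute missing")
    elif domain.lstrip(".").lower() != host.lower():
        # The NOTE asks for the full host (app.mysite.com), not the parent domain
        # (mysite.com), so the cookie is not shared with every host under that domain.
        problems.append(f"Domain is {domain}, expected the full host {host}")
    path = attrs.get("path")
    expected_path = "/" + context.strip("/")
    if not isinstance(path, str) or not path:
        problems.append("Path attribute missing")
    elif path.rstrip("/") != expected_path:
        problems.append(f"Path is {path}, expected the OFSAAI context {expected_path}")
    return problems


if __name__ == "__main__":
    for finding in check_session_cookie(SAMPLE_SET_COOKIE, "app.mysite.com", "OFSAAI") or ["no findings"]:
        print(finding)
```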
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
    Configuration to Restrict Access to Default Web Server Pages
    Configuration to Restrict Display of the Web Server Details
    Configuration to Restrict File Uploads
    Configuration to restrict HTTP methods other than GET/POST
    Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
   Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if present):
   Section I
   <Context path="/examples" docBase="examples" debug="0"
            reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger"
             prefix="localhost_examples_log." suffix=".txt"
             timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity"
          home="com.wombat.empl.EmployeeRecordHome"
          remote="com.wombat.empl.EmployeeRecord"/>
   Section II
     <Environment name="maxExemptions" type="java.lang.Integer"
                  value="15"/>
     <Parameter name="context.param.name" value="context.param.value"
                override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
               type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name>
         <value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name>
         <value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container"
               type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource"
                   global="simpleValue"
                   type="java.lang.Integer"/>
   </Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
   <welcome-file>index.html</welcome-file>
   <welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
   Following are some examples:
   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses:
Modify the httpd.conf file and set:
    the "ServerTokens" parameter to "Prod"
    the "ServerSignature" parameter to "Off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files of certain file types. This configuration is applicable for all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached whose extension is not listed in this parameter value is blocked. The current release has the values below set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>restricted methods</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>PUT</http-method>
              <http-method>PATCH</http-method>
              <http-method>HEAD</http-method>
              <http-method>DELETE</http-method>
              <http-method>OPTIONS</http-method>
              <http-method>TRACE</http-method>
              <http-method>CONNECT</http-method>
          </web-resource-collection>
          <auth-constraint/>
      </security-constraint>
   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
    Negotiating a cipher suite for encryption, data integrity and authentication
    Authenticating the client by validating its certificate
    Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
    Client and server exchanging key information using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-Site Scripting vulnerabilities. Currently this check is for the following groups of keywords/key characters:
    JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
    JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
    SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
    SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
    SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
    SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
    These are present in the Configuration table.
7.4 Cross Site Scripting
A Cross-Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars such as ", ', (, ), < or >), then the request is blocked and an error message is displayed.
You can refer to the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate), then the request is blocked and an error message is displayed.
You can refer to the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords/Key Characters
You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
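As an added illustration (not the product's code), the following Python models the Appendix A decision from CONFIGURATION rows: the XSS_IS_CHECK_REQUIRED gate of 7.6.1, the keyword-plus-meta-character rule of 7.4, the SQLKeyWord-plus-SQLWord rule of 7.5, and the numeric ordering of numbered PARAMNAMEs that 7.6.2 relies on. The rows are constructed from the keywords named in the text; whole-word, case-insensitive matching is an assumption about the real servlet, and the SQLTOKENS and SQLOPERATORS groups are not modelled because the text does not describe how they are used.

```python
import re

# Constructed CONFIGURATION rows (PARAMNAME -> PARAMVALUE) using only the keywords and
# meta characters named in Appendix A. A real installation holds the full lists (up to
# XSS_JS_KEYWORDS13, XSS_SQL_KEYWORDS23 and so on); see MOS Doc ID 2311605.1 for those.
CONFIGURATION = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return",
    "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script",
    "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"',
    "XSS_JS_METACHARS2": "'",
    "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")",
    "XSS_JS_METACHARS5": "<",
    "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter",
    "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select",
    "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update",
    "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop",
    "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from",
    "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where",
    "XSS_SQL_WORDS4": "table",
}


def load_group(config, prefix):
    """Collect the PARAMVALUEs of all rows named <prefix><n>, ordered by n.
    Numeric ordering is what makes XSS_JS_KEYWORDS12 sort after XSS_JS_KEYWORDS2 (7.6.2)."""
    pattern = re.compile(re.escape(prefix) + r"(\d+)$")
    rows = []
    for name, value in config.items():
        match = pattern.match(name)
        if match:
            rows.append((int(match.group(1)), value))
    return [value for _, value in sorted(rows)]


def contains_word(text, word):
    # Assumption: keywords match as whole words, case-insensitively.
    return re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE) is not None


def classify_request_value(text, config):
    """Return 'XSS' or 'SQL' when the Filter Servlet rule described in Appendix A
    would block this request value, or None when it passes."""
    # 7.6.1: no cross-site checks when the row is absent or its PARAMVALUE is not TRUE.
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None
    # 7.4: any JavascriptKeyWord combined with any JavascriptKeyChar.
    js_keyword_hit = any(contains_word(text, kw) for kw in load_group(config, "XSS_JS_KEYWORDS"))
    js_metachar_hit = any(ch in text for ch in load_group(config, "XSS_JS_METACHARS"))
    if js_keyword_hit and js_metachar_hit:
        return "XSS"
    # 7.5: any SQLKeyWord combined with any SQLWord.
    sql_keyword_hit = any(contains_word(text, kw) for kw in load_group(config, "XSS_SQL_KEYWORDS"))
    sql_word_hit = any(contains_word(text, w) for w in load_group(config, "XSS_SQL_WORDS"))
    if sql_keyword_hit and sql_word_hit:
        return "SQL"
    return None


if __name__ == "__main__":
    # Constructed request values: a keyword alone passes, keyword plus meta character is
    # blocked, and ordinary English containing an SQL keyword and word is blocked too,
    # which is why 7.6.2 provides a way to exclude keywords.
    for sample in ("Please return the Q3 report", "alert(1)",
                   "select name from customers", "Update the table of contents"):
        print(f"{sample!r}: {classify_request_value(sample, CONFIGURATION)}")
```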
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
    Did you find any errors?
    Is the information clearly presented?
    Do you need more information? If so, where?
    Are the examples correct? Do you need more examples?
    What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 5
7 Appendix A - Filter Servlet 28
71 Introduction 28
72 Security and Access 28
73 Vulnerability Checks 28
74 Cross Site Scripting 28
75 SQL Injection 29
76 Filter Servlet Configurations 29
761 Checking for XSS Vulnerability 29
762 Exclusion of Keywords Key Characters 29
763 DebugLogs 29
PREFACE
SUMMARY
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 6
1 Preface
This Preface provides supporting information for the Oracle Financial Services Analytical
Applications Infrastructure Security Guide and includes the following topics
Secure Configurations
Secure Header Configurations
Web Application Server Security Configurations
Additional Security Configurations
11 Summary
The information contained in this document is intended to give you a quick exposure and
an understanding of the security configurations required after the installation of Oracle
Financial Services Analytical Application Infrastructure
12 Audience
This guide is intended for System Administrators (SA) who are instrumental in installing
and performing secure configurations for OFS Analytical Applications Infrastructure It is
assumed that the SAs are technically sound and proficient in UNIX Database
Administration and Web Application Administration to install and configure OFSAAI in the
released environment
121 Prerequisites for the Audience
This document assumes that you have experience in installing Enterprise components
and basic knowledge about the following
OFS AAAI pack components
OFSAA Architecture
UNIX Commands
Database Concepts
Web serverWeb application server
1.3 Related Documents
This section identifies additional documents related to OFSAA Infrastructure:
Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
Oracle Financial Services Analytical Applications Environment Check Utility Guide
Oracle Financial Services Analytical Applications Infrastructure Administration Guide
Oracle Financial Services Analytical Applications Infrastructure User Guide
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.
2.1 Security Configurations
To have a secure environment for the OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections in this document. For more information, see the OFSAAI Administration Guide.
Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.
TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
Key Management - The OFSAA configuration schema (CONFIG) is the repository to store passwords for users and application database schemas centrally. These values are AES-256-bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.
The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.
NOTE: Integration with any other Key Management solution is out of scope of this release.
File Encryption - OFSAA supports file encryption using the AES-256-bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.
Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.
Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
Set session timeout
Enable CSRF
Set frequency of password change
Configure password restriction details
Configure password history
Configure security questions for password reset
Configure the activation period by setting Dormant Days, Inactive Days, and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:
Configuration for X-Frame-Options
Configuration to set Content Security Policy
Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following Security filters configuration for the response header.
web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains:
X-Frame-Options
<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>ALLOW-FROM <URL1> <URL2></param-value>
  </init-param>
</filter>
NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.
X-Frame-Options is supported only on the Internet Explorer browser.
Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:
<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:
<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the previous example, you have to define the policy by replacing:
default-src - with no value. This value sets it to 'self'.
<SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.
<IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.
<CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent them from other sources.
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value> <URL1> <URL2> </param-value>
  </init-param>
</filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
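The single-space and trailing-slash rules stated for the ALLOW-FROM value (section 3.1) and the AllowHosts value (this section), as an added Python check that is not part of OFSAAI or this guide. It reads the FilterServlet init-params from a web.xml fragment; the fragment and its example.com hosts are constructed for the example.

```python
"""Check the FilterServlet URL lists in web.xml against the rules in this guide.

Added example, not OFSAAI code. Rules applied: URLs separated by exactly one
space (none or two or more is an error) and every URL ends with a forward slash.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (hosts are examples, not a real installation).
# The mode value is correct; the AllowHosts value has a doubled space and a
# URL without the trailing slash, so the check should report both.
WEB_XML_FRAGMENT = """<web-app>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.com/ https://intranet.example.com/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value> https://portal.example.com/  https://intranet.example.com </param-value>
    </init-param>
  </filter>
</web-app>"""


def filter_servlet_params(web_xml):
    """Return {param-name: param-value} of the FilterServlet filter's init-params."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") == "FilterServlet":
            return {p.findtext("param-name"): (p.findtext("param-value") or "")
                    for p in flt.findall("init-param")}
    return {}


def check_url_list(value):
    """Return the problems found in a space-separated URL list ([] means valid).

    Surrounding whitespace is tolerated (the guide's own AllowHosts example has
    it); the separator between URLs must be exactly one space.
    """
    problems = []
    value = value.strip()
    if not value:
        return ["no URLs configured"]
    if "  " in value:
        problems.append("two or more consecutive spaces between URLs")
    for url in value.split():
        if url.count("://") > 1:
            problems.append(f"{url!r} looks like two URLs with no space between them")
        elif not url.startswith(("http://", "https://")):
            problems.append(f"{url!r} is not an absolute http(s) URL")
        if not url.endswith("/"):
            problems.append(f"{url!r} does not end with a forward slash")
    return problems


def audit_filter_servlet(web_xml):
    """Check both URL lists; returns {param-name: [problems]} for those present."""
    params = filter_servlet_params(web_xml)
    result = {}
    mode = params.get("mode", "")
    # If ALLOW-FROM is not configured the filter sets SAMEORIGIN, so there is
    # no URL list to validate in that case.
    if mode.startswith("ALLOW-FROM"):
        result["mode"] = check_url_list(mode[len("ALLOW-FROM"):])
    if "AllowHosts" in params:
        result["AllowHosts"] = check_url_list(params["AllowHosts"])
    return result


if __name__ == "__main__":
    for param, problems in audit_filter_servlet(WEB_XML_FRAGMENT).items():
        print(param, "OK" if not problems else problems)
```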
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.
Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.
To enable HTTPS post installation
To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites have to be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure for secure and HttpOnly using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.
b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>
6. Post configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS Sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Servers > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure secure cookies, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and resave the change.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:
<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see:
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat.
Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment the following two sections from CATALINA_HOME/conf/server.xml (if available):
Section I
<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>
Section II
  <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
  <Parameter name="context.param.name" value="context.param.value" override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
the "ServerTokens" parameter to "Prod"
the "ServerSignature" parameter to "Off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any files being attached that do not have an extension as listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
Negotiating a cipher suite for encryption, data integrity, and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
Client and server exchanging key information using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server, the configuration requires a wallet, and on the client, the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having store type SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently this check is for the following groups of keywords/key characters:
JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any JavascriptKeyWords with the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The Cross Site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other numbers in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other numbers in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, CSSLogger.log is generated in the directory <deployed context>/logs. It contains the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice: enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
1 Preface
This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:
- Secure Configurations
- Secure Header Configurations
- Web Application Server Security Configurations
- Additional Security Configurations
1.1 Summary
The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.
1.2 Audience
This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration to install and configure OFSAAI in the released environment.
1.2.1 Prerequisites for the Audience
This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:
- OFS AAAI pack components
- OFSAA Architecture
- UNIX Commands
- Database Concepts
- Web server / Web application server
1.3 Related Documents
This section identifies additional documents related to OFSAA Infrastructure:
- Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
- Oracle Financial Services Analytical Applications Environment Check Utility Guide
- Oracle Financial Services Analytical Applications Infrastructure Administration Guide
- Oracle Financial Services Analytical Applications Infrastructure User Guide
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.
2.1 Security Configurations
To have a secure environment for an OFSAA installation, a set of configurations must be completed. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.
- Oracle Data Redaction - This is an Oracle Database Advanced Security option that protects data by masking (redacting) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it after installation, see the Data Redaction section in the OFSAAI Administration Guide.
- TDE (Transparent Data Encryption) - Enabling this option secures data at rest when it is stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. To configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
- Key Management - The OFSAA configuration schema (CONFIG) is the central repository for the passwords of users and application database schemas. These values are AES-256 bit encrypted using an encryption key generated uniquely for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate or generate a new encryption key if needed. The Key Management section in the OFSAAI Administration Guide explains how to generate this key and store it in a Java Key Store.
  NOTE: Integration with any other key management solution is out of scope for this release.
- File Encryption - OFSAA supports file encryption in AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.
- Database Password Reset - Change the database passwords for the config schema and the atomic schemas periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
- Password Reset - Reset user passwords if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
- Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
- SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
- Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
- Data Security and Data Privacy - Configure these to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
- Input and Output Encoding - The product is enabled with input validation and output encoding to protect against various types of security attacks.
- Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
- Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
- System Configuration and Identity Management - Configure the following parameters using the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
  - Set session timeout
  - Enable CSRF
  - Set frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and clickjacking. The following subsections describe the methods that you can configure on your OFSAAI system to protect it from such attacks:
- Configuration for X-Frame-Options
- Configuration to set Content Security Policy
- Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against external parties mounting attacks by embedding content that mimics your content in order to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following security filter configuration for the response header.
web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM to X-FRAME-OPTIONS to limit the permitted domains:
X-Frame-Options
<filter>
<filter-name>FilterServlet</filter-name>
<filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>ALLOW-FROM <URL1> <URL2></param-value>
</init-param>
</filter>
NOTE: If ALLOW-FROM is not configured, the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.
X-Frame-Options is supported only on the Internet Explorer browser.
Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If the tags do not exist in the web.xml file, add them to the file:
<context-param>
<param-name>default-src</param-name>
<param-value>default-src 'self'</param-value>
</context-param>
<context-param>
<param-name>script-src</param-name>
<param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
<param-name>img-src</param-name>
<param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
<param-name>style-src</param-name>
<param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to keep the default configuration, retain the tags as shown in the preceding list. If you want to customize the tags, see the following example and modify it as required.
<context-param>
<param-name>default-src</param-name>
<param-value>default-src 'self'</param-value>
</context-param>
<context-param>
<param-name>script-src</param-name>
<param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
<param-name>img-src</param-name>
<param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
<param-name>style-src</param-name>
<param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the preceding example, define the policy by replacing:
- default-src - with no value; this sets it to 'self'.
- <SCRURL> - with the URL of the script that you want to allow to run, which prevents any other script from running.
- <IMGURL> - with the image URLs of the trusted sources from which you want to load images, which prevents images from untrusted sources.
- <CSSURL> - with the URL of the stylesheet, which allows styles from the specified stylesheet and prevents styles from other sources.
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
<filter>
<filter-name>FilterServlet</filter-name>
<filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
<init-param>
<param-name>AllowHosts</param-name>
<param-value><URL1> <URL2></param-value>
</init-param>
</filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
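As an added illustration, not part of this guide and not OFSAAI code, the following Python script parses a constructed web.xml and applies the rules the notes in sections 3.1 to 3.3 describe: the ALLOW-FROM and AllowHosts URL lists must be separated by exactly one space and every URL must end with a slash, and each CSP directive value must start with its directive name and quote keywords such as 'self'. It also flags 'unsafe-inline' and 'unsafe-eval', which the default policy in section 3.2 still permits. The hostnames in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not a file from an OFSAAI installation). The ALLOW-FROM
# value has two spaces between its URLs and the AllowHosts value has a URL without a
# trailing slash: the two mistakes the notes in sections 3.1 and 3.3 warn about.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
  </context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.com/  https://bi.example.com/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value>https://portal.example.com/ https://bi.example.com</param-value>
    </init-param>
  </filter>
</web-app>
"""

CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def check_url_list(value):
    """Apply the guide's rules for <URL1> <URL2> lists: exactly one space between
    entries and every entry ending with '/'. Returns a list of problem strings."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace in URL list")
    for position, url in enumerate(value.strip().split(" "), start=1):
        if url == "":
            problems.append(f"more than one space before entry {position}")
        elif not url.endswith("/"):
            problems.append(f"{url} does not end with '/'")
    return problems


def check_csp_directive(name, value):
    """Check one CSP context-param: the value must start with the directive name,
    keywords must be quoted ('self', not self) and unsafe-* sources are flagged."""
    problems = []
    tokens = value.split()
    if not tokens or tokens[0] != name:
        return [f"{name}: value must start with the directive name"]
    for source in tokens[1:]:
        bare = source.strip("'")
        quoted = source.startswith("'") and source.endswith("'")
        if bare in CSP_KEYWORDS and not quoted:
            problems.append(f"{name}: keyword {bare} must be written as '{bare}'")
        if bare in ("unsafe-inline", "unsafe-eval"):
            problems.append(f"{name}: {source} weakens the XSS protection CSP provides")
    return problems


def audit_web_xml(xml_text):
    """Return {setting: [problems]} for the CSP directives and the FilterServlet
    init-params found in the given web.xml text (empty list = no problem)."""
    root = ET.fromstring(xml_text)
    findings = {}
    for cp in root.iter("context-param"):
        name = (cp.findtext("param-name") or "").strip()
        if name.endswith("-src"):
            findings[name] = check_csp_directive(name, cp.findtext("param-value") or "")
    for flt in root.iter("filter"):
        if (flt.findtext("filter-name") or "").strip() != "FilterServlet":
            continue
        for ip in flt.iter("init-param"):
            pname = (ip.findtext("param-name") or "").strip()
            pvalue = ip.findtext("param-value") or ""
            if pname == "mode":
                if not pvalue.startswith("ALLOW-FROM "):
                    findings["mode"] = ["mode should read 'ALLOW-FROM <URL1> <URL2>'"]
                else:
                    findings["mode"] = check_url_list(pvalue[len("ALLOW-FROM "):])
            elif pname == "AllowHosts":
                findings["AllowHosts"] = check_url_list(pvalue)
    return findings


if __name__ == "__main__":
    for setting, problems in audit_web_xml(SAMPLE_WEB_XML).items():
        print(setting, "OK" if not problems else problems)
```

Run it against the real $FIC_HOME/ficweb/webroot/WEB-INF/web.xml by reading the file into audit_web_xml; the script only reads the XML, it does not change it.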
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, refer to the administration guide of your web application server for additional details.
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended by default during OFSAA installation. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:
- To enable HTTPS after installation
- To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites have to be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure secure and HttpOnly using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.
b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
6. After the configuration, restart the Tomcat service.
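The following Python script is an added example, not part of this guide or of Tomcat, that checks constructed fragments of server.xml, context.xml and web.xml against steps 1 to 5 above: an SSL Connector with secure="true", sslProtocol TLSv1.2 and strong cipher suites, a Context whose session cookie domain is the exact application host (the note under step 3), useHttpOnly on the Context, the http-only and secure cookie-config flags, and listings set to false. The strong-suite rule (ECDHE or DHE key exchange, no CBC) is an assumption made for the example; the guide defers to the OWASP cheat sheet for the authoritative list.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed fragments of server.xml, context.xml and web.xml; they are not files
# from a real $CATALINA_HOME. The Context scopes the session cookie to the parent
# domain, which the note under step 3 says is wrong for an application reached at
# app.mysite.com, and the ciphers list carries one suite without forward secrecy.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/OFSAAI" docBase="OFSAAI"
                 sessionCookiePath="/OFSAAI" sessionCookieDomain="mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

CONTEXT_XML = '<Context useHttpOnly="true"/>'

WEB_XML = """<web-app>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

# Assumption for this example: only ECDHE/DHE suites without CBC count as strong.
STRONG_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")


def audit_tomcat(server_xml, context_xml, web_xml, app_url):
    """Return {"connector": [...], "cookie": [...], "web_xml": [...]}; an empty
    list means that group of checks passed."""
    problems = {"connector": [], "cookie": [], "web_xml": []}
    parts = urlsplit(app_url)
    expected_domain = parts.hostname                            # exact host, not a parent domain
    expected_path = "/" + parts.path.strip("/").split("/")[0]   # the OFSAAI context

    server = ET.fromstring(server_xml)
    for conn in server.iter("Connector"):
        if conn.get("SSLEnabled") != "true":
            continue
        if conn.get("secure") != "true":
            problems["connector"].append('secure="true" missing on SSL Connector')
        if conn.get("sslProtocol") != "TLSv1.2":
            problems["connector"].append(f"sslProtocol is {conn.get('sslProtocol')!r}, expected TLSv1.2")
        suites = [s.strip() for s in (conn.get("ciphers") or "").split(",") if s.strip()]
        if not suites:
            problems["connector"].append("no explicit ciphers attribute")
        for suite in suites:
            if not suite.startswith(STRONG_PREFIXES) or "_CBC_" in suite:
                problems["connector"].append(f"weak cipher suite {suite}")
    for ctx in server.iter("Context"):
        if ctx.get("sessionCookieDomain") != expected_domain:
            problems["cookie"].append(
                f"sessionCookieDomain {ctx.get('sessionCookieDomain')!r} should be {expected_domain!r}")
        if ctx.get("sessionCookiePath") != expected_path:
            problems["cookie"].append(f"sessionCookiePath should be {expected_path!r}")

    if ET.fromstring(context_xml).get("useHttpOnly") != "true":
        problems["cookie"].append('useHttpOnly="true" missing from context.xml')

    web = ET.fromstring(web_xml)
    for tag in ("http-only", "secure"):
        if web.findtext(f"session-config/cookie-config/{tag}") != "true":
            problems["web_xml"].append(f"cookie-config/{tag} is not true")
    listings = [ip.findtext("param-value") for ip in web.iter("init-param")
                if ip.findtext("param-name") == "listings"]
    if listings != ["false"]:
        problems["web_xml"].append("directory listings are not disabled")
    return problems


if __name__ == "__main__":
    result = audit_tomcat(SERVER_XML, CONTEXT_XML, WEB_XML, "https://app.mysite.com/OFSAAI/")
    for group, found in result.items():
        print(group, found or "OK")
```

The application URL is the only input that is not a config file; it is what the note under step 3 compares the cookie domain against, so pass the URL your users actually type.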
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
- Cookie Name - JSESSIONID
- Cookie domain - <domain>
- Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
- Restrict Cookies to HTTPS Sessions
- Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://<host>:<admin port>/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections are established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings so that only TLS handshakes are initiated.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security in the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, that is, directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not secure. To make them secure, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it. You then need to create a weblogic.xml file and deploy the EAR file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configuration tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options on the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. Deselect the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. After saving, select the Auth Cookie Enabled checkbox and save the change again.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-domain><domain></cookie-domain>
<cookie-path><context></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-domain><domain></cookie-domain>
<cookie-path><context></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
<name><servername></name>
<enabled>true</enabled>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see:
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the EAR file and deploy it onto the WebLogic server.
10. Restart the services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to the default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if present):
Section I
<Context path="/examples" docBase="examples" debug="0"
reloadable="true" crossContext="true">
<Logger className="org.apache.catalina.logger.FileLogger"
prefix="localhost_examples_log." suffix=".txt"
timestamp="true"/>
<Ejb name="ejb/EmplRecord" type="Entity"
home="com.wombat.empl.EmployeeRecordHome"
remote="com.wombat.empl.EmployeeRecord"/>
Section II
<Environment name="maxExemptions" type="java.lang.Integer"
value="15"/>
<Parameter name="context.param.name" value="context.param.value"
override="false"/>
<Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/EmployeeAppDb">
<parameter><name>user</name><value>sa</value></parameter>
<parameter><name>password</name><value></value></parameter>
<parameter><name>driverClassName</name>
<value>org.hsql.jdbcDriver</value></parameter>
<parameter><name>driverName</name>
<value>jdbc:HypersonicSQL:database</value></parameter>
</ResourceParams>
<Resource name="mail/Session" auth="Container"
type="javax.mail.Session"/>
<ResourceParams name="mail/Session">
<parameter>
<name>mail.smtp.host</name>
<value>localhost</value>
</parameter>
</ResourceParams>
<ResourceLink name="linkToGlobalResource"
global="simpleValue"
type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
- the "ServerTokens" parameter to "Prod"
- the "ServerSignature" parameter to "Off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files of certain file types. This configuration applies to all UIs and apps rendered by the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached whose extension is not listed in this parameter value is blocked. The current release has the following values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
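To show what an extension allow list of this kind does and does not decide, here is an added Python example; it is not the Forms Framework's own check, and the comma separator of the parameter value is an assumption. Only the file's final extension is compared, so "invoice.pdf.exe" is refused while "REPORT.PDF" is accepted; directory parts, trailing dots and files without any extension are handled explicitly. Note that the list's "doc" and "Doc" are collapsed into one case-insensitive entry here, which the guide's two separate values may or may not do in the product.

```python
import os

# Value from section 5.3; the comma separator is an assumption for this example.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed(param_value):
    """Turn the parameter value into a set of lower-case extensions without dots."""
    return {e.strip().lstrip(".").lower() for e in param_value.split(",") if e.strip()}


def is_upload_allowed(filename, allowed):
    """True only if the file's last extension is in the allow list. Directory
    parts are ignored, trailing dots and spaces are removed (Windows drops them
    when the file is written), and a file with no extension is refused."""
    name = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    stem, ext = os.path.splitext(name)
    if not stem or not ext:          # "README" or ".htaccess": nothing to compare
        return False
    return ext[1:].lower() in allowed


# Constructed filenames covering the cases a reviewer would want exercised.
SAMPLE_FILENAMES = ["report.pdf", "REPORT.PDF", "notes.txt.", "invoice.pdf.exe",
                    "tool.exe", "README", ".htaccess", "C:\\temp\\budget.xls",
                    "archive.tar.gz"]


def triage(filenames, param_value=DOCUMENT_ALLOWED_EXTENSION):
    """Map each filename to the allow/deny decision for the given parameter value."""
    allowed = parse_allowed(param_value)
    return {f: is_upload_allowed(f, allowed) for f in filenames}


if __name__ == "__main__":
    for name, ok in triage(SAMPLE_FILENAMES).items():
        print(f"{name:24} {'allowed' if ok else 'blocked'}")
```

An extension check says nothing about the file's content; "zip" and "jar" being on the list means an archive is accepted on its name alone, so content inspection of uploads remains a separate control.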
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST.
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server, Oracle HTTP Server or IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>HEAD</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>CONNECT</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
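The two mechanisms in section 5.4 are not equivalent: the RewriteCond is an allow list (everything except GET and POST is refused), whereas the web.xml security-constraint is a deny list that refuses only the methods it enumerates, so a verb that is not on the list (a WebDAV verb such as PROPFIND, for instance) still reaches the application and is left to the servlet's own handling. The following Python model, an added example rather than anything from the guide or the servers, evaluates constructed request lines under both policies and lists the methods on which they disagree.

```python
# Allow list expressed by the RewriteCond in step 1: everything else gets 405.
ALLOWED_METHODS = {"GET", "POST"}
# Deny list enumerated in the web.xml security-constraint in step 2a; the empty
# <auth-constraint/> makes the container refuse exactly those methods with 403.
DENIED_METHODS = {"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed request lines, including a WebDAV verb that neither list names.
SAMPLE_REQUESTS = [
    "GET /OFSAAI/login.jsp HTTP/1.1",
    "POST /OFSAAI/login HTTP/1.1",
    "TRACE /OFSAAI/ HTTP/1.1",
    "OPTIONS /OFSAAI/ HTTP/1.1",
    "PROPFIND /OFSAAI/ HTTP/1.1",
]


def status_via_rewrite(method):
    """HTTP-server rule: RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ -> 405.
    None means the rule does not fire and the request is passed on."""
    return None if method in ALLOWED_METHODS else 405


def status_via_security_constraint(method):
    """Container rule: only methods listed as <http-method> are refused (403).
    None means the constraint does not apply and the request reaches the app."""
    return 403 if method in DENIED_METHODS else None


def evaluate(request_lines):
    """Return [(method, status under rewrite rule, status under security-constraint)]."""
    rows = []
    for line in request_lines:
        method = line.split(" ", 1)[0]
        rows.append((method, status_via_rewrite(method), status_via_security_constraint(method)))
    return rows


def uncovered_methods(request_lines):
    """Methods the HTTP-server allow list blocks but the web.xml deny list lets through."""
    return sorted({m for m, rewrite, constraint in evaluate(request_lines)
                   if rewrite == 405 and constraint is None})


if __name__ == "__main__":
    for method, rewrite, constraint in evaluate(SAMPLE_REQUESTS):
        print(f"{method:9} rewrite={rewrite or 'pass':5} constraint={constraint or 'pass'}")
    print("not covered by web.xml:", uncovered_methods(SAMPLE_REQUESTS))
```

When only the web.xml route is available (step 2), check the container's own handling of verbs outside the list, and remember that HEAD is refused by both configurations, which matters for load-balancer health checks that use it.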
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
- Negotiating a cipher suite for encryption, data integrity and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to Filter Servlet and the required configurations This
section also lists out the Keywords and Key Characters
NOTE This section is applicable for releases 800xx to 805xx
71 Introduction
Filter Servlet is a controller in the web-container whose functions are the following
72 Security and Access
This functionality checks whether a user has rights to access a web page that is trying to be accessed
7.3 Vulnerability Checks
This function checks requests for intrusion and Cross-site Scripting attempts. The check currently covers the following groups of keywords and key characters, each stored as PARAMNAME rows in the CONFIGURATION table:
- JavascriptKeyWords: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS: XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS: XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) together with any of the JavascriptKeyChars (meta characters such as ", ', (, ), < or >), the request is blocked and an error message is displayed.
See My Oracle Support Document Doc ID 2311605.1, which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character in scope for filtering.
7.5 SQL Injection
The SQL Injection vulnerability check filters combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains any of the disallowed SQLWords (such as From, Into, Where or Table) together with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop or Truncate), the request is blocked and an error message is displayed.
See My Oracle Support Document Doc ID 2311605.1, which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character in scope for filtering.
Both checks are keyword blocklists applied to request parameters. They are a defence-in-depth measure, not a substitute for parameterized SQL and output encoding in the application, and they can block legitimate input that happens to contain words such as "select" and "from" (see the exclusion mechanism in section 7.6.2).
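The combination rules of sections 7.4 and 7.5, as an added example that is not OFSAA code: the keyword and metacharacter sets below are assumptions standing in for the XSS_JS_KEYWORDS*, XSS_JS_METACHARS*, XSS_SQL_KEYWORDS* and XSS_SQL_WORDS* rows (the real values are in Doc ID 2311605.1), the XSS_IS_CHECK_REQUIRED switch is modelled by a parameter, and the sample requests are constructed. The last sample shows the false positive the blocklist produces on ordinary text.

```python
"""Added example (not OFSAA code): the Filter Servlet's keyword/metachar
combination rule, re-implemented and run over constructed query strings."""
import re
from urllib.parse import parse_qs

# Assumed table contents; the guide names only these representatives.
JS_KEYWORDS = {"return", "alert", "script", "javascript", "vbscript"}
JS_METACHARS = set('"\'()<>')
SQL_KEYWORDS = {"alter", "insert", "select", "create", "update",
                "delete", "drop", "truncate"}
SQL_WORDS = {"from", "into", "where", "table"}

WORD_RE = re.compile(r"[A-Za-z_]+")


def _words(value):
    """Lower-cased alphabetic tokens of a parameter value."""
    return {w.lower() for w in WORD_RE.findall(value)}


def check_xss(value):
    """Blocked when any JS keyword co-occurs with any JS metacharacter."""
    has_keyword = bool(_words(value) & JS_KEYWORDS)
    has_metachar = any(c in JS_METACHARS for c in value)
    return has_keyword and has_metachar


def check_sqli(value):
    """Blocked when any SQL keyword co-occurs with any SQL word."""
    words = _words(value)
    return bool(words & SQL_KEYWORDS) and bool(words & SQL_WORDS)


def filter_request(query_string, xss_check_required=True):
    """Return (parameter, reason) findings for a query string.

    xss_check_required mirrors XSS_IS_CHECK_REQUIRED: when FALSE the
    servlet performs neither check and every request passes.
    """
    findings = []
    if not xss_check_required:
        return findings
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            if check_xss(value):
                findings.append((name, "XSS"))
            if check_sqli(value):
                findings.append((name, "SQL"))
    return findings


# Constructed sample requests (URL-encoded query strings).
SAMPLES = {
    "benign": "q=quarterly+report&page=2",
    "xss": "name=%3Cscript%3Ealert(1)%3C/script%3E",
    "sqli": "id=1+union+select+password+from+users",
    # keyword without a metacharacter: passes the XSS rule
    "kw_only": "comment=please+return+the+alert+form",
    # false positive: ordinary English trips the SQL rule
    "fp": "note=delete+this+entry+from+the+table",
}

if __name__ == "__main__":
    for label, qs in SAMPLES.items():
        print(f"{label:8s} -> {filter_request(qs) or 'allowed'}")
```

The checks run per parameter value after URL decoding, which is what makes the %3C-encoded script tag visible to the metacharacter rule.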
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the CONFIGURATION table of the Configuration Schema. The Cross Site Scripting checks are not performed if the entry is absent or its PARAMVALUE is FALSE. By default, PARAMVALUE is set to TRUE.
PARAMNAME: XSS_IS_CHECK_REQUIRED
PARAMVALUE: TRUE
DESCRIPTION: Parameter to decide whether the XSS check is enabled or not
7.6.2 Exclusion of Keywords and Key Characters
You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and an optional DESCRIPTION to the CONFIGURATION table. The numeral at the end of the new PARAMNAME must be higher than every other numeral in that group.
For example, to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, change its numeral to XSS_JS_KEYWORDS12 if the table lists 11 other keywords in this category. Ensure that the new number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, CSSLogger.log is generated in the directory <deployed context>/logs. It records the date, time, URL and user.
You can change the directory in which CSSLogger.log is created: enter the directory path in the CSS_LOGGER_PATH placeholder in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, in which your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised and recently released documents.
Related Documents
- Oracle Financial Services Analytical Applications Infrastructure Administration Guide
- Oracle Financial Services Analytical Applications Infrastructure User Guide
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.
2.1 Security Configurations
A secure OFSAA installation requires a set of configurations, which are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.
- Oracle Data Redaction - This is an Oracle Database Advanced Security option for protecting data. It masks (redacts) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.
- TDE (Transparent Data Encryption) - Enabling this option secures data at rest stored in the Oracle database. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. To configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
- Key Management - The OFSAA configuration schema (CONFIG) is the central repository for the passwords of users and application database schemas. These values are AES-256 encrypted with an encryption key generated uniquely for each OFSAA instance during installation. The OFSAA platform provides a utility (EncryptC.sh) to rotate or generate a new encryption key if needed. The Key Management section in the OFSAAI Administration Guide explains how to generate this key and store it in a Java Key Store.
  NOTE: Integration with any other key management solution is out of scope for this release.
- File Encryption - OFSAA supports file encryption using AES-256. For more information, see the File Encryption section in the OFSAAI Administration Guide.
- Database Password Reset - Change the database passwords of the config schema and atomic schemas periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
- Password Reset - Reset user passwords if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.
- Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
- SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
- Public Key Authentication - Configure public key authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
- Data Security and Data Privacy - Configure these to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
- Input and Output Encoding - The product is built with input validation and output encoding to protect against various types of attack.
- Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guide on the OHC.
- Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
- System Configuration and Identity Management - Configure the following parameters using the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guide on the OHC:
  - Set the session timeout
  - Enable CSRF protection
  - Set the frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect against website attacks such as XSS and clickjacking. The following subsections describe the methods you can configure on your OFSAAI system to protect it from such attacks:
- Configuration for X-Frame-Options
- Configuration to set Content Security Policy
- Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
X-Frame-Options protects against clickjacking, where an attacker embeds your pages in a frame on another site to trick users into acting on them or to steal their data. Perform the following steps to configure X-Frame-Options:
1. Set the following security filter configuration for the response header.
   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is configured by default to set the X-Frame-Options response header. Add ALLOW-FROM to X-Frame-Options to limit the domains that may frame the application:
   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>mode</param-name>
       <param-value>ALLOW-FROM <URL1> <URL2></param-value>
     </init-param>
   </filter>
   NOTE: If ALLOW-FROM is not configured, the SAMEORIGIN value is set in the response. <URL1> and <URL2> are the URLs of the other domains that are allowed to frame the application.
   The SAMEORIGIN and DENY values are honoured by all current browsers; the ALLOW-FROM directive is honoured only by Internet Explorer (and legacy Microsoft Edge). Chrome, Firefox and Safari ignore an X-Frame-Options value they do not recognise and allow the framing, so if you must allow framing from other domains, also send a Content Security Policy frame-ancestors directive carrying the same list.
   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the Setting Access-Control-Allow-Origin header in the web.xml file section in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and mitigate website attacks such as Cross Site Scripting (XSS).
NOTE: This section applies to release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and to release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The Content Security Policy configuration is supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Check whether the following tags exist. If they do not exist in the web.xml file, add them:
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>
   WARNING: Validate the web.xml file and remove any duplicate tags to avoid configuration issues.
   If you want to keep the default configuration, retain the tags exactly as shown above. Be aware that 'unsafe-inline' and 'unsafe-eval' in script-src allow injected inline script and eval() to run, which removes most of the protection CSP offers against XSS; tighten script-src only after verifying that the application pages still work. If you want to customize the tags, see the following example and modify it as required.
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src <IMGURL> 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
   </context-param>
   In this example, define the policy by replacing:
   - default-src: leave the value as 'self' and add no other sources.
   - <SCRURL>: the URL of the script source you want to allow to run; scripts from any other origin are then blocked.
   - <IMGURL>: the trusted image source URLs from which images may load; images from other sources are blocked.
   - <CSSURL>: the URL of the stylesheet source to allow; styles from other sources are blocked.
   Each directive value is a space-separated list of sources, so a placeholder may be a scheme and host or a full URL; the quoted keywords that follow it ('self', 'unsafe-inline') still apply.
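To check what the four context-params above actually produce, here is an added example (not OFSAA code) that reads the CSP directives from a web.xml fragment, assembles the Content-Security-Policy header value a filter would emit, and flags the source expressions that undo the XSS protection. The web.xml text is constructed to match the default of section 3.2; the rating of which tokens are weak is this example's own, not the guide's.

```python
"""Added example (not OFSAA code): assemble the CSP header from web.xml
context-params and flag weak source expressions."""
import xml.etree.ElementTree as ET

DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")

# Constructed web.xml fragment carrying the guide's default values.
DEFAULT_WEB_XML = """<web-app>
  <context-param><param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value></context-param>
  <context-param><param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value></context-param>
  <context-param><param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value></context-param>
  <context-param><param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value></context-param>
</web-app>"""


def read_csp_params(web_xml_text):
    """Map directive name -> list of source expressions found in web.xml.

    A second context-param for the same directive raises, because the
    guide warns that duplicate tags cause configuration issues.
    """
    root = ET.fromstring(web_xml_text)
    found = {}
    for cp in root.findall("context-param"):
        name = cp.findtext("param-name", "").strip()
        if name not in DIRECTIVES:
            continue
        if name in found:
            raise ValueError(f"duplicate context-param for {name}")
        tokens = cp.findtext("param-value", "").split()
        if not tokens or tokens[0] != name:
            raise ValueError(f"param-value for {name} must start with {name}")
        found[name] = tokens[1:]
    return found


def build_header(params):
    """Join the directives into one Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(params[d])}" for d in DIRECTIVES if d in params)


def weak_sources(params):
    """Return (directive, token) pairs that weaken the policy.

    'unsafe-inline' / 'unsafe-eval' in script-src let injected inline
    script or eval() run; '*' or a bare scheme allows loading from anywhere.
    """
    weak = []
    for directive, tokens in params.items():
        for token in tokens:
            if directive == "script-src" and token in ("'unsafe-inline'", "'unsafe-eval'"):
                weak.append((directive, token))
            elif token in ("*", "http:", "https:"):
                weak.append((directive, token))
    return weak


if __name__ == "__main__":
    params = read_csp_params(DEFAULT_WEB_XML)
    print("Content-Security-Policy:", build_header(params))
    for directive, token in weak_sources(params):
        print(f"weak: {directive} allows {token}")
```

Run against the default fragment the script reports both unsafe tokens in script-src; replacing them with the origin of the application's own script host (the <SCRURL> placeholder above) makes the report empty.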
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by accepting requests only when the Referer header matches one of the allowed host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>AllowHosts</param-name>
       <param-value><URL1> <URL2></param-value>
     </init-param>
   </filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
Browsers and proxies can strip the Referer header (for example under a strict Referrer-Policy), so the referrer check complements, rather than replaces, the CSRF protection enabled under System Configuration and Identity Management (section 2.1).
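Both the ALLOW-FROM list of section 3.1 and the AllowHosts list above use the same value format: absolute URLs, each ending in a slash, separated by exactly one space. The following added example (not OFSAA code) parses a value under those rules and applies it to a request's Referer header the way a referrer-validation filter would; the allow list, the application origin and the request headers are constructed, and the decision logic is this example's own reading of the rule, not the servlet's implementation.

```python
"""Added example (not OFSAA code): parse a FilterServlet URL list and
validate a Referer header against it."""
from urllib.parse import urlsplit


def parse_url_list(param_value):
    """Split a single-space-separated list of URLs that each end in '/'.

    Raises ValueError for the cases the guide says produce errors:
    missing, doubled, leading or trailing spaces, and a URL without a
    trailing slash.
    """
    if param_value != param_value.strip() or "  " in param_value:
        raise ValueError("URLs must be separated by exactly one space")
    urls = param_value.split(" ")
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an absolute http(s) URL: {url!r}")
        if not url.endswith("/"):
            raise ValueError(f"URL must end with a forward slash: {url!r}")
    return urls


def url_list_error(param_value):
    """Return the validation error for a URL list, or None if it is valid."""
    try:
        parse_url_list(param_value)
    except ValueError as exc:
        return str(exc)
    return None


def origin_of(url):
    """scheme://host[:port], lower-cased, so path and case do not matter."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def referer_allowed(headers, allow_hosts, own_origin):
    """Decide whether a state-changing request may proceed.

    Same-origin referers are always accepted; otherwise the referer's
    origin must equal the origin of one allowed host. A missing Referer
    is rejected, which is why the check is paired with a CSRF token.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    ref_origin = origin_of(referer)
    if ref_origin == origin_of(own_origin):
        return True
    return any(ref_origin == origin_of(url) for url in allow_hosts)


# Constructed configuration and requests.
ALLOW_HOSTS = parse_url_list("https://portal.example.com/ https://sso.example.com/")
OWN = "https://ofsaa.example.com/"

REQUESTS = {
    "same_origin": {"Referer": "https://ofsaa.example.com/app/login.jsp"},
    "allowed_host": {"Referer": "https://SSO.example.com/start"},
    # allowed host name appears only in the path: must not match
    "attacker": {"Referer": "https://evil.example.net/ofsaa.example.com/"},
    "scheme_downgrade": {"Referer": "http://portal.example.com/"},
    "no_referer": {},
}

if __name__ == "__main__":
    for label, hdrs in REQUESTS.items():
        verdict = "allow" if referer_allowed(hdrs, ALLOW_HOSTS, OWN) else "block"
        print(f"{label:17s} {verdict}")
    for bad in ("https://a.example.com/  https://b.example.com/",
                "https://a.example.com https://b.example.com/"):
        print("rejected:", url_list_error(bad))
```

Comparing origins rather than string prefixes is what defeats the "attacker" case, where the allowed host name is embedded in the path of a hostile URL.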
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, refer to your web application server's administration guide for additional details:
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended, and selected by default, during OFSAA installation. It encrypts client-server communications and authenticates the server to the client. SSLv3 is broken and should stay disabled; accept only TLS 1.2, as described in the server-specific sections below.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guide on the OHC for:
- enabling HTTPS post installation
- configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and set sslProtocol to TLSv1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
   TIP: Multiple cipher suites must be comma-separated.
   For example:
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes to the Context tag of the $CATALINA_HOME/conf/server.xml file:
   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.
4. Configure the Secure and HttpOnly cookie flags using the following procedure:
   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the Context tag.
   b. Add the secure="true" attribute to the Connector tag section of the $CATALINA_HOME/conf/server.xml file.
   c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the default servlet section:
   <init-param>
     <param-name>listings</param-name>
     <param-value>false</param-value>
   </init-param>
6. After the configuration, restart the Tomcat service.
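Steps 1 to 5 touch three files, so it is easy to miss one. The following added example (neither OFSAA's nor Tomcat's code) audits constructed server.xml, context.xml and web.xml fragments for exactly those settings and reports what is missing: the WEAK set is a stock configuration, the HARDENED set applies every step. The attribute and element names are Tomcat's own; the audit rules and the file contents are this example's.

```python
"""Added example (not OFSAA or Tomcat code): audit the Tomcat hardening
steps of section 4.2 against XML fragments."""
import xml.etree.ElementTree as ET

# Constructed "before" configuration.
WEAK = {
    "server.xml": """<Server><Service>
      <Connector port="8443" SSLEnabled="true" scheme="https"
                 sslProtocol="TLS" secure="false"/>
      <Engine><Host><Context path="/ofsaa" docBase="ofsaa"/></Host></Engine>
    </Service></Server>""",
    "context.xml": """<Context/>""",
    "web.xml": """<web-app>
      <servlet><servlet-name>default</servlet-name>
        <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
      </servlet>
      <session-config><session-timeout>30</session-timeout></session-config>
    </web-app>""",
}

# Constructed "after" configuration with steps 1-5 applied.
HARDENED = {
    "server.xml": """<Server><Service>
      <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
                 sslProtocol="TLSv1.2"
                 ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
      <Engine><Host><Context path="/ofsaa" docBase="ofsaa"
                 sessionCookiePath="/ofsaa" sessionCookieDomain="app.mysite.com"/></Host></Engine>
    </Service></Server>""",
    "context.xml": """<Context useHttpOnly="true"/>""",
    "web.xml": """<web-app>
      <servlet><servlet-name>default</servlet-name>
        <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
      </servlet>
      <session-config><session-timeout>30</session-timeout>
        <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
      </session-config>
    </web-app>""",
}


def audit(files):
    """Return a list of findings; empty when every step is in place."""
    findings = []
    server = ET.fromstring(files["server.xml"])
    for conn in server.iter("Connector"):          # steps 1, 2 and 4b
        if conn.get("SSLEnabled") != "true":
            continue
        if conn.get("sslProtocol") != "TLSv1.2":
            findings.append("Connector sslProtocol is not TLSv1.2")
        if not conn.get("ciphers"):
            findings.append("Connector has no explicit cipher list")
        if conn.get("secure") != "true":
            findings.append("Connector secure attribute is not true")
    for ctx in server.iter("Context"):             # step 3
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append(f"Context is missing {attr}")
    if ET.fromstring(files["context.xml"]).get("useHttpOnly") != "true":   # step 4a
        findings.append("context.xml Context lacks useHttpOnly=true")
    web = ET.fromstring(files["web.xml"])
    cookie = web.find("session-config/cookie-config")                    # step 4c
    if cookie is None or cookie.findtext("http-only") != "true" \
            or cookie.findtext("secure") != "true":
        findings.append("web.xml cookie-config is not http-only and secure")
    for servlet in web.iter("servlet"):            # step 5
        if servlet.findtext("servlet-name") != "default":
            continue
        for ip in servlet.iter("init-param"):
            if ip.findtext("param-name") == "listings" and ip.findtext("param-value") != "false":
                findings.append("default servlet directory listings enabled")
    return findings


if __name__ == "__main__":
    for label, files in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(files) or "OK")
```

Point the three dictionary entries at the real files under $CATALINA_HOME/conf to audit a live instance before the restart in step 6.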
4.3 Security Configuration for WebSphere
In the WebSphere Admin Console you must restrict cookies to HTTPS sessions in the Session Management configuration, specify the JSESSIONID variable in the Web Container settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In the Session Management configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the left-hand menu select Server > Server Types > WebSphere application servers.
2 Select the configured Application Server from the list by clicking on the Server Name
3 In the Configuration tab click Session Management link in Container Settings section
4 In the General Properties tab click the Enable Cookies link
5. Enter the following details:
   - Cookie Name: JSESSIONID
   - Cookie domain: <domain>
   - Cookie Path: <context>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   - Restrict cookies to HTTPS sessions
   - Set session cookies to HTTPOnly to help prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the application server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server accepts only TLSv1.2 connections: whether the server acts as a server (inbound) or as a client (outbound), SSL connections are established over TLSv1.2. When testing from a browser, make sure the browser settings initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
433 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to
authenticated users It prevents unauthorized access of configuration files in directories
Following is the procedure to enable Application security
1 Log in to WebSphere with administrator credentials
2 Click Security from the left menu and click Global security to display the Global security
window
3 Select Enable administrative security and Enable application security
4 Click Apply and save configuration
4.3.4 Disable Directory Listing
NOTE: This section applies to release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not marked secure. To ensure this, toggle the "Auth Cookie Enabled" option in the WebLogic console: disable it first and then re-enable it for secure cookies. You then need to create a weblogic.xml file and deploy the EAR file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administration Console and select the Domain from the Domain Structure section on the left.
2. In the Configuration tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options on the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. After saving, select the Auth Cookie Enabled checkbox again and save the change.
6. Configure the session cookie as Secure and HttpOnly:
   a. If your OFSAAI version is below 8.0.2.0.0, create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>
   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.
7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters to setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments in JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:
      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>
      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
   <index-directory-enabled>false</index-directory-enabled>
9. Build the EAR file and deploy it onto the WebLogic server.
10 Restart services
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to the default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the startup.sh command.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat: in the Tomcat Web Application Manager screen, click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat server by executing the shutdown.sh file.
5. Comment out the following two sections in $CATALINA_HOME/conf/server.xml (if present):
   Section I
   <Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>
   Section II
     <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
     <Parameter name="context.param.name" value="context.param.value" override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
   </Context>
6. Delete the $CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank $CATALINA_HOME/webapps/ROOT/index.html file.
8. Comment out the following two tags in the $CATALINA_HOME/conf/web.xml file:
   <welcome-file>index.html</welcome-file>
   <welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the $CATALINA_HOME/conf/tomcat-users.xml file. The following entries illustrate the format only; use long, unique passwords, and remove any user that does not need the manager or admin roles:
   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of web server details in HTTP responses. Modify the httpd.conf file and set:
- the ServerTokens directive to Prod
- the ServerSignature directive to Off
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files of certain types. It applies to all UIs and applications rendered by the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions that may be attached and uploaded into OFSAA applications. Any attached file whose extension is not in this list is blocked. The current release sets the following values for the parameter; the list is extensible:
DOCUMENT_ALLOWED_EXTENSION -> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
The check is by file extension only and does not inspect file content, so keep the list as short as the business need allows; the html, jar and zip entries in particular admit files that can carry active content.
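An extension allow-list is only as good as the way the extension is extracted from the file name. The following added example (not OFSAA code; the Forms Framework's own check is not shown on this page) implements the allow-list with the values quoted above and the edge cases such a check has to get right: double extensions, trailing dots, dot-files, mixed case and path components. Because the guide lists both "doc" and "Doc", the comparison here is case-insensitive, which is an assumption. The file names are constructed.

```python
"""Added example (not OFSAA code): extension allow-list check for uploads."""
import posixpath

# Values quoted from DOCUMENT_ALLOWED_EXTENSION in the guide.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"

# Normalised once: lower-cased, so "doc" and "Doc" collapse to one entry
# (assumption: the platform's comparison is case-insensitive).
ALLOWED = {e.strip().lower() for e in DOCUMENT_ALLOWED_EXTENSION.split(",") if e.strip()}


def upload_allowed(filename, allowed=ALLOWED):
    """True only if the final extension of the base name is allow-listed.

    Directory components (including Windows-style backslashes) are
    discarded first, so the decision is made on the base name alone;
    only the text after the last '.' counts, so 'report.pdf.exe' is
    judged by 'exe'; a trailing dot or a dot-file yields no extension.
    """
    base = posixpath.basename(filename.replace("\\", "/"))
    _, ext = posixpath.splitext(base)
    ext = ext.lstrip(".").lower()
    return bool(ext) and ext in allowed


# Constructed file names with the expected decision.
SAMPLES = {
    "report.pdf": True,
    "REPORT.PDF": True,                 # case does not matter
    "report.pdf.exe": False,            # double extension: last one counts
    "report.pdf.": False,               # trailing dot: no extension
    ".htaccess": False,                 # dot-file: no extension
    "notes": False,                     # no extension at all
    "x.txt;.exe": False,                # separator tricks do not help
    "../../etc/passwd.txt": True,       # path ignored; extension decides
    "C:\\uploads\\..\\archive.zip": True,
    "page.jsp": False,
}

if __name__ == "__main__":
    for name, expected in SAMPLES.items():
        verdict = upload_allowed(name)
        print(f"{name:30s} {'allow' if verdict else 'block'}{'' if verdict == expected else '  (unexpected)'}")
```

The path-traversal sample is accepted on purpose: the extension check answers only "is this type allowed"; where the file is written, and under what name, is decided separately by the upload handler.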
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP server (Apache HTTP Server, Oracle HTTP Server or IBM HTTP Server):
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]
2. If the application is not fronted by an HTTP server, perform the following steps for the WebLogic and WebSphere application servers:
   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>
      The empty <auth-constraint/> grants the listed methods to no role, so the container rejects them for every URL. This also rejects OPTIONS, which browsers send as the CORS preflight request; if you rely on the CORS configuration referenced in section 2.1, verify that cross-origin calls still work after this change.
   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java allows you to use AES-256 keys for encryption. Older JDK releases ship a "limited" policy that caps AES keys at 128 bits; from JDK 8u161 onward the unlimited policy is the default, so this step is needed only on earlier JDKs. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Anal
ytical Applications Infrastructure Administration Guide.
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The
Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data
integrity When a network connection over SSL is initiated the client and server perform a handshake
that includes
Negotiating a cipher suite for encryption data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography
To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet
Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can
use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12
This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin
driver with Oracle wallet having storetype as SSO with OraclePKIProvider
61 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration
Guide
APPENDIX A - FILTER SERVLET
INTRODUCTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. It also lists the keywords and key characters that the filter checks.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This function checks whether the user has the rights to access the web page being requested.
7.3 Vulnerability Checks
This function checks for intrusion attempts, namely Cross-Site Scripting and SQL injection patterns. Currently the check covers the following groups of keywords and key characters, each stored as a set of PARAMNAME rows in the CONFIGURATION table:
JavascriptKeyWords - XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTokens - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOperators - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as return, alert, script, javascript or vbscript) along with any of the JavascriptKeyChars (meta characters such as ", ', (, ), < or >), the request is blocked and an error message is displayed.
See My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.
7.5 SQL Injection
The SQL Injection vulnerability check filters combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as from, into, where or table) with any of the SQLKeyWords (such as alter, insert, select, create, update, delete, drop or truncate), the request is blocked and an error message is displayed.
Because the check is keyword based, ordinary text such as "delete the old table" also trips it; tune the keyword lists for your application, and treat the check as a complement to parameterised queries in the application code, not as a replacement for them.
See My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the CONFIGURATION table present in the configuration schema. The cross-site checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords and Key Characters
You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and an optional DESCRIPTION to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, update the keyword's numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
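The following is an added example, not the product's FilterServlet code and not from this guide: it models the checks described in 7.3 to 7.6.2 so that the configuration table entries can be exercised against sample requests before they are changed. It loads rows shaped like the CONFIGURATION table, honours XSS_IS_CHECK_REQUIRED, groups the XSS_* parameters by prefix in numeral order, and applies the documented trigger (a JavascriptKeyWord together with a JavascriptKeyChar, or an SQLKeyWord together with an SQLWord). The rows and the requests are constructed; the shipped lists are in the MOS document. Whole-word, case-insensitive matching over all decoded parameter values is an assumption, since the guide does not state how the product matches.

```python
"""Model of the Appendix A keyword and key-character checks (added example)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed rows in the shape of the CONFIGURATION table: (PARAMNAME, PARAMVALUE).
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"),
    ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", "<"),
    ("XSS_JS_METACHARS2", ">"),
    ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "'"),
    ("XSS_JS_METACHARS6", '"'),
    ("XSS_SQL_KEYWORDS1", "alter"),
    ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"),
    ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"),
    ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"),
    ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]

# (kind, keyword group, companion group): a hit in both groups blocks the request.
TRIGGERS = [
    ("XSS", "XSS_JS_KEYWORDS", "XSS_JS_METACHARS"),
    ("SQLi", "XSS_SQL_KEYWORDS", "XSS_SQL_WORDS"),
]


def load_groups(rows):
    """Return (enabled, {prefix: [values ordered by trailing numeral]}).

    The check is off unless an XSS_IS_CHECK_REQUIRED row with TRUE is present,
    which is what 7.6.1 describes.
    """
    enabled = False
    groups = {}
    for name, value in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            enabled = value.strip().upper() == "TRUE"
            continue
        match = re.fullmatch(r"([A-Z_]+)(\d+)", name)
        if match:
            groups.setdefault(match.group(1), []).append((int(match.group(2)), value))
    return enabled, {prefix: [v for _, v in sorted(items)] for prefix, items in groups.items()}


def _word_in(keyword, text):
    """Whole-word, case-insensitive match (assumed; the guide does not say)."""
    return re.search(r"\b" + re.escape(keyword) + r"\b", text, re.IGNORECASE) is not None


def _request_text(path_with_query, form=None):
    """All decoded parameter values of the request, joined for inspection."""
    values = [v for _, v in parse_qsl(urlsplit(path_with_query).query, keep_blank_values=True)]
    if form:
        values.extend(form.values())
    return "\n".join(values)


def check_request(path_with_query, form=None, rows=CONFIG_ROWS):
    """Return (blocked, reasons); each reason is (kind, keywords hit, companions hit)."""
    enabled, groups = load_groups(rows)
    if not enabled:
        return False, []
    text = _request_text(path_with_query, form)
    reasons = []
    for kind, keyword_group, companion_group in TRIGGERS:
        keywords = [k for k in groups.get(keyword_group, []) if _word_in(k, text)]
        # Meta characters are matched as substrings, SQL words as whole words.
        companions = [c for c in groups.get(companion_group, [])
                      if (_word_in(c, text) if c.isalnum() else c in text)]
        if keywords and companions:
            reasons.append((kind, keywords, companions))
    return bool(reasons), reasons


if __name__ == "__main__":
    samples = [
        ("/ofsaa/search?q=%3Cscript%3Ealert(1)%3C/script%3E", None),
        ("/ofsaa/report?name=x%27%20union%20select%20*%20from%20users", None),
        ("/ofsaa/notes?text=please+return+the+form+(signed)", None),  # false positive
        ("/ofsaa/save", {"comment": "Quarterly figures attached"}),
    ]
    for path, form in samples:
        print(path, form, "->", check_request(path, form))
```

The third sample shows the cost of the keyword approach: a harmless note containing "return" and parentheses is blocked exactly like the script injection, which is why the exclusion mechanism in 7.6.2 exists.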
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter, section and page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised and recently released documents.
2 Secure Configurations
Refer to the following subsections to configure security parameters in OFSAAI.
2.1 Security Configurations
To have a secure environment for an OFSAA installation, there is a set of configurations that needs to be completed. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.
Oracle Data Redaction - This is an Oracle Database Advanced Security option that protects data by masking (redacting) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.
TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. To configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.
Key Management - The OFSAA configuration schema (CONFIG) is the central repository for the passwords of users and application database schemas. These values are AES-256 encrypted using an encryption key generated uniquely for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate or generate a new encryption key if needed. The Key Management section in the OFSAAI Administration Guide explains how to generate this key and store it in a Java Key Store.
NOTE: Integration with any other key management solution is out of scope for this release.
File Encryption - OFSAA supports file encryption using AES-256. For more information, see the File Encryption section in the OFSAAI Administration Guide.
Database Password Reset - Change the database passwords for the config schema and the atomic schemas periodically. For more information, see the Database Password Reset Change section in the OFSAAI Administration Guide.
Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset Change section in the OFSAAI Administration Guide.
Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.
SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.
SECURE CONFIGURATIONS
SECURITY CONFIGURATIONS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 9
Public Key Authentication - Configure public key authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
Data Security and Data Privacy - Configure these to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.
Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
System Configuration and Identity Management - Configure the following parameters using the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
Set session timeout
Enable CSRF
Set frequency of password change
Configure password restriction details
Configure password history
Configure security questions for password reset
Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and clickjacking. The following subsections describe the methods you can configure on your OFSAAI system to protect it from such attacks:
Configuration for X-Frame-Options
Configuration to set Content Security Policy
Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against clickjacking, where an external site embeds your pages in a frame beneath content of its own in order to steal user data or actions. Perform the following steps to configure X-Frame-Options:
1. Set the following security filter configuration for the response header.
web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM to X-Frame-Options to limit the domains that may frame the application:
<filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>ALLOW-FROM <URL1> <URL2></param-value>
    </init-param>
</filter>
NOTE: If ALLOW-FROM is not configured, SAMEORIGIN is set in the response. <URL1> and <URL2> are the URLs of the domains that are allowed to frame the application.
The ALLOW-FROM directive is honoured only by Internet Explorer (and Firefox releases before 70); other browsers ignore a header carrying it, so for them it does not restrict framing. SAMEORIGIN is supported by all current browsers.
Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If the tags do not exist in the web.xml file, add them to the file:
<context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
    <param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required. Note that 'unsafe-inline' and 'unsafe-eval' in script-src allow any inline script and any eval call to run, which removes most of the XSS protection a CSP provides; remove them only after confirming that the OFSAA pages still work without them, since the shipped default includes them.
<context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
    <param-name>script-src</param-name>
    <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
    <param-name>img-src</param-name>
    <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
    <param-name>style-src</param-name>
    <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the previous example, define the policy by replacing:
default-src - leave it with no additional value; it stays 'self'.
<SCRURL> - with the URL of the script source you want to allow, which prevents scripts from any other source from running.
<IMGURL> - with the image URLs of the trusted sources from which you want to load images, which prevents images from untrusted sources.
<CSSURL> - with the URL of the stylesheet source to allow, which prevents styles from other sources.
3.3 Configuration for Referrer Header Validation
Referrer Header Validation helps protect against CSRF attacks by accepting requests only from validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
<filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
        <param-name>AllowHosts</param-name>
        <param-value><URL1> <URL2></param-value>
    </init-param>
</filter>
A filter-name must be unique in web.xml, so if the FilterServlet filter is already declared (for example with the mode parameter from section 3.1), add the AllowHosts init-param to that existing element instead of declaring a second filter.
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/); the trailing slash also keeps an entry from being a prefix of a lookalike host such as app.mysite.com.evil.example.
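The following is an added example, not FilterServlet's code and not from this guide, and its function names are not OFSAAI identifiers. It models the header rules of sections 3.1 to 3.3 so a policy can be checked before web.xml is edited: URL lists separated by exactly one space and ending in a slash, SAMEORIGIN when ALLOW-FROM is absent, a Referer accepted only when it starts with an AllowHosts entry, and a Content-Security-Policy value assembled from the *-src context-params with a report of the unsafe sources. All sample values are constructed. Treating a missing Referer as not allowed is an assumption; the guide does not say how the product handles that case.

```python
"""Model of the section 3 header rules (added example, not product code)."""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_url_list(value: str) -> list[str]:
    """Parse a '<URL1> <URL2>' param-value as the notes in 3.1 and 3.3 describe."""
    value = value.strip()
    if not value:
        return []
    if "  " in value:
        raise ValueError("URLs must be separated by exactly one space")
    urls = value.split(" ")
    for url in urls:
        parts = urlsplit(url)
        # Two URLs run together ('https://a/https://b/') parse as one URL whose
        # path holds a second scheme; reject that explicitly.
        if parts.scheme not in ("http", "https") or not parts.netloc or url.count("://") != 1:
            raise ValueError(f"not a single absolute http(s) URL: {url!r}")
        if not url.endswith("/"):
            raise ValueError(f"URL must end with a forward slash: {url!r}")
    return urls


def x_frame_options(mode: str | None) -> str:
    """Header value for the 'mode' init-param (3.1): SAMEORIGIN unless ALLOW-FROM is set."""
    if not mode:
        return "SAMEORIGIN"
    directive, _, rest = mode.strip().partition(" ")
    if directive.upper() != "ALLOW-FROM":
        return "SAMEORIGIN"
    urls = parse_url_list(rest)
    # ALLOW-FROM is honoured only by Internet Explorer; other browsers ignore it.
    return "ALLOW-FROM " + " ".join(urls) if urls else "SAMEORIGIN"


def _origin_prefix(url: str) -> str:
    """Lower-case scheme and host (both are case-insensitive); keep the path."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def referer_allowed(referer: str | None, allow_hosts: list[str]) -> bool:
    """Accept a Referer only if it starts with one of the AllowHosts entries (3.3)."""
    if not referer:
        return False  # assumption: no Referer, no access
    target = _origin_prefix(referer)
    # Entries end in '/', so 'https://app.mysite.com/' is not a prefix of
    # 'https://app.mysite.com.evil.example/...'.
    return any(target.startswith(_origin_prefix(entry)) for entry in allow_hosts)


def build_csp(context_params: dict[str, str]) -> str:
    """Join the *-src context-param values from 3.2 into one header value."""
    return "; ".join(v.strip() for k, v in context_params.items() if k.endswith("-src"))


def weak_csp_directives(policy: str) -> list[tuple[str, list[str]]]:
    """Directives carrying 'unsafe-inline' or 'unsafe-eval', which largely cancel
    the XSS protection CSP is meant to give (worst when they appear in script-src)."""
    weak = {"'unsafe-inline'", "'unsafe-eval'"}
    findings = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        bad = [t for t in tokens[1:] if t in weak]
        if bad:
            findings.append((tokens[0], bad))
    return findings


if __name__ == "__main__":
    allow = parse_url_list("https://app.mysite.com/ https://portal.mysite.com/")
    print(x_frame_options("ALLOW-FROM " + " ".join(allow)))
    print(referer_allowed("https://app.mysite.com/ofsaa/login.jsp", allow))
    print(referer_allowed("https://app.mysite.com.evil.example/ofsaa/", allow))
    params = {
        "default-src": "default-src 'self'",
        "script-src": "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
        "img-src": "img-src 'self' data:",
        "style-src": "style-src 'self' 'unsafe-inline'",
    }
    policy = build_csp(params)
    print(policy)
    print(weak_csp_directives(policy))
```

Run against the default context-params from 3.2, weak_csp_directives reports script-src and style-src, which is the trade-off the custom example in that section lets you tighten.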
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, refer to your web application server's administration guide for additional details.
Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted channel for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC for the steps to enable HTTPS post installation and to view the configurations related to SSLv3 and TLS 1.2.
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLSv1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file. On the JSSE connector, sslProtocol only selects the SSLContext; to refuse older protocol versions at the handshake, also set sslEnabledProtocols="TLSv1.2" on the same Connector.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites have to be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the Context tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.
4. Configure the Secure and HttpOnly cookie flags using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the Context tag.
b. Add the secure="true" attribute to the Connector tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the default servlet section:
<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>
6. After the configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin Console you must restrict cookies to HTTPS sessions in the Session Management configuration, specify the JSESSIONID variable in the Web Container settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In the Session Management configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Servers > Server Types > WebSphere application servers.
2. Select the configured application server from the list by clicking the server name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict cookies to HTTPS sessions
Set session cookies to HTTPOnly to help prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the application server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections are established through the TLSv1.2 protocol. When testing from a browser, check the browser settings so that it initiates TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security in the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, that is, directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In WebLogic Server the Auth Cookie option is enabled by default, but that alone does not make the session cookies secure. To ensure this, toggle the Auth Cookie Enabled option in the WebLogic console by disabling it first and then re-enabling it. You then need to create or update a weblogic.xml file and deploy the EAR file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administration Console and select the domain from the LHS > Domain Structure section.
2. In the Configuration tab (selected by default), select the Web Applications tab.
3. Scroll through the configuration options on the page and locate the Auth Cookie Enabled option. By default the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. After saving, select the Auth Cookie Enabled checkbox again and save the change.
6. Configure the session cookie as Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
    <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
    </session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
<session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
</session-descriptor>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters to setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLSv1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
    <name><servername></name>
    <enabled>true</enabled>
    <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see:
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
9. Build the EAR file and deploy it onto the WebLogic server.
10. Restart the services.
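The following is an added example, not part of this guide or of OFSAAI: it audits the session cookie a deployed instance actually returns against the target that sections 4.2 to 4.4 describe for all three application servers (JSESSIONID with Secure, HttpOnly, a Domain equal to the application host rather than a parent domain, and a Path equal to the OFSAAI context). The headers it is run on here are constructed; in practice paste the Set-Cookie line from a login response captured with curl -i.

```python
"""Audit of the OFSAAI session cookie against sections 4.2 to 4.4 (added example)."""
from __future__ import annotations


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | bool]]:
    """Split 'NAME=value; Attr=value; Flag' into (name, value, attributes).

    Attribute names are case-insensitive, so they are lower-cased; value-less
    attributes such as Secure and HttpOnly are stored as True.
    """
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs: dict[str, str | bool] = {}
    for part in rest:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def _norm_path(path: str) -> str:
    """'/ofsaa', 'ofsaa/' and '/ofsaa/' all denote the same context path."""
    return "/" + path.strip("/")


def audit_session_cookie(header: str, app_host: str, context: str,
                         cookie_name: str = "JSESSIONID") -> list[str]:
    """Return the findings; an empty list means the cookie matches the guide."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return [f"expected cookie {cookie_name}, got {name!r}"]
    findings: list[str] = []
    if attrs.get("secure") is not True:
        findings.append("Secure flag missing: the cookie would also be sent over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append("HttpOnly flag missing: the cookie is readable from page script")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        wanted = app_host.lower()
        got = domain.lstrip(".").lower()  # browsers ignore a leading dot
        if got != wanted and wanted.endswith("." + got):
            findings.append(f"Domain={domain} is a parent of {app_host}: every host under it receives the cookie")
        elif got != wanted:
            findings.append(f"Domain={domain} does not match the application host {app_host}")
    else:
        findings.append("Domain attribute missing: the guide expects it set to the application host")
    path = attrs.get("path")
    if not isinstance(path, str) or _norm_path(path) != _norm_path(context):
        findings.append(f"Path={path!r} should be {_norm_path(context)} so other contexts on the host do not receive the cookie")
    return findings


if __name__ == "__main__":
    # Constructed Set-Cookie lines: one as the guide wants it, one as a default deployment often ships.
    samples = [
        "JSESSIONID=1A2B3C; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly",
        "JSESSIONID=1A2B3C; Path=/; Domain=.mysite.com",
    ]
    for sample in samples:
        print(sample)
        for finding in audit_session_cookie(sample, "app.mysite.com", "/ofsaa") or ["ok"]:
            print("  -", finding)
```

The parent-domain check is the point the three NOTE boxes make: a cookie scoped to mysite.com is delivered to every host under that domain, not only to the OFSAAI server.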
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the startup.sh command.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if present):
Section I:
<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="localhost_examples_log." suffix=".txt"
            timestamp="true"/>
    <Ejb name="ejb/EmplRecord" type="Entity"
         home="com.wombat.empl.EmployeeRecordHome"
         remote="com.wombat.empl.EmployeeRecord"/>
Section II:
    <Environment name="maxExemptions" type="java.lang.Integer"
                 value="15"/>
    <Parameter name="context.param.name" value="context.param.value"
               override="false"/>
    <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
              type="javax.sql.DataSource"/>
    <ResourceParams name="jdbc/EmployeeAppDb">
        <parameter><name>user</name><value>sa</value></parameter>
        <parameter><name>password</name><value></value></parameter>
        <parameter><name>driverClassName</name>
            <value>org.hsql.jdbcDriver</value></parameter>
        <parameter><name>driverName</name>
            <value>jdbc:HypersonicSQL:database</value></parameter>
    </ResourceParams>
    <Resource name="mail/Session" auth="Container"
              type="javax.mail.Session"/>
    <ResourceParams name="mail/Session">
        <parameter>
            <name>mail.smtp.host</name>
            <value>localhost</value>
        </parameter>
    </ResourceParams>
    <ResourceLink name="linkToGlobalResource"
                  global="simpleValue"
                  type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples; the passwords shown are placeholders, so use strong, unique values and remove any account or manager role mapping that is not needed:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
the "ServerTokens" parameter to "Prod"
the "ServerSignature" parameter to "Off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files of certain types. It applies to all UIs and applications rendered by the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the configuration schema holds the list of file extensions that are allowed to be attached and uploaded into OFSAA applications. Any file whose extension is not in this list is blocked. The current release sets the following values for the parameter; the list is extensible:
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
Review this list against what your application actually needs: html, jar and zip are allowed by default, and an uploaded HTML file that is later served from the application's own origin can carry script. The check is by extension only and does not inspect the file's content.
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET and POST.
1. Modify the httpd.conf file of the HTTP server (Apache HTTP Server, Oracle HTTP Server or IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
Note that this also rejects HEAD and OPTIONS, which load-balancer health checks and CORS preflight requests use; if you rely on either, add that method to the pattern.
2. If the application is not configured with an HTTP server, perform the following steps for the WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file. The empty auth-constraint denies the listed methods to every user, so the container answers them with 403 rather than the 405 the httpd rule returns. Because this is a denylist, a method not named here is still allowed; on a Servlet 3.0 or later container, the http-method-omission element can name GET and POST instead and turn the constraint into an allowlist.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>PATCH</http-method>
        <http-method>HEAD</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
- Negotiating a cipher suite for encryption, data integrity and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet whose store type is SSO, using OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. It also lists the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following.
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check covers the following groups of keywords and key characters, all of which are held in the CONFIGURATION table:
- JavascriptKeyWords - PARAMNAME XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars - PARAMNAME XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords - PARAMNAME XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords - PARAMNAME XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars) such as ", ', (, ), <, > and so on, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) in the XSS check, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
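To make the "keyword AND key character" rule of sections 7.4 and 7.5 concrete, here is an added model of the check in Python; it is not the Filter Servlet's code. The keyword lists hold only the examples the guide names (the real values live in the CONFIGURATION table under XSS_JS_KEYWORDS*, XSS_JS_METACHARS*, XSS_SQL_KEYWORDS* and XSS_SQL_WORDS*), and the request strings are constructed inputs, including a harmless sentence that the rule blocks, which is the kind of false positive section 7.6.2's exclusion mechanism exists for.

```python
# Added example (not OFSAA code): model of the Filter Servlet checks of
# sections 7.4 (XSS: JS keyword together with a metacharacter) and 7.5
# (SQL injection: SQL keyword together with an SQL word). The lists are
# the subsets the guide names; full values come from the CONFIGURATION table.
import re

# Subsets of the configuration-table groups, taken from the guide's examples.
JS_KEYWORDS = ["return", "alert", "script", "javascript", "vbscript"]
JS_METACHARS = ['"', "'", "(", ")", "<", ">"]
SQL_KEYWORDS = ["alter", "insert", "select", "create", "update", "delete", "drop", "truncate"]
SQL_WORDS = ["from", "into", "where", "table"]


def _found_words(text, words):
    """Whole-word, case-insensitive matches (the guide lists 'Return', 'Alert')."""
    low = text.lower()
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", low)]


def _found_chars(text, chars):
    return [c for c in chars if c in text]


def check_request(text):
    """Return (verdict, reasons); verdict is 'blocked' or 'allowed'.

    Each reason records the rule that fired and the tokens that triggered
    it, so a blocked request can be explained to the user and, per section
    7.6.2, a keyword that only causes false positives can be excluded.
    """
    reasons = []
    js_hits = _found_words(text, JS_KEYWORDS)
    meta_hits = _found_chars(text, JS_METACHARS)
    if js_hits and meta_hits:                 # section 7.4 rule
        reasons.append(("xss", js_hits, meta_hits))
    sql_kw_hits = _found_words(text, SQL_KEYWORDS)
    sql_word_hits = _found_words(text, SQL_WORDS)
    if sql_kw_hits and sql_word_hits:         # section 7.5 rule
        reasons.append(("sql", sql_kw_hits, sql_word_hits))
    return ("blocked" if reasons else "allowed"), reasons


def check_parameters(params):
    """Apply check_request to every request parameter value; the request
    is blocked as soon as one value trips a rule."""
    for name, value in params.items():
        verdict, reasons = check_request(value)
        if verdict == "blocked":
            return "blocked", name, reasons
    return "allowed", None, []
```

Note the two sides of the rule: "Select a branch" passes because a keyword alone is not enough, while "Please return the form (signed)" is blocked because "return" meets the parentheses. A deployment that sees the latter in legitimate input is the case section 7.6.2 addresses by renumbering the keyword out of the evaluated range.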
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the CONFIGURATION table present in the Configuration Schema. The Cross Site Scripting checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME             | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE       | Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
- Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.
- Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.
- Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.
- Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.
- Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.
- System Configuration and Identity Management - Configure the following parameters using the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
  - Set session timeout
  - Enable CSRF
  - Set frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days and Working Hours
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:
- Configuration for X-Frame-Options
- Configuration to set Content Security Policy
- Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against external parties embedding your content in pages that look like yours in order to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following Security filters configuration for the response header.
web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains:
X-Frame-Options
<filter>
<filter-name>FilterServlet</filter-name>
<filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
<init-param>
<param-name>mode</param-name>
<param-value>ALLOW-FROM <URL1> <URL2></param-value>
</init-param>
</filter>
NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.
X-Frame-Options is supported only on the Internet Explorer browser.
Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search and find whether the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:
<context-param>
<param-name>default-src</param-name>
<param-value>default-src 'self'</param-value>
</context-param>
<context-param>
<param-name>script-src</param-name>
<param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
<param-name>img-src</param-name>
<param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
<param-name>style-src</param-name>
<param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:
<context-param>
<param-name>default-src</param-name>
<param-value>default-src 'self'</param-value>
</context-param>
<context-param>
<param-name>script-src</param-name>
<param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
<param-name>img-src</param-name>
<param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
<param-name>style-src</param-name>
<param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the previous example, you have to define the policy by replacing:
- default-src - with no value. This value sets it to 'self'.
- <SCRURL> - with the URL of the script that you want to allow to run, which prevents any other script from running.
- <IMGURL> - with the image URLs of the trusted sources from which you want to load images, preventing images from untrusted sources.
- <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and prevent styles from other sources.
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
<filter>
<filter-name>FilterServlet</filter-name>
<filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
<init-param>
<param-name>AllowHosts</param-name>
<param-value> <URL1> <URL2> </param-value>
</init-param>
</filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
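The following added Python check, which is not OFSAA code, serves sections 3.1 to 3.3 together: it reads the four CSP context-params and the FilterServlet init-params (mode and AllowHosts) from a web.xml, assembles the Content-Security-Policy value those entries produce, points out directives that still carry 'unsafe-inline' or 'unsafe-eval', and applies the single-space and trailing-slash rules from the notes above to the URL lists. SAMPLE_WEB_XML is a constructed file and the example.com hosts are placeholders.

```python
# Added example (not OFSAA code): reads the CSP <context-param> entries of
# section 3.2 and the FilterServlet <init-param> entries of sections 3.1 and
# 3.3 from a web.xml, assembles the resulting Content-Security-Policy value
# and applies the guide's formatting rules to the URL lists. SAMPLE_WEB_XML
# is a constructed file; the example.com hosts are placeholders.
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value></context-param>
  <context-param><param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value></context-param>
  <context-param><param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value></context-param>
  <context-param><param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value></context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param><param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.com/ https://intranet.example.com/</param-value></init-param>
    <init-param><param-name>AllowHosts</param-name>
      <param-value>https://portal.example.com/  https://intranet.example.com</param-value></init-param>
  </filter>
</web-app>
"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")


def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _params(parent, wrapper):
    """Collect {param-name: param-value} from every <wrapper> below parent
    (context-param at web-app level, init-param inside a filter)."""
    out = {}
    for p in parent.iter():
        if _local(p.tag) != wrapper:
            continue
        name = value = ""
        for c in p:
            if _local(c.tag) == "param-name":
                name = (c.text or "").strip()
            elif _local(c.tag) == "param-value":
                value = (c.text or "").strip()
        if name:
            out[name] = value
    return out


def filter_servlet_params(root):
    """init-params of the <filter> whose filter-name is FilterServlet."""
    for f in root.iter():
        if _local(f.tag) == "filter" and "FilterServlet" in [
                (c.text or "").strip() for c in f if _local(c.tag) == "filter-name"]:
            return _params(f, "init-param")
    return {}


def check_url_list(value):
    """The guide's rule for <URL1> <URL2>: exactly one space between entries
    and every entry ending with '/'. Returns the list of violations."""
    problems = []
    if value != value.strip() or "  " in value:
        problems.append("URLs must be separated by exactly one space")
    problems += [f"{u} does not end with a forward slash" for u in value.split() if not u.endswith("/")]
    return problems


def audit_headers(web_xml):
    root = ET.fromstring(web_xml)
    ctx = _params(root, "context-param")
    present = [d for d in CSP_DIRECTIVES if d in ctx]
    report = {
        # The Content-Security-Policy value is the four directives joined by '; '.
        "csp": "; ".join(ctx[d] for d in present),
        # Directives keeping 'unsafe-inline'/'unsafe-eval' still let injected
        # inline script or eval() run, which is exactly what CSP is meant to stop.
        "weak_csp": {d: [t for t in ctx[d].split() if t.startswith("'unsafe-")]
                     for d in present if "'unsafe-" in ctx[d]},
    }
    init = filter_servlet_params(root)
    mode = init.get("mode", "")
    # Without ALLOW-FROM the guide says SAMEORIGIN is sent, so there is nothing to check.
    report["x_frame_options"] = (check_url_list(mode[len("ALLOW-FROM "):])
                                 if mode.startswith("ALLOW-FROM ") else [])
    report["allow_hosts"] = check_url_list(init.get("AllowHosts", ""))
    return report
```

With the sample input the mode value passes both rules while the AllowHosts value fails both (two spaces, and a second entry without its trailing slash), which is the error case the notes warn about. The weak_csp entries reflect the guide's default policy; they are reported so that an administrator who custom-configures the tags can see which directives still permit inline script and eval.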
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:
- To enable HTTPS post installation
- To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites have to be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="/<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure Secure and HttpOnly using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
<init-param>
<param-name>listings</param-name>
<param-value>false</param-value>
</init-param>
6. Post configuration, restart the Tomcat service.
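The following added audit script, which is neither Tomcat's nor OFSAA's code, checks a server.xml, context.xml and conf/web.xml against steps 1 to 5 above and lists what still deviates. The three files are constructed samples that deliberately contain three of the mistakes the steps rule out; app.mysite.com is the host from the note on cookie domains, and the definition of a "strong" cipher suite (ECDHE key exchange with GCM) is this example's assumption, not a list from the guide.

```python
# Added example (not Tomcat or OFSAA code): checks a Tomcat server.xml,
# context.xml and conf/web.xml against steps 1 to 5 of section 4.2 and
# lists what still deviates. The three files are constructed samples;
# app.mysite.com is the host used in the guide's note on cookie domains.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
      sslProtocol="TLSv1.2"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/OFSAAI" sessionCookiePath="/OFSAAI" sessionCookieDomain="mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""
CONTEXT_XML = '<Context useHttpOnly="true"/>'
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>
"""


def strong_cipher(name):
    """Assumption of this example: only forward-secret AEAD suites
    (ECDHE key exchange, GCM mode) count as strong."""
    return name.startswith("TLS_ECDHE_") and "_GCM_" in name


def audit_tomcat(server_xml, context_xml, web_xml, app_host):
    """Return a list of findings; an empty list means all five steps hold."""
    findings = []
    server = ET.fromstring(server_xml)
    for conn in server.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue                      # steps 1, 2 and 4b concern the SSL connector only
        if conn.get("sslProtocol") != "TLSv1.2":
            findings.append("sslProtocol is not TLSv1.2 on the SSL Connector")
        if conn.get("secure", "false").lower() != "true":
            findings.append('secure="true" missing on the SSL Connector')
        ciphers = [c.strip() for c in conn.get("ciphers", "").split(",") if c.strip()]
        if not ciphers:
            findings.append("ciphers attribute not set (container default list applies)")
        findings += [f"weak cipher suite: {c}" for c in ciphers if not strong_cipher(c)]
    for ctx in server.iter("Context"):    # step 3
        if ctx.get("sessionCookiePath") != ctx.get("path"):
            findings.append(f"sessionCookiePath should equal the context path {ctx.get('path')!r}")
        domain = ctx.get("sessionCookieDomain")
        if domain != app_host:            # the note: app.mysite.com, not mysite.com
            findings.append(f"sessionCookieDomain {domain!r} should be the application host {app_host!r}")
    if ET.fromstring(context_xml).get("useHttpOnly", "").lower() != "true":   # step 4a
        findings.append('useHttpOnly="true" missing on Context in context.xml')
    web = ET.fromstring(web_xml)
    cookie = web.find("./session-config/cookie-config")                      # step 4c
    for flag in ("http-only", "secure"):
        node = cookie.find(flag) if cookie is not None else None
        if node is None or (node.text or "").strip() != "true":
            findings.append(f"<{flag}>true</{flag}> missing in cookie-config")
    for servlet in web.iter("servlet"):                                       # step 5
        if servlet.findtext("servlet-name") != "default":
            continue
        for ip in servlet.iter("init-param"):
            if ip.findtext("param-name") == "listings" and ip.findtext("param-value") != "false":
                findings.append("directory listings enabled on the default servlet")
    return findings
```

Run against the samples, the audit reports the non-forward-secret cipher suite, the cookie domain set to the parent domain and the enabled directory listing; correcting those three entries brings it to an empty list. One caveat for the protocol check: on Tomcat's JSSE connector, sslProtocol selects the SSLContext while sslEnabledProtocols is the attribute that restricts the versions actually negotiated, so a deployment that wants to exclude TLS 1.0/1.1 should set that attribute too; the check above follows the attribute the guide names.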
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS Sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
- Cookie Name - JSESSIONID
- Cookie domain - <domain>
- Cookie Path - /<context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
- Restrict Cookies to HTTPS Sessions
- Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and re-save the change.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-domain><domain></cookie-domain>
<cookie-path>/<context></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
<session-descriptor>
<cookie-name>JSESSIONID</cookie-name>
<cookie-domain><domain></cookie-domain>
<cookie-path>/<context></cookie-path>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
<name><servername></name>
<enabled>true</enabled>
<ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):
Section I
<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
<Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
<Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>
Section II
<Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
<Parameter name="context.param.name" value="context.param.value" override="false"/>
<Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/EmployeeAppDb">
<parameter><name>user</name><value>sa</value></parameter>
<parameter><name>password</name><value></value></parameter>
<parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
<parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
</ResourceParams>
<Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
<ResourceParams name="mail/Session">
<parameter>
<name>mail.smtp.host</name>
<value>localhost</value>
</parameter>
</ResourceParams>
<ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
- the "ServerTokens" parameter to "Prod"
- the "ServerSignature" parameter to "off"
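To verify that the two settings above took effect, here is an added Python check, not part of the guide, that inspects raw HTTP responses for the details they suppress: a Server header carrying version or platform tokens (what ServerTokens Prod reduces to the product name), and the "Server at ... Port ..." footer that ServerSignature appends to error pages. Both responses below are constructed samples; app.mysite.com is the placeholder host used elsewhere in the guide.

```python
# Added example (not OFSAA code): inspects raw HTTP responses for the server
# details that the ServerTokens/ServerSignature settings of section 5.2 are
# meant to suppress. Both responses are constructed samples.
import re

LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 02 Dec 2019 10:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.4.41 (Unix) Server at app.mysite.com Port 443</address>\n"
    "</body></html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Mon, 02 Dec 2019 10:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

# 'Apache/2.4.41', 'OpenSSL/1.1.1d': a slash followed by a digit is a version token.
VERSION_TOKEN = re.compile(r"/\d")
# The footer ServerSignature On adds to server-generated error pages.
SIGNATURE = re.compile(r"<address>[^<]*Server at [^<]*</address>", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, {header: value}, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_disclosures(raw):
    """Return the list of disclosures found; empty means the response is clean."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_TOKEN.search(server) or "(" in server:
        findings.append(f"Server header discloses version/platform: {server!r}")
    if SIGNATURE.search(body):
        findings.append("ServerSignature footer present in the error page body")
    return findings
```

A response generated by a backend (Tomcat, WebLogic, WebSphere) rather than by httpd itself is not covered by these two directives, so the check is worth running against both a static page and an application URL that returns an error.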
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
APPENDIX A - FILTER SERVLET
SQL INJECTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29
75 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords
For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update
Delete Drop Truncate) for XSS check then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
76 Filter Servlet Configurations
761 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema
The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE By default PARAMVALUE is set to ldquoTRUErdquo
PARAMNAME PARAMVALUE DESCRIPTION
XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be
enabled or not
762 Exclusion of Keywords Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME
should be higher than any other numbers in the group
For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the
PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to
XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure
that the updated number is higher than any other numbers in the group
763 DebugLogs
When the application detects a vulnerability a message is displayed on the front-end and it is logged
in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path
ltdeployed contextgtlogs It contains details for date time URL and user
You can modify the configuration to create the CSSLoggerlog file in a directory of your choice
Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the
$FIC_WEB_HOMEwebrootconfFICWebcfg file
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication
Your input is an important part of the information used for revision
Did you find any errors
Is the information clearly presented
Do you need more information If so where
Are the examples correct Do you need more examples
What features did you like most about this manual
If you find any errors or have any other suggestions for improvement indicate the title and part
number of the documentation along with the chaptersectionpage number (if available) and contact
the Oracle Support
Before sending us your comments you might like to ensure that you have the latest version of the
document wherein any of your concerns have already been addressed You can access My Oracle
Support site which has all the revisedrecently released documents
3 Secure Header Configuration
Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the methods that you can configure on your OFSAAI system to protect it from such attacks:
Configuration for X-Frame-Options
Configuration to set Content Security Policy
Configuration for Referrer Header Validation
3.1 Configuration for X-Frame-Options
Configuring X-Frame-Options protects against attacks in which an external party embeds your content, or content that mimics it, in its own pages to steal user data. Perform the following steps to configure X-Frame-Options:
1. Set the following Security filters configuration for the response header.
web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is configured by default to set X-Frame-Options in the response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit the permitted domains:
X-Frame-Options
<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>ALLOW-FROM <URL1> <URL2></param-value>
  </init-param>
</filter>
NOTE: If ALLOW-FROM is not configured, the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.
X-Frame-Options is supported only on the Internet Explorer browser.
Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and for release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If they do not exist in the web.xml file, add them to the file:
<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to keep the default configuration, retain the tags as shown in the preceding list. If you want to customize the tags, see the following example and modify it as required:
<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>
In the previous example, define the policy by replacing:
default-src - with no value. This sets it to 'self'.
<SCRURL> - with the URL of the script that you want to allow to run; any other script is prevented from running.
<IMGURL> - with the image URLs of the trusted sources from which you want to load images; images from untrusted sources are prevented.
<CSSURL> - with the URL of the stylesheet whose styles you want to allow; styles from other sources are prevented.
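The following Python script is an added example for this guide, not part of the OFSAA product. It treats the four param-values above as the directive strings they are, joins them into the single header value a browser receives, and reports the source expressions ('unsafe-inline', 'unsafe-eval', bare wildcards and schemes, and data: where scripts can run) that weaken a directive. The default values the guide ships keep 'unsafe-inline' and 'unsafe-eval' for script-src and style-src; the audit only makes that visible so that a customized set can be reviewed. The example.test hosts in the customized set are placeholders for <SCRURL>, <IMGURL> and <CSSURL>.

```python
"""Audit of the Content-Security-Policy directives that section 3.2 stores as
web.xml context-params.  Added example for this guide; it is not part of the
OFSAA product and only models how the four directives combine into a header."""
from typing import Dict, List, Tuple

# Source expressions that weaken a directive wherever they appear.
ALWAYS_WEAK = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"}
# data: URLs can carry executable content, so they are flagged only for the
# directives that govern script execution; data: in img-src is the usual case.
DATA_SCHEME_RISKY_IN = {"default-src", "script-src", "object-src"}

# The default directive values shown in section 3.2 of the guide.
DEFAULT_DIRECTIVES = [
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "img-src 'self' data:",
    "style-src 'self' 'unsafe-inline'",
]

# Constructed customised set; the example.test hosts are placeholders for
# <SCRURL>, <IMGURL> and <CSSURL>.
CUSTOM_DIRECTIVES = [
    "default-src 'self'",
    "script-src https://scripts.example.test/ 'self'",
    "img-src https://images.example.test/ 'self' data:",
    "style-src https://styles.example.test/ 'self'",
]


def parse_directive(value: str) -> Tuple[str, List[str]]:
    """Split "script-src 'self' data:" into ("script-src", ["'self'", "data:"])."""
    parts = value.strip().split()
    if not parts:
        raise ValueError("empty CSP directive")
    return parts[0].lower(), parts[1:]


def build_policy(directives: List[str]) -> str:
    """Join the per-directive param-values into one header value, in the
    "directive; directive" form a Content-Security-Policy header uses."""
    cleaned = []
    for d in directives:
        name, sources = parse_directive(d)
        cleaned.append(" ".join([name] + sources))
    return "; ".join(cleaned)


def audit_policy(directives: List[str]) -> Dict[str, List[str]]:
    """Return {directive: [weak sources]} for every directive that carries a
    source from ALWAYS_WEAK, or data: where DATA_SCHEME_RISKY_IN applies."""
    findings: Dict[str, List[str]] = {}
    for d in directives:
        name, sources = parse_directive(d)
        weak = [s for s in sources
                if s in ALWAYS_WEAK or (s == "data:" and name in DATA_SCHEME_RISKY_IN)]
        if weak:
            findings[name] = weak
    return findings


if __name__ == "__main__":
    for label, dirs in (("default", DEFAULT_DIRECTIVES), ("custom", CUSTOM_DIRECTIVES)):
        print(label, "->", build_policy(dirs))
        print("  weak sources:", audit_policy(dirs) or "none")
```

Run it against the param-values copied from your own web.xml; an empty result from audit_policy means no directive relies on inline or eval'd script, while any reported entry is a directive that still needs the OFSAA UI to be verified against a stricter value before it is tightened.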
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value> <URL1> <URL2> </param-value>
  </init-param>
</filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or with two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
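The following Python script is an added example for this guide that covers the two FilterServlet init-params of sections 3.1 and 3.3. It is not the product's FilterServlet: it reads the mode and AllowHosts values from a constructed web.xml fragment, enforces the rules stated in the notes (exactly one space between URLs, a trailing forward slash on each), derives the X-Frame-Options value that the mode setting implies, and applies a referrer check against the AllowHosts list. The header and referrer semantics are assumptions marked in the comments, and the example.test hosts stand in for <URL1> and <URL2>.

```python
"""Checks for the FilterServlet init-params from sections 3.1 (X-Frame-Options
ALLOW-FROM) and 3.3 (AllowHosts).  Added example for this guide: it is not the
product's FilterServlet, and the header/referrer semantics below are
assumptions stated in the comments."""
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed web.xml fragment laid out like the guide's examples; the
# example.test hosts stand in for <URL1> and <URL2>.
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.test/ https://intranet.example.test/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value> https://portal.example.test/ https://intranet.example.test/ </param-value>
    </init-param>
  </filter>
</web-app>"""


def filter_init_params(web_xml: str, filter_name: str = "FilterServlet") -> Dict[str, str]:
    """Return {param-name: param-value} for the named <filter>."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if (flt.findtext("filter-name") or "").strip() == filter_name:
            return {(p.findtext("param-name") or "").strip(): p.findtext("param-value") or ""
                    for p in flt.findall("init-param")}
    return {}


def url_list_problem(raw: str) -> str:
    """Apply the notes' rules to a URL list: exactly one space between URLs and
    a trailing '/' on each.  Returns "" when the list is well formed."""
    value = raw.strip()           # surrounding whitespace inside <param-value> is tolerated
    if not value:
        return "empty URL list"
    if "  " in value:
        return "URLs must be separated by exactly one space"
    for url in value.split(" "):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return f"not an absolute http(s) URL: {url!r}"
        if "://" in parts.path:
            return f"missing space between URLs: {url!r}"
        if not url.endswith("/"):
            return f"URL must end with a forward slash: {url!r}"
    return ""


def url_list(raw: str) -> List[str]:
    """Validated URL list, or ValueError carrying the first problem found."""
    problem = url_list_problem(raw)
    if problem:
        raise ValueError(problem)
    return raw.strip().split(" ")


def x_frame_options_value(params: Dict[str, str]) -> str:
    """Header value implied by the 'mode' init-param: the configured ALLOW-FROM
    list, or SAMEORIGIN when no ALLOW-FROM is configured (note in 3.1).
    Assumption: the filter emits the configured list verbatim."""
    mode = params.get("mode", "").strip()
    if mode.upper().startswith("ALLOW-FROM"):
        return "ALLOW-FROM " + " ".join(url_list(mode[len("ALLOW-FROM"):]))
    return "SAMEORIGIN"


def referrer_allowed(referer: str, allow_hosts: List[str]) -> bool:
    """Assumed AllowHosts semantics: the Referer's scheme and host must equal
    one configured entry's scheme and host.  Exact host comparison is what
    keeps a look-alike host (portal.example.test.evil.test) or a userinfo
    prefix (portal.example.test@evil.test) from matching; a missing Referer
    is rejected."""
    if not referer:
        return False
    ref = urlsplit(referer)
    return any((ref.scheme, ref.netloc.lower()) == (urlsplit(a).scheme, urlsplit(a).netloc.lower())
               for a in allow_hosts)
```

url_list_problem is the check to run over the param-values of a real web.xml before deployment, since the notes say a malformed list only shows up as runtime errors; referrer_allowed documents the comparison that a host allow-list has to make to be meaningful at all.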
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, refer to the administration guide of your web application server for additional details.
Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended by default during OFSAA installation. This configuration creates an encrypted environment and functions as a secure channel for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.
To enable HTTPS post installation
To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites have to be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure the secure and HttpOnly cookie flags using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>
6. After the configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://<host>:<admin-port>/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections are established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings so that it initiates TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to the configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security in the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, that is, directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not secure. To make them secure, toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it. You then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configuration tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options on the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. After saving, select the Auth Cookie Enabled checkbox and save the change again.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see:
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart the services.
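The following Python script is an added example for this guide, not OFSAA or vendor code, that audits the descriptor settings from sections 4.2 (Tomcat) and 4.4 (WebLogic) offline: the SSL Connector's sslProtocol, secure flag and cipher list, the Context session-cookie attributes, useHttpOnly in context.xml, the cookie-config flags and the default servlet's listings parameter in web.xml, and the session-descriptor and index-directory-enabled elements in weblogic.xml. The descriptors are constructed samples, the Tomcat set deliberately keeps one RC4 suite and directory listings enabled so that there is something to report, and two points are assumptions: the Tomcat attribute spelling TLSv1.2 for the value the guide calls TLS 1.2, and the cipher rule that only forward-secret TLS_ECDHE_/TLS_DHE_ suites free of legacy algorithms pass.

```python
"""Offline audit of the hardening that sections 4.2 and 4.4 describe for
Tomcat (server.xml, context.xml, web.xml) and WebLogic (weblogic.xml).
Added example for this guide; not OFSAA or vendor code.  The sample
descriptors are constructed, and the cipher-strength rule is an assumption:
forward-secret TLS_ECDHE_/TLS_DHE_ suites without legacy algorithms pass."""
import xml.etree.ElementTree as ET
from typing import Iterator, List, Optional

STRONG_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")
LEGACY_MARKERS = ("_RC4_", "_3DES_", "_NULL_", "_MD5", "_anon_", "_EXPORT")

# Constructed descriptors.  The Tomcat set deliberately keeps one RC4 suite and
# directory listings on, so the audit has something to report.
TOMCAT_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" secure="true" scheme="https" sslProtocol="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/ofsaa" docBase="ofsaa" sessionCookiePath="/ofsaa" sessionCookieDomain="app.mysite.com"/>
  </Host></Engine>
</Service></Server>"""
TOMCAT_CONTEXT_XML = '<Context useHttpOnly="true"/>'
TOMCAT_WEB_XML = """<web-app>
  <servlet><servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name><cookie-domain>app.mysite.com</cookie-domain>
    <cookie-path>/ofsaa</cookie-path><cookie-http-only>true</cookie-http-only><cookie-secure>true</cookie-secure>
  </session-descriptor>
  <container-descriptor><index-directory-enabled>false</index-directory-enabled></container-descriptor>
</weblogic-web-app>"""


def _local(tag: str) -> str:
    """Strip an XML namespace, so weblogic.xml elements can be matched by name."""
    return tag.rsplit("}", 1)[-1]


def _elements(root: ET.Element, name: str) -> Iterator[ET.Element]:
    return (el for el in root.iter() if _local(el.tag) == name)


def _text(root: ET.Element, name: str) -> Optional[str]:
    el = next(_elements(root, name), None)
    return None if el is None or el.text is None else el.text.strip()


def audit_ciphers(cipher_list: str) -> List[str]:
    """One finding per suite that is not forward-secret or uses a legacy algorithm."""
    suites = [s.strip() for s in cipher_list.split(",") if s.strip()]
    if not suites:
        return ["no ciphers attribute: the JVM default suite list is used"]
    return [f"weak or non-forward-secret cipher suite: {s}" for s in suites
            if not s.startswith(STRONG_PREFIXES) or any(m in s for m in LEGACY_MARKERS)]


def audit_tomcat(server_xml: str, context_xml: str, web_xml: str, expected_domain: str) -> List[str]:
    """Findings for steps 1-5 of section 4.2; an empty list means compliant."""
    findings: List[str] = []
    server = ET.fromstring(server_xml)
    for conn in _elements(server, "Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        if conn.get("sslProtocol") != "TLSv1.2":
            findings.append(f"Connector {port}: sslProtocol should be TLSv1.2")
        if conn.get("secure", "false").lower() != "true":
            findings.append(f"Connector {port}: secure=\"true\" missing")
        findings += [f"Connector {port}: {f}" for f in audit_ciphers(conn.get("ciphers", ""))]
    for ctx in _elements(server, "Context"):
        if not ctx.get("sessionCookiePath"):
            findings.append(f"Context {ctx.get('path')}: sessionCookiePath not set")
        if ctx.get("sessionCookieDomain") != expected_domain:
            findings.append(f"Context {ctx.get('path')}: sessionCookieDomain should be {expected_domain}")
    if ET.fromstring(context_xml).get("useHttpOnly", "").lower() != "true":
        findings.append("context.xml: useHttpOnly=\"true\" missing on <Context>")
    web = ET.fromstring(web_xml)
    for flag in ("http-only", "secure"):
        if _text(web, flag) != "true":
            findings.append(f"web.xml: <cookie-config><{flag}> is not true")
    for servlet in _elements(web, "servlet"):
        for p in _elements(servlet, "init-param"):
            if _text(p, "param-name") == "listings" and _text(p, "param-value") != "false":
                findings.append(f"web.xml: servlet {_text(servlet, 'servlet-name')} has listings enabled")
    return findings


def audit_weblogic(weblogic_xml: str, expected_domain: str) -> List[str]:
    """Findings for steps 6 and 8 of section 4.4; an empty list means compliant."""
    root = ET.fromstring(weblogic_xml)
    findings: List[str] = []
    for name, want in (("cookie-http-only", "true"), ("cookie-secure", "true"),
                       ("cookie-domain", expected_domain), ("index-directory-enabled", "false")):
        if _text(root, name) != want:
            findings.append(f"weblogic.xml: <{name}> should be {want}")
    return findings
```

Pass expected_domain as the full host the application is reached on (app.mysite.com in the guide's note), which is how the check catches a cookie domain widened to the parent domain.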
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):
Section I
<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>
Section II
  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
      <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
      <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
the "ServerTokens" parameter to "Prod"
the "ServerSignature" parameter to "off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable to all UIs and applications rendered by the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions of the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any attached file whose extension is not listed in this parameter value is blocked. The current release has the following values set for the parameter; this list is extensible:
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
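The following Python function is an added example for this guide, not the Forms Framework code, showing the decision an extension allow-list such as DOCUMENT_ALLOWED_EXTENSION has to make on a client-supplied file name: it drops any directory part, judges a double extension by its final component only, rejects names with no usable extension, and compares exactly by case. The exact-case rule is inferred from the list carrying both doc and Doc and is an assumption to confirm against your release.

```python
"""Extension allow-list check modelled on the DOCUMENT_ALLOWED_EXTENSION
parameter of section 5.3.  Added example for this guide, not the Forms
Framework code; exact-case matching is inferred from the list carrying both
'doc' and 'Doc' and is an assumption."""
import os
from typing import FrozenSet

# The values section 5.3 lists for the current release.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def allowed_extensions(param_value: str = DOCUMENT_ALLOWED_EXTENSION) -> FrozenSet[str]:
    """Parse the comma-separated PARAMVALUE into a set of bare extensions."""
    return frozenset(e.strip().lstrip(".") for e in param_value.split(",") if e.strip())


def is_upload_allowed(filename: str, param_value: str = DOCUMENT_ALLOWED_EXTENSION) -> bool:
    """True only when the final extension of the client-supplied name is listed.
    Any directory part is discarded first, double extensions are judged by
    their last component, and names without an extension are rejected."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path sent by the client
    root, ext = os.path.splitext(base)
    if not root or len(ext) < 2:        # '', '.htaccess' and 'name.' carry no usable extension
        return False
    return ext[1:] in allowed_extensions(param_value)
```

Because html and jar are on the shipped list, whatever later serves an uploaded file back to a browser has to deliver it as a download rather than render it; the extension check alone does not settle that.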
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server, Oracle HTTP Server, or IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
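The two mechanisms in this section take opposite approaches: the rewrite rule allows GET and POST and rejects everything else, while the web.xml security-constraint denies a listed set of methods and lets any unlisted method through to the application. The following Python script is an added example for this guide, not vendor code, that reads the constraint from the web.xml snippet above, models the status each mechanism returns (405 from the rewrite rule, 403 from the container for a denied method), and lists the methods that only the allow-list stops.

```python
"""Comparison of the two method restrictions in section 5.4: the httpd.conf
rewrite rule that allows only GET and POST, and the web.xml security-constraint
that denies a listed set of methods.  Added example for this guide, not
vendor code; the status codes model what each mechanism returns."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# The web.xml snippet from step 2a of section 5.4, as a constructed document.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# RewriteCond %{REQUEST_METHOD} !^(GET|POST)$  ->  anything else gets R=405.
ALLOWED_BY_REWRITE = re.compile(r"^(GET|POST)$")


def denied_methods(web_xml: str) -> List[str]:
    """Methods denied to every caller: those listed in a web-resource-collection
    covering /* inside a security-constraint whose <auth-constraint/> is empty
    (an empty auth-constraint grants access to no role)."""
    root = ET.fromstring(web_xml)
    denied: List[str] = []
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None or ac.find("role-name") is not None:
            continue                       # not an unconditional deny
        for wrc in sc.findall("web-resource-collection"):
            patterns = [(u.text or "").strip() for u in wrc.findall("url-pattern")]
            if "/*" in patterns:
                denied += [(m.text or "").strip() for m in wrc.findall("http-method")]
    return denied


def rewrite_status(method: str) -> int:
    """405 from the rewrite rule for any method other than GET or POST."""
    return 200 if ALLOWED_BY_REWRITE.match(method) else 405


def constraint_status(method: str, denied: List[str]) -> int:
    """403 from the container for a denied method; unlisted methods pass."""
    return 403 if method in denied else 200


def compare(methods: List[str], web_xml: str = WEB_XML) -> Dict[str, Tuple[int, int]]:
    """{method: (rewrite-rule status, web.xml status)} for each probe method."""
    denied = denied_methods(web_xml)
    return {m: (rewrite_status(m), constraint_status(m, denied)) for m in methods}


def uncovered_methods(methods: List[str], web_xml: str = WEB_XML) -> List[str]:
    """Methods the rewrite rule rejects but the web.xml deny-list lets through."""
    return [m for m, (rw, sc) in compare(methods, web_xml).items() if rw == 405 and sc == 200]


if __name__ == "__main__":
    probe = ["GET", "POST", "PUT", "TRACE", "PROPFIND", "PURGE"]
    for m, (rw, sc) in compare(probe).items():
        print(f"{m:9} rewrite={rw} web.xml={sc}")
    print("uncovered by web.xml:", uncovered_methods(probe))
```

Where only the web.xml route is available (step 2), the gap for unlisted methods is what the Servlet 3.1 deny-uncovered-http-methods element exists to close; whether your web application server release honours it is something to confirm in its documentation.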
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
Negotiating a cipher suite for encryption, data integrity, and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
Client and server exchanging key information using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for the following groups of keywords / key characters:
JavascriptKeyWords - paramname in configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - paramname in configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - paramname in configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (meta characters such as " ' ( ) < >), then the request is blocked and an error message is displayed.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE, and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked and an error message is displayed.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE, and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the configuration table present in the Configuration Schema. The Cross Site checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not
762 Exclusion of Keywords Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME
should be higher than any other numbers in the group
For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the
PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to
XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure
that the updated number is higher than any other numbers in the group
763 DebugLogs
When the application detects a vulnerability a message is displayed on the front-end and it is logged
in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path
ltdeployed contextgtlogs It contains details for date time URL and user
You can modify the configuration to create the CSSLoggerlog file in a directory of your choice
Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the
$FIC_WEB_HOMEwebrootconfFICWebcfg file
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication
Your input is an important part of the information used for revision
Did you find any errors
Is the information clearly presented
Do you need more information If so where
Are the examples correct Do you need more examples
What features did you like most about this manual
If you find any errors or have any other suggestions for improvement indicate the title and part
number of the documentation along with the chaptersectionpage number (if available) and contact
the Oracle Support
Before sending us your comments you might like to ensure that you have the latest version of the
document wherein any of your concerns have already been addressed You can access My Oracle
Support site which has all the revisedrecently released documents
SECURE HEADER CONFIGURATION
CONFIGURATION TO SET CONTENT SECURITY POLICY
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 11
3.2 Configuration to set Content Security Policy
Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).
NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.
Perform the following steps to configure CSP:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If the tags do not exist in the web.xml file, add them to the file:
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>
WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.
If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify it as required.
   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src <IMGURL> 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
   </context-param>
In the previous example, you have to define the policy by replacing:
- default-src - with no value; this sets it to 'self'.
- <SCRURL> - with the URL of the script that you want to allow to run, which prevents any other script from running.
- <IMGURL> - with the image URLs of the trusted sources from which you want to load images, which prevents images from untrusted sources.
- <CSSURL> - with the URL of the stylesheet whose styles are allowed, which prevents styles from other sources.
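The following is an added example, not code from the Oracle guide: it reads the four CSP context-params in the layout shown above, assembles the Content-Security-Policy header value they produce, and lints them for the mistakes that silently weaken the policy (an unquoted self, and 'unsafe-inline'/'unsafe-eval' in script-src). The web.xml text and the https://cdn.example.com/ host are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the layout the guide shows: one CSP directive per
# <context-param>. The script-src placeholder is filled with a hypothetical CDN host,
# and img-src deliberately carries an unquoted self so the lint has something to flag.
WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src https://cdn.example.com/ 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src self data:</param-value>
  </context-param>
  <context-param>
    <param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value>
  </context-param>
</web-app>"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")
# CSP keyword sources must be single-quoted; an unquoted "self" is read by the browser
# as a host named self, which silently changes the policy.
KEYWORDS = ("self", "none", "unsafe-inline", "unsafe-eval")


def read_csp_params(web_xml_text):
    """Return {param-name: param-value} for the four CSP context-params."""
    params = {}
    for cp in ET.fromstring(web_xml_text).iter("context-param"):
        name = cp.findtext("param-name", "").strip()
        if name in CSP_DIRECTIVES:
            params[name] = cp.findtext("param-value", "").strip()
    return params


def build_header(params):
    """Join the directive values into the Content-Security-Policy header value."""
    return "; ".join(params[d] for d in CSP_DIRECTIVES if d in params)


def lint_policy(params):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    for directive in CSP_DIRECTIVES:
        if directive not in params:
            findings.append(f"{directive}: not configured, browser falls back to default-src")
            continue
        tokens = params[directive].split()
        if not tokens or tokens[0] != directive:
            findings.append(f"{directive}: param-value must start with the directive name")
            continue
        for tok in tokens[1:]:
            if tok in KEYWORDS:
                findings.append(f"{directive}: keyword {tok} must be quoted as '{tok}'")
            elif directive == "script-src" and tok in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{directive}: {tok} permits inline or eval'd script, which weakens XSS protection")
    return findings


if __name__ == "__main__":
    policy = read_csp_params(WEB_XML)
    print("Content-Security-Policy:", build_header(policy))
    for finding in lint_policy(policy):
        print("finding:", finding)
```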
3.3 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing validated host URLs.
Perform the following steps to configure referrer header validation:
1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:
   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>AllowHosts</param-name>
       <param-value> <URL1> <URL2> </param-value>
     </init-param>
   </filter>
NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
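As an added example (not Oracle's FilterServlet code), the following parses an AllowHosts value under the format rules stated in the note above and checks a Referer header against the resulting allowlist. The guide does not say how FilterServlet compares the header, so the matching rule (scheme and host must be equal) is this example's own assumption, and the host names are constructed.

```python
from urllib.parse import urlsplit


def parse_allow_hosts(value):
    """Split an AllowHosts param-value into its entries, enforcing the guide's format rules.

    Raises ValueError for the cases the note warns about: entries run together without
    a space, entries separated by two or more spaces, and entries not ending in "/".
    """
    text = value.strip()
    if "  " in text:
        raise ValueError("AllowHosts entries must be separated by exactly one space")
    entries = text.split(" ")
    for entry in entries:
        if entry.count("://") != 1:
            raise ValueError(f"AllowHosts entries run together or not absolute: {entry!r}")
        if not entry.endswith("/"):
            raise ValueError(f"AllowHosts entry must end with a forward slash: {entry!r}")
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"AllowHosts entry must be an absolute http(s) URL: {entry!r}")
    return entries


def referer_allowed(referer, allow_hosts):
    """True if the Referer header's scheme and host match one allowed host URL.

    Matching is on (scheme, host[:port]) after lower-casing, so a path under an allowed
    host passes while a look-alike host that merely starts with the allowed name does not.
    A missing Referer is treated as not validated (this example's choice).
    """
    if not referer:
        return False
    ref = urlsplit(referer)
    origin = (ref.scheme.lower(), ref.netloc.lower())
    for entry in allow_hosts:
        allowed = urlsplit(entry)
        if origin == (allowed.scheme.lower(), allowed.netloc.lower()):
            return True
    return False


# Constructed AllowHosts value in the guide's format: " <URL1> <URL2> ".
ALLOW_HOSTS_VALUE = " https://app.example.com/ https://admin.example.com:8443/ "

if __name__ == "__main__":
    hosts = parse_allow_hosts(ALLOW_HOSTS_VALUE)
    for ref in ("https://app.example.com/OFSAAI/login.jsp", "https://app.example.com.evil.test/", ""):
        print(repr(ref), "->", "allowed" if referer_allowed(ref, hosts) else "blocked")
```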
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.
- To enable HTTPS post installation
- To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
   TIP: Multiple cipher suites have to be comma-separated.
   For example:
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure for secure and HttpOnly using the following procedure:
   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
   <init-param>
     <param-name>listings</param-name>
     <param-value>false</param-value>
   </init-param>
6. Post configuration, restart the tomcat service.
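The following is an added example, not Oracle's or Tomcat's code: an audit that reads server.xml, context.xml and web.xml and reports which of the settings from steps 1 to 5 above are missing. The three files are constructed and deliberately leave out some of the hardening, the weak-cipher markers and the accepted sslProtocol spellings are this example's own choices, and the context path /OFSAAI is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml: sslProtocol left at "TLS", one weak suite in the cipher list,
# and sessionCookieDomain missing on the Context.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA"/>
    <Engine name="Catalina">
      <Host name="localhost">
        <Context path="/OFSAAI" sessionCookiePath="/OFSAAI"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed context.xml: step 4a done.
CONTEXT_XML = """<Context useHttpOnly="true"></Context>"""

# Constructed web.xml: cookie-config lacks <secure>, default servlet still lists directories.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>"""

# Substrings that mark a cipher suite as one the OWASP guidance tells you to drop
# (heuristic chosen for this example, not an exhaustive list).
WEAK_MARKERS = ("RC4", "_DES_", "3DES", "NULL", "MD5", "EXPORT", "anon")


def audit_connector(server_xml):
    """Check the SSL Connector: sslProtocol, secure flag and cipher list (steps 1, 2, 4b)."""
    findings = []
    root = ET.fromstring(server_xml)
    ssl_connectors = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl_connectors:
        return ["server.xml: no SSLEnabled Connector found"]
    for c in ssl_connectors:
        port = c.get("port")
        if c.get("sslProtocol") not in ("TLSv1.2", "TLS 1.2"):   # accepted spellings: example's choice
            findings.append(f"Connector {port}: sslProtocol should be TLS 1.2, found {c.get('sslProtocol')!r}")
        if c.get("secure", "").lower() != "true":
            findings.append(f"Connector {port}: secure=\"true\" missing")
        ciphers = [s.strip() for s in c.get("ciphers", "").split(",") if s.strip()]
        if not ciphers:
            findings.append(f"Connector {port}: no explicit ciphers list")
        for suite in ciphers:
            if any(m in suite for m in WEAK_MARKERS):
                findings.append(f"Connector {port}: weak cipher suite {suite}")
    return findings


def audit_context(server_xml, context_xml):
    """Check session cookie path/domain on the Context (step 3) and useHttpOnly (step 4a)."""
    findings = []
    for ctx in ET.fromstring(server_xml).iter("Context"):
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append(f"Context {ctx.get('path')}: {attr} not set")
    if ET.fromstring(context_xml).get("useHttpOnly", "").lower() != "true":
        findings.append("context.xml: useHttpOnly=\"true\" missing on Context")
    return findings


def audit_web_xml(web_xml):
    """Check cookie-config flags (step 4c) and the default servlet's listings parameter (step 5)."""
    findings = []
    root = ET.fromstring(web_xml)
    for flag in ("http-only", "secure"):
        if root.findtext(f"session-config/cookie-config/{flag}", "").strip().lower() != "true":
            findings.append(f"web.xml: cookie-config/{flag} is not true")
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name", "").strip() != "default":
            continue
        listings = None
        for ip in servlet.iter("init-param"):
            if ip.findtext("param-name", "").strip() == "listings":
                listings = ip.findtext("param-value", "").strip().lower()
        if listings != "false":
            findings.append(f"web.xml: default servlet listings={listings!r}, directory listing not disabled")
    return findings


def audit_all(server_xml=SERVER_XML, context_xml=CONTEXT_XML, web_xml=WEB_XML):
    """Run all three audits and return the combined findings."""
    return audit_connector(server_xml) + audit_context(server_xml, context_xml) + audit_web_xml(web_xml)


if __name__ == "__main__":
    for finding in audit_all():
        print("finding:", finding)
```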
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS Sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and in the LHS menu, select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
   Cookie Name - JSESSIONID
   Cookie domain - <domain>
   Cookie Path - <context>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   - Restrict Cookies to HTTPS Sessions
   - Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configuration tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and re-save the change.
6. Configure session Secure and HttpOnly:
   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>
   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:
      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:
      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>
      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
   <index-directory-enabled>false</index-directory-enabled>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the startup.sh command.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):
   Section I
   <Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>
   Section II
     <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
     <Parameter name="context.param.name" value="context.param.value" override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
   </Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags from the CATALINA_HOME/conf/web.xml file:
   <welcome-file>index.htm</welcome-file>
   <welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
   Following are some examples:
   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
- the "ServerTokens" parameter to "Prod"
- the "ServerSignature" parameter to "off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg
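The following is an added example, not the Forms Framework's code: an extension allowlist check driven by the DOCUMENT_ALLOWED_EXTENSION value listed above, written to handle the cases an upload filter has to get right (directory parts in the name, double extensions, trailing dots, names without an extension, letter case). The normalisation and decision rules are this example's own; the guide does not describe how the platform compares extensions.

```python
import os
import re

# Value of DOCUMENT_ALLOWED_EXTENSION as the guide lists it (comma-separated here;
# note the duplicate "Doc", which the normalisation below folds into "doc").
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(value):
    """Normalise the configured list: trimmed, lower-cased, leading dot removed, blanks dropped."""
    return {ext.strip().lstrip(".").lower() for ext in value.split(",") if ext.strip()}


def upload_allowed(filename, allowed=None):
    """Return (True, ext) if the file's final extension is allowed, else (False, reason).

    Rules (this example's own): only the base name is considered, only the last
    extension counts, comparison is case-insensitive, and names with no extension,
    a trailing dot or a non-alphanumeric extension are rejected outright.
    """
    if allowed is None:
        allowed = parse_allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    # Strip any client-supplied directory part, whichever separator it uses.
    base = os.path.basename(filename.replace("\\", "/")).strip()
    if not base or base in (".", ".."):
        return False, "empty file name"
    if base.endswith("."):
        return False, "trailing dot"
    root, ext = os.path.splitext(base)          # "report.pdf.exe" -> ("report.pdf", ".exe")
    ext = ext.lstrip(".").lower()
    if not root or not ext:
        return False, "no extension"            # "README", ".htaccess"
    if not re.fullmatch(r"[a-z0-9]+", ext):
        return False, f"malformed extension {ext!r}"
    if ext not in allowed:
        return False, f"extension {ext!r} not in DOCUMENT_ALLOWED_EXTENSION"
    return True, ext


if __name__ == "__main__":
    for name in ("Report.PDF", "archive.pdf.exe", "../../etc/passwd", "invoice.pdf.", ".htaccess"):
        print(f"{name!r:22} -> {upload_allowed(name)}")
```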
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>
   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
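As an added example (not Oracle's code), the following evaluates the security-constraint from step 2a the way a Servlet container resolves it, to show which verbs it denies: every listed method is blocked, GET and POST stay open, and a verb that is not enumerated (PROPFIND is used as a constructed sample) is not blocked at all. A second, hypothetical constraint using the Servlet 3.0 http-method-omission element is included for comparison; it is not from the guide.

```python
import xml.etree.ElementTree as ET

# The guide's constraint from step 2a (constructed copy, one <http-method> per verb).
GUIDE_CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>"""

# Servlet 3.0 alternative (hypothetical, not from the guide): deny everything except
# the listed verbs, which also catches methods the enumerated list does not name.
OMISSION_CONSTRAINT = """<security-constraint>
  <web-resource-collection>
    <web-resource-name>allow only GET and POST</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>"""


def web_xml(*constraints):
    """Wrap one or more security-constraint fragments in a minimal web-app document."""
    return "<web-app>" + "".join(constraints) + "</web-app>"


def parse_constraints(web_xml_text):
    """Return (patterns, methods, omissions, denies_all) per web-resource-collection.

    denies_all is True only for an empty <auth-constraint/>; an auth-constraint that
    names roles grants those roles access instead of blocking the method outright,
    and a constraint without any auth-constraint does not restrict access at all.
    """
    out = []
    for sc in ET.fromstring(web_xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        denies_all = auth is not None and auth.find("role-name") is None
        for wrc in sc.findall("web-resource-collection"):
            out.append((
                [p.text.strip() for p in wrc.findall("url-pattern")],
                {m.text.strip().upper() for m in wrc.findall("http-method")},
                {m.text.strip().upper() for m in wrc.findall("http-method-omission")},
                denies_all,
            ))
    return out


def _pattern_matches(pattern, path):
    """Minimal url-pattern matching: exact, "/prefix/*" and "*.ext" forms."""
    if pattern == path or pattern == "/*":
        return True
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1]) or path == pattern[:-2]
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def method_denied(constraints, method, path="/"):
    """True if a deny-all collection whose pattern matches the path covers this method."""
    method = method.upper()
    for patterns, methods, omissions, denies_all in constraints:
        if not denies_all or not any(_pattern_matches(p, path) for p in patterns):
            continue
        if omissions:
            if method not in omissions:
                return True
        elif not methods or method in methods:   # no <http-method> listed means every method
            return True
    return False


VERBS = ("GET", "POST", "HEAD", "PUT", "PATCH", "DELETE", "OPTIONS", "TRACE", "CONNECT", "PROPFIND")


def denied_methods(web_xml_text, verbs=VERBS, path="/"):
    """Map each verb to whether the constraints in the document deny it at the path."""
    constraints = parse_constraints(web_xml_text)
    return {v: method_denied(constraints, v, path) for v in verbs}


if __name__ == "__main__":
    for label, doc in (("guide only", web_xml(GUIDE_CONSTRAINT)),
                       ("guide + omission", web_xml(GUIDE_CONSTRAINT, OMISSION_CONSTRAINT))):
        denied = denied_methods(doc)
        print(label, "denies:", sorted(v for v, d in denied.items() if d))
```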
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
- Negotiating a cipher suite for encryption, data integrity, and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server, the configuration requires a wallet, and on the client, the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web-container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently this check is for the following groups of keywords/key characters:
- JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as " ' ( ) < > and others, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The Cross Site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords/Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL, and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
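The following is an added example, not Oracle's FilterServlet: a model of the decision described in 7.4 and 7.5 (a request is blocked when a parameter value pairs a JavascriptKeyWord with a JavascriptKeyChar, or an SQLWord with an SQLKeyWord), gated by XSS_IS_CHECK_REQUIRED as in 7.6.1 and writing the date, time, URL and user line of 7.6.3. The configuration rows are constructed from only the keyword values the guide itself names (the full lists are in the MOS document it cites), and the whole-word matching rule is this example's own; the sample values show that ordinary text such as "please update the table" trips a keyword-pair filter, which is what the exclusion mechanism in 7.6.2 is for.

```python
import re
from datetime import datetime

# Constructed CONFIGURATION rows (PARAMNAME -> PARAMVALUE) holding only the values the
# guide itself quotes; the real table has up to 13 JS keywords and 23 SQL keywords.
CONFIGURATION = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert", "XSS_JS_KEYWORDS3": "script",
    "XSS_JS_KEYWORDS4": "javascript", "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'", "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")", "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert", "XSS_SQL_KEYWORDS3": "select",
    "XSS_SQL_KEYWORDS4": "create", "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into", "XSS_SQL_WORDS3": "where",
    "XSS_SQL_WORDS4": "table",
}


def group(config, prefix):
    """Collect the PARAMVALUEs of PARAMNAMEs prefix1, prefix2, ... in numeric order."""
    rows = [(int(k[len(prefix):]), v) for k, v in config.items()
            if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return [v.lower() for _, v in sorted(rows)]


def _has_word(text, words):
    """Whole-word, case-insensitive match: 'select' matches, 'selection' does not."""
    return any(re.search(r"(?<![a-z0-9_])" + re.escape(w) + r"(?![a-z0-9_])", text, re.I)
               for w in words)


def check_request(params, config=CONFIGURATION):
    """Return (None, None) if the request passes, else (parameter name, reason)."""
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None, None                          # 7.6.1: checks switched off
    js_words, js_chars = group(config, "XSS_JS_KEYWORDS"), group(config, "XSS_JS_METACHARS")
    sql_keys, sql_words = group(config, "XSS_SQL_KEYWORDS"), group(config, "XSS_SQL_WORDS")
    for name, value in params.items():
        if _has_word(value, js_words) and any(c in value for c in js_chars):
            return name, "cross site scripting"    # 7.4: keyword + meta character
        if _has_word(value, sql_words) and _has_word(value, sql_keys):
            return name, "sql injection"           # 7.5: SQLWord + SQLKeyWord
    return None, None


def log_line(url, user, param, reason, now=None):
    """Format a CSSLogger.log style entry carrying date, time, URL and user (7.6.3)."""
    now = now or datetime.now()
    return f"{now:%Y-%m-%d} {now:%H:%M:%S} {url} {user} {reason} in parameter {param}"


if __name__ == "__main__":
    # Constructed request parameters: one clean value and two benign phrases that
    # nevertheless satisfy the keyword-pair rules.
    for params in ({"q": "quarterly report"},
                   {"formula": "return (x)"},
                   {"note": "please update the table"}):
        param, reason = check_request(params)
        if param is None:
            print(params, "-> passed")
        else:
            print(log_line("/OFSAAI/login.jsp", "ofsauser", param, reason))
```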
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
SECURE HEADER CONFIGURATION
CONFIGURATION FOR REFERRER HEADER VALIDATION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 12
ltcontext-paramgt
ltparam-namegtdefault-srcltparam-namegt
ltparam-valuegtdefault-src selfltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtscript-srcltparam-namegt
ltparam-valuegtscript-src ltSCRURLgt self unsafe-inline unsafe-
evalltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtimg-srcltparam-namegt
ltparam-valuegtimg-src ltIMGURLgt self dataltparam-valuegt
ltcontext-paramgt
ltcontext-paramgt
ltparam-namegtstyle-srcltparam-namegt
ltparam-valuegtstyle-src ltCSSURLgt self unsafe-inlineltparam-valuegt
ltcontext-paramgt
In the previous example you have to define the policy by replacing
default-src - with no value This value sets it to self
ltSCRURLgt - with the URL of the script that you want to allow to run which will
prevent any other script from running
ltIMGURLgt - with the image URLs from trusted sources from where you want to load
images and prevent images from untrusted sources
ltCSSURLgt - with the URL of the stylesheet to allow styles from the specified
stylesheet and to prevent from others sources
33 Configuration for Referrer Header Validation
Referrer Header Validation protects against CSRF attacks by allowing validated host URLs
Perform the following steps to configure referrer header validation
1 Navigate to webxml found in $FIC_HOMEficwebwebrootWEB-INF
2 Add the following tag
ltfiltergt
ltfilter-namegtFilterServletltfilter-namegt
ltfilter-classgtcomiflexficfiltersFilterServletltfilter-classgt
ltinit-paramgt
ltparam-namegtAllowHostsltparam-namegt
ltparam-valuegt ltURL1gt ltURL2gt ltparam-valuegt
SECURE HEADER CONFIGURATION
CONFIGURATION FOR REFERRER HEADER VALIDATION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 13
ltinit-paramgt
ltfiltergt
NOTE Separate ltURL1gt and ltURL2gt with a single space Adding the URLs without a space between them or adding two or more spaces between them results in errors Make sure that ltURLgt ends with a forward slash ()
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
ENABLING HTTPS CONFIGURATION FOR OFSAA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 14
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.
- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.
- To enable HTTPS post installation
- To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
   TIP: Multiple cipher suites have to be comma-separated.
   For example:
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure for Secure and HttpOnly using the following procedure:
   a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.
   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
   <init-param>
     <param-name>listings</param-name>
     <param-value>false</param-value>
   </init-param>
6. Post configuration, restart the Tomcat service.
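The following is an added audit script for the six Tomcat steps above; it is not part of OFSAAI or Tomcat. The three XML strings are constructed stand-ins for $CATALINA_HOME/conf/server.xml, context.xml and web.xml, and the check names (ssl_connector_tls12, cookie_config_hardened and so on) are this example's own. Feed audit_tomcat() the real file contents to review a deployment.

```python
"""Audit of the Tomcat hardening from steps 1-5 above (sslProtocol, ciphers,
secure, session cookie scope, useHttpOnly, cookie-config, listings).

Added example, not part of OFSAAI. The three XML strings below are constructed
stand-ins for $CATALINA_HOME/conf/server.xml, context.xml and web.xml.
"""
import xml.etree.ElementTree as ET
from typing import Dict

SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/ofsaa" docBase="ofsaa"
                 sessionCookiePath="/ofsaa" sessionCookieDomain="app.mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

CONTEXT_XML = """<Context useHttpOnly="true">
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>"""

WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the namespace prefix that web.xml elements carry."""
    return tag.rsplit("}", 1)[-1]


def _text(parent: ET.Element, name: str) -> str:
    """Lower-cased text of the first child with local name 'name' ('' if absent)."""
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip().lower()
    return ""


def audit_tomcat(server_xml: str, context_xml: str, web_xml: str) -> Dict[str, bool]:
    """One boolean per hardening item; False marks a finding to fix."""
    server = ET.fromstring(server_xml)
    context = ET.fromstring(context_xml)
    webapp = ET.fromstring(web_xml)

    tls_connectors = [c for c in server.iter("Connector")
                      if c.get("SSLEnabled", "false").lower() == "true"]
    ciphers = [c.get("ciphers", "") for c in tls_connectors]
    contexts = list(server.iter("Context"))

    listings_off = any(
        _text(p, "param-name") == "listings" and _text(p, "param-value") == "false"
        for s in webapp.iter() if _local(s.tag) == "servlet"
        for p in s if _local(p.tag) == "init-param")

    cookie_cfg = [cc for sc in webapp.iter() if _local(sc.tag) == "session-config"
                  for cc in sc if _local(cc.tag) == "cookie-config"]

    return {
        # step 1: an SSL connector exists and is pinned to TLS 1.2
        "ssl_connector_tls12": bool(tls_connectors) and all(
            c.get("sslProtocol") == "TLSv1.2" for c in tls_connectors),
        # step 2: an explicit, comma-separated cipher list with no empty entries
        "ciphers_configured": bool(ciphers) and all(
            v and all(s.strip() for s in v.split(",")) for v in ciphers),
        # step 4b: secure="true" on the connector
        "connector_secure": bool(tls_connectors) and all(
            c.get("secure", "false").lower() == "true" for c in tls_connectors),
        # step 3: session cookie path and domain pinned on the Context
        "cookie_scope_pinned": bool(contexts) and all(
            c.get("sessionCookiePath") and c.get("sessionCookieDomain") for c in contexts),
        # step 4a: useHttpOnly="true" in context.xml
        "context_http_only": context.get("useHttpOnly", "").lower() == "true",
        # step 4c: cookie-config with http-only and secure
        "cookie_config_hardened": bool(cookie_cfg) and all(
            _text(cc, "http-only") == "true" and _text(cc, "secure") == "true"
            for cc in cookie_cfg),
        # step 5: listings=false on the default servlet
        "directory_listing_off": listings_off,
    }


if __name__ == "__main__":
    for item, ok in audit_tomcat(SERVER_XML, CONTEXT_XML, WEB_XML).items():
        print(f"{'PASS' if ok else 'FAIL'}  {item}")
```

The namespace stripping in _local() is what lets the same code read a real web.xml, whose elements sit in the Java EE namespace, alongside server.xml and context.xml, which have none.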
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS Sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and, in the LHS menu, select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
   Cookie Name - JSESSIONID
   Cookie domain - <domain>
   Cookie Path - <context>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   - Restrict Cookies to HTTPS Sessions
   - Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management, SSL configurations, NodeDefaultSSLSettings, and Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.
For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and re-save the change.
6. Configure session Secure and HttpOnly:
   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:
      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>
   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:
      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:
      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>
      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
   <index-directory-enabled>false</index-directory-enabled>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart services.
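Both the Tomcat ciphers attribute (section 4.2, step 2) and the WebLogic <ciphersuite> elements (step 7b above) ask for "only strong cryptographic ciphers", pointing at the OWASP rule. The following is an added example of a name-based policy check for those values; it is not OFSAAI or OWASP tooling. It encodes the rule as forward-secret key exchange plus an AEAD cipher and a set of banned tokens, working purely from IANA suite names, and the classification labels (strong, legacy, weak, unknown) are this example's own.

```python
"""Name-based strength policy for the cipher suites configured in Tomcat's
ciphers="..." attribute (4.2 step 2) and WebLogic's <ciphersuite> elements
(4.4 step 7b). Added example, not OFSAAI tooling; it encodes the OWASP rule
the guide links (forward secrecy, AEAD, nothing NULL/anonymous/export/RC4/DES)
as a check over IANA suite names, so it can sit in a config review script.
"""
import re
from typing import Dict, List

# Tokens that make a suite unacceptable outright.
WEAK_TOKENS = {"NULL", "ANON", "EXPORT", "EXPORT1024", "RC4", "RC2", "DES", "3DES", "MD5", "IDEA"}
# TLS 1.3 suites have no key-exchange part in the name; all of them are AEAD.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
# TLS_<key exchange>_WITH_<cipher>_<mac>
_SUITE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<cipher>[A-Za-z0-9_]+?)_(?P<mac>SHA\d*|MD5|NULL)$")


def classify_suite(name: str) -> str:
    """'strong' (ECDHE/DHE key exchange with an AEAD cipher, or TLS 1.3),
    'weak' (contains a banned token), 'legacy' (valid, but no forward secrecy
    or a CBC cipher), or 'unknown' (not an IANA-style name)."""
    tokens = set(name.upper().split("_"))
    if tokens & WEAK_TOKENS:
        return "weak"
    if name in TLS13_SUITES:
        return "strong"
    m = _SUITE.match(name)
    if not m:
        return "unknown"
    kx, cipher = m.group("kx").upper(), m.group("cipher").upper()
    forward_secret = kx.startswith(("ECDHE_", "DHE_"))
    aead = "GCM" in cipher or "CCM" in cipher or "CHACHA20_POLY1305" in cipher
    return "strong" if forward_secret and aead else "legacy"


def parse_tomcat_ciphers(attr: str) -> List[str]:
    """Split the Tomcat ciphers attribute; the TIP says comma-separated, and an
    empty entry (a stray trailing comma or ',,') is treated as a config error."""
    parts = [p.strip() for p in attr.split(",")]
    if any(not p for p in parts):
        raise ValueError("empty cipher entry in ciphers attribute")
    return parts


def audit_suites(suites: List[str]) -> Dict[str, str]:
    """Map each configured suite (Tomcat list or WebLogic elements) to its class."""
    return {s: classify_suite(s) for s in suites}


def only_strong(suites: List[str]) -> bool:
    """True when every configured suite is 'strong', which is what the guide asks for."""
    return bool(suites) and all(classify_suite(s) == "strong" for s in suites)
```

A "legacy" verdict (for example TLS_RSA_WITH_AES_128_CBC_SHA) is not a defect in itself, but it is outside what the guide recommends for TLS 1.2, so a review script should treat anything other than "strong" as a finding.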
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat. Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):
   Section I:
   <Context path="/examples" docBase="examples" debug="0"
            reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger"
             prefix="localhost_examples_log." suffix=".txt"
             timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity"
          home="com.wombat.empl.EmployeeRecordHome"
          remote="com.wombat.empl.EmployeeRecord"/>
   Section II:
     <Environment name="maxExemptions" type="java.lang.Integer"
                  value="15"/>
     <Parameter name="context.param.name" value="context.param.value"
                override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
               type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name>
         <value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name>
         <value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container"
               type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource"
                   global="simpleValue"
                   type="java.lang.Integer"/>
   </Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags from the CATALINA_HOME/conf/web.xml file:
   <welcome-file>index.html</welcome-file>
   <welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:
   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses. Modify the httpd.conf file and set:
- the "ServerTokens" parameter to "Prod"
- the "ServerSignature" parameter to "off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
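The following is an added example of an extension allow-list check of the kind DOCUMENT_ALLOWED_EXTENSION describes; it is not the Forms Framework code. It assumes the parameter is stored as the comma-separated list quoted above, and it compares extensions case-insensitively as a design choice of this example (the list contains both "doc" and "Doc", which suggests the product matches exactly). The edge cases it settles are the ones that matter for an allow-list: the last extension of a double-extension name, names without an extension, and path components in the submitted name.

```python
"""Extension allow-list check modelled on DOCUMENT_ALLOWED_EXTENSION above.

Added example, not the Forms Framework code. Assumes the parameter is stored as
the comma-separated list printed in the guide; case-insensitive comparison is
this example's own choice.
"""
from typing import FrozenSet, Optional

# Value quoted in the guide for the current release (constructed as a string here).
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(value: str) -> FrozenSet[str]:
    """Lower-cased, dot-less set of extensions; blank entries are ignored."""
    return frozenset(e.strip().lower().lstrip(".") for e in value.split(",") if e.strip())


def upload_extension(filename: str) -> Optional[str]:
    """The extension the decision is based on: the text after the LAST dot of
    the base name. 'report.pdf.exe' is therefore judged on 'exe', and names
    with no dot, a trailing dot, or only a leading dot ('.htaccess') have none.
    Both path separators are stripped first so a path cannot hide the name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    root, dot, ext = base.rpartition(".")
    if not dot or not root or not ext:
        return None
    return ext.lower()


def upload_allowed(filename: str, allowed: FrozenSet[str]) -> bool:
    """True only when the file has an extension and it is on the allow-list."""
    ext = upload_extension(filename)
    return ext is not None and ext in allowed
```

Because an absent extension yields None rather than an empty string, a file with no extension can never match an allow-list entry by accident.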
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>
   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
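The following is an added example, not OFSAAI code, that models the two mechanisms above so their behaviour can be compared without a server: the RewriteCond of step 1 (an allow-list, everything except GET and POST gets 405) and the web.xml security-constraint of step 2a (a list of denied methods, with the empty <auth-constraint/> denying them to everyone). The WSGI middleware, the echo application and the request environ are constructed for the example.

```python
"""Method allow-list equivalent to the RewriteRule (step 1) and the web.xml
security-constraint (step 2a) above, written as WSGI middleware so the
behaviour can be exercised without a server. Added example, not OFSAAI code;
the request environ is constructed."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# The RewriteCond pattern from step 1; httpd negates it with '!'.
_ALLOWED_RE = re.compile(r"^(GET|POST)$")
# The methods the web.xml security-constraint lists (HEAD included, as in the guide).
CONSTRAINED_METHODS = frozenset({"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"})


def httpd_blocks(method: str) -> bool:
    """True when the RewriteCond does not match, i.e. when httpd answers 405.
    Methods are case-sensitive tokens, so 'get' is not GET and is blocked."""
    return _ALLOWED_RE.match(method) is None


def servlet_blocks(method: str) -> bool:
    """The empty <auth-constraint/> denies every listed method to everyone;
    a method that is not listed (GET, POST, or an unusual token) falls through."""
    return method in CONSTRAINED_METHODS


def restrict_methods(app: Callable) -> Callable:
    """WSGI middleware applying the httpd rule: only GET and POST reach the app."""
    def wrapper(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        method = environ.get("REQUEST_METHOD", "")
        if httpd_blocks(method):
            body = b"405 Method Not Allowed"
            start_response("405 Method Not Allowed", [
                ("Allow", "GET, POST"),          # RFC 7231 requires Allow on a 405
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return wrapper


def _echo_app(environ: Dict, start_response: Callable) -> List[bytes]:
    """Stand-in for the deployed application: echoes the method it received."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["REQUEST_METHOD"].encode()]


def run_request(method: str, path: str = "/ofsaa/") -> Tuple[str, bytes]:
    """Drive the wrapped app with a constructed environ; returns (status, body)."""
    captured: Dict[str, object] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_NAME": "app.mysite.com", "SERVER_PORT": "443",
               "wsgi.url_scheme": "https"}
    body = b"".join(restrict_methods(_echo_app)(environ, start_response))
    return str(captured["status"]), body
```

The two functions differ on a method that is in neither list, such as PROPFIND: the httpd rule rejects it because it is not GET or POST, while the servlet constraint only covers the methods it names. That is why step 2 applies only where no HTTP Server sits in front of the application server.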
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
- Negotiating a cipher suite for encryption, data integrity and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check covers the following groups of keywords and key characters:
- JavascriptKeyWords - paramname in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars - paramname in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords - paramname in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords - paramname in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
All of these are present in the Configuration table.
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
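The following is an added model of the rules this appendix describes, written to make the "keyword AND key character" logic of 7.4, the "SQLWord AND SQLKeyWord" logic of 7.5, the XSS_IS_CHECK_REQUIRED gate of 7.6.1, the numbered PARAMNAME groups of 7.3 and the CSSLogger fields of 7.6.3 testable on sample requests. It is not Oracle's FilterServlet source: the CONFIGURATION rows and the requests are constructed, only the example keywords the appendix quotes are used, and whole-word matching is this example's own choice (the appendix does not say how the product matches).

```python
"""Model of the Filter Servlet checks described in 7.4 (XSS: keyword AND key
character), 7.5 (SQL: SQLWord AND SQLKeyWord), the XSS_IS_CHECK_REQUIRED gate
of 7.6.1, the numbered-PARAMNAME groups of 7.3 and the CSSLogger fields of
7.6.3. Added illustration, not Oracle's FilterServlet source. The CONFIGURATION
rows and requests are constructed; whole-word matching is an assumption."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed CONFIGURATION rows: PARAMNAME -> PARAMVALUE
CONFIGURATION: Dict[str, str] = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'", "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")", "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select", "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
}

# Fixed timestamp for the sample log record (constructed).
SAMPLE_TIME = datetime(2019, 12, 2, 9, 30, 5)


def load_group(config: Dict[str, str], prefix: str) -> List[str]:
    """All PARAMVALUEs whose PARAMNAME is <prefix><number>, in numeric order."""
    found = []
    for name, value in config.items():
        if name.startswith(prefix) and name[len(prefix):].isdigit():
            found.append((int(name[len(prefix):]), value.lower()))
    return [v for _, v in sorted(found)]


def _has_word(text: str, word: str) -> bool:
    """Case-insensitive whole-word match ('script' does not fire on 'description')."""
    return re.search(r"(?<![A-Za-z0-9_])" + re.escape(word) + r"(?![A-Za-z0-9_])",
                     text, re.IGNORECASE) is not None


def check_request(params: Dict[str, str], config: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """(reason, parameter name) for the first parameter that trips a rule, or
    None when the request passes or the check is switched off (7.6.1)."""
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None
    js_words = load_group(config, "XSS_JS_KEYWORDS")
    js_chars = load_group(config, "XSS_JS_METACHARS")
    sql_words = load_group(config, "XSS_SQL_WORDS")
    sql_keys = load_group(config, "XSS_SQL_KEYWORDS")
    for name, value in params.items():
        # 7.4: a JS keyword on its own is allowed; keyword plus key character is not.
        if any(_has_word(value, w) for w in js_words) and any(c in value for c in js_chars):
            return ("XSS", name)
        # 7.5: an SQLWord combined with an SQLKeyWord.
        if any(_has_word(value, w) for w in sql_words) and any(_has_word(value, k) for k in sql_keys):
            return ("SQL", name)
    return None


def css_log_line(when: datetime, url: str, user: str, finding: Tuple[str, str]) -> str:
    """One CSSLogger.log-style record carrying the fields 7.6.3 names: date, time, URL, user."""
    reason, param = finding
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {url} {user} {reason} blocked parameter={param}"
```

The two "passes" cases in the test are the important ones for operations: a comment containing the word "return" with no key character, and a sentence containing "from" and "table" with no SQL keyword, both go through, which is what keeps the filter from rejecting ordinary business text.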
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available), and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
SECURE HEADER CONFIGURATION
CONFIGURATION FOR REFERRER HEADER VALIDATION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 13
ltinit-paramgt
ltfiltergt
NOTE Separate ltURL1gt and ltURL2gt with a single space Adding the URLs without a space between them or adding two or more spaces between them results in errors Make sure that ltURLgt ends with a forward slash ()
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
ENABLING HTTPS CONFIGURATION FOR OFSAA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 14
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server Alternatively
you may refer to your web application server specific administration guide for additional details
Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic
41 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default This configuration creates an
encrypted environment and functions as a secure environment for client-server communications
TIP See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC
To enable HTTPS post installation
To view configurations related to SSLv3 and TLS12
42 Security Configuration for Tomcat
Perform the following security configurations for Tomcat
1 Add preferred cipher list to Tomcat and update the value of sslProtocol to TLS 12 in the SSL
Connector tag of $CATALINA_HOMEconfserverxml file
2 Ciphers attribute can be added to Connector tag in serverxml as shown in the following
example
TIP Multiple cipher suites have to be comma-separated
For example
ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384rdquo
For more details on TLS12 supported ciphers and recommendations see the following
links
httpswwwowasporgindexphpSecuring_tomcat
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-
_Only_Support_Strong_Cryptographic_Ciphers
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 15
3 Add the following session attributes under lsquoContextrsquo tag of
$CATALINA_HOMEconfserverxml file
sessionCookiePath= ldquoltcontextgtrdquo
sessionCookieDomain= ldquoltdomaingtrdquo
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
4 Configure for secure and HttpOnly using the following procedure
a In $CATALINA_HOMEconfcontextxml file add lsquouseHttpOnly=truersquo attribute to
lsquoContextrsquo tag
b Add secure=true attribute to lsquoConnectorrsquo tag section of
$CATALINA_HOMEconfserverxml file
c Add below tags to session-config section of $CATALINA_HOMEconfwebxml file
ltcookie-configgt
lthttp-onlygttruelthttp-onlygt
ltsecuregttrueltsecuregt
ltcookie-configgt
5 Disable directory listing in $CATALINA_HOMEconfwebxml file Add the following lines to
the servlet section
ltinit-paramgt
ltparam-namegtlistingsltparam-namegt
ltparam-valuegtfalseltparam-valuegt
ltinit-paramgt
6 Post configuration restart the tomcat service
43 Security Configuration for WebSphere
In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Sessions
Management Configuration specify JSESSIONID variable in the Web Container Settings set TLS
configuration and configure application security The subsections describe the procedures in detail
431 Session Management Secure and HttpOnly Configuration
In Session Management Configuration restrict cookies to HTTPS Sessions
Perform the following procedure for session management configuration
1 Navigate to your WebSphere Admin Console and in the LHS menu select Server gt Server
Types gt WebSphere application servers
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 16
2 Select the configured Application Server from the list by clicking on the Server Name
3 In the Configuration tab click Session Management link in Container Settings section
4 In the General Properties tab click the Enable Cookies link
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 17
5 Enter the following details
Cookie Name - JSESSIONID
Cookie domain - ltdomaingt
Cookie Path - ltcontextgt
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
6 Make sure the following checkboxes are selected
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7 Click Apply and save the changes
8 Restart Application Server through the console
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 18
432 TLS Configuration for WebSphere
Following are the steps to configure TLS protocol in WebSphere
1 Log on to the console (httphostadminportibmconsole)
2 Under the Security menu select SSL certificate and key management SSL configurations
NodeDefaultSSLSettings and Quality of protection (QoP) settings
3 Change the Protocol value to TLSv12
This ensures that WebSphere server will accept only TLSv12 connections That is when the web server
acts as a server (inbound) or as client (outbound) the SSL connections will be established through the
TLSv12 protocol When testing from a browser make sure to check the browser settings to initiate TLS
handshakes only
For more information see Configuring WebSphere Application Server to support TLS 12
For cipher suite configuration see
httpswwwibmcomsupportknowledgecenterenlinuxonibmliaagwascryptl0wscry00_wascip
hersuitehtm
For more details about strong cipher configuration see
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-
_Only_Support_Strong_Cryptographic_Ciphers
433 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to
authenticated users It prevents unauthorized access of configuration files in directories
Following is the procedure to enable Application security
1 Log in to WebSphere with administrator credentials
2 Click Security from the left menu and click Global security to display the Global security
window
3 Select Enable administrative security and Enable application security
4 Click Apply and save configuration
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19
434 Disable Directory Listing
NOTE This section is applicable for release 80600 and later
Directory listing is disabled by default ie directoryBrowsingEnabled is set to false
For additional information see
httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo
caerwlp_config_webContainerhtml
44 Security Configuration for WebLogic
In the WebLogic Server though the ldquoAuth Cookierdquo option is enabled by default the cookies are not
secure In-order to ensure this you need to toggle the ldquoAuth Cookie Enabledrdquo option in WebLogic
console by disabling it first and then re-enabling it for secure cookies You will then need to create a
weblogicxml file and deploy ear file in your Weblogic server
Perform the following configurations
1 Login to WebLogic Server Administrative Console and select the Domain from LHS gt Domain
Structure section
2 In the Configurations tab (selected by default) select the Web Application tab
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20
3 Scroll through the configurations options within the page and locate Auth Cookie Enabled
option By default the checkbox is selected
4 De-select the checkbox adjacent to Auth Cookie Enabled option and click Save
5 On save select the Auth Cookie Enabled checkbox and resave the change
6 Configure session Secure and HttpOnly
a If your OFSAAI version is below 80200 perform the following
Create a file with name weblogicxml under $FIC_HOMEficwebwebrootWEB-
INF and add the below tags
ltweblogic-web-app xmlns=httpwwwbeacomnsweblogic90gt
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
ltweblogic-web-appgt
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 21
b If your OFSAAI version is 80200 or higher modify weblogicxml file and add below tag
under root element
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart services.
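Before building the ear, it is worth confirming that the descriptor actually says what steps 6 and 8 require. The Python script below is an added example, not part of this guide or of WebLogic: it parses a weblogic.xml that uses the namespace shown in step 6a and checks cookie-secure, cookie-http-only, index-directory-enabled and the cookie-domain rule from the NOTE (the domain must be the served host, not a parent domain). The two sample descriptors, the context path /OFSAAI and the host app.mysite.com are constructed for the example.

```python
"""Lint a WebLogic weblogic.xml for the session-cookie and directory-listing
settings required above.  Added example, not OFSAAI or WebLogic code; the
sample descriptors, context path and host name below are constructed."""
import xml.etree.ElementTree as ET

WL_NS = "http://www.bea.com/ns/weblogic/90"  # namespace from step 6a


def _text(root, *path):
    """Stripped text of a namespaced child path, or None when any element is absent."""
    el = root
    for tag in path:
        el = el.find(f"{{{WL_NS}}}{tag}")
        if el is None:
            return None
    return (el.text or "").strip()


def lint_weblogic_xml(xml_text, served_host):
    """Return a list of findings; an empty list means the descriptor passes."""
    root = ET.fromstring(xml_text)
    findings = []

    if _text(root, "session-descriptor", "cookie-secure") != "true":
        findings.append("session cookie is not marked Secure (cookie-secure != true)")
    if _text(root, "session-descriptor", "cookie-http-only") != "true":
        findings.append("session cookie is not marked HttpOnly (cookie-http-only != true)")

    domain = _text(root, "session-descriptor", "cookie-domain")
    if domain and domain.lower() != served_host.lower():
        # A cookie scoped to mysite.com is sent to every host under it; the
        # NOTE requires the exact host the application is served from.
        findings.append(f"cookie-domain {domain!r} is broader than served host {served_host!r}")

    if _text(root, "container-descriptor", "index-directory-enabled") != "false":
        findings.append("directory listing not disabled (index-directory-enabled != false)")
    return findings


# Constructed sample descriptors (context /OFSAAI and app.mysite.com are placeholders).
HARDENED = f"""<weblogic-web-app xmlns="{WL_NS}">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain>app.mysite.com</cookie-domain>
    <cookie-path>/OFSAAI</cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
  <container-descriptor>
    <index-directory-enabled>false</index-directory-enabled>
  </container-descriptor>
</weblogic-web-app>"""

WEAK = f"""<weblogic-web-app xmlns="{WL_NS}">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain>mysite.com</cookie-domain>
    <cookie-path>/OFSAAI</cookie-path>
  </session-descriptor>
</weblogic-web-app>"""

if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, lint_weblogic_xml(doc, "app.mysite.com") or "OK")
```

Run the script against the real file ($FIC_HOME/ficweb/webroot/WEB-INF/weblogic.xml, or $FIC_HOME/ficweb/weblogic.xml for the container-descriptor) before step 9; the weak sample reports all four findings, the hardened one none.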
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat. Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment the following two sections from CATALINA_HOME/conf/server.xml (if available):
Section I:
<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>
Section II:
  <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
  <Parameter name="context.param.name" value="context.param.value" override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses:
Modify the httpd.conf file and set:
the "ServerTokens" parameter to "Prod"
the "ServerSignature" parameter to "off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg
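An extension allow-list is only as good as the normalisation in front of it, so the following Python function shows what such a check has to handle: mixed case (the list above carries both doc and Doc), directory components in the submitted name, a double extension such as report.pdf.exe, names with no extension, and embedded NUL bytes. This is an added example, not OFSAA's Forms Framework code, whose matching rules the guide does not describe; the comma-separated storage format, the normalisation choices and the file names are this example's own assumptions.

```python
"""Allow-list check for uploaded file names, modelled on DOCUMENT_ALLOWED_EXTENSION.
Added example, not OFSAA code; storage format and normalisation are assumptions."""
import os

# PARAMVALUE as listed in the guide; comma-separated storage is an assumption.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def allowed_extensions(param_value):
    """Parse the parameter into a lower-cased set, so 'doc' and 'Doc' collapse to one entry."""
    return {e.strip().lower() for e in param_value.split(",") if e.strip()}


def upload_allowed(filename, allowed):
    """Return (allowed, reason) for one submitted file name.

    Only the last extension counts, so 'report.pdf.exe' is judged on '.exe';
    names without a usable extension ('.htaccess', 'report.') are rejected
    rather than waved through; any directory part is ignored."""
    if "\x00" in filename:
        return False, "NUL byte in file name"
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext[1:].lower()           # '.PDF' -> 'pdf', '' when there is no extension
    if not stem or not ext:
        return False, "no usable extension"
    if ext not in allowed:
        return False, f"extension '.{ext}' not in DOCUMENT_ALLOWED_EXTENSION"
    return True, f"extension '.{ext}' allowed"


if __name__ == "__main__":
    allowed = allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    # Constructed sample names covering the edge cases handled above.
    for name in ("report.PDF", "report.pdf.exe", ".htaccess", "report.",
                 "C:\\Users\\x\\notes.txt", "../../etc/x.xls", "photo\x00.jpg"):
        print(repr(name), upload_allowed(name, allowed))
```

The important property is that the decision is made on the final extension after lower-casing, and that the absence of an extension is a rejection, not a pass: an allow-list that only asks "does the name contain one of these extensions?" would accept report.pdf.exe.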
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
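The two mechanisms in this section have different shapes: the rewrite rule in step 1 is an allow-list (anything other than GET or POST receives 405), while the security-constraint in step 2a is a deny-list of the methods it names, and a method it does not name still reaches the servlet. The Python model below makes that difference visible. It is an added example, not from this guide: the web.xml text is the step 2a snippet wrapped in a <web-app> root, the status codes follow the usual httpd (405) and container (403) behaviour, and the method names tried against both are constructed.

```python
"""Compare the httpd allow-list and the web.xml deny-list from section 5.4.
Added example; WEB_XML is the guide's snippet in a <web-app> root, methods are constructed."""
import re
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml_text):
    """Methods refused for everyone: those listed in a constraint whose
    <auth-constraint/> names no role (an empty auth-constraint denies all)."""
    denied = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = next((c for c in sc if _local(c.tag) == "auth-constraint"), None)
        if auth is None or any(_local(c.tag) == "role-name" for c in auth):
            continue  # no constraint, or access granted to the listed roles
        denied.update(m.text.strip() for m in sc.iter() if _local(m.tag) == "http-method")
    return denied


def rewrite_status(method):
    """Model of: RewriteCond %{REQUEST_METHOD} !^(GET|POST)$ / RewriteRule .* - [R=405,L]"""
    return 200 if re.fullmatch(r"GET|POST", method) else 405


def constraint_status(method, denied):
    """Model of the container: a listed method is refused (403); any other reaches the servlet."""
    return 403 if method in denied else 200


def compare(methods, web_xml_text=WEB_XML):
    """Map each method to (httpd allow-list result, web.xml deny-list result)."""
    denied = denied_methods(web_xml_text)
    return {m: (rewrite_status(m), constraint_status(m, denied)) for m in methods}


if __name__ == "__main__":
    for method, (httpd, container) in compare(["GET", "POST", "TRACE", "PROPFIND"]).items():
        print(f"{method:9s} httpd={httpd} web.xml={container}")
```

PROPFIND, or any other method the snippet does not list, is refused by the rewrite rule but passes the web.xml constraint. Where the deny-list shape is unavoidable, the Servlet 3.0 <http-method-omission> element expresses "every method except the ones listed", which turns the constraint into an allow-list for GET and POST.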
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
Negotiating a cipher suite for encryption, data integrity, and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
Client and server exchanging key information using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check covers the following groups of keywords/key characters, all of which are present in the Configuration table:
JavascriptKeyWords - paramname in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - paramname in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - paramname in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether XSS check is to be enabled or not
7.6.2 Exclusion of Keywords/Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
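The rules in 7.4, 7.5 and 7.6.1 are simple enough to model, which is the quickest way to see both what the filter catches and where a keyword-pair rule produces false positives on ordinary input. The Python below is an added example, not the OFSAAI Filter Servlet's code: the CONFIGURATION rows are constructed from the keyword examples quoted in the text (the complete lists are in MOS Doc ID 2311605.1), groups are loaded by PARAMNAME prefix, matching is case-insensitive whole-word, and the XSS_IS_CHECK_REQUIRED switch is treated as gating both checks; all of those are this example's assumptions.

```python
"""Model of the Filter Servlet keyword checks (sections 7.4 to 7.6.1).
Added example, not OFSAAI code; the configuration rows are constructed
from the examples quoted in the text and the matching rules are assumed."""
import re

# Constructed rows of the CONFIGURATION table: (PARAMNAME, PARAMVALUE).
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]


def load_group(rows, prefix):
    """PARAMVALUEs of every row named <prefix><number>, e.g. XSS_JS_KEYWORDS1..13."""
    pat = re.compile(rf"^{re.escape(prefix)}\d+$")
    return [v for k, v in rows if pat.match(k)]


def _has_word(text, words):
    """Case-insensitive whole-word match (assumed; the real tokenisation is not documented)."""
    return any(re.search(rf"(?<![a-z0-9_]){re.escape(w)}(?![a-z0-9_])", text, re.I)
               for w in words)


def _has_char(text, chars):
    return any(c in text for c in chars)


def check_request(value, rows=CONFIGURATION):
    """Return None when the value passes, or the name of the check that blocks it."""
    switch = dict(rows).get("XSS_IS_CHECK_REQUIRED", "FALSE")
    if switch.upper() != "TRUE":
        return None  # 7.6.1: no checks when the row is absent or FALSE
    js_words = load_group(rows, "XSS_JS_KEYWORDS")
    js_chars = load_group(rows, "XSS_JS_METACHARS")
    sql_keywords = load_group(rows, "XSS_SQL_KEYWORDS")
    sql_words = load_group(rows, "XSS_SQL_WORDS")
    # 7.4: a JavascriptKeyWord together with a JavascriptKeyChar
    if _has_word(value, js_words) and _has_char(value, js_chars):
        return "XSS"
    # 7.5: an SQLKeyWord together with an SQLWord
    if _has_word(value, sql_keywords) and _has_word(value, sql_words):
        return "SQL injection"
    return None


if __name__ == "__main__":
    # Constructed request parameter values.
    for v in ("John O'Brien", "please return the form", "return (late)",
              "<script>alert(1)</script>", "select name from users"):
        print(repr(v), "->", check_request(v) or "pass")
```

The pair rule is what keeps "John O'Brien" (a metacharacter, no keyword) and "please return the form" (a keyword, no metacharacter) out of the log, while "return (late)" is blocked because it happens to contain both; that is the trade-off 7.6.2's exclusion mechanism exists to tune.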
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL, and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
4 Web Application Server Security Configurations
Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details:
Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic
4.1 Enabling HTTPS Configuration for OFSAA
HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.
TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.
To enable HTTPS post installation
To view configurations related to SSLv3 and TLS 1.2
4.2 Security Configuration for Tomcat
Perform the following security configurations for Tomcat:
1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
TIP: Multiple cipher suites have to be comma-separated.
For example:
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure for secure and HttpOnly using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>
6. Post configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS Sessions.
Perform the following procedure for session management configuration:
1. Navigate to your WebSphere Admin Console and, in the LHS menu, select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie Domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
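After the restart, the effect of these console settings (and of the equivalent Tomcat and WebLogic descriptor settings in the neighbouring sections) is visible in the Set-Cookie header the application returns on login. The Python check below is an added example, not part of this guide or of WebSphere: it parses a raw Set-Cookie value and verifies the four properties the procedure configures, Secure, HttpOnly, a Path equal to the application context, and a Domain equal to the served host as the NOTE requires. The header values, the context /OFSAAI and the host app.mysite.com are constructed.

```python
"""Check the session cookie's Set-Cookie header for the attributes configured
above.  Added example, not WebSphere or OFSAAI code; header values, context
path and host name are constructed."""


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()   # flags like Secure map to ''
    return name.strip(), value, attrs


def check_session_cookie(header_value, context_path, served_host, cookie_name="JSESSIONID"):
    """Return a list of findings; an empty list means the cookie matches the guide's settings."""
    name, _value, attrs = parse_set_cookie(header_value)
    if name != cookie_name:
        return [f"not the session cookie (got {name!r})"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie would also be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: the cookie is readable from page scripts")
    path = attrs.get("path")
    if path is None or path.rstrip("/") != context_path.rstrip("/"):
        findings.append(f"Path {path!r} is not the application context {context_path!r}")
    domain = attrs.get("domain")
    # No Domain attribute means a host-only cookie, which already satisfies the
    # NOTE; an explicit Domain must equal the served host, not a parent domain.
    if domain is not None and domain.lstrip(".").lower() != served_host.lower():
        findings.append(f"Domain {domain!r} is broader than the served host {served_host!r}")
    return findings


# Constructed Set-Cookie values as a hardened and an unhardened server might emit them.
GOOD_HEADER = "JSESSIONID=0000A1B2C3D4; Path=/OFSAAI; Domain=app.mysite.com; Secure; HttpOnly"
BAD_HEADER = "JSESSIONID=0000A1B2C3D4; Path=/; Domain=mysite.com"

if __name__ == "__main__":
    for label, hdr in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(label, check_session_cookie(hdr, "/OFSAAI", "app.mysite.com") or "OK")
```

The raw header can be taken from the browser's network tools or from the response captured by any HTTP client; the checker deliberately treats an absent Domain as compliant, because a host-only cookie is the narrowest scope a browser offers.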
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
APPENDIX A - FILTER SERVLET
SQL INJECTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29
75 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords
For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update
Delete Drop Truncate) for XSS check then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
76 Filter Servlet Configurations
761 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema
The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE By default PARAMVALUE is set to ldquoTRUErdquo
PARAMNAME PARAMVALUE DESCRIPTION
XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be
enabled or not
762 Exclusion of Keywords Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME
should be higher than any other numbers in the group
For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the
PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to
XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure
that the updated number is higher than any other numbers in the group
763 DebugLogs
When the application detects a vulnerability a message is displayed on the front-end and it is logged
in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path
ltdeployed contextgtlogs It contains details for date time URL and user
You can modify the configuration to create the CSSLoggerlog file in a directory of your choice
Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the
$FIC_WEB_HOMEwebrootconfFICWebcfg file
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication
Your input is an important part of the information used for revision
Did you find any errors
Is the information clearly presented
Do you need more information If so where
Are the examples correct Do you need more examples
What features did you like most about this manual
If you find any errors or have any other suggestions for improvement indicate the title and part
number of the documentation along with the chaptersectionpage number (if available) and contact
the Oracle Support
Before sending us your comments you might like to ensure that you have the latest version of the
document wherein any of your concerns have already been addressed You can access My Oracle
Support site which has all the revisedrecently released documents
3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
sessionCookiePath="<context>"
sessionCookieDomain="<domain>"
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure the Secure and HttpOnly cookie flags using the following procedure:
a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section (the default servlet definition):
<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>
6. After the configuration, restart the Tomcat service.
4.3 Security Configuration for WebSphere
In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.
4.3.1 Session Management Secure and HttpOnly Configuration
In Session Management Configuration, restrict cookies to HTTPS sessions.
Perform the following procedure for the session management configuration:
1. Navigate to your WebSphere Admin Console and, in the LHS menu, select Server > Server Types > WebSphere application servers.
2. Select the configured Application Server from the list by clicking the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie Domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict cookies to HTTPS sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the WebSphere server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings so that only TLS handshakes are initiated.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security in the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.
For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure that they are, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. After saving, select the Auth Cookie Enabled checkbox and save the change again.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart the services.
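The Tomcat (steps 3 and 4), WebSphere (4.3.1) and WebLogic (step 6) procedures above all aim at the same session-cookie properties, so the result can be verified the same way regardless of container. The following Python script is an added example, not code from the guide or the product: it parses a Set-Cookie response header and reports whether Secure, HttpOnly, the exact-host Domain and the context Path are as the guide requires. The context name /OFSAAI and the host app.mysite.com in the samples are assumptions.

```python
"""Audit a Set-Cookie header against the session-cookie settings the guide configures.

Added example (not part of the OFSAA guide or product). It parses one Set-Cookie
response header the way a browser would and reports which of the required properties
(Secure, HttpOnly, exact host Domain, OFSAAI context Path) are missing or wrong.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

EXPECTED_NAME = "JSESSIONID"


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    domain: Optional[str]
    path: Optional[str]
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split 'NAME=value; Attr=val; Flag' into (name, value, {attr_lower: val or None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None  # flags carry no value
    return name.strip(), value.strip(), attrs


def audit_session_cookie(header: str, expected_host: str, expected_context: str) -> CookieAudit:
    """Check one Set-Cookie header against the guide's required cookie properties."""
    name, _, attrs = parse_set_cookie(header)
    audit = CookieAudit(
        name=name,
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        domain=attrs.get("domain"),
        path=attrs.get("path"),
    )
    if name != EXPECTED_NAME:
        audit.findings.append(f"cookie name is {name!r}, expected {EXPECTED_NAME}")
    if not audit.secure:
        audit.findings.append("Secure flag missing: the browser would also send it over plain HTTP")
    if not audit.http_only:
        audit.findings.append("HttpOnly flag missing: page scripts can read the session id")
    # The guide's NOTE: Domain must be the exact host (app.mysite.com), not the parent
    # domain (mysite.com), which would share the session cookie with every host under it.
    if audit.domain is None:
        audit.findings.append("Domain attribute missing: the guide asks for the exact host")
    elif audit.domain.lstrip(".").lower() != expected_host.lower():
        audit.findings.append(f"Domain is {audit.domain!r}, expected exact host {expected_host!r}")
    if audit.path is None or audit.path.strip("/") != expected_context.strip("/"):
        audit.findings.append(f"Path is {audit.path!r}, expected the OFSAAI context {expected_context!r}")
    return audit


# Constructed sample headers (not captured from a real deployment): one matching the
# guide's settings, a container default before the changes, and a parent-domain mistake.
SAMPLE_HEADERS = {
    "hardened": "JSESSIONID=0000EXAMPLESESSIONID; Path=/OFSAAI; Domain=app.mysite.com; Secure; HttpOnly",
    "container_default": "JSESSIONID=0000EXAMPLESESSIONID; Path=/OFSAAI",
    "parent_domain": "JSESSIONID=0000EXAMPLESESSIONID; Path=/OFSAAI; Domain=.mysite.com; Secure; HttpOnly",
}


def audit_samples(host: str = "app.mysite.com", context: str = "/OFSAAI") -> Dict[str, CookieAudit]:
    """Audit every sample header; host and context are the assumed deployment values."""
    return {label: audit_session_cookie(h, host, context) for label, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for label, result in audit_samples().items():
        print(f"{label}: {'OK' if result.ok else 'NOT OK'}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Point the same function at the header your browser's developer tools show after the container restart to confirm the change took effect.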
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to the default web server pages in the Apache Tomcat server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):
Section I
<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>
Section II
  <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
  <Parameter name="context.param.name" value="context.param.value" override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set the:
"ServerTokens" parameter to "Prod"
"ServerSignature" parameter to "off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/Apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the following values set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
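An allow-list such as DOCUMENT_ALLOWED_EXTENSION is only as good as the way the file name is reduced to its extension. The following Python check is an added example, not the Forms Framework's own code: it assumes the PARAMVALUE is stored as a comma-separated list (constructed here from the values listed above) and matches the final extension exactly as configured, which is what the presence of both "doc" and "Doc" in the shipped list suggests.

```python
"""Allow-list check for attachment file types, modelled on DOCUMENT_ALLOWED_EXTENSION.

Added example, not the OFSAA Forms Framework's own code. The PARAMVALUE format
(comma-separated) and the exact, case-sensitive matching are assumptions drawn from
the list the guide prints.
"""
from typing import FrozenSet

# Constructed PARAMVALUE built from the extensions the guide lists for the current release.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def load_allowed_extensions(paramvalue: str) -> FrozenSet[str]:
    """Turn the configuration value into a set of bare extensions (no leading dot)."""
    return frozenset(e.strip().lstrip(".") for e in paramvalue.split(",") if e.strip())


def final_extension(filename: str) -> str:
    """Return the text after the last '.' of the base name, or '' when there is none.

    Directory components are discarded first (both separator styles), so the decision is
    made on the name the file would be stored under, and a name such as 'report.pdf.exe'
    is judged on 'exe', not on the 'pdf' in the middle.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def is_upload_allowed(filename: str, paramvalue: str = DOCUMENT_ALLOWED_EXTENSION) -> bool:
    """True only when the name is well-formed and its final extension is on the list.

    The check gates by name alone; it says nothing about the file's content.
    """
    if not filename or any(ord(c) < 0x20 for c in filename):
        return False  # control characters (including NUL) never belong in a file name
    ext = final_extension(filename)
    return bool(ext) and ext in load_allowed_extensions(paramvalue)


if __name__ == "__main__":
    for name in ["report.pdf", "notes.Doc", "Report.DOC", "report.pdf.exe",
                 "archive.tar.gz", "README", "../../etc/passwd", "C:\\scans\\page1.jpeg"]:
        print(f"{name!r:28} -> {'allowed' if is_upload_allowed(name) else 'blocked'}")
```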
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST.
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has the rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check covers the following groups of keywords and key characters, all present in the Configuration table:
• JavascriptKeyWords - PARAMNAME in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - PARAMNAME in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - PARAMNAME in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - PARAMNAME in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME             | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE       | Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords/Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
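The checks in 7.3 to 7.6 come down to one rule: a request is blocked only when a keyword from one group and a key character (or word) from its partner group both appear, and nothing is checked when XSS_IS_CHECK_REQUIRED is absent or not TRUE. The following Python model is an added example, not the Filter Servlet's own code: the CONFIGURATION rows are constructed from the examples in this appendix (the full lists live in the cited My Oracle Support document), whole-word case-insensitive matching is this example's choice, and the CSSLogger.log line layout is assumed beyond the date, time, URL and user the guide names.

```python
"""Model of the Filter Servlet keyword checks described in Appendix A (7.3 to 7.6).

Added example, not the OFSAA Filter Servlet's own code. Configuration rows are
constructed from the guide's examples; the SQLTOKENS and SQLOPERATORS groups are not
modelled because the guide does not say how they combine. Whole-word matching and the
log line layout are assumptions.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed rows of the CONFIGURATION table: PARAMNAME -> PARAMVALUE.
CONFIGURATION: Dict[str, str] = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert", "XSS_JS_KEYWORDS3": "script",
    "XSS_JS_KEYWORDS4": "javascript", "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'", "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")", "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert", "XSS_SQL_KEYWORDS3": "select",
    "XSS_SQL_KEYWORDS4": "create", "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into", "XSS_SQL_WORDS3": "where",
    "XSS_SQL_WORDS4": "table",
}

Verdict = Tuple[str, str, str]  # (check name, keyword that matched, key char or word that matched)


def load_group(config: Dict[str, str], prefix: str) -> List[str]:
    """Collect the PARAMVALUEs of rows named <prefix><n>, ordered by n (the 7.3 groups)."""
    pattern = re.compile(re.escape(prefix) + r"(\d+)$")
    numbered = []
    for name, value in config.items():
        match = pattern.match(name)
        if match:
            numbered.append((int(match.group(1)), value))
    return [value for _, value in sorted(numbered)]


def first_word(text: str, words: List[str]) -> Optional[str]:
    """First configured word that appears in text as a whole word, ignoring case."""
    for word in words:
        if re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE):
            return word
    return None


def check_request(params: Dict[str, str], config: Dict[str, str] = CONFIGURATION) -> Optional[Verdict]:
    """Apply the 7.4 and 7.5 combination rules to a request's parameter values.

    Per 7.6.1 nothing is checked when XSS_IS_CHECK_REQUIRED is absent or not TRUE.
    A keyword alone, or a key character alone, does not trip the check: the request is
    blocked only when one of each appears somewhere in the request.
    """
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").strip().upper() != "TRUE":
        return None
    text = "\n".join(params.values())
    js_keyword = first_word(text, load_group(config, "XSS_JS_KEYWORDS"))
    js_char = next((c for c in load_group(config, "XSS_JS_METACHARS") if c in text), None)
    if js_keyword and js_char:
        return ("XSS", js_keyword, js_char)
    sql_keyword = first_word(text, load_group(config, "XSS_SQL_KEYWORDS"))
    sql_word = first_word(text, load_group(config, "XSS_SQL_WORDS"))
    if sql_keyword and sql_word:
        return ("SQL", sql_keyword, sql_word)
    return None


def css_log_line(url: str, user: str, verdict: Verdict, when: Optional[datetime] = None) -> str:
    """One CSSLogger.log record (7.6.3): date, time, URL and user, plus what matched."""
    when = when or datetime.now()
    check, keyword, matched = verdict
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {url} {user} {check} keyword={keyword!r} with={matched!r}"


# Constructed requests: the first and last show that a keyword or a key character on its
# own passes; the middle two trip the XSS and SQL rules respectively.
SAMPLE_REQUESTS = [
    ("/OFSAAI/search", "analyst1", {"q": "quarterly return summary"}),
    ("/OFSAAI/search", "analyst1", {"q": "<script>alert(1)</script>"}),
    ("/OFSAAI/report", "analyst2", {"filter": "select name from customers"}),
    ("/OFSAAI/report", "analyst2", {"filter": "sales by region (Q3)"}),
]


def run_samples() -> List[Optional[Verdict]]:
    """Verdict for each constructed request, in SAMPLE_REQUESTS order."""
    return [check_request(params) for _, _, params in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (url, user, params), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        if verdict is None:
            print(f"allowed  {url} {params}")
        else:
            print("BLOCKED  " + css_log_line(url, user, verdict))
```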
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 16
2 Select the configured Application Server from the list by clicking on the Server Name
3 In the Configuration tab click Session Management link in Container Settings section
4 In the General Properties tab click the Enable Cookies link
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 17
5 Enter the following details
Cookie Name - JSESSIONID
Cookie domain - ltdomaingt
Cookie Path - ltcontextgt
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
6 Make sure the following checkboxes are selected
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7 Click Apply and save the changes
8 Restart Application Server through the console
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 18
432 TLS Configuration for WebSphere
Following are the steps to configure TLS protocol in WebSphere
1 Log on to the console (httphostadminportibmconsole)
2 Under the Security menu select SSL certificate and key management SSL configurations
NodeDefaultSSLSettings and Quality of protection (QoP) settings
3 Change the Protocol value to TLSv12
This ensures that WebSphere server will accept only TLSv12 connections That is when the web server
acts as a server (inbound) or as client (outbound) the SSL connections will be established through the
TLSv12 protocol When testing from a browser make sure to check the browser settings to initiate TLS
handshakes only
For more information see Configuring WebSphere Application Server to support TLS 12
For cipher suite configuration see
httpswwwibmcomsupportknowledgecenterenlinuxonibmliaagwascryptl0wscry00_wascip
hersuitehtm
For more details about strong cipher configuration see
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-
_Only_Support_Strong_Cryptographic_Ciphers
433 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to
authenticated users It prevents unauthorized access of configuration files in directories
Following is the procedure to enable Application security
1 Log in to WebSphere with administrator credentials
2 Click Security from the left menu and click Global security to display the Global security
window
3 Select Enable administrative security and Enable application security
4 Click Apply and save configuration
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19
434 Disable Directory Listing
NOTE This section is applicable for release 80600 and later
Directory listing is disabled by default ie directoryBrowsingEnabled is set to false
For additional information see
httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo
caerwlp_config_webContainerhtml
44 Security Configuration for WebLogic
In the WebLogic Server though the ldquoAuth Cookierdquo option is enabled by default the cookies are not
secure In-order to ensure this you need to toggle the ldquoAuth Cookie Enabledrdquo option in WebLogic
console by disabling it first and then re-enabling it for secure cookies You will then need to create a
weblogicxml file and deploy ear file in your Weblogic server
Perform the following configurations
1 Login to WebLogic Server Administrative Console and select the Domain from LHS gt Domain
Structure section
2 In the Configurations tab (selected by default) select the Web Application tab
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled
option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and re-save the change.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag
under the root element:
<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only
the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in
$FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart the services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat
server:
1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
Go to the Tomcat Web Application Manager screen and click the Remove link
corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment the following two sections from CATALINA_HOME/conf/server.xml (if
available):
Section I:
<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>
Section II:
  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
      <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
      <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
the "ServerTokens" parameter to "Prod"
the "ServerSignature" parameter to "Off"
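The settings in sections 4.4 and 5.2 are only effective if the responses the browser actually receives carry them, so a practitioner verifies the live response rather than the configuration file. The following Python check is an added example, not part of this guide or of OFSAAI: it parses a raw HTTP response, confirms that the JSESSIONID cookie carries Secure and HttpOnly with the expected Domain and Path (the app.mysite.com rule from the note in section 4.4), and flags a Server header that still discloses version details (what ServerTokens Prod suppresses). The two sample responses, the domain app.mysite.com and the context path /OFSAAI are constructed placeholders, not captures from a real deployment.

```python
import re

# Constructed sample responses (not captured from a real OFSAA deployment). The first reflects
# ServerTokens Prod plus the weblogic.xml cookie settings from section 4.4; the second shows the
# defaults those settings replace.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=9F1C2A; Domain=app.mysite.com; Path=/OFSAAI; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Unix) OpenSSL/1.1.1d\r\n"
    "Set-Cookie: JSESSIONID=9F1C2A; Domain=mysite.com; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_headers(raw_response):
    """Return (name, value) pairs from the header block; repeated headers such as Set-Cookie are kept."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_set_cookie(value):
    """Split a Set-Cookie value into the cookie name and a dict of lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    cookie_name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True  # flag attributes (Secure, HttpOnly) carry no value
    return cookie_name, attrs


def audit_response(raw_response, expected_domain, expected_path):
    """Return the deviations from sections 4.4 and 5.2; an empty list means the response is compliant."""
    findings = []
    for name, value in parse_headers(raw_response):
        if name == "server" and re.search(r"[/\d(]", value):
            # ServerTokens Prod reduces the header to the bare product name, e.g. "Apache".
            findings.append(f"Server header exposes version details: {value}")
        elif name == "set-cookie":
            cookie_name, attrs = parse_set_cookie(value)
            if cookie_name != "JSESSIONID":
                continue
            if "secure" not in attrs:
                findings.append("JSESSIONID is missing the Secure attribute")
            if "httponly" not in attrs:
                findings.append("JSESSIONID is missing the HttpOnly attribute")
            if attrs.get("domain") != expected_domain:
                findings.append(f"JSESSIONID Domain is {attrs.get('domain')!r}, expected {expected_domain!r}")
            if attrs.get("path") != expected_path:
                findings.append(f"JSESSIONID Path is {attrs.get('path')!r}, expected {expected_path!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_response(raw, "app.mysite.com", "/OFSAAI") or ["OK"])
```

ServerSignature Off is not visible in the header block; it removes the version footer from server-generated error pages, so that setting is confirmed by requesting a non-existent path and inspecting the body.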
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is
applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration"
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded into OFSAA applications. Any file being attached that does not have an extension listed in
this parameter value will be blocked. The current release has the below values set for the parameter.
This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM
HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of
WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more
information on deploying the EAR/WAR file, refer to the Post Installation Configuration section
in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide.
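Because the descriptors edited in section 4.4 (weblogic.xml) and in step 2a above (web.xml) are packaged into the EAR by ant.sh, a mistake in either file is only discovered after redeployment. The following Python audit is an added example, not code from this guide or from OFSAAI: it parses both descriptors and reports whether cookie-secure and cookie-http-only are true, whether cookie-domain and cookie-path are filled in, whether index-directory-enabled is false, and whether every method listed in step 2a is denied for /* by a constraint with an empty <auth-constraint/>. The empty auth-constraint is what turns the constraint into a block; without it the listed methods are merely described, not denied. The four descriptors below are constructed samples; app.mysite.com and /OFSAAI stand in for the <domain> and <context> values a real deployment substitutes.

```python
import xml.etree.ElementTree as ET

# Methods that section 5.4 lists in the web.xml <security-constraint>.
RESTRICTED_METHODS = {"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed descriptors, not the project's own files. "app.mysite.com" and "/OFSAAI" are
# placeholders standing in for the <domain> and <context> a real deployment substitutes.
WEBLOGIC_XML_OK = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain>app.mysite.com</cookie-domain>
    <cookie-path>/OFSAAI</cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
  <container-descriptor>
    <index-directory-enabled>false</index-directory-enabled>
  </container-descriptor>
</weblogic-web-app>"""

# The same file before hardening: only HttpOnly set, no domain/path, listing not disabled.
WEBLOGIC_XML_WEAK = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-http-only>true</cookie-http-only>
  </session-descriptor>
</weblogic-web-app>"""

WEB_XML_OK = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method><http-method>PATCH</http-method>
      <http-method>HEAD</http-method><http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method><http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# The same constraint without the empty <auth-constraint/>: no role is denied, so nothing is blocked.
WEB_XML_WEAK = WEB_XML_OK.replace("<auth-constraint/>", "")


def _local(tag):
    """Strip the namespace so BEA- and Java EE-namespaced elements are matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _find(node, name):
    return [e for e in node.iter() if _local(e.tag) == name]


def _text(node, name):
    hits = _find(node, name)
    return (hits[0].text or "").strip() if hits else ""


def audit_weblogic_xml(xml_text):
    """Check the weblogic.xml settings from section 4.4 (steps 6 and 8); returns a list of findings."""
    root = ET.fromstring(xml_text)
    findings = []
    descriptors = _find(root, "session-descriptor")
    if not descriptors:
        findings.append("no <session-descriptor>: cookie Secure/HttpOnly are not configured")
    else:
        for flag in ("cookie-secure", "cookie-http-only"):
            if _text(descriptors[0], flag) != "true":
                findings.append(f"<{flag}> is not true")
        for attr in ("cookie-domain", "cookie-path"):
            if not _text(descriptors[0], attr):
                findings.append(f"<{attr}> is missing, so the container default applies")
    if _text(root, "index-directory-enabled") != "false":
        findings.append("<index-directory-enabled> is not false: directory listing may be on")
    return findings


def audit_web_xml(xml_text):
    """Check that each RESTRICTED_METHODS entry is denied for /* by a constraint with an empty <auth-constraint/>."""
    root = ET.fromstring(xml_text)
    blocked = set()
    for constraint in _find(root, "security-constraint"):
        auth = _find(constraint, "auth-constraint")
        denies_all = bool(auth) and not _find(auth[0], "role-name")
        for collection in _find(constraint, "web-resource-collection"):
            patterns = {(e.text or "").strip() for e in _find(collection, "url-pattern")}
            if denies_all and "/*" in patterns:
                blocked |= {(e.text or "").strip().upper() for e in _find(collection, "http-method")}
    missing = sorted(RESTRICTED_METHODS - blocked)
    return [f"methods not blocked for /*: {', '.join(missing)}"] if missing else []
```

Run the two audit functions over the files under $FIC_HOME/ficweb/webroot/WEB-INF before executing ant.sh; an empty list from both means the EAR will carry the settings this guide asks for.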
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For
more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical
Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The
Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data
integrity. When a network connection over SSL is initiated, the client and server perform a handshake
that includes:
Negotiating a cipher suite for encryption, data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
Client and server exchanging key information using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet.
Therefore, on the server, the configuration requires a wallet, and on the client, the JDBC thin driver can
use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin
driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration
Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This
section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check covers
the following groups of keywords and key characters:
JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as
Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars)
such as ", ', (, ), <, or >, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME,
PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for
filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update,
Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME,
PARAMVALUE and DESCRIPTION, to view the list of keywords and key characters scoped for
filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema.
The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME
should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the
PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to
XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure
that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged
in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path
<deployed context>/logs. It contains details for date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice.
Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the
$FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
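The rules in sections 7.4, 7.5, 7.6.1 and 7.6.3 are easier to reason about, and to test for false positives, as executable logic. The following Python model is an added example, not the Filter Servlet's own code, and it simplifies: the CONFIGURATION rows are constructed from the example keywords named in 7.4 and 7.5 rather than the full groups (the complete table is in Doc ID 2311605.1), the SQLTOKENS and SQLOPERATORS groups are not modelled, and the exclusion from 7.6.2 is modelled as dropping a row instead of renumbering it. The request samples, the user name and the URL in the usage section are constructed. The O'Brien sample shows why the exclusion mechanism exists: a legitimate surname with an apostrophe next to the word "returns" matches the Return keyword plus a metacharacter and is blocked until that keyword is excluded.

```python
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed rows in the shape of the CONFIGURATION table (PARAMNAME, PARAMVALUE). Only the example
# keywords and metacharacters named in sections 7.4 and 7.5 are listed; the real table carries the full
# groups XSS_JS_KEYWORDS1..13, XSS_JS_METACHARS1..10 and so on (see Doc ID 2311605.1).
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"), ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"), ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"), ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"), ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"), ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "create"), ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"), ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]


def group(config, prefix):
    """PARAMVALUEs whose PARAMNAME is the prefix followed by a number, e.g. XSS_JS_KEYWORDS1..n."""
    return [value for name, value in config if name.startswith(prefix) and name[len(prefix):].isdigit()]


def exclude(config, paramname):
    """Drop one row: the effect section 7.6.2 obtains by renumbering (the renumbering itself is not modelled)."""
    return [row for row in config if row[0] != paramname]


def classify(query_string, config=CONFIGURATION):
    """Return None when the request passes, 'XSS' or 'SQL' when the corresponding check blocks it."""
    if dict(config).get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None  # section 7.6.1: no entry or FALSE disables the checks entirely
    text = unquote_plus(query_string).lower()  # keywords are matched case-insensitively (assumption)

    def has(words):
        return any(w.lower() in text for w in words)

    if has(group(config, "XSS_JS_KEYWORDS")) and has(group(config, "XSS_JS_METACHARS")):
        return "XSS"  # section 7.4: a JS keyword together with a metacharacter
    if has(group(config, "XSS_SQL_WORDS")) and has(group(config, "XSS_SQL_KEYWORDS")):
        return "SQL"  # section 7.5: an SQL word together with an SQL keyword
    return None


def log_line(url, user, verdict, when=None):
    """Record in the shape section 7.6.3 describes for CSSLogger.log: date, time, URL and user."""
    when = when or datetime.now()
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {verdict} url={url} user={user}"


if __name__ == "__main__":
    # Constructed requests against a hypothetical /OFSAAI context.
    for q in ("name=Alice&dept=finance", "comment=<script>alert(1)</script>",
              "q=select+name+from+users", "name=O'Brien&dept=returns"):
        verdict = classify(q)
        print(log_line("/OFSAAI/page.jsp?" + q, "ofsaauser", verdict) if verdict else "allowed: " + q)
```

Substring matching on the whole query string is what makes the Return keyword collide with "returns"; when a legitimate business value is blocked, the fix this guide offers is the exclusion in 7.6.2, and the CSSLogger.log entries (date, time, URL, user) are where such false positives show up first.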
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication.
Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part
number of the documentation along with the chapter/section/page number (if available) and contact
Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the
document, wherein any of your concerns may have already been addressed. You can access the My Oracle
Support site, which has all the revised/recently released documents.
5. Enter the following details:
Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - <context>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management, SSL configurations,
NodeDefaultSSLSettings and Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server
acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the
TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS
handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
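Both this section and section 4.4 step 7 leave the choice of cipher suites to the administrator and point to the OWASP rule on strong ciphers. The following Python helper is an added example, not part of this guide or of either application server: it grades IANA cipher-suite names by two properties a reviewer checks first, forward-secret key exchange (ECDHE/DHE) and an AEAD cipher (GCM, CCM or ChaCha20), rejects suites built on NULL, EXPORT, RC4, DES/3DES, MD5 or anonymous key exchange, and, for WebLogic, checks the two JAVA_OPTIONS flags from step 7a. The three-tier grading is this example's own policy, not a rule from the guide; the candidate suite list and the JAVA_OPTIONS strings are constructed inputs.

```python
import re

# Constructed inputs, not copied from a real domain. JAVA_OPTIONS_OK carries the two flags from
# section 4.4 step 7a; the WEAK variant pins an older protocol and leaves the null cipher enabled.
JAVA_OPTIONS_OK = ("-Dweblogic.security.disableNullCipher=true "
                   "-Dweblogic.security.SSL.protocolVersion=TLS1.2")
JAVA_OPTIONS_WEAK = "-Dweblogic.security.SSL.protocolVersion=TLS1"

# A candidate list of the kind an administrator pastes into <ciphersuite> or picks in the QoP panel.
CANDIDATE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]

# Substrings that mark a broken or unauthenticated primitive; any suite carrying one is rejected.
LEGACY_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ANON")


def classify_suite(name):
    """Grade an IANA TLS 1.2 cipher-suite name (this example's own three-tier policy).

    strong     = forward-secret key exchange (ECDHE/DHE) and an AEAD cipher (GCM/CCM/ChaCha20)
    acceptable = only one of the two
    legacy     = neither, an SSL_-era name, or a LEGACY_MARKERS primitive
    """
    upper = name.upper()
    if upper.startswith("SSL_") or any(marker in upper for marker in LEGACY_MARKERS):
        return "legacy"
    forward_secrecy = "_ECDHE_" in upper or "_DHE_" in upper
    aead = "_GCM_" in upper or "CHACHA20" in upper or "_CCM" in upper
    if forward_secrecy and aead:
        return "strong"
    return "acceptable" if (forward_secrecy or aead) else "legacy"


def audit_cipher_suites(suites, allow_acceptable=False):
    """Return the suites to remove from the list; by default only 'strong' suites survive."""
    rejected = ("legacy",) if allow_acceptable else ("legacy", "acceptable")
    return [s for s in suites if classify_suite(s) in rejected]


def audit_java_options(java_options):
    """Check the JAVA_OPTIONS string from setDomainEnv.sh for the two settings in section 4.4 step 7a."""
    opts = dict(re.findall(r"-D([\w.]+)=(\S+)", java_options))
    findings = []
    if opts.get("weblogic.security.SSL.protocolVersion") != "TLS1.2":
        findings.append("weblogic.security.SSL.protocolVersion is not TLS1.2")
    if opts.get("weblogic.security.disableNullCipher") != "true":
        findings.append("weblogic.security.disableNullCipher is not true")
    return findings


if __name__ == "__main__":
    print("JAVA_OPTIONS findings:", audit_java_options(JAVA_OPTIONS_WEAK))
    for suite in CANDIDATE_SUITES:
        print(f"{suite:45} {classify_suite(suite)}")
```

The single suite shown in section 4.4 step 7b, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, grades as strong under this policy; the WebSphere QoP list is checked the same way by pasting its names into CANDIDATE_SUITES.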
4.3.3 Configuring Application Security
Enable Application security to secure your server from unauthorized users and allow access only to
authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable Application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security
window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19
434 Disable Directory Listing
NOTE This section is applicable for release 80600 and later
Directory listing is disabled by default ie directoryBrowsingEnabled is set to false
For additional information see
httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo
caerwlp_config_webContainerhtml
44 Security Configuration for WebLogic
In the WebLogic Server though the ldquoAuth Cookierdquo option is enabled by default the cookies are not
secure In-order to ensure this you need to toggle the ldquoAuth Cookie Enabledrdquo option in WebLogic
console by disabling it first and then re-enabling it for secure cookies You will then need to create a
weblogicxml file and deploy ear file in your Weblogic server
Perform the following configurations
1 Login to WebLogic Server Administrative Console and select the Domain from LHS gt Domain
Structure section
2 In the Configurations tab (selected by default) select the Web Application tab
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20
3 Scroll through the configurations options within the page and locate Auth Cookie Enabled
option By default the checkbox is selected
4 De-select the checkbox adjacent to Auth Cookie Enabled option and click Save
5 On save select the Auth Cookie Enabled checkbox and resave the change
6 Configure session Secure and HttpOnly
a If your OFSAAI version is below 80200 perform the following
Create a file with name weblogicxml under $FIC_HOMEficwebwebrootWEB-
INF and add the below tags
ltweblogic-web-app xmlns=httpwwwbeacomnsweblogic90gt
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
ltweblogic-web-appgt
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 21
b If your OFSAAI version is 80200 or higher modify weblogicxml file and add below tag
under root element
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
7 Perform the following steps to configure TLS protocol for WebLogic
a Add the following parameters in setDomainEnvsh present under
domainsltDomainNamegtbin as arguments for JAVA_OPTIONS -DweblogicsecuritydisableNullCipher=true -
DweblogicsecuritySSLprotocolVersion=TLS12
b Add preferred cipher suite to configxml file as shown in the following example Use only
the strong cryptographic ciphers recommended for TLS12
Example
ltsslgt
ltnamegtltservernamegtltnamegt
ltenabledgttrueltenabledgt
ltciphersuitegt
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ltciphersuitegt
ltsslgt
For more information see
httpsdocsoraclecommiddleware1213wlsSECMGstandardshtmSECMG743
For more details about strong cipher configuration see
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_
-_Only_Support_Strong_Cryptographic_Ciphers
8 Disable directory listing Add the following tag under ltcontainer-descriptorgt in
$FIC_HOMEficwebweblogicxml
ltindex-directory-enabledgtfalseltindex-directory-enabledgt
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
9 Build ear file and deploy it onto the WebLogic server
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 22
10 Restart services
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT ACCESS TO DEFAULT WEB SERVER PAGES
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 23
5 Additional Security Configurations
Refer to this section to perform additional security configurations The following topics are available
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GETPOST
Configuration to enable unlimited cryptographic policy for Java
51 Configuration to Restrict Access to Default Web Server
Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat
server
1 Start the Apache Tomcat server by executing the command startupsh
2 Log in to the Tomcat Web Application Manager
3 Undeploy the Examples application from Tomcat
Go to the Tomcat Web Application Manager screen and click the Remove link
corresponding to the Tomcat Examples application
4 Shut down the Apache Tomcat Server by executing the shutdownsh file
5 Comment the following two sections from CATALINA_HOMEconfserverxml (if
available)
Section I
ltContext path=examples docBase=examples debug=0
reloadable=true crossContext=truegt
ltLogger className=orgapachecatalinaloggerFileLogger
prefix=localhost_examples_log suffix=txt
timestamp=truegt
ltEjb name=ejbEmplRecord type=Entity
home=comwombatemplEmployeeRecordHome
remote=comwombatemplEmployeeRecordgt
Section II
ltEnvironment name=maxExemptions type=javalangInteger
value=15gt
ltParameter name=contextparamname value=contextparamvalue
override=falsegt
ltResource name=jdbcEmployeeAppDb auth=SERVLET
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24
type=javaxsqlDataSourcegt
ltResourceParams name=jdbcEmployeeAppDbgt
ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt
ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt
ltparametergtltnamegtdriverClassNameltnamegt
ltvaluegtorghsqljdbcDriverltvaluegtltparametergt
ltparametergtltnamegtdriverNameltnamegt
ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt
ltResourceParamsgt
ltResource name=mailSession auth=Container
type=javaxmailSessiongt
ltResourceParams name=mailSessiongt
ltparametergt
ltnamegtmailsmtphostltnamegt
ltvaluegtlocalhostltvaluegt
ltparametergt
ltResourceParamsgt
ltResourceLink name=linkToGlobalResource
global=simpleValue
type=javalangIntegergt
ltContextgt
6 Delete CATALINA_HOMEwebappsROOTindexjsp file
7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml
8 Comment the following two tags from CATALINA_HOMEconfwebxml file
ltwelcome-filegtindexhtmltwelcome-filegt
ltwelcome-filegtindexjspltwelcome-filegt
9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-
usersxml file
Following are some examples
ltuser username=both password=b$12 roles=tomcatrole1gt
ltuser username=tomcat password=t$12 roles=tomcatgt
ltuser username=admin password=a$12 roles=adminmanagergt
ltuser username=role1 password=r$12 roles=role1gt
52 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details from http responses
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT FILE UPLOADS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25
Modify the httpdconf file and set
ldquoServerTokensrdquo parameter to ldquoProdrdquo
ldquoServerSignaturerdquo parameter to ldquooffrdquo
53 Configuration to Restrict File Uploads
Following is the configuration to restrict upload of files with certain file types This configuration is
applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in
this parameter value will be blocked The current release has the below values set for the parameter
This list is extensible
DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and
jpeg
54 Configuration to restrict HTTP methods other than
GETPOST
Following configuration is required to restrict HTTP methods other than GETPOST
1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM
HTTP Server)
RewriteEngine On
RewriteCond REQUEST_METHOD ^(GET|POST)
RewriteRule - [R=405L]
2 If the application is not configured with HTTP Server perform the following steps in case of
WebLogic and WebSphere application servers
a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file
ltsecurity-constraintgt
ltweb-resource-collectiongt
ltweb-resource-namegtrestricted methodsltweb-resource-namegt
lturl-patterngtlturl-patterngt
lthttp-methodgtPUTlthttp-methodgt
lthttp-methodgtPATCHlthttp-methodgt
lthttp-methodgtHEADlthttp-methodgt
lthttp-methodgtDELETElthttp-methodgt
lthttp-methodgtOPTIONSlthttp-methodgt
lthttp-methodgtTRACElthttp-methodgt
lthttp-methodgtCONNECTlthttp-methodgt
ltweb-resource-collectiongt
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26
ltauth-constraintgt
ltsecurity-constraintgt
b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server
c Execute antsh to regenerate ltCONTEXTNAMEgtearwar
d Re-deploy the EARWAR file onto your configured web application server For more
information on deploying EAR WAR file refer to the Post Installation Configuration section
in Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide
55 Configuration to enable unlimited cryptographic policy for
Java
Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For
more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical
Applications Infrastructure Administration Guide
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The
Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data
integrity When a network connection over SSL is initiated the client and server perform a handshake
that includes
Negotiating a cipher suite for encryption data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography
To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet
Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can
use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12
This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin
driver with Oracle wallet having storetype as SSO with OraclePKIProvider
61 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration
Guide
APPENDIX A - FILTER SERVLET
INTRODUCTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28
7 Appendix A - Filter Servlet
This section consists of information related to Filter Servlet and the required configurations This
section also lists out the Keywords and Key Characters
NOTE This section is applicable for releases 800xx to 805xx
71 Introduction
Filter Servlet is a controller in the web-container whose functions are the following
72 Security and Access
This functionality checks whether a user has rights to access a web page that is trying to be accessed
73 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for
the following group of keywords key characters
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication.
Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part
number of the documentation along with the chapter/section/page number (if available) and contact
Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the
document, wherein any of your concerns have already been addressed. You can access the My Oracle
Support site, which has all the revised/recently released documents.
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBSPHERE
4.3.2 TLS Configuration for WebSphere
Following are the steps to configure the TLS protocol in WebSphere:
1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations >
NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.
This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, whether the web server
acts as a server (inbound) or as a client (outbound), SSL connections are established through the
TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings so that it initiates
TLS handshakes only.
For more information, see Configuring WebSphere Application Server to support TLS 1.2.
For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
4.3.3 Configuring Application Security
Enable application security to secure your server from unauthorized users and allow access only to
authenticated users. It prevents unauthorized access to configuration files in directories.
Following is the procedure to enable application security:
1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security
window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.
4.3.4 Disable Directory Listing
NOTE: This section is applicable for release 8.0.6.0.0 and later.
Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.
For additional information, see
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html
4.4 Security Configuration for WebLogic
In the WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not
secure. To ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic
console by disabling it first and then re-enabling it for secure cookies. You will then need to create a
weblogic.xml file and deploy the ear file in your WebLogic server.
Perform the following configurations:
1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain
Structure section.
2. In the Configurations tab (selected by default), select the Web Application tab.
3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled
option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and save the change again.
6. Configure session Secure and HttpOnly:
a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF
and add the tags below:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>
b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the tag below
under the root element:
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
7. Perform the following steps to configure the TLS protocol for WebLogic:
a. Add the following parameters in setDomainEnv.sh, present under
domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2
b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only
the strong cryptographic ciphers recommended for TLS 1.2.
Example:
<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>
For more information, see
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
8. Disable directory listing. Add the following tag under <container-descriptor> in
$FIC_HOME/ficweb/weblogic.xml:
<index-directory-enabled>false</index-directory-enabled>
9. Build the ear file and deploy it onto the WebLogic server.
10. Restart services.
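Before the ear is built in step 9, it is worth confirming that the descriptor really carries the settings from steps 6 and 8, since a missing or mistyped element silently leaves the session cookie without its flags. The following Python script is an added example and not OFSAA or WebLogic code: it parses a constructed weblogic.xml (app.mysite.com and /ofsaa stand in for <domain> and <context>) and reports every deviation from the Secure, HttpOnly, cookie-domain and directory-listing settings this section prescribes. The function names and the set of checks are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of $FIC_HOME/ficweb/weblogic.xml after steps 6b and 8 of this
# section. "app.mysite.com" stands in for <domain> and "/ofsaa" for <context>.
SAMPLE_WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain>app.mysite.com</cookie-domain>
    <cookie-path>/ofsaa</cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
  <container-descriptor>
    <index-directory-enabled>false</index-directory-enabled>
  </container-descriptor>
</weblogic-web-app>
"""


def _local(tag):
    """Drop the namespace prefix ElementTree attaches to tag names, so lookups
    work with or without the xmlns declaration on the root element."""
    return tag.rsplit('}', 1)[-1]


def _text(root, *path):
    """Walk child elements by local name; return the stripped text, or None if
    any element on the path is missing."""
    node = root
    for name in path:
        node = next((child for child in node if _local(child.tag) == name), None)
        if node is None:
            return None
    return (node.text or '').strip()


def lint_weblogic_xml(xml_text, app_host):
    """Return a list of findings; an empty list means the descriptor matches the
    hardening settings of section 4.4 (check set assumed by this example)."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, 'session-descriptor', 'cookie-http-only') != 'true':
        findings.append('cookie-http-only is not true: script can read the session cookie')
    if _text(root, 'session-descriptor', 'cookie-secure') != 'true':
        findings.append('cookie-secure is not true: cookie may be sent over plain HTTP')
    domain = _text(root, 'session-descriptor', 'cookie-domain')
    # Per the note in this section the domain must be the host that serves the
    # application (app.mysite.com), not its parent (mysite.com); with the parent
    # the browser would also send the cookie to every other host under it.
    if domain is None or domain.lower() != app_host.lower():
        findings.append('cookie-domain %r is not the application host %r' % (domain, app_host))
    if _text(root, 'container-descriptor', 'index-directory-enabled') != 'false':
        findings.append('index-directory-enabled is not false: directory listing stays on')
    return findings


if __name__ == '__main__':
    for finding in lint_weblogic_xml(SAMPLE_WEBLOGIC_XML, 'app.mysite.com') or ['descriptor OK']:
        print(finding)
```

Run it against the real descriptor by reading the file into xml_text and passing the host name users type into the browser; any non-empty result means the ear should not be built yet.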
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
- Configuration to Restrict Access to Default Web Server Pages
- Configuration to Restrict Display of the Web Server Details
- Configuration to Restrict File Uploads
- Configuration to restrict HTTP methods other than GET/POST
- Configuration to enable unlimited cryptographic policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat
server:
1. Start the Apache Tomcat server by executing the startup.sh command.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
Go to the Tomcat Web Application Manager screen and click the Remove link
corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat server by executing the shutdown.sh file.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if
available):
Section I
<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>
Section II
  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
      <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
      <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.
Following are some examples:
<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
- the "ServerTokens" parameter to "Prod"
- the "ServerSignature" parameter to "Off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is
applicable for all UIs/Apps that are rendered out of the platform's Forms Framework module. The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration"
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded into OFSAA applications. Any file being attached that does not have an extension listed in
this parameter value will be blocked. The current release has the values below set for the parameter.
This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and
jpeg
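An allowlist of this kind is judged against the file name alone, and that is where such checks usually go wrong: double extensions, a trailing dot, letter case and path characters. The following Python function is an added example, not the Forms Framework's own code. It parses a constructed copy of the DOCUMENT_ALLOWED_EXTENSION value (comma-separated here, which is an assumption about the stored format) and decides by the final extension only, case-sensitively, as the separate doc and Doc entries in the list suggest.

```python
# Constructed to mirror the extensions the guide lists for the current release.
# Kept as the raw parameter string so it is parsed the way a table cell would be
# (comma-separated storage is an assumption of this example).
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(param_value):
    """Split the CONFIGURATION value into a set of extensions. Matching stays
    case-sensitive because the guide lists both 'doc' and 'Doc' as entries."""
    return {ext.strip() for ext in param_value.split(',') if ext.strip()}


def is_upload_allowed(filename, allowed):
    """True only if the *last* extension of a plain file name is allowlisted.

    - Path separators and NUL are refused so the name cannot leave the upload
      directory or be truncated by a native layer.
    - Trailing dots and spaces are removed first, so 'shell.jsp.' is judged as
      'shell.jsp' rather than as a file without an extension.
    - The final suffix decides, so 'report.pdf.exe' is judged by 'exe'.
    - A bare name or a dotfile such as '.htaccess' has no extension and is refused.
    """
    if not filename or '/' in filename or '\\' in filename or '\x00' in filename:
        return False
    base = filename.rstrip('. ')
    if '.' not in base or (base.startswith('.') and base.count('.') == 1):
        return False
    ext = base.rsplit('.', 1)[1]
    return ext in allowed


if __name__ == '__main__':
    allowed = parse_allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    for name in ('invoice.pdf', 'report.pdf.exe', 'shell.jsp.', 'notes.TXT', '../x.txt'):
        print('%-16s %s' % (name, 'allowed' if is_upload_allowed(name, allowed) else 'blocked'))
```

The check answers only "is this name allowed"; it says nothing about the bytes inside the file, so where the list admits browser-rendered types such as html or xml, pair it with a server-side content check and serve uploads with a Content-Disposition that prevents inline rendering.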
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM
HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of
WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more
information on deploying the EAR/WAR file, refer to the Post Installation Configuration section
in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide.
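The rewrite rule in step 1 and the security-constraint in step 2 express the same policy at two layers; the WSGI middleware below is an added example, not OFSAA code, that states the policy a third way, as a reference implementation you can run offline to see exactly which requests are refused. The class name, the stand-in application and the environ used to drive it are constructed for the demonstration. It allowlists GET and POST rather than enumerating the methods to deny, so a verb that is not named in the web.xml snippet is still refused, and it sends the Allow header that RFC 7231 requires alongside a 405.

```python
ALLOWED_METHODS = ('GET', 'POST')


class MethodAllowlist:
    """WSGI middleware: refuse every request whose method is not allowlisted.
    Matching is exact, like the ^(GET|POST)$ rewrite condition above, because
    HTTP method names are case-sensitive ('get' is not GET)."""

    def __init__(self, app, allowed=ALLOWED_METHODS):
        self.app = app
        self.allowed = frozenset(allowed)

    def __call__(self, environ, start_response):
        method = environ.get('REQUEST_METHOD', '')
        if method not in self.allowed:
            body = b'405 Method Not Allowed'
            start_response('405 Method Not Allowed', [
                ('Content-Type', 'text/plain'),
                ('Content-Length', str(len(body))),
                # RFC 7231 section 6.5.5: a 405 response must carry Allow
                ('Allow', ', '.join(sorted(self.allowed))),
            ])
            return [body]
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    """Stand-in for the protected web application (constructed for the demo)."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']


def call(app, method, path='/'):
    """Drive a WSGI app with a constructed environ; return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured['status'] = status
        captured['headers'] = dict(headers)

    environ = {'REQUEST_METHOD': method, 'PATH_INFO': path,
               'SERVER_NAME': 'localhost', 'SERVER_PORT': '80',
               'wsgi.url_scheme': 'http'}
    body = b''.join(app(environ, start_response))
    return captured['status'], captured['headers'], body


protected = MethodAllowlist(hello_app)

if __name__ == '__main__':
    for verb in ('GET', 'POST', 'PUT', 'TRACE', 'OPTIONS', 'get'):
        print('%-8s %s' % (verb, call(protected, verb)[0]))
```

HEAD is refused here because the guide's web.xml snippet lists it; many deployments prefer to allow HEAD, since browsers and load-balancer health checks use it, and that is a one-word change to ALLOWED_METHODS.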
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For
more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical
Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The
Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data
integrity. When a network connection over SSL is initiated, the client and server perform a handshake
that includes:
- Negotiating a cipher suite for encryption, data integrity and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet.
Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can
use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin
driver with an Oracle wallet having storetype SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration
Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This
section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check covers
the following groups of keywords and key characters, all of which are present in the Configuration table:
- JavascriptKeyWords: PARAMNAME XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars: PARAMNAME XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords: PARAMNAME XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords: PARAMNAME XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS: XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS: XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as
Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars)
such as ", ', (, ), < or >, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME,
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update,
Delete, Drop, Truncate) in the XSS check, then the request is blocked, displaying an error message.
See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME,
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the Configuration table present in the Configuration Schema.
The Cross Site checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME             | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE       | Parameter to decide whether the XSS check is to be enabled or not
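To make the rules of 7.4, 7.5 and 7.6.1 concrete, the following Python simulation is an added example and not the OFSAAI Filter Servlet. It loads the keyword groups from a constructed CONFIGURATION dictionary laid out like the PARAMNAME/PARAMVALUE rows above (only the keywords this appendix names, numbered in the product's XSS_JS_KEYWORDS<n> style), honours XSS_IS_CHECK_REQUIRED, and blocks a request parameter when it pairs a JavaScript keyword with a meta character or a SQLWord with a SQLKeyWord. Case-insensitive whole-word matching is an assumption of the example, not documented product behaviour.

```python
import re

# Constructed CONFIGURATION rows in the PARAMNAME / PARAMVALUE layout of 7.6.1.
# Only the keywords the appendix names are listed, not the full set shipped in
# the product (XSS_JS_KEYWORDS1..13 and so on).
CONFIGURATION = {
    'XSS_IS_CHECK_REQUIRED': 'TRUE',
    'XSS_JS_KEYWORDS1': 'return', 'XSS_JS_KEYWORDS2': 'alert',
    'XSS_JS_KEYWORDS3': 'script', 'XSS_JS_KEYWORDS4': 'javascript',
    'XSS_JS_KEYWORDS5': 'vbscript',
    'XSS_JS_METACHARS1': '"', 'XSS_JS_METACHARS2': "'",
    'XSS_JS_METACHARS3': '(', 'XSS_JS_METACHARS4': ')',
    'XSS_JS_METACHARS5': '<', 'XSS_JS_METACHARS6': '>',
    'XSS_SQL_WORDS1': 'from', 'XSS_SQL_WORDS2': 'into',
    'XSS_SQL_WORDS3': 'where', 'XSS_SQL_WORDS4': 'table',
    'XSS_SQL_KEYWORDS1': 'alter', 'XSS_SQL_KEYWORDS2': 'insert',
    'XSS_SQL_KEYWORDS3': 'select', 'XSS_SQL_KEYWORDS4': 'create',
    'XSS_SQL_KEYWORDS5': 'update', 'XSS_SQL_KEYWORDS6': 'delete',
    'XSS_SQL_KEYWORDS7': 'drop', 'XSS_SQL_KEYWORDS8': 'truncate',
}


def load_group(config, prefix):
    """Collect the PARAMVALUEs of one numbered group, e.g. every XSS_JS_KEYWORDS<n>."""
    pattern = re.compile(r'^%s\d+$' % re.escape(prefix))
    return [value for name, value in config.items() if pattern.match(name)]


def _contains_word(text, words):
    """Whole-word, case-insensitive match (an assumption of this example)."""
    return any(re.search(r'\b%s\b' % re.escape(w), text, re.IGNORECASE) for w in words)


def check_request(params, config=CONFIGURATION):
    """Return the check that blocks the request ('xss' or 'sql'), or None if it
    passes. `params` maps request parameter names to their values."""
    # 7.6.1: no row, or a PARAMVALUE other than TRUE, switches the checks off
    if config.get('XSS_IS_CHECK_REQUIRED', 'FALSE').upper() != 'TRUE':
        return None
    js_words = load_group(config, 'XSS_JS_KEYWORDS')
    js_chars = load_group(config, 'XSS_JS_METACHARS')
    sql_words = load_group(config, 'XSS_SQL_WORDS')
    sql_keys = load_group(config, 'XSS_SQL_KEYWORDS')
    for value in params.values():
        # 7.4: a JavaScript keyword AND a meta character in the same value
        if _contains_word(value, js_words) and any(c in value for c in js_chars):
            return 'xss'
        # 7.5: a SQLWord AND a SQLKeyWord in the same value
        if _contains_word(value, sql_words) and _contains_word(value, sql_keys):
            return 'sql'
    return None


if __name__ == '__main__':
    for sample in ({'q': '<script>alert(1)</script>'}, {'name': 'Return to sender'},
                   {'comment': 'select * from users'}, {'comment': 'drop me a line'}):
        print(sample, '->', check_request(sample) or 'pass')
```

Running check_request on ordinary text such as "Return to sender" or "drop me a line" shows why the product pairs a keyword with a meta character (or a SQLWord with a SQLKeyWord) instead of blocking on either alone: a single common English word in a free-text field would otherwise trigger the filter on every form.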
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and
a DESCRIPTION (optional) to the Configuration table. The ending numeral in the new PARAMNAME
should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the
PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to
XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure
that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front-end and it is logged
in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path
<deployed context>/logs. It contains details of the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice.
Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the
$FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication
Your input is an important part of the information used for revision
Did you find any errors
Is the information clearly presented
Do you need more information If so where
Are the examples correct Do you need more examples
What features did you like most about this manual
If you find any errors or have any other suggestions for improvement indicate the title and part
number of the documentation along with the chaptersectionpage number (if available) and contact
the Oracle Support
Before sending us your comments you might like to ensure that you have the latest version of the
document wherein any of your concerns have already been addressed You can access My Oracle
Support site which has all the revisedrecently released documents
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19
434 Disable Directory Listing
NOTE This section is applicable for release 80600 and later
Directory listing is disabled by default ie directoryBrowsingEnabled is set to false
For additional information see
httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo
caerwlp_config_webContainerhtml
44 Security Configuration for WebLogic
In the WebLogic Server though the ldquoAuth Cookierdquo option is enabled by default the cookies are not
secure In-order to ensure this you need to toggle the ldquoAuth Cookie Enabledrdquo option in WebLogic
console by disabling it first and then re-enabling it for secure cookies You will then need to create a
weblogicxml file and deploy ear file in your Weblogic server
Perform the following configurations
1 Login to WebLogic Server Administrative Console and select the Domain from LHS gt Domain
Structure section
2 In the Configurations tab (selected by default) select the Web Application tab
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20
3 Scroll through the configurations options within the page and locate Auth Cookie Enabled
option By default the checkbox is selected
4 De-select the checkbox adjacent to Auth Cookie Enabled option and click Save
5 On save select the Auth Cookie Enabled checkbox and resave the change
6 Configure session Secure and HttpOnly
a If your OFSAAI version is below 80200 perform the following
Create a file with name weblogicxml under $FIC_HOMEficwebwebrootWEB-
INF and add the below tags
ltweblogic-web-app xmlns=httpwwwbeacomnsweblogic90gt
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
ltweblogic-web-appgt
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 21
b If your OFSAAI version is 80200 or higher modify weblogicxml file and add below tag
under root element
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
7 Perform the following steps to configure TLS protocol for WebLogic
a Add the following parameters in setDomainEnvsh present under
domainsltDomainNamegtbin as arguments for JAVA_OPTIONS -DweblogicsecuritydisableNullCipher=true -
DweblogicsecuritySSLprotocolVersion=TLS12
b Add preferred cipher suite to configxml file as shown in the following example Use only
the strong cryptographic ciphers recommended for TLS12
Example
ltsslgt
ltnamegtltservernamegtltnamegt
ltenabledgttrueltenabledgt
ltciphersuitegt
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ltciphersuitegt
ltsslgt
For more information see
httpsdocsoraclecommiddleware1213wlsSECMGstandardshtmSECMG743
For more details about strong cipher configuration see
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_
-_Only_Support_Strong_Cryptographic_Ciphers
8 Disable directory listing Add the following tag under ltcontainer-descriptorgt in
$FIC_HOMEficwebweblogicxml
ltindex-directory-enabledgtfalseltindex-directory-enabledgt
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
9 Build ear file and deploy it onto the WebLogic server
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 22
10 Restart services
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT ACCESS TO DEFAULT WEB SERVER PAGES
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 23
5 Additional Security Configurations
Refer to this section to perform additional security configurations The following topics are available
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GETPOST
Configuration to enable unlimited cryptographic policy for Java
51 Configuration to Restrict Access to Default Web Server
Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat
server
1 Start the Apache Tomcat server by executing the command startupsh
2 Log in to the Tomcat Web Application Manager
3 Undeploy the Examples application from Tomcat
Go to the Tomcat Web Application Manager screen and click the Remove link
corresponding to the Tomcat Examples application
4 Shut down the Apache Tomcat Server by executing the shutdownsh file
5 Comment the following two sections from CATALINA_HOMEconfserverxml (if
available)
Section I
ltContext path=examples docBase=examples debug=0
reloadable=true crossContext=truegt
ltLogger className=orgapachecatalinaloggerFileLogger
prefix=localhost_examples_log suffix=txt
timestamp=truegt
ltEjb name=ejbEmplRecord type=Entity
home=comwombatemplEmployeeRecordHome
remote=comwombatemplEmployeeRecordgt
Section II
ltEnvironment name=maxExemptions type=javalangInteger
value=15gt
ltParameter name=contextparamname value=contextparamvalue
override=falsegt
ltResource name=jdbcEmployeeAppDb auth=SERVLET
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24
type=javaxsqlDataSourcegt
ltResourceParams name=jdbcEmployeeAppDbgt
ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt
ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt
ltparametergtltnamegtdriverClassNameltnamegt
ltvaluegtorghsqljdbcDriverltvaluegtltparametergt
ltparametergtltnamegtdriverNameltnamegt
ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt
ltResourceParamsgt
ltResource name=mailSession auth=Container
type=javaxmailSessiongt
ltResourceParams name=mailSessiongt
ltparametergt
ltnamegtmailsmtphostltnamegt
ltvaluegtlocalhostltvaluegt
ltparametergt
ltResourceParamsgt
ltResourceLink name=linkToGlobalResource
global=simpleValue
type=javalangIntegergt
ltContextgt
6 Delete CATALINA_HOMEwebappsROOTindexjsp file
7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml
8 Comment the following two tags from CATALINA_HOMEconfwebxml file
ltwelcome-filegtindexhtmltwelcome-filegt
ltwelcome-filegtindexjspltwelcome-filegt
9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-
usersxml file
Following are some examples
ltuser username=both password=b$12 roles=tomcatrole1gt
ltuser username=tomcat password=t$12 roles=tomcatgt
ltuser username=admin password=a$12 roles=adminmanagergt
ltuser username=role1 password=r$12 roles=role1gt
52 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details from http responses
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT FILE UPLOADS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25
Modify the httpdconf file and set
ldquoServerTokensrdquo parameter to ldquoProdrdquo
ldquoServerSignaturerdquo parameter to ldquooffrdquo
53 Configuration to Restrict File Uploads
Following is the configuration to restrict upload of files with certain file types This configuration is
applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in
this parameter value will be blocked The current release has the below values set for the parameter
This list is extensible
DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and
jpeg
54 Configuration to restrict HTTP methods other than
GETPOST
Following configuration is required to restrict HTTP methods other than GETPOST
1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM
HTTP Server)
RewriteEngine On
RewriteCond REQUEST_METHOD ^(GET|POST)
RewriteRule - [R=405L]
2 If the application is not configured with HTTP Server perform the following steps in case of
WebLogic and WebSphere application servers
a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file
ltsecurity-constraintgt
ltweb-resource-collectiongt
ltweb-resource-namegtrestricted methodsltweb-resource-namegt
lturl-patterngtlturl-patterngt
lthttp-methodgtPUTlthttp-methodgt
lthttp-methodgtPATCHlthttp-methodgt
lthttp-methodgtHEADlthttp-methodgt
lthttp-methodgtDELETElthttp-methodgt
lthttp-methodgtOPTIONSlthttp-methodgt
lthttp-methodgtTRACElthttp-methodgt
lthttp-methodgtCONNECTlthttp-methodgt
ltweb-resource-collectiongt
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26
ltauth-constraintgt
ltsecurity-constraintgt
b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server
c Execute antsh to regenerate ltCONTEXTNAMEgtearwar
d Re-deploy the EARWAR file onto your configured web application server For more
information on deploying EAR WAR file refer to the Post Installation Configuration section
in Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide
55 Configuration to enable unlimited cryptographic policy for
Java
Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For
more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical
Applications Infrastructure Administration Guide
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, while on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document describes the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet whose storetype is SSO, via OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. It also lists the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following.
7.2 Security and Access
This functionality checks whether a user has the rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-Site Scripting vulnerabilities. Currently the check covers the following groups of keywords and key characters, all held in the CONFIGURATION table:
• JavascriptKeyWords - PARAMNAME XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - PARAMNAME XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - PARAMNAME XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - PARAMNAME XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - PARAMNAME XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - PARAMNAME XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta characters such as ", ', (, ), < or >), then the request is blocked and an error message is displayed.
See the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION columns, to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where or Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop or Truncate), then the XSS check blocks the request and an error message is displayed.
See the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION columns, to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the CONFIGURATION table in the Configuration Schema. The cross-site checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME             | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE       | Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME must be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory <deployed context>/logs. It records the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
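The decision rules of 7.4, 7.5 and 7.6 modelled as an added example (not the Filter Servlet's own code): the CONFIGURATION rows, the request parameters and the log format are constructed here, and case-insensitive substring matching is an assumption, since the guide does not state the servlet's exact matcher. The last sample request shows the kind of false positive that the exclusion mechanism in 7.6.2 exists to handle.

```python
import re
from datetime import datetime, timezone

# Constructed CONFIGURATION rows (PARAMNAME, PARAMVALUE): an illustrative subset of the
# groups the guide names. The full lists are in MOS Doc ID 2311605.1, not reproduced here.
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"),
    ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'),
    ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"),
    ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"),
    ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "drop"),
    ("XSS_SQL_KEYWORDS5", "truncate"),
    ("XSS_SQL_WORDS1", "from"),
    ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]


def load_groups(rows):
    """Group PARAMVALUEs by PARAMNAME with its trailing numeral removed,
    so XSS_JS_KEYWORDS1..n collapse into the key 'XSS_JS_KEYWORDS'."""
    groups = {}
    for name, value in rows:
        groups.setdefault(re.sub(r"\d+$", "", name), []).append(value)
    return groups


def _hits(value, terms):
    """Terms found in the value. Assumption: case-insensitive substring match;
    the guide does not state the servlet's exact matching rule."""
    low = value.lower()
    return [t for t in terms if t.lower() in low]


def inspect_request(params, rows=CONFIGURATION):
    """Apply the documented rules to a request's parameter map.

    Returns (blocked, reason). Blocked when a JavaScript keyword co-occurs with a
    JavaScript meta character (7.4) or an SQL word co-occurs with an SQL keyword
    (7.5); a keyword on its own never blocks. XSS_IS_CHECK_REQUIRED != TRUE
    disables both checks (7.6.1).
    """
    if dict(rows).get("XSS_IS_CHECK_REQUIRED", "TRUE").upper() != "TRUE":
        return False, None
    groups = load_groups(rows)
    for name, value in params.items():
        js_kw = _hits(value, groups.get("XSS_JS_KEYWORDS", []))
        js_mc = _hits(value, groups.get("XSS_JS_METACHARS", []))
        if js_kw and js_mc:
            return True, f"XSS: keyword {js_kw[0]!r} with meta char {js_mc[0]!r} in parameter {name!r}"
        sql_kw = _hits(value, groups.get("XSS_SQL_KEYWORDS", []))
        sql_w = _hits(value, groups.get("XSS_SQL_WORDS", []))
        if sql_kw and sql_w:
            return True, f"SQLi: keyword {sql_kw[0]!r} with word {sql_w[0]!r} in parameter {name!r}"
    return False, None


def css_log_line(url, user, reason, when=None):
    """Format an entry with the fields 7.6.3 says CSSLogger.log records
    (date, time, URL, user); the reason is appended here to aid triage."""
    when = when or datetime.now(timezone.utc)
    return f"{when:%Y-%m-%d %H:%M:%S} {url} {user} {reason}"


if __name__ == "__main__":
    # Constructed requests: one benign, two that trip the rules, one false positive.
    samples = {
        "/app/search": {"q": "quarterly report"},
        "/app/comment": {"text": "<script>alert(1)</script>"},
        "/app/lookup": {"id": "1; drop table users"},
        "/app/note": {"text": "O'Reilly returns Monday"},  # apostrophe + 'return'
    }
    for url, params in samples.items():
        blocked, reason = inspect_request(params)
        print(css_log_line(url, "ofsaa_user", reason) if blocked else f"{url}: allowed")
```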
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 21
b If your OFSAAI version is 80200 or higher modify weblogicxml file and add below tag
under root element
ltsession-descriptorgt
ltcookie-namegtJSESSIONIDltcookie-namegt
ltcookie-domaingtltdomaingtltcookie-domaingt
ltcookie-pathgtltcontextgtltcookie-pathgt
ltcookie-http-onlygttrueltcookie-http-onlygt
ltcookie-securegttrueltcookie-securegt
ltsession-descriptorgt
7 Perform the following steps to configure TLS protocol for WebLogic
a Add the following parameters in setDomainEnvsh present under
domainsltDomainNamegtbin as arguments for JAVA_OPTIONS -DweblogicsecuritydisableNullCipher=true -
DweblogicsecuritySSLprotocolVersion=TLS12
b Add preferred cipher suite to configxml file as shown in the following example Use only
the strong cryptographic ciphers recommended for TLS12
Example
ltsslgt
ltnamegtltservernamegtltnamegt
ltenabledgttrueltenabledgt
ltciphersuitegt
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ltciphersuitegt
ltsslgt
For more information see
httpsdocsoraclecommiddleware1213wlsSECMGstandardshtmSECMG743
For more details about strong cipher configuration see
httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_
-_Only_Support_Strong_Cryptographic_Ciphers
8 Disable directory listing Add the following tag under ltcontainer-descriptorgt in
$FIC_HOMEficwebweblogicxml
ltindex-directory-enabledgtfalseltindex-directory-enabledgt
NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom
9 Build ear file and deploy it onto the WebLogic server
WEB APPLICATION SERVER SECURITY CONFIGURATIONS
SECURITY CONFIGURATION FOR WEBLOGIC
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 22
10 Restart services
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT ACCESS TO DEFAULT WEB SERVER PAGES
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 23
5 Additional Security Configurations
Refer to this section to perform additional security configurations The following topics are available
Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GETPOST
Configuration to enable unlimited cryptographic policy for Java
51 Configuration to Restrict Access to Default Web Server
Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat
server
1 Start the Apache Tomcat server by executing the command startupsh
2 Log in to the Tomcat Web Application Manager
3 Undeploy the Examples application from Tomcat
Go to the Tomcat Web Application Manager screen and click the Remove link
corresponding to the Tomcat Examples application
4 Shut down the Apache Tomcat Server by executing the shutdownsh file
5 Comment the following two sections from CATALINA_HOMEconfserverxml (if
available)
Section I
ltContext path=examples docBase=examples debug=0
reloadable=true crossContext=truegt
ltLogger className=orgapachecatalinaloggerFileLogger
prefix=localhost_examples_log suffix=txt
timestamp=truegt
ltEjb name=ejbEmplRecord type=Entity
home=comwombatemplEmployeeRecordHome
remote=comwombatemplEmployeeRecordgt
Section II
ltEnvironment name=maxExemptions type=javalangInteger
value=15gt
ltParameter name=contextparamname value=contextparamvalue
override=falsegt
ltResource name=jdbcEmployeeAppDb auth=SERVLET
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24
type=javaxsqlDataSourcegt
ltResourceParams name=jdbcEmployeeAppDbgt
ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt
ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt
ltparametergtltnamegtdriverClassNameltnamegt
ltvaluegtorghsqljdbcDriverltvaluegtltparametergt
ltparametergtltnamegtdriverNameltnamegt
ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt
ltResourceParamsgt
ltResource name=mailSession auth=Container
type=javaxmailSessiongt
ltResourceParams name=mailSessiongt
ltparametergt
ltnamegtmailsmtphostltnamegt
ltvaluegtlocalhostltvaluegt
ltparametergt
ltResourceParamsgt
ltResourceLink name=linkToGlobalResource
global=simpleValue
type=javalangIntegergt
ltContextgt
6 Delete CATALINA_HOMEwebappsROOTindexjsp file
7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml
8 Comment the following two tags from CATALINA_HOMEconfwebxml file
ltwelcome-filegtindexhtmltwelcome-filegt
ltwelcome-filegtindexjspltwelcome-filegt
9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-
usersxml file
Following are some examples
ltuser username=both password=b$12 roles=tomcatrole1gt
ltuser username=tomcat password=t$12 roles=tomcatgt
ltuser username=admin password=a$12 roles=adminmanagergt
ltuser username=role1 password=r$12 roles=role1gt
52 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details from http responses
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT FILE UPLOADS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25
Modify the httpdconf file and set
ldquoServerTokensrdquo parameter to ldquoProdrdquo
ldquoServerSignaturerdquo parameter to ldquooffrdquo
53 Configuration to Restrict File Uploads
Following is the configuration to restrict upload of files with certain file types This configuration is
applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in
this parameter value will be blocked The current release has the below values set for the parameter
This list is extensible
DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and
jpeg
54 Configuration to restrict HTTP methods other than
GETPOST
Following configuration is required to restrict HTTP methods other than GETPOST
1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM
HTTP Server)
RewriteEngine On
RewriteCond REQUEST_METHOD ^(GET|POST)
RewriteRule - [R=405L]
2 If the application is not configured with HTTP Server perform the following steps in case of
WebLogic and WebSphere application servers
a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file
ltsecurity-constraintgt
ltweb-resource-collectiongt
ltweb-resource-namegtrestricted methodsltweb-resource-namegt
lturl-patterngtlturl-patterngt
lthttp-methodgtPUTlthttp-methodgt
lthttp-methodgtPATCHlthttp-methodgt
lthttp-methodgtHEADlthttp-methodgt
lthttp-methodgtDELETElthttp-methodgt
lthttp-methodgtOPTIONSlthttp-methodgt
lthttp-methodgtTRACElthttp-methodgt
lthttp-methodgtCONNECTlthttp-methodgt
ltweb-resource-collectiongt
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26
ltauth-constraintgt
ltsecurity-constraintgt
b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server
c Execute antsh to regenerate ltCONTEXTNAMEgtearwar
d Re-deploy the EARWAR file onto your configured web application server For more
information on deploying EAR WAR file refer to the Post Installation Configuration section
in Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide
55 Configuration to enable unlimited cryptographic policy for
Java
Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For
more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical
Applications Infrastructure Administration Guide
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The
Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data
integrity When a network connection over SSL is initiated the client and server perform a handshake
that includes
Negotiating a cipher suite for encryption data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography
To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet
Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can
use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12
This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin
driver with Oracle wallet having storetype as SSO with OraclePKIProvider
61 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration
Guide
APPENDIX A - FILTER SERVLET
INTRODUCTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This
section also lists the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has the rights to access the web page that is being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check covers
the following groups of keywords and key characters, all of which are present in the Configuration table:
• JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to
  XSS_JS_KEYWORDS13
• JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to
  XSS_JS_METACHARS10
• SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to
  XSS_SQL_KEYWORDS23
• SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert,
Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta characters such as
", ', (, ), < or >), then the request is blocked and an error message is displayed.
See My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME,
PARAMVALUE and DESCRIPTION columns, to view the list of keywords and key characters scoped for
filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From, Into, Where or Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update,
Delete, Drop or Truncate) during the XSS check, then the request is blocked and an error message is displayed.
See My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME,
PARAMVALUE and DESCRIPTION columns, to view the list of keywords and key characters scoped for
filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the configuration table present in the Configuration Schema.
The cross-site checks are not performed if the entry is not present or the PARAMVALUE is
FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME              PARAMVALUE  DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether the XSS check is to be enabled or not
7.6.2 Exclusion of Keywords and Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and
a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME
must be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the
PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to
XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure
that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and it is logged
in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path
<deployed context>/logs. It contains details of the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice.
Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the
$FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication.
Your input is an important part of the information used for revision.
• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part
number of the documentation along with the chapter/section/page number (if available) and contact
Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the
document, wherein any of your concerns may have already been addressed. You can access the My Oracle
Support site, which has all the revised/recently released documents.
10. Restart the services.
5 Additional Security Configurations
Refer to this section to perform additional security configurations. The following topics are available:
• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to Restrict HTTP Methods Other Than GET/POST
• Configuration to Enable Unlimited Cryptographic Policy for Java
5.1 Configuration to Restrict Access to Default Web Server Pages
Following are the configurations to restrict access to default web server pages in the Apache Tomcat
server:
1. Start the Apache Tomcat server by executing the startup.sh script.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
   Go to the Tomcat Web Application Manager screen and click the Remove link
   corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat server by executing the shutdown.sh script.
5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if
   available):
   Section I
     <Context path="/examples" docBase="examples" debug="0"
              reloadable="true" crossContext="true">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="localhost_examples_log." suffix=".txt"
               timestamp="true"/>
       <Ejb name="ejb/EmplRecord" type="Entity"
            home="com.wombat.empl.EmployeeRecordHome"
            remote="com.wombat.empl.EmployeeRecord"/>
   Section II
       <Environment name="maxExemptions" type="java.lang.Integer"
                    value="15"/>
       <Parameter name="context.param.name" value="context.param.value"
                  override="false"/>
       <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                 type="javax.sql.DataSource"/>
       <ResourceParams name="jdbc/EmployeeAppDb">
         <parameter><name>user</name><value>sa</value></parameter>
         <parameter><name>password</name><value></value></parameter>
         <parameter><name>driverClassName</name>
           <value>org.hsql.jdbcDriver</value></parameter>
         <parameter><name>driverName</name>
           <value>jdbc:HypersonicSQL:database</value></parameter>
       </ResourceParams>
       <Resource name="mail/Session" auth="Container"
                 type="javax.mail.Session"/>
       <ResourceParams name="mail/Session">
         <parameter>
           <name>mail.smtp.host</name>
           <value>localhost</value>
         </parameter>
       </ResourceParams>
       <ResourceLink name="linkToGlobalResource"
                     global="simpleValue"
                     type="java.lang.Integer"/>
     </Context>
6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.
7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.
8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:
     <welcome-file>index.html</welcome-file>
     <welcome-file>index.jsp</welcome-file>
9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml
   file. Following are some examples:
     <user username="both" password="b$12" roles="tomcat,role1"/>
     <user username="tomcat" password="t$12" roles="tomcat"/>
     <user username="admin" password="a$12" roles="admin,manager"/>
     <user username="role1" password="r$12" roles="role1"/>
5.2 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details in HTTP responses.
Modify the httpd.conf file and set:
• the "ServerTokens" directive to "Prod"
• the "ServerSignature" directive to "Off"
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files with certain file types. This configuration is
applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration"
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded into OFSAA applications. Any file being attached that does not have an extension listed in
this parameter value is blocked. The current release has the values below set for the parameter.
This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and
jpeg
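As an added example (not OFSAA code), the following applies the allow-list rule above to file names as a browser would submit them, including the names that need a decision the sentence does not spell out: no extension, a trailing dot, a leading dot, a double extension, or a directory prefix. The delimiter used to store the list in the CONFIGURATION table is not shown in the guide, so a comma-separated PARAMVALUE is assumed; the case-sensitive comparison is an inference from the shipped list carrying both "doc" and "Doc".

```python
"""Model of the DOCUMENT_ALLOWED_EXTENSION upload check (added example)."""
from pathlib import PurePosixPath

# Constructed PARAMVALUE holding the extensions listed for this release
# (assumption: stored comma-separated).
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(value):
    """Split the stored list into a set; blank entries are ignored."""
    return {item.strip() for item in value.split(",") if item.strip()}


def file_extension(filename):
    """Extension after the last dot, or None when the name has no usable one.

    Any directory part the client sent (either slash style) is dropped first,
    so the decision depends only on the final name component.
    """
    name = PurePosixPath(filename.replace("\\", "/")).name
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or not ext:
        # "README", ".htaccess" and "archive." all count as having no extension
        return None
    return ext


def is_upload_allowed(filename, allowed):
    """True only when the extension matches a listed entry exactly
    (assumption: case-sensitive, hence 'doc' and 'Doc' both being listed)."""
    ext = file_extension(filename)
    return ext is not None and ext in allowed


if __name__ == "__main__":
    allowed = parse_allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    for name in ["report.pdf", "report.PDF", "archive.tar.gz", "notes.txt.",
                 ".htaccess", "page.jsp", "C:\\temp\\scan.jpg", "../../etc/passwd"]:
        print(f"{name:22} {'allowed' if is_upload_allowed(name, allowed) else 'blocked'}")
```

Only the last extension is consulted, so "archive.tar.gz" is judged on "gz" and blocked, while "scan.jpg" is accepted regardless of the path prefix sent with it.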
5.4 Configuration to Restrict HTTP Methods Other Than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server, Oracle HTTP Server or IBM
   HTTP Server):
     RewriteEngine On
     RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
     RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of
   WebLogic and WebSphere application servers:
   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
        <security-constraint>
          <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>PATCH</http-method>
            <http-method>HEAD</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>CONNECT</http-method>
          </web-resource-collection>
          <auth-constraint/>
        </security-constraint>
   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
   d. Re-deploy the EAR/WAR file onto your configured web application server. For more
      information on deploying the EAR/WAR file, refer to the Post Installation Configuration section
      in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application
      Pack Installation and Configuration Guide.
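After applying sections 5.2 and 5.4 you want to confirm that the web tier really answers the way the configuration intends. The following is an added example, not OFSAA code: probe() sends each method named in the web.xml constraint, plus GET and POST, to a host and records the status and Server header, and findings() turns that into a list of problems (a method other than GET/POST that is not rejected, or a Server header carrying product or version details). HardenedHandler is a constructed stand-in for a correctly configured server so the script can run offline; point probe() at a real host and port to check a deployment. The 405 and 403 codes treated as "blocked" are assumptions matching the rewrite rule and an empty auth-constraint respectively.

```python
"""Probe a web tier for the method and Server-header hardening (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_METHODS = ("GET", "POST")
PROBED_METHODS = ("GET", "POST", "PUT", "PATCH", "HEAD", "DELETE",
                  "OPTIONS", "TRACE", "CONNECT")
BLOCKED_STATUSES = (403, 405)   # assumption: 405 from the rewrite rule, 403 from web.xml


class HardenedHandler(BaseHTTPRequestHandler):
    """Constructed server: answers GET/POST, rejects every other method with
    405, and sends a Server header without product or version details (the
    visible effect of ServerTokens Prod and ServerSignature Off)."""
    server_version = "Prod"
    sys_version = ""

    def _ok(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _reject(self):
        self.send_response(405)
        self.send_header("Allow", ", ".join(ALLOWED_METHODS))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = _ok
    do_PUT = do_PATCH = do_HEAD = do_DELETE = do_OPTIONS = do_TRACE = do_CONNECT = _reject

    def log_message(self, fmt, *args):   # keep the demo server quiet
        pass


def probe(host, port, methods=PROBED_METHODS, timeout=5):
    """Send each method to '/' on a fresh connection; returns
    {method: (status, server_header)}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/")
            resp = conn.getresponse()
            resp.read()
            results[method] = (resp.status, (resp.getheader("Server") or "").strip())
        finally:
            conn.close()
    return results


def findings(results):
    """Problems a reviewer would raise: extra methods accepted, details leaked."""
    problems = []
    for method, (status, server) in results.items():
        if method not in ALLOWED_METHODS and status not in BLOCKED_STATUSES:
            problems.append(f"{method} accepted with status {status}")
    for server in sorted({server for _, server in results.values()}):
        # a version number or "product/version" form means ServerTokens is not Prod
        if any(ch.isdigit() for ch in server) or "/" in server:
            problems.append(f"Server header reveals details: {server!r}")
    return problems


def start_demo_server():
    """Run HardenedHandler on an ephemeral localhost port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), HardenedHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    results = probe("127.0.0.1", port)
    for method, (status, server_header) in results.items():
        print(f"{method:8} {status}  Server={server_header!r}")
    print("findings:", findings(results) or "none")
    server.shutdown()
```

Run against a real deployment, an empty findings list means every method outside GET/POST was refused and no Server header disclosed a version; each non-empty entry names the method or header to go back and fix.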
5.5 Configuration to Enable Unlimited Cryptographic Policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For
more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical
Applications Infrastructure Administration Guide.
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24
type=javaxsqlDataSourcegt
ltResourceParams name=jdbcEmployeeAppDbgt
ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt
ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt
ltparametergtltnamegtdriverClassNameltnamegt
ltvaluegtorghsqljdbcDriverltvaluegtltparametergt
ltparametergtltnamegtdriverNameltnamegt
ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt
ltResourceParamsgt
ltResource name=mailSession auth=Container
type=javaxmailSessiongt
ltResourceParams name=mailSessiongt
ltparametergt
ltnamegtmailsmtphostltnamegt
ltvaluegtlocalhostltvaluegt
ltparametergt
ltResourceParamsgt
ltResourceLink name=linkToGlobalResource
global=simpleValue
type=javalangIntegergt
ltContextgt
6 Delete CATALINA_HOMEwebappsROOTindexjsp file
7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml
8 Comment the following two tags from CATALINA_HOMEconfwebxml file
ltwelcome-filegtindexhtmltwelcome-filegt
ltwelcome-filegtindexjspltwelcome-filegt
9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-
usersxml file
Following are some examples
ltuser username=both password=b$12 roles=tomcatrole1gt
ltuser username=tomcat password=t$12 roles=tomcatgt
ltuser username=admin password=a$12 roles=adminmanagergt
ltuser username=role1 password=r$12 roles=role1gt
52 Configuration to Restrict Display of the Web Server Details
Following are the configurations to restrict the display of the web server details from http responses
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT FILE UPLOADS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25
Modify the httpd.conf file and set:
"ServerTokens" parameter to "Prod"
"ServerSignature" parameter to "Off"
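As an added check that is not part of the guide, the following Python audits an httpd.conf text for exactly these two directives, taking into account that only the last occurrence of a directive counts and that an absent ServerTokens falls back to Apache's default of Full:

```python
"""Audit of the two httpd.conf directives set in this section.

Added example, not part of the OFSAA guide or of Apache: it parses a
constructed httpd.conf text, applies Apache's rule that the last
occurrence of a directive wins, fills in the documented defaults when a
directive is absent (ServerTokens defaults to Full, ServerSignature to
Off), and reports whether the hardened values are actually in effect.
"""
import re

# Values Apache uses when the directive is missing from the configuration.
DEFAULTS = {"ServerTokens": "Full", "ServerSignature": "Off"}
# Values the guide requires; "ProductOnly" is the long spelling of "Prod".
REQUIRED = {"ServerTokens": "Prod", "ServerSignature": "Off"}
ALIASES = {"productonly": "prod"}

# Directive names are case-insensitive in httpd.conf; values are compared
# case-insensitively as well.
_DIRECTIVE = re.compile(r"^(ServerTokens|ServerSignature)\s+(\S+)", re.IGNORECASE)


def effective_settings(conf_text: str) -> dict:
    """Return the effective value of each audited directive.

    Blank lines and comment lines are skipped. The audit does not model
    <VirtualHost> or <Directory> scoping: a ServerSignature inside a
    container is treated like a global one, which is conservative here.
    """
    settings = dict(DEFAULTS)
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _DIRECTIVE.match(stripped)
        if m:
            canonical = next(k for k in DEFAULTS if k.lower() == m.group(1).lower())
            settings[canonical] = m.group(2)  # last occurrence wins
    return settings


def audit(conf_text: str) -> list:
    """List the directives that are not at their hardened value (empty = OK)."""
    settings = effective_settings(conf_text)
    findings = []
    for name, wanted in REQUIRED.items():
        value = settings[name]
        normalised = ALIASES.get(value.lower(), value.lower())
        if normalised != wanted.lower():
            findings.append(f"{name} is {value!r}, expected {wanted!r}")
    return findings


# Constructed samples. In the weak one an operator set ServerTokens Prod,
# but a later line (for instance from a merged include file) re-sets it,
# and ServerSignature is left exposing the server admin e-mail address.
SAMPLE_WEAK = """\
ServerTokens Prod
ServerSignature EMail
# ... other directives ...
ServerTokens OS
"""

SAMPLE_HARDENED = """\
servertokens Prod
ServerSignature Off
"""
```

Run it over the full merged configuration, including files pulled in by Include directives, since a later file silently overrides an earlier setting; after the restart, confirm on the wire that the Server response header no longer carries a version string.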
5.3 Configuration to Restrict File Uploads
Following is the configuration to restrict the upload of files of certain file types. This configuration is applicable to all UIs/apps that are rendered from the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any attached file whose extension is not listed in this parameter value is blocked. The current release has the values below set for the parameter. This list is extensible.
DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
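An allow-list check modelled on DOCUMENT_ALLOWED_EXTENSION, added here as an illustration and not the platform's own code: it parses the parameter value as the guide prints it and decides on the final extension only, assuming the comparison is case-sensitive (the shipped list carries both "doc" and "Doc").

```python
"""Allow-list check modelled on DOCUMENT_ALLOWED_EXTENSION.

Added example, not OFSAA code. Assumptions: only the final extension is
compared, the comparison is case-sensitive, and a client-side path
prefix is discarded before the check.
"""
import ntpath
import posixpath

# Constructed copy of the value the guide lists for the current release.
DOCUMENT_ALLOWED_EXTENSION = (
    "txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg"
)


def parse_allowed_extensions(param_value: str) -> frozenset:
    """Turn the stored parameter value into a set of bare extensions."""
    # The guide joins the last item with "and"; accept both separators.
    text = param_value.replace(" and ", ",")
    return frozenset(
        item.strip().lstrip(".") for item in text.split(",") if item.strip()
    )


def file_extension(filename: str):
    """Return the final extension of a (possibly path-qualified) name, or None."""
    # Browsers and thick clients may send a full path; keep the base name,
    # handling both "/" and "\\" separators.
    base = ntpath.basename(posixpath.basename(filename.strip()))
    if "\x00" in base:
        # An embedded NUL can make a later native layer see a shorter name
        # than the one checked here, so refuse it outright.
        return None
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or not ext:
        # "README", "report." and ".htaccess" all count as having no extension.
        return None
    return ext


def is_upload_allowed(filename: str, allowed=None) -> bool:
    """Allow only files whose final extension is on the configured list.

    Double extensions such as "invoice.pdf.exe" are judged on the last
    part ("exe"), so they are blocked even though "pdf" is allowed.
    """
    if allowed is None:
        allowed = parse_allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    ext = file_extension(filename)
    return ext is not None and ext in allowed
```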
5.4 Configuration to restrict HTTP methods other than GET/POST
The following configuration is required to restrict HTTP methods other than GET/POST:
1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)
RewriteRule .* - [R=405,L]
2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:
a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>PUT</http-method>
<http-method>PATCH</http-method>
<http-method>HEAD</http-method>
<http-method>DELETE</http-method>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
<http-method>CONNECT</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.
c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.
d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
5.5 Configuration to enable unlimited cryptographic policy for Java
Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.
6 Secure Database Connection
The Oracle database product supports SSL/TLS connections in its Standard Edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:
- Negotiating a cipher suite for encryption, data integrity and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Exchanging key information between client and server using public key cryptography
To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.
This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having store type SSO with OraclePKIProvider.
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
The Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether a user has rights to access the web page that is being accessed.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for the following groups of keywords/key characters, which are present in the Configuration table:
JavascriptKeyWords - PARAMNAME in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - PARAMNAME in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - PARAMNAME in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - PARAMNAME in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars) such as ", ', (, ), <, > (among others), then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.
You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema. The cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".
PARAMNAME | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE | Parameter to decide whether the XSS check is to be enabled or not
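A working model of the combination checks described in 7.4 and 7.5 and of the XSS_IS_CHECK_REQUIRED switch in 7.6.1, added here as an illustration and not the Filter Servlet's own code: the keyword and meta-character values are the examples the guide quotes, loaded from constructed rows in the shape of the CONFIGURATION table, and whole-word case-insensitive matching together with the CSSLogger.log line layout are assumptions.

```python
"""Keyword/meta-character combination checks modelled on the Filter Servlet.

Added example, not OFSAA code. It groups PARAMNAMEs by the numbered
prefixes the guide lists (XSS_JS_KEYWORDS1..N and so on), honours
XSS_IS_CHECK_REQUIRED, and flags a request parameter when a
JavascriptKeyWord co-occurs with a JavascriptKeyChar or an SQLKeyWord
co-occurs with an SQLWord. Whole-word, case-insensitive matching and the
log line format are assumptions of this example.
"""
import re
from datetime import datetime, timezone

# Constructed rows in the shape of the CONFIGURATION table: (PARAMNAME, PARAMVALUE).
# The values are the examples quoted in sections 7.4 and 7.5 of the guide.
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

GROUPS = ("XSS_JS_KEYWORDS", "XSS_JS_METACHARS", "XSS_SQL_KEYWORDS", "XSS_SQL_WORDS")


def load_groups(rows):
    """Return (check_enabled, {group prefix: [PARAMVALUE, ...]})."""
    groups = {g: [] for g in GROUPS}
    enabled = True
    for name, value in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            # Absent entry or anything other than TRUE disables the checks.
            enabled = value.strip().upper() == "TRUE"
            continue
        m = re.fullmatch(r"([A-Z_]+?)(\d+)", name)
        if m and m.group(1) in groups:
            groups[m.group(1)].append(value)
    return enabled, groups


def _first_word(text, words):
    """First keyword present as a whole word (case-insensitive), else None."""
    for w in words:
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(w) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            return w
    return None


def _first_char(text, chars):
    """First meta character present anywhere in the text, else None."""
    for c in chars:
        if c in text:
            return c
    return None


def check_request(params, rows=CONFIG_ROWS):
    """Return None when the request passes, otherwise the reason it is blocked.

    `params` maps request parameter name to value, as a servlet filter
    would see them after getParameterMap().
    """
    enabled, g = load_groups(rows)
    if not enabled:
        return None
    for pname, value in params.items():
        kw = _first_word(value, g["XSS_JS_KEYWORDS"])
        ch = _first_char(value, g["XSS_JS_METACHARS"])
        if kw and ch:
            return f"XSS: keyword {kw!r} with meta char {ch!r} in parameter {pname!r}"
        sk = _first_word(value, g["XSS_SQL_KEYWORDS"])
        sw = _first_word(value, g["XSS_SQL_WORDS"])
        if sk and sw:
            return f"SQL: keyword {sk!r} with word {sw!r} in parameter {pname!r}"
    return None


def log_line(reason, url, user, when=None):
    """Format the details the guide says CSSLogger.log records: date, time, URL, user."""
    when = when or datetime.now(timezone.utc)
    return f"{when:%Y-%m-%d %H:%M:%S} {url} {user} {reason}"
```

Because the check is a keyword heuristic, ordinary text such as "please delete the old table" trips the SQL rule while "select a value" does not; treat it as a defence-in-depth layer alongside output encoding and bound SQL parameters.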
7.6.2 Exclusion of Keywords/Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.
For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO RESTRICT FILE UPLOADS
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25
Modify the httpdconf file and set
ldquoServerTokensrdquo parameter to ldquoProdrdquo
ldquoServerSignaturerdquo parameter to ldquooffrdquo
53 Configuration to Restrict File Uploads
Following is the configuration to restrict upload of files with certain file types This configuration is
applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The
parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo
schema holds the list of file extensions for valid file types that are allowed to be attached and
uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in
this parameter value will be blocked The current release has the below values set for the parameter
This list is extensible
DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and
jpeg
54 Configuration to restrict HTTP methods other than
GETPOST
Following configuration is required to restrict HTTP methods other than GETPOST
1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM
HTTP Server)
RewriteEngine On
RewriteCond REQUEST_METHOD ^(GET|POST)
RewriteRule - [R=405L]
2 If the application is not configured with HTTP Server perform the following steps in case of
WebLogic and WebSphere application servers
a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file
ltsecurity-constraintgt
ltweb-resource-collectiongt
ltweb-resource-namegtrestricted methodsltweb-resource-namegt
lturl-patterngtlturl-patterngt
lthttp-methodgtPUTlthttp-methodgt
lthttp-methodgtPATCHlthttp-methodgt
lthttp-methodgtHEADlthttp-methodgt
lthttp-methodgtDELETElthttp-methodgt
lthttp-methodgtOPTIONSlthttp-methodgt
lthttp-methodgtTRACElthttp-methodgt
lthttp-methodgtCONNECTlthttp-methodgt
ltweb-resource-collectiongt
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26
ltauth-constraintgt
ltsecurity-constraintgt
b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server
c Execute antsh to regenerate ltCONTEXTNAMEgtearwar
d Re-deploy the EARWAR file onto your configured web application server For more
information on deploying EAR WAR file refer to the Post Installation Configuration section
in Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide
55 Configuration to enable unlimited cryptographic policy for
Java
Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For
more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical
Applications Infrastructure Administration Guide
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The
Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data
integrity When a network connection over SSL is initiated the client and server perform a handshake
that includes
Negotiating a cipher suite for encryption data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography
To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet
Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can
use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12
This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin
driver with Oracle wallet having storetype as SSO with OraclePKIProvider
61 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration
Guide
APPENDIX A - FILTER SERVLET
INTRODUCTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28
7 Appendix A - Filter Servlet
This section consists of information related to Filter Servlet and the required configurations This
section also lists out the Keywords and Key Characters
NOTE This section is applicable for releases 800xx to 805xx
71 Introduction
Filter Servlet is a controller in the web-container whose functions are the following
72 Security and Access
This functionality checks whether a user has rights to access a web page that is trying to be accessed
73 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for
the following group of keywords key characters
JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to
XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to
XSS_JS_METACHARS10
SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to
XSS_SQL_KEYWORDS23
SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in
Configuration table
74 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any JavascriptKeyWords with the JavascriptKeyChars
For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as
Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)
such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
APPENDIX A - FILTER SERVLET
SQL INJECTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29
75 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords
For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update
Delete Drop Truncate) for XSS check then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
76 Filter Servlet Configurations
761 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema
The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE By default PARAMVALUE is set to ldquoTRUErdquo
PARAMNAME PARAMVALUE DESCRIPTION
XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be
enabled or not
762 Exclusion of Keywords Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME
should be higher than any other numbers in the group
For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the
PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to
XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure
that the updated number is higher than any other numbers in the group
763 DebugLogs
When the application detects a vulnerability a message is displayed on the front-end and it is logged
in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path
ltdeployed contextgtlogs It contains details for date time URL and user
You can modify the configuration to create the CSSLoggerlog file in a directory of your choice
Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the
$FIC_WEB_HOMEwebrootconfFICWebcfg file
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication
Your input is an important part of the information used for revision
Did you find any errors
Is the information clearly presented
Do you need more information If so where
Are the examples correct Do you need more examples
What features did you like most about this manual
If you find any errors or have any other suggestions for improvement indicate the title and part
number of the documentation along with the chaptersectionpage number (if available) and contact
the Oracle Support
Before sending us your comments you might like to ensure that you have the latest version of the
document wherein any of your concerns have already been addressed You can access My Oracle
Support site which has all the revisedrecently released documents
ADDITIONAL SECURITY CONFIGURATIONS
CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26
ltauth-constraintgt
ltsecurity-constraintgt
b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server
c Execute antsh to regenerate ltCONTEXTNAMEgtearwar
d Re-deploy the EARWAR file onto your configured web application server For more
information on deploying EAR WAR file refer to the Post Installation Configuration section
in Oracle Financial Services Advanced Analytical Applications Infrastructure Application
Pack Installation and Configuration Guide
55 Configuration to enable unlimited cryptographic policy for
Java
Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For
more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical
Applications Infrastructure Administration Guide
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The
Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data
integrity When a network connection over SSL is initiated the client and server perform a handshake
that includes
Negotiating a cipher suite for encryption data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography
To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet
Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can
use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12
This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin
driver with Oracle wallet having storetype as SSO with OraclePKIProvider
61 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration
Guide
APPENDIX A - FILTER SERVLET
INTRODUCTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28
7 Appendix A - Filter Servlet
This section consists of information related to Filter Servlet and the required configurations This
section also lists out the Keywords and Key Characters
NOTE This section is applicable for releases 800xx to 805xx
71 Introduction
Filter Servlet is a controller in the web-container whose functions are the following
72 Security and Access
This functionality checks whether a user has rights to access a web page that is trying to be accessed
73 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for
the following group of keywords key characters
JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to
XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to
XSS_JS_METACHARS10
SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to
XSS_SQL_KEYWORDS23
SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in
Configuration table
74 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any JavascriptKeyWords with the JavascriptKeyChars
For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as
Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)
such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
APPENDIX A - FILTER SERVLET
SQL INJECTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29
75 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords
For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as
From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update
Delete Drop Truncate) for XSS check then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
76 Filter Servlet Configurations
761 Checking for XSS Vulnerability
The following entry will be available in the configuration table present in the Configuration Schema
The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is
FALSE By default PARAMVALUE is set to ldquoTRUErdquo
PARAMNAME PARAMVALUE DESCRIPTION
XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be
enabled or not
762 Exclusion of Keywords Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and
a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME
should be higher than any other numbers in the group
For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the
PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to
XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure
that the updated number is higher than any other numbers in the group
763 DebugLogs
When the application detects a vulnerability a message is displayed on the front-end and it is logged
in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path
ltdeployed contextgtlogs It contains details for date time URL and user
You can modify the configuration to create the CSSLoggerlog file in a directory of your choice
Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the
$FIC_WEB_HOMEwebrootconfFICWebcfg file
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication
Your input is an important part of the information used for revision
Did you find any errors
Is the information clearly presented
Do you need more information If so where
Are the examples correct Do you need more examples
What features did you like most about this manual
If you find any errors or have any other suggestions for improvement indicate the title and part
number of the documentation along with the chaptersectionpage number (if available) and contact
the Oracle Support
Before sending us your comments you might like to ensure that you have the latest version of the
document wherein any of your concerns have already been addressed You can access My Oracle
Support site which has all the revisedrecently released documents
SECURE DATABASE CONNECTION
CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27
6 Secure Database Connection
The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The
Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data
integrity When a network connection over SSL is initiated the client and server perform a handshake
that includes
Negotiating a cipher suite for encryption data integrity and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography
To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet
Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can
use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12
This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin
driver with Oracle wallet having storetype as SSO with OraclePKIProvider
61 Configurations for Connecting OFSAA to Oracle Database
using Secure Database Connection (TCPS)
For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure
Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration
Guide
APPENDIX A - FILTER SERVLET
INTRODUCTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28
7 Appendix A - Filter Servlet
This section consists of information related to Filter Servlet and the required configurations This
section also lists out the Keywords and Key Characters
NOTE This section is applicable for releases 800xx to 805xx
71 Introduction
Filter Servlet is a controller in the web-container whose functions are the following
72 Security and Access
This functionality checks whether a user has rights to access a web page that is trying to be accessed
73 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for
the following group of keywords key characters
JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to
XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to
XSS_JS_METACHARS10
SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to
XSS_SQL_KEYWORDS23
SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in
Configuration table
74 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of
any JavascriptKeyWords with the JavascriptKeyChars
For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as
Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)
such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message
You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME
PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for
filtering
APPENDIX A - FILTER SERVLET
SQL INJECTION
OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29
75 SQL Injection
7 Appendix A - Filter Servlet
This section consists of information related to the Filter Servlet and the required configurations. It also lists the keywords and key characters.
NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.
7.1 Introduction
Filter Servlet is a controller in the web container whose functions are the following:
7.2 Security and Access
This functionality checks whether the user has the rights to access the web page being requested.
7.3 Vulnerability Checks
This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently the check covers the following groups of keywords and key characters, all held in the Configuration table:
- JavascriptKeyWords: PARAMNAME XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars: PARAMNAME XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords: PARAMNAME XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords: PARAMNAME XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS: XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS: XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5
7.4 Cross Site Scripting
A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.
For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) together with any of the JavascriptKeyChars (meta characters such as “ ‘ ( ) < >), the request is blocked and an error message is displayed.
See the My Oracle Support document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.
7.5 SQL Injection
An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.
For example, if an HTTP request contains any of the disallowed SQLWords (such as From, Into, Where, Table) together with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate), the XSS check blocks the request and an error message is displayed.
See the My Oracle Support document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
The following entry is available in the Configuration table present in the Configuration Schema. The Cross-site checks are not performed if the entry is not present or its PARAMVALUE is FALSE. By default PARAMVALUE is set to TRUE.
PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not
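The decision logic of sections 7.3 to 7.5 and the XSS_IS_CHECK_REQUIRED toggle of 7.6.1, modelled in Python as an added example for reasoning about a configuration offline; this is not the product's own code. It assumes the Configuration table is supplied as (PARAMNAME, PARAMVALUE) rows, that matching is case-insensitive with whole-word matching for keywords, and it leaves out the SQLTOKENS and SQLOPERATORS groups; the sample rows and requests are constructed.

```python
import re
from datetime import datetime

# Constructed sample of Configuration-table rows (PARAMNAME, PARAMVALUE); the real table holds many more.
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_METACHARS1", "<"), ("XSS_JS_METACHARS2", ">"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", "'"),
    ("XSS_SQL_KEYWORDS1", "select"), ("XSS_SQL_KEYWORDS2", "drop"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "table"),
]
GROUP_RE = re.compile(r"^(XSS_[A-Z_]+?)(\d+)$")  # XSS_JS_KEYWORDS12 -> ("XSS_JS_KEYWORDS", "12")

def load_groups(rows):
    """Gather the numbered PARAMNAME entries into their groups, lower-cased (case-insensitivity is assumed)."""
    groups = {}
    for name, value in rows:
        m = GROUP_RE.match(name)
        if m:
            groups.setdefault(m.group(1), set()).add(value.lower())
    return groups

def xss_enabled(rows):
    """7.6.1: checks run only when the row exists and its PARAMVALUE is TRUE."""
    return dict(rows).get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() == "TRUE"

def has_word(text, words):
    """Whole-word match for keywords (an assumption about the product's matching)."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)

def check_request(rows, params, url="/", user="anon"):
    """Return None if the request passes, else a CSSLogger-style record (date, time, URL, user).
    Blocks when a JS keyword co-occurs with a JS meta character (7.4) or an SQL keyword with an SQL word (7.5)."""
    if not xss_enabled(rows):
        return None
    g = load_groups(rows)
    text = " ".join(str(v) for v in params.values()).lower()
    xss = has_word(text, g.get("XSS_JS_KEYWORDS", ())) and \
        any(c in text for c in g.get("XSS_JS_METACHARS", ()))
    sqli = has_word(text, g.get("XSS_SQL_KEYWORDS", ())) and \
        has_word(text, g.get("XSS_SQL_WORDS", ()))
    if not (xss or sqli):
        return None
    now = datetime.now()
    return {"date": now.strftime("%Y-%m-%d"), "time": now.strftime("%H:%M:%S"),
            "url": url, "user": user, "reason": "XSS" if xss else "SQL"}
```

A lone keyword such as "Select" in a name field passes; only the keyword-plus-metacharacter or keyword-plus-word combination is blocked, which is why the exclusion mechanism of 7.6.2 matters for legitimate inputs that hit both lists.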
7.6.2 Exclusion of Keywords / Key Characters
You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and an optional DESCRIPTION to the Configuration table. The ending numeral in the new PARAMNAME must be higher than any other number in the group.
For example, to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, update the keyword numeral to XSS_JS_KEYWORDS12, given that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
7.6.3 Debug Logs
When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default the CSSLogger.log file is generated in the directory <deployed context>/logs and records the date, time, URL and user.
You can modify the configuration to create the CSSLogger.log file in a directory of your choice: enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
Send Us Your Comments
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.
- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.
Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised and recently released documents.