Oracle Financial Services Analytical Applications Infrastructure
Security Guide
Release 8.0.x
Dec 2019

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 2

OFS Analytical Applications Infrastructure Security Guide

Copyright © 2020 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

For information on third party licenses, click here.

Document Control

Version Number | Revision Date | Change Log
Draft | January 2015 | Made the document generic for all releases. This document captures the necessary security-related configurations.
1.0 | April 2015 | Added section 3.3 Configuration to restrict file uploads for the Ngan Hang SR 3-10413030421.
2.0 | November 2015 | Added section 3.4 based on Bug 21810721.
3.0 | December 2015 | Updated the Web Application Server Security Configuration section based on Bug 22070501.
4.0 | June 2016 | Added content based on Bug 23603150.
5.0 | December 2016 | Rectified the broken link in the TLS Configuration for WebLogic section. Modified the Configuration to restrict HTTP methods other than GET/POST section based on Bug 25308546.
6.0 | June 2017 | Added section 'Configuring Application Security' for Bug 25957230, 25990244 and 25957206.
7.0 | August 2017 | Updated for Bug 26568700.
8.0 | September 2017 | Removed the list of filter servlet keywords and created a MOS document.
9.0 | May 2018 | Updated for security enhancements in 8.0.6.0.0.
10.0 | August 2018 | Added back the Filter Servlet chapter for Doc 28542034.
11.0 | October 2018 | Updated for Doc 28672747 and Doc 28771653.
12.0 | February 2019 | Updated for Doc 29288736, 29352320 and 29352863.
13.0 | May 2019 | Added a new chapter for Secure Database Connection.
14.0 | Aug 2019 | Added generic system configuration information in Security Configurations for Doc 30204166. Added a tip to configure from SSLv3 to TLSv1.2 in Enabling HTTPS Configuration for OFSAA for Doc 30171443.
15.0 | Dec 2019 | Updated the section Configuration to set Content Security Policy with information for validation of the web.xml file (Doc 30622153).

Table of Contents

1 Preface
1.1 Summary
1.2 Audience
1.2.1 Prerequisites for the Audience
1.3 Related Documents
2 Secure Configurations
2.1 Security Configurations
3 Secure Header Configuration
3.1 Configuration for X-Frame-Options
3.2 Configuration to set Content Security Policy
3.3 Configuration for Referrer Header Validation
4 Web Application Server Security Configurations
4.1 Enabling HTTPS Configuration for OFSAA
4.2 Security Configuration for Tomcat
4.3 Security Configuration for WebSphere
4.3.1 Session Management Secure and HttpOnly Configuration
4.3.2 TLS Configuration for WebSphere
4.3.3 Configuring Application Security
4.3.4 Disable Directory Listing
4.4 Security Configuration for WebLogic
5 Additional Security Configurations
5.1 Configuration to Restrict Access to Default Web Server Pages
5.2 Configuration to Restrict Display of the Web Server Details
5.3 Configuration to Restrict File Uploads
5.4 Configuration to restrict HTTP methods other than GET/POST
5.5 Configuration to enable unlimited cryptographic policy for Java
6 Secure Database Connection
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
7 Appendix A - Filter Servlet
7.1 Introduction
7.2 Security and Access
7.3 Vulnerability Checks
7.4 Cross Site Scripting
7.5 SQL Injection
7.6 Filter Servlet Configurations
7.6.1 Checking for XSS Vulnerability
7.6.2 Exclusion of Keywords / Key Characters
7.6.3 Debug Logs


1 Preface

This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:

• Secure Configurations
• Secure Header Configurations
• Web Application Server Security Configurations
• Additional Security Configurations

1.1 Summary

The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.

1.2 Audience

This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration, and Web Application Administration to install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience

This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:

• OFS AAAI pack components
• OFSAA Architecture
• UNIX Commands
• Database Concepts
• Web server/Web application server

1.3 Related Documents

This section identifies additional documents related to OFSAA Infrastructure:

• Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
• Oracle Financial Services Analytical Applications Environment Check Utility Guide


• Oracle Financial Services Analytical Applications Infrastructure Administration Guide
• Oracle Financial Services Analytical Applications Infrastructure User Guide


2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for an OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections in this document. For more information, see the OFSAAI Administration Guide.

• Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

• TDE (Transparent Data Encryption) – Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

• Key Management - The OFSAA configuration schema (CONFIG) is the repository to store passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.
  The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.
  NOTE: Integration with any other Key Management solution is out of scope of this release.

• File Encryption - OFSAA supports file encryption using the AES-256 Bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

• Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

• Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

• Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

• SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


• Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

• Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

• Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

• Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

• Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

• System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:
  - Set session timeout
  - Enable CSRF
  - Set frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days, and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

• Configuration for X-Frame-Options
• Configuration to set Content Security Policy
• Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against attacks in which an external party embeds content that looks like your content in order to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.
   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is configured by default to set the X-Frame-Options response header. Add ALLOW-FROM to X-Frame-Options to limit the domains that may frame the application.

   X-Frame-Options:

   <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
           <param-name>mode</param-name>
           <param-value>ALLOW-FROM <URL1> <URL2></param-value>
       </init-param>
   </filter>

   NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the URLs of the different domains.
   X-Frame-Options is supported only on the Internet Explorer browser.
   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.
The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Search for the following tags. If the tags do not exist in the web.xml file, then add them to the file:

   <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify it as required:


   <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src <IMGURL> 'self' data:</param-value>
   </context-param>
   <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
   </context-param>

In the previous example, you have to define the policy by replacing:

• default-src – with no value. This sets it to 'self'.
• <SCRURL> – with the URL of the script that you want to allow to run, which will prevent any other script from running.
• <IMGURL> – with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.
• <CSSURL> – with the URL of the stylesheet to allow styles from the specified stylesheet and to prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.
2. Add the following tag:

   <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
           <param-name>AllowHosts</param-name>
           <param-value> <URL1> <URL2> </param-value>
       </init-param>
   </filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
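The formatting rules in 3.1 to 3.3 (URL lists separated by exactly one space, each URL ending in a slash, the SAMEORIGIN fallback when ALLOW-FROM is absent, and the warning against duplicate CSP tags) can be checked mechanically before a restart. The following is an added example and not part of the Oracle guide; the sample web.xml, the example.com host names and the check names are constructed assumptions.

```python
# Added example (not from the Oracle guide): checks an OFSAAI web.xml against
# the rules this chapter states for ALLOW-FROM / AllowHosts lists and CSP tags.
import xml.etree.ElementTree as ET

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")

# Constructed sample: a well-formed ALLOW-FROM list, an AllowHosts list with
# a double space and a missing trailing slash, and a duplicated script-src.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self'</param-value>
  </context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.com/ https://bi.example.com/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value>https://portal.example.com/  https://bi.example.com</param-value>
    </init-param>
  </filter>
</web-app>
"""

def check_url_list(value):
    """Apply the guide's rule to a '<URL1> <URL2>' list: URLs separated by
    exactly one space, each ending in a forward slash. Returns problems."""
    value = value.strip()  # the guide's own AllowHosts example pads the value
    problems = []
    if "  " in value:
        problems.append("URLs must be separated by exactly one space")
    for url in value.split():
        if not url.endswith("/"):
            problems.append(f"{url} does not end with a forward slash")
    return problems

def filter_servlet_params(root):
    """Return {param-name: param-value} for the FilterServlet <filter>."""
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") == "FilterServlet":
            return {p.findtext("param-name"): (p.findtext("param-value") or "")
                    for p in flt.iter("init-param")}
    return {}

def audit(web_xml):
    """Return {setting: [problems]} for X-Frame-Options, AllowHosts and CSP."""
    root = ET.fromstring(web_xml)
    params = filter_servlet_params(root)
    findings = {}
    # X-Frame-Options: ALLOW-FROM list, or SAMEORIGIN when not configured.
    mode = params.get("mode")
    if mode is None:
        findings["x-frame-options"] = ["SAMEORIGIN (ALLOW-FROM not configured)"]
    elif mode.startswith("ALLOW-FROM "):
        findings["x-frame-options"] = check_url_list(mode[len("ALLOW-FROM "):])
    else:
        findings["x-frame-options"] = [f"unexpected mode value: {mode!r}"]
    # Referrer Header Validation: AllowHosts follows the same list rule.
    if "AllowHosts" in params:
        findings["allow-hosts"] = check_url_list(params["AllowHosts"])
    else:
        findings["allow-hosts"] = ["AllowHosts not configured"]
    # CSP: each directive exactly once (the WARNING about duplicate tags),
    # with a value that starts with the directive's own name.
    seen = {}
    for cp in root.iter("context-param"):
        name = cp.findtext("param-name")
        if name in CSP_DIRECTIVES:
            seen.setdefault(name, []).append(cp.findtext("param-value") or "")
    csp = []
    for name in CSP_DIRECTIVES:
        values = seen.get(name, [])
        if not values:
            csp.append(f"{name} missing")
        elif len(values) > 1:
            csp.append(f"{name} duplicated {len(values)} times; remove duplicates")
        elif not values[0].startswith(name + " "):
            csp.append(f"{name} value should begin with '{name}'")
    findings["csp"] = csp
    return findings

if __name__ == "__main__":
    for setting, problems in audit(SAMPLE_WEB_XML).items():
        print(f"{setting}: {'OK' if not problems else '; '.join(problems)}")
```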


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server's administration guide for additional details.

• Enabling HTTPS Configuration for OFSAA
• Security Configuration for Tomcat
• Security Configuration for WebSphere
• Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:
• To enable HTTPS post installation
• To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.
2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.
   TIP: Multiple cipher suites have to be comma-separated.
   For example:
   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:
   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:
   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
4. Configure for Secure and HttpOnly using the following procedure:
   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.
   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.
   c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:
      <cookie-config>
          <http-only>true</http-only>
          <secure>true</secure>
      </cookie-config>
5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:
      <init-param>
          <param-name>listings</param-name>
          <param-value>false</param-value>
      </init-param>
6. Post configuration, restart the Tomcat service.
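Steps 1 to 6 touch three Tomcat files, and a reviewer would want to confirm all of them before the restart. The following audit is an added example, not part of the Oracle guide; the server.xml, context.xml and web.xml samples, the /OFSAAI context and the host app.mysite.com are constructed to mirror the guide's NOTE about the cookie domain.

```python
# Added example (not from the Oracle guide): audits Tomcat's server.xml,
# context.xml and conf/web.xml for the settings in this section. All three
# inputs are constructed samples, in a weak and a hardened variant.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SERVER_XML_WEAK = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" sslProtocol="TLS"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/OFSAAI" docBase="OFSAAI"
                 sessionCookiePath="/OFSAAI" sessionCookieDomain="mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""
# Hardened variant: TLSv1.2 with an explicit cipher list and secure="true",
# cookie domain set to the host users actually connect to.
SERVER_XML_HARDENED = SERVER_XML_WEAK.replace(
    'sslProtocol="TLS"',
    'sslProtocol="TLSv1.2" secure="true" '
    'ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"',
).replace('sessionCookieDomain="mysite.com"',
          'sessionCookieDomain="app.mysite.com"')

CONTEXT_XML_WEAK = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
CONTEXT_XML_HARDENED = CONTEXT_XML_WEAK.replace("<Context>", '<Context useHttpOnly="true">')

WEB_XML_WEAK = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>
"""
WEB_XML_HARDENED = WEB_XML_WEAK.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>"
).replace(
    "</session-timeout>",
    "</session-timeout><cookie-config><http-only>true</http-only>"
    "<secure>true</secure></cookie-config>",
)

def init_param(servlet, name):
    """Value of the named <init-param> of a <servlet> element, or None."""
    for p in servlet.iter("init-param"):
        if p.findtext("param-name") == name:
            return p.findtext("param-value")
    return None

def audit_tomcat(server_xml, context_xml, web_xml, app_url):
    """Return the deviations from the guide's Tomcat settings as strings.

    app_url is the URL users type (e.g. https://app.mysite.com/OFSAAI); the
    guide wants sessionCookieDomain to be that host, not its parent domain.
    """
    findings = []
    server = ET.fromstring(server_xml)
    for conn in server.iter("Connector"):
        if conn.get("SSLEnabled") != "true":
            continue  # only the TLS connector is in scope here
        if conn.get("sslProtocol") != "TLSv1.2":
            findings.append("Connector sslProtocol is not TLSv1.2")
        if not conn.get("ciphers"):
            findings.append("Connector has no ciphers attribute")
        if conn.get("secure") != "true":
            findings.append('Connector lacks secure="true"')
    expected_host = urlsplit(app_url).hostname
    for ctx in server.iter("Context"):
        if ctx.get("sessionCookieDomain") != expected_host:
            findings.append(f"sessionCookieDomain should be {expected_host}, "
                            f"found {ctx.get('sessionCookieDomain')!r}")
        if not ctx.get("sessionCookiePath"):
            findings.append("sessionCookiePath not set to the OFSAAI context")
    if ET.fromstring(context_xml).get("useHttpOnly") != "true":
        findings.append('context.xml <Context> lacks useHttpOnly="true"')
    web = ET.fromstring(web_xml)
    for servlet in web.iter("servlet"):
        if (servlet.findtext("servlet-name") == "default"
                and init_param(servlet, "listings") != "false"):
            findings.append("default servlet listings is not false")
    cookie = web.find("session-config/cookie-config")
    if (cookie is None or cookie.findtext("http-only") != "true"
            or cookie.findtext("secure") != "true"):
        findings.append("web.xml cookie-config must set http-only and secure")
    return findings

if __name__ == "__main__":
    url = "https://app.mysite.com/OFSAAI"
    for f in audit_tomcat(SERVER_XML_WEAK, CONTEXT_XML_WEAK, WEB_XML_WEAK, url):
        print("WEAK:", f)
    print("HARDENED:", audit_tomcat(SERVER_XML_HARDENED, CONTEXT_XML_HARDENED,
                                    WEB_XML_HARDENED, url))
```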

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu, select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.
3. In the Configuration tab, click the Session Management link in the Container Settings section.
4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:
   Cookie Name - JSESSIONID
   Cookie domain - <domain>
   Cookie Path - <context>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
6. Make sure the following checkboxes are selected:
   • Restrict Cookies to HTTPS Sessions
   • Set session cookies to HTTPOnly to prevent cross-site scripting attacks
7. Click Apply and save the changes.
8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).
2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.
3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.
2. Click Security from the left menu and click Global security to display the Global security window.
3. Select Enable administrative security and Enable application security.
4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.

For additional information, see
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the .ear file on your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.
2. In the Configuration tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.
4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.
5. On save, select the Auth Cookie Enabled checkbox and resave the change.
6. Configure session Secure and HttpOnly:
   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:
      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:

      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
          <session-descriptor>
              <cookie-name>JSESSIONID</cookie-name>
              <cookie-domain><domain></cookie-domain>
              <cookie-path><context></cookie-path>
              <cookie-http-only>true</cookie-http-only>
              <cookie-secure>true</cookie-secure>
          </session-descriptor>
      </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:

      <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
      </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:
   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:
      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12
   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.
      Example:

      <ssl>
          <name><servername></name>
          <enabled>true</enabled>
          <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>

      For more information, see
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743
      For more details about strong cipher configuration, see
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:
      <index-directory-enabled>false</index-directory-enabled>
   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.
9. Build the .ear file and deploy it onto the WebLogic server.


10. Restart services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.
2. Log in to the Tomcat Web Application Manager.
3. Undeploy the Examples application from Tomcat:
   Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.
4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.
5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):

   Section I

   <Context path="/examples" docBase="examples" debug="0"
            reloadable="true" crossContext="true">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="localhost_examples_log." suffix=".txt"
               timestamp="true"/>
       <Ejb name="ejb/EmplRecord" type="Entity"
            home="com.wombat.empl.EmployeeRecordHome"
            remote="com.wombat.empl.EmployeeRecord"/>

   Section II

       <Environment name="maxExemptions" type="java.lang.Integer"
                    value="15"/>
       <Parameter name="context.param.name" value="context.param.value"
                  override="false"/>
       <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                 type="javax.sql.DataSource"/>
       <ResourceParams name="jdbc/EmployeeAppDb">
           <parameter><name>user</name><value>sa</value></parameter>
           <parameter><name>password</name><value></value></parameter>
           <parameter><name>driverClassName</name>
               <value>org.hsql.jdbcDriver</value></parameter>
           <parameter><name>driverName</name>
               <value>jdbc:HypersonicSQL:database</value></parameter>
       </ResourceParams>
       <Resource name="mail/Session" auth="Container"
                 type="javax.mail.Session"/>
       <ResourceParams name="mail/Session">
           <parameter>
               <name>mail.smtp.host</name>
               <value>localhost</value>
           </parameter>
       </ResourceParams>
       <ResourceLink name="linkToGlobalResource"
                     global="simpleValue"
                     type="java.lang.Integer"/>
   </Context>

6 Delete CATALINA_HOMEwebappsROOTindexjsp file

7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml

8 Comment the following two tags from CATALINA_HOMEconfwebxml file

ltwelcome-filegtindexhtmltwelcome-filegt

ltwelcome-filegtindexjspltwelcome-filegt

9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-

usersxml file

Following are some examples

ltuser username=both password=b$12 roles=tomcatrole1gt

ltuser username=tomcat password=t$12 roles=tomcatgt

ltuser username=admin password=a$12 roles=adminmanagergt

ltuser username=role1 password=r$12 roles=role1gt
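The nine steps above leave a Tomcat installation that can be verified. The following audit script is an added example, not part of the Oracle guide: it checks a CATALINA_HOME for the artifacts that steps 3, 5, 6, 8 and 9 remove, and builds a constructed sample tree in both states so the audit can be exercised offline (the list of well-known passwords is a constructed starting point, not Tomcat's full set).

```python
"""Added example, not from the Oracle guide: audit a CATALINA_HOME for the
default artifacts that steps 3, 5, 6, 8 and 9 above remove, plus a builder
for a constructed sample tree in both states so the audit can run offline.
The list of well-known passwords is a starting point, not Tomcat's full set."""
import os
import re
import tempfile

# Values seen in Tomcat's own shipped tomcat-users.xml examples; extend per site.
WELL_KNOWN_PASSWORDS = {"tomcat", "s3cret", ""}

def _read_without_comments(path):
    """File text with <!-- ... --> removed: a commented-out section counts as removed."""
    with open(path, encoding="utf-8") as fh:
        return re.sub(r"<!--.*?-->", "", fh.read(), flags=re.S)

def audit_tomcat_defaults(home):
    """Return a list of findings; an empty list means every step has been applied."""
    findings = []
    if os.path.isdir(os.path.join(home, "webapps", "examples")):
        findings.append("step 3: webapps/examples is still deployed")
    server_xml = os.path.join(home, "conf", "server.xml")
    if os.path.isfile(server_xml) and re.search(
            r'<Context\b[^>]*\bpath="/examples"', _read_without_comments(server_xml)):
        findings.append("step 5: conf/server.xml still has an active /examples Context")
    if os.path.isfile(os.path.join(home, "webapps", "ROOT", "index.jsp")):
        findings.append("step 6: webapps/ROOT/index.jsp still present")
    web_xml = os.path.join(home, "conf", "web.xml")
    if os.path.isfile(web_xml) and re.search(
            r"<welcome-file>\s*index\.(html|jsp)\s*</welcome-file>", _read_without_comments(web_xml)):
        findings.append("step 8: conf/web.xml still lists index.html/index.jsp as welcome files")
    users_xml = os.path.join(home, "conf", "tomcat-users.xml")
    if os.path.isfile(users_xml):
        for tag in re.findall(r"<user\b[^>]*>", _read_without_comments(users_xml)):
            attrs = dict(re.findall(r'(\w+)="([^"]*)"', tag))
            if attrs.get("password", "") in WELL_KNOWN_PASSWORDS:
                findings.append(f"step 9: user {attrs.get('username', '?')!r} keeps a default or empty password")
    return findings

def make_sample_tomcat(hardened):
    """Create a constructed CATALINA_HOME in a temp dir: still carrying the
    defaults (hardened=False) or with steps 3, 5, 6, 7, 8 and 9 applied."""
    home = tempfile.mkdtemp(prefix="tomcat-audit-")
    conf, root = os.path.join(home, "conf"), os.path.join(home, "webapps", "ROOT")
    os.makedirs(conf)
    os.makedirs(root)
    context = ('<Context path="/examples" docBase="examples" debug="0"\n'
               '         reloadable="true" crossContext="true">\n</Context>\n')
    welcome = "<welcome-file>index.html</welcome-file>\n<welcome-file>index.jsp</welcome-file>\n"
    user = '<user username="tomcat" password="%s" roles="tomcat"/>\n'
    if hardened:
        open(os.path.join(root, "index.html"), "w").close()  # step 7: blank index.html
        files = {"server.xml": f"<Server>\n<!--\n{context}-->\n</Server>\n",
                 "web.xml": f"<web-app>\n<!--\n{welcome}-->\n</web-app>\n",
                 "tomcat-users.xml": "<tomcat-users>\n%s</tomcat-users>\n" % (user % "site-specific-secret")}
    else:
        os.makedirs(os.path.join(home, "webapps", "examples"))
        open(os.path.join(root, "index.jsp"), "w").close()
        files = {"server.xml": f"<Server>\n{context}</Server>\n",
                 "web.xml": f"<web-app>\n{welcome}</web-app>\n",
                 "tomcat-users.xml": "<tomcat-users>\n%s</tomcat-users>\n" % (user % "tomcat")}
    for name, text in files.items():
        with open(os.path.join(conf, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return home

if __name__ == "__main__":
    for state in (False, True):
        home = make_sample_tomcat(hardened=state)
        print("hardened" if state else "default ", audit_tomcat_defaults(home) or "clean")
```

Run it against a real installation with `audit_tomcat_defaults(os.environ["CATALINA_HOME"])`; anything it reports maps back to the numbered step that removes it.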

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses. Modify the httpd.conf file and set:

• the "ServerTokens" parameter to "Prod"
• the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files of certain file types. This configuration is applicable to all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the following values set for the parameter; this list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
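The following is an added example, not the platform's own code, of applying that allowlist to an uploaded file name. Only the final extension counts, and the comparison is exact (case-sensitive): the shipped value listing both "doc" and "Doc" suggests the platform compares this way, but that is an assumption here, not documented behaviour.

```python
"""Added example, not Oracle's code: apply the DOCUMENT_ALLOWED_EXTENSION
allowlist from section 5.3 to an uploaded file name. Only the final extension
counts and the comparison is exact (case-sensitive); that the shipped value lists
both "doc" and "Doc" suggests the platform compares this way, but that is an
assumption here, not documented behaviour."""
import posixpath

# Value quoted in section 5.3 for the current release; extend it per site policy.
DOCUMENT_ALLOWED_EXTENSION = "txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, jpeg"

def parse_allowed(value=DOCUMENT_ALLOWED_EXTENSION):
    """Turn the comma-separated PARAMVALUE into a set of extensions (no dots)."""
    return {e.strip().lstrip(".") for e in value.split(",") if e.strip()}

def final_extension(filename):
    """Extension after the LAST dot of the base name, or None.
    Directory parts are dropped first so a path cannot hide the real name,
    and a dotfile or a trailing dot ("archive.") yields no extension."""
    base = posixpath.basename(filename.replace("\\", "/")).strip()
    head, dot, ext = base.rpartition(".")
    if not dot or not head or not ext:
        return None
    return ext

def is_upload_allowed(filename, allowed=None):
    """Mirror the rule in 5.3: block unless the final extension is on the list."""
    allowed = parse_allowed() if allowed is None else allowed
    ext = final_extension(filename)
    return ext is not None and ext in allowed

if __name__ == "__main__":
    for name in ("report.pdf", "report.PDF", "invoice.pdf.exe", "notes", "a/b/.htaccess"):
        print(f"{name:18} {'allowed' if is_upload_allowed(name) else 'blocked'}")
```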

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST.

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
       RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of the WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

       <security-constraint>
         <web-resource-collection>
           <web-resource-name>restricted methods</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>PUT</http-method>
           <http-method>PATCH</http-method>
           <http-method>HEAD</http-method>
           <http-method>DELETE</http-method>
           <http-method>OPTIONS</http-method>
           <http-method>TRACE</http-method>
           <http-method>CONNECT</http-method>
         </web-resource-collection>
         <auth-constraint/>
       </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXT NAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
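Before ant.sh rebuilds the EAR/WAR, the web.xml edit in step 2a can be checked offline. The following evaluator is an added example, not Oracle's code: it works out which methods the security constraint denies for a given request path, using a constructed copy of the snippet above; the empty `<auth-constraint/>` is what makes the denial apply to every caller, and any method not listed stays allowed.

```python
"""Added example, not Oracle's code: evaluate which HTTP methods the
<security-constraint> from section 5.4 denies for a given request path, so the
web.xml edit can be checked before ant.sh rebuilds the EAR/WAR. The sample
web.xml is a constructed copy of the snippet above."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # ignore a Java EE namespace if present

def _pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension (*.jsp), default (/)."""
    if pattern == path or pattern == "/*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"

def denied_methods(web_xml_text, path):
    """Methods that an empty <auth-constraint/> (no role-name, so no caller is
    ever authorised) denies for path. "*" means every method is denied."""
    denied = set()
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue  # no auth-constraint, or a role-based one: not a blanket denial
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = {e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"}
            if any(_pattern_matches(p, path) for p in patterns):
                # Caveat: listing methods explicitly leaves any method NOT listed
                # (for example a custom verb) allowed; omit <http-method> to cover all.
                denied.update(methods or {"*"})
    return denied

def is_allowed(web_xml_text, method, path):
    """True if the constraint lets method through for path."""
    denied = denied_methods(web_xml_text, path)
    return "*" not in denied and method.upper() not in denied

if __name__ == "__main__":
    for m in ("GET", "POST", "PUT", "HEAD", "TRACE"):
        state = "allowed" if is_allowed(SAMPLE_WEB_XML, m, "/ofsaa/login.jsp") else "denied"
        print(f"{m:8} {state}")
```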

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity, and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having the store type SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following.

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for the following groups of keywords and key characters, whose PARAMNAME entries are present in the CONFIGURATION table:

• JavascriptKeyWords - XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (meta characters such as ", ', (, ), <, or >), then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, or Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, or Truncate) for the XSS check, then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the CONFIGURATION table present in the Configuration Schema. The cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

| PARAMNAME | PARAMVALUE | DESCRIPTION |
| --- | --- | --- |
| XSS_IS_CHECK_REQUIRED | TRUE | Parameter to decide whether the XSS check is to be enabled or not |
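The keyword-combination rules of 7.4 and 7.5, the XSS_IS_CHECK_REQUIRED switch of 7.6.1 and the log record of 7.6.3 can be seen working together in the following added example; it is not the product's FilterServlet. The CONFIGURATION rows are constructed from the examples the guide quotes (the full lists are in the table itself and in MOS Doc ID 2311605.1), and whole-word matching for keywords is this example's choice, not documented behaviour.

```python
"""Added example, not the product's FilterServlet: the keyword-combination
rules of 7.4 and 7.5 run over sample request parameters, honouring the
XSS_IS_CHECK_REQUIRED switch of 7.6.1 and writing the date/time/URL/user
record that 7.6.3 describes for CSSLogger.log. The CONFIGURATION rows below
are constructed from the examples the guide quotes; the full lists live in
the table itself and in MOS Doc ID 2311605.1. Whole-word matching for keywords
is our choice, not documented behaviour."""
import re
from datetime import datetime

CONFIGURATION = {  # PARAMNAME -> PARAMVALUE, constructed
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'", "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")", "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select", "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
}

def load_group(config, prefix):
    """All PARAMVALUEs whose PARAMNAME is prefix followed by a number."""
    return {v.lower() for k, v in config.items() if re.fullmatch(re.escape(prefix) + r"\d+", k)}

def _has_word(text, word):
    # Whole-word, case-insensitive, so "returned" does not trip on "return".
    return re.search(r"(?<![A-Za-z0-9_])" + re.escape(word) + r"(?![A-Za-z0-9_])", text, re.I) is not None

def check_request(params, config=CONFIGURATION):
    """Return [(parameter, rule), ...]; an empty list means the request passes."""
    # 7.6.1: no check when the entry is missing or anything other than TRUE.
    if config.get("XSS_IS_CHECK_REQUIRED", "").upper() != "TRUE":
        return []
    js_words, js_chars = load_group(config, "XSS_JS_KEYWORDS"), load_group(config, "XSS_JS_METACHARS")
    sql_keys, sql_words = load_group(config, "XSS_SQL_KEYWORDS"), load_group(config, "XSS_SQL_WORDS")
    findings = []
    for name, value in params.items():
        # 7.4: a JavascriptKeyWord together with a JavascriptKeyChar
        if any(_has_word(value, w) for w in js_words) and any(c in value for c in js_chars):
            findings.append((name, "XSS"))
        # 7.5: an SQLWord together with an SQLKeyWord
        if any(_has_word(value, w) for w in sql_words) and any(_has_word(value, k) for k in sql_keys):
            findings.append((name, "SQL_INJECTION"))
    return findings

def css_log_line(url, user, finding, when=None):
    """One CSSLogger.log record with the fields 7.6.3 lists: date, time, URL, user."""
    when = when or datetime.now()
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {url} {user} {finding[1]} in parameter {finding[0]}"

SAMPLE_REQUEST = {  # constructed form submission
    "comment": "Please return the signed form by Friday",  # keyword but no metachar: passes
    "name": "O'Brien",                                     # metachar but no keyword: passes
    "search": "<script>alert(1)</script>",                 # keyword + metachar: blocked (XSS)
    "filter": "x'; drop table users --",                   # SQLKeyWord + SQLWord: blocked
}

if __name__ == "__main__":
    for f in check_request(SAMPLE_REQUEST):
        print(css_log_line("/ofsaa/form.jsp", "user1", f))
```

The first two parameters show why the rule is a combination: a keyword alone or a meta character alone is not blocked, which keeps ordinary text such as a surname with an apostrophe usable.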

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the CONFIGURATION table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.


OFS Analytical Applications Infrastructure Security Guide

Copyright © 2020 Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

For information on third party licenses, click here.


Document Control

| Version Number | Revision Date | Change Log |
| --- | --- | --- |
| Draft | January 2015 | Made the document generic for all releases. This document captures the necessary security related configurations. |
| 1.0 | April 2015 | Added section 3.3 Configuration to restrict file uploads for the Ngan Hang SR 3-10413030421. |
| 2.0 | November 2015 | Added section 3.4 based on Bug 21810721. |
| 3.0 | December 2015 | Updated the Web Application Server Security Configuration section based on Bug 22070501. |
| 4.0 | June 2016 | Added content based on Bug 23603150. |
| 5.0 | December 2016 | Rectified the broken link in the TLS Configuration for WebLogic section. Modified the Configuration to restrict HTTP methods other than GET/POST section based on Bug 25308546. |
| 6.0 | June 2017 | Added section 'Configuring Application Security' for Bugs 25957230, 25990244 and 25957206. |
| 7.0 | August 2017 | Updated for Bug 26568700. |
| 8.0 | September 2017 | Removed the list of filter servlet keywords and created a MOS document. |
| 9.0 | May 2018 | Updated for security enhancements in 8.0.6.0.0. |
| 10.0 | August 2018 | Added back the Filter Servlet chapter for Doc 28542034. |
| 11.0 | October 2018 | Updated for Doc 28672747 and Doc 28771653. |
| 12.0 | February 2019 | Updated for Doc 29288736, 29352320 and 29352863. |
| 13.0 | May 2019 | Added a new chapter for Secure Database Connection. |
| 14.0 | Aug 2019 | Added generic system configuration information in Security Configurations for Doc 30204166. Added a tip to configure from SSLv3 to TLSv1.2 in Enabling HTTPS Configuration for OFSAA for Doc 30171443. |
| 15.0 | Dec 2019 | Updated the section Configuration to set Content Security Policy with information for validation of the web.xml file (Doc 30622153). |


Table of Contents

1 Preface ... 6
1.1 Summary ... 6
1.2 Audience ... 6
1.2.1 Prerequisites for the Audience ... 6
1.3 Related Documents ... 6
2 Secure Configurations ... 8
2.1 Security Configurations ... 8
3 Secure Header Configuration ... 10
3.1 Configuration for X-Frame-Options ... 10
3.2 Configuration to set Content Security Policy ... 11
3.3 Configuration for Referrer Header Validation ... 12
4 Web Application Server Security Configurations ... 14
4.1 Enabling HTTPS Configuration for OFSAA ... 14
4.2 Security Configuration for Tomcat ... 14
4.3 Security Configuration for WebSphere ... 15
4.3.1 Session Management Secure and HttpOnly Configuration ... 15
4.3.2 TLS Configuration for WebSphere ... 18
4.3.3 Configuring Application Security ... 18
4.3.4 Disable Directory Listing ... 19
4.4 Security Configuration for WebLogic ... 19
5 Additional Security Configurations ... 23
5.1 Configuration to Restrict Access to Default Web Server Pages ... 23
5.2 Configuration to Restrict Display of the Web Server Details ... 24
5.3 Configuration to Restrict File Uploads ... 25
5.4 Configuration to restrict HTTP methods other than GET/POST ... 25
5.5 Configuration to enable unlimited cryptographic policy for Java ... 26
6 Secure Database Connection ... 27
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) ... 27
7 Appendix A - Filter Servlet ... 28
7.1 Introduction ... 28
7.2 Security and Access ... 28
7.3 Vulnerability Checks ... 28
7.4 Cross Site Scripting ... 28
7.5 SQL Injection ... 29
7.6 Filter Servlet Configurations ... 29
7.6.1 Checking for XSS Vulnerability ... 29
7.6.2 Exclusion of Keywords/Key Characters ... 29
7.6.3 Debug Logs ... 29


1 Preface

This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:

• Secure Configurations
• Secure Header Configurations
• Web Application Server Security Configurations
• Additional Security Configurations

1.1 Summary

The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.

1.2 Audience

This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration, and Web Application Administration to install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience

This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:

• OFS AAAI pack components
• OFSAA Architecture
• UNIX Commands
• Database Concepts
• Web server/Web application server

1.3 Related Documents

This section identifies additional documents related to OFSAA Infrastructure:

• Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
• Oracle Financial Services Analytical Applications Environment Check Utility Guide
• Oracle Financial Services Analytical Applications Infrastructure Administration Guide
• Oracle Financial Services Analytical Applications Infrastructure User Guide


2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for an OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.

• Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

• TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

• Key Management - The OFSAA configuration schema (CONFIG) is the repository to store passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed. The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

  NOTE: Integration with any other key management solution is out of scope for this release.

• File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

• Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

• Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

• Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

• SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.

• Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

• Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

• Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

• Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

• Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

• System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

  • Set session timeout
  • Enable CSRF
  • Set frequency of password change
  • Configure password restriction details
  • Configure password history
  • Configure security questions for password reset
  • Configure the activation period by setting Dormant Days, Inactive Days, and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

• Configuration for X-Frame-Options
• Configuration to set Content Security Policy
• Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following security filter configuration for the response header. The web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains:

   X-Frame-Options

       <filter>
         <filter-name>FilterServlet</filter-name>
         <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
         <init-param>
           <param-name>mode</param-name>
           <param-value>ALLOW-FROM <URL1> <URL2></param-value>
         </init-param>
       </filter>

   NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.

   X-Frame-Options is supported only on the Internet Explorer browser.

   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.

3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

       <context-param>
         <param-name>default-src</param-name>
         <param-value>default-src 'self'</param-value>
       </context-param>
       <context-param>
         <param-name>script-src</param-name>
         <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
       </context-param>
       <context-param>
         <param-name>img-src</param-name>
         <param-value>img-src 'self' data:</param-value>
       </context-param>
       <context-param>
         <param-name>style-src</param-name>
         <param-value>style-src 'self' 'unsafe-inline'</param-value>
       </context-param>

   WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

   If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:

       <context-param>
         <param-name>default-src</param-name>
         <param-value>default-src 'self'</param-value>
       </context-param>
       <context-param>
         <param-name>script-src</param-name>
         <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
       </context-param>
       <context-param>
         <param-name>img-src</param-name>
         <param-value>img-src <IMGURL> 'self' data:</param-value>
       </context-param>
       <context-param>
         <param-name>style-src</param-name>
         <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
       </context-param>

   In the previous example, you have to define the policy by replacing:

   • default-src - with no value. This value sets it to 'self'.
   • <SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.
   • <IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.
   • <CSSURL> - with the URL of the stylesheet to allow styles from the specified stylesheet and to prevent styles from other sources.

33 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing validated host URLs

Perform the following steps to configure referrer header validation

1 Navigate to webxml found in $FIC_HOMEficwebwebrootWEB-INF

2 Add the following tag

ltfiltergt

ltfilter-namegtFilterServletltfilter-namegt

ltfilter-classgtcomiflexficfiltersFilterServletltfilter-classgt

ltinit-paramgt

ltparam-namegtAllowHostsltparam-namegt

ltparam-valuegt ltURL1gt ltURL2gt ltparam-valuegt

SECURE HEADER CONFIGURATION

CONFIGURATION FOR REFERRER HEADER VALIDATION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 13

ltinit-paramgt

ltfiltergt

NOTE Separate ltURL1gt and ltURL2gt with a single space Adding the URLs without a space between them or adding two or more spaces between them results in errors Make sure that ltURLgt ends with a forward slash ()
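A reference implementation of the AllowHosts contract in the note above, added here as an illustration; it is not part of OFSAA or its FilterServlet. It assumes three things the guide does not state: surrounding whitespace inside the XML element is tolerated, an allowed URL matches a Referer when scheme and host:port are identical and the Referer path starts with the allowed path, and a request without a Referer is rejected. The guide itself only gives the single-space and trailing-slash rules. ALLOW_HOSTS is a constructed sample value.

```python
from typing import List, Optional
from urllib.parse import urlsplit


def parse_allow_hosts(param_value: str) -> List[str]:
    """Parse the AllowHosts <param-value> as the note requires: absolute URLs
    separated by exactly one space, each ending with '/'. Whitespace around
    the whole value is tolerated (assumption); the malformed forms the note
    warns about raise ValueError."""
    value = param_value.strip()
    if not value:
        raise ValueError("AllowHosts is empty")
    if "  " in value:
        raise ValueError("two or more spaces between URLs")
    hosts = value.split(" ")
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"not an absolute http(s) URL: {host!r}")
        if not host.endswith("/"):
            raise ValueError(f"URL must end with a forward slash: {host!r}")
    return hosts


def allow_hosts_error(param_value: str) -> Optional[str]:
    """Return the parse error for a <param-value>, or None when it is valid."""
    try:
        parse_allow_hosts(param_value)
        return None
    except ValueError as exc:
        return str(exc)


def referrer_allowed(referer: Optional[str], allowed: List[str]) -> bool:
    """Accept a request only when its Referer lies under one of the allowed
    base URLs. A missing or non-http Referer is rejected (assumption about
    the filter; the guide does not say what it does in that case)."""
    if not referer:
        return False
    ref = urlsplit(referer)
    if ref.scheme not in ("http", "https"):
        return False
    for base in allowed:
        b = urlsplit(base)
        # Compare the whole authority, so "https://app.mysite.com@evil.example/"
        # is not mistaken for app.mysite.com.
        if (ref.scheme, ref.netloc.lower()) != (b.scheme, b.netloc.lower()):
            continue
        # The mandatory trailing slash turns this into a directory-prefix match:
        # ".../ofsaa/" does not accept ".../ofsaa-other/".
        if (ref.path or "/").startswith(b.path):
            return True
    return False


# Constructed sample configuration, not a real deployment.
ALLOW_HOSTS = "https://app.mysite.com/ofsaa/ https://reports.mysite.com/"
ALLOWED = parse_allow_hosts(ALLOW_HOSTS)

if __name__ == "__main__":
    for ref in ("https://app.mysite.com/ofsaa/home.jsp",
                "https://app.mysite.com/ofsaa-other/",
                "http://app.mysite.com/ofsaa/",
                None):
        print(ref, "->", "allow" if referrer_allowed(ref, ALLOWED) else "block")
```

The scheme comparison matters: with HTTPS enforced (section 4.1), an http:// Referer for the same host is a downgrade and is rejected here rather than accepted.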

4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

• Enabling HTTPS Configuration for OFSAA
• Security Configuration for Tomcat
• Security Configuration for WebSphere
• Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.

• To enable HTTPS post installation
• To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

   TIP: Multiple cipher suites have to be comma-separated.

   For example:

       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

       sessionCookiePath="<context>"
       sessionCookieDomain="<domain>"

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.

   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

       <init-param>
           <param-name>listings</param-name>
           <param-value>false</param-value>
       </init-param>

6. Post configuration, restart the Tomcat service.
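An offline audit of the three Tomcat files touched by steps 1 to 5, added here as an example; it is not an Oracle or Apache tool. The sample server.xml, context.xml and web.xml fragments are constructed, each with a deliberate gap so that every audit reports something. The "weak cipher" markers and the forward-secrecy requirement are the editor's reading of the OWASP pages linked above, not rules stated in this guide.

```python
import xml.etree.ElementTree as ET
from typing import List

# Suites containing these markers are treated as weak; the forward-secrecy test
# below is likewise the editor's reading of the OWASP guidance, not OFSAA policy.
WEAK_MARKERS = ("NULL", "ANON", "EXPORT", "RC4", "DES", "MD5")


def _root(xml_text: str) -> ET.Element:
    """Parse XML and strip namespaces, so web.xml's javaee namespace is ignored."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def check_cipher_suite(suite: str) -> List[str]:
    up = suite.strip().upper()
    if any(marker in up for marker in WEAK_MARKERS):
        return [f"weak cipher suite: {suite.strip()}"]
    if "ECDHE" not in up and "DHE" not in up:
        return [f"no forward secrecy: {suite.strip()}"]
    return []


def audit_server_xml(xml_text: str, expected_host: str) -> List[str]:
    """Steps 1, 2, 3 and 4b: TLS 1.2 only, strong ciphers, secure="true", and the
    session cookie pinned to the context path and the full host name."""
    root = _root(xml_text)
    findings: List[str] = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port", "?")
        proto = c.get("sslProtocol", "")
        if proto.upper().replace(" ", "") not in ("TLSV1.2", "TLS1.2"):
            findings.append(f"connector {port}: sslProtocol={proto!r}, expected TLSv1.2")
        if c.get("secure", "").lower() != "true":
            findings.append(f'connector {port}: secure="true" missing')
        suites = [s for s in c.get("ciphers", "").split(",") if s.strip()]
        if not suites:
            findings.append(f"connector {port}: no explicit ciphers list")
        for s in suites:
            findings.extend(check_cipher_suite(s))
    for ctx in root.iter("Context"):
        if not ctx.get("sessionCookiePath"):
            findings.append("Context: sessionCookiePath not set")
        domain = ctx.get("sessionCookieDomain")
        if domain is None:
            findings.append("Context: sessionCookieDomain not set")
        elif domain.lower() != expected_host.lower():
            findings.append(f"Context: sessionCookieDomain={domain!r}, expected {expected_host!r}")
    return findings


def audit_context_xml(xml_text: str) -> List[str]:
    """Step 4a: useHttpOnly="true" on the <Context> element of context.xml."""
    ctx = _root(xml_text)
    if ctx.tag != "Context" or ctx.get("useHttpOnly", "").lower() != "true":
        return ['context.xml: useHttpOnly="true" missing on <Context>']
    return []


def audit_web_xml(xml_text: str) -> List[str]:
    """Steps 4c and 5: cookie-config flags and listings=false on the default servlet."""
    root = _root(xml_text)
    findings: List[str] = []
    cookie = root.find("./session-config/cookie-config")
    for tag in ("http-only", "secure"):
        el = cookie.find(tag) if cookie is not None else None
        if el is None or (el.text or "").strip().lower() != "true":
            findings.append(f"web.xml: <{tag}>true</{tag}> missing in cookie-config")
    for servlet in root.iter("servlet"):
        if not servlet.findtext("servlet-class", "").endswith("DefaultServlet"):
            continue
        params = {p.findtext("param-name", "").strip(): p.findtext("param-value", "").strip()
                  for p in servlet.iter("init-param")}
        if params.get("listings", "false").lower() != "false":
            findings.append("web.xml: default servlet has listings enabled")
    return findings


# Constructed samples with deliberate gaps, so every audit reports something.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA"/>
  <Engine name="Catalina"><Host name="localhost">
    <Context path="/ofsaa" sessionCookiePath="/ofsaa" sessionCookieDomain="mysite.com"/>
  </Host></Engine></Service></Server>"""
CONTEXT_XML = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config><cookie-config><http-only>true</http-only></cookie-config></session-config>
</web-app>"""

if __name__ == "__main__":
    for finding in (audit_server_xml(SERVER_XML, "app.mysite.com")
                    + audit_context_xml(CONTEXT_XML) + audit_web_xml(WEB_XML)):
        print(finding)
```

Run it against the real files with the host name users type into the browser; the sessionCookieDomain check is the programmatic form of the NOTE under step 3 (app.mysite.com, not mysite.com).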

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu, select Server > Server Types > WebSphere application servers.

2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.

5. Enter the following details:

   • Cookie Name - JSESSIONID
   • Cookie domain - <domain>
   • Cookie Path - <context>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   • Restrict Cookies to HTTPS Sessions
   • Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.

4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.

4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.

3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

          <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
              <session-descriptor>
                  <cookie-name>JSESSIONID</cookie-name>
                  <cookie-domain><domain></cookie-domain>
                  <cookie-path><context></cookie-path>
                  <cookie-http-only>true</cookie-http-only>
                  <cookie-secure>true</cookie-secure>
              </session-descriptor>
          </weblogic-web-app>

   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

          <session-descriptor>
              <cookie-name>JSESSIONID</cookie-name>
              <cookie-domain><domain></cookie-domain>
              <cookie-path><context></cookie-path>
              <cookie-http-only>true</cookie-http-only>
              <cookie-secure>true</cookie-secure>
          </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

          -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

          <ssl>
              <name><servername></name>
              <enabled>true</enabled>
              <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
          </ssl>

      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

       <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.

10. Restart the services.

5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat.

   Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):

   Section I

       <Context path="/examples" docBase="examples" debug="0"
                reloadable="true" crossContext="true">
           <Logger className="org.apache.catalina.logger.FileLogger"
                   prefix="localhost_examples_log." suffix=".txt"
                   timestamp="true"/>
           <Ejb name="ejb/EmplRecord" type="Entity"
                home="com.wombat.empl.EmployeeRecordHome"
                remote="com.wombat.empl.EmployeeRecord"/>

   Section II

           <Environment name="maxExemptions" type="java.lang.Integer"
                        value="15"/>
           <Parameter name="context.param.name" value="context.param.value"
                      override="false"/>
           <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                     type="javax.sql.DataSource"/>
           <ResourceParams name="jdbc/EmployeeAppDb">
               <parameter><name>user</name><value>sa</value></parameter>
               <parameter><name>password</name><value></value></parameter>
               <parameter><name>driverClassName</name>
                   <value>org.hsql.jdbcDriver</value></parameter>
               <parameter><name>driverName</name>
                   <value>jdbc:HypersonicSQL:database</value></parameter>
           </ResourceParams>
           <Resource name="mail/Session" auth="Container"
                     type="javax.mail.Session"/>
           <ResourceParams name="mail/Session">
               <parameter>
                   <name>mail.smtp.host</name>
                   <value>localhost</value>
               </parameter>
           </ResourceParams>
           <ResourceLink name="linkToGlobalResource"
                         global="simpleValue"
                         type="java.lang.Integer"/>
       </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags from the CATALINA_HOME/conf/web.xml file:

       <welcome-file>index.html</welcome-file>
       <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

   Following are some examples:

       <user username="both" password="b$12" roles="tomcat,role1"/>
       <user username="tomcat" password="t$12" roles="tomcat"/>
       <user username="admin" password="a$12" roles="admin,manager"/>
       <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.

Modify the httpd.conf file and set:

• the "ServerTokens" parameter to "Prod"
• the "ServerSignature" parameter to "off"
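The settings in sections 3 to 5.2 can be verified from the outside by reading a single HTTP response. The following is an added example, not OFSAA code, that audits a captured response for the Server header (ServerTokens Prod), X-Frame-Options, Content-Security-Policy and the JSESSIONID cookie attributes from section 4. BAD_RESPONSE and GOOD_RESPONSE are constructed; a real capture would come from curl -i or a proxy. The expected cookie domain and path are passed in, since the NOTE under section 4.2 step 3 requires the full host name rather than the parent domain.

```python
import re
from typing import Dict, List, Tuple


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.x response into (status, [(header-name-lower, value)])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def _cookie_attrs(set_cookie: str) -> Dict[str, str]:
    """{'name': cookie name, attribute-lower: value, ...} for one Set-Cookie header."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {"name": parts[0].split("=", 1)[0]}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def audit_response(raw: str, expected_domain: str, expected_path: str) -> List[str]:
    _, headers = parse_response(raw)
    byname: Dict[str, List[str]] = {}
    for key, value in headers:
        byname.setdefault(key, []).append(value)
    findings: List[str] = []
    # 5.2: with ServerTokens Prod the header carries only the product name.
    for server in byname.get("server", []):
        if re.search(r"\d|\(", server):
            findings.append(f"Server header leaks details: {server!r}")
    # 3.1 / 3.2: anti-framing and CSP headers must be present and well-formed.
    if not byname.get("x-frame-options"):
        findings.append("X-Frame-Options header missing")
    csp = " ".join(byname.get("content-security-policy", []))
    if not csp:
        findings.append("Content-Security-Policy header missing")
    else:
        if re.search(r"(^|[\s;])self([\s;]|$)", csp):
            findings.append("CSP: the self keyword must be quoted as 'self'")
        if "'unsafe-eval'" in csp:
            findings.append("CSP info: script-src allows 'unsafe-eval'; keep only if the application needs it")
    # 4.x: the session cookie must be Secure, HttpOnly and pinned to host and context.
    for set_cookie in byname.get("set-cookie", []):
        c = _cookie_attrs(set_cookie)
        if c["name"] != "JSESSIONID":
            continue
        if "secure" not in c:
            findings.append("JSESSIONID: Secure flag missing")
        if "httponly" not in c:
            findings.append("JSESSIONID: HttpOnly flag missing")
        if c.get("domain", "").lower() != expected_domain.lower():
            findings.append(f"JSESSIONID: Domain={c.get('domain')!r}, expected {expected_domain!r}")
        if c.get("path") != expected_path:
            findings.append(f"JSESSIONID: Path={c.get('path')!r}, expected {expected_path!r}")
    return findings


# Constructed responses; neither comes from a real server.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Unix)\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/ofsaa; Domain=mysite.com\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>")
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly\r\n"
    "\r\n<html></html>")

if __name__ == "__main__":
    for finding in audit_response(BAD_RESPONSE, "app.mysite.com", "/ofsaa"):
        print(finding)
    print("good response:", audit_response(GOOD_RESPONSE, "app.mysite.com", "/ofsaa"))
```

The unsafe-eval line is reported as information only, because the CSP example in section 3.2 allows it for OFSAA; the point is to make the choice visible, not to override it.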

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any files being attached that do not have an extension as listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
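The extension allow-list as an added example, not the Forms Framework code, showing which file names pass and, more usefully, which do not. The list from the guide is embedded as a constructed Python list. Two assumptions: the comparison is case-sensitive, because the list carries both doc and Doc, and only the final path component and its last extension are examined, so an extension-only check says nothing about file content (a double extension such as report.exe.pdf still passes).

```python
from typing import Iterable

# Values quoted from the guide for this release, kept as a Python list.
DOCUMENT_ALLOWED_EXTENSION = ["txt", "pdf", "doc", "Doc", "html", "htm", "xls",
                              "zip", "jar", "xml", "jpg", "bmp", "jpeg"]


def upload_extension(filename: str) -> str:
    """Return the extension the allow-list is checked against, or '' if there
    is none. Only the last path component counts, trailing dots and spaces are
    ignored, and control characters (including NUL) disqualify the name."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    if not name or any(ord(ch) < 32 for ch in name):
        return ""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:          # "README" or ".htaccess": no usable extension
        return ""
    return ext


def is_upload_allowed(filename: str,
                      allowed: Iterable[str] = DOCUMENT_ALLOWED_EXTENSION) -> bool:
    """Allow-list check as the guide describes it: the extension must be one of
    the configured values, everything else is blocked. Case-sensitive by
    assumption (the list has both "doc" and "Doc")."""
    ext = upload_extension(filename)
    return bool(ext) and ext in set(allowed)


if __name__ == "__main__":
    for name in ("report.pdf", "report.PDF", "invoice.pdf.exe",
                 "README", ".htaccess", "report.txt\x00.exe"):
        print(repr(name), "->", "allowed" if is_upload_allowed(name) else "blocked")
```

When extending the list, add the lower-case and capitalised spellings you actually expect from users; the check does not fold case for you.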

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
       RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>restricted methods</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>PUT</http-method>
                  <http-method>PATCH</http-method>
                  <http-method>HEAD</http-method>
                  <http-method>DELETE</http-method>
                  <http-method>OPTIONS</http-method>
                  <http-method>TRACE</http-method>
                  <http-method>CONNECT</http-method>
              </web-resource-collection>
              <auth-constraint/>
          </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.

6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.

7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web-container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently this check is for the following groups of keywords/key characters:

• JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

    PARAMNAME              PARAMVALUE  DESCRIPTION
    XSS_IS_CHECK_REQUIRED  TRUE        Parameter to decide whether XSS check is to be enabled or not
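The two rules of sections 7.4 and 7.5 and the switch of 7.6.1, modelled in an added Python example; this is not the OFSAA FilterServlet source. CONFIGURATION is a constructed subset of the configuration table using only the example keywords quoted above (the full lists are in the MOS document). Two assumptions: keywords are matched as case-insensitive substrings, since the guide only says the request "contains" them, and the single XSS_IS_CHECK_REQUIRED entry gates both checks.

```python
import re
from typing import Dict, List, Tuple

# Constructed subset of the CONFIGURATION table as (PARAMNAME, PARAMVALUE) pairs.
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]


def load_groups(rows) -> Dict[str, List[str]]:
    """Group PARAMVALUEs by PARAMNAME with its trailing numeral removed,
    e.g. XSS_JS_KEYWORDS1..13 -> groups['XSS_JS_KEYWORDS']."""
    groups: Dict[str, List[str]] = {}
    for name, value in rows:
        groups.setdefault(re.sub(r"\d+$", "", name), []).append(value)
    return groups


def check_value(value: str, groups: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Apply the rules of 7.4 (JS keyword + meta character) and 7.5 (SQL word +
    SQL keyword) to one request parameter value. Returns (blocked, reason)."""
    # 7.6.1: no entry, or an entry other than TRUE, switches the checks off.
    if groups.get("XSS_IS_CHECK_REQUIRED", ["FALSE"])[0].upper() != "TRUE":
        return False, "checks disabled"
    low = value.lower()
    js_kw = [w for w in groups.get("XSS_JS_KEYWORDS", []) if w.lower() in low]
    js_mc = [c for c in groups.get("XSS_JS_METACHARS", []) if c in value]
    if js_kw and js_mc:
        return True, f"XSS: keyword {js_kw[0]!r} with meta character {js_mc[0]!r}"
    sql_w = [w for w in groups.get("XSS_SQL_WORDS", []) if w.lower() in low]
    sql_k = [w for w in groups.get("XSS_SQL_KEYWORDS", []) if w.lower() in low]
    if sql_w and sql_k:
        return True, f"SQL injection: word {sql_w[0]!r} with keyword {sql_k[0]!r}"
    return False, "clean"


def check_request(params: Dict[str, str], groups: Dict[str, List[str]]) -> List[str]:
    """One line per blocked parameter, in the spirit of the CSSLogger.log entry of
    7.6.3 (the real filter also records date, time, URL and user)."""
    return [f"{name}: {reason}" for name, val in params.items()
            for blocked, reason in [check_value(val, groups)] if blocked]


GROUPS = load_groups(CONFIGURATION)

if __name__ == "__main__":
    sample = {"user": "Alice", "q": "select name from users",
              "note": "Please return the alert form", "msg": "<script>alert(1)</script>"}
    for line in check_request(sample, GROUPS):
        print(line)
```

The two "clean" cases in the sample are the important ones for operations: a keyword on its own (return, alert, select) is not enough to block a request, which is what keeps ordinary business text from tripping the filter, and it is also why section 7.6.2 lets you exclude a keyword that still causes false positives.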

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other numbers in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other numbers in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.


Document Control

Version Number  Revision Date   Change Log
Draft           January 2015    Made the document generic for all releases. This document captures the necessary security related configurations.
1.0             April 2015      Added section 3.3 Configuration to restrict file uploads for the Ngan Hang SR 3-10413030421.
2.0             November 2015   Added section 3.4 based on Bug 21810721.
3.0             December 2015   Updated Web Application Server Security Configuration section based on Bug 22070501.
4.0             June 2016       Added content based on Bug 23603150.
5.0             December 2016   Rectified the broken link in the TLS Configuration for WebLogic section. Modified the Configuration to restrict HTTP methods other than GET/POST section based on Bug 25308546.
6.0             June 2017       Added section 'Configuring Application Security' for Bugs 25957230, 25990244 and 25957206.
7.0             August 2017     Updated for Bug 26568700.
8.0             September 2017  Removed list of filter servlet keywords and created a MOS document.
9.0             May 2018        Updated for security enhancements in 8.0.6.0.0.
10.0            August 2018     Added back Filter Servlet chapter for Doc 28542034.
11.0            October 2018    Updated for Doc 28672747 and Doc 28771653.
12.0            February 2019   Updated for Doc 29288736, 29352320 and 29352863.
13.0            May 2019        Added a new chapter for Secure Database Connection.
14.0            Aug 2019        Added generic system configuration information in Security Configurations for Doc 30204166. Added tip to configure from SSLv3 to TLSv1.2 in Enabling HTTPS Configuration for OFSAA for Doc 30171443.
15.0            Dec 2019        Updated section Configuration to set Content Security Policy with information for validation of web.xml file (Doc 30622153).

Table of Contents

1 Preface 6
1.1 Summary 6
1.2 Audience 6
1.2.1 Prerequisites for the Audience 6
1.3 Related Documents 6
2 Secure Configurations 8
2.1 Security Configurations 8
3 Secure Header Configuration 10
3.1 Configuration for X-Frame-Options 10
3.2 Configuration to set Content Security Policy 11
3.3 Configuration for Referrer Header Validation 12
4 Web Application Server Security Configurations 14
4.1 Enabling HTTPS Configuration for OFSAA 14
4.2 Security Configuration for Tomcat 14
4.3 Security Configuration for WebSphere 15
4.3.1 Session Management Secure and HttpOnly Configuration 15
4.3.2 TLS Configuration for WebSphere 18
4.3.3 Configuring Application Security 18
4.3.4 Disable Directory Listing 19
4.4 Security Configuration for WebLogic 19
5 Additional Security Configurations 23
5.1 Configuration to Restrict Access to Default Web Server Pages 23
5.2 Configuration to Restrict Display of the Web Server Details 24
5.3 Configuration to Restrict File Uploads 25
5.4 Configuration to restrict HTTP methods other than GET/POST 25
5.5 Configuration to enable unlimited cryptographic policy for Java 26
6 Secure Database Connection 27
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) 27
7 Appendix A - Filter Servlet 28
7.1 Introduction 28
7.2 Security and Access 28
7.3 Vulnerability Checks 28
7.4 Cross Site Scripting 28
7.5 SQL Injection 29
7.6 Filter Servlet Configurations 29
7.6.1 Checking for XSS Vulnerability 29
7.6.2 Exclusion of Keywords/Key Characters 29
7.6.3 Debug Logs 29

1 Preface

This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:

• Secure Configurations
• Secure Header Configurations
• Web Application Server Security Configurations
• Additional Security Configurations

1.1 Summary

The information contained in this document is intended to give you a quick exposure to and an understanding of the security configurations required after the installation of Oracle Financial Services Analytical Application Infrastructure.

1.2 Audience

This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration to install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience

This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:

• OFS AAAI pack components
• OFSAA Architecture
• UNIX Commands
• Database Concepts
• Web server/Web application server

1.3 Related Documents

This section identifies additional documents related to OFSAA Infrastructure:

• Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
• Oracle Financial Services Analytical Applications Environment Check Utility Guide
• Oracle Financial Services Analytical Applications Infrastructure Administration Guide
• Oracle Financial Services Analytical Applications Infrastructure User Guide

SECURE CONFIGURATIONS

SECURITY CONFIGURATIONS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 8

2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI

2.1 Security Configurations

To have a secure environment for the OFSAA installation, there are a set of configurations that need to be accomplished. The configurations are discussed in the following sections in this document. For more information, see the OFSAAI Administration Guide.

Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

TDE (Transparent Data Encryption) – Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

Key Management - The OFSAA configuration schema (CONFIG) is the repository to store passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.

The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

NOTE: Integration with any other Key Management solution is out of scope of this release.

File Encryption - OFSAA supports file encryption using the AES-256 Bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

Set session timeout

Enable CSRF

Set frequency of password change

Configure password restriction details

Configure password history

Configure security questions for password reset

Configure the activation period by setting Dormant Days, Inactive Days and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

Configuration for X-Frame-Options

Configuration to set Content Security Policy

Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.

web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains.

X-Frame-Options:

    <filter>
        <filter-name>FilterServlet</filter-name>
        <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
        <init-param>
            <param-name>mode</param-name>
            <param-value>ALLOW-FROM <URL1> <URL2></param-value>
        </init-param>
    </filter>

NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. URL1 and URL2 refer to the different domain URLs.

X-Frame-Options is supported only on the Internet Explorer browser.

Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

    <context-param>
        <param-name>default-src</param-name>
        <param-value>default-src 'self'</param-value>
    </context-param>
    <context-param>
        <param-name>script-src</param-name>
        <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
    </context-param>
    <context-param>
        <param-name>img-src</param-name>
        <param-value>img-src 'self' data:</param-value>
    </context-param>
    <context-param>
        <param-name>style-src</param-name>
        <param-value>style-src 'self' 'unsafe-inline'</param-value>
    </context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:


    <context-param>
        <param-name>default-src</param-name>
        <param-value>default-src 'self'</param-value>
    </context-param>
    <context-param>
        <param-name>script-src</param-name>
        <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
    </context-param>
    <context-param>
        <param-name>img-src</param-name>
        <param-value>img-src <IMGURL> 'self' data:</param-value>
    </context-param>
    <context-param>
        <param-name>style-src</param-name>
        <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
    </context-param>

In the previous example, you have to define the policy by replacing:

default-src - with no value. This value sets it to 'self'.

<SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.

<IMGURL> - with the image URLs from trusted sources from where you want to load images, which prevents images from untrusted sources.

<CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

    <filter>
        <filter-name>FilterServlet</filter-name>
        <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
        <init-param>
            <param-name>AllowHosts</param-name>
            <param-value> <URL1> <URL2> </param-value>
        </init-param>
    </filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
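The rules stated in sections 3.1 to 3.3 (single-space separated URL lists ending in a slash, no duplicate CSP context-param tags) are easy to get wrong by hand, so here is a small validator for a web.xml fragment. This is an added example, not Oracle's code; the host names in the sample fragment are placeholders.

```python
"""Sanity-check the FilterServlet and CSP settings in an OFSAAI web.xml.

Added example (not Oracle's code): it applies the rules stated in sections
3.1 to 3.3: ALLOW-FROM and AllowHosts URL lists are separated by exactly
one space and every URL ends with '/', the CSP <context-param> entries are
not duplicated, and each CSP value starts with its own directive name.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample fragment (host names are placeholders).  It carries two
# defects on purpose: 'img-src' is declared twice and the second AllowHosts
# URL has no trailing slash.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src https://img.example.test/ 'self' data:</param-value>
  </context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.test/ https://hr.example.test/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value> https://portal.example.test/ https://hr.example.test </param-value>
    </init-param>
  </filter>
</web-app>
"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")


def _local(tag: str) -> str:
    """Drop a namespace prefix such as '{http://xmlns.jcp.org/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> str:
    for child in elem:
        if _local(child.tag) == name:
            return child.text or ""
    return ""


def check_url_list(value: str, setting: str) -> List[str]:
    """Apply the single-space / trailing-slash rule to one URL list."""
    findings = []
    text = value.strip()            # the guide shows AllowHosts padded with spaces
    if "  " in text:
        findings.append(f"{setting}: URLs must be separated by exactly one space")
    for url in text.split(" "):
        if not url:
            continue                # empty token, already reported above
        if url.count("://") > 1:
            findings.append(f"{setting}: '{url}' looks like two URLs run together")
        elif not url.startswith(("http://", "https://")):
            findings.append(f"{setting}: '{url}' is not an absolute http(s) URL")
        if not url.endswith("/"):
            findings.append(f"{setting}: '{url}' must end with a forward slash")
    return findings


def validate_web_xml(xml_text: str) -> List[str]:
    """Return a list of findings; an empty list means the fragment passes."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    seen = set()
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind == "context-param":
            name = _child_text(elem, "param-name").strip()
            value = _child_text(elem, "param-value").strip()
            if name in seen:
                findings.append(f"context-param '{name}' is declared more than once; remove the duplicate")
            seen.add(name)
            if name in CSP_DIRECTIVES and not value.startswith(name + " "):
                findings.append(f"context-param '{name}' value must start with '{name}'")
        elif kind == "filter" and _child_text(elem, "filter-name").strip() == "FilterServlet":
            for param in elem:
                if _local(param.tag) != "init-param":
                    continue
                name = _child_text(param, "param-name").strip()
                value = _child_text(param, "param-value")
                if name == "mode" and value.strip().startswith("ALLOW-FROM "):
                    findings += check_url_list(value.strip()[len("ALLOW-FROM "):], "X-Frame-Options ALLOW-FROM")
                elif name == "AllowHosts":
                    findings += check_url_list(value, "AllowHosts")
    return findings


if __name__ == "__main__":
    for line in validate_web_xml(SAMPLE_WEB_XML):
        print(line)
```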


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

Enabling HTTPS Configuration for OFSAA

Security Configuration for Tomcat

Security Configuration for WebSphere

Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.

To enable HTTPS post installation

To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

TIP: Multiple cipher suites have to be comma-separated.

For example:

    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

https://www.owasp.org/index.php/Securing_tomcat

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

    sessionCookiePath="<context>"
    sessionCookieDomain="<domain>"

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.

b. Add the 'secure="true"' attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>

6. Post configuration, restart the Tomcat service.

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu, select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

Cookie Name - JSESSIONID

Cookie domain - <domain>

Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

Restrict Cookies to HTTPS Sessions

Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://<host>:<adminport>/ibm/console).

2. Under the Security menu, select SSL certificate and key management, SSL configurations, NodeDefaultSSLSettings, and Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:

https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:

https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and resave the change.

6. Configure session Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

    <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
            <cookie-name>JSESSIONID</cookie-name>
            <cookie-domain><domain></cookie-domain>
            <cookie-path><context></cookie-path>
            <cookie-http-only>true</cookie-http-only>
            <cookie-secure>true</cookie-secure>
        </session-descriptor>
    </weblogic-web-app>


b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

    <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
    </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

    -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

    <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
    </ssl>

For more information, see:

https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see:

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

    <index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GET/POST

Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat.

Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):

Section I:

    <Context path="/examples" docBase="examples" debug="0"
             reloadable="true" crossContext="true">
        <Logger className="org.apache.catalina.logger.FileLogger"
                prefix="localhost_examples_log." suffix=".txt"
                timestamp="true"/>
        <Ejb name="ejb/EmplRecord" type="Entity"
             home="com.wombat.empl.EmployeeRecordHome"
             remote="com.wombat.empl.EmployeeRecord"/>

Section II:

        <Environment name="maxExemptions" type="java.lang.Integer"
                     value="15"/>
        <Parameter name="context.param.name" value="context.param.value"
                   override="false"/>
        <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                  type="javax.sql.DataSource"/>
        <ResourceParams name="jdbc/EmployeeAppDb">
            <parameter><name>user</name><value>sa</value></parameter>
            <parameter><name>password</name><value></value></parameter>
            <parameter><name>driverClassName</name>
                <value>org.hsql.jdbcDriver</value></parameter>
            <parameter><name>driverName</name>
                <value>jdbc:HypersonicSQL:database</value></parameter>
        </ResourceParams>
        <Resource name="mail/Session" auth="Container"
                  type="javax.mail.Session"/>
        <ResourceParams name="mail/Session">
            <parameter>
                <name>mail.smtp.host</name>
                <value>localhost</value>
            </parameter>
        </ResourceParams>
        <ResourceLink name="linkToGlobalResource"
                      global="simpleValue"
                      type="java.lang.Integer"/>
    </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags from the CATALINA_HOME/conf/web.xml file:

    <welcome-file>index.html</welcome-file>
    <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

Following are some examples:

    <user username="both" password="b$12" roles="tomcat,role1"/>
    <user username="tomcat" password="t$12" roles="tomcat"/>
    <user username="admin" password="a$12" roles="admin,manager"/>
    <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set:

the "ServerTokens" parameter to "Prod"

the "ServerSignature" parameter to "off"
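After applying sections 3, 4 and 5.2, a captured response from the deployed application should show the headers and cookie flags those sections configure. The following audit script is an added example, not Oracle's code; the response it inspects is constructed, and the host, context path and cookie values in it are placeholders.

```python
"""Audit a captured OFSAAI HTTP response against the header and cookie
settings in sections 3, 4 and 5.2.

Added example (not Oracle's code).  It checks that X-Frame-Options and
Content-Security-Policy are present, that the JSESSIONID cookie carries
Secure and HttpOnly with Path set to the OFSAAI context and Domain set to
the exact host (app.mysite.com, not mysite.com), and that the Server header
does not reveal a version (ServerTokens Prod).
"""
from typing import Dict, List, Tuple

# Constructed sample response.  Two defects are planted: JSESSIONID lacks
# HttpOnly and its Domain is the parent domain rather than the host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' "
    "'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'\r\n"
    "Set-Cookie: JSESSIONID=0123ABCD; Path=/OFSAAI; Domain=mysite.com; Secure\r\n"
    "Set-Cookie: lang=en; Path=/OFSAAI; Secure; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header names to their values (repeated headers kept in order)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split 'NAME=v; Path=/x; Secure' into the cookie name and lower-cased attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags such as Secure map to ''
    return name, attrs


def audit_response(raw: str, host: str, context: str) -> List[str]:
    """Return findings for one response; empty means every checked setting is in place."""
    headers = parse_headers(raw)
    findings: List[str] = []

    xfo = headers.get("x-frame-options")
    if not xfo:
        findings.append("X-Frame-Options header missing (FilterServlet 'mode')")
    elif xfo[0].upper() != "SAMEORIGIN" and not xfo[0].upper().startswith("ALLOW-FROM "):
        findings.append(f"X-Frame-Options has unexpected value '{xfo[0]}'")

    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy header missing")

    server = headers.get("server", [""])[0]
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header '{server}' reveals a version; set ServerTokens Prod")

    session_cookies = [parse_cookie(c) for c in headers.get("set-cookie", [])]
    session_cookies = [(n, a) for n, a in session_cookies if n == "JSESSIONID"]
    if not session_cookies:
        findings.append("no JSESSIONID Set-Cookie in response")
    for _, attrs in session_cookies:
        if "secure" not in attrs:
            findings.append("JSESSIONID cookie lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append("JSESSIONID cookie lacks the HttpOnly flag")
        if attrs.get("path") != context:
            findings.append(f"JSESSIONID Path '{attrs.get('path')}' is not the OFSAAI context '{context}'")
        domain = attrs.get("domain")
        if domain is not None and domain.lstrip(".").lower() != host.lower():
            findings.append(f"JSESSIONID Domain '{domain}' must be the exact host '{host}'")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE, "app.mysite.com", "/OFSAAI"):
        print(finding)
```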

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any files being attached that do not have an extension as listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
    RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of the WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>PATCH</http-method>
            <http-method>HEAD</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

Negotiating a cipher suite for encryption, data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that its Distinguished Name (DN) is expected

Client and server exchange key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype as SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check is for the following groups of keywords/key characters:

JavascriptKeyWords - paramname in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10

SQLKeyWords - paramname in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

SQLWords - paramname in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME                PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED    TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other numbers in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other numbers in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
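The combination rule of 7.5, the XSS_IS_CHECK_REQUIRED switch of 7.6.1 and the date/time/URL/user log record of 7.6.3, brought together in an added Python example. This is not the FilterServlet's code: the SQL_KEYWORDS<n> and SQL_WORDS<n> group names, the keyword values and the exact log layout are constructed for this illustration (the product's own PARAMNAMEs are in the My Oracle Support document cited above).

```python
import re
from datetime import datetime, timezone

# Constructed configuration rows (PARAMNAME -> PARAMVALUE). XSS_IS_CHECK_REQUIRED is
# the parameter named in 7.6.1; the SQL_KEYWORDS<n> / SQL_WORDS<n> names and their
# values are assumptions for this example, not the product's actual PARAMNAMEs.
CONFIG_TABLE = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "SQL_KEYWORDS1": "Alter", "SQL_KEYWORDS2": "Insert", "SQL_KEYWORDS3": "Select",
    "SQL_KEYWORDS4": "Create", "SQL_KEYWORDS5": "Update", "SQL_KEYWORDS6": "Delete",
    "SQL_KEYWORDS7": "Drop", "SQL_KEYWORDS8": "Truncate",
    "SQL_WORDS1": "From", "SQL_WORDS2": "Into", "SQL_WORDS3": "Where", "SQL_WORDS4": "table",
}


def group_values(table, prefix):
    """PARAMVALUEs of a numbered group such as SQL_WORDS1..n, ordered by the numeral."""
    pattern = re.compile(r"^" + re.escape(prefix) + r"(\d+)$")
    rows = []
    for name, value in table.items():
        match = pattern.match(name)
        if match:
            rows.append((int(match.group(1)), value))
    return [value for _, value in sorted(rows)]


def check_enabled(table):
    """7.6.1: checks run only when XSS_IS_CHECK_REQUIRED exists and is TRUE."""
    return table.get("XSS_IS_CHECK_REQUIRED", "FALSE").strip().upper() == "TRUE"


def first_word_match(text, words):
    """Case-insensitive whole-word search; returns the configured word that matched."""
    for word in words:
        if re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE):
            return word
    return None


def sql_injection_hit(value, keywords, words):
    """7.5 rule: a value is suspect only when a SQLKeyWord and a SQLWord both occur."""
    keyword = first_word_match(value, keywords)
    word = first_word_match(value, words)
    if keyword and word:
        return keyword + "+" + word
    return None


def log_record(url, user, reason, when=None):
    """One CSSLogger-style line: date, time, URL, user (the layout is constructed)."""
    when = when or datetime.now(timezone.utc)
    return "{:%Y-%m-%d} {:%H:%M:%S} {} {} BLOCKED {}".format(when, when, url, user, reason)


def filter_request(url, user, params, table=CONFIG_TABLE, when=None):
    """Return (allowed, record); record is None when the request passes the check."""
    if not check_enabled(table):
        return True, None
    keywords = group_values(table, "SQL_KEYWORDS")
    words = group_values(table, "SQL_WORDS")
    for name, value in params.items():
        reason = sql_injection_hit(str(value), keywords, words)
        if reason:
            return False, log_record(url, user, "param=" + name + " match=" + reason, when)
    return True, None


if __name__ == "__main__":
    print(filter_request("/ofsaa/report", "analyst1", {"q": "select name from users"}))
```

Only a value that contains both a SQLWord and a SQLKeyWord is rejected, so "Select" alone or "table" alone passes, exactly as 7.5 describes. A keyword filter of this kind is a defence-in-depth layer in front of bind variables, not a replacement for them, and the blocked-request record is what a monitoring team would forward to a SIEM to spot repeated blocks from one user or URL.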


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.


Table of Contents

1 Preface  6
1.1 Summary  6
1.2 Audience  6
1.2.1 Prerequisites for the Audience  6
1.3 Related Documents  6
2 Secure Configurations  8
2.1 Security Configurations  8
3 Secure Header Configuration  10
3.1 Configuration for X-Frame-Options  10
3.2 Configuration to set Content Security Policy  11
3.3 Configuration for Referrer Header Validation  12
4 Web Application Server Security Configurations  14
4.1 Enabling HTTPS Configuration for OFSAA  14
4.2 Security Configuration for Tomcat  14
4.3 Security Configuration for WebSphere  15
4.3.1 Session Management Secure and HttpOnly Configuration  15
4.3.2 TLS Configuration for WebSphere  18
4.3.3 Configuring Application Security  18
4.3.4 Disable Directory Listing  19
4.4 Security Configuration for WebLogic  19
5 Additional Security Configurations  23
5.1 Configuration to Restrict Access to Default Web Server Pages  23
5.2 Configuration to Restrict Display of the Web Server Details  24
5.3 Configuration to Restrict File Uploads  25
5.4 Configuration to restrict HTTP methods other than GET/POST  25
5.5 Configuration to enable unlimited cryptographic policy for Java  26
6 Secure Database Connection  27
6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)  27
7 Appendix A - Filter Servlet  28
7.1 Introduction  28
7.2 Security and Access  28
7.3 Vulnerability Checks  28
7.4 Cross Site Scripting  28
7.5 SQL Injection  29
7.6 Filter Servlet Configurations  29
7.6.1 Checking for XSS Vulnerability  29
7.6.2 Exclusion of Keywords / Key Characters  29
7.6.3 Debug Logs  29


1 Preface

This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:

• Secure Configurations
• Secure Header Configurations
• Web Application Server Security Configurations
• Additional Security Configurations

1.1 Summary

The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Applications Infrastructure.

1.2 Audience

This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration to install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience

This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:

• OFS AAAI pack components
• OFSAA Architecture
• UNIX Commands
• Database Concepts
• Web server/Web application server

1.3 Related Documents

This section identifies additional documents related to OFSAA Infrastructure:

• Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
• Oracle Financial Services Analytical Applications Environment Check Utility Guide


• Oracle Financial Services Analytical Applications Infrastructure Administration Guide
• Oracle Financial Services Analytical Applications Infrastructure User Guide


2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for an OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections in this document. For more information, see the OFSAAI Administration Guide.

• Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

• TDE (Transparent Data Encryption) – Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

• Key Management – The OFSAA configuration schema (CONFIG) is the repository to store passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed. The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

  NOTE: Integration with any other Key Management solution is out of scope of this release.

• File Encryption – OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

• Database Password Reset – Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

• Password Reset – Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

• Enable and Disable Users – For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

• SSO Authentication (SAML) Configuration – For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


• Public Key Authentication – Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

• Data Security and Data Privacy – Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

• Input and Output Encoding – The product is enabled with input validation and output encoding to protect from various types of security attacks.

• Password rotation every 30 days – For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

• Additional Cross-Origin Resource Sharing (CORS) – Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

• System Configuration and Identity Management – Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

  - Set session timeout
  - Enable CSRF
  - Set frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

• Configuration for X-Frame-Options
• Configuration to set Content Security Policy
• Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.

   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options header for the response. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains.

   X-Frame-Options:

   <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
           <param-name>mode</param-name>
           <param-value>ALLOW-FROM <URL1> <URL2></param-value>
       </init-param>
   </filter>

   NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. URL1 and URL2 refer to the different domain URLs.

   X-Frame-Options is supported only on the Internet Explorer browser.

   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

   <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>

   WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

   If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:


   <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src <IMGURL> 'self' data:</param-value>
   </context-param>
   <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
   </context-param>

   In the previous example, you have to define the policy by replacing:

   • default-src - with no value. This value sets it to 'self'.
   • <SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.
   • <IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.
   • <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

   <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
           <param-name>AllowHosts</param-name>
           <param-value> <URL1> <URL2> </param-value>


       </init-param>
   </filter>

   NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
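The web.xml entries of sections 3.1 to 3.3, as an added Python example that is not OFSAA code: it parses a constructed web.xml fragment, applies the URL-list rules the notes give (a single space between entries, each ending in a slash), derives the X-Frame-Options and Content-Security-Policy values the entries imply, and checks a Referer against AllowHosts. The hostnames are placeholders, and the header assembly and Referer comparison are this example's reading of the text, not the FilterServlet's implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.xml fragment in the shape of sections 3.1 to 3.3; hostnames are placeholders.
WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src https://cdn.example.com/ 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
  </context-param>
  <context-param>
    <param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value>
  </context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.com/ https://intranet.example.com/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value> https://portal.example.com/ https://intranet.example.com/ </param-value>
    </init-param>
  </filter>
</web-app>"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")


def parse_web_xml(xml_text):
    """Return (context_params, filterservlet_init_params) as two name -> value dicts."""
    root = ET.fromstring(xml_text)
    context = {}
    for cp in root.iter("context-param"):
        context[cp.findtext("param-name")] = cp.findtext("param-value")
    init = {}
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") == "FilterServlet":
            for ip in flt.iter("init-param"):
                init[ip.findtext("param-name")] = ip.findtext("param-value")
    return context, init


def validate_url_list(value):
    """Split a URL list as the notes require: one space between entries, each ending in '/'."""
    text = value.strip()
    if "  " in text:
        raise ValueError("two or more spaces between URLs")
    urls = text.split(" ") if text else []
    for url in urls:
        parts = urlsplit(url)
        if url.count("://") != 1 or parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("not a single absolute http(s) URL: %r" % url)
        if not url.endswith("/"):
            raise ValueError("URL must end with a forward slash: %r" % url)
    return urls


def x_frame_options(init_params):
    """ALLOW-FROM with the configured URLs, or SAMEORIGIN when no ALLOW-FROM mode is set."""
    mode = init_params.get("mode", "").strip()
    if not mode.upper().startswith("ALLOW-FROM"):
        return "SAMEORIGIN"
    return "ALLOW-FROM " + " ".join(validate_url_list(mode[len("ALLOW-FROM"):]))


def content_security_policy(context_params):
    """Join the per-directive context-param values into one header value."""
    return "; ".join(context_params[d] for d in CSP_DIRECTIVES if d in context_params)


def referer_allowed(referer, init_params):
    """True only when the Referer lies under one of the AllowHosts URLs (scheme and host exact)."""
    if not referer:
        return False  # this example's policy: a missing Referer is not trusted
    ref = urlsplit(referer)
    for allowed in validate_url_list(init_params.get("AllowHosts", "")):
        base = urlsplit(allowed)
        if (ref.scheme, ref.netloc) == (base.scheme, base.netloc) and (ref.path or "/").startswith(base.path):
            return True
    return False
```

The trailing slash is what makes the AllowHosts comparison precise: the example compares scheme and host exactly and the path only as a prefix, so a Referer from a look-alike host such as portal.example.com.evil.test is rejected instead of matching as a string prefix. A request with no Referer is rejected here too, which is a policy choice to settle per deployment.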


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

• Enabling HTTPS Configuration for OFSAA
• Security Configuration for Tomcat
• Security Configuration for WebSphere
• Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:

• To enable HTTPS post installation
• To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

   TIP: Multiple cipher suites have to be comma-separated.

   For example:

   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

   a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.

   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

      <cookie-config>
          <http-only>true</http-only>
          <secure>true</secure>
      </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

   <init-param>
       <param-name>listings</param-name>
       <param-value>false</param-value>
   </init-param>

6. Post configuration, restart the Tomcat service.
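Steps 1 to 5 above, as an offline audit in an added Python example (not from the guide or from Tomcat): it reads constructed server.xml, context.xml and web.xml fragments and reports each setting from this section that is missing or weak. Element and attribute names are Tomcat's; the two sets of fragments (which omit the web-app namespace for brevity), the wording of the findings and the check logic are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed fragments: the WEAK_* set reflects a stock install, the HARDENED_* set
# applies steps 1 to 5 of section 4.2. Paths and hostnames are placeholders.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" sslProtocol="TLS"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/ofsaa" docBase="ofsaa"/>
  </Host></Engine>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps">
    <Context path="/ofsaa" docBase="ofsaa" sessionCookiePath="/ofsaa"
             sessionCookieDomain="app.mysite.com"/>
  </Host></Engine>
</Service></Server>"""

WEAK_CONTEXT_XML = "<Context/>"
HARDENED_CONTEXT_XML = '<Context useHttpOnly="true"/>'

WEAK_WEB_XML = """<web-app>
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout></session-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app>
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""


def init_param(servlet, name):
    """Value of one <init-param> of a <servlet> element, or None."""
    for ip in servlet.iter("init-param"):
        if ip.findtext("param-name") == name:
            return ip.findtext("param-value")
    return None


def audit_tomcat(server_xml, context_xml, web_xml):
    """Return the list of findings; an empty list means every 4.2 setting is present."""
    findings = []
    server = ET.fromstring(server_xml)
    for con in server.iter("Connector"):
        if con.get("SSLEnabled", "false").lower() != "true":
            continue  # only TLS connectors are in scope for steps 1, 2 and 4b
        if "TLSv1.2" not in (con.get("sslProtocol"), con.get("sslEnabledProtocols")):
            findings.append("Connector: TLS 1.2 not selected (sslProtocol/sslEnabledProtocols)")
        if not con.get("ciphers"):
            findings.append("Connector: no explicit ciphers list")
        if con.get("secure", "false").lower() != "true":
            findings.append("Connector: secure=\"true\" missing")
    for ctx in server.iter("Context"):
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append("Context %s: %s not set" % (ctx.get("path"), attr))
    if ET.fromstring(context_xml).get("useHttpOnly", "").lower() != "true":
        findings.append("context.xml: useHttpOnly=\"true\" missing on Context")
    web = ET.fromstring(web_xml)
    for servlet in web.iter("servlet"):
        if servlet.findtext("servlet-name") == "default" and init_param(servlet, "listings") != "false":
            findings.append("web.xml: directory listings not disabled on the default servlet")
    cookie = web.find("session-config/cookie-config")
    if cookie is None or cookie.findtext("http-only") != "true" or cookie.findtext("secure") != "true":
        findings.append("web.xml: cookie-config lacks http-only/secure set to true")
    return findings
```

One caveat on step 1: in Tomcat the sslProtocol attribute names the JSSE SSLContext, while the protocol versions actually offered to clients are governed by sslEnabledProtocols, so the audit accepts either attribute set to TLSv1.2, and a deployment should confirm the negotiated protocol and cipher with a TLS scanner rather than trust the file alone.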

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

   Cookie Name - JSESSIONID
   Cookie Domain - <domain>
   Cookie Path - <context>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   • Restrict Cookies to HTTPS Sessions
   • Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://<host>:<adminport>/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Login to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
          <session-descriptor>
              <cookie-name>JSESSIONID</cookie-name>
              <cookie-domain><domain></cookie-domain>
              <cookie-path><context></cookie-path>
              <cookie-http-only>true</cookie-http-only>
              <cookie-secure>true</cookie-secure>
          </session-descriptor>
      </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

      <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
      </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

      <ssl>
          <name><servername></name>
          <enabled>true</enabled>
          <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>

      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

   <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations The following topics are available

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GETPOST

Configuration to enable unlimited cryptographic policy for Java

51 Configuration to Restrict Access to Default Web Server

Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat

server

1 Start the Apache Tomcat server by executing the command startupsh

2 Log in to the Tomcat Web Application Manager

3 Undeploy the Examples application from Tomcat

Go to the Tomcat Web Application Manager screen and click the Remove link

corresponding to the Tomcat Examples application

4 Shut down the Apache Tomcat Server by executing the shutdownsh file

5 Comment the following two sections from CATALINA_HOMEconfserverxml (if

available)

Section I

ltContext path=examples docBase=examples debug=0

reloadable=true crossContext=truegt

ltLogger className=orgapachecatalinaloggerFileLogger

prefix=localhost_examples_log suffix=txt

timestamp=truegt

ltEjb name=ejbEmplRecord type=Entity

home=comwombatemplEmployeeRecordHome

remote=comwombatemplEmployeeRecordgt

Section II

ltEnvironment name=maxExemptions type=javalangInteger

value=15gt

ltParameter name=contextparamname value=contextparamvalue

override=falsegt

ltResource name=jdbcEmployeeAppDb auth=SERVLET


                 type="javax.sql.DataSource"/>
       <ResourceParams name="jdbc/EmployeeAppDb">
           <parameter><name>user</name><value>sa</value></parameter>
           <parameter><name>password</name><value></value></parameter>
           <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
           <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
       </ResourceParams>
       <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
       <ResourceParams name="mail/Session">
           <parameter>
               <name>mail.smtp.host</name>
               <value>localhost</value>
           </parameter>
       </ResourceParams>
       <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
   </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:

   <welcome-file>index.html</welcome-file>
   <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

   Following are some examples:

   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set:

• the "ServerTokens" parameter to "Prod"
• the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded in to OFSAA applications. Any files being attached that do not have an extension as listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jarxml, jpg, bmp and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST.

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

- Negotiating a cipher suite for encryption, data integrity, and authentication
- Authenticating the client by validating its certificate
- Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
- Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document describes the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. It also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This function checks whether a user has rights to access the web page that is being requested.

7.3 Vulnerability Checks

This function checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check covers the following groups of keywords and key characters:

- JavascriptKeyWords - PARAMNAME in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
- JavascriptKeyChars - PARAMNAME in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
- SQLKeyWords - PARAMNAME in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
- SQLWords - PARAMNAME in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
- SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
- SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

All of these are present in the Configuration table.

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (meta chars) such as ", ', (, ), <, or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE, and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1), containing the PARAMNAME, PARAMVALUE, and DESCRIPTION, to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE | Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
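The following is an added example (not the OFSAA Filter Servlet's own code) that models the keyword/key-character checks of sections 7.4 to 7.6 over a constructed CONFIGURATION table: the XSS and SQL combination rules, the XSS_IS_CHECK_REQUIRED switch, the renumbering-based exclusion of 7.6.2, and a CSSLogger.log-style line. It assumes the filter reads each group only for the PARAMNAME numerals listed in 7.3 (so an entry renumbered above that range is never evaluated), that matching is case-insensitive on whole words, and that the log line format is constructed.

```python
"""Model of the Filter Servlet keyword / key-character checks (sections 7.4
to 7.6). Added example, not the OFSAA filter's own code.

Assumptions not stated on the page: each group is read only for the numerals
listed in section 7.3 (1..13, 1..10, 1..23, 1..4), so an entry renumbered
above that range is not evaluated (this models the exclusion procedure of
7.6.2); matching is case-insensitive on whole words; the CSSLogger.log line
format is constructed.
"""
import re
from datetime import datetime

# Constructed sample of the CONFIGURATION table as (PARAMNAME, PARAMVALUE).
# Only a few keywords per group are shown; the full lists are in the
# My Oracle Support document the page cites.
CONFIG_TABLE = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"),
    ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'),
    ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"),
    ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"),
    ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "drop"),
    ("XSS_SQL_WORDS1", "from"),
    ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]

# Highest PARAMNAME numeral the filter reads per group (section 7.3).
GROUP_RANGE = {
    "XSS_JS_KEYWORDS": 13,
    "XSS_JS_METACHARS": 10,
    "XSS_SQL_KEYWORDS": 23,
    "XSS_SQL_WORDS": 4,
}


def load_group(table, prefix):
    """PARAMVALUEs of prefix1..prefixN (N from GROUP_RANGE), lower-cased.
    Entries numbered above N are ignored (assumed loading behaviour)."""
    values = dict(table)
    return [values[f"{prefix}{n}"].lower()
            for n in range(1, GROUP_RANGE[prefix] + 1)
            if f"{prefix}{n}" in values]


def _has_word(text, words):
    """True if any of the words occurs as a whole word in text."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)


def check_request(table, params):
    """Evaluate request parameter values as sections 7.4 and 7.5 describe.
    Returns "XSS" (JS keyword + JS meta char), "SQL" (SQL word + SQL
    keyword) or None when the request may pass. Checks are skipped when
    XSS_IS_CHECK_REQUIRED is absent or not TRUE (section 7.6.1)."""
    if dict(table).get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None
    text = " ".join(params.values()).lower()
    if (_has_word(text, load_group(table, "XSS_JS_KEYWORDS"))
            and any(c in text for c in load_group(table, "XSS_JS_METACHARS"))):
        return "XSS"
    if (_has_word(text, load_group(table, "XSS_SQL_WORDS"))
            and _has_word(text, load_group(table, "XSS_SQL_KEYWORDS"))):
        return "SQL"
    return None


def exclude_keyword(table, paramname):
    """Section 7.6.2: renumber PARAMNAME past every other numeral in its
    group (and past the range the filter reads) so it is no longer
    evaluated. Returns a new table."""
    prefix = paramname.rstrip("0123456789")
    highest = max(int(n[len(prefix):]) for n, _ in table
                  if n.startswith(prefix) and n[len(prefix):].isdigit())
    new_name = f"{prefix}{max(highest, GROUP_RANGE[prefix]) + 1}"
    return [(new_name if n == paramname else n, v) for n, v in table]


def log_line(check, url, user, when=None):
    """Constructed CSSLogger.log style entry with the fields section 7.6.3
    names: date, time, URL and user."""
    when = when or datetime.now()
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {check} {url} {user}"
```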


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

- Did you find any errors?
- Is the information clearly presented?
- Do you need more information? If so, where?
- Are the examples correct? Do you need more examples?
- What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.


7 Appendix A - Filter Servlet ..... 28
7.1 Introduction ..... 28
7.2 Security and Access ..... 28
7.3 Vulnerability Checks ..... 28
7.4 Cross Site Scripting ..... 28
7.5 SQL Injection ..... 29
7.6 Filter Servlet Configurations ..... 29
7.6.1 Checking for XSS Vulnerability ..... 29
7.6.2 Exclusion of Keywords / Key Characters ..... 29
7.6.3 Debug Logs ..... 29


1 Preface

This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:

- Secure Configurations
- Secure Header Configurations
- Web Application Server Security Configurations
- Additional Security Configurations

1.1 Summary

The information contained in this document is intended to give you a quick exposure to, and an understanding of, the security configurations required after the installation of Oracle Financial Services Analytical Application Infrastructure.

1.2 Audience

This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration, and Web Application Administration to install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience

This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:

- OFS AAAI pack components
- OFSAA Architecture
- UNIX Commands
- Database Concepts
- Web server/Web application server

1.3 Related Documents

This section identifies additional documents related to OFSAA Infrastructure:

- Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide
- Oracle Financial Services Analytical Applications Environment Check Utility Guide


- Oracle Financial Services Analytical Applications Infrastructure Administration Guide
- Oracle Financial Services Analytical Applications Infrastructure User Guide


2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for an OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.

- Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

- TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

- Key Management - The OFSAA configuration schema (CONFIG) is the repository that centrally stores passwords for users and application database schemas. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.

  The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

  NOTE: Integration with any other key management solution is out of scope for this release.

- File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

- Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

- Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

- Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

- SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


- Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

- Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

- Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

- Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

- Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

- System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

  - Set session timeout
  - Enable CSRF
  - Set frequency of password change
  - Configure password restriction details
  - Configure password history
  - Configure security questions for password reset
  - Configure the activation period by setting Dormant Days, Inactive Days, and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

- Configuration for X-Frame-Options
- Configuration to set Content Security Policy
- Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.

web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options header for the response. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains.

X-Frame-Options:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>ALLOW-FROM <URL1> <URL2></param-value>
  </init-param>
</filter>

NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.

X-Frame-Options is supported only on the Internet Explorer browser.

Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:


<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>

In the previous example, you have to define the policy by replacing:

- default-src - with no value. This value sets it to 'self'.
- <SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.
- <IMGURL> - with the image URLs from trusted sources from which you want to load images, preventing images from untrusted sources.
- <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and prevent styles from other sources.
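As an added example (not OFSAA code), the following assembles the Content-Security-Policy value from the four context-param tags shown above and lists the source expressions a reviewer should justify; the web.xml fragment is constructed from the page's default values and the weak-source list is this example's own.

```python
"""Builds and audits the CSP configured through the <context-param> tags of
section 3.2. Added example, not OFSAA code; the web.xml fragment is
constructed from the page's defaults and WEAK_SOURCES is this example's list.
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment holding the page's default CSP tags.
DEFAULT_WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
  </context-param>
  <context-param>
    <param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value>
  </context-param>
</web-app>"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")

# Source expressions that weaken the XSS protection CSP is meant to give.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def csp_directives(web_xml):
    """Return {directive: [sources]} from the four CSP context-params.
    Raises ValueError on a duplicate tag (the WARNING in section 3.2) or
    when a value does not begin with its own directive name."""
    root = ET.fromstring(web_xml)
    found = {}
    for cp in root.iter("context-param"):
        name = cp.findtext("param-name")
        if name not in CSP_DIRECTIVES:
            continue
        if name in found:
            raise ValueError(f"duplicate context-param {name}")
        tokens = (cp.findtext("param-value") or "").split()
        if not tokens or tokens[0] != name:
            raise ValueError(f"{name} value must start with {name}")
        found[name] = tokens[1:]
    return found


def build_csp_header(directives):
    """Join the directives into one Content-Security-Policy header value."""
    return "; ".join(f"{d} {' '.join(s)}" for d, s in directives.items())


def audit_csp(directives):
    """(directive, source) pairs worth a second look: a missing default-src
    fallback, and any WEAK_SOURCES entry such as 'unsafe-inline' or
    'unsafe-eval' in script-src, which lets injected inline script run."""
    findings = []
    if "default-src" not in directives:
        findings.append(("default-src", "missing"))
    for directive, sources in directives.items():
        findings += [(directive, s) for s in sources if s in WEAK_SOURCES]
    return findings
```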

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value><URL1> <URL2></param-value>
  </init-param>
</filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
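The following is an added example (not the FilterServlet's own code) that reads the mode (section 3.1) and AllowHosts (section 3.3) init-params from a constructed web.xml fragment, applies the NOTE rules above (a single space between URLs, each ending in a forward slash), and evaluates a request's Referer against AllowHosts. The domains are placeholders, and comparing the Referer's scheme://host/ with the AllowHosts entries is an assumption about how the check works.

```python
"""FilterServlet init-param checks for sections 3.1 and 3.3. Added example,
not the FilterServlet's own code; the web.xml fragment and domains are
constructed, and the Referer comparison rule is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed web.xml fragment carrying both init-params from the page.
WEB_XML = """<web-app>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.test/ https://intranet.example.test/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value>https://portal.example.test/ https://intranet.example.test/</param-value>
    </init-param>
  </filter>
</web-app>"""


def filter_init_params(web_xml):
    """Return {param-name: param-value} of the FilterServlet <filter>."""
    root = ET.fromstring(web_xml)
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") == "FilterServlet":
            return {p.findtext("param-name"): p.findtext("param-value")
                    for p in flt.findall("init-param")}
    return {}


def validate_url_list(value):
    """Check a URL list against the NOTE rules. Returns a list of problems
    (empty when the value is well formed)."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing space")
    if "  " in value.strip():
        problems.append("two or more spaces between URLs")
    for url in value.split():
        if url.count("://") != 1:
            problems.append(f"{url}: URLs run together (missing space)")
        elif not url.endswith("/"):
            problems.append(f"{url}: does not end with a forward slash")
    return problems


def x_frame_options_header(params):
    """Header value the filter sets: the ALLOW-FROM list when the mode
    init-param is configured, otherwise SAMEORIGIN (section 3.1 NOTE)."""
    mode = params.get("mode", "")
    return mode if mode.startswith("ALLOW-FROM ") else "SAMEORIGIN"


def referer_allowed(params, referer):
    """True when the Referer's scheme://host[:port]/ is one of the
    AllowHosts entries. A missing Referer is rejected (assumption)."""
    if not referer:
        return False
    allowed = params.get("AllowHosts", "").split()
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}/" in allowed
```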


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

- Enabling HTTPS Configuration for OFSAA
- Security Configuration for Tomcat
- Security Configuration for WebSphere
- Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:

- To enable HTTPS post installation
- To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

TIP: Multiple cipher suites have to be comma-separated.

For example:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

sessionCookiePath="/<context>"
sessionCookieDomain="<domain>"

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for secure and HttpOnly using the following procedure:

a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.

b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

6. Post configuration, restart the Tomcat service.
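As an added example (not OFSAA code), the following checks a Tomcat server.xml and context.xml pair for the settings of steps 1 to 4 above: sslProtocol TLSv1.2 and an explicit ciphers list on the SSL Connector, secure="true", sessionCookiePath/sessionCookieDomain on the Context, and useHttpOnly="true". The XML fragments are constructed (the /OFSAAI context path and app.mysite.com domain are placeholders) and the cipher allow-list is this example's own, seeded with the one suite the page names.

```python
"""Audit of the Tomcat settings in section 4.2. Added example, not OFSAA
code; the XML fragments are constructed and STRONG_CIPHERS is this
example's allow-list.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml carrying the hardened settings from steps 1 to 4.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/OFSAAI" sessionCookiePath="/OFSAAI"
                 sessionCookieDomain="app.mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed context.xml with the attribute from step 4a.
CONTEXT_XML = '<Context useHttpOnly="true"/>'

STRONG_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}


def check_connector(server_xml):
    """Findings for every SSL-enabled Connector (empty list = compliant)."""
    findings = []
    ssl = [c for c in ET.fromstring(server_xml).iter("Connector")
           if c.get("SSLEnabled") == "true"]
    if not ssl:
        return ["no SSLEnabled Connector found"]
    for c in ssl:
        if c.get("sslProtocol") != "TLSv1.2":
            findings.append(f"sslProtocol is {c.get('sslProtocol')}, expected TLSv1.2")
        if c.get("secure") != "true":
            findings.append('Connector lacks secure="true"')
        suites = [s.strip() for s in (c.get("ciphers") or "").split(",") if s.strip()]
        if not suites:
            findings.append("no ciphers attribute, container defaults apply")
        findings += [f"cipher {s} not in allow-list" for s in suites
                     if s not in STRONG_CIPHERS]
    return findings


def check_cookies(server_xml, context_xml):
    """Findings for the session cookie settings of steps 3 and 4a."""
    findings = []
    for ctx in ET.fromstring(server_xml).iter("Context"):
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append(f"Context {ctx.get('path')} lacks {attr}")
    if ET.fromstring(context_xml).get("useHttpOnly") != "true":
        findings.append('context.xml Context lacks useHttpOnly="true"')
    return findings
```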

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - /<context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

- Restrict Cookies to HTTPS Sessions
- Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.

For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configuration tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and resave the change.

6. Configure session Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path>/<context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>


b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path>/<context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters in setDomainEnv.sh present under domains/<DomainName>/bin as arguments for JAVA_OPTIONS:

-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>

For more information, see

https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

<index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart services.
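As an added verification step (not part of the guide or Oracle's code), the following Python audits a Set-Cookie header for the attributes the session-descriptor above is meant to produce: Secure, HttpOnly, the application host as Domain and the context as Path. The sample headers, the host app.mysite.com and the context path /OFSAAI are constructed values.

```python
"""Audit an OFSAA session cookie for the attributes the guide's session settings produce.

Added example, not Oracle's code. The Set-Cookie samples, the host
app.mysite.com and the context path /OFSAAI are constructed values.
"""
from dataclasses import dataclass, field


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly, which carry no '=value', map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


@dataclass
class CookieAudit:
    name: str
    attributes: dict
    findings: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.findings


def audit_session_cookie(header, expected_domain, expected_path, cookie_name="JSESSIONID"):
    """Check one Set-Cookie header against the guide's session-cookie settings.

    expected_domain is the host that should receive the cookie (app.mysite.com,
    not mysite.com) and expected_path is the OFSAAI context path.
    """
    name, _, attrs = parse_set_cookie(header)
    audit = CookieAudit(name, attrs)
    if name != cookie_name:
        audit.findings.append(f"cookie is named {name!r}, expected {cookie_name!r}")
    if attrs.get("secure") is not True:
        audit.findings.append("Secure flag missing: the cookie would also be sent over plain HTTP")
    if attrs.get("httponly") is not True:
        audit.findings.append("HttpOnly flag missing: page scripts can read the cookie")
    domain = attrs.get("domain")
    if domain is None:
        audit.findings.append("Domain attribute missing (the guide sets it to the application host)")
    elif domain.lstrip(".").lower() != expected_domain.lower():
        audit.findings.append(f"Domain is {domain!r}, expected {expected_domain!r} (cookie scope differs)")
    path = attrs.get("path", "/")
    if path.rstrip("/") != expected_path.rstrip("/"):
        audit.findings.append(f"Path is {path!r}, expected the context path {expected_path!r}")
    return audit


# Constructed samples: a cookie issued before the configuration, after it, and
# with the Domain set to the parent domain the guide's NOTE warns against.
COOKIE_BEFORE = "JSESSIONID=0000A1B2C3; Path=/"
COOKIE_AFTER = "JSESSIONID=0000A1B2C3; Domain=app.mysite.com; Path=/OFSAAI; Secure; HttpOnly"
COOKIE_WIDE = "JSESSIONID=0000A1B2C3; Domain=mysite.com; Path=/OFSAAI; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before", COOKIE_BEFORE), ("after", COOKIE_AFTER), ("wide", COOKIE_WIDE)):
        audit = audit_session_cookie(hdr, "app.mysite.com", "/OFSAAI")
        print(label, "OK" if audit.ok else audit.findings)
```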


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GET/POST

Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat. Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

Section I:

<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>

Section II:

  <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
  <Parameter name="context.param.name" value="context.param.value" override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.

Modify the httpd.conf file and set:

the "ServerTokens" parameter to "Prod"

the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

Negotiating a cipher suite for encryption, data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that its Distinguished Name (DN) is the expected one

Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has the rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for the following groups of keywords/key characters:

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) together with any of the JavascriptKeyChars (meta chars) such as ", ', (, ), < or >, then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains any of the disallowed SQLWords (such as From, Into, Where, table) together with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) during the XSS check, then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME              PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
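The following Python models the detection rule of sections 7.4 and 7.5 (a request is blocked only when a keyword and a key character, or an SQLWord and an SQLKeyWord, occur together), the XSS_IS_CHECK_REQUIRED gate of 7.6.1 and the date/time/URL/user records of 7.6.3. It is an added example, not Oracle's Filter Servlet: the configuration rows are constructed samples in the PARAMNAME/PARAMVALUE layout (the real lists are in Doc ID 2311605.1), and the matching rule (whole-word, case-insensitive for keywords; substring for meta characters) is an assumption.

```python
"""Model of the Filter Servlet vulnerability checks described in Appendix A.

Added example, not Oracle's code. CONFIGURATION holds constructed sample rows
in the PARAMNAME/PARAMVALUE layout of the configuration table; the matching
rule (case-insensitive whole-word match for keywords, substring match for meta
characters) is an assumption, not documented behaviour.
"""
import re
from datetime import datetime, timezone

# Constructed configuration-table rows: (PARAMNAME, PARAMVALUE)
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"),
    ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'),
    ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"),
    ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"),
    ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"),
    ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"),
    ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"),
    ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]


def load_group(rows, prefix):
    """Collect the PARAMVALUEs of rows named <prefix><N>, ordered by N.

    Only names with a purely numeric suffix belong to a group, so
    XSS_IS_CHECK_REQUIRED never lands in one of the keyword lists.
    """
    pattern = re.compile(r"^" + re.escape(prefix) + r"(\d+)$")
    numbered = []
    for name, value in rows:
        match = pattern.match(name)
        if match:
            numbered.append((int(match.group(1)), value))
    return [value for _, value in sorted(numbered)]


class FilterServletChecks:
    """XSS and SQL injection checks gated by XSS_IS_CHECK_REQUIRED (section 7.6.1)."""

    def __init__(self, rows):
        self.enabled = dict(rows).get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() == "TRUE"
        self.js_keywords = load_group(rows, "XSS_JS_KEYWORDS")
        self.js_metachars = load_group(rows, "XSS_JS_METACHARS")
        self.sql_keywords = load_group(rows, "XSS_SQL_KEYWORDS")
        self.sql_words = load_group(rows, "XSS_SQL_WORDS")
        self.log = []  # records in the shape CSSLogger.log keeps: date, time, URL, user

    @staticmethod
    def _has_word(text, words):
        return any(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE) for w in words)

    def check(self, url, user, params):
        """Return None when the request passes, else the name of the check that blocked it.

        Section 7.4: blocked only when a JavascriptKeyWord AND a JavascriptKeyChar occur.
        Section 7.5: blocked only when an SQLWord AND an SQLKeyWord occur.
        `params` is the decoded request-parameter map; every value is inspected.
        """
        if not self.enabled:
            return None
        text = " ".join(str(v) for v in params.values())
        verdict = None
        if self._has_word(text, self.js_keywords) and any(c in text for c in self.js_metachars):
            verdict = "XSS"
        elif self._has_word(text, self.sql_words) and self._has_word(text, self.sql_keywords):
            verdict = "SQL_INJECTION"
        if verdict is not None:
            now = datetime.now(timezone.utc)
            self.log.append({"date": now.date().isoformat(), "time": now.strftime("%H:%M:%S"),
                             "url": url, "user": user, "check": verdict})
        return verdict
```

Note that a keyword on its own ("please return my call") passes, while ordinary text that happens to pair an SQLWord with an SQLKeyWord ("delete my record from the table") is blocked, which is the false-positive profile that section 7.6.2's exclusion mechanism exists for.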


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?

Is the information clearly presented?

Do you need more information? If so, where?

Are the examples correct? Do you need more examples?

What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords/Key Characters
      • 7.6.3 Debug Logs

1 Preface

This Preface provides supporting information for the Oracle Financial Services Analytical Applications Infrastructure Security Guide and includes the following topics:

Secure Configurations

Secure Header Configurations

Web Application Server Security Configurations

Additional Security Configurations

1.1 Summary

The information contained in this document is intended to give you a quick exposure to and an understanding of the security configurations required after the installation of Oracle Financial Services Analytical Application Infrastructure.

1.2 Audience

This guide is intended for System Administrators (SA) who are instrumental in installing and performing secure configurations for OFS Analytical Applications Infrastructure. It is assumed that the SAs are technically sound and proficient in UNIX, Database Administration and Web Application Administration to install and configure OFSAAI in the released environment.

1.2.1 Prerequisites for the Audience

This document assumes that you have experience in installing Enterprise components and basic knowledge about the following:

OFS AAAI pack components

OFSAA Architecture

UNIX Commands

Database Concepts

Web server/Web application server

1.3 Related Documents

This section identifies additional documents related to OFSAA Infrastructure:

Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide

Oracle Financial Services Analytical Applications Environment Check Utility Guide


Oracle Financial Services Analytical Applications Infrastructure Administration Guide

Oracle Financial Services Analytical Applications Infrastructure User Guide


2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for the OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections of this document. For more information, see the OFSAAI Administration Guide.

Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

Key Management - The OFSAA configuration schema (CONFIG) is the repository that stores passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.

The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

NOTE: Integration with any other key management solution is out of scope for this release.

File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

System Configuration and Identity Management - Configure the following parameters using the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

Set session timeout

Enable CSRF

Set frequency of password change

Configure password restriction details

Configure password history

Configure security questions for password reset

Configure the activation period by setting Dormant Days, Inactive Days and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

Configuration for X-Frame-Options

Configuration to set Content Security Policy

Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header:

web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains.

X-Frame-Options:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>ALLOW-FROM <URL1> <URL2></param-value>
  </init-param>
</filter>

NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. URL1 and URL2 refer to the different domain URLs.

X-Frame-Options is supported only on the Internet Explorer browser.

Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them or adding two or more spaces between them results in errors. Make sure that each <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set the Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find whether the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required.


<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>

In the previous example, you have to define the policy by replacing:

default-src - with no value. This value sets it to 'self'.

<SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.

<IMGURL> - with the image URLs of the trusted sources from which you want to load images, preventing images from untrusted sources.

<CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value> <URL1> <URL2> </param-value>


  </init-param>
</filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them or adding two or more spaces between them results in errors. Make sure that each <URL> ends with a forward slash (/).


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details:

Enabling HTTPS Configuration for OFSAA

Security Configuration for Tomcat

Security Configuration for WebSphere

Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.

To enable HTTPS post installation:

To view configurations related to SSLv3 and TLS 1.2:

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

TIP: Multiple cipher suites have to be comma-separated.

For example:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

https://www.owasp.org/index.php/Securing_tomcat

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

   sessionCookiePath="<context>"
   sessionCookieDomain="<domain>"

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

   a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.

   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

      <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
      </init-param>

6. Post configuration, restart the Tomcat service.

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

   Cookie Name - JSESSIONID
   Cookie domain - <domain>
   Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   Restrict Cookies to HTTPS Sessions
   Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings and then Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:

https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:

https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and resave the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>

      For more information, see:

      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see:

      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

      <index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.
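Once Tomcat, WebSphere or WebLogic has been configured as above, the quickest way to confirm the result is to inspect the Set-Cookie header the application actually returns. The following check is an added example, not Oracle's code: it takes a Set-Cookie header value, the host the application is accessed through and the OFSAAI context, and reports any of Secure, HttpOnly, Domain or Path that does not match the settings described in this chapter; the two sample headers are constructed.

```python
"""Verify that a session cookie carries the attributes the Tomcat, WebSphere and
WebLogic steps above configure: Secure, HttpOnly, Domain equal to the host the
application is reached through (app.mysite.com, not mysite.com) and Path equal
to the OFSAAI context. Added example, not Oracle's code; the Set-Cookie samples
are constructed."""

from http.cookies import SimpleCookie


def _norm_path(path):
    """Treat '/ofsaa' and '/ofsaa/' as the same path; '' or '/' become '/'."""
    return path.rstrip("/") or "/"


def check_session_cookie(set_cookie_header, host, context, name="JSESSIONID"):
    """Return a list of findings for the named cookie; an empty list passes."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        return ["no %s cookie in Set-Cookie header" % name]
    morsel = jar[name]
    findings = []
    # Secure: the browser only sends the cookie over HTTPS.
    if not morsel["secure"]:
        findings.append("missing Secure (cookie may be sent over plain HTTP)")
    # HttpOnly: page scripts cannot read the cookie, limiting XSS impact.
    if not morsel["httponly"]:
        findings.append("missing HttpOnly (cookie readable from script)")
    # Domain: must be the exact host, as the NOTE in this chapter requires.
    domain = morsel["domain"].lstrip(".").lower()
    if not domain:
        findings.append("no Domain attribute set")
    elif domain != host.lower():
        findings.append("Domain %r does not match host %r" % (domain, host))
    # Path: must be the OFSAAI context so the cookie is not sent to other apps.
    if _norm_path(morsel["path"]) != _norm_path(context):
        findings.append("Path %r does not match context %r" % (morsel["path"], context))
    return findings


# Constructed sample headers: one as the steps above produce it, one weak.
GOOD_HEADER = "JSESSIONID=0123456789ABCDEF; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly"
WEAK_HEADER = "JSESSIONID=0123456789ABCDEF; Path=/; Domain=mysite.com"

if __name__ == "__main__":
    for label, header in (("good", GOOD_HEADER), ("weak", WEAK_HEADER)):
        findings = check_session_cookie(header, "app.mysite.com", "/ofsaa")
        print(label, "->", findings or ["OK"])
```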


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GET/POST

Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat. Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):

Section I:

   <Context path="/examples" docBase="examples" debug="0"
            reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger"
             prefix="localhost_examples_log." suffix=".txt"
             timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity"
          home="com.wombat.empl.EmployeeRecordHome"
          remote="com.wombat.empl.EmployeeRecord"/>

Section II:

     <Environment name="maxExemptions" type="java.lang.Integer"
                  value="15"/>
     <Parameter name="context.param.name" value="context.param.value"
                override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
               type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name>
         <value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name>
         <value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container"
               type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource"
                   global="simpleValue"
                   type="java.lang.Integer"/>
   </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags from the CATALINA_HOME/conf/web.xml file:

   <welcome-file>index.html</welcome-file>
   <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

Following are some examples:

   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set:

   the "ServerTokens" parameter to "Prod"
   the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/Apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

   DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

   Negotiating a cipher suite for encryption, data integrity and authentication
   Authenticating the client by validating its certificate
   Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
   Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web-container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently this check is for the following groups of keywords and key characters:

   JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
   JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
   SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
   SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
   SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
   SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

   PARAMNAME              PARAMVALUE   DESCRIPTION
   XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not
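The combination rule of sections 7.4 and 7.5, together with the XSS_IS_CHECK_REQUIRED switch of 7.6.1, can be modelled on a handful of configuration rows to see which request values it blocks and which it lets through. The following is an added example, not Oracle's Filter Servlet: the CONFIGURATION rows are a constructed subset of the PARAMNAME groups named in 7.3, and whole-word matching is an assumption of this model rather than a description of the product's matcher.

```python
"""Model of the Filter Servlet's combination rule from Appendix A: a request is
blocked when a parameter value contains a JavascriptKeyWord together with a
JavascriptKeyChar, or an SQLKeyWord together with an SQLWord, and only while
XSS_IS_CHECK_REQUIRED is TRUE. Added example, not Oracle's code; the
CONFIGURATION rows are constructed from the PARAMNAME groups the appendix names
(a subset, for illustration) and whole-word matching is an assumption of this
model, not a statement about the product's matcher."""

import re

# Constructed CONFIGURATION rows as (PARAMNAME, PARAMVALUE); the full list is
# in the MOS document referenced in 7.4 and 7.5.
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"),
    ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'),
    ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"),
    ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"),
    ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"),
    ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"),
    ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"),
    ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]


def load_group(rows, prefix):
    """PARAMVALUEs of every row whose PARAMNAME is <prefix><number>, lowercased."""
    pattern = re.compile(r"^%s\d+$" % re.escape(prefix))
    return [value.lower() for name, value in rows if pattern.match(name)]


def _has_word(text, words):
    return any(re.search(r"\b%s\b" % re.escape(w), text) for w in words)


def _has_char(text, chars):
    return any(c in text for c in chars)


def inspect_request(params, rows=CONFIGURATION):
    """Return (blocked, reason) for a dict of request parameter values."""
    flag = dict(rows).get("XSS_IS_CHECK_REQUIRED", "")
    if flag.upper() != "TRUE":
        return False, "XSS_IS_CHECK_REQUIRED is not TRUE; checks skipped"
    js_words = load_group(rows, "XSS_JS_KEYWORDS")
    js_chars = load_group(rows, "XSS_JS_METACHARS")
    sql_keys = load_group(rows, "XSS_SQL_KEYWORDS")
    sql_words = load_group(rows, "XSS_SQL_WORDS")
    for name, value in params.items():
        text = value.lower()
        # 7.4: a JavascriptKeyWord together with a JavascriptKeyChar.
        if _has_word(text, js_words) and _has_char(text, js_chars):
            return True, "%s: JavascriptKeyWord combined with JavascriptKeyChar" % name
        # 7.5: an SQLKeyWord together with an SQLWord.
        if _has_word(text, sql_keys) and _has_word(text, sql_words):
            return True, "%s: SQLKeyWord combined with SQLWord" % name
    return False, "no disallowed combination found"


# Constructed requests: a harmless comment that happens to contain "return",
# the script/alert combination from 7.4, and the select/from combination from 7.5.
SAMPLE_REQUESTS = {
    "comment": {"text": "Please return the signed form by Friday"},
    "script": {"q": "<script>alert(1)</script>"},
    "sql": {"q": "select name from users"},
}

if __name__ == "__main__":
    for label, params in SAMPLE_REQUESTS.items():
        print(label, "->", inspect_request(params))
```

The "comment" request shows why the rule is a combination: a keyword on its own, without a key character, is not blocked.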

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

   Did you find any errors?
   Is the information clearly presented?
   Do you need more information? If so, where?
   Are the examples correct? Do you need more examples?
   What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

Contents

1 Preface
   1.1 Summary
   1.2 Audience
      1.2.1 Prerequisites for the Audience
   1.3 Related Documents
2 Secure Configurations
   2.1 Security Configurations
3 Secure Header Configuration
   3.1 Configuration for X-Frame-Options
   3.2 Configuration to set Content Security Policy
   3.3 Configuration for Referrer Header Validation
4 Web Application Server Security Configurations
   4.1 Enabling HTTPS Configuration for OFSAA
   4.2 Security Configuration for Tomcat
   4.3 Security Configuration for WebSphere
      4.3.1 Session Management Secure and HttpOnly Configuration
      4.3.2 TLS Configuration for WebSphere
      4.3.3 Configuring Application Security
      4.3.4 Disable Directory Listing
   4.4 Security Configuration for WebLogic
5 Additional Security Configurations
   5.1 Configuration to Restrict Access to Default Web Server Pages
   5.2 Configuration to Restrict Display of the Web Server Details
   5.3 Configuration to Restrict File Uploads
   5.4 Configuration to restrict HTTP methods other than GET/POST
   5.5 Configuration to enable unlimited cryptographic policy for Java
6 Secure Database Connection
   6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
7 Appendix A - Filter Servlet
   7.1 Introduction
   7.2 Security and Access
   7.3 Vulnerability Checks
   7.4 Cross Site Scripting
   7.5 SQL Injection
   7.6 Filter Servlet Configurations
      7.6.1 Checking for XSS Vulnerability
      7.6.2 Exclusion of Keywords / Key Characters
      7.6.3 Debug Logs

Oracle Financial Services Analytical Applications Infrastructure Administration Guide

Oracle Financial Services Analytical Applications Infrastructure User Guide


2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for the OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections in this document. For more information, see the OFSAAI Administration Guide.

Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

Key Management - The OFSAA configuration schema (CONFIG) is the repository to store passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.

The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

NOTE: Integration with any other Key Management solution is out of scope of this release.

File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

   Set session timeout
   Enable CSRF
   Set frequency of password change
   Configure password restriction details
   Configure password history
   Configure security questions for password reset
   Configure the activation period by setting Dormant Days, Inactive Days and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

Configuration for X-Frame-Options

Configuration to set Content Security Policy

Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.

   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options header in the response. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains.

   X-Frame-Options:

   <filter>
     <filter-name>FilterServlet</filter-name>
     <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
     <init-param>
       <param-name>mode</param-name>
       <param-value>ALLOW-FROM <URL1> <URL2></param-value>
     </init-param>
   </filter>

NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response, where URL1 and URL2 refer to the different domain URLs.

X-Frame-Options is supported only on the Internet Explorer browser.

Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them or adding two or more spaces between them results in errors. Make sure that <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configurations to set Content Security Policy are supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

   <context-param>
     <param-name>default-src</param-name>
     <param-value>default-src 'self'</param-value>
   </context-param>
   <context-param>
     <param-name>script-src</param-name>
     <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
   </context-param>
   <context-param>
     <param-name>img-src</param-name>
     <param-value>img-src 'self' data:</param-value>
   </context-param>
   <context-param>
     <param-name>style-src</param-name>
     <param-value>style-src 'self' 'unsafe-inline'</param-value>
   </context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:


<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>

In the previous example, you have to define the policy by replacing:

default-src - with no value. This value sets it to 'self'.

<SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.

<IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.

<CSSURL> - with the URL of the stylesheet to allow styles from the specified stylesheet and to prevent styles from other sources.
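The following is an added example, not code from OFSAA or this guide: it reads the CSP context-params described above from a web.xml fragment, assembles the Content-Security-Policy value they describe, and reports the things a reviewer would check (duplicate tags, a value that does not start with its directive name, unquoted keywords, and 'unsafe-inline'/'unsafe-eval' in script-src). How FilterServlet actually joins the params into one header is an assumption; the checks themselves are standard CSP rules.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the default tags listed above.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
  </context-param>
  <context-param>
    <param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value>
  </context-param>
</web-app>
"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")
# CSP keyword sources must be single-quoted; a bare "self" means a host called self.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def _local(tag):
    """Tag name without the namespace that web-app files declare."""
    return tag.rsplit("}", 1)[-1]


def read_csp_params(web_xml_text):
    """Return {directive: param-value} for the CSP context-params.
    Raises on a duplicate directive, the case the WARNING above is about."""
    params = {}
    for cp in ET.fromstring(web_xml_text).iter():
        if _local(cp.tag) != "context-param":
            continue
        name = value = None
        for child in cp:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = " ".join((child.text or "").split())   # collapse whitespace
        if name in CSP_DIRECTIVES:
            if name in params:
                raise ValueError(f"duplicate context-param: {name}")
            params[name] = value
    return params


def build_csp_header(params):
    """Join the directive values into one header value (assumed assembly order)."""
    return "; ".join(params[d] for d in CSP_DIRECTIVES if d in params)


def audit_csp(params):
    """Findings a reviewer would raise about each directive value."""
    findings = []
    for name, value in params.items():
        tokens = value.split(" ")
        if tokens[0] != name:
            findings.append(f"{name}: value must start with the directive name")
            continue
        for src in tokens[1:]:
            if src in KEYWORDS:
                findings.append(f"{name}: {src} must be quoted as '{src}' to act as a keyword")
            if name == "script-src" and src in ("'unsafe-inline'", "'unsafe-eval'"):
                findings.append(f"{name}: {src} weakens the XSS protection CSP provides")
    return findings
```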

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value><URL1> <URL2></param-value>


  </init-param>
</filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

Enabling HTTPS Configuration for OFSAA
Security Configuration for Tomcat
Security Configuration for WebSphere
Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.

To enable HTTPS post installation

To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

TIP: Multiple cipher suites have to be comma-separated.

For example:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

sessionCookiePath="<context>"
sessionCookieDomain="<domain>"

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.

b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

6. Post configuration, restart the Tomcat service.
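As an added example (not Oracle's or Tomcat's code), the script below audits the three Tomcat files that steps 1 to 5 edit and reports each setting that is missing or weak, so the hardening can be re-verified after upgrades. It assumes the protocol is pinned with sslProtocol="TLSv1.2" (the attribute value Tomcat's JSSE connector accepts for TLS 1.2) and that the listings switch sits on the servlet named "default"; the sample files are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed, hardened versions of the three files the steps above edit.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               sslProtocol="TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/ofsaa" docBase="ofsaa"
                 sessionCookiePath="/ofsaa" sessionCookieDomain="app.mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""
CONTEXT_XML = '<Context useHttpOnly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config>
</web-app>"""

# The same files with three of the settings left out or weakened.
WEAK_SERVER_XML = (SERVER_XML.replace('sslProtocol="TLSv1.2"', 'sslProtocol="TLS"')
                             .replace(' secure="true"', ""))
WEAK_WEB_XML = WEB_XML.replace("<param-value>false</param-value>",
                               "<param-value>true</param-value>")


def _local(tag):
    """Tag name without the namespace a real web.xml declares."""
    return tag.rsplit("}", 1)[-1]


def _elements(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(parent, name):
    for e in _elements(parent, name):
        return (e.text or "").strip()
    return None


def audit_tomcat(server_xml, context_xml, web_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    server = ET.fromstring(server_xml)
    for c in _elements(server, "Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue                                    # plain HTTP connectors are out of scope
        where = f"Connector port {c.get('port')}"
        if c.get("sslProtocol") != "TLSv1.2":           # step 1
            findings.append(f"{where}: sslProtocol is {c.get('sslProtocol')!r}, want 'TLSv1.2'")
        if not c.get("ciphers"):                        # step 2
            findings.append(f"{where}: no explicit ciphers list")
        if c.get("secure", "false").lower() != "true":  # step 4b
            findings.append(f'{where}: secure="true" missing')
    for ctx in _elements(server, "Context"):            # step 3
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append(f"Context {ctx.get('path')}: {attr} not set")
    if ET.fromstring(context_xml).get("useHttpOnly", "").lower() != "true":  # step 4a
        findings.append('context.xml: useHttpOnly="true" missing on Context')
    web = ET.fromstring(web_xml)
    cookie_cfg = _elements(web, "cookie-config")        # step 4c
    for flag in ("http-only", "secure"):
        if not cookie_cfg or _child_text(cookie_cfg[0], flag) != "true":
            findings.append(f"web.xml: cookie-config/{flag} is not true")
    for servlet in _elements(web, "servlet"):           # step 5
        if _child_text(servlet, "servlet-name") != "default":
            continue
        listings = None
        for ip in _elements(servlet, "init-param"):
            if _child_text(ip, "param-name") == "listings":
                listings = _child_text(ip, "param-value")
        if listings != "false":
            findings.append(f"web.xml: default servlet listings={listings!r}, want 'false'")
    return findings
```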

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu, select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

Cookie Name - JSESSIONID
Cookie Domain - <domain>
Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>


b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:

<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>

For more information, see:
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

<index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat.

Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

Section I

<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>

Section II

<Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
<Parameter name="context.param.name" value="context.param.value" override="false"/>
<Resource name="jdbc/EmployeeAppDb" auth="SERVLET"


          type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/EmployeeAppDb">
  <parameter><name>user</name><value>sa</value></parameter>
  <parameter><name>password</name><value></value></parameter>
  <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
  <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
</ResourceParams>
<Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
<ResourceParams name="mail/Session">
  <parameter>
    <name>mail.smtp.host</name>
    <value>localhost</value>
  </parameter>
</ResourceParams>
<ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set:

"ServerTokens" parameter to "Prod"
"ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the following values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg
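An added example (not OFSAA's upload code) of applying the DOCUMENT_ALLOWED_EXTENSION allow-list the way an upload check should: only the final extension of the bare file name is compared, case-insensitively, so names like report.pdf.exe, a trailing dot, or a path fragment do not slip past the list. That the parameter is stored comma-separated, and the case-insensitive comparison, are assumptions made for illustration.

```python
import os

# Constructed parameter value built from the list above.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(param_value):
    """Lower-cased, de-duplicated set of extensions ('doc' and 'Doc' collapse)."""
    return {e.strip().lower().lstrip(".") for e in param_value.split(",") if e.strip()}


def upload_extension(filename):
    """Return the extension the check must judge, or None when the name is
    unusable.  Only the base name and only the LAST extension count, so
    'report.pdf.exe' is judged by 'exe', not by 'pdf'."""
    name = filename.strip()
    if not name or "\x00" in name or "\\" in name or name != os.path.basename(name):
        return None                      # NUL bytes and path fragments are never valid
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or not ext:   # no extension, '.hidden', or trailing dot
        return None
    return ext.lower()


def is_upload_allowed(filename, allowed=None):
    """True only when the file name carries exactly one judged extension
    and that extension is in the allow-list."""
    if allowed is None:
        allowed = parse_allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    ext = upload_extension(filename)
    return ext is not None and ext in allowed
```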

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in case of WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>


  <!-- an empty auth-constraint grants the listed methods to no role, so they are denied -->
  <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

Negotiating a cipher suite for encryption, data integrity, and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is expected
Client and server exchange key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

Filter Servlet is a controller in the web-container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check is for the following groups of keywords and key characters:

JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), <, or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, or Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, or Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME             | PARAMVALUE | DESCRIPTION
XSS_IS_CHECK_REQUIRED | TRUE       | Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
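The keyword and meta-character rules of 7.4 and 7.5, driven by configuration-table rows of the shape shown in 7.3 and 7.6.1, as an added example that is not the FilterServlet's own code. It also emits a CSSLogger-style record with the fields 7.6.3 lists. The sample rows are constructed (the real table has more entries); matching keywords as whole words, case-insensitively, and the exact log line layout are assumptions.

```python
import re
from datetime import datetime

# Constructed (PARAMNAME, PARAMVALUE) rows in the shape of the configuration table.
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

# Numbered PARAMNAMEs such as XSS_JS_KEYWORDS13 -> group XSS_JS_KEYWORDS
_GROUP = re.compile(r"^(XSS_(?:JS|SQL)_[A-Z]+?)(\d+)$")


def load_groups(rows):
    """Return (enabled, {group: [values]}) from configuration-table rows.
    The XSS_IS_CHECK_REQUIRED row (7.6.1) switches the whole check off."""
    groups, enabled = {}, True
    for name, value in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            enabled = value.strip().upper() == "TRUE"
            continue
        m = _GROUP.match(name)
        if m:
            groups.setdefault(m.group(1), []).append(value)
    return enabled, groups


def _has_word(text, words):
    """Keywords present as whole words, case-insensitively (assumed matching)."""
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]


def _has_char(text, chars):
    return [c for c in chars if c in text]


def inspect_request(params, rows=CONFIG_ROWS):
    """params: {parameter name: value} of one HTTP request.
    Returns (blocked, reasons) under the 7.4 and 7.5 rules."""
    enabled, g = load_groups(rows)
    if not enabled:
        return False, []
    reasons = []
    for value in params.values():
        js = _has_word(value, g.get("XSS_JS_KEYWORDS", []))
        meta = _has_char(value, g.get("XSS_JS_METACHARS", []))
        if js and meta:                       # 7.4: a keyword AND a meta-char
            reasons.append(f"XSS: keyword {js[0]!r} with meta-char {meta[0]!r}")
        sqlk = _has_word(value, g.get("XSS_SQL_KEYWORDS", []))
        sqlw = _has_word(value, g.get("XSS_SQL_WORDS", []))
        if sqlk and sqlw:                     # 7.5: an SQL keyword AND an SQL word
            reasons.append(f"SQLi: keyword {sqlk[0]!r} with word {sqlw[0]!r}")
    return bool(reasons), reasons


def log_record(url, user, reasons, when=None):
    """One CSSLogger.log style line: date, time, URL and user (layout assumed)."""
    when = when or datetime.now()
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {url} {user} {'; '.join(reasons)}"
```

Note that the second sample below is a legitimate comment the rule still blocks, which is why 7.6.2 exists.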


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords/Key Characters
      • 7.6.3 Debug Logs

2 Secure Configurations

Refer to the following subsections to configure security parameters in OFSAAI.

2.1 Security Configurations

To have a secure environment for the OFSAA installation, there is a set of configurations that need to be accomplished. The configurations are discussed in the following sections in this document. For more information, see the OFSAAI Administration Guide.

Oracle Data Redaction - This is an Oracle Database Advanced Security option to enable the protection of data. It is used to mask (redact) sensitive data shown to the user in real time. To enable this option during installation, see the Enabling Data Redaction section in the OFSAAI Installation and Configuration Guide. To enable it post installation, see the Data Redaction section in the OFSAAI Administration Guide.

TDE (Transparent Data Encryption) - Enabling this option secures the data at rest when stored in the Oracle DB. To configure TDE during installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Installation and Configuration Guide. If you want to configure it after installation, see the Transparent Data Encryption (TDE) section in the OFSAAI Administration Guide.

Key Management - The OFSAA configuration schema (CONFIG) is the repository that stores passwords for users and application database schemas centrally. These values are AES-256 bit encrypted using an encryption key uniquely generated for each OFSAA instance during the installation process. The OFSAA platform provides a utility (EncryptC.sh) to rotate/generate a new encryption key if needed.

The Key Management section in the OFSAAI Administration Guide explains how to generate and store this key in a Java Key Store.

NOTE: Integration with any other Key Management solution is out of scope for this release.

File Encryption - OFSAA supports file encryption using the AES-256 bit format. For more information, see the File Encryption section in the OFSAAI Administration Guide.

Database Password Reset - Change the database password for the config schema and atomic schema periodically. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Password Reset - Reset passwords for users if required. For more information, see the Database Password Reset/Change section in the OFSAAI Administration Guide.

Enable and Disable Users - For more information, see the Enable and Disable Users section in the OFSAAI Administration Guide.

SSO Authentication (SAML) Configuration - For more information, see the SSO Authentication (SAML) Configuration section in the OFSAAI Administration Guide.


Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

Set session timeout
Enable CSRF
Set frequency of password change
Configure password restriction details
Configure password history
Configure security questions for password reset
Configure the activation period by setting Dormant Days, Inactive Days, and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

• Configuration for X-Frame-Options
• Configuration to set Content Security Policy
• Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following security filter configuration for the response header.

   web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options header for the response. Add ALLOW-FROM for X-FRAME-OPTIONS to limit the domains:

   X-Frame-Options:

     <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
         <param-name>mode</param-name>
         <param-value>ALLOW-FROM <URL1> <URL2></param-value>
       </init-param>
     </filter>

   NOTE: If ALLOW-FROM is not configured, the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.

   X-Frame-Options is supported only on the Internet Explorer browser.

   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search for the following tags. If the tags do not exist in the web.xml file, add them to the file:

     <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
     </context-param>
     <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
     </context-param>
     <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src 'self' data:</param-value>
     </context-param>
     <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src 'self' 'unsafe-inline'</param-value>
     </context-param>

   WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

   If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:


     <context-param>
       <param-name>default-src</param-name>
       <param-value>default-src 'self'</param-value>
     </context-param>
     <context-param>
       <param-name>script-src</param-name>
       <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
     </context-param>
     <context-param>
       <param-name>img-src</param-name>
       <param-value>img-src <IMGURL> 'self' data:</param-value>
     </context-param>
     <context-param>
       <param-name>style-src</param-name>
       <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
     </context-param>

   In the previous example, you have to define the policy by replacing:

   • default-src - with no value. This value sets it to 'self'.
   • <SCRURL> - with the URL of the script that you want to allow to run, which prevents any other script from running.
   • <IMGURL> - with the image URLs of the trusted sources from which you want to load images, preventing images from untrusted sources.
   • <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.
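The following is an added example and is not part of the OFSAA guide or product code. It assembles the Content-Security-Policy header value from directive lists shaped like the context-param entries above, fills in the <SCRURL>, <IMGURL> and <CSSURL> placeholders the way the customised listing does, and reports the settings a reviewer would question. The sample origins are constructed, and the audit rules are this example's own reading of the policy, not something the guide states.

```python
# Added example, not from the OFSAA guide: assemble the CSP header from the
# context-param values above and flag the directives a reviewer would question.
# DEFAULT_CSP mirrors the guide's listing; the audit rules below are my own.
from typing import Dict, List

# param-name -> the source list from the matching param-value
DEFAULT_CSP: Dict[str, List[str]] = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
    "img-src": ["'self'", "data:"],
    "style-src": ["'self'", "'unsafe-inline'"],
}


def build_csp(directives: Dict[str, List[str]]) -> str:
    """Serialize directives into the Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in directives.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Inverse of build_csp; tolerates extra whitespace and a trailing ';'."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def customize_csp(script_url: str, img_url: str, css_url: str) -> Dict[str, List[str]]:
    """The guide's second listing with <SCRURL>, <IMGURL> and <CSSURL> filled in.
    Each extra origin is inserted in front of the existing sources, as shown there."""
    policy = {name: list(sources) for name, sources in DEFAULT_CSP.items()}
    policy["script-src"].insert(0, script_url)
    policy["img-src"].insert(0, img_url)
    policy["style-src"].insert(0, css_url)
    return policy


def audit_csp(directives: Dict[str, List[str]]) -> List[str]:
    """Findings a reviewer would raise; an empty list means nothing to report."""
    findings: List[str] = []
    if "default-src" not in directives:
        findings.append("default-src missing: any fetch directive not listed is unrestricted")
    for name, sources in directives.items():
        if "'unsafe-inline'" in sources and name in ("script-src", "default-src"):
            findings.append(f"{name} allows 'unsafe-inline': inline scripts still run, so XSS is not blocked")
        if "'unsafe-eval'" in sources:
            findings.append(f"{name} allows 'unsafe-eval': string-to-code APIs stay enabled")
        for src in sources:
            if src == "*" or src.startswith("http:"):
                findings.append(f"{name} allows {src}: content from any or unencrypted origin")
    return findings


if __name__ == "__main__":
    # constructed origins standing in for <SCRURL>, <IMGURL> and <CSSURL>
    header = build_csp(customize_csp("https://scripts.example.com/",
                                     "https://images.example.com/",
                                     "https://css.example.com/"))
    print("Content-Security-Policy:", header)
    for finding in audit_csp(parse_csp(header)):
        print(" -", finding)
```

Running the audit against the guide's default listing shows the point worth understanding before customising it: as long as script-src keeps 'unsafe-inline' and 'unsafe-eval', the policy mainly limits where external scripts are fetched from, and it is the 'self'-plus-named-origin form (no unsafe keywords) that audits clean.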

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

     <filter>
       <filter-name>FilterServlet</filter-name>
       <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
       <init-param>
         <param-name>AllowHosts</param-name>
         <param-value> <URL1> <URL2> </param-value>
       </init-param>
     </filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
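The following is an added example and is not part of the OFSAA guide or the FilterServlet code. It validates the space-separated URL lists used by the ALLOW-FROM mode parameter (3.1) and the AllowHosts parameter (3.3) against the formatting rules the two NOTEs give, derives the X-Frame-Options value the mode parameter implies, and shows why the trailing slash matters when a Referer is compared by prefix. Prefix comparison is this example's assumption about how an allow-list of host URLs is applied; the guide does not describe the filter's internals. All URLs are constructed.

```python
# Added example, not from the OFSAA guide: validate the space-separated URL
# lists used by the FilterServlet's ALLOW-FROM (3.1) and AllowHosts (3.3)
# parameters against the guide's formatting rules, and show why the trailing
# slash matters when the Referer is compared by prefix (prefix matching is an
# assumption about the filter, not something the guide states).
import re
from typing import List, Tuple

ABSOLUTE_URL = re.compile(r"^https?://[^/\s]+")


def validate_url_list(value: str) -> Tuple[List[str], List[str]]:
    """Return (urls, problems) for a value such as '<URL1> <URL2>'."""
    problems: List[str] = []
    text = value.strip()
    if "  " in text:
        problems.append("two or more spaces between URLs")
    urls = [u for u in text.split(" ") if u]
    for url in urls:
        if not ABSOLUTE_URL.match(url):
            problems.append(f"{url!r} is not an absolute http(s) URL")
        elif url.count("://") > 1:
            problems.append(f"{url!r} looks like two URLs with no space between them")
        elif not url.endswith("/"):
            problems.append(f"{url!r} does not end with a forward slash")
    return urls, problems


def x_frame_options_header(mode_value: str) -> str:
    """Header value implied by the 'mode' init-param: ALLOW-FROM <urls> when
    configured and well-formed, SAMEORIGIN when the parameter is empty."""
    text = mode_value.strip()
    if not text:
        return "SAMEORIGIN"
    if not text.startswith("ALLOW-FROM "):
        raise ValueError("mode must be empty or start with 'ALLOW-FROM '")
    urls, problems = validate_url_list(text[len("ALLOW-FROM "):])
    if problems or not urls:
        raise ValueError("; ".join(problems) or "ALLOW-FROM given without URLs")
    return "ALLOW-FROM " + " ".join(urls)


def referer_allowed(referer: str, allow_hosts: List[str]) -> bool:
    """Prefix match of the request's Referer against the AllowHosts list.
    With the trailing slash, 'https://app.example.com/' matches only pages of
    that host, not a longer host name that merely starts with the same text."""
    return any(referer.startswith(host) for host in allow_hosts)


if __name__ == "__main__":
    # constructed sample values
    print(x_frame_options_header("ALLOW-FROM https://app.example.com/ https://portal.example.com/"))
    print(validate_url_list("https://app.example.com/https://portal.example.com/")[1])
    print(referer_allowed("https://app.example.com/ofsaa/home", ["https://app.example.com/"]))
```

The last function is the reason for the slash rule: without it, an entry of https://app.example.com is a prefix of any host name that begins with those characters, so the Referer check would accept more than the intended host. Note also that browsers other than Internet Explorer ignore the ALLOW-FROM form of X-Frame-Options, which is why the guide scopes it to that browser; the CSP frame-ancestors directive is the equivalent for current browsers.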


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

• Enabling HTTPS Configuration for OFSAA
• Security Configuration for Tomcat
• Security Configuration for WebSphere
• Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:

• To enable HTTPS post installation
• To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

   TIP: Multiple cipher suites have to be comma-separated.

   For example:

     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

     sessionCookiePath="<context>"
     sessionCookieDomain="<domain>"

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.

   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

   c. Add the following tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

        <cookie-config>
          <http-only>true</http-only>
          <secure>true</secure>
        </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

     <init-param>
       <param-name>listings</param-name>
       <param-value>false</param-value>
     </init-param>

6. After configuration, restart the Tomcat service.
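The following is an added example and is not part of the OFSAA guide. The Tomcat steps above, and the WebSphere and WebLogic steps later in this chapter, all aim at the same Set-Cookie shape for JSESSIONID: Secure, HttpOnly, the application context as path and the exact host as domain. This code parses a Set-Cookie header as a server would emit it and lists the deviations from that shape, so the effect of the configuration can be checked from a captured response. The two sample headers are constructed; the expected domain and path are whatever you configured for <domain> and <context>.

```python
# Added example, not from the OFSAA guide: parse a Set-Cookie header and check
# it against the JSESSIONID settings the Tomcat, WebSphere and WebLogic steps
# configure (Secure, HttpOnly, cookie domain and cookie path). The sample
# headers are constructed; the expected domain/path are whatever you configured.
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split 'NAME=value; Attr=val; Flag' into a dict with lower-cased attribute
    keys; flags without a value (Secure, HttpOnly) map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
    return cookie


def audit_session_cookie(header: str, expected_domain: str, expected_path: str) -> List[str]:
    """Return the deviations from the hardened JSESSIONID configuration."""
    cookie = parse_set_cookie(header)
    findings: List[str] = []
    if cookie["name"] != "JSESSIONID":
        return [f"not a JSESSIONID cookie: {cookie['name']}"]
    if "secure" not in cookie:
        findings.append("Secure missing: the session id would also be sent over plain HTTP")
    if "httponly" not in cookie:
        findings.append("HttpOnly missing: the session id is readable from page scripts")
    domain = cookie.get("domain", "").lstrip(".").lower()
    if domain != expected_domain.lower():
        findings.append(f"Domain is {domain or '(host only)'}, expected {expected_domain}")
    if cookie.get("path") != expected_path:
        findings.append(f"Path is {cookie.get('path') or '(unset)'}, expected {expected_path}")
    return findings


# Constructed samples: before and after applying the cookie configuration
BEFORE = "JSESSIONID=0000constructedsessionid; Path=/ofsaa"
AFTER = "JSESSIONID=0000constructedsessionid; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_session_cookie(hdr, "app.mysite.com", "/ofsaa") or "OK")
```

The domain comparison is deliberately exact: the NOTE above asks for app.mysite.com rather than mysite.com because a cookie scoped to the parent domain is also sent to every other host under it, and the audit reports that as a finding.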

4.3 Security Configuration for WebSphere

In the WebSphere Admin Console you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

   Cookie Name - JSESSIONID
   Cookie Domain - <domain>
   Cookie Path - <context>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   • Restrict cookies to HTTPS sessions
   • Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers
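The following is an added example and is not part of the OFSAA guide. The Tomcat ciphers attribute (4.2), the WebSphere QoP settings above and the WebLogic <ciphersuite> element (4.4) all take cipher suites by their IANA names, and the guide defers to the OWASP cheat sheet for what counts as strong. This code classifies such names by parsing their key-exchange, cipher and MAC parts, so a configured list can be checked before it is deployed. The rules are this example's summary of the usual advice (no NULL, RC4, DES/3DES, export or MD5 suites; prefer forward-secret ECDHE/DHE key exchange and AEAD modes over CBC) and are not product behaviour; the sample list is constructed.

```python
# Added example, not from the OFSAA guide: classify the IANA cipher suite names
# used in the Tomcat 'ciphers' attribute, the WebSphere QoP settings and the
# WebLogic <ciphersuite> element. The classification rules are my own summary
# of the OWASP advice the guide links to, not part of the product.
from typing import Dict, List

BROKEN_PRIMITIVES = ("NULL", "RC4", "DES", "RC2", "IDEA", "EXPORT", "MD5")


def classify_suite(name: str) -> str:
    """'weak', 'legacy' or 'strong' for one cipher suite name."""
    suite = name.strip().upper()
    if not suite.startswith("TLS_"):
        return "weak"                      # SSL_* and unknown names
    body = suite[len("TLS_"):]
    if "_WITH_" in body:
        key_exchange, _, cipher_and_mac = body.partition("_WITH_")
    else:                                  # TLS 1.3 names carry no key-exchange part
        key_exchange, cipher_and_mac = "TLS13", body
    if (any(p in cipher_and_mac for p in BROKEN_PRIMITIVES)
            or "ANON" in key_exchange or "EXPORT" in key_exchange):
        return "weak"                      # null/broken cipher or MAC, anonymous or export key exchange
    if key_exchange != "TLS13" and not key_exchange.startswith(("ECDHE_", "DHE_")):
        return "legacy"                    # static RSA/DH key exchange: no forward secrecy
    if "_CBC_" in cipher_and_mac:
        return "legacy"                    # CBC with HMAC: prefer the AEAD (GCM/CCM/CHACHA20) suites
    return "strong"


def audit_cipher_list(value: str) -> Dict[str, List[str]]:
    """Group a comma-separated cipher list (the Tomcat 'ciphers' format) by verdict."""
    verdicts: Dict[str, List[str]] = {"strong": [], "legacy": [], "weak": []}
    for raw in value.split(","):
        suite = raw.strip()
        if suite:
            verdicts[classify_suite(suite)].append(suite)
    return verdicts


if __name__ == "__main__":
    # constructed list mixing the guide's recommended suite with ones to avoid
    sample = ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
              "TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_NULL_SHA")
    for verdict, suites in audit_cipher_list(sample).items():
        print(f"{verdict:7s} {suites}")
```

The NULL case is the one the WebLogic step disables separately with -Dweblogic.security.disableNullCipher=true: a NULL suite authenticates but does not encrypt, so it is classified as weak regardless of its key exchange.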

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, that is, directoryBrowsingEnabled is set to false.

For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:

        <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
          <session-descriptor>
            <cookie-name>JSESSIONID</cookie-name>
            <cookie-domain><domain></cookie-domain>
            <cookie-path><context></cookie-path>
            <cookie-http-only>true</cookie-http-only>
            <cookie-secure>true</cookie-secure>
          </session-descriptor>
        </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:

        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

        -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

        <ssl>
          <name><servername></name>
          <enabled>true</enabled>
          <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
        </ssl>

      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

     <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

   Section I:

     <Context path="/examples" docBase="examples" debug="0"
              reloadable="true" crossContext="true">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="localhost_examples_log." suffix=".txt"
               timestamp="true"/>
       <Ejb name="ejb/EmplRecord" type="Entity"
            home="com.wombat.empl.EmployeeRecordHome"
            remote="com.wombat.empl.EmployeeRecord"/>

   Section II:

       <Environment name="maxExemptions" type="java.lang.Integer"
                    value="15"/>
       <Parameter name="context.param.name" value="context.param.value"
                  override="false"/>
       <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                 type="javax.sql.DataSource"/>
       <ResourceParams name="jdbc/EmployeeAppDb">
         <parameter><name>user</name><value>sa</value></parameter>
         <parameter><name>password</name><value></value></parameter>
         <parameter><name>driverClassName</name>
           <value>org.hsql.jdbcDriver</value></parameter>
         <parameter><name>driverName</name>
           <value>jdbc:HypersonicSQL:database</value></parameter>
       </ResourceParams>
       <Resource name="mail/Session" auth="Container"
                 type="javax.mail.Session"/>
       <ResourceParams name="mail/Session">
         <parameter>
           <name>mail.smtp.host</name>
           <value>localhost</value>
         </parameter>
       </ResourceParams>
       <ResourceLink name="linkToGlobalResource"
                     global="simpleValue"
                     type="java.lang.Integer"/>
     </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

     <welcome-file>index.htm</welcome-file>
     <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

   Following are some examples:

     <user username="both" password="b$12" roles="tomcat,role1"/>
     <user username="tomcat" password="t$12" roles="tomcat"/>
     <user username="admin" password="a$12" roles="admin,manager"/>
     <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set the:

• "ServerTokens" parameter to "Prod"
• "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/Apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the following values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
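The following is an added example and is not part of the OFSAA guide or the Forms Framework code. It implements an extension allow-list check of the kind DOCUMENT_ALLOWED_EXTENSION drives, using the values listed above, and works through the inputs that such a check has to get right: a second extension appended after an allowed one, a name with no extension, a trail­ing dot, directory parts in the submitted name, and letter case. Treating the comparison as case-sensitive is an inference from both doc and Doc appearing in the list, not a statement of product behaviour; the file names are constructed.

```python
# Added example, not from the OFSAA guide: an extension allow-list check of the
# kind DOCUMENT_ALLOWED_EXTENSION drives, with the edge cases that matter
# (double extensions, no extension, trailing dot, directory parts, letter case).
# The list below copies the guide's values; treating the comparison as
# case-sensitive is an inference from 'doc' and 'Doc' both being listed.
import posixpath
from typing import Iterable

DOCUMENT_ALLOWED_EXTENSION = {"txt", "pdf", "doc", "Doc", "html", "htm", "xls", "zip",
                              "jar", "xml", "jpg", "bmp", "jpeg"}


def extension_of(filename: str) -> str:
    """The text after the LAST dot of the base name, or '' when there is none.
    Only the base name is inspected, so 'dir.txt/upload' has no extension and
    'report.pdf.exe' has extension 'exe'."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1]


def is_allowed_upload(filename: str, allowed: Iterable[str] = DOCUMENT_ALLOWED_EXTENSION,
                      case_sensitive: bool = True) -> bool:
    """Fail closed: anything without a recognisable, listed extension is rejected."""
    ext = extension_of(filename)
    if not ext:
        return False
    if case_sensitive:
        return ext in set(allowed)
    return ext.lower() in {a.lower() for a in allowed}


if __name__ == "__main__":
    # constructed file names
    for name in ("report.pdf", "memo.Doc", "report.PDF", "report.pdf.exe",
                 "README", "notes.txt.", "dir.txt/upload"):
        print(f"{name:16s} {'allowed' if is_allowed_upload(name) else 'blocked'}")
```

Two design choices carry the security value: the decision is made on the last extension of the base name only, so neither an earlier extension nor a directory component can satisfy the check, and a name that yields no extension is rejected rather than waved through.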

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

     RewriteEngine On
     RewriteCond %{REQUEST_METHOD} !^(GET|POST)
     RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>PATCH</http-method>
            <http-method>HEAD</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>CONNECT</http-method>
          </web-resource-collection>
          <auth-constraint/>
        </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently this check is for the following groups of keywords and key characters:

• JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars) such as " ' ( ) < > or similar characters, then the request is blocked, displaying an error message.

You can see the My Oracle Support document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

  PARAMNAME               PARAMVALUE   DESCRIPTION
  XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 DebugLogs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
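The following is an added example and is not part of the OFSAA guide or the Filter Servlet's code. It runs the combination rules of 7.4 and 7.5 (a JavaScript keyword together with a meta character, or an SQL word together with an SQL keyword) and the XSS_IS_CHECK_REQUIRED switch of 7.6.1 over constructed request parameters, reading the keyword groups from rows shaped like the CONFIGURATION table. The rows below are a constructed stand-in with a handful of the keywords the guide names as examples; the complete lists are in the My Oracle Support document cited above, and whole-word matching is this example's choice rather than documented filter behaviour.

```python
# Added example, not from the OFSAA guide: the combination rules of 7.4 and 7.5
# and the XSS_IS_CHECK_REQUIRED switch of 7.6.1, run over constructed request
# parameters. CONFIG_ROWS is a constructed stand-in for the CONFIGURATION table;
# the real keyword lists are in the My Oracle Support document cited above.
import re
from typing import Dict, List, Optional, Tuple

CONFIG_ROWS: List[Tuple[str, str]] = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "select"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "delete"), ("XSS_SQL_KEYWORDS4", "drop"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]


def load_group(rows: List[Tuple[str, str]], prefix: str) -> List[str]:
    """PARAMVALUEs of every 'prefix<N>' row, ordered by N."""
    pattern = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    found = []
    for name, value in rows:
        match = pattern.match(name)
        if match:
            found.append((int(match.group(1)), value))
    return [value for _, value in sorted(found)]


def first_word_match(text: str, words: List[str]) -> Optional[str]:
    """First keyword present as a whole word, case-insensitively."""
    lowered = text.lower()
    for word in words:
        if re.search(rf"(?<![a-z0-9_]){re.escape(word.lower())}(?![a-z0-9_])", lowered):
            return word
    return None


def check_request(params: Dict[str, str], rows: List[Tuple[str, str]] = CONFIG_ROWS) -> Optional[str]:
    """Reason for blocking the request, or None when it passes. A value is
    blocked when it combines a JS keyword with a JS meta character, or an
    SQL word with an SQL keyword."""
    if dict(rows).get("XSS_IS_CHECK_REQUIRED", "TRUE").upper() != "TRUE":
        return None
    js_keywords = load_group(rows, "XSS_JS_KEYWORDS")
    js_metachars = load_group(rows, "XSS_JS_METACHARS")
    sql_keywords = load_group(rows, "XSS_SQL_KEYWORDS")
    sql_words = load_group(rows, "XSS_SQL_WORDS")
    for pname, value in params.items():
        keyword = first_word_match(value, js_keywords)
        metachar = next((c for c in js_metachars if c in value), None)
        if keyword and metachar:
            return f"XSS check: {pname} combines keyword {keyword!r} with meta char {metachar!r}"
        sql_keyword = first_word_match(value, sql_keywords)
        sql_word = first_word_match(value, sql_words)
        if sql_keyword and sql_word:
            return f"SQL injection check: {pname} combines {sql_keyword!r} with {sql_word!r}"
    return None


if __name__ == "__main__":
    # constructed request parameter sets
    for sample in ({"name": "alice smith"}, {"note": "alert('hi')"},
                   {"q": "select name from accounts"},
                   {"note": "Please return the form (signed)"}):
        print(sample, "->", check_request(sample) or "passes")
```

The last sample is the case the exclusion mechanism in 7.6.2 exists for: an ordinary sentence that happens to pair the keyword "return" with a parenthesis is blocked by the same rule, so keyword lists tuned too broadly show up as blocked legitimate input in CSSLogger.log rather than as missed attacks.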


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords / Key Characters
      • 7.6.3 Debug Logs

SECURE CONFIGURATIONS

SECURITY CONFIGURATIONS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 9

• Public Key Authentication - Configure Public Key Authentication on UNIX. For more information, see the Setting Up Public Key Authentication on Client Server section in the OFSAAI Administration Guide.

• Data Security and Data Privacy - Configure to protect data against unauthorized access and data theft. For more information, see the Data Security and Data Privacy section in the OFSAAI Administration Guide.

• Input and Output Encoding - The product is enabled with input validation and output encoding to protect from various types of security attacks.

• Password rotation every 30 days - For more information, see the Changing Password section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC.

• Additional Cross-Origin Resource Sharing (CORS) - Configure CORS. For more information, see the Knowing Additional Cross-Origin Resource Sharing (CORS) section in the OFSAAI Administration Guide.

• System Configuration and Identity Management - Configure the following parameters from the information in the System Configuration and Identity Management section in the relevant version of the OFS Analytical Applications Infrastructure User Guides on the OHC:

  • Set session timeout
  • Enable CSRF
  • Set frequency of password change
  • Configure password restriction details
  • Configure password history
  • Configure security questions for password reset
  • Configure the activation period by setting Dormant Days, Inactive Days, and Working Hours


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

• Configuration for X-Frame-Options
• Configuration to set Content Security Policy
• Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external agencies creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.

   The web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF is configured by default to set the X-Frame-Options response header. Add ALLOW-FROM for X-FRAME-OPTIONS to limit domains.

   X-Frame-Options:

       <filter>
         <filter-name>FilterServlet</filter-name>
         <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
         <init-param>
           <param-name>mode</param-name>
           <param-value>ALLOW-FROM <URL1> <URL2></param-value>
         </init-param>
       </filter>

   NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs.

   X-Frame-Options is supported only on the Internet Explorer browser.

   Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.


3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

       <context-param>
         <param-name>default-src</param-name>
         <param-value>default-src 'self'</param-value>
       </context-param>
       <context-param>
         <param-name>script-src</param-name>
         <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
       </context-param>
       <context-param>
         <param-name>img-src</param-name>
         <param-value>img-src 'self' data:</param-value>
       </context-param>
       <context-param>
         <param-name>style-src</param-name>
         <param-value>style-src 'self' 'unsafe-inline'</param-value>
       </context-param>

   WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

   If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:

       <context-param>
         <param-name>default-src</param-name>
         <param-value>default-src 'self'</param-value>
       </context-param>
       <context-param>
         <param-name>script-src</param-name>
         <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
       </context-param>
       <context-param>
         <param-name>img-src</param-name>
         <param-value>img-src <IMGURL> 'self' data:</param-value>
       </context-param>
       <context-param>
         <param-name>style-src</param-name>
         <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
       </context-param>

   In the previous example, you have to define the policy by replacing:

   • default-src - with no value. This value sets it to 'self'.
   • <SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.
   • <IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.
   • <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.
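The context-params above only take effect if web.xml stays well-formed and each directive appears once with its keywords quoted. The following added example (not OFSAAI code) audits constructed web.xml fragments for exactly those conditions and assembles the header the filter would send; joining the four values with '; ' and the treatment of an unreplaced placeholder are assumptions of this example.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")
# Source-list keywords are only keywords when quoted; a bare self is a host name.
KEYWORDS = ("self", "unsafe-inline", "unsafe-eval", "none")
WEAKENING = ("'unsafe-inline'", "'unsafe-eval'")


def _local(tag: str) -> str:
    """Element name without the xmlns that web.xml normally declares."""
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml: str) -> dict[str, list[str]]:
    """<context-param> entries as name -> [values]; a list so that duplicate
    names, which the guide's WARNING says to remove, stay visible."""
    params: dict[str, list[str]] = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "param-name" in fields:
            params.setdefault(fields["param-name"], []).append(fields.get("param-value", ""))
    return params


def audit_csp(web_xml: str) -> dict[str, list[str]]:
    """Errors (the file will not do what section 3.2 intends) and warnings
    (valid but permissive policy) for the four CSP context-params."""
    errors: list[str] = []
    warnings: list[str] = []
    try:
        params = context_params(web_xml)
    except ET.ParseError as exc:
        return {"errors": [f"web.xml is not well-formed XML ({exc}); an unreplaced "
                           "placeholder such as <SCRURL> produces exactly this"],
                "warnings": []}
    for directive in CSP_DIRECTIVES:
        values = params.get(directive, [])
        if not values:
            errors.append(f"{directive}: context-param missing")
            continue
        if len(values) > 1:
            errors.append(f"{directive}: {len(values)} duplicate context-params")
        tokens = values[0].split()
        if not tokens or tokens[0] != directive:
            errors.append(f"{directive}: param-value must start with '{directive}'")
        for tok in tokens[1:]:
            if tok in KEYWORDS:
                errors.append(f"{directive}: {tok} must be quoted as '{tok}' to be a keyword")
            elif tok in WEAKENING:
                warnings.append(f"{directive}: {tok} allowed, which weakens XSS protection")
    return {"errors": errors, "warnings": warnings}


def build_csp_header(params: dict[str, list[str]]) -> str:
    """Assumed assembly of the response header: the four param-values joined
    with '; ' in the guide's order."""
    return "; ".join(params[d][0] for d in CSP_DIRECTIVES if d in params)


# Constructed web.xml fragments: the guide's default policy, a broken edit,
# and the custom template with a placeholder left unreplaced.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param><param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value></context-param>
  <context-param><param-name>script-src</param-name>
    <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value></context-param>
  <context-param><param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value></context-param>
  <context-param><param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value></context-param>
</web-app>"""
BROKEN_WEB_XML = """<web-app>
  <context-param><param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value></context-param>
  <context-param><param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value></context-param>
  <context-param><param-name>script-src</param-name>
    <param-value>script-src self https://cdn.example.com/</param-value></context-param>
  <context-param><param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value></context-param>
</web-app>"""
PLACEHOLDER_WEB_XML = """<web-app>
  <context-param><param-name>script-src</param-name>
    <param-value>script-src <SCRURL> 'self'</param-value></context-param>
</web-app>"""
```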

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

       <filter>
         <filter-name>FilterServlet</filter-name>
         <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
         <init-param>
           <param-name>AllowHosts</param-name>
           <param-value> <URL1> <URL2> </param-value>
         </init-param>
       </filter>

   NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
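The ALLOW-FROM list of section 3.1 and the AllowHosts list above follow the same formatting rules. The following added example (not the FilterServlet's code, which is not published here) validates such a list and compares a Referer against it by origin rather than by string prefix; the header-selection model in x_frame_options_value is an assumption of this example.

```python
from __future__ import annotations
from urllib.parse import urlparse


def url_list_problems(value: str) -> list[str]:
    """Check a <param-value> URL list against the two rules the guide states:
    URLs separated by exactly one space, each ending in a forward slash.
    Returns the problems found; an empty list means the value is usable."""
    problems: list[str] = []
    value = value.strip()
    if not value:
        return ["no URLs configured"]
    if "  " in value:
        problems.append("two or more spaces between URLs")
    for url in value.split():
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"not an absolute http(s) URL: {url}")
        elif url.count("://") > 1:
            # Two URLs with no space between them parse as one URL whose path
            # happens to end in '/', so the slash rule alone would not catch it.
            problems.append(f"URLs run together without a space: {url}")
        elif not url.endswith("/"):
            problems.append(f"URL does not end with a forward slash: {url}")
    return problems


def parse_url_list(value: str) -> list[str]:
    """The validated list, or a ValueError carrying every problem found."""
    problems = url_list_problems(value)
    if problems:
        raise ValueError("; ".join(problems))
    return value.split()


def origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, port) with default ports filled in, so that two URLs
    naming the same origin compare equal whatever path they carry."""
    p = urlparse(url)
    port = p.port if p.port is not None else (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def referer_allowed(referer: str | None, allow_hosts: list[str]) -> bool:
    """AllowHosts check (section 3.3): accept a request only when its Referer
    names one of the configured origins.  Comparing origins is this example's
    choice; it is what keeps https://app.example.com.evil.net/ from matching
    https://app.example.com/ the way a prefix comparison would."""
    if not referer:
        return False
    try:
        return origin(referer) in {origin(h) for h in allow_hosts}
    except ValueError:  # malformed port in the Referer
        return False


def x_frame_options_value(mode: str | None, referer: str | None) -> str:
    """Header value for one response (assumed model of the 'mode' init-param):
    SAMEORIGIN when ALLOW-FROM is not configured, the matching configured URL
    when the framing page's Referer is in the list, SAMEORIGIN otherwise."""
    if not mode or not mode.upper().startswith("ALLOW-FROM "):
        return "SAMEORIGIN"
    allowed = parse_url_list(mode[len("ALLOW-FROM "):])
    if referer:
        try:
            ref = origin(referer)
            for url in allowed:
                if origin(url) == ref:
                    return f"ALLOW-FROM {url}"
        except ValueError:
            pass
    return "SAMEORIGIN"
```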


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details:

• Enabling HTTPS Configuration for OFSAA
• Security Configuration for Tomcat
• Security Configuration for WebSphere
• Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:

• To enable HTTPS post installation
• To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

   TIP: Multiple cipher suites have to be comma-separated.

   For example:

       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

   https://www.owasp.org/index.php/Securing_tomcat
   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

       sessionCookiePath="<context>"
       sessionCookieDomain="<domain>"

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

   a. In the $CATALINA_HOME/conf/context.xml file, add the 'useHttpOnly="true"' attribute to the 'Context' tag.

   b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

          <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
          </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

       <init-param>
         <param-name>listings</param-name>
         <param-value>false</param-value>
       </init-param>

6. Post configuration, restart the Tomcat service.
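The following added example, not part of the guide, audits constructed server.xml, context.xml and conf/web.xml fragments for the settings in steps 1 to 5 before the restart in step 6. It assumes the JSSE attribute value sslProtocol="TLSv1.2" for what the guide calls TLS 1.2, and its weak-cipher markers are a heuristic rather than the OWASP list.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Heuristic markers for suites no TLS 1.2 hardening guidance recommends.
WEAK_MARKERS = ("_RC4_", "_DES_", "_3DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")


def _local(tag: str) -> str:
    """Element name without an xmlns prefix (conf/web.xml carries one)."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(server_xml: str) -> list[str]:
    """Steps 1, 2, 3 and 4b: TLS connector protocol, cipher list, secure
    flag, and the session cookie path/domain on the Context."""
    findings: list[str] = []
    root = ET.fromstring(server_xml)
    tls = [c for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]
    if not tls:
        findings.append('server.xml: no Connector has SSLEnabled="true"')
    for c in tls:
        port = c.get("port", "?")
        if c.get("sslProtocol") != "TLSv1.2":
            findings.append(f"Connector {port}: sslProtocol={c.get('sslProtocol')!r}, expected 'TLSv1.2'")
        if c.get("secure", "").lower() != "true":
            findings.append(f'Connector {port}: secure="true" is missing')
        suites = [s.strip() for s in c.get("ciphers", "").split(",") if s.strip()]
        if not suites:
            findings.append(f"Connector {port}: no ciphers attribute, JVM defaults apply")
        findings += [f"Connector {port}: weak cipher suite {s}" for s in suites
                     if any(m in s for m in WEAK_MARKERS)]
    for ctx in root.iter("Context"):
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append(f"Context {ctx.get('path', '')!r}: {attr} not set")
    return findings


def audit_context_xml(context_xml: str) -> list[str]:
    """Step 4a: the Context in conf/context.xml must carry useHttpOnly="true"."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context" or root.get("useHttpOnly", "").lower() != "true":
        return ['context.xml: Context lacks useHttpOnly="true"']
    return []


def audit_web_xml(web_xml: str) -> list[str]:
    """Steps 4c and 5: cookie-config flags and the default servlet's listings."""
    findings: list[str] = []
    root = ET.fromstring(web_xml)
    cookie: dict[str, str] = {}
    for cc in (e for e in root.iter() if _local(e.tag) == "cookie-config"):
        cookie.update({_local(c.tag): (c.text or "").strip().lower() for c in cc})
    for flag in ("http-only", "secure"):
        if cookie.get(flag) != "true":
            findings.append(f"web.xml: session-config/cookie-config/{flag} is not true")
    listings = None
    for sv in (e for e in root.iter() if _local(e.tag) == "servlet"):
        names = [(c.text or "").strip() for c in sv if _local(c.tag) == "servlet-name"]
        if names != ["default"]:
            continue
        for ip in (c for c in sv if _local(c.tag) == "init-param"):
            f = {_local(c.tag): (c.text or "").strip() for c in ip}
            if f.get("param-name") == "listings":
                listings = f.get("param-value", "").lower()
    if listings != "false":
        findings.append("web.xml: default servlet 'listings' is not false")
    return findings


# Constructed fragments: a hardened set and a stock-like server.xml.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
     SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLSv1.2"
     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost">
    <Context path="/OFSAAI" docBase="OFSAAI" sessionCookiePath="/OFSAAI"
             sessionCookieDomain="app.example.com"/>
  </Host></Engine></Service></Server>"""
STOCK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" sslProtocol="TLS"
     ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_SHA"/>
  <Engine name="Catalina" defaultHost="localhost"><Host name="localhost">
    <Context path="/OFSAAI" docBase="OFSAAI"/>
  </Host></Engine></Service></Server>"""
HARDENED_CONTEXT_XML = '<Context useHttpOnly="true"><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>'
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <session-config><session-timeout>30</session-timeout>
    <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
  </session-config></web-app>"""
```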

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in the Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In the Session Management Configuration, restrict cookies to HTTPS sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu, select Server > Server Types > WebSphere application servers.

2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.

5. Enter the following details:

   • Cookie Name - JSESSIONID
   • Cookie Domain - <domain>
   • Cookie Path - <context>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   • Restrict Cookies to HTTPS Sessions
   • Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.

4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://<host>:<adminport>/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.

4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.

3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and resave the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

          <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
            <session-descriptor>
              <cookie-name>JSESSIONID</cookie-name>
              <cookie-domain><domain></cookie-domain>
              <cookie-path><context></cookie-path>
              <cookie-http-only>true</cookie-http-only>
              <cookie-secure>true</cookie-secure>
            </session-descriptor>
          </weblogic-web-app>

   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

          <session-descriptor>
            <cookie-name>JSESSIONID</cookie-name>
            <cookie-domain><domain></cookie-domain>
            <cookie-path><context></cookie-path>
            <cookie-http-only>true</cookie-http-only>
            <cookie-secure>true</cookie-secure>
          </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh present under domains/<DomainName>/bin as arguments for JAVA_OPTIONS:

          -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

          <ssl>
            <name><servername></name>
            <enabled>true</enabled>
            <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
          </ssl>

      For more information, see:
      https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see:
      https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

       <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.

10. Restart the services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP meth­ods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat.

   Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment the following two sections from CATALINA_HOME/conf/server.xml (if available):

   Section I:

       <Context path="/examples" docBase="examples" debug="0"
                reloadable="true" crossContext="true">
         <Logger className="org.apache.catalina.logger.FileLogger"
                 prefix="localhost_examples_log." suffix=".txt"
                 timestamp="true"/>
         <Ejb name="ejb/EmplRecord" type="Entity"
              home="com.wombat.empl.EmployeeRecordHome"
              remote="com.wombat.empl.EmployeeRecord"/>

   Section II:

         <Environment name="maxExemptions" type="java.lang.Integer"
                      value="15"/>
         <Parameter name="context.param.name" value="context.param.value"
                    override="false"/>
         <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                   type="javax.sql.DataSource"/>
         <ResourceParams name="jdbc/EmployeeAppDb">
           <parameter><name>user</name><value>sa</value></parameter>
           <parameter><name>password</name><value></value></parameter>
           <parameter><name>driverClassName</name>
             <value>org.hsql.jdbcDriver</value></parameter>
           <parameter><name>driverName</name>
             <value>jdbc:HypersonicSQL:database</value></parameter>
         </ResourceParams>
         <Resource name="mail/Session" auth="Container"
                   type="javax.mail.Session"/>
         <ResourceParams name="mail/Session">
           <parameter>
             <name>mail.smtp.host</name>
             <value>localhost</value>
           </parameter>
         </ResourceParams>
         <ResourceLink name="linkToGlobalResource"
                       global="simpleValue"
                       type="java.lang.Integer"/>
       </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:

       <welcome-file>index.html</welcome-file>
       <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

   Following are some examples:

       <user username="both" password="b$12" roles="tomcat,role1"/>
       <user username="tomcat" password="t$12" roles="tomcat"/>
       <user username="admin" password="a$12" roles="admin,manager"/>
       <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.

Modify the httpd.conf file and set:

• the "ServerTokens" parameter to "Prod"
• the "ServerSignature" parameter to "Off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs and APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg
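The following added example (not OFSAAI code) models the DOCUMENT_ALLOWED_EXTENSION check as an upload gate. It assumes the PARAMVALUE is stored comma-separated, that only the final extension is compared, and, since doc and Doc are listed separately, that the comparison is case-sensitive.

```python
from __future__ import annotations
import posixpath

# Constructed: the CONFIGURATION row as the guide lists it for this release,
# assumed to be stored as a comma-separated PARAMVALUE.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def allowed_extensions(param_value: str) -> frozenset[str]:
    """Parse the parameter; a leading dot or stray spaces in an entry are
    tolerated so a hand-edited row still works."""
    return frozenset(e.strip().lstrip(".") for e in param_value.split(",") if e.strip())


def upload_allowed(filename: str, allowed: frozenset[str]) -> tuple[bool, str]:
    """Decide one attachment by its final extension only, which is what the
    parameter controls.  Returns (allowed, reason).  The name is reduced to a
    base name first so a path-like name cannot carry directory components,
    and a trailing dot or space is rejected because Windows drops it, which
    would change the effective extension after the check."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return False, "empty, directory-like or NUL-containing name"
    if base != base.rstrip(". "):
        return False, "trailing dot or space in name"
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "no extension (or a dotfile)"
    if ext not in allowed:  # case-sensitive: the guide lists doc and Doc separately
        return False, f"extension '{ext}' not in DOCUMENT_ALLOWED_EXTENSION"
    return True, f"extension '{ext}' allowed"
```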

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST.

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server / Oracle HTTP Server / IBM HTTP Server):

       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
       RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>restricted methods</web-resource-name>
              <url-pattern>/*</url-pattern>
              <http-method>PUT</http-method>
              <http-method>PATCH</http-method>
              <http-method>HEAD</http-method>
              <http-method>DELETE</http-method>
              <http-method>OPTIONS</http-method>
              <http-method>TRACE</http-method>
              <http-method>CONNECT</http-method>
            </web-resource-collection>
            <auth-constraint/>
          </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
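The two mechanisms above do not reject the same set of methods: the httpd rule rejects everything except GET and POST, while the web.xml constraint denies only the methods it lists. The following added example (not from the guide) models both over a constructed copy of the snippet and reports the methods one mechanism covers and the other does not; it assumes the url-pattern /* and standard servlet-container evaluation of an empty auth-constraint.

```python
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# RewriteCond %{REQUEST_METHOD} !^(GET|POST)$  ->  RewriteRule .* - [R=405,L]
REWRITE_COND = re.compile(r"^(GET|POST)$")


def rewrite_allows(method: str) -> bool:
    """True when the httpd rule lets the request through (case-sensitive,
    like the regular expression in httpd.conf)."""
    return REWRITE_COND.match(method) is not None


def _local(tag: str) -> str:
    """Element name without the Java EE namespace prefix."""
    return tag.rsplit("}", 1)[-1]


def denied_methods(web_xml: str) -> set[str]:
    """Methods a <security-constraint> denies outright: those listed under
    <http-method> when its <auth-constraint/> names no role.  A constraint
    without an auth-constraint leaves access open, and one naming roles is
    a login check rather than a denial, so both are skipped."""
    denied: set[str] = set()
    for sc in (e for e in ET.fromstring(web_xml).iter() if _local(e.tag) == "security-constraint"):
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth or any(_local(r.tag) == "role-name" for r in auth[0]):
            continue
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            denied |= {(hm.text or "").strip().upper() for hm in wrc if _local(hm.tag) == "http-method"}
    return denied


def constraint_allows(method: str, web_xml: str) -> bool:
    return method.upper() not in denied_methods(web_xml)


def coverage_gap(methods: list[str], web_xml: str) -> list[str]:
    """Methods the httpd rule rejects but the web.xml constraint does not:
    the <http-method> list is explicit, so anything it omits is not denied
    by that constraint."""
    return sorted(m for m in methods if not rewrite_allows(m) and constraint_allows(m, web_xml))


# Constructed copy of the guide's web.xml snippet, with url-pattern /* .
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
```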

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity, and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is expected
• Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently, this check is for the following groups of keywords and key characters:

• JavascriptKeyWords - paramname in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - paramname in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - paramname in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - paramname in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

    PARAMNAME              PARAMVALUE   DESCRIPTION
    XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
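The following added example (not the FilterServlet's code) implements the combination rule of sections 7.4 and 7.5 over a constructed CONFIGURATION table that holds only the keywords the guide quotes, honours XSS_IS_CHECK_REQUIRED from 7.6.1, and formats a CSSLogger.log style record with the fields 7.6.3 names. Whole-word case-insensitive matching and applying the switch to the SQL check as well are assumptions of this example.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed CONFIGURATION rows (PARAMNAME -> PARAMVALUE) holding only the
# keywords the guide quotes as examples; the shipped table is longer.
CONFIGURATION: dict[str, str] = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'", "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")", "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select", "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
}


def group(prefix: str, config: dict[str, str]) -> list[str]:
    """PARAMVALUEs whose PARAMNAME is <prefix><n>, in numeric order, which is
    how the guide's numbered rows form one keyword group."""
    rows = []
    for name, value in config.items():
        m = re.fullmatch(re.escape(prefix) + r"(\d+)", name)
        if m:
            rows.append((int(m.group(1)), value))
    return [value for _, value in sorted(rows)]


def has_word(text: str, word: str) -> bool:
    """Case-insensitive whole-word match (assumption; keeps 'description'
    from counting as the keyword 'script')."""
    return re.search(rf"(?<![A-Za-z]){re.escape(word)}(?![A-Za-z])", text, re.IGNORECASE) is not None


def inspect_request(params: dict[str, str], config: dict[str, str] = CONFIGURATION) -> str | None:
    """Block reason for a request, or None when it passes.  Per 7.4 and 7.5 a
    value is blocked only when it combines a JavascriptKeyWord with a
    JavascriptKeyChar, or an SQLKeyWord with an SQLWord; one half alone
    passes.  The XSS_IS_CHECK_REQUIRED switch (7.6.1) gates both checks here."""
    if config.get("XSS_IS_CHECK_REQUIRED", "TRUE").upper() != "TRUE":
        return None
    js_kw, js_mc = group("XSS_JS_KEYWORDS", config), group("XSS_JS_METACHARS", config)
    sql_kw, sql_w = group("XSS_SQL_KEYWORDS", config), group("XSS_SQL_WORDS", config)
    for name, value in params.items():
        kw = [k for k in js_kw if has_word(value, k)]
        mc = [c for c in js_mc if c in value]
        if kw and mc:
            return f"XSS: parameter {name} combines {kw} with {mc}"
        kw = [k for k in sql_kw if has_word(value, k)]
        words = [w for w in sql_w if has_word(value, w)]
        if kw and words:
            return f"SQL injection: parameter {name} combines {kw} with {words}"
    return None


def log_record(url: str, user: str, reason: str, when: datetime | None = None) -> str:
    """One CSSLogger.log line carrying the fields 7.6.3 names (date, time,
    URL, user); the layout is this example's, not the product's."""
    when = when or datetime.now()
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {url} {user} {reason}"
```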


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.


3 Secure Header Configuration

Secure header configurations protect you from website attacks such as XSS and Clickjacking. The following subsections describe the various methods that you can configure on your OFSAAI system to make it secure from such attacks:

• Configuration for X-Frame-Options
• Configuration to set Content Security Policy
• Configuration for Referrer Header Validation

3.1 Configuration for X-Frame-Options

Configuring X-Frame-Options protects against external parties creating attacks by embedding content similar to your content to steal user data. Perform the following steps to configure X-Frame-Options:

1. Set the following Security filters configuration for the response header.

web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF, is by default configured to set the X-Frame-Options header for the response. Add ALLOW-FROM for X-FRAME-OPTIONS to limit the domains.

X-Frame-Options:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>mode</param-name>
    <param-value>ALLOW-FROM <URL1> <URL2></param-value>
  </init-param>
</filter>

NOTE: If ALLOW-FROM is not configured, then the SAMEORIGIN attribute is set in the response. <URL1> and <URL2> refer to the different domain URLs. X-Frame-Options is supported only on the Internet Explorer browser. Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).

2. Set the Access-Control-Allow-Origin header in the web.xml file. For more information, see the section Setting Access-Control-Allow-Origin header in the web.xml file in the OFS AAI Administration Guide Release 8.0.6.0.0.

3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series. The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find whether the following tags exist. If the tags do not exist in the web.xml file, then add them to the file:

<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src 'self' 'unsafe-inline'</param-value>
</context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify it as required:

<context-param>
  <param-name>default-src</param-name>
  <param-value>default-src 'self'</param-value>
</context-param>
<context-param>
  <param-name>script-src</param-name>
  <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>
<context-param>
  <param-name>img-src</param-name>
  <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>
<context-param>
  <param-name>style-src</param-name>
  <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>

In the previous example, you have to define the policy by replacing:

• default-src - with no value. This value sets it to 'self'.
• <SCRURL> - with the URL of the script that you want to allow to run, which prevents any other script from running.
• <IMGURL> - with the image URLs of the trusted sources from which you want to load images, preventing images from untrusted sources.
• <CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs. Perform the following steps to configure referrer header validation:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

<filter>
  <filter-name>FilterServlet</filter-name>
  <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
  <init-param>
    <param-name>AllowHosts</param-name>
    <param-value><URL1> <URL2></param-value>
  </init-param>
</filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that <URL> ends with a forward slash (/).
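The separator and trailing-slash rules from the notes in 3.1 and 3.3, together with the assembly of the CSP directives from 3.2, as an added Python example that is not part of this guide or of the OFSAAI product. The web.xml fragment and the example.com URLs are constructed, and joining the four context-params with '; ' is an assumption, since the guide does not show the header the filter emits.

```python
"""Check the FilterServlet and CSP settings of sections 3.1 to 3.3 (added example).

Rules applied: ALLOW-FROM and AllowHosts URL lists use exactly one space between
URLs and every URL ends with '/'; the four CSP context-params are joined into one
header value with '; ' (an assumption, the guide does not show the emitted header).
"""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment; the example.com URLs are placeholders.
# The AllowHosts value deliberately breaks both rules from the NOTE.
WEB_XML = """<web-app>
  <context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
  </context-param>
  <context-param>
    <param-name>script-src</param-name>
    <param-value>script-src https://scripts.example.com/ 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
  </context-param>
  <context-param>
    <param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value>
  </context-param>
  <context-param>
    <param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value>
  </context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>ALLOW-FROM https://portal.example.com/ https://intranet.example.com/</param-value>
    </init-param>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value>https://portal.example.com/  https://intranet.example.com</param-value>
    </init-param>
  </filter>
</web-app>
"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")


def filter_init_params(root):
    """Return {param-name: param-value} of the FilterServlet <filter> element."""
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") == "FilterServlet":
            return {p.findtext("param-name"): (p.findtext("param-value") or "")
                    for p in flt.iter("init-param")}
    return {}


def check_url_list(value):
    """Apply the NOTE: one space between URLs, each URL ending in '/'. Returns problems."""
    value = value.strip()
    problems = []
    if re.search(r" {2,}", value):
        problems.append("two or more spaces between URLs")
    for url in value.split():
        if not url.endswith("/"):
            problems.append(f"{url} does not end with a forward slash")
    return problems


def x_frame_options_header(params):
    """ALLOW-FROM list when configured, otherwise the guide's SAMEORIGIN default."""
    mode = params.get("mode", "").strip()
    return mode if mode.upper().startswith("ALLOW-FROM") else "SAMEORIGIN"


def csp_header(root):
    """Join the per-directive context-params into one Content-Security-Policy value."""
    values = {cp.findtext("param-name"): (cp.findtext("param-value") or "").strip()
              for cp in root.iter("context-param")}
    return "; ".join(values[d] for d in CSP_DIRECTIVES if d in values)


def audit(web_xml=WEB_XML):
    """Run all three checks over a web.xml document and return the findings."""
    root = ET.fromstring(web_xml)
    params = filter_init_params(root)
    allow_from = params.get("mode", "").strip()
    if allow_from.upper().startswith("ALLOW-FROM"):
        allow_from = allow_from[len("ALLOW-FROM"):]
    return {
        "x_frame_options": x_frame_options_header(params),
        "allow_from_problems": check_url_list(allow_from),
        "allow_hosts_problems": check_url_list(params.get("AllowHosts", "")),
        "csp": csp_header(root),
    }


if __name__ == "__main__":
    for key, finding in audit().items():
        print(f"{key}: {finding}")
```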

4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server-specific administration guide for additional details.

• Enabling HTTPS Configuration for OFSAA
• Security Configuration for Tomcat
• Security Configuration for WebSphere
• Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC:

• To enable HTTPS post installation
• To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

TIP: Multiple cipher suites have to be comma-separated.

For example:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

https://www.owasp.org/index.php/Securing_tomcat
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

sessionCookiePath="<context>"
sessionCookieDomain="<domain>"

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure Secure and HttpOnly using the following procedure:

a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.

b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

<cookie-config>
  <http-only>true</http-only>
  <secure>true</secure>
</cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

<init-param>
  <param-name>listings</param-name>
  <param-value>false</param-value>
</init-param>

6. Post configuration, restart the Tomcat service.
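A check of the resulting session cookie against the rules of steps 3 and 4 and the NOTE above (the same Secure, HttpOnly, path and domain requirements recur in the WebSphere and WebLogic sections), as an added Python example that is neither the guide's nor the product's code. The host app.mysite.com is the guide's own example; the /OFSAAI context and the Set-Cookie lines are constructed.

```python
"""Audit Set-Cookie headers against the session-cookie rules of section 4 (added example).

A JSESSIONID cookie is flagged when it lacks Secure or HttpOnly, when its Path is
not the OFSAAI context, or when its Domain is a parent domain (mysite.com) rather
than the host the application is served from (app.mysite.com), as the NOTE requires.
"""
from dataclasses import dataclass, field

# Constructed sample: the host the application is accessed through, its context
# (assumed name), and three Set-Cookie lines as a server might return them.
APP_HOST = "app.mysite.com"
APP_CONTEXT = "/OFSAAI"
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=abc123; Path=/OFSAAI; Domain=app.mysite.com; Secure; HttpOnly",
    "Set-Cookie: JSESSIONID=def456; Path=/; Domain=mysite.com; HttpOnly",
    "Set-Cookie: JSESSIONID=ghi789; Path=/OFSAAI; Domain=app.mysite.com",
]


@dataclass
class CookieCheck:
    name: str
    attrs: dict = field(default_factory=dict)   # key=value attributes, lower-cased keys
    flags: set = field(default_factory=set)     # bare attributes such as Secure, HttpOnly
    problems: list = field(default_factory=list)


def parse_set_cookie(header):
    """Split one Set-Cookie line into the cookie name, its attributes and its flags."""
    _, _, value = header.partition(":")
    parts = [p.strip() for p in value.split(";") if p.strip()]
    check = CookieCheck(name=parts[0].split("=", 1)[0])
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            check.attrs[key.lower()] = val
        else:
            check.flags.add(part.lower())
    return check


def audit_cookie(header, host=APP_HOST, context=APP_CONTEXT):
    """Return a CookieCheck whose problems list is empty when the cookie is acceptable."""
    check = parse_set_cookie(header)
    if check.name != "JSESSIONID":
        return check  # only the session cookie is in scope
    if "secure" not in check.flags:
        check.problems.append("missing Secure (secure=true / cookie-secure)")
    if "httponly" not in check.flags:
        check.problems.append("missing HttpOnly (useHttpOnly / cookie-http-only)")
    domain = check.attrs.get("domain", "").lstrip(".").lower()
    if domain != host.lower():
        # A parent domain such as mysite.com would send the cookie to every host
        # under it; the guide requires the serving host, app.mysite.com.
        check.problems.append(f"Domain={domain or '<unset>'}, expected {host}")
    if check.attrs.get("path") != context:
        check.problems.append(f"Path={check.attrs.get('path', '<unset>')}, expected {context}")
    return check


def audit_all(headers=SAMPLE_HEADERS):
    """Map each header line to the list of problems found in it."""
    return {h: audit_cookie(h).problems for h in headers}


if __name__ == "__main__":
    for header, problems in audit_all().items():
        print(header)
        for problem in problems or ["ok"]:
            print("   ", problem)
```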

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions. Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and, in the LHS menu, select Server > Server Types > WebSphere application servers.

2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.

5. Enter the following details:

• Cookie Name - JSESSIONID
• Cookie domain - <domain>
• Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

• Restrict Cookies to HTTPS Sessions
• Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.

4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings, and then Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories. Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security in the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.

4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.

For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To make them secure, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.

3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure the session cookie as Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>

b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>

For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

<index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.

10. Restart the services.

5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat. Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections from CATALINA_HOME/conf/server.xml (if available):

Section I:

<Context path="/examples" docBase="examples" debug="0" reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger" prefix="localhost_examples_log." suffix=".txt" timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity" home="com.wombat.empl.EmployeeRecordHome" remote="com.wombat.empl.EmployeeRecord"/>

Section II:

  <Environment name="maxExemptions" type="java.lang.Integer" value="15"/>
  <Parameter name="context.param.name" value="context.param.value" override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET" type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name><value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name><value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource" global="simpleValue" type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses. Modify the httpd.conf file and set:

• the "ServerTokens" parameter to "Prod"
• the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server / Oracle HTTP Server / IBM HTTP Server):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.

6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity, and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.

7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

Filter Servlet is a controller in the web-container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently, this check is for the following groups of keywords/key characters, which are present in the Configuration table:

• JavascriptKeyWords - paramname in the configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - paramname in the configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - paramname in the configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - paramname in the configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), <, or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) in the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME              PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.
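The combination rules of 7.4 and 7.5, the XSS_IS_CHECK_REQUIRED switch of 7.6.1 and the renumbering exclusion of 7.6.2, as an added Python model that is not the Filter Servlet's own code. The configuration rows are constructed from the keywords the guide quotes, and reading a group from index 1 up to the number of rows it holds is an assumption made to reproduce the exclusion behaviour the guide describes, not something the guide states.

```python
"""Model of the Filter Servlet XSS and SQL injection checks (sections 7.3 to 7.6.2).

Added example, not the product's own code. It reads a constructed copy of the
CONFIGURATION rows the guide names, applies the combination rules of 7.4 and 7.5
and honours XSS_IS_CHECK_REQUIRED from 7.6.1. Assumption (not stated by the
guide): a group is read as <PREFIX>1 .. <PREFIX>N, N being the number of rows in
the group, so an entry renumbered above N, as in 7.6.2, is never evaluated.
"""
import re

# Constructed CONFIGURATION rows (PARAMNAME, PARAMVALUE); the keywords and
# metacharacters are the ones the guide quotes in 7.4 and 7.5.
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"),
    ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"),
    ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'),
    ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("),
    ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"),
    ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"),
    ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"),
    ("XSS_SQL_KEYWORDS4", "delete"),
    ("XSS_SQL_KEYWORDS5", "drop"),
    ("XSS_SQL_WORDS1", "from"),
    ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"),
    ("XSS_SQL_WORDS4", "table"),
]


def load_group(rows, prefix):
    """Values of prefix1..prefixN (N = rows in the group), skipping missing indices."""
    table = dict(rows)
    count = sum(1 for name in table if re.fullmatch(re.escape(prefix) + r"\d+", name))
    return [table[f"{prefix}{i}"].lower()
            for i in range(1, count + 1) if f"{prefix}{i}" in table]


def contains_word(text, word):
    """Case-insensitive whole-word match, so 'returned' does not match 'return'."""
    return re.search(rf"(?<![a-z0-9]){re.escape(word)}(?![a-z0-9])", text.lower()) is not None


def inspect_request(request_text, rows=CONFIG_ROWS):
    """Return the checks the request trips: 'xss', 'sql', both, or neither."""
    table = dict(rows)
    if table.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return []  # 7.6.1: no check when the entry is absent or FALSE
    tripped = []
    # 7.4: any JavascriptKeyWord together with any JavascriptKeyChar.
    if (any(contains_word(request_text, k) for k in load_group(rows, "XSS_JS_KEYWORDS"))
            and any(c in request_text for c in load_group(rows, "XSS_JS_METACHARS"))):
        tripped.append("xss")
    # 7.5: any SQLKeyWord together with any SQLWord.
    if (any(contains_word(request_text, k) for k in load_group(rows, "XSS_SQL_KEYWORDS"))
            and any(contains_word(request_text, w) for w in load_group(rows, "XSS_SQL_WORDS"))):
        tripped.append("sql")
    return tripped


def exclude_keyword(rows, param_name):
    """7.6.2: renumber one entry past the highest index of its group so it is skipped."""
    prefix = re.match(r"(.*?)(\d+)$", param_name).group(1)
    indices = [int(n[len(prefix):]) for n, _ in rows
               if n.startswith(prefix) and n[len(prefix):].isdigit()]
    renamed = f"{prefix}{max(indices) + 1}"
    return [(renamed if n == param_name else n, v) for n, v in rows]


if __name__ == "__main__":
    sample = "comment=return (status)"
    print(inspect_request(sample))
    print(inspect_request(sample, exclude_keyword(CONFIG_ROWS, "XSS_JS_KEYWORDS1")))
```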

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30


SECURE HEADER CONFIGURATION

CONFIGURATION TO SET CONTENT SECURITY POLICY

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 11

3.2 Configuration to set Content Security Policy

Content Security Policy (CSP) adds a layer of security to detect and avert website attacks such as Cross Site Scripting (XSS).

NOTE: This section is applicable for release 8.0.6.3.0 and higher versions in the 8.0.6.x series, and release 8.0.7.1.0 and higher versions in the 8.0.7.x series.

The configuration to set Content Security Policy is supported only on the Mozilla Firefox and Google Chrome browsers.

Perform the following steps to configure CSP:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Search and find if the following tags exist. If the tags do not exist in the web.xml file, then add them to the file. (CSP keywords such as 'self' must be single-quoted; without the quotes a browser reads them as host names.)

    <context-param>
        <param-name>default-src</param-name>
        <param-value>default-src 'self'</param-value>
    </context-param>
    <context-param>
        <param-name>script-src</param-name>
        <param-value>script-src 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
    </context-param>
    <context-param>
        <param-name>img-src</param-name>
        <param-value>img-src 'self' data:</param-value>
    </context-param>
    <context-param>
        <param-name>style-src</param-name>
        <param-value>style-src 'self' 'unsafe-inline'</param-value>
    </context-param>

WARNING: Validate the web.xml file and remove any existing duplicate tags to avoid configuration issues.

If you want to maintain the default configuration, retain the tags as shown in the preceding list. However, if you want to custom configure the tags, see the following example and modify as required:

    <context-param>
        <param-name>default-src</param-name>
        <param-value>default-src 'self'</param-value>
    </context-param>
    <context-param>
        <param-name>script-src</param-name>
        <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
    </context-param>
    <context-param>
        <param-name>img-src</param-name>
        <param-value>img-src <IMGURL> 'self' data:</param-value>
    </context-param>
    <context-param>
        <param-name>style-src</param-name>
        <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
    </context-param>

In the previous example, you have to define the policy by replacing:

    default-src - with no value. This value sets it to 'self'.

    <SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.

    <IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.

    <CSSURL> - with the URL of the stylesheet to allow styles from the specified stylesheet and to prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

    <filter>
        <filter-name>FilterServlet</filter-name>
        <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
        <init-param>
            <param-name>AllowHosts</param-name>
            <param-value> <URL1> <URL2> </param-value>
        </init-param>
    </filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
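The following script audits the two web.xml settings from sections 3.2 and 3.3 (quoted CSP keywords, and the AllowHosts spacing and trailing-slash rules from the NOTE) and models the referrer check that the AllowHosts list drives. It is an added example, not Oracle code; the web.xml is a constructed sample and how the real FilterServlet compares the Referer header is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample web.xml (not a real OFSAA file). It carries three of the mistakes the text
# above warns about: an unquoted CSP keyword, a double space between AllowHosts entries, and an
# entry without a trailing slash.
SAMPLE_WEB_XML = """<web-app>
  <context-param><param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value></context-param>
  <context-param><param-name>script-src</param-name>
    <param-value>script-src https://cdn.example.com/ 'self' unsafe-inline</param-value></context-param>
  <context-param><param-name>img-src</param-name>
    <param-value>img-src 'self' data:</param-value></context-param>
  <context-param><param-name>style-src</param-name>
    <param-value>style-src 'self' 'unsafe-inline'</param-value></context-param>
  <filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
      <param-name>AllowHosts</param-name>
      <param-value>https://ofsaa.example.com/  https://portal.example.com</param-value>
    </init-param>
  </filter>
</web-app>"""

CSP_DIRECTIVES = ("default-src", "script-src", "img-src", "style-src")
# CSP keywords are only recognised when single-quoted; a bare "self" is parsed as a host name.
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}


def context_params(root):
    """Map every <context-param> name to its (stripped) value."""
    return {cp.findtext("param-name"): (cp.findtext("param-value") or "").strip()
            for cp in root.iter("context-param")}


def check_csp(root):
    """Findings for the four directives the guide configures."""
    findings = []
    params = context_params(root)
    for directive in CSP_DIRECTIVES:
        value = params.get(directive)
        if value is None:
            findings.append(f"{directive}: context-param missing")
            continue
        tokens = value.split()
        if not tokens or tokens[0] != directive:
            findings.append(f"{directive}: param-value must start with the directive name")
            continue
        for tok in tokens[1:]:
            if tok in CSP_KEYWORDS:
                findings.append(f"{directive}: keyword {tok} must be quoted as '{tok}'")
    return findings


def allow_hosts_raw(root):
    """Raw AllowHosts value of the FilterServlet filter, or None when absent."""
    for flt in root.iter("filter"):
        if flt.findtext("filter-name") != "FilterServlet":
            continue
        for ip in flt.iter("init-param"):
            if ip.findtext("param-name") == "AllowHosts":
                return ip.findtext("param-value")
    return None


def check_allow_hosts(raw):
    """Apply the NOTE: entries separated by exactly one space, each ending in a slash."""
    if raw is None:
        return ["AllowHosts: init-param missing"]
    findings = []
    body = raw.strip()
    if "  " in body:
        findings.append("AllowHosts: two or more consecutive spaces between URLs")
    findings += [f"AllowHosts: {url} does not end with a forward slash"
                 for url in body.split() if not url.endswith("/")]
    return findings


def referer_allowed(referer, raw_allow_hosts):
    """Model of the referrer check (assumption, not the servlet's actual code): the request's
    Referer origin, scheme://host[:port]/, must equal one AllowHosts entry exactly. A missing
    or malformed Referer is rejected, the safe default for a CSRF control."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return False
    origin = f"{parts.scheme}://{parts.netloc}/"
    return origin in set((raw_allow_hosts or "").split())


def audit(web_xml_text):
    root = ET.fromstring(web_xml_text)
    return check_csp(root) + check_allow_hosts(allow_hosts_raw(root))
```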


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details:

Enabling HTTPS Configuration for OFSAA

Security Configuration for Tomcat

Security Configuration for WebSphere

Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.

To enable HTTPS post installation

To view configurations related to SSLv3 and TLS 1.2

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLSv1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

   TIP: Multiple cipher suites have to be comma-separated.

   For example:

       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

   For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

   https://www.owasp.org/index.php/Securing_tomcat

   https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the Context tag of the $CATALINA_HOME/conf/server.xml file:

       sessionCookiePath="<context>"
       sessionCookieDomain="<domain>"

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure for Secure and HttpOnly using the following procedure:

   a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the Context tag.

   b. Add the secure="true" attribute to the Connector tag section of the $CATALINA_HOME/conf/server.xml file.

   c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

          <cookie-config>
              <http-only>true</http-only>
              <secure>true</secure>
          </cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

       <init-param>
           <param-name>listings</param-name>
           <param-value>false</param-value>
       </init-param>

6. Post configuration, restart the Tomcat service.
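A check that the Tomcat settings from steps 1 to 5 are actually in place (sslProtocol, an explicit and strong cipher list, secure and HttpOnly cookies, the session cookie path and domain, and listings disabled). This is an added example, not Oracle or Apache code; the three files are constructed samples in which the Connector is only partly hardened, and the cipher-strength rule is an assumption in the spirit of the OWASP guidance linked above.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not real OFSAA or Tomcat files). The Connector is only partly hardened:
# sslProtocol is still "TLS" and one RC4 suite is left in the cipher list; conf/web.xml lacks
# <secure> and still allows listings.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA"/>
    <Engine name="Catalina">
      <Host name="localhost">
        <Context path="/OFSAAI" sessionCookiePath="/OFSAAI" sessionCookieDomain="app.mysite.com"/>
      </Host>
    </Engine>
  </Service>
</Server>"""
CONTEXT_XML = '<Context useHttpOnly="true"/>'
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
  <session-config>
    <cookie-config><http-only>true</http-only></cookie-config>
  </session-config>
</web-app>"""


def parse(xml_text):
    """Parse and drop XML namespaces so tag names compare plainly (conf/web.xml declares one)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root


def cipher_is_strong(suite):
    """Assumed rule: forward secrecy (ECDHE/DHE key exchange) plus an AEAD cipher (GCM or
    ChaCha20-Poly1305). Static RSA, RC4, 3DES, CBC and export suites are all reported."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_")) and ("_GCM_" in suite or "CHACHA20" in suite)


def check_server_xml(xml_text):
    findings = []
    root = parse(xml_text)
    connectors = [c for c in root.iter("Connector") if c.get("SSLEnabled") == "true"]
    if not connectors:
        findings.append("server.xml: no SSLEnabled Connector")
    for c in connectors:
        if c.get("sslProtocol") != "TLSv1.2":
            findings.append(f"server.xml: sslProtocol is {c.get('sslProtocol')!r}, expected 'TLSv1.2'")
        if c.get("secure") != "true":
            findings.append('server.xml: Connector lacks secure="true"')
        suites = [s.strip() for s in (c.get("ciphers") or "").split(",") if s.strip()]
        if not suites:
            findings.append("server.xml: Connector has no explicit ciphers list")
        findings += [f"server.xml: weak cipher suite {s}" for s in suites if not cipher_is_strong(s)]
    for ctx in root.iter("Context"):
        for attr in ("sessionCookiePath", "sessionCookieDomain"):
            if not ctx.get(attr):
                findings.append(f"server.xml: Context {ctx.get('path')} lacks {attr}")
    return findings


def check_context_xml(xml_text):
    root = parse(xml_text)
    return [] if root.get("useHttpOnly") == "true" else ['context.xml: Context lacks useHttpOnly="true"']


def check_web_xml(xml_text):
    findings = []
    root = parse(xml_text)
    cookie = root.find("session-config/cookie-config")
    for flag in ("http-only", "secure"):
        if cookie is None or cookie.findtext(flag) != "true":
            findings.append(f"web.xml: cookie-config/{flag} is not true")
    for ip in root.iter("init-param"):
        if ip.findtext("param-name") == "listings" and ip.findtext("param-value") != "false":
            findings.append("web.xml: directory listings are enabled")
    return findings


def audit_tomcat(server_xml, context_xml, web_xml):
    """All findings across the three files; an empty list means steps 1 to 5 are in place."""
    return check_server_xml(server_xml) + check_context_xml(context_xml) + check_web_xml(web_xml)
```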

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

   Cookie Name - JSESSIONID

   Cookie domain - <domain>

   Cookie Path - <context>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   Restrict Cookies to HTTPS Sessions

   Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

          <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
              <session-descriptor>
                  <cookie-name>JSESSIONID</cookie-name>
                  <cookie-domain><domain></cookie-domain>
                  <cookie-path><context></cookie-path>
                  <cookie-http-only>true</cookie-http-only>
                  <cookie-secure>true</cookie-secure>
              </session-descriptor>
          </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

          <session-descriptor>
              <cookie-name>JSESSIONID</cookie-name>
              <cookie-domain><domain></cookie-domain>
              <cookie-path><context></cookie-path>
              <cookie-http-only>true</cookie-http-only>
              <cookie-secure>true</cookie-secure>
          </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

          -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

          <ssl>
              <name><servername></name>
              <enabled>true</enabled>
              <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
          </ssl>

      For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

       <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GET/POST

Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat. Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment the following two sections from CATALINA_HOME/conf/server.xml (if available):

   Section I

       <Context path="/examples" docBase="examples" debug="0"
                reloadable="true" crossContext="true">
           <Logger className="org.apache.catalina.logger.FileLogger"
                   prefix="localhost_examples_log." suffix=".txt"
                   timestamp="true"/>
           <Ejb name="ejb/EmplRecord" type="Entity"
                home="com.wombat.empl.EmployeeRecordHome"
                remote="com.wombat.empl.EmployeeRecord"/>

   Section II

           <Environment name="maxExemptions" type="java.lang.Integer"
                        value="15"/>
           <Parameter name="context.param.name" value="context.param.value"
                      override="false"/>
           <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                     type="javax.sql.DataSource"/>
           <ResourceParams name="jdbc/EmployeeAppDb">
               <parameter><name>user</name><value>sa</value></parameter>
               <parameter><name>password</name><value></value></parameter>
               <parameter><name>driverClassName</name>
                   <value>org.hsql.jdbcDriver</value></parameter>
               <parameter><name>driverName</name>
                   <value>jdbc:HypersonicSQL:database</value></parameter>
           </ResourceParams>
           <Resource name="mail/Session" auth="Container"
                     type="javax.mail.Session"/>
           <ResourceParams name="mail/Session">
               <parameter>
                   <name>mail.smtp.host</name>
                   <value>localhost</value>
               </parameter>
           </ResourceParams>
           <ResourceLink name="linkToGlobalResource"
                         global="simpleValue"
                         type="java.lang.Integer"/>
       </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:

       <welcome-file>index.html</welcome-file>
       <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

       <user username="both" password="b$12" roles="tomcat,role1"/>
       <user username="tomcat" password="t$12" roles="tomcat"/>
       <user username="admin" password="a$12" roles="admin,manager"/>
       <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set:

    "ServerTokens" parameter to "Prod"

    "ServerSignature" parameter to "Off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/Apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

    DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
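An allow-list check modelled on DOCUMENT_ALLOWED_EXTENSION, showing how the edge cases fall out (case, path components, missing extension, leading-dot names, double extensions). This is an added example, not the Forms Framework's own code; how OFSAA itself parses the file name is an assumption, and the list is the release value quoted above.

```python
import os

# Allow-list as quoted above for the current release (value of DOCUMENT_ALLOWED_EXTENSION).
DOCUMENT_ALLOWED_EXTENSION = "txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, jpeg"


def parse_allowed(value):
    """Split the comma-separated value; compare case-insensitively so 'doc' and 'Doc' are one."""
    return {ext.strip().lstrip(".").lower() for ext in value.split(",") if ext.strip()}


def upload_allowed(filename, allowed):
    """Allow-list decision on the final extension of the bare file name.

    Assumed behaviour (OFSAA's own parsing is not documented here): path separators of either
    kind are discarded, a name with no extension or a leading-dot name is rejected, and only the
    last extension counts, so 'report.jsp.txt' is accepted as a .txt just as the text above
    implies. An extension check says nothing about the file's content."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    root, ext = os.path.splitext(base)
    if not root or not ext:
        return False
    return ext[1:].lower() in allowed
```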

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

       RewriteEngine On
       RewriteCond %{REQUEST_METHOD} !^(GET|POST)
       RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>restricted methods</web-resource-name>
                  <url-pattern>/*</url-pattern>
                  <http-method>PUT</http-method>
                  <http-method>PATCH</http-method>
                  <http-method>HEAD</http-method>
                  <http-method>DELETE</http-method>
                  <http-method>OPTIONS</http-method>
                  <http-method>TRACE</http-method>
                  <http-method>CONNECT</http-method>
              </web-resource-collection>
              <auth-constraint/>
          </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
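A check that the security-constraint from step 2a denies the listed methods for /*, together with the servlet-spec caveat a reviewer would raise: only the methods named in the constraint are affected, and an auth-constraint that names a role restricts rather than denies. This is an added example, not Oracle code; the web.xml fragment is a constructed sample matching the snippet above.

```python
import xml.etree.ElementTree as ET

# Methods step 2a denies; GET and POST are the only ones meant to remain.
REQUIRED_DENIED = {"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed web.xml fragment matching the snippet in step 2a.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def parse(xml_text):
    """Parse and strip namespaces so tag names compare plainly."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root


def denied_methods(web_xml):
    """Methods no caller may use on /*: those listed in a web-resource-collection whose
    security-constraint carries an empty <auth-constraint/>. An auth-constraint with
    role-name children only limits access to those roles; it denies nothing outright."""
    denied = set()
    for sc in parse(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        if auth is None or auth.find("role-name") is not None:
            continue
        for wrc in sc.iter("web-resource-collection"):
            patterns = {p.text.strip() for p in wrc.iter("url-pattern") if p.text}
            if "/*" in patterns:
                denied.update(m.text.strip().upper() for m in wrc.iter("http-method") if m.text)
    return denied


def missing_denials(web_xml):
    """Methods from the guide's list that the deployed web.xml does not deny."""
    return REQUIRED_DENIED - denied_methods(web_xml)


def method_blocked(web_xml, method):
    """Servlet semantics: only the listed methods are constrained. A verb the constraint does
    not name passes through, which is why the httpd rule in step 1, allowing GET and POST
    and nothing else, is the tighter control when an HTTP Server is in front."""
    return method.upper() in denied_methods(web_xml)
```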

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

    Negotiating a cipher suite for encryption, data integrity and authentication

    Authenticating the client by validating its certificate

    Authenticating the server by verifying that its Distinguished Name (DN) is expected

    Client and server exchange key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

Filter Servlet is a controller in the web-container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check is for the following groups of keywords / key characters:

    JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

    JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10

    SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

    SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

    SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

    SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross Site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

    PARAMNAME               PARAMVALUE   DESCRIPTION
    XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 DebugLogs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
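A model of the checks described in 7.4 to 7.6.3: keyword groups are loaded from CONFIGURATION rows by PARAMNAME prefix, a request is blocked when it combines a JavascriptKeyWord with a JavascriptKeyChar or an SQLWord with an SQLKeyWord, the XSS_IS_CHECK_REQUIRED switch gates everything, and each block is logged with date, time, URL and user. This is an added example, not Oracle's FilterServlet; the rows are a constructed subset of the real lists and the exact matching rules (whole-word keywords, substring meta characters) are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed rows in the shape of the CONFIGURATION table (PARAMNAME, PARAMVALUE, DESCRIPTION).
# A small subset of the real keyword lists; the full lists are in the MOS document cited above.
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE", "Parameter to decide whether XSS check is to be enabled or not"),
    ("XSS_JS_KEYWORDS1", "return", ""),
    ("XSS_JS_KEYWORDS2", "alert", ""),
    ("XSS_JS_KEYWORDS3", "script", ""),
    ("XSS_JS_KEYWORDS4", "javascript", ""),
    ("XSS_JS_METACHARS1", "<", ""),
    ("XSS_JS_METACHARS2", ">", ""),
    ("XSS_JS_METACHARS3", "(", ""),
    ("XSS_JS_METACHARS4", "'", ""),
    ("XSS_SQL_KEYWORDS1", "select", ""),
    ("XSS_SQL_KEYWORDS2", "drop", ""),
    ("XSS_SQL_WORDS1", "from", ""),
    ("XSS_SQL_WORDS2", "table", ""),
]


def load_group(rows, prefix):
    """PARAMVALUEs whose PARAMNAME is the prefix followed only by digits, lower-cased."""
    return {v.lower() for n, v, _ in rows if n.startswith(prefix) and n[len(prefix):].isdigit()}


class FilterModel:
    def __init__(self, rows):
        # 7.6.1: checks run only when XSS_IS_CHECK_REQUIRED exists and is TRUE
        self.enabled = any(n == "XSS_IS_CHECK_REQUIRED" and v.upper() == "TRUE" for n, v, _ in rows)
        self.js_keywords = load_group(rows, "XSS_JS_KEYWORDS")
        self.js_metachars = load_group(rows, "XSS_JS_METACHARS")
        self.sql_keywords = load_group(rows, "XSS_SQL_KEYWORDS")
        self.sql_words = load_group(rows, "XSS_SQL_WORDS")
        self.log = []  # stands in for CSSLogger.log

    def inspect(self, url, user, params):
        """Return 'XSS', 'SQL injection' or None for a request's parameters (a dict), and log
        date, time, URL and user for every block as 7.6.3 describes. Keywords match whole
        words case-insensitively; meta characters match anywhere (assumed rules)."""
        if not self.enabled:
            return None
        text = " ".join(f"{k}={v}" for k, v in params.items())
        words = set(re.findall(r"[a-z_]+", text.lower()))
        reason = None
        if words & self.js_keywords and any(c in text for c in self.js_metachars):
            reason = "XSS"
        elif words & self.sql_words and words & self.sql_keywords:
            reason = "SQL injection"
        if reason:
            now = datetime.now(timezone.utc)
            self.log.append(f"{now:%Y-%m-%d} {now:%H:%M:%S} {url} {user} {reason} check failed")
        return reason
```

A keyword on its own (a search for "quarterly return summary") is not blocked; it takes the keyword together with a meta character, which is what keeps the check from rejecting ordinary form input.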


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

    Did you find any errors?

    Is the information clearly presented?

    Do you need more information? If so, where?

    Are the examples correct? Do you need more examples?

    What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords / Key Characters
      • 7.6.3 DebugLogs
Page 12: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

SECURE HEADER CONFIGURATION

CONFIGURATION FOR REFERRER HEADER VALIDATION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 12

<context-param>
    <param-name>default-src</param-name>
    <param-value>default-src 'self'</param-value>
</context-param>

<context-param>
    <param-name>script-src</param-name>
    <param-value>script-src <SCRURL> 'self' 'unsafe-inline' 'unsafe-eval'</param-value>
</context-param>

<context-param>
    <param-name>img-src</param-name>
    <param-value>img-src <IMGURL> 'self' data:</param-value>
</context-param>

<context-param>
    <param-name>style-src</param-name>
    <param-value>style-src <CSSURL> 'self' 'unsafe-inline'</param-value>
</context-param>

In the previous example, you have to define the policy by replacing:

default-src - with no value. This value sets it to 'self'.

<SCRURL> - with the URL of the script that you want to allow to run, which will prevent any other script from running.

<IMGURL> - with the image URLs from trusted sources from where you want to load images, and prevent images from untrusted sources.

<CSSURL> - with the URL of the stylesheet, to allow styles from the specified stylesheet and to prevent styles from other sources.

3.3 Configuration for Referrer Header Validation

Referrer Header Validation protects against CSRF attacks by allowing only validated host URLs.

Perform the following steps to configure referrer header validation:

1. Navigate to web.xml, found in $FIC_HOME/ficweb/webroot/WEB-INF.

2. Add the following tag:

<filter>
    <filter-name>FilterServlet</filter-name>
    <filter-class>com.iflex.fic.filters.FilterServlet</filter-class>
    <init-param>
        <param-name>AllowHosts</param-name>
        <param-value><URL1> <URL2></param-value>
    </init-param>
</filter>

NOTE: Separate <URL1> and <URL2> with a single space. Adding the URLs without a space between them, or adding two or more spaces between them, results in errors. Make sure that each <URL> ends with a forward slash (/).
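As an added illustration (not the FilterServlet's own code), the Python below models what an AllowHosts-based referrer check has to do: parse the space-separated list under the rules in the note above, then compare the Referer header's scheme, host and path prefix against each entry. The host names and the /OFSAA context path are constructed samples.

```python
"""Referer validation against an AllowHosts list, modelled on the FilterServlet
init-param above. Added example, not OFSAA code."""
from typing import List, Optional
from urllib.parse import urlsplit


def parse_allow_hosts(param_value: str) -> List[str]:
    """Split the AllowHosts value on single spaces, as the NOTE requires.
    An empty token (two spaces in a row) or an entry without a trailing
    slash is rejected instead of silently widening or narrowing the list."""
    entries = param_value.split(" ")
    for entry in entries:
        if entry == "":
            raise ValueError("AllowHosts: separate URLs with exactly one space")
        if not entry.endswith("/"):
            raise ValueError("AllowHosts: %r must end with a forward slash" % entry)
        parts = urlsplit(entry)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("AllowHosts: %r is not an absolute http(s) URL" % entry)
    return entries


def referer_allowed(referer: Optional[str], allow_hosts: List[str]) -> bool:
    """Accept only if the Referer's scheme and host equal one entry's and its
    path starts with that entry's path. Comparing parsed components instead of
    a raw string prefix means a host that merely begins with the allowed name
    (app.mysite.com.example) cannot pass for app.mysite.com. A missing Referer
    fails closed."""
    if not referer:
        return False
    ref = urlsplit(referer)
    for entry in allow_hosts:
        ent = urlsplit(entry)
        if ref.scheme != ent.scheme or ref.netloc.lower() != ent.netloc.lower():
            continue
        # The entry path always ends in '/', so this is a directory-prefix test.
        if (ref.path or "/").startswith(ent.path):
            return True
    return False


# Constructed sample value; a real AllowHosts holds your own OFSAA URLs.
SAMPLE_ALLOW_HOSTS = "https://app.mysite.com/ https://reports.mysite.com/OFSAA/"


def demo() -> List[bool]:
    hosts = parse_allow_hosts(SAMPLE_ALLOW_HOSTS)
    return [
        referer_allowed("https://app.mysite.com/OFSAA/login.jsp", hosts),   # True
        referer_allowed("https://reports.mysite.com/other/page", hosts),    # False: path outside /OFSAA/
        referer_allowed("https://app.mysite.com.example/OFSAA/", hosts),    # False: different host
        referer_allowed("http://app.mysite.com/OFSAA/", hosts),             # False: scheme mismatch
    ]
```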


4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server. Alternatively, you may refer to your web application server specific administration guide for additional details.

Enabling HTTPS Configuration for OFSAA

Security Configuration for Tomcat

Security Configuration for WebSphere

Security Configuration for WebLogic

4.1 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default. This configuration creates an encrypted environment and functions as a secure environment for client-server communications.

TIP: See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC.

To enable HTTPS post installation:

To view configurations related to SSLv3 and TLS 1.2:

4.2 Security Configuration for Tomcat

Perform the following security configurations for Tomcat:

1. Add the preferred cipher list to Tomcat and update the value of sslProtocol to TLS 1.2 in the SSL Connector tag of the $CATALINA_HOME/conf/server.xml file.

2. The ciphers attribute can be added to the Connector tag in server.xml as shown in the following example.

TIP: Multiple cipher suites have to be comma-separated.

For example:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

For more details on TLS 1.2 supported ciphers and recommendations, see the following links:

https://www.owasp.org/index.php/Securing_tomcat

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers


3. Add the following session attributes under the 'Context' tag of the $CATALINA_HOME/conf/server.xml file:

sessionCookiePath="<context>"
sessionCookieDomain="<domain>"

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

4. Configure Secure and HttpOnly using the following procedure:

a. In the $CATALINA_HOME/conf/context.xml file, add the useHttpOnly="true" attribute to the 'Context' tag.

b. Add the secure="true" attribute to the 'Connector' tag section of the $CATALINA_HOME/conf/server.xml file.

c. Add the below tags to the session-config section of the $CATALINA_HOME/conf/web.xml file:

<cookie-config>
    <http-only>true</http-only>
    <secure>true</secure>
</cookie-config>

5. Disable directory listing in the $CATALINA_HOME/conf/web.xml file. Add the following lines to the servlet section:

<init-param>
    <param-name>listings</param-name>
    <param-value>false</param-value>
</init-param>

6. Post configuration, restart the Tomcat service.

4.3 Security Configuration for WebSphere

In the WebSphere Admin console, you must restrict cookies to HTTPS sessions in the Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration, and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In Session Management Configuration, restrict cookies to HTTPS Sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and, in the LHS menu, select Server > Server Types > WebSphere application servers.

2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

Cookie Name - JSESSIONID
Cookie Domain - <domain>
Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

Restrict Cookies to HTTPS Sessions
Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings to initiate TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. In order to ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
    <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
    </session-descriptor>
</weblogic-web-app>


b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

<session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
</session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

<ssl>
    <name><servername></name>
    <enabled>true</enabled>
    <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>

For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

<index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through a URL such as app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.
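Once the Tomcat, WebSphere or WebLogic settings above are in place, the session cookie the server issues should carry Secure, HttpOnly, Path=<context> and Domain=<domain>. The following Python check, added here and not part of the guide or of any application server, parses a Set-Cookie header and reports each deviation; the header values and the /OFSAA context are constructed samples.

```python
"""Check that a session Set-Cookie header carries the attributes the Tomcat,
WebSphere and WebLogic steps above configure: Secure, HttpOnly, Path=<context>
and Domain=<domain>. Added example; not OFSAA or application-server code."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Parse one Set-Cookie value. Keys 'name' and 'value' hold the cookie
    itself; attribute names are lower-cased (RFC 6265 treats them
    case-insensitively) and flag attributes such as Secure map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
    return cookie


def session_cookie_findings(header: str, context: str, domain: str) -> List[str]:
    """Return deviations from the hardened configuration; empty means compliant."""
    c = parse_set_cookie(header)
    findings = []
    if c["name"] != "JSESSIONID":
        findings.append("unexpected cookie name %r" % c["name"])
    if "secure" not in c:
        findings.append("Secure missing: cookie would also be sent over plain HTTP")
    if "httponly" not in c:
        findings.append("HttpOnly missing: cookie is readable by page scripts")
    if c.get("path") != context:
        findings.append("Path is %r, expected %r" % (c.get("path"), context))
    # The guide wants the host that serves the app (app.mysite.com), not the
    # parent domain (mysite.com); otherwise every sibling host receives the cookie.
    if c.get("domain", "").lower().lstrip(".") != domain.lower():
        findings.append("Domain is %r, expected %r" % (c.get("domain"), domain))
    return findings


# Constructed sample headers, not captured from a real server.
HARDENED = "JSESSIONID=0000A1B2C3; Path=/OFSAA; Domain=app.mysite.com; Secure; HttpOnly"
WEAK = "JSESSIONID=0000A1B2C3; Path=/OFSAA; Domain=mysite.com"


def demo() -> Dict[str, List[str]]:
    return {
        "hardened": session_cookie_findings(HARDENED, "/OFSAA", "app.mysite.com"),  # []
        "weak": session_cookie_findings(WEAK, "/OFSAA", "app.mysite.com"),          # 3 findings
    }
```

Feed it the Set-Cookie value from a captured response of the OFSAA login page to confirm the settings took effect after the restart.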


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GET/POST

Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat.

Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment the following two sections from CATALINA_HOME/conf/server.xml (if available):

Section I:

<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="localhost_examples_log." suffix=".txt"
            timestamp="true"/>
    <Ejb name="ejb/EmplRecord" type="Entity"
         home="com.wombat.empl.EmployeeRecordHome"
         remote="com.wombat.empl.EmployeeRecord"/>

Section II:

    <Environment name="maxExemptions" type="java.lang.Integer"
                 value="15"/>
    <Parameter name="context.param.name" value="context.param.value"
               override="false"/>
    <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
              type="javax.sql.DataSource"/>
    <ResourceParams name="jdbc/EmployeeAppDb">
        <parameter><name>user</name><value>sa</value></parameter>
        <parameter><name>password</name><value></value></parameter>
        <parameter><name>driverClassName</name>
            <value>org.hsql.jdbcDriver</value></parameter>
        <parameter><name>driverName</name>
            <value>jdbc:HypersonicSQL:database</value></parameter>
    </ResourceParams>
    <Resource name="mail/Session" auth="Container"
              type="javax.mail.Session"/>
    <ResourceParams name="mail/Session">
        <parameter>
            <name>mail.smtp.host</name>
            <value>localhost</value>
        </parameter>
    </ResourceParams>
    <ResourceLink name="linkToGlobalResource"
                  global="simpleValue"
                  type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment the following two tags from the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses:

Modify the httpd.conf file and set:

the "ServerTokens" parameter to "Prod"
the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>PATCH</http-method>
        <http-method>HEAD</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

Negotiating a cipher suite for encryption, data integrity, and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that its Distinguished Name (DN) is the expected one

Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

Filter Servlet is a controller in the web-container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently, this check is for the following groups of keywords/key characters:

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (meta characters such as ", ', (, ), <, >), then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME              PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
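To make the keyword-combination rules of sections 7.3 to 7.6 concrete, here is a Python model, added here and not the Filter Servlet's code: the configuration rows are constructed from the sample keywords quoted in the text (the full list is in the MOS document), the XSS_IS_CHECK_REQUIRED switch gates the checks, and a detection produces a CSSLogger-style line with the date, time, URL and user fields. Applying the switch to the SQL rule as well is an assumption.

```python
"""Model of the Filter Servlet checks in Appendix A: the XSS rule (a
JavascriptKeyWord together with a JavascriptKeyChar), the SQL rule (an SQLWord
together with an SQLKeyWord), the XSS_IS_CHECK_REQUIRED switch and a
CSSLogger-style record. Added example, not OFSAA code."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed configuration rows (PARAMNAME -> PARAMVALUE) built from the sample
# keywords quoted in sections 7.4 and 7.5; the real table is longer.
CONFIGURATION: Dict[str, str] = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'",
    "XSS_JS_METACHARS3": "(", "XSS_JS_METACHARS4": ")",
    "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select", "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
}


def group(config: Dict[str, str], prefix: str) -> List[str]:
    """PARAMVALUEs whose PARAMNAME is <prefix><n>, ordered by n."""
    pat = re.compile(re.escape(prefix) + r"(\d+)$")
    rows = []
    for name, value in config.items():
        m = pat.match(name)
        if m:
            rows.append((int(m.group(1)), value))
    return [value for _, value in sorted(rows)]


def contains_word(text: str, word: str) -> bool:
    """Whole-word, case-insensitive match, so 'description' does not count as 'script'."""
    return re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE) is not None


def check_request(params: Dict[str, str], config: Dict[str, str]) -> Optional[str]:
    """None when the request passes, otherwise 'XSS' or 'SQL'. A keyword on its
    own is not blocked: the guide's rule is the combination of a keyword with a
    key character (XSS) or of an SQLWord with an SQLKeyWord (SQL). Gating the
    SQL rule on XSS_IS_CHECK_REQUIRED as well is an assumption."""
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None
    text = " ".join(params.values())
    js_keyword = any(contains_word(text, w) for w in group(config, "XSS_JS_KEYWORDS"))
    js_metachar = any(c in text for c in group(config, "XSS_JS_METACHARS"))
    if js_keyword and js_metachar:
        return "XSS"
    sql_keyword = any(contains_word(text, w) for w in group(config, "XSS_SQL_KEYWORDS"))
    sql_word = any(contains_word(text, w) for w in group(config, "XSS_SQL_WORDS"))
    if sql_keyword and sql_word:
        return "SQL"
    return None


def css_logger_line(check: str, url: str, user: str, when: Optional[datetime] = None) -> str:
    """One CSSLogger.log record with the fields the guide lists: date, time, URL, user."""
    when = when or datetime.now()
    return "%s %s %s url=%s user=%s" % (when.strftime("%Y-%m-%d"),
                                         when.strftime("%H:%M:%S"), check, url, user)
```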


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?

Is the information clearly presented?

Do you need more information? If so, where?

Are the examples correct? Do you need more examples?

What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

Page 13: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

SECURE HEADER CONFIGURATION

CONFIGURATION FOR REFERRER HEADER VALIDATION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 13

ltinit-paramgt

ltfiltergt

NOTE Separate ltURL1gt and ltURL2gt with a single space Adding the URLs without a space between them or adding two or more spaces between them results in errors Make sure that ltURLgt ends with a forward slash ()

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

ENABLING HTTPS CONFIGURATION FOR OFSAA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 14

4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server Alternatively

you may refer to your web application server specific administration guide for additional details

Enabling HTTPS Configuration for OFSAA

Security Configuration for Tomcat

Security Configuration for WebSphere

Security Configuration for WebLogic

41 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default This configuration creates an

encrypted environment and functions as a secure environment for client-server communications

TIP See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC

To enable HTTPS post installation

To view configurations related to SSLv3 and TLS12

42 Security Configuration for Tomcat

Perform the following security configurations for Tomcat

1 Add preferred cipher list to Tomcat and update the value of sslProtocol to TLS 12 in the SSL

Connector tag of $CATALINA_HOMEconfserverxml file

2 Ciphers attribute can be added to Connector tag in serverxml as shown in the following

example

TIP Multiple cipher suites have to be comma-separated

For example

ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384rdquo

For more details on TLS12 supported ciphers and recommendations see the following

links

httpswwwowasporgindexphpSecuring_tomcat

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-

_Only_Support_Strong_Cryptographic_Ciphers

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 15

3 Add the following session attributes under lsquoContextrsquo tag of

$CATALINA_HOMEconfserverxml file

sessionCookiePath= ldquoltcontextgtrdquo

sessionCookieDomain= ldquoltdomaingtrdquo

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

4 Configure for secure and HttpOnly using the following procedure

a In $CATALINA_HOMEconfcontextxml file add lsquouseHttpOnly=truersquo attribute to

lsquoContextrsquo tag

b Add secure=true attribute to lsquoConnectorrsquo tag section of

$CATALINA_HOMEconfserverxml file

c Add below tags to session-config section of $CATALINA_HOMEconfwebxml file

ltcookie-configgt

lthttp-onlygttruelthttp-onlygt

ltsecuregttrueltsecuregt

ltcookie-configgt

5 Disable directory listing in $CATALINA_HOMEconfwebxml file Add the following lines to

the servlet section

ltinit-paramgt

ltparam-namegtlistingsltparam-namegt

ltparam-valuegtfalseltparam-valuegt

ltinit-paramgt

6 Post configuration restart the tomcat service

4.3 Security Configuration for WebSphere

In the WebSphere Admin console you must restrict cookies to HTTPS sessions in the Session Management Configuration, specify the JSESSIONID variable in the Web Container Settings, set the TLS configuration and configure application security. The subsections describe the procedures in detail.

4.3.1 Session Management Secure and HttpOnly Configuration

In the Session Management Configuration, restrict cookies to HTTPS sessions.

Perform the following procedure for session management configuration:

1. Navigate to your WebSphere Admin Console and in the LHS menu select Server > Server Types > WebSphere application servers.


2. Select the configured Application Server from the list by clicking on the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

Cookie Name - JSESSIONID

Cookie domain - <domain>

Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

Restrict Cookies to HTTPS Sessions

Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server will accept only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections will be established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings so that only TLS handshakes are initiated.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see:

https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see:

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security in the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see:

https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To make them secure, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it. You will then need to create a weblogic.xml file and deploy the ear file on your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administration Console and select the Domain from the LHS > Domain Structure section.

2. In the Configuration tab (selected by default), select the Web Applications tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and save the change again.

6. Configure session Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>


b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>

For more information, see:

https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see:

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

<index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GET/POST

Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat.

Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

Section I:

<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>

Section II:

  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"


            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
      <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
      <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.html</welcome-file>

<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>

<user username="tomcat" password="t$12" roles="tomcat"/>

<user username="admin" password="a$12" roles="admin,manager"/>

<user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.


Modify the httpd.conf file and set:

the "ServerTokens" parameter to "Prod"

the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
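The allowlist check described above, written out as an added example (not OFSAA code) so that the edge cases a reviewer should look at are visible; the parameter value is constructed from the list in the text, and how the platform parses the value and that it compares extensions case-sensitively are assumptions.

```python
"""Extension allowlist for uploads, modelled on the DOCUMENT_ALLOWED_EXTENSION
parameter described above.

Added example, not OFSAA code. The parameter value is constructed from the
extensions the text lists; how the platform parses the value and that it
compares extensions case-sensitively (both 'doc' and 'Doc' are listed) are
assumptions about its behaviour.
"""
import ntpath
import posixpath

# Constructed: the value as the text lists it for the current release.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(param_value):
    """Split the CONFIGURATION value into a set of extensions (no dots, exact case)."""
    return {e.strip().lstrip(".") for e in param_value.split(",") if e.strip()}


def extension_of(filename):
    """Final extension of an uploaded file name, or None if it has none.

    Only the base name is examined, so directory parts cannot contribute a dot,
    and only the text after the last dot counts: 'report.pdf.jsp' -> 'jsp'.
    """
    base = posixpath.basename(ntpath.basename(filename))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1]
    return ext or None  # 'archive.' ends in a dot: no usable extension


def is_upload_allowed(filename, allowed):
    """True only when the name has an extension and that extension is allowlisted."""
    if "\x00" in filename:  # a NUL can truncate the name in lower layers; reject outright
        return False
    ext = extension_of(filename)
    return ext is not None and ext in allowed


def filter_uploads(filenames, param_value=DOCUMENT_ALLOWED_EXTENSION):
    """Partition upload names into (accepted, blocked) under the allowlist."""
    allowed = parse_allowed_extensions(param_value)
    accepted = [f for f in filenames if is_upload_allowed(f, allowed)]
    blocked = [f for f in filenames if not is_upload_allowed(f, allowed)]
    return accepted, blocked


if __name__ == "__main__":
    # Constructed upload names covering the edge cases above.
    sample = ["q1_report.pdf", "notes.Doc", "notes.DOC", "report.pdf.jsp",
              "README", "archive.", "../../etc/config.xml", "a.txt\x00.jsp"]
    accepted, blocked = filter_uploads(sample)
    print("accepted:", accepted)
    print("blocked:", blocked)
```

Note that the allowlist decides on the extension alone: a name such as ../../etc/config.xml is accepted by this check, so the storage path must be derived from the base name by separate code.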

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

RewriteEngine On

RewriteCond %{REQUEST_METHOD} !^(GET|POST)

RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>


  <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
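As an added example that is not part of this guide, a small audit script for the web.xml settings the Tomcat section (steps 4c and 5) and this section (step 2a) ask for: cookie-config with HttpOnly and Secure, the listings init-param set to false, and a security-constraint on /* with an empty auth-constraint covering every listed method. The sample descriptor and the function names are this example's own.

```python
"""Audit a web.xml for the settings this guide asks for: the session cookie
flagged HttpOnly and Secure (Tomcat step 4c), directory listings disabled
(Tomcat step 5) and a security-constraint on /* that denies every HTTP method
other than GET/POST (section 5.4, step 2a).

Added example, not OFSAA tooling. The sample descriptor is constructed inline
and deliberately fails three checks; the function names are this example's own.
"""
import xml.etree.ElementTree as ET

# The methods the guide's constraint lists.
RESTRICTED_METHODS = {"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample: Secure flag missing, listings enabled, TRACE not denied.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop the XML namespace so matching works for any Java EE schema version."""
    return tag.split("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (the element itself excluded) with the given local name."""
    return [c for c in elem.iter() if c is not elem and _local(c.tag) == name]


def _text(elem, name):
    """Normalised text of the first matching descendant, or None."""
    found = _find_all(elem, name)
    return (found[0].text or "").strip().lower() if found else None


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. session-config/cookie-config must set both http-only and secure to true.
    cookie_cfg = _find_all(root, "cookie-config")
    if not cookie_cfg:
        findings.append("session-config/cookie-config missing")
    else:
        for flag in ("http-only", "secure"):
            if _text(cookie_cfg[0], flag) != "true":
                findings.append(f"cookie-config/{flag} is not true")

    # 2. No servlet may have its 'listings' init-param set to anything but false.
    for param in _find_all(root, "init-param"):
        if _text(param, "param-name") == "listings" and _text(param, "param-value") != "false":
            findings.append("directory listings enabled (listings != false)")

    # 3. Methods denied by a /* constraint whose auth-constraint names no role
    #    (i.e. denies everyone); any restricted method not in that set is reachable.
    denied = set()
    for sc in _find_all(root, "security-constraint"):
        auth = _find_all(sc, "auth-constraint")
        denies_everyone = bool(auth) and not _find_all(auth[0], "role-name")
        if not denies_everyone:
            continue
        for wrc in _find_all(sc, "web-resource-collection"):
            if any((p.text or "").strip() == "/*" for p in _find_all(wrc, "url-pattern")):
                denied |= {(m.text or "").strip().upper() for m in _find_all(wrc, "http-method")}
    missing = sorted(RESTRICTED_METHODS - denied)
    if missing:
        findings.append("methods not denied by a /* constraint: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("FINDING:", finding)
```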

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

Negotiating a cipher suite for encryption, data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that its Distinguished Name (DN) is the expected one

Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check covers the following groups of keywords and key characters:

JavascriptKeyWords - paramname in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10

SQLKeyWords - paramname in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

SQLWords - paramname in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

These entries are present in the Configuration table.

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta characters) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate), then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross Site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME              PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED  TRUE         Parameter to decide whether the XSS check is to be enabled or not
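An added re-creation (not the Filter Servlet's own code) of the keyword and key-character checks described in 7.4, 7.5 and 7.6.1, run over constructed request parameters. The configuration rows are constructed from the keywords the text names (the real table holds more), and the matching rules, whole-word case-insensitive keywords plus literal meta characters, are assumptions about the servlet's behaviour.

```python
"""Re-creation of the Filter Servlet's keyword / key-character checks as the
appendix describes them, run over constructed HTTP request parameters.

Added example, not the OFSAAI Filter Servlet's code. The configuration rows
below are constructed from the keywords the text names; the real table holds
more entries (XSS_JS_KEYWORDS1..13 and so on), and the matching rules
(whole-word, case-insensitive keywords; literal meta characters) are
assumptions about the servlet's behaviour.
"""
import re

# Constructed CONFIGURATION rows: (PARAMNAME, PARAMVALUE)
CONFIG_TABLE = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

# PARAMNAME = group prefix + running numeral, as section 7.3 lists them.
_GROUP = re.compile(r"^(XSS_(?:JS_KEYWORDS|JS_METACHARS|SQL_KEYWORDS|SQL_WORDS))\d+$")


def load_groups(rows):
    """Bucket PARAMVALUEs by the PARAMNAME prefix, dropping the trailing numeral."""
    groups = {"XSS_JS_KEYWORDS": [], "XSS_JS_METACHARS": [],
              "XSS_SQL_KEYWORDS": [], "XSS_SQL_WORDS": []}
    for name, value in rows:
        m = _GROUP.match(name)
        if m:
            groups[m.group(1)].append(value)
    return groups


def check_required(rows):
    """XSS_IS_CHECK_REQUIRED gates the checks: a missing row or FALSE disables them."""
    values = dict(rows)
    return values.get("XSS_IS_CHECK_REQUIRED", "FALSE").strip().upper() == "TRUE"


def _has_word(text, words):
    """Whole-word, case-insensitive match for any of the keywords."""
    low = text.lower()
    return any(re.search(r"\b" + re.escape(w) + r"\b", low) for w in words)


def inspect_request(params, rows=CONFIG_TABLE):
    """Return the reasons the request would be blocked ([] means it passes).

    params maps parameter name -> decoded value, as the servlet sees them.
    A keyword on its own never blocks; only the combinations the text names do.
    """
    if not check_required(rows):
        return []
    g = load_groups(rows)
    reasons = []
    for name, value in params.items():
        if _has_word(value, g["XSS_JS_KEYWORDS"]) and any(c in value for c in g["XSS_JS_METACHARS"]):
            reasons.append(f"{name}: XSS (JS keyword + meta char)")
        if _has_word(value, g["XSS_SQL_KEYWORDS"]) and _has_word(value, g["XSS_SQL_WORDS"]):
            reasons.append(f"{name}: SQL injection (SQL keyword + SQL word)")
    return reasons


if __name__ == "__main__":
    # Constructed requests: the first is benign, the other two trip a check.
    for p in ({"q": "quarterly script review"},
              {"q": "<script>alert(1)</script>"},
              {"q": "1' or 1=1; select * from users"}):
        print(p, "->", inspect_request(p) or "passes")
```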

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?

Is the information clearly presented?

Do you need more information? If so, where?

Are the examples correct? Do you need more examples?

What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 14: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

ENABLING HTTPS CONFIGURATION FOR OFSAA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 14

4 Web Application Server Security Configurations

Refer to the following sections depending on your configured web application server Alternatively

you may refer to your web application server specific administration guide for additional details

Enabling HTTPS Configuration for OFSAA

Security Configuration for Tomcat

Security Configuration for WebSphere

Security Configuration for WebLogic

41 Enabling HTTPS Configuration for OFSAA

HTTPS is recommended during OFSAA installation by default This configuration creates an

encrypted environment and functions as a secure environment for client-server communications

TIP See the HTTPS Protocol section in the relevant version of the OFS Analytical Applications Infrastructure Administration Guides on the OHC

To enable HTTPS post installation

To view configurations related to SSLv3 and TLS12

42 Security Configuration for Tomcat

Perform the following security configurations for Tomcat

1 Add preferred cipher list to Tomcat and update the value of sslProtocol to TLS 12 in the SSL

Connector tag of $CATALINA_HOMEconfserverxml file

2 Ciphers attribute can be added to Connector tag in serverxml as shown in the following

example

TIP Multiple cipher suites have to be comma-separated

For example

ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384rdquo

For more details on TLS12 supported ciphers and recommendations see the following

links

httpswwwowasporgindexphpSecuring_tomcat

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-

_Only_Support_Strong_Cryptographic_Ciphers

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 15

3 Add the following session attributes under lsquoContextrsquo tag of

$CATALINA_HOMEconfserverxml file

sessionCookiePath= ldquoltcontextgtrdquo

sessionCookieDomain= ldquoltdomaingtrdquo

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

4 Configure for secure and HttpOnly using the following procedure

a In $CATALINA_HOMEconfcontextxml file add lsquouseHttpOnly=truersquo attribute to

lsquoContextrsquo tag

b Add secure=true attribute to lsquoConnectorrsquo tag section of

$CATALINA_HOMEconfserverxml file

c Add below tags to session-config section of $CATALINA_HOMEconfwebxml file

ltcookie-configgt

lthttp-onlygttruelthttp-onlygt

ltsecuregttrueltsecuregt

ltcookie-configgt

5 Disable directory listing in $CATALINA_HOMEconfwebxml file Add the following lines to

the servlet section

ltinit-paramgt

ltparam-namegtlistingsltparam-namegt

ltparam-valuegtfalseltparam-valuegt

ltinit-paramgt

6 Post configuration restart the tomcat service

43 Security Configuration for WebSphere

In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Sessions

Management Configuration specify JSESSIONID variable in the Web Container Settings set TLS

configuration and configure application security The subsections describe the procedures in detail

431 Session Management Secure and HttpOnly Configuration

In Session Management Configuration restrict cookies to HTTPS Sessions

Perform the following procedure for session management configuration

1 Navigate to your WebSphere Admin Console and in the LHS menu select Server gt Server

Types gt WebSphere application servers

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 16

2 Select the configured Application Server from the list by clicking on the Server Name

3 In the Configuration tab click Session Management link in Container Settings section

4 In the General Properties tab click the Enable Cookies link

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 17

5 Enter the following details

Cookie Name - JSESSIONID

Cookie domain - ltdomaingt

Cookie Path - ltcontextgt

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

6 Make sure the following checkboxes are selected

Restrict Cookies to HTTPS Sessions

Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7 Click Apply and save the changes

8 Restart Application Server through the console

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 18

432 TLS Configuration for WebSphere

Following are the steps to configure TLS protocol in WebSphere

1 Log on to the console (httphostadminportibmconsole)

2 Under the Security menu select SSL certificate and key management SSL configurations

NodeDefaultSSLSettings and Quality of protection (QoP) settings

3 Change the Protocol value to TLSv12

This ensures that WebSphere server will accept only TLSv12 connections That is when the web server

acts as a server (inbound) or as client (outbound) the SSL connections will be established through the

TLSv12 protocol When testing from a browser make sure to check the browser settings to initiate TLS

handshakes only

For more information see Configuring WebSphere Application Server to support TLS 12

For cipher suite configuration see

httpswwwibmcomsupportknowledgecenterenlinuxonibmliaagwascryptl0wscry00_wascip

hersuitehtm

For more details about strong cipher configuration see

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-

_Only_Support_Strong_Cryptographic_Ciphers

433 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to

authenticated users It prevents unauthorized access of configuration files in directories

Following is the procedure to enable Application security

1 Log in to WebSphere with administrator credentials

2 Click Security from the left menu and click Global security to display the Global security

window

3 Select Enable administrative security and Enable application security

4 Click Apply and save configuration

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19

434 Disable Directory Listing

NOTE This section is applicable for release 80600 and later

Directory listing is disabled by default ie directoryBrowsingEnabled is set to false

For additional information see

httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo

caerwlp_config_webContainerhtml

4.4 Security Configuration for WebLogic

In the WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not secure. To make them secure, toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it. You then need to create a weblogic.xml file and deploy the .ear file on your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administration Console and select the Domain from the LHS > Domain Structure section.

2. In the Configuration tab (selected by default), select the Web Application tab.

3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. After saving, select the Auth Cookie Enabled checkbox again and save the change once more.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

        <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
          <session-descriptor>
            <cookie-name>JSESSIONID</cookie-name>
            <cookie-domain><domain></cookie-domain>
            <cookie-path><context></cookie-path>
            <cookie-http-only>true</cookie-http-only>
            <cookie-secure>true</cookie-secure>
          </session-descriptor>
        </weblogic-web-app>

   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

        -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS1.2.

      Example:

        <ssl>
          <name><servername></name>
          <enabled>true</enabled>
          <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
        </ssl>

      For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

        <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the .ear file and deploy it onto the WebLogic server.

10. Restart the services.
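To verify that the deployed application actually sends JSESSIONID with the attributes the session-descriptor above is meant to produce, the following added example (not Oracle's or OFSAA's code) parses Set-Cookie header values and reports deviations; the header lines, the context /ofsaa and the host app.mysite.com are constructed assumptions.

```python
"""Check a Set-Cookie header against the guide's session-cookie settings:
Secure, HttpOnly, Path equal to the OFSAAI context and Domain equal to the
application host (not its parent domain). Added example; the headers below
are constructed samples, not captured from a real WebLogic server."""
from http import cookies

# Constructed Set-Cookie header values (the part after "Set-Cookie: ").
SAMPLES = {
    "hardened": "JSESSIONID=1A2B3C; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly",
    "default": "JSESSIONID=1A2B3C; Path=/",
    "parent_domain": "JSESSIONID=1A2B3C; Path=/ofsaa; Domain=mysite.com; Secure; HttpOnly",
}


def check_session_cookie(set_cookie, context="/ofsaa", host="app.mysite.com",
                         name="JSESSIONID"):
    """Return the list of deviations from the guide's settings; empty means compliant."""
    jar = cookies.SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"no {name} cookie in header"]
    morsel = jar[name]
    findings = []
    # Flag attributes parse to True when present and "" when absent.
    if not morsel["secure"]:
        findings.append("Secure missing: cookie would also be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("HttpOnly missing: cookie readable from page scripts")
    if morsel["path"] != context:
        findings.append(f"Path is {morsel['path'] or '(unset)'}, expected the context {context}")
    domain = morsel["domain"].lstrip(".").lower()
    if not domain:
        findings.append(f"Domain missing, guide sets it to {host}")
    elif domain != host.lower():
        if host.lower().endswith("." + domain):
            # The case the guide's NOTE warns about: mysite.com instead of app.mysite.com.
            findings.append(f"Domain {domain} is the parent of {host}: "
                            "cookie shared with every host under it")
        else:
            findings.append(f"Domain {domain} does not match host {host}")
    return findings


def audit(samples=SAMPLES, **kwargs):
    """Run the check over a mapping of label -> Set-Cookie value."""
    return {label: check_session_cookie(hdr, **kwargs) for label, hdr in samples.items()}


if __name__ == "__main__":
    for label, findings in audit().items():
        print(label, "->", "OK" if not findings else "; ".join(findings))
```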

5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

   Section I

        <Context path="/examples" docBase="examples" debug="0"
                 reloadable="true" crossContext="true">
          <Logger className="org.apache.catalina.logger.FileLogger"
                  prefix="localhost_examples_log." suffix=".txt"
                  timestamp="true"/>
          <Ejb name="ejb/EmplRecord" type="Entity"
               home="com.wombat.empl.EmployeeRecordHome"
               remote="com.wombat.empl.EmployeeRecord"/>

   Section II

          <Environment name="maxExemptions" type="java.lang.Integer"
                       value="15"/>
          <Parameter name="context.param.name" value="context.param.value"
                     override="false"/>
          <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                    type="javax.sql.DataSource"/>
          <ResourceParams name="jdbc/EmployeeAppDb">
            <parameter><name>user</name><value>sa</value></parameter>
            <parameter><name>password</name><value></value></parameter>
            <parameter><name>driverClassName</name>
              <value>org.hsql.jdbcDriver</value></parameter>
            <parameter><name>driverName</name>
              <value>jdbc:HypersonicSQL:database</value></parameter>
          </ResourceParams>
          <Resource name="mail/Session" auth="Container"
                    type="javax.mail.Session"/>
          <ResourceParams name="mail/Session">
            <parameter>
              <name>mail.smtp.host</name>
              <value>localhost</value>
            </parameter>
          </ResourceParams>
          <ResourceLink name="linkToGlobalResource"
                        global="simpleValue"
                        type="java.lang.Integer"/>
        </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

        <welcome-file>index.html</welcome-file>
        <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

        <user username="both" password="b$12" roles="tomcat,role1"/>
        <user username="tomcat" password="t$12" roles="tomcat"/>
        <user username="admin" password="a$12" roles="admin,manager"/>
        <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.

Modify the httpd.conf file and set:

• the "ServerTokens" parameter to "Prod"
• the "ServerSignature" parameter to "Off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files of certain file types. This configuration is applicable to all UIs/apps that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions of the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value is blocked. The current release has the values below set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
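The allowlist described above, applied the way an upload handler has to apply it, as an added example that is not OFSAA code: the allowlist literal mirrors the listed values (the guide runs "jar" and "xml" together; splitting them is an assumption), and case-sensitive matching is assumed because the guide lists both "doc" and "Doc".

```python
"""Allowlist check on upload file names using the DOCUMENT_ALLOWED_EXTENSION
values from the guide. Added example; the sample names are constructed."""
import posixpath

# Mirrors the guide's list; "jar,xml" split into two entries (assumption).
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed(param_value):
    """Turn the comma-separated PARAMVALUE into a set, dropping blanks and stray spaces."""
    return {ext.strip() for ext in param_value.split(",") if ext.strip()}


def is_upload_allowed(filename, allowed=None):
    """True only if the final extension of the base name is on the allowlist."""
    if allowed is None:
        allowed = parse_allowed(DOCUMENT_ALLOWED_EXTENSION)
    # Judge the base name only, so directory components in the supplied name play no part.
    base = posixpath.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    # No dot, a leading-dot name such as ".htaccess", or a trailing dot: no usable extension.
    if not dot or not stem or not ext:
        return False
    # Only the final extension counts, so "report.pdf.bak" is judged by "bak".
    # Comparison is case-sensitive (assumption drawn from "doc" and "Doc" both being listed).
    return ext in allowed


def triage(filenames):
    """Split names into (allowed, blocked) lists, preserving order."""
    allowed, blocked = [], []
    for name in filenames:
        (allowed if is_upload_allowed(name) else blocked).append(name)
    return allowed, blocked


# Constructed sample names covering the edge cases above.
SAMPLES = ["report.pdf", "notes.Doc", "NOTES.DOC", "photo.jpeg", "report.pdf.bak",
           "archive.tar.gz", "README", "trailing.", ".htaccess", "dir/../plan.xls"]

if __name__ == "__main__":
    ok, rejected = triage(SAMPLES)
    print("allowed:", ok)
    print("blocked:", rejected)
```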

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^(GET|POST)
        RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>PATCH</http-method>
            <http-method>HEAD</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>CONNECT</http-method>
          </web-resource-collection>
          <auth-constraint/>
        </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical Applications Infrastructure Administration Guide.

6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its Standard Edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having store type SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.

7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists out the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has the rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently this check covers the following groups of keywords/key characters:

• JavascriptKeyWords - PARAMNAME in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - PARAMNAME in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - PARAMNAME in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - PARAMNAME in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

All of these are present in the CONFIGURATION table.

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta characters such as double quotes, single quotes, parentheses or angle brackets), then the request is blocked and an error message is displayed.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where or Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop or Truncate) for the XSS check, then the request is blocked and an error message is displayed.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry is available in the CONFIGURATION table present in the Configuration Schema. The cross-site checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
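The combination rule of sections 7.4 and 7.5, the XSS_IS_CHECK_REQUIRED switch of 7.6.1 and the log record of 7.6.3, re-created as one added example that is not Oracle's Filter Servlet code: the CONFIGURATION rows are a constructed subset (the full lists are in MOS Doc ID 2311605.1), the request values are constructed, and whole-word, case-insensitive keyword matching is an assumption about the real filter; the renumbering mechanism of 7.6.2 is not modelled.

```python
"""Filter Servlet combination rule: a request value is blocked only when a
keyword AND a key character (or an SQLKeyWord AND an SQLWord) both occur.
Added example; configuration rows and sample values are constructed."""
import re
from datetime import datetime

# Constructed subset of the CONFIGURATION table: PARAMNAME -> PARAMVALUE.
CONFIGURATION = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'",
    "XSS_JS_METACHARS3": "(", "XSS_JS_METACHARS4": ")",
    "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "select", "XSS_SQL_KEYWORDS4": "create",
    "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
}


def load_group(config, prefix):
    """Values of <prefix>1, <prefix>2, ... in numeric order; gaps are tolerated."""
    pattern = re.compile(re.escape(prefix) + r"(\d+)")
    rows = []
    for name, value in config.items():
        match = pattern.fullmatch(name)
        if match:
            rows.append((int(match.group(1)), value))
    return [value for _, value in sorted(rows)]


def has_word(text, words):
    """True if any keyword occurs as a whole word, ignoring case (assumption)."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)
               for w in words)


def evaluate(value, config=CONFIGURATION):
    """Return None if the request value passes, else the name of the check that blocks it."""
    # 7.6.1: no entry or FALSE disables the checks entirely.
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None
    # 7.4: a JavascriptKeyWord AND a JavascriptKeyChar must both be present.
    if has_word(value, load_group(config, "XSS_JS_KEYWORDS")) and any(
            ch in value for ch in load_group(config, "XSS_JS_METACHARS")):
        return "XSS"
    # 7.5: an SQLKeyWord AND an SQLWord must both be present.
    if has_word(value, load_group(config, "XSS_SQL_KEYWORDS")) and has_word(
            value, load_group(config, "XSS_SQL_WORDS")):
        return "SQL_INJECTION"
    return None


def filter_request(params, url, user, config=CONFIGURATION, when=None):
    """Evaluate every parameter; return (blocked, log lines) in the 7.6.3 shape
    of date, time, URL and user (the exact CSSLogger.log layout is an assumption)."""
    when = when or datetime.now()
    lines = []
    for name, value in params.items():
        verdict = evaluate(value, config)
        if verdict:
            lines.append(f"{when:%Y-%m-%d} {when:%H:%M:%S} {verdict} {url} {user} param={name}")
    return bool(lines), lines


# Constructed request values showing the rule and its bluntness.
SAMPLES = {
    "plain": "Quarterly report for Q4",
    "keyword_only": "Please return the signed form",     # keyword but no meta char: passes
    "keyword_and_char": "alert('hi')",                    # keyword + meta char: blocked
    "business_text": "Please return the form (signed)",   # also blocked: a false positive
    "sql_pair": "select name from users",                 # SQLKeyWord + SQLWord: blocked
    "sqlword_only": "the table in the meeting room",      # SQLWord alone: passes
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:18} -> {evaluate(text) or 'pass'}")
```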

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 15: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 15

3 Add the following session attributes under lsquoContextrsquo tag of

$CATALINA_HOMEconfserverxml file

sessionCookiePath= ldquoltcontextgtrdquo

sessionCookieDomain= ldquoltdomaingtrdquo

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

4 Configure for secure and HttpOnly using the following procedure

a In $CATALINA_HOMEconfcontextxml file add lsquouseHttpOnly=truersquo attribute to

lsquoContextrsquo tag

b Add secure=true attribute to lsquoConnectorrsquo tag section of

$CATALINA_HOMEconfserverxml file

c Add below tags to session-config section of $CATALINA_HOMEconfwebxml file

ltcookie-configgt

lthttp-onlygttruelthttp-onlygt

ltsecuregttrueltsecuregt

ltcookie-configgt

5 Disable directory listing in $CATALINA_HOMEconfwebxml file Add the following lines to

the servlet section

ltinit-paramgt

ltparam-namegtlistingsltparam-namegt

ltparam-valuegtfalseltparam-valuegt

ltinit-paramgt

6 Post configuration restart the tomcat service

43 Security Configuration for WebSphere

In the WebSphere Admin console you must restrict cookies to HTTPS sessions in Sessions

Management Configuration specify JSESSIONID variable in the Web Container Settings set TLS

configuration and configure application security The subsections describe the procedures in detail

431 Session Management Secure and HttpOnly Configuration

In Session Management Configuration restrict cookies to HTTPS Sessions

Perform the following procedure for session management configuration

1 Navigate to your WebSphere Admin Console and in the LHS menu select Server gt Server

Types gt WebSphere application servers

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 16

2 Select the configured Application Server from the list by clicking on the Server Name

3 In the Configuration tab click Session Management link in Container Settings section

4 In the General Properties tab click the Enable Cookies link

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 17

5 Enter the following details

Cookie Name - JSESSIONID

Cookie domain - ltdomaingt

Cookie Path - ltcontextgt

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

6 Make sure the following checkboxes are selected

Restrict Cookies to HTTPS Sessions

Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7 Click Apply and save the changes

8 Restart Application Server through the console

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 18

432 TLS Configuration for WebSphere

Following are the steps to configure TLS protocol in WebSphere

1 Log on to the console (httphostadminportibmconsole)

2 Under the Security menu select SSL certificate and key management SSL configurations

NodeDefaultSSLSettings and Quality of protection (QoP) settings

3 Change the Protocol value to TLSv12

This ensures that WebSphere server will accept only TLSv12 connections That is when the web server

acts as a server (inbound) or as client (outbound) the SSL connections will be established through the

TLSv12 protocol When testing from a browser make sure to check the browser settings to initiate TLS

handshakes only

For more information see Configuring WebSphere Application Server to support TLS 12

For cipher suite configuration see

httpswwwibmcomsupportknowledgecenterenlinuxonibmliaagwascryptl0wscry00_wascip

hersuitehtm

For more details about strong cipher configuration see

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-

_Only_Support_Strong_Cryptographic_Ciphers

433 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to

authenticated users It prevents unauthorized access of configuration files in directories

Following is the procedure to enable Application security

1 Log in to WebSphere with administrator credentials

2 Click Security from the left menu and click Global security to display the Global security

window

3 Select Enable administrative security and Enable application security

4 Click Apply and save configuration

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19

434 Disable Directory Listing

NOTE This section is applicable for release 80600 and later

Directory listing is disabled by default ie directoryBrowsingEnabled is set to false

For additional information see

httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo

caerwlp_config_webContainerhtml

44 Security Configuration for WebLogic

In the WebLogic Server though the ldquoAuth Cookierdquo option is enabled by default the cookies are not

secure In-order to ensure this you need to toggle the ldquoAuth Cookie Enabledrdquo option in WebLogic

console by disabling it first and then re-enabling it for secure cookies You will then need to create a

weblogicxml file and deploy ear file in your Weblogic server

Perform the following configurations

1 Login to WebLogic Server Administrative Console and select the Domain from LHS gt Domain

Structure section

2 In the Configurations tab (selected by default) select the Web Application tab

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20

3 Scroll through the configurations options within the page and locate Auth Cookie Enabled

option By default the checkbox is selected

4 De-select the checkbox adjacent to Auth Cookie Enabled option and click Save

5 On save select the Auth Cookie Enabled checkbox and resave the change

6 Configure session Secure and HttpOnly

a If your OFSAAI version is below 80200 perform the following

Create a file with name weblogicxml under $FIC_HOMEficwebwebrootWEB-

INF and add the below tags

ltweblogic-web-app xmlns=httpwwwbeacomnsweblogic90gt

ltsession-descriptorgt

ltcookie-namegtJSESSIONIDltcookie-namegt

ltcookie-domaingtltdomaingtltcookie-domaingt

ltcookie-pathgtltcontextgtltcookie-pathgt

ltcookie-http-onlygttrueltcookie-http-onlygt

ltcookie-securegttrueltcookie-securegt

ltsession-descriptorgt

ltweblogic-web-appgt

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 21

b If your OFSAAI version is 80200 or higher modify weblogicxml file and add below tag

under root element

ltsession-descriptorgt

ltcookie-namegtJSESSIONIDltcookie-namegt

ltcookie-domaingtltdomaingtltcookie-domaingt

ltcookie-pathgtltcontextgtltcookie-pathgt

ltcookie-http-onlygttrueltcookie-http-onlygt

ltcookie-securegttrueltcookie-securegt

ltsession-descriptorgt

7 Perform the following steps to configure TLS protocol for WebLogic

a Add the following parameters in setDomainEnvsh present under

domainsltDomainNamegtbin as arguments for JAVA_OPTIONS -DweblogicsecuritydisableNullCipher=true -

DweblogicsecuritySSLprotocolVersion=TLS12

b Add preferred cipher suite to configxml file as shown in the following example Use only

the strong cryptographic ciphers recommended for TLS12

Example

ltsslgt

ltnamegtltservernamegtltnamegt

ltenabledgttrueltenabledgt

ltciphersuitegt

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ltciphersuitegt

ltsslgt

For more information see

httpsdocsoraclecommiddleware1213wlsSECMGstandardshtmSECMG743

For more details about strong cipher configuration see

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_

-_Only_Support_Strong_Cryptographic_Ciphers

8 Disable directory listing Add the following tag under ltcontainer-descriptorgt in

$FIC_HOMEficwebweblogicxml

ltindex-directory-enabledgtfalseltindex-directory-enabledgt

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

9 Build ear file and deploy it onto the WebLogic server

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 22

10 Restart services

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT ACCESS TO DEFAULT WEB SERVER PAGES

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 23

5 Additional Security Configurations

Refer to this section to perform additional security configurations The following topics are available

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GETPOST

Configuration to enable unlimited cryptographic policy for Java

51 Configuration to Restrict Access to Default Web Server

Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat

server

1 Start the Apache Tomcat server by executing the command startupsh

2 Log in to the Tomcat Web Application Manager

3 Undeploy the Examples application from Tomcat

Go to the Tomcat Web Application Manager screen and click the Remove link

corresponding to the Tomcat Examples application

4 Shut down the Apache Tomcat Server by executing the shutdownsh file

5 Comment the following two sections from CATALINA_HOMEconfserverxml (if

available)

Section I

ltContext path=examples docBase=examples debug=0

reloadable=true crossContext=truegt

ltLogger className=orgapachecatalinaloggerFileLogger

prefix=localhost_examples_log suffix=txt

timestamp=truegt

ltEjb name=ejbEmplRecord type=Entity

home=comwombatemplEmployeeRecordHome

remote=comwombatemplEmployeeRecordgt

Section II

ltEnvironment name=maxExemptions type=javalangInteger

value=15gt

ltParameter name=contextparamname value=contextparamvalue

override=falsegt

ltResource name=jdbcEmployeeAppDb auth=SERVLET

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24

type=javaxsqlDataSourcegt

ltResourceParams name=jdbcEmployeeAppDbgt

ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt

ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt

ltparametergtltnamegtdriverClassNameltnamegt

ltvaluegtorghsqljdbcDriverltvaluegtltparametergt

ltparametergtltnamegtdriverNameltnamegt

ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt

ltResourceParamsgt

ltResource name=mailSession auth=Container

type=javaxmailSessiongt

ltResourceParams name=mailSessiongt

ltparametergt

ltnamegtmailsmtphostltnamegt

ltvaluegtlocalhostltvaluegt

ltparametergt

ltResourceParamsgt

ltResourceLink name=linkToGlobalResource

global=simpleValue

type=javalangIntegergt

ltContextgt

6 Delete CATALINA_HOMEwebappsROOTindexjsp file

7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml

8 Comment the following two tags from CATALINA_HOMEconfwebxml file

ltwelcome-filegtindexhtmltwelcome-filegt

ltwelcome-filegtindexjspltwelcome-filegt

9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-

usersxml file

Following are some examples

ltuser username=both password=b$12 roles=tomcatrole1gt

ltuser username=tomcat password=t$12 roles=tomcatgt

ltuser username=admin password=a$12 roles=adminmanagergt

ltuser username=role1 password=r$12 roles=role1gt

52 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details from http responses

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT FILE UPLOADS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25

Modify the httpdconf file and set

ldquoServerTokensrdquo parameter to ldquoProdrdquo

ldquoServerSignaturerdquo parameter to ldquooffrdquo

53 Configuration to Restrict File Uploads

Following is the configuration to restrict upload of files with certain file types This configuration is

applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The

parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo

schema holds the list of file extensions for valid file types that are allowed to be attached and

uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in

this parameter value will be blocked The current release has the below values set for the parameter

This list is extensible

DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and

jpeg

54 Configuration to restrict HTTP methods other than

GETPOST

Following configuration is required to restrict HTTP methods other than GETPOST

1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM

HTTP Server)

RewriteEngine On

RewriteCond REQUEST_METHOD ^(GET|POST)

RewriteRule - [R=405L]

2 If the application is not configured with HTTP Server perform the following steps in case of

WebLogic and WebSphere application servers

a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file

ltsecurity-constraintgt

ltweb-resource-collectiongt

ltweb-resource-namegtrestricted methodsltweb-resource-namegt

lturl-patterngtlturl-patterngt

lthttp-methodgtPUTlthttp-methodgt

lthttp-methodgtPATCHlthttp-methodgt

lthttp-methodgtHEADlthttp-methodgt

lthttp-methodgtDELETElthttp-methodgt

lthttp-methodgtOPTIONSlthttp-methodgt

lthttp-methodgtTRACElthttp-methodgt

lthttp-methodgtCONNECTlthttp-methodgt

ltweb-resource-collectiongt

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26

ltauth-constraintgt

ltsecurity-constraintgt

b. Navigate to the $FIC_WEB_HOME directory on the server where OFSAA is installed.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
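After either configuration in 5.4 is deployed, verify it from the outside rather than trusting the config file. The Python below is an added example, not part of the guide or of OFSAA: probe_methods() sends each verb to a host and records the status, unexpected() lists every non-GET/POST verb that did not come back 405, and run_demo() starts a small loopback stand-in that behaves as the hardened server should, so the example runs offline. Host, port and path are placeholders, and the stand-in is not the real HTTP server.

```python
"""Probe a web front end for the GET/POST-only restriction of 5.4.

Added example, not part of the guide or of OFSAA.  probe_methods() works
against any host; run_demo() starts a small local stand-in that answers
the way the hardened server should (GET/POST 200, anything else 405),
so the example runs offline.  Host, port and path are placeholders.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED_METHODS = ("GET", "POST")
# The verbs denied in the web.xml snippet above, plus the two allowed ones.
PROBED_METHODS = ("GET", "POST", "PUT", "PATCH", "HEAD", "DELETE",
                  "OPTIONS", "TRACE", "CONNECT")


def probe_methods(host, port, path="/", methods=PROBED_METHODS, timeout=5.0):
    """Send each method once and return {method: HTTP status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            results[method] = conn.getresponse().status
        finally:
            conn.close()
    return results


def unexpected(results):
    """Methods outside the allow list that were not refused with 405.

    An empty dict means the restriction holds for every probed verb.
    """
    return {m: s for m, s in results.items()
            if m not in ALLOWED_METHODS and s != 405}


class RestrictedHandler(BaseHTTPRequestHandler):
    """Stand-in for the hardened server used by run_demo()."""

    def respond(self):
        if self.command in ALLOWED_METHODS:
            body = b"ok"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            # RFC 7231 requires an Allow header on a 405.
            self.send_response(405)
            self.send_header("Allow", ", ".join(ALLOWED_METHODS))
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, format, *args):
        pass  # keep the demo quiet


# BaseHTTPRequestHandler dispatches on do_<METHOD>; route every probed verb.
for _method in PROBED_METHODS:
    setattr(RestrictedHandler, "do_" + _method, RestrictedHandler.respond)


def run_demo():
    """Start the stand-in on a free loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), RestrictedHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_methods("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    statuses = run_demo()
    print(statuses)
    print("still reachable:", unexpected(statuses) or "none")
```

Against a real deployment, call probe_methods(host, port, "/<context>/") and treat anything returned by unexpected() as a verb that still reaches the application; a 501 or 403 instead of 405 is still a finding, because the rewrite rule and the security constraint both produce 405.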

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java lets OFSAA use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical Applications Infrastructure Administration Guide.

Check the JDK you run before installing policy files: from JDK 8u161 and JDK 9 onwards the unlimited policy is the default and is controlled by the crypto.policy property in java.security; older JDKs need the separate Unlimited Strength Jurisdiction Policy Files.


6 Secure Database Connection

The Oracle database supports SSL/TLS connections in its Standard Edition (since 12c). The Secure Sockets Layer (SSL) protocol, and its successor TLS, provide network-level authentication, data encryption and data integrity. When a network connection over SSL/TLS is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate (when client authentication is configured)
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key material between client and server using public key cryptography

To establish an SSL/TLS connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Oracle Wallet or PKCS12.

This document describes the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having store type SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the procedure, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section describes the Filter Servlet and its required configurations, and lists the keywords and key characters it checks.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container with the following functions.

7.2 Security and Access

This function checks whether the user has rights to access the web page being requested.

7.3 Vulnerability Checks

This function checks requests for intrusion attempts and Cross-site Scripting. Currently the check covers the following groups of keywords and key characters, all held as PARAMNAME entries in the CONFIGURATION table:

• JavascriptKeyWords - XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any JavascriptKeyWords with any JavascriptKeyChars.

For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) together with any of the JavascriptKeyChars (meta characters such as ", ', (, ), < or >), the request is blocked and an error message is displayed.

See My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.


7.5 SQL Injection

The SQL Injection vulnerability check filters combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains any of the disallowed SQLWords (such as From, Into, Where or Table) together with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop or Truncate), the request is blocked and an error message is displayed.

See My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.

Keyword filtering of this kind is a defence-in-depth control: it stops obvious patterns but does not replace parameterised queries and output encoding in the application itself, and legitimate input that happens to pair such words is rejected as well.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry is available in the CONFIGURATION table of the Configuration Schema. The cross-site scripting checks are not performed if the entry is absent or its PARAMVALUE is FALSE. By default PARAMVALUE is set to "TRUE".

PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude a keyword from evaluation by adding a new PARAMNAME with its PARAMVALUE and an optional DESCRIPTION to the CONFIGURATION table. The ending numeral of the new PARAMNAME must be higher than any other number in that group.

For example, to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, update its numeral to XSS_JS_KEYWORDS12, given that the table lists 11 other keywords in this category. Ensure that the updated number is higher than any other number in the group.
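To make the behaviour of 7.3 to 7.6.2 concrete, the Python below reads CONFIGURATION-style rows, groups the numbered XSS_* entries, honours the XSS_IS_CHECK_REQUIRED switch and applies the two combination rules to request parameters. It is an added example, not the OFSAA Filter Servlet. The rows are constructed from the examples quoted in 7.4 and 7.5 and are far shorter than the shipped lists in MOS Doc ID 2311605.1; case-insensitive, whole-word matching is an assumption, and the renumbering convention of 7.6.2 is not modelled (the emulation simply reads whichever rows are present, so removing a row has the same effect as excluding it).

```python
"""Emulation of the Filter Servlet checks of 7.3-7.6 from CONFIGURATION rows.

Added example, not the OFSAA Filter Servlet.  The real keyword lists are
in MOS Doc ID 2311605.1; the rows below are constructed from the examples
quoted in 7.4 and 7.5 and are shorter than the shipped lists.  Matching
is assumed to be case-insensitive and whole-word for keywords.
"""
import re

# Constructed CONFIGURATION rows: (PARAMNAME, PARAMVALUE).
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

_GROUP_RE = re.compile(
    r"^(XSS_JS_KEYWORDS|XSS_JS_METACHARS|XSS_SQL_KEYWORDS|XSS_SQL_WORDS)(\d+)$")


def load_groups(rows):
    """Group numbered PARAMNAME entries (XSS_JS_KEYWORDS1, ...) by prefix."""
    groups = {}
    for name, value in rows:
        m = _GROUP_RE.match(name)
        if m:
            groups.setdefault(m.group(1), set()).add(value.lower())
    return groups


def check_enabled(rows):
    """7.6.1: checks run only if XSS_IS_CHECK_REQUIRED exists and is TRUE."""
    return any(n == "XSS_IS_CHECK_REQUIRED" and v.upper() == "TRUE" for n, v in rows)


def _has_word(text, words):
    """Whole-word, case-insensitive test against a keyword group."""
    return bool(set(re.findall(r"[a-z]+", text.lower())) & words)


def inspect_request(params, rows=CONFIG_ROWS):
    """Return the findings for one request's parameters ([] means allowed).

    XSS (7.4): a JavascriptKeyWord combined with a JavascriptKeyChar.
    SQLi (7.5): an SQLKeyWord combined with an SQLWord.
    """
    if not check_enabled(rows):
        return []
    g = load_groups(rows)
    findings = []
    for name, value in params.items():
        js_word = _has_word(value, g.get("XSS_JS_KEYWORDS", set()))
        js_meta = any(c in value for c in g.get("XSS_JS_METACHARS", set()))
        if js_word and js_meta:
            findings.append(f"{name}: XSS pattern")
        sql_kw = _has_word(value, g.get("XSS_SQL_KEYWORDS", set()))
        sql_word = _has_word(value, g.get("XSS_SQL_WORDS", set()))
        if sql_kw and sql_word:
            findings.append(f"{name}: SQL injection pattern")
    return findings


if __name__ == "__main__":
    for sample in ("<script>alert(1)</script>", "Return the quarterly report",
                   "Return (see page 4)", "Please select a country from the list"):
        print(f"{sample!r:>40} -> {inspect_request({'q': sample}) or 'allowed'}")
```

The samples show both sides of a keyword filter: the combination rule lets plain prose such as "Return the quarterly report" through, but "Return (see page 4)" and "Please select a country from the list" are rejected, and a payload built from words the list does not contain is not rejected by this emulation at all. Whether the shipped lists catch a given payload depends on the entries in the MOS document; the point is that the filter only catches what it lists, which is why 7.5 calls for the application's own defences as well.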

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default CSSLogger.log is generated in <deployed context>/logs and records the date, time, URL and user.

You can change the configuration to create CSSLogger.log in a directory of your choice: enter the directory path in the CSS_LOGGER_PATH placeholder in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

• 1 Preface
  • 1.1 Summary
  • 1.2 Audience
    • 1.2.1 Prerequisites for the Audience
  • 1.3 Related Documents
• 2 Secure Configurations
  • 2.1 Security Configurations
• 3 Secure Header Configuration
  • 3.1 Configuration for X-Frame-Options
  • 3.2 Configuration to set Content Security Policy
  • 3.3 Configuration for Referrer Header Validation
• 4 Web Application Server Security Configurations
  • 4.1 Enabling HTTPS Configuration for OFSAA
  • 4.2 Security Configuration for Tomcat
  • 4.3 Security Configuration for WebSphere
    • 4.3.1 Session Management Secure and HttpOnly Configuration
    • 4.3.2 TLS Configuration for WebSphere
    • 4.3.3 Configuring Application Security
    • 4.3.4 Disable Directory Listing
  • 4.4 Security Configuration for WebLogic
• 5 Additional Security Configurations
  • 5.1 Configuration to Restrict Access to Default Web Server Pages
  • 5.2 Configuration to Restrict Display of the Web Server Details
  • 5.3 Configuration to Restrict File Uploads
  • 5.4 Configuration to restrict HTTP methods other than GET/POST
  • 5.5 Configuration to enable unlimited cryptographic policy for Java
• 6 Secure Database Connection
  • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
• 7 Appendix A - Filter Servlet
  • 7.1 Introduction
  • 7.2 Security and Access
  • 7.3 Vulnerability Checks
  • 7.4 Cross Site Scripting
  • 7.5 SQL Injection
  • 7.6 Filter Servlet Configurations
    • 7.6.1 Checking for XSS Vulnerability
    • 7.6.2 Exclusion of Keywords / Key Characters
    • 7.6.3 Debug Logs

2. Select the configured Application Server from the list by clicking the Server Name.

3. In the Configuration tab, click the Session Management link in the Container Settings section.

4. In the General Properties tab, click the Enable Cookies link.


5. Enter the following details:

Cookie Name - JSESSIONID
Cookie domain - <domain>
Cookie Path - <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

• Restrict Cookies to HTTPS Sessions
• Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://<host>:<adminport>/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, whether the web server acts as a server (inbound) or as a client (outbound), SSL connections are established over the TLSv1.2 protocol. When testing from a browser, check the browser settings so that it initiates TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable application security to protect the server from unauthorized users and allow access only to authenticated users. It also prevents unauthorized access to configuration files in directories.

Following is the procedure to enable application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security in the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see
https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In WebLogic Server, although the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure this, toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You then need to create a weblogic.xml file and deploy the EAR file on your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administration Console and select the Domain from the LHS > Domain Structure section.

2. In the Configuration tab (selected by default), select the Web Applications tab.


3. Scroll through the configuration options on the page and locate the Auth Cookie Enabled option. By default the checkbox is selected.

4. De-select the checkbox adjacent to Auth Cookie Enabled and click Save.

5. After saving, select the Auth Cookie Enabled checkbox again and save the change.

6. Configure the session cookie as Secure and HttpOnly:

a. If your OFSAAI version is below 8.0.2.0.0, create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor>
    <cookie-name>JSESSIONID</cookie-name>
    <cookie-domain><domain></cookie-domain>
    <cookie-path><context></cookie-path>
    <cookie-http-only>true</cookie-http-only>
    <cookie-secure>true</cookie-secure>
  </session-descriptor>
</weblogic-web-app>


b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the existing weblogic.xml file and add the following tag under the root element:

<session-descriptor>
  <cookie-name>JSESSIONID</cookie-name>
  <cookie-domain><domain></cookie-domain>
  <cookie-path><context></cookie-path>
  <cookie-http-only>true</cookie-http-only>
  <cookie-secure>true</cookie-secure>
</session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

a. Add the following parameters to setDomainEnv.sh under domains/<DomainName>/bin, as arguments in JAVA_OPTIONS:

-Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS1.2

b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

Example:

<ssl>
  <name><servername></name>
  <enabled>true</enabled>
  <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
</ssl>

For more information, see
https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

For more details about strong cipher configuration, see
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing: add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

<index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, set it to app.mysite.com and not mysite.com.

9. Build the EAR file and deploy it onto the WebLogic server.

10. Restart services.
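The WebSphere settings in 4.3.1 and the WebLogic weblogic.xml in 4.4 aim at the same observable result: the JSESSIONID cookie is issued with Secure and HttpOnly, its Domain is the exact host rather than a parent domain, and its Path is the application context. The Python below checks a Set-Cookie response header for exactly that, so the deployment can be verified after the restart. It is an added example, not part of the guide or of OFSAA; the sample headers are constructed and app.mysite.com stands in for the real host.

```python
"""Check a Set-Cookie header for the session-cookie hardening described in
4.3.1 (WebSphere) and 4.4 (WebLogic).

Added example, not part of the guide or of OFSAA.  The sample headers are
constructed; 'app.mysite.com' and '/OFSAAI' stand in for the real host
and context.
"""
from http.cookies import SimpleCookie

# Constructed examples of what the server might send after the change.
GOOD_HEADER = ("JSESSIONID=0000SESSIONIDEXAMPLE; Path=/OFSAAI; "
               "Domain=app.mysite.com; Secure; HttpOnly")
WEAK_HEADER = "JSESSIONID=0000SESSIONIDEXAMPLE; Path=/; Domain=mysite.com"


def check_session_cookie(set_cookie_header, expected_host, expected_path,
                         cookie_name="JSESSIONID"):
    """Return a list of findings; an empty list means the cookie passes.

    Checks: the cookie is present, Secure and HttpOnly are set, Domain (if
    present) is the exact host and not a parent domain such as mysite.com,
    and Path is limited to the application context.  A cookie with no
    Domain attribute is host-only, which is at least as strict, so it is
    not reported.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if cookie_name not in jar:
        return [f"no {cookie_name} cookie in header"]
    morsel = jar[cookie_name]
    findings = []
    if not morsel["secure"]:
        findings.append("Secure flag missing: cookie may be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("HttpOnly flag missing: cookie readable from script")
    domain = morsel["domain"].lstrip(".").lower()
    if domain and domain != expected_host.lower():
        findings.append(f"Domain is {domain!r}, expected exact host {expected_host!r}")
    path = morsel["path"]
    if not path or path == "/":
        findings.append("Path is not restricted to the application context")
    elif path.rstrip("/") != expected_path.rstrip("/"):
        findings.append(f"Path is {path!r}, expected {expected_path!r}")
    return findings


if __name__ == "__main__":
    for label, header in (("good", GOOD_HEADER), ("weak", WEAK_HEADER)):
        result = check_session_cookie(header, "app.mysite.com", "/OFSAAI")
        print(label, "->", result or "passes")
```

To use it against a live system, take the Set-Cookie header from the login response (for example from the browser's network tab or from a client that does not follow redirects) and pass it in with the real host and context; the weak header above reproduces the state the guide warns about, with the cookie scoped to the parent domain and sent without either flag.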


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the startup.sh command.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing shutdown.sh.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if present):

Section I

<Context path="/examples" docBase="examples" debug="0"
         reloadable="true" crossContext="true">
  <Logger className="org.apache.catalina.logger.FileLogger"
          prefix="localhost_examples_log." suffix=".txt"
          timestamp="true"/>
  <Ejb name="ejb/EmplRecord" type="Entity"
       home="com.wombat.empl.EmployeeRecordHome"
       remote="com.wombat.empl.EmployeeRecord"/>

Section II

  <Environment name="maxExemptions" type="java.lang.Integer"
               value="15"/>
  <Parameter name="context.param.name" value="context.param.value"
             override="false"/>
  <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
            type="javax.sql.DataSource"/>
  <ResourceParams name="jdbc/EmployeeAppDb">
    <parameter><name>user</name><value>sa</value></parameter>
    <parameter><name>password</name><value></value></parameter>
    <parameter><name>driverClassName</name>
      <value>org.hsql.jdbcDriver</value></parameter>
    <parameter><name>driverName</name>
      <value>jdbc:HypersonicSQL:database</value></parameter>
  </ResourceParams>
  <Resource name="mail/Session" auth="Container"
            type="javax.mail.Session"/>
  <ResourceParams name="mail/Session">
    <parameter>
      <name>mail.smtp.host</name>
      <value>localhost</value>
    </parameter>
  </ResourceParams>
  <ResourceLink name="linkToGlobalResource"
                global="simpleValue"
                type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>

The values shown only illustrate the syntax: use long, unique passwords for each account, and remove any account (such as the example users) that the deployment does not need.

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of web server details in HTTP responses. Modify the httpd.conf file and set:

ServerTokens Prod
ServerSignature Off

53 Configuration to Restrict File Uploads

Following is the configuration to restrict upload of files with certain file types This configuration is

applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The

parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo

schema holds the list of file extensions for valid file types that are allowed to be attached and

uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in

this parameter value will be blocked The current release has the below values set for the parameter

This list is extensible

DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and

jpeg

54 Configuration to restrict HTTP methods other than

GETPOST

Following configuration is required to restrict HTTP methods other than GETPOST

1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM

HTTP Server)

RewriteEngine On

RewriteCond REQUEST_METHOD ^(GET|POST)

RewriteRule - [R=405L]

2 If the application is not configured with HTTP Server perform the following steps in case of

WebLogic and WebSphere application servers

a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file

ltsecurity-constraintgt

ltweb-resource-collectiongt

ltweb-resource-namegtrestricted methodsltweb-resource-namegt

lturl-patterngtlturl-patterngt

lthttp-methodgtPUTlthttp-methodgt

lthttp-methodgtPATCHlthttp-methodgt

lthttp-methodgtHEADlthttp-methodgt

lthttp-methodgtDELETElthttp-methodgt

lthttp-methodgtOPTIONSlthttp-methodgt

lthttp-methodgtTRACElthttp-methodgt

lthttp-methodgtCONNECTlthttp-methodgt

ltweb-resource-collectiongt

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26

ltauth-constraintgt

ltsecurity-constraintgt

b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server

c Execute antsh to regenerate ltCONTEXTNAMEgtearwar

d Re-deploy the EARWAR file onto your configured web application server For more

information on deploying EAR WAR file refer to the Post Installation Configuration section

in Oracle Financial Services Advanced Analytical Applications Infrastructure Application

Pack Installation and Configuration Guide

55 Configuration to enable unlimited cryptographic policy for

Java

Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For

more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical

Applications Infrastructure Administration Guide

SECURE DATABASE CONNECTION

CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27

6 Secure Database Connection

The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The

Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data

integrity When a network connection over SSL is initiated the client and server perform a handshake

that includes

Negotiating a cipher suite for encryption data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected

Client and server exchange key information using public key cryptography

To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet

Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can

use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12

This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin

driver with Oracle wallet having storetype as SSO with OraclePKIProvider

61 Configurations for Connecting OFSAA to Oracle Database

using Secure Database Connection (TCPS)

For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure

Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration

Guide

APPENDIX A - FILTER SERVLET

INTRODUCTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28

7 Appendix A - Filter Servlet

This section consists of information related to Filter Servlet and the required configurations This

section also lists out the Keywords and Key Characters

NOTE This section is applicable for releases 800xx to 805xx

71 Introduction

Filter Servlet is a controller in the web-container whose functions are the following

72 Security and Access

This functionality checks whether a user has rights to access a web page that is trying to be accessed

73 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for

the following group of keywords key characters

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to

XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to

XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to

XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in

Configuration table

74 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of

any JavascriptKeyWords with the JavascriptKeyChars

For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as

Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)

such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 17

5. Enter the following details:

   Cookie Name: JSESSIONID

   Cookie domain: <domain>

   Cookie Path: <context>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

6. Make sure the following checkboxes are selected:

   Restrict cookies to HTTPS sessions

   Set session cookies to HTTPOnly to prevent cross-site scripting attacks

7. Click Apply and save the changes.

8. Restart the Application Server through the console.


4.3.2 TLS Configuration for WebSphere

Following are the steps to configure the TLS protocol in WebSphere:

1. Log on to the console (http://host:adminport/ibm/console).

2. Under the Security menu, select SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings, and then Quality of protection (QoP) settings.

3. Change the Protocol value to TLSv1.2.

This ensures that the WebSphere server accepts only TLSv1.2 connections. That is, when the web server acts as a server (inbound) or as a client (outbound), the SSL connections are established through the TLSv1.2 protocol. When testing from a browser, make sure to check the browser settings so that the browser initiates TLS handshakes only.

For more information, see Configuring WebSphere Application Server to support TLS 1.2.

For cipher suite configuration, see https://www.ibm.com/support/knowledgecenter/en/linuxonibm/liaag/wascrypt/l0wscry00_wasciphersuite.htm

For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

4.3.3 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to authenticated users. It prevents unauthorized access to configuration files in directories.

Following is the procedure to enable Application security:

1. Log in to WebSphere with administrator credentials.

2. Click Security from the left menu and click Global security to display the Global security window.

3. Select Enable administrative security and Enable application security.

4. Click Apply and save the configuration.


4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e., directoryBrowsingEnabled is set to false.

For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administration Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

      Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path><context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path><context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>

      For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

      <index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.
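The session-cookie settings of sections 4.3.1 and 4.4 can be verified from the outside by reading the Set-Cookie header the deployed context returns. The Python script below is an added example, not part of this guide or of OFSAA: it parses Set-Cookie headers and reports a missing Secure or HttpOnly flag and any Domain or Path that does not match the values the NOTE above prescribes. The header strings in SAMPLE_HEADERS, the context path /ofsaa and the host app.mysite.com are constructed sample values.

```python
"""Check a Set-Cookie header against the session-cookie settings in the guide
(Secure, HttpOnly, the exact host as Domain, the OFSAAI context as Path).

Added example, not part of the OFSAA guide or product. SAMPLE_HEADERS are
constructed; the context path /ofsaa and host app.mysite.com are sample values.
"""
from http.cookies import SimpleCookie

EXPECTED_DOMAIN = "app.mysite.com"   # the host that must receive the cookie
EXPECTED_PATH = "/ofsaa"             # constructed stand-in for <context>

# Constructed Set-Cookie values, as they would be copied from a browser's
# network panel or from the response to a curl -I request.
SAMPLE_HEADERS = {
    "good": "JSESSIONID=abc123; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly",
    "no_flags": "JSESSIONID=abc123; Path=/ofsaa; Domain=app.mysite.com",
    "parent_domain": "JSESSIONID=abc123; Path=/ofsaa; Domain=mysite.com; Secure; HttpOnly",
    "wrong_path": "JSESSIONID=abc123; Path=/; Domain=app.mysite.com; Secure; HttpOnly",
    "other_cookie": "theme=dark; Path=/ofsaa; Secure",
}


def check_session_cookie(set_cookie, expected_domain=EXPECTED_DOMAIN,
                         expected_path=EXPECTED_PATH, cookie_name="JSESSIONID"):
    """Return a list of findings; an empty list means the cookie is configured
    as the guide requires."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if cookie_name not in jar:
        return [f"no {cookie_name} cookie in this header"]
    morsel = jar[cookie_name]
    findings = []
    # SimpleCookie stores flag attributes as True when present, "" when absent.
    if not morsel["secure"]:
        findings.append("missing Secure: the cookie would also be sent over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: page scripts could read the session id")
    domain = morsel["domain"].lstrip(".").lower()
    if domain != expected_domain.lower():
        findings.append(f"Domain is {domain or '(unset)'}, expected {expected_domain}; "
                        "a parent domain shares the cookie with every host under it")
    if morsel["path"] != expected_path:
        findings.append(f"Path is {morsel['path'] or '(unset)'}, expected {expected_path}")
    return findings


def audit_samples(headers=SAMPLE_HEADERS):
    """Run the check over every sample header and map each label to its findings."""
    return {label: check_session_cookie(value) for label, value in headers.items()}


if __name__ == "__main__":
    for label, findings in audit_samples().items():
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Paste the Set-Cookie value returned by the login page of the deployed context into check_session_cookie; an empty list means the cookie matches the configuration above. A Domain of mysite.com rather than app.mysite.com is reported as a finding because, as the NOTE says, the cookie would then be sent to every host under that domain, not only to the application server.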


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

   Configuration to Restrict Access to Default Web Server Pages

   Configuration to Restrict Display of the Web Server Details

   Configuration to Restrict File Uploads

   Configuration to restrict HTTP methods other than GET/POST

   Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat:

   Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

   Section I

      <Context path="/examples" docBase="examples" debug="0"
               reloadable="true" crossContext="true">
        <Logger className="org.apache.catalina.logger.FileLogger"
                prefix="localhost_examples_log." suffix=".txt"
                timestamp="true"/>
        <Ejb name="ejb/EmplRecord" type="Entity"
             home="com.wombat.empl.EmployeeRecordHome"
             remote="com.wombat.empl.EmployeeRecord"/>

   Section II

        <Environment name="maxExemptions" type="java.lang.Integer"
                     value="15"/>
        <Parameter name="context.param.name" value="context.param.value"
                   override="false"/>
        <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                  type="javax.sql.DataSource"/>
        <ResourceParams name="jdbc/EmployeeAppDb">
          <parameter><name>user</name><value>sa</value></parameter>
          <parameter><name>password</name><value></value></parameter>
          <parameter><name>driverClassName</name>
            <value>org.hsql.jdbcDriver</value></parameter>
          <parameter><name>driverName</name>
            <value>jdbc:HypersonicSQL:database</value></parameter>
        </ResourceParams>
        <Resource name="mail/Session" auth="Container"
                  type="javax.mail.Session"/>
        <ResourceParams name="mail/Session">
          <parameter>
            <name>mail.smtp.host</name>
            <value>localhost</value>
          </parameter>
        </ResourceParams>
        <ResourceLink name="linkToGlobalResource"
                      global="simpleValue"
                      type="java.lang.Integer"/>
      </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

      <welcome-file>index.html</welcome-file>
      <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file.

   Following are some examples:

      <user username="both" password="b$12" roles="tomcat,role1"/>
      <user username="tomcat" password="t$12" roles="tomcat"/>
      <user username="admin" password="a$12" roles="admin,manager"/>
      <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses:

Modify the httpd.conf file and set

   the "ServerTokens" parameter to "Prod"

   the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files of certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
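The allow-list rule that DOCUMENT_ALLOWED_EXTENSION describes can be modelled in a few lines. The function below is an added example, not the OFSAA implementation, and its parameter value is a constructed stand-in for the CONFIGURATION row. It goes slightly beyond the text by covering the edge cases an extension check has to get right: a path instead of a bare file name, a double extension, a missing extension, and letter case (the default list holds both doc and Doc, which suggests the platform compares case-sensitively; the case_sensitive switch is an assumption added for illustration).

```python
"""Allow-list check for uploaded file names, modelled on the guide's
DOCUMENT_ALLOWED_EXTENSION parameter.

Added example, not OFSAA code. The platform reads the list from the
CONFIGURATION table; here it is a constructed comma-separated string with the
same values the guide lists.
"""
import posixpath

# Constructed stand-in for the CONFIGURATION row described in section 5.3.
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def parse_allowed_extensions(param_value=DOCUMENT_ALLOWED_EXTENSION):
    """Split the PARAMVALUE into a set of extensions, ignoring blanks."""
    return {ext.strip() for ext in param_value.split(",") if ext.strip()}


def is_upload_allowed(filename, allowed=None, case_sensitive=True):
    """Return True only if the file's final extension is on the allow-list.

    - Only the base name is examined, so a client-supplied path cannot change
      which extension is judged ("../x.exe/report.pdf" is judged on report.pdf).
    - Only the LAST extension counts, so "invoice.pdf.exe" is judged on "exe".
    - A file with no extension, or a dotfile such as ".htaccess", is blocked,
      matching the guide's rule that anything not listed is blocked.
    - case_sensitive=False folds case; this is an illustrative assumption, not
      documented platform behaviour.
    """
    if allowed is None:
        allowed = parse_allowed_extensions()
    base = posixpath.basename(filename.replace("\\", "/"))
    root, dot, ext = base.rpartition(".")
    if not dot or not root or not ext:
        return False
    if case_sensitive:
        return ext in allowed
    return ext.lower() in {a.lower() for a in allowed}


if __name__ == "__main__":
    for name in ("report.pdf", "invoice.pdf.exe", "README", ".htaccess",
                 "../x.exe/report.pdf", "scan.PDF", "memo.Doc"):
        print(f"{name!r}: {'allowed' if is_upload_allowed(name) else 'blocked'}")
```

Note that html, htm and jar are on the default list; if uploaded attachments are ever served back from the application's own origin, a reviewer would want to confirm that those types are actually needed before keeping them on the list.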

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
      RewriteRule .* - [R=405,L]

   The condition is negated ("!") so that only requests whose method is not GET or POST are answered with 405 Method Not Allowed.

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>

      The empty <auth-constraint/> grants no role, so the listed methods are denied to every caller, authenticated or not.

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

   Negotiating a cipher suite for encryption, data integrity and authentication

   Authenticating the client by validating its certificate

   Authenticating the server by verifying that its Distinguished Name (DN) is the expected one

   Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, and on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having storetype SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability. Currently, this check is for the following groups of keywords/key characters:

   JavascriptKeyWords - PARAMNAME in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

   JavascriptKeyChars - PARAMNAME in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10

   SQLKeyWords - PARAMNAME in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

   SQLWords - PARAMNAME in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4

   SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

   SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars) such as ", ', (, ), <, > or other meta characters, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross-site checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

   PARAMNAME               PARAMVALUE   DESCRIPTION
   XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 DebugLogs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
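Sections 7.3 to 7.6.3 describe the Filter Servlet's checks as keyword combinations driven by numbered rows of the CONFIGURATION table. The Python below is an added model of that behaviour, not the Filter Servlet's own code: the CONFIGURATION dictionary is a constructed subset holding only the keywords and meta characters the text names, the word-boundary matching and the CSSLogger line format are assumptions, and the exclusion mechanism of 7.6.2 is not modelled. Running it shows the intended blocks (a script keyword next to angle brackets, select together with from), the effect of the XSS_IS_CHECK_REQUIRED switch, and the false positive a plain combination rule produces on ordinary text such as "Please return the form (signed)", which is the kind of case the exclusion mechanism in 7.6.2 is meant for.

```python
"""Model of the Filter Servlet's XSS and SQL keyword-combination checks.

Added example, not the OFSAA Filter Servlet's code. CONFIGURATION is a
constructed subset of the CONFIGURATION table (PARAMNAME -> PARAMVALUE) with
only the values the guide itself names; matching rules and the log line
format are assumptions made for illustration.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

CONFIGURATION = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert",
    "XSS_JS_KEYWORDS3": "script", "XSS_JS_KEYWORDS4": "javascript",
    "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'",
    "XSS_JS_METACHARS3": "(", "XSS_JS_METACHARS4": ")",
    "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_KEYWORDS1": "select", "XSS_SQL_KEYWORDS2": "insert",
    "XSS_SQL_KEYWORDS3": "update", "XSS_SQL_KEYWORDS4": "delete",
    "XSS_SQL_KEYWORDS5": "drop",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
}


def config_group(prefix, config=CONFIGURATION):
    """Collect the PARAMVALUEs of <prefix>1..n, ordered by the trailing numeral."""
    pattern = re.compile(r"^" + re.escape(prefix) + r"(\d+)$")
    rows = []
    for name, value in config.items():
        match = pattern.match(name)
        if match:
            rows.append((int(match.group(1)), value))
    return [value for _, value in sorted(rows)]


def contains_word(text, word):
    """Case-insensitive whole-word match (assumed; the guide does not say how
    the servlet tokenises the request)."""
    pattern = r"(?<![a-z0-9])" + re.escape(word) + r"(?![a-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def check_request(url, config=CONFIGURATION):
    """Return None if the request passes, otherwise "XSS" or "SQL" to name the
    check that blocked it. Only query-string values are inspected here."""
    if config.get("XSS_IS_CHECK_REQUIRED", "TRUE").upper() != "TRUE":
        return None
    query = urlsplit(url).query
    text = " ".join(value for _, value in parse_qsl(query, keep_blank_values=True))
    # 7.4: any JavascriptKeyWord combined with any JavascriptKeyChar.
    has_js_keyword = any(contains_word(text, w) for w in config_group("XSS_JS_KEYWORDS", config))
    has_js_metachar = any(c in text for c in config_group("XSS_JS_METACHARS", config))
    if has_js_keyword and has_js_metachar:
        return "XSS"
    # 7.5: any SQLKeyWord combined with any SQLWord.
    has_sql_keyword = any(contains_word(text, w) for w in config_group("XSS_SQL_KEYWORDS", config))
    has_sql_word = any(contains_word(text, w) for w in config_group("XSS_SQL_WORDS", config))
    if has_sql_keyword and has_sql_word:
        return "SQL"
    return None


def log_line(check, url, user, when=None):
    """Format an entry with the fields 7.6.3 lists for CSSLogger.log: date,
    time, URL and user. The exact layout is an assumption."""
    when = when or datetime.now(timezone.utc)
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {check} {url} user={user}"


if __name__ == "__main__":
    for sample in ("/ofsaa/page?q=<script>alert(1)</script>",
                   "/ofsaa/page?q=alert",
                   "/ofsaa/page?comment=Please+return+the+form+(signed)",
                   "/ofsaa/page?q=select+name+from+users"):
        verdict = check_request(sample)
        print(log_line(verdict, sample, "analyst") if verdict else f"pass {sample}")
```

The third sample is ordinary free text, yet it carries the keyword "return" and the meta character "(", so a literal reading of the 7.4 rule blocks it; a request with the keyword alone ("q=alert") passes. That gap between the rule as described and the input real users submit is what the exclusion entries of 7.6.2 and the CSSLogger.log records of 7.6.3 are there to help tune.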


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

   Did you find any errors?

   Is the information clearly presented?

   Do you need more information? If so, where?

   Are the examples correct? Do you need more examples?

   What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 18: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBSPHERE

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 18

432 TLS Configuration for WebSphere

Following are the steps to configure TLS protocol in WebSphere

1 Log on to the console (httphostadminportibmconsole)

2 Under the Security menu select SSL certificate and key management SSL configurations

NodeDefaultSSLSettings and Quality of protection (QoP) settings

3 Change the Protocol value to TLSv12

This ensures that WebSphere server will accept only TLSv12 connections That is when the web server

acts as a server (inbound) or as client (outbound) the SSL connections will be established through the

TLSv12 protocol When testing from a browser make sure to check the browser settings to initiate TLS

handshakes only

For more information see Configuring WebSphere Application Server to support TLS 12

For cipher suite configuration see

httpswwwibmcomsupportknowledgecenterenlinuxonibmliaagwascryptl0wscry00_wascip

hersuitehtm

For more details about strong cipher configuration see

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_-

_Only_Support_Strong_Cryptographic_Ciphers

433 Configuring Application Security

Enable Application security to secure your server from unauthorized users and allow access only to

authenticated users It prevents unauthorized access of configuration files in directories

Following is the procedure to enable Application security

1 Log in to WebSphere with administrator credentials

2 Click Security from the left menu and click Global security to display the Global security

window

3 Select Enable administrative security and Enable application security

4 Click Apply and save configuration

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 19

434 Disable Directory Listing

NOTE This section is applicable for release 80600 and later

Directory listing is disabled by default ie directoryBrowsingEnabled is set to false

For additional information see

httpswwwibmcomsupportknowledgecenterenSSD28V_855comibmwebspherewlpcoredo

caerwlp_config_webContainerhtml

44 Security Configuration for WebLogic

In the WebLogic Server though the ldquoAuth Cookierdquo option is enabled by default the cookies are not

secure In-order to ensure this you need to toggle the ldquoAuth Cookie Enabledrdquo option in WebLogic

console by disabling it first and then re-enabling it for secure cookies You will then need to create a

weblogicxml file and deploy ear file in your Weblogic server

Perform the following configurations

1 Login to WebLogic Server Administrative Console and select the Domain from LHS gt Domain

Structure section

2 In the Configurations tab (selected by default) select the Web Application tab

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20

3 Scroll through the configurations options within the page and locate Auth Cookie Enabled

option By default the checkbox is selected

4 De-select the checkbox adjacent to Auth Cookie Enabled option and click Save

5 On save select the Auth Cookie Enabled checkbox and resave the change

6 Configure session Secure and HttpOnly

a If your OFSAAI version is below 80200 perform the following

Create a file with name weblogicxml under $FIC_HOMEficwebwebrootWEB-

INF and add the below tags

ltweblogic-web-app xmlns=httpwwwbeacomnsweblogic90gt

ltsession-descriptorgt

ltcookie-namegtJSESSIONIDltcookie-namegt

ltcookie-domaingtltdomaingtltcookie-domaingt

ltcookie-pathgtltcontextgtltcookie-pathgt

ltcookie-http-onlygttrueltcookie-http-onlygt

ltcookie-securegttrueltcookie-securegt

ltsession-descriptorgt

ltweblogic-web-appgt

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 21

b If your OFSAAI version is 80200 or higher modify weblogicxml file and add below tag

under root element

ltsession-descriptorgt

ltcookie-namegtJSESSIONIDltcookie-namegt

ltcookie-domaingtltdomaingtltcookie-domaingt

ltcookie-pathgtltcontextgtltcookie-pathgt

ltcookie-http-onlygttrueltcookie-http-onlygt

ltcookie-securegttrueltcookie-securegt

ltsession-descriptorgt

7 Perform the following steps to configure TLS protocol for WebLogic

a Add the following parameters in setDomainEnvsh present under

domainsltDomainNamegtbin as arguments for JAVA_OPTIONS -DweblogicsecuritydisableNullCipher=true -

DweblogicsecuritySSLprotocolVersion=TLS12

b Add preferred cipher suite to configxml file as shown in the following example Use only

the strong cryptographic ciphers recommended for TLS12

Example

ltsslgt

ltnamegtltservernamegtltnamegt

ltenabledgttrueltenabledgt

ltciphersuitegt

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384ltciphersuitegt

ltsslgt

For more information see

httpsdocsoraclecommiddleware1213wlsSECMGstandardshtmSECMG743

For more details about strong cipher configuration see

httpswwwowasporgindexphpTransport_Layer_Protection_Cheat_SheetRule_

-_Only_Support_Strong_Cryptographic_Ciphers

8 Disable directory listing Add the following tag under ltcontainer-descriptorgt in

$FIC_HOMEficwebweblogicxml

ltindex-directory-enabledgtfalseltindex-directory-enabledgt

NOTE ltcontextgt is OFSAAI context and ltdomaingt is domain name of the server that needs to receive the cookie For example if the application is accessed through URL as appmysitecom then it should be set to appmysitecom and not mysitecom

9 Build ear file and deploy it onto the WebLogic server

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 22

10 Restart services

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT ACCESS TO DEFAULT WEB SERVER PAGES

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 23

5 Additional Security Configurations

Refer to this section to perform additional security configurations The following topics are available

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GETPOST

Configuration to enable unlimited cryptographic policy for Java

51 Configuration to Restrict Access to Default Web Server

Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat

server

1 Start the Apache Tomcat server by executing the command startupsh

2 Log in to the Tomcat Web Application Manager

3 Undeploy the Examples application from Tomcat

Go to the Tomcat Web Application Manager screen and click the Remove link

corresponding to the Tomcat Examples application

4 Shut down the Apache Tomcat Server by executing the shutdownsh file

5 Comment the following two sections from CATALINA_HOMEconfserverxml (if

available)

Section I

ltContext path=examples docBase=examples debug=0

reloadable=true crossContext=truegt

ltLogger className=orgapachecatalinaloggerFileLogger

prefix=localhost_examples_log suffix=txt

timestamp=truegt

ltEjb name=ejbEmplRecord type=Entity

home=comwombatemplEmployeeRecordHome

remote=comwombatemplEmployeeRecordgt

Section II

ltEnvironment name=maxExemptions type=javalangInteger

value=15gt

ltParameter name=contextparamname value=contextparamvalue

override=falsegt

ltResource name=jdbcEmployeeAppDb auth=SERVLET

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24

type=javaxsqlDataSourcegt

ltResourceParams name=jdbcEmployeeAppDbgt

ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt

ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt

ltparametergtltnamegtdriverClassNameltnamegt

ltvaluegtorghsqljdbcDriverltvaluegtltparametergt

ltparametergtltnamegtdriverNameltnamegt

ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt

ltResourceParamsgt

ltResource name=mailSession auth=Container

type=javaxmailSessiongt

ltResourceParams name=mailSessiongt

ltparametergt

ltnamegtmailsmtphostltnamegt

ltvaluegtlocalhostltvaluegt

ltparametergt

ltResourceParamsgt

ltResourceLink name=linkToGlobalResource

global=simpleValue

type=javalangIntegergt

ltContextgt

6 Delete CATALINA_HOMEwebappsROOTindexjsp file

7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml

8 Comment the following two tags from CATALINA_HOMEconfwebxml file

ltwelcome-filegtindexhtmltwelcome-filegt

ltwelcome-filegtindexjspltwelcome-filegt

9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-

usersxml file

Following are some examples

ltuser username=both password=b$12 roles=tomcatrole1gt

ltuser username=tomcat password=t$12 roles=tomcatgt

ltuser username=admin password=a$12 roles=adminmanagergt

ltuser username=role1 password=r$12 roles=role1gt

52 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details from http responses


Modify the httpd.conf file and set:

    the "ServerTokens" parameter to "Prod"

    the "ServerSignature" parameter to "off"
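As an added example (not part of this guide or of OFSAA), the following Python script audits the two settings above together with step 9 of section 5.1: it flags Tomcat users whose password is still a stock or trivial value, and it resolves the effective ServerTokens/ServerSignature values from an httpd.conf the way httpd does (the last directive wins; Apache's documented defaults of ServerTokens Full and ServerSignature Off apply when a directive is absent). The sample tomcat-users.xml and httpd.conf fragments, the default-password list and the ofsaa-ops user name are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed: stock passwords from the commented-out examples in Tomcat's own
# tomcat-users.xml, plus the empty password; any of these is a finding.
DEFAULT_TOMCAT_PASSWORDS = {"tomcat", "s3cret", "admin", "password", ""}

# Constructed sample of CATALINA_HOME/conf/tomcat-users.xml after an incomplete step 9.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="ofsaa-ops" password="Kq7#vL2p!xR9" roles="manager-gui"/>
</tomcat-users>"""

# Constructed httpd.conf fragment; httpd applies the last occurrence of a directive.
SAMPLE_HTTPD_CONF = """ServerTokens OS
ServerSignature On
# hardened later in the file, but ServerSignature was left as it was
ServerTokens Prod
"""


def audit_tomcat_users(xml_text: str) -> list:
    """List every <user> whose password is a stock default, empty, or equal to its user name."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":   # ignore the XML namespace, if any
            continue
        name = el.get("username") or el.get("name") or ""
        password = el.get("password") or ""
        if password.lower() in DEFAULT_TOMCAT_PASSWORDS or password.lower() == name.lower():
            findings.append(f"user {name!r}: default or trivial password")
    return findings


def effective_server_directives(conf_text: str) -> dict:
    """Resolve ServerTokens / ServerSignature as httpd does: the last directive wins,
    and the documented defaults (ServerTokens Full, ServerSignature Off) apply if absent."""
    tokens, signature = "Full", "Off"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(ServerTokens|ServerSignature)\s+(\S+)", line, re.I)
        if not m:
            continue
        if m.group(1).lower() == "servertokens":
            tokens = m.group(2)
        else:
            signature = m.group(2)
    return {
        "ServerTokens": tokens,
        "ServerSignature": signature,
        "hardened": tokens.lower() == "prod" and signature.lower() == "off",
    }


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("tomcat-users.xml:", finding)
    print("httpd.conf:", effective_server_directives(SAMPLE_HTTPD_CONF))
```

Running the script against the constructed inputs reports the tomcat and admin users and shows that the httpd.conf fragment is not yet hardened, because ServerSignature On is still in effect even though ServerTokens was corrected later in the file.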

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files of certain file types. This configuration applies to all UIs/APPs that are rendered by the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions of the file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached whose extension is not listed in this parameter value is blocked. The current release has the values below set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg
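The check described above, as an added example in Python (not OFSAA's own Forms Framework code): it parses the DOCUMENT_ALLOWED_EXTENSION value as stated for the current release, folds it to lower case so that "doc" and "Doc" become one entry, and decides on the final extension of the file name only. The file names tested are constructed. The example goes slightly beyond the text in also rejecting names without any extension, leading-dot names such as .htaccess, and names carrying path separators, which an allowlist keyed on the extension alone would otherwise pass through.

```python
# The allowlist as the page states it for the current release (DOCUMENT_ALLOWED_EXTENSION).
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"


def allowed_extensions(param_value: str) -> frozenset:
    """Parse the comma-separated PARAMVALUE; extensions are folded to lower case so the
    page's 'doc' and 'Doc' entries become a single allowlist entry."""
    return frozenset(e.strip().lower() for e in param_value.split(",") if e.strip())


def is_upload_allowed(filename: str, allowed: frozenset) -> bool:
    """Decide on the FINAL extension only, after trimming whitespace and lower-casing,
    so 'report.pdf.exe' is judged by 'exe' and 'Report.DOC' by 'doc'.
    Rejected outright (assumed policy, beyond the page's text): path separators or NUL
    in the name, no extension at all, a leading-dot name such as '.htaccess', and a
    trailing dot ('report.')."""
    name = filename.strip()
    if not name or any(ch in name for ch in "/\\\x00"):
        return False
    base, dot, ext = name.rpartition(".")
    if not dot or not base or not ext:
        return False
    return ext.strip().lower() in allowed


if __name__ == "__main__":
    allowed = allowed_extensions(DOCUMENT_ALLOWED_EXTENSION)
    # Constructed file names, as an upload form might submit them.
    for candidate in ["report.pdf", "Report.DOC", "report.pdf.exe", "README",
                      ".htaccess", "../report.pdf", "archive.tar.gz"]:
        print(f"{candidate!r:20} -> {'allowed' if is_upload_allowed(candidate, allowed) else 'blocked'}")
```

An extension allowlist does not inspect file content; it is one layer, to be combined with storing uploads outside the web root and serving them with a fixed Content-Type.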

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
        RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

    a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

        <security-constraint>
          <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>PATCH</http-method>
            <http-method>HEAD</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
            <http-method>CONNECT</http-method>
          </web-resource-collection>
          <auth-constraint/>
        </security-constraint>

    b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

    c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

    d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
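To see what the web.xml constraint in step 2a does and does not cover, here is an added example in Python (not OFSAA's or the application server's code) that applies the Servlet specification's coverage rules to a deny-all <security-constraint>: methods listed with <http-method> are covered and every other method stays uncovered, whereas <http-method-omission> covers everything except the listed methods. The two web.xml fragments are constructed; the first is the snippet from step 2a, the second is the omission form that, like the RewriteCond in step 1, denies every method other than GET and POST, including verbs the explicit list never mentions, such as PROPFIND.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml with the deny-all constraint exactly as step 2a gives it.
EXPLICIT_LIST_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Constructed alternative (Servlet 3.0 and later): name the methods to KEEP, deny all others.
OMISSION_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>everything but GET and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _local(tag: str) -> str:
    """Strip the XML namespace: '{...}http-method' -> 'http-method'."""
    return tag.rsplit("}", 1)[-1]


def _kids(el, name):
    return [c for c in el if _local(c.tag) == name]


def parse_constraints(web_xml: str) -> list:
    """Return [(methods, omissions, deny_all)] for each <security-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        coll = _kids(sc, "web-resource-collection")[0]
        methods = {m.text.strip().upper() for m in _kids(coll, "http-method")}
        omissions = {m.text.strip().upper() for m in _kids(coll, "http-method-omission")}
        auth = _kids(sc, "auth-constraint")
        # An empty <auth-constraint/> grants access to no role at all: a deny-all rule.
        deny_all = bool(auth) and not _kids(auth[0], "role-name")
        out.append((methods, omissions, deny_all))
    return out


def is_method_blocked(method: str, constraints: list) -> bool:
    """Coverage rules of the Servlet specification for a url-pattern of /*:
    listed <http-method>s are covered and nothing else is; <http-method-omission>
    covers every method except those listed; no method element at all covers all."""
    m = method.upper()
    for methods, omissions, deny_all in constraints:
        if not deny_all:
            continue
        if omissions:
            covered = m not in omissions
        else:
            covered = (not methods) or (m in methods)
        if covered:
            return True
    return False


if __name__ == "__main__":
    explicit = parse_constraints(EXPLICIT_LIST_WEB_XML)
    omission = parse_constraints(OMISSION_WEB_XML)
    for verb in ["GET", "POST", "PUT", "TRACE", "PROPFIND"]:
        print(f"{verb:9} explicit list: {'blocked' if is_method_blocked(verb, explicit) else 'allowed'}"
              f"   omission form: {'blocked' if is_method_blocked(verb, omission) else 'allowed'}")
```

Servlet 3.1 containers also accept <deny-uncovered-http-methods/> directly under <web-app>, which makes the container reject any method the explicit list misses; with the snippet exactly as given in step 2a, a method that is not listed is simply not constrained.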

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section of the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

    • Negotiating a cipher suite for encryption, data integrity and authentication

    • Authenticating the client by validating its certificate

    • Authenticating the server by verifying that its Distinguished Name (DN) is the expected one

    • Client and server exchanging key information using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server, the configuration requires a wallet, and on the client, the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet having the store type SSO with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.
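The handshake steps listed in section 6, as an added example in Python's standard ssl module (not the JDBC thin driver, the Oracle wallet, or any OFSAA code): the client context requires TLS 1.2 or newer and a trusted server certificate, optionally presents a client certificate for client authentication, and the DN check compares the server certificate's subject with an expected Oracle-style DN string. The certificate dictionary is constructed in the shape SSLSocket.getpeercert() returns, so the DN check runs without a live database; the CA bundle and certificate paths are the caller's.

```python
import ssl
from typing import Optional

# Short attribute names used in an Oracle-style DN string, mapped to the long names that
# Python's SSLSocket.getpeercert() reports in its 'subject' tuples.
_DN_ATTRS = {"CN": "commonName", "O": "organizationName", "OU": "organizationalUnitName",
             "L": "localityName", "ST": "stateOrProvinceName", "C": "countryName"}


def build_client_context(ca_bundle: Optional[str] = None,
                         client_cert: Optional[str] = None,
                         client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS settings matching the handshake the page describes: TLS 1.2 or newer,
    server certificate validated against the trusted CA (the platform trust store when no
    bundle is given), and client authentication when a client certificate and key are supplied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """The settings a reviewer would want to confirm on a context before use."""
    return {"min_version": ctx.minimum_version.name,
            "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
            "check_hostname": ctx.check_hostname}


def parse_dn(dn: str) -> dict:
    """'CN=db.example.com,O=Example Corp' -> {'commonName': ..., 'organizationName': ...}.
    Simple comma split: assumes no escaped commas inside attribute values."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        out[_DN_ATTRS.get(key.strip().upper(), key.strip())] = value.strip()
    return out


def subject_of(peercert: dict) -> dict:
    """Flatten getpeercert()['subject'] (a tuple of RDNs, each a tuple of (type, value) pairs)."""
    return {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}


def server_dn_matches(peercert: dict, expected_dn: str) -> bool:
    """The 'server DN is expected' step: every attribute of the expected DN must appear in the
    server certificate's subject with the same value. Run after the handshake, on
    sock.getpeercert(), in addition to the certificate-chain check the context performs."""
    subject = subject_of(peercert)
    return all(subject.get(k) == v for k, v in parse_dn(expected_dn).items())


# Constructed certificate description in the shape getpeercert() returns, for a stand-alone run.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "db.example.com"),)),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

if __name__ == "__main__":
    print(context_summary(build_client_context()))
    print(server_dn_matches(SAMPLE_PEERCERT, "CN=db.example.com,O=Example Corp"))
    print(server_dn_matches(SAMPLE_PEERCERT, "CN=db.example.com,O=Other Corp"))
```

The DN comparison is deliberately a subset match on the attributes you name, so an expected DN of CN=db.example.com,O=Example Corp does not break when the certificate also carries a countryName; an attribute with a different value, or one that is missing from the certificate, fails the check.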


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has the rights to access the web page that is being accessed.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check covers the following groups of keywords and key characters:

    • JavascriptKeyWords - paramname in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

    • JavascriptKeyChars - paramname in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10

    • SQLKeyWords - paramname in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

    • SQLWords - paramname in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4

    • SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

    • SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in the Configuration table

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars) such as ", ', (, ), < or >, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) in the XSS check, then the request is blocked, displaying an error message.

You can see the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry is available in the configuration table present in the Configuration Schema. The cross-site checks are not performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

    PARAMNAME               PARAMVALUE   DESCRIPTION
    XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords/Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details for date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
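The checks described in sections 7.4, 7.5 and 7.6, reduced to code as an added example in Python (not the product's Filter Servlet): a request is blocked when it combines a JS keyword with a JS meta character, or an SQL word with an SQL keyword; the XSS_IS_CHECK_REQUIRED flag switches the checks off; and a blocked request yields a CSSLogger-style line with date, time, URL and user. The configuration rows are constructed from the examples the page names (the real table holds more entries, numbered as section 7.3 lists them), and the log line format is assumed.

```python
import re
from datetime import datetime, timezone

# Constructed rows in the shape of the CONFIGURATION table (PARAMNAME -> PARAMVALUE).
# Only the examples the page names are included; the real table holds more entries.
CONFIG = {
    "XSS_IS_CHECK_REQUIRED": "TRUE",
    "XSS_JS_KEYWORDS1": "return", "XSS_JS_KEYWORDS2": "alert", "XSS_JS_KEYWORDS3": "script",
    "XSS_JS_KEYWORDS4": "javascript", "XSS_JS_KEYWORDS5": "vbscript",
    "XSS_JS_METACHARS1": '"', "XSS_JS_METACHARS2": "'", "XSS_JS_METACHARS3": "(",
    "XSS_JS_METACHARS4": ")", "XSS_JS_METACHARS5": "<", "XSS_JS_METACHARS6": ">",
    "XSS_SQL_WORDS1": "from", "XSS_SQL_WORDS2": "into",
    "XSS_SQL_WORDS3": "where", "XSS_SQL_WORDS4": "table",
    "XSS_SQL_KEYWORDS1": "alter", "XSS_SQL_KEYWORDS2": "insert", "XSS_SQL_KEYWORDS3": "select",
    "XSS_SQL_KEYWORDS4": "create", "XSS_SQL_KEYWORDS5": "update", "XSS_SQL_KEYWORDS6": "delete",
    "XSS_SQL_KEYWORDS7": "drop", "XSS_SQL_KEYWORDS8": "truncate",
}


def group(config: dict, prefix: str) -> list:
    """Values of the PARAMNAMEs sharing a prefix, in numeral order (PREFIX1, PREFIX2, ...)."""
    rows = [(int(k[len(prefix):]), v) for k, v in config.items()
            if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return [v.lower() for _, v in sorted(rows)]


def _has_word(text: str, words: list) -> bool:
    # Keywords match as whole words, case-insensitively: "retur" or "alerting" do not count.
    return any(re.search(r"(?<![A-Za-z])" + re.escape(w) + r"(?![A-Za-z])", text, re.I)
               for w in words)


def _has_char(text: str, chars: list) -> bool:
    return any(c in text for c in chars)


def check_request(config: dict, params: dict):
    """Return None when the request passes, else the name of the check that blocks it.
    Mirrors the two combinations the page describes: JS keyword AND JS meta character
    (XSS), SQL word AND SQL keyword (SQL injection)."""
    if config.get("XSS_IS_CHECK_REQUIRED", "FALSE").upper() != "TRUE":
        return None
    text = " ".join(f"{k}={v}" for k, v in params.items())
    if _has_word(text, group(config, "XSS_JS_KEYWORDS")) and \
            _has_char(text, group(config, "XSS_JS_METACHARS")):
        return "XSS"
    if _has_word(text, group(config, "XSS_SQL_WORDS")) and \
            _has_word(text, group(config, "XSS_SQL_KEYWORDS")):
        return "SQL"
    return None


def log_line(check: str, url: str, user: str, when: datetime = None) -> str:
    """One CSSLogger-style record with date, time, URL and user (format assumed, not the product's)."""
    when = when or datetime.now(timezone.utc)
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} {check} url={url} user={user}"


if __name__ == "__main__":
    # Constructed requests: the first two pass, the last two are blocked.
    for url, user, params in [
        ("/app/search", "analyst1", {"q": "our return policy"}),
        ("/app/search", "analyst1", {"q": "where is the office"}),
        ("/app/profile", "analyst2", {"name": "<script>alert(1)</script>"}),
        ("/app/report", "analyst2", {"q": "select name from table"}),
    ]:
        verdict = check_request(CONFIG, params)
        print(log_line(verdict, url, user) if verdict else f"pass {url} {params}")
```

Matching keywords as whole words keeps "return policy" from tripping the check on its own: the combination rule is what makes the filter usable in a business application. It remains a coarse blocklist that complements, rather than replaces, output encoding and bound SQL parameters in the application itself.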


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

    • Did you find any errors?

    • Is the information clearly presented?

    • Do you need more information? If so, where?

    • Are the examples correct? Do you need more examples?

    • What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords/Key Characters
      • 7.6.3 Debug Logs

4.3.4 Disable Directory Listing

NOTE: This section is applicable for release 8.0.6.0.0 and later.

Directory listing is disabled by default, i.e. directoryBrowsingEnabled is set to false.

For additional information, see https://www.ibm.com/support/knowledgecenter/en/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_config_webContainer.html

4.4 Security Configuration for WebLogic

In the WebLogic Server, though the "Auth Cookie" option is enabled by default, the cookies are not secure. To ensure this, you need to toggle the "Auth Cookie Enabled" option in the WebLogic console by disabling it first and then re-enabling it for secure cookies. You will then need to create a weblogic.xml file and deploy the ear file in your WebLogic server.

Perform the following configurations:

1. Log in to the WebLogic Server Administrative Console and select the Domain from the LHS > Domain Structure section.

2. In the Configurations tab (selected by default), select the Web Application tab.


3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox and re-save the change.

6. Configure session Secure and HttpOnly:

    a. If your OFSAAI version is below 8.0.2.0.0, perform the following:

        Create a file with the name weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the below tags:

        <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
          <session-descriptor>
            <cookie-name>JSESSIONID</cookie-name>
            <cookie-domain><domain></cookie-domain>
            <cookie-path>/<context></cookie-path>
            <cookie-http-only>true</cookie-http-only>
            <cookie-secure>true</cookie-secure>
          </session-descriptor>
        </weblogic-web-app>


    b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the below tag under the root element:

        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path>/<context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

    a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

        -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12

    b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

        Example:

        <ssl>
          <name><servername></name>
          <enabled>true</enabled>
          <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
        </ssl>

        For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

        For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

        <index-directory-enabled>false</index-directory-enabled>

NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the ear file and deploy it onto the WebLogic server.


10. Restart the services.
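An added example (not WebLogic's or OFSAA's code) in Python that verifies the outcome of step 6 and the NOTE above from the client side: it parses a Set-Cookie header as the browser receives it and reports a session cookie that lacks Secure or HttpOnly, or whose Domain attribute names a parent domain (mysite.com) rather than the application host (app.mysite.com). The header values and host name are constructed.

```python
def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header value into the cookie's name and value and its attributes.
    Attribute names are lower-cased; flag attributes without '=' (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str, request_host: str) -> list:
    """Findings for a session cookie: missing Secure, missing HttpOnly, and a Domain
    attribute that is not the host the application is served from. A leading dot on
    the Domain value is ignored, as browsers ignore it."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("secure") is not True:
        findings.append("missing Secure")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        if domain.lstrip(".").lower() != request_host.lower():
            findings.append(f"Domain={domain} is not the application host {request_host}")
    return findings


if __name__ == "__main__":
    # Constructed headers: before and after the weblogic.xml session-descriptor is in place.
    before = "JSESSIONID=abc123; Path=/ofsaa; Domain=mysite.com"
    after = "JSESSIONID=abc123; Path=/ofsaa; Domain=app.mysite.com; Secure; HttpOnly"
    for label, header in [("before", before), ("after", after)]:
        print(label, audit_session_cookie(header, "app.mysite.com") or ["ok"])
```

A quick way to obtain real input for the audit is the Set-Cookie header of the login response in the browser's developer tools; the check is the same one the NOTE describes, applied to what the server actually sent.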


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

    • Configuration to Restrict Access to Default Web Server Pages

    • Configuration to Restrict Display of the Web Server Details

    • Configuration to Restrict File Uploads

    • Configuration to restrict HTTP methods other than GET/POST

    • Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to the default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat:

    Go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat Server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

Section I

    <Context path="/examples" docBase="examples" debug="0"
             reloadable="true" crossContext="true">

    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="localhost_examples_log." suffix=".txt"
            timestamp="true"/>

ltEjb name=ejbEmplRecord type=Entity

home=comwombatemplEmployeeRecordHome

remote=comwombatemplEmployeeRecordgt

Section II

ltEnvironment name=maxExemptions type=javalangInteger

value=15gt

ltParameter name=contextparamname value=contextparamvalue

override=falsegt

ltResource name=jdbcEmployeeAppDb auth=SERVLET

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24

type=javaxsqlDataSourcegt

ltResourceParams name=jdbcEmployeeAppDbgt

ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt

ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt

ltparametergtltnamegtdriverClassNameltnamegt

ltvaluegtorghsqljdbcDriverltvaluegtltparametergt

ltparametergtltnamegtdriverNameltnamegt

ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt

ltResourceParamsgt

ltResource name=mailSession auth=Container

type=javaxmailSessiongt

ltResourceParams name=mailSessiongt

ltparametergt

ltnamegtmailsmtphostltnamegt

ltvaluegtlocalhostltvaluegt

ltparametergt

ltResourceParamsgt

ltResourceLink name=linkToGlobalResource

global=simpleValue

type=javalangIntegergt

ltContextgt

6 Delete CATALINA_HOMEwebappsROOTindexjsp file

7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml

8 Comment the following two tags from CATALINA_HOMEconfwebxml file

ltwelcome-filegtindexhtmltwelcome-filegt

ltwelcome-filegtindexjspltwelcome-filegt

9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-

usersxml file

Following are some examples

ltuser username=both password=b$12 roles=tomcatrole1gt

ltuser username=tomcat password=t$12 roles=tomcatgt

ltuser username=admin password=a$12 roles=adminmanagergt

ltuser username=role1 password=r$12 roles=role1gt

52 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details from http responses

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT FILE UPLOADS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25

Modify the httpdconf file and set

ldquoServerTokensrdquo parameter to ldquoProdrdquo

ldquoServerSignaturerdquo parameter to ldquooffrdquo

53 Configuration to Restrict File Uploads

Following is the configuration to restrict upload of files with certain file types This configuration is

applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The

parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo

schema holds the list of file extensions for valid file types that are allowed to be attached and

uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in

this parameter value will be blocked The current release has the below values set for the parameter

This list is extensible

DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and

jpeg

54 Configuration to restrict HTTP methods other than

GETPOST

Following configuration is required to restrict HTTP methods other than GETPOST

1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM

HTTP Server)

RewriteEngine On

RewriteCond REQUEST_METHOD ^(GET|POST)

RewriteRule - [R=405L]

2 If the application is not configured with HTTP Server perform the following steps in case of

WebLogic and WebSphere application servers

a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file

ltsecurity-constraintgt

ltweb-resource-collectiongt

ltweb-resource-namegtrestricted methodsltweb-resource-namegt

lturl-patterngtlturl-patterngt

lthttp-methodgtPUTlthttp-methodgt

lthttp-methodgtPATCHlthttp-methodgt

lthttp-methodgtHEADlthttp-methodgt

lthttp-methodgtDELETElthttp-methodgt

lthttp-methodgtOPTIONSlthttp-methodgt

lthttp-methodgtTRACElthttp-methodgt

lthttp-methodgtCONNECTlthttp-methodgt

ltweb-resource-collectiongt

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26

ltauth-constraintgt

ltsecurity-constraintgt

b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server

c Execute antsh to regenerate ltCONTEXTNAMEgtearwar

d Re-deploy the EARWAR file onto your configured web application server For more

information on deploying EAR WAR file refer to the Post Installation Configuration section

in Oracle Financial Services Advanced Analytical Applications Infrastructure Application

Pack Installation and Configuration Guide

55 Configuration to enable unlimited cryptographic policy for

Java

Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For

more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical

Applications Infrastructure Administration Guide

SECURE DATABASE CONNECTION

CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27

6 Secure Database Connection

The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The

Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data

integrity When a network connection over SSL is initiated the client and server perform a handshake

that includes

Negotiating a cipher suite for encryption data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected

Client and server exchange key information using public key cryptography

To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet

Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can

use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12

This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin

driver with Oracle wallet having storetype as SSO with OraclePKIProvider

61 Configurations for Connecting OFSAA to Oracle Database

using Secure Database Connection (TCPS)

For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure

Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration

Guide

APPENDIX A - FILTER SERVLET

INTRODUCTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28

7 Appendix A - Filter Servlet

This section consists of information related to Filter Servlet and the required configurations This

section also lists out the Keywords and Key Characters

NOTE This section is applicable for releases 800xx to 805xx

71 Introduction

Filter Servlet is a controller in the web-container whose functions are the following

72 Security and Access

This functionality checks whether a user has rights to access a web page that is trying to be accessed

73 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for

the following group of keywords key characters

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to

XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to

XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to

XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in

Configuration table

74 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of

any JavascriptKeyWords with the JavascriptKeyChars

For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as

Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)

such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 20: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

WEB APPLICATION SERVER SECURITY CONFIGURATIONS

SECURITY CONFIGURATION FOR WEBLOGIC

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 20

3. Scroll through the configuration options within the page and locate the Auth Cookie Enabled option. By default, the checkbox is selected.

4. De-select the checkbox adjacent to the Auth Cookie Enabled option and click Save.

5. On save, select the Auth Cookie Enabled checkbox again and re-save the change.

6. Configure the session cookie as Secure and HttpOnly:

   a. If your OFSAAI version is below 8.0.2.0.0, create a file named weblogic.xml under $FIC_HOME/ficweb/webroot/WEB-INF and add the following tags:

      <weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
        <session-descriptor>
          <cookie-name>JSESSIONID</cookie-name>
          <cookie-domain><domain></cookie-domain>
          <cookie-path>/<context></cookie-path>
          <cookie-http-only>true</cookie-http-only>
          <cookie-secure>true</cookie-secure>
        </session-descriptor>
      </weblogic-web-app>


   b. If your OFSAAI version is 8.0.2.0.0 or higher, modify the weblogic.xml file and add the following tag under the root element:

      <session-descriptor>
        <cookie-name>JSESSIONID</cookie-name>
        <cookie-domain><domain></cookie-domain>
        <cookie-path>/<context></cookie-path>
        <cookie-http-only>true</cookie-http-only>
        <cookie-secure>true</cookie-secure>
      </session-descriptor>

7. Perform the following steps to configure the TLS protocol for WebLogic:

   a. Add the following parameters in setDomainEnv.sh, present under domains/<DomainName>/bin, as arguments for JAVA_OPTIONS:

      -Dweblogic.security.disableNullCipher=true -Dweblogic.security.SSL.protocolVersion=TLS12

   b. Add the preferred cipher suite to the config.xml file as shown in the following example. Use only the strong cryptographic ciphers recommended for TLS 1.2.

      Example:

      <ssl>
        <name><servername></name>
        <enabled>true</enabled>
        <ciphersuite>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</ciphersuite>
      </ssl>

      For more information, see https://docs.oracle.com/middleware/1213/wls/SECMG/standards.htm#SECMG743

      For more details about strong cipher configuration, see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

8. Disable directory listing. Add the following tag under <container-descriptor> in $FIC_HOME/ficweb/weblogic.xml:

   <index-directory-enabled>false</index-directory-enabled>

   NOTE: <context> is the OFSAAI context and <domain> is the domain name of the server that needs to receive the cookie. For example, if the application is accessed through the URL app.mysite.com, then it should be set to app.mysite.com and not mysite.com.

9. Build the EAR file and deploy it onto the WebLogic server.


10. Restart the services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

Configuration to Restrict Access to Default Web Server Pages
Configuration to Restrict Display of the Web Server Details
Configuration to Restrict File Uploads
Configuration to restrict HTTP methods other than GET/POST
Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to the default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the startup.sh command.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if available):

   Section I

   <Context path="/examples" docBase="examples" debug="0"
            reloadable="true" crossContext="true">
     <Logger className="org.apache.catalina.logger.FileLogger"
             prefix="localhost_examples_log." suffix=".txt"
             timestamp="true"/>
     <Ejb name="ejb/EmplRecord" type="Entity"
          home="com.wombat.empl.EmployeeRecordHome"
          remote="com.wombat.empl.EmployeeRecord"/>

   Section II

     <Environment name="maxExemptions" type="java.lang.Integer"
                  value="15"/>
     <Parameter name="context.param.name" value="context.param.value"
                override="false"/>
     <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
               type="javax.sql.DataSource"/>
     <ResourceParams name="jdbc/EmployeeAppDb">
       <parameter><name>user</name><value>sa</value></parameter>
       <parameter><name>password</name><value></value></parameter>
       <parameter><name>driverClassName</name>
         <value>org.hsql.jdbcDriver</value></parameter>
       <parameter><name>driverName</name>
         <value>jdbc:HypersonicSQL:database</value></parameter>
     </ResourceParams>
     <Resource name="mail/Session" auth="Container"
               type="javax.mail.Session"/>
     <ResourceParams name="mail/Session">
       <parameter>
         <name>mail.smtp.host</name>
         <value>localhost</value>
       </parameter>
     </ResourceParams>
     <ResourceLink name="linkToGlobalResource"
                   global="simpleValue"
                   type="java.lang.Integer"/>
   </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

   <welcome-file>index.htm</welcome-file>
   <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

   <user username="both" password="b$12" roles="tomcat,role1"/>
   <user username="tomcat" password="t$12" roles="tomcat"/>
   <user username="admin" password="a$12" roles="admin,manager"/>
   <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses. Modify the httpd.conf file and set:

   the "ServerTokens" parameter to "Prod"
   the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files with certain file types. This configuration is applicable for all UIs/APPs that are rendered out of the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached that does not have an extension listed in this parameter value will be blocked. The current release has the below values set for the parameter. This list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp, and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
   RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps in the case of WebLogic and WebSphere application servers:

   a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>restricted methods</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>PUT</http-method>
          <http-method>PATCH</http-method>
          <http-method>HEAD</http-method>
          <http-method>DELETE</http-method>
          <http-method>OPTIONS</http-method>
          <http-method>TRACE</http-method>
          <http-method>CONNECT</http-method>
        </web-resource-collection>
        <auth-constraint/>
      </security-constraint>

   b. Navigate to the $FIC_WEB_HOME directory on the OFSAA installed server.

   c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

   d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
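To verify what the web.xml constraint from step 2a actually restricts, the following added example (not OFSAA or container code) parses such a descriptor and applies the Servlet specification's rule that an empty <auth-constraint/> precludes access to every method it covers, while methods no constraint names stay uncovered. The embedded descriptor is a constructed sample wrapping the snippet above.

```python
"""Check which HTTP methods a web.xml security-constraint blocks.

Added example; not OFSAA code. A constraint whose <auth-constraint/> lists no
<role-name> denies every request it covers; methods that no constraint names
are "uncovered" and pass through unchanged.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the step 2a snippet wrapped in a minimal <web-app>.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]


def url_pattern_matches(pattern, path):
    """Servlet url-pattern matching: exact, path prefix (/foo/*) or extension (*.jsp)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def parse_constraints(xml_text):
    """Return [(collections, roles)]: collections is [(patterns, methods)]; roles is
    None when there is no <auth-constraint>, else the set of role names (an empty
    set means nobody may access the covered resources)."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        roles = None if not auth else set(_texts(auth[0], "role-name"))
        collections = [
            (_texts(wrc, "url-pattern"), set(_texts(wrc, "http-method")))
            for wrc in sc if _local(wrc.tag) == "web-resource-collection"
        ]
        constraints.append((collections, roles))
    return constraints


def decide(constraints, method, path, user_roles=frozenset()):
    """Return "deny" if a constraint covering (method, path) rejects the caller,
    otherwise "allow". Method names are compared verbatim, as the container does."""
    for collections, roles in constraints:
        for patterns, methods in collections:
            if methods and method not in methods:
                continue  # an explicit method list leaves other methods uncovered
            if not any(url_pattern_matches(p, path) for p in patterns):
                continue
            if roles is None:
                continue  # no auth-constraint: this constraint restricts nobody
            if not roles or not (roles & set(user_roles)):
                return "deny"
    return "allow"


def blocked_methods(xml_text, path, candidates=("GET", "POST", "PUT", "PATCH", "HEAD",
                                                 "DELETE", "OPTIONS", "TRACE", "CONNECT")):
    """Which of the candidate methods the descriptor blocks on the given path."""
    constraints = parse_constraints(xml_text)
    return [m for m in candidates if decide(constraints, m, path) == "deny"]


if __name__ == "__main__":
    print("blocked on /ofsaa/login:", blocked_methods(SAMPLE_WEB_XML, "/ofsaa/login"))
```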

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption, and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

Negotiating a cipher suite for encryption, data integrity, and authentication
Authenticating the client by validating its certificate
Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server, the configuration requires a wallet, and on the client, the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet, or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet whose store type is SSO, with OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. This section also lists the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This functionality checks whether a user has the rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, this check is for the following groups of keywords/key characters:

JavascriptKeyWords - PARAMNAME in the configuration table: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
JavascriptKeyChars - PARAMNAME in the configuration table: XSS_JS_METACHARS1 to XSS_JS_METACHARS10
SQLKeyWords - PARAMNAME in the configuration table: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
SQLWords - PARAMNAME in the configuration table: XSS_SQL_WORDS1 to XSS_SQL_WORDS4
SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

All of these are present in the Configuration table.

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript, or VBscript) along with any of the JavascriptKeyChars (meta characters such as ", ', (, ), <, or >), then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate), then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1) containing the PARAMNAME, PARAMVALUE, and DESCRIPTION to view the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema. The Cross Site Scripting checks will not be performed if the entry is not present or the PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral in the new PARAMNAME should be higher than any other number in the group.

For example, if you want to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, you need to update the keyword numeral to XSS_JS_KEYWORDS12, considering the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front-end and it is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It contains details of the date, time, URL, and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH given in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
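The keyword-plus-meta-character rules of 7.4 and 7.5, the XSS_IS_CHECK_REQUIRED switch of 7.6.1 and the log fields of 7.6.3, modelled as an added example that is not the OFSAA Filter Servlet's code. The CONFIGURATION rows are a constructed sample using the PARAMNAME groups named in 7.3 with only the keywords the guide's examples mention (the full list is in Doc ID 2311605.1); matching keywords case-insensitively as whole words and the exact CSSLogger.log line layout are assumptions.

```python
"""Model of the Filter Servlet keyword / meta-character checks.

Added example, not the OFSAA Filter Servlet. Keyword matching semantics and the
log line layout are assumptions; the configuration rows are a constructed sample.
"""
import re
from datetime import datetime, timezone

# Constructed sample of (PARAMNAME, PARAMVALUE, DESCRIPTION) rows.
CONFIGURATION = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE", "Parameter to decide whether XSS check is to be enabled or not"),
    ("XSS_JS_KEYWORDS1", "return", "JS keyword"),
    ("XSS_JS_KEYWORDS2", "alert", "JS keyword"),
    ("XSS_JS_KEYWORDS3", "script", "JS keyword"),
    ("XSS_JS_KEYWORDS4", "javascript", "JS keyword"),
    ("XSS_JS_KEYWORDS5", "vbscript", "JS keyword"),
    ("XSS_JS_METACHARS1", '"', "JS meta character"),
    ("XSS_JS_METACHARS2", "'", "JS meta character"),
    ("XSS_JS_METACHARS3", "(", "JS meta character"),
    ("XSS_JS_METACHARS4", ")", "JS meta character"),
    ("XSS_JS_METACHARS5", "<", "JS meta character"),
    ("XSS_JS_METACHARS6", ">", "JS meta character"),
    ("XSS_SQL_KEYWORDS1", "alter", "SQL keyword"),
    ("XSS_SQL_KEYWORDS2", "insert", "SQL keyword"),
    ("XSS_SQL_KEYWORDS3", "select", "SQL keyword"),
    ("XSS_SQL_KEYWORDS4", "create", "SQL keyword"),
    ("XSS_SQL_KEYWORDS5", "update", "SQL keyword"),
    ("XSS_SQL_KEYWORDS6", "delete", "SQL keyword"),
    ("XSS_SQL_KEYWORDS7", "drop", "SQL keyword"),
    ("XSS_SQL_KEYWORDS8", "truncate", "SQL keyword"),
    ("XSS_SQL_WORDS1", "from", "SQL word"),
    ("XSS_SQL_WORDS2", "into", "SQL word"),
    ("XSS_SQL_WORDS3", "where", "SQL word"),
    ("XSS_SQL_WORDS4", "table", "SQL word"),
]


def load_group(rows, prefix):
    """PARAMVALUEs whose PARAMNAME is <prefix><number>, in numeric order."""
    pattern = re.compile(r"^" + re.escape(prefix) + r"(\d+)$")
    found = []
    for name, value, _ in rows:
        match = pattern.match(name)
        if match:
            found.append((int(match.group(1)), value))
    return [value for _, value in sorted(found)]


def xss_check_required(rows):
    """7.6.1: checks run only when the entry exists and its PARAMVALUE is TRUE."""
    for name, value, _ in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            return value.strip().upper() == "TRUE"
    return False


def _words_in(text, words):
    """Words present in text as whole words, case-insensitively (assumed semantics)."""
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)]


def check_request(rows, params):
    """Return ("allow" | "block", reason) for a mapping of request parameter values."""
    if not xss_check_required(rows):
        return "allow", "XSS_IS_CHECK_REQUIRED absent or not TRUE; checks skipped"
    text = " ".join(str(v) for v in params.values())
    # 7.4: a JavascriptKeyWord together with a JavascriptKeyChar blocks the request.
    js_hits = _words_in(text, load_group(rows, "XSS_JS_KEYWORDS"))
    meta_hits = [c for c in load_group(rows, "XSS_JS_METACHARS") if c in text]
    if js_hits and meta_hits:
        return "block", f"XSS: keyword {js_hits[0]!r} with meta character {meta_hits[0]!r}"
    # 7.5: an SQLKeyWord together with an SQLWord blocks the request.
    sql_kw_hits = _words_in(text, load_group(rows, "XSS_SQL_KEYWORDS"))
    sql_word_hits = _words_in(text, load_group(rows, "XSS_SQL_WORDS"))
    if sql_kw_hits and sql_word_hits:
        return "block", f"SQL injection: keyword {sql_kw_hits[0]!r} with word {sql_word_hits[0]!r}"
    return "allow", "no keyword and meta-character combination found"


def css_logger_line(url, user, reason, when=None):
    """7.6.3: a detection is logged with date, time, URL and user (layout assumed)."""
    when = when or datetime.now(timezone.utc)
    return f"{when:%Y-%m-%d} {when:%H:%M:%S} url={url} user={user} reason={reason}"


if __name__ == "__main__":
    verdict, why = check_request(CONFIGURATION, {"search": "alert('hi')"})
    if verdict == "block":
        print(css_logger_line("/ofsaa/search.jsp", "ofsaauser", why))
```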


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?
Is the information clearly presented?
Do you need more information? If so, where?
Are the examples correct? Do you need more examples?
What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may have already been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs

10. Restart the services.


5 Additional Security Configurations

Refer to this section to perform additional security configurations. The following topics are available:

• Configuration to Restrict Access to Default Web Server Pages
• Configuration to Restrict Display of the Web Server Details
• Configuration to Restrict File Uploads
• Configuration to restrict HTTP methods other than GET/POST
• Configuration to enable unlimited cryptographic policy for Java

5.1 Configuration to Restrict Access to Default Web Server Pages

Following are the configurations to restrict access to the default web server pages in the Apache Tomcat server:

1. Start the Apache Tomcat server by executing the command startup.sh.

2. Log in to the Tomcat Web Application Manager.

3. Undeploy the Examples application from Tomcat: go to the Tomcat Web Application Manager screen and click the Remove link corresponding to the Tomcat Examples application.

4. Shut down the Apache Tomcat server by executing the shutdown.sh file.

5. Comment out the following two sections in CATALINA_HOME/conf/server.xml (if present):

Section I

    <Context path="/examples" docBase="examples" debug="0"
             reloadable="true" crossContext="true">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="localhost_examples_log." suffix=".txt"
              timestamp="true"/>
      <Ejb name="ejb/EmplRecord" type="Entity"
           home="com.wombat.empl.EmployeeRecordHome"
           remote="com.wombat.empl.EmployeeRecord"/>

Section II

      <Environment name="maxExemptions" type="java.lang.Integer"
                   value="15"/>
      <Parameter name="context.param.name" value="context.param.value"
                 override="false"/>
      <Resource name="jdbc/EmployeeAppDb" auth="SERVLET"
                type="javax.sql.DataSource"/>
      <ResourceParams name="jdbc/EmployeeAppDb">
        <parameter><name>user</name><value>sa</value></parameter>
        <parameter><name>password</name><value></value></parameter>
        <parameter><name>driverClassName</name>
          <value>org.hsql.jdbcDriver</value></parameter>
        <parameter><name>driverName</name>
          <value>jdbc:HypersonicSQL:database</value></parameter>
      </ResourceParams>
      <Resource name="mail/Session" auth="Container"
                type="javax.mail.Session"/>
      <ResourceParams name="mail/Session">
        <parameter>
          <name>mail.smtp.host</name>
          <value>localhost</value>
        </parameter>
      </ResourceParams>
      <ResourceLink name="linkToGlobalResource"
                    global="simpleValue"
                    type="java.lang.Integer"/>
    </Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

    <welcome-file>index.html</welcome-file>
    <welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

    <user username="both" password="b$12" roles="tomcat,role1"/>
    <user username="tomcat" password="t$12" roles="tomcat"/>
    <user username="admin" password="a$12" roles="admin,manager"/>
    <user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to remove the web server details from HTTP responses. Modify the httpd.conf file and set:

• the “ServerTokens” parameter to “Prod”
• the “ServerSignature” parameter to “off”

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files of certain types. This configuration applies to all UIs/apps rendered by the platform’s Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the “configuration” schema holds the list of file extensions of the file types that may be attached and uploaded into OFSAA applications. Any attached file whose extension is not listed in this parameter value is blocked. The current release has the values below set for the parameter; the list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg

5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST:

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
    RewriteRule .* - [R=405,L]

2. If the application is not fronted by an HTTP Server, perform the following steps for the WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>PATCH</http-method>
        <http-method>HEAD</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>CONNECT</http-method>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the server where OFSAA is installed.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.
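Before ant.sh rebuilds the EAR/WAR, the web.xml edit can be checked offline. The script below is an added example, not OFSAA code: it parses security-constraint elements, applies servlet-style url-pattern matching, and reports which of the listed methods an empty <auth-constraint/> actually denies; the second fragment, constructed here without the auth-constraint, shows the configuration that silently denies nothing.

```python
"""Audit the HTTP-method restriction described in section 5.4.

Added example (not OFSAA code). It parses web.xml security-constraint
elements and answers whether a request method is denied for a path.
"""
import xml.etree.ElementTree as ET

# Methods the guide restricts when only GET/POST are wanted.
RESTRICTED_METHODS = {"PUT", "PATCH", "HEAD", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample: the section 5.4 snippet wrapped in a minimal <web-app>.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>PATCH</http-method>
      <http-method>HEAD</http-method>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>CONNECT</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

# Constructed weak variant: same collection, but the <auth-constraint/> was
# forgotten, so the container denies nothing for these methods.
WEAK_WEB_XML = HARDENED_WEB_XML.replace("    <auth-constraint/>\n", "")


def _local(tag):
    """Strip the XML namespace from a tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct child elements with the given local name."""
    return [c for c in elem if _local(c.tag) == name]


def _pattern_matches(pattern, path):
    """Servlet-style url-pattern matching: default, prefix, extension, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def denied_methods(web_xml, path):
    """HTTP methods that an empty <auth-constraint/> denies for path.

    The sentinel '*' means every method (a collection with no <http-method>).
    Constraints without an auth-constraint, or with role names, are skipped:
    they grant access or require a role rather than deny outright.
    """
    root = ET.fromstring(web_xml)
    denied = set()
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        auth = _children(constraint, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue
        for collection in _children(constraint, "web-resource-collection"):
            patterns = [p.text.strip() for p in _children(collection, "url-pattern")]
            methods = [m.text.strip().upper() for m in _children(collection, "http-method")]
            if any(_pattern_matches(p, path) for p in patterns):
                denied.update(methods or {"*"})
    return denied


def is_allowed(web_xml, method, path):
    """True if the container would let method through to path."""
    denied = denied_methods(web_xml, path)
    return "*" not in denied and method.upper() not in denied


def missing_restrictions(web_xml, path="/"):
    """Methods from RESTRICTED_METHODS that web_xml still allows for path."""
    return {m for m in RESTRICTED_METHODS if is_allowed(web_xml, m, path)}


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, "still allows:", sorted(missing_restrictions(doc)) or "nothing")
```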

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java lets you use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity and authentication
• Authenticating the client by validating its certificate
• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
• Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, while on the client the JDBC thin driver can use different formats to store the client’s certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet whose store type is SSO, using OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. It also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This function checks whether the user has rights to access the web page being requested.

7.3 Vulnerability Checks

This function checks for intrusion and Cross-site Scripting vulnerabilities. Currently the check covers the following groups of keywords and key characters, all held as PARAMNAME entries in the Configuration table:

• JavascriptKeyWords - XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
• JavascriptKeyChars - XSS_JS_METACHARS1 to XSS_JS_METACHARS10
• SQLKeyWords - XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
• SQLWords - XSS_SQL_WORDS1 to XSS_SQL_WORDS4
• SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
• SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta chars, such as “ ‘ ( ) < or >), then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.

7.5 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) during the XSS check, then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of every keyword and key character scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry is available in the CONFIGURATION table in the Configuration Schema. The cross-site checks are not performed if the entry is absent or its PARAMVALUE is FALSE. By default, PARAMVALUE is set to “TRUE”.

PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is to be enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and a DESCRIPTION (optional) to the configuration table. The ending numeral of the new PARAMNAME should be higher than any other number in the group.

For example, to exclude the evaluation of the JS keyword “return”, which has the PARAMNAME XSS_JS_KEYWORDS1, update the keyword numeral to XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory <deployed context>/logs. It records the date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice: enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.
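A working model of the checks in 7.4, 7.5, 7.6.1 and 7.6.3 follows as an added example; it is not the Filter Servlet's own code. The configuration rows are constructed from the keywords this guide names (the full scoped list is in Doc ID 2311605.1), the log-line layout is assumed, and the last sample request shows that ordinary English can also trip a keyword filter, the situation in which the keyword exclusion of 7.6.2 is used.

```python
"""Model of the Filter Servlet vulnerability checks (sections 7.3 to 7.6).

Added example, not the OFSAA Filter Servlet's own code. CONFIG_ROWS is
constructed from the keywords the guide names; the log-line format is an
assumption, not the real CSSLogger.log layout.
"""
import datetime
import re

# Constructed CONFIGURATION rows: (PARAMNAME, PARAMVALUE, DESCRIPTION).
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE", "Parameter to decide whether XSS check is to be enabled or not"),
    ("XSS_JS_KEYWORDS1", "return", "JS keyword"),
    ("XSS_JS_KEYWORDS2", "alert", "JS keyword"),
    ("XSS_JS_KEYWORDS3", "script", "JS keyword"),
    ("XSS_JS_KEYWORDS4", "javascript", "JS keyword"),
    ("XSS_JS_KEYWORDS5", "vbscript", "JS keyword"),
    ("XSS_JS_METACHARS1", '"', "JS meta char"),
    ("XSS_JS_METACHARS2", "'", "JS meta char"),
    ("XSS_JS_METACHARS3", "(", "JS meta char"),
    ("XSS_JS_METACHARS4", ")", "JS meta char"),
    ("XSS_JS_METACHARS5", "<", "JS meta char"),
    ("XSS_JS_METACHARS6", ">", "JS meta char"),
    ("XSS_SQL_WORDS1", "from", "SQL word"),
    ("XSS_SQL_WORDS2", "into", "SQL word"),
    ("XSS_SQL_WORDS3", "where", "SQL word"),
    ("XSS_SQL_WORDS4", "table", "SQL word"),
] + [
    (f"XSS_SQL_KEYWORDS{i}", kw, "SQL keyword")
    for i, kw in enumerate(
        ["alter", "insert", "select", "create", "update", "delete", "drop", "truncate"], 1)
]


def config_value(rows, name, default=None):
    """PARAMVALUE of a single PARAMNAME, or default when the row is absent."""
    return next((v for n, v, _ in rows if n == name), default)


def config_group(rows, prefix):
    """PARAMVALUEs of PREFIX1, PREFIX2, ... in ascending numeric order."""
    pat = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    found = []
    for n, v, _ in rows:
        m = pat.match(n)
        if m:
            found.append((int(m.group(1)), v))
    return [v for _, v in sorted(found)]


def _has_word(text, words):
    """True if any of words occurs as a whole token in (lower-cased) text."""
    return any(re.search(r"\b" + re.escape(w.lower()) + r"\b", text) for w in words)


def _log_line(now, url, user, reason):
    """Assumed layout carrying the fields 7.6.3 names: date, time, URL and user."""
    now = now or datetime.datetime.now()
    return f"{now:%Y-%m-%d %H:%M:%S} url={url} user={user} {reason}"


def check_request(rows, url, params, user, now=None):
    """Apply the XSS and SQL-injection combination checks to one request.

    Returns (blocked, log_line). Following 7.6.1, a missing or FALSE
    XSS_IS_CHECK_REQUIRED row disables both checks.
    """
    if str(config_value(rows, "XSS_IS_CHECK_REQUIRED", "FALSE")).upper() != "TRUE":
        return False, None
    js_keywords = config_group(rows, "XSS_JS_KEYWORDS")
    js_metachars = config_group(rows, "XSS_JS_METACHARS")
    sql_words = config_group(rows, "XSS_SQL_WORDS")
    sql_keywords = config_group(rows, "XSS_SQL_KEYWORDS")
    for name, value in params.items():
        text = value.lower()
        # 7.4: a JS keyword alone is not enough; keyword plus meta char blocks.
        if _has_word(text, js_keywords) and any(c in text for c in js_metachars):
            return True, _log_line(now, url, user, f"XSS check: parameter {name}")
        # 7.5: a SQL word combined with a SQL keyword blocks.
        if _has_word(text, sql_words) and _has_word(text, sql_keywords):
            return True, _log_line(now, url, user, f"SQL injection check: parameter {name}")
    return False, None


# Constructed sample requests (parameter name -> value).
SAMPLE_REQUESTS = {
    "benign_keyword": {"note": "return to the main menu"},     # keyword, no meta char
    "reflected_xss": {"q": "<script>alert(1)</script>"},         # keyword + meta chars
    "sql_injection": {"sort": "1; select * from t_user"},        # SQL word + keyword
    "false_positive": {"comment": "select the table you want"},  # plain English, still blocked
}

if __name__ == "__main__":
    for label, params in SAMPLE_REQUESTS.items():
        blocked, line = check_request(CONFIG_ROWS, "/ofsaa/search", params, "user1")
        print(f"{label:15} blocked={blocked} {line or ''}")
```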


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords / Key Characters
      • 7.6.3 Debug Logs
Page 23: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT ACCESS TO DEFAULT WEB SERVER PAGES

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 23

5 Additional Security Configurations

Refer to this section to perform additional security configurations The following topics are available

Configuration to Restrict Access to Default Web Server Pages

Configuration to Restrict Display of the Web Server Details

Configuration to Restrict File Uploads

Configuration to restrict HTTP methods other than GETPOST

Configuration to enable unlimited cryptographic policy for Java

51 Configuration to Restrict Access to Default Web Server

Pages

Following are the configurations to restrict access to default web server pages in the Apache Tomcat

server

1 Start the Apache Tomcat server by executing the command startupsh

2 Log in to the Tomcat Web Application Manager

3 Undeploy the Examples application from Tomcat

Go to the Tomcat Web Application Manager screen and click the Remove link

corresponding to the Tomcat Examples application

4 Shut down the Apache Tomcat Server by executing the shutdownsh file

5 Comment the following two sections from CATALINA_HOMEconfserverxml (if

available)

Section I

ltContext path=examples docBase=examples debug=0

reloadable=true crossContext=truegt

ltLogger className=orgapachecatalinaloggerFileLogger

prefix=localhost_examples_log suffix=txt

timestamp=truegt

ltEjb name=ejbEmplRecord type=Entity

home=comwombatemplEmployeeRecordHome

remote=comwombatemplEmployeeRecordgt

Section II

ltEnvironment name=maxExemptions type=javalangInteger

value=15gt

ltParameter name=contextparamname value=contextparamvalue

override=falsegt

ltResource name=jdbcEmployeeAppDb auth=SERVLET

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT DISPLAY OF THE WEB SERVER DETAILS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 24

type=javaxsqlDataSourcegt

ltResourceParams name=jdbcEmployeeAppDbgt

ltparametergtltnamegtuserltnamegtltvaluegtsaltvaluegtltparametergt

ltparametergtltnamegtpasswordltnamegtltvaluegtltvaluegtltparametergt

ltparametergtltnamegtdriverClassNameltnamegt

ltvaluegtorghsqljdbcDriverltvaluegtltparametergt

ltparametergtltnamegtdriverNameltnamegt

ltvaluegtjdbcHypersonicSQLdatabaseltvaluegtltparametergt

ltResourceParamsgt

ltResource name=mailSession auth=Container

type=javaxmailSessiongt

ltResourceParams name=mailSessiongt

ltparametergt

ltnamegtmailsmtphostltnamegt

ltvaluegtlocalhostltvaluegt

ltparametergt

ltResourceParamsgt

ltResourceLink name=linkToGlobalResource

global=simpleValue

type=javalangIntegergt

ltContextgt

6 Delete CATALINA_HOMEwebappsROOTindexjsp file

7 Create a blank file CATALINA_HOMEwebappsROOTindexhtml

8 Comment the following two tags from CATALINA_HOMEconfwebxml file

ltwelcome-filegtindexhtmltwelcome-filegt

ltwelcome-filegtindexjspltwelcome-filegt

9 Change the default passwords of Tomcat users in CATALINA_HOMEconftomcat-

usersxml file

Following are some examples

ltuser username=both password=b$12 roles=tomcatrole1gt

ltuser username=tomcat password=t$12 roles=tomcatgt

ltuser username=admin password=a$12 roles=adminmanagergt

ltuser username=role1 password=r$12 roles=role1gt

52 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details from http responses

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT FILE UPLOADS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25

Modify the httpdconf file and set

ldquoServerTokensrdquo parameter to ldquoProdrdquo

ldquoServerSignaturerdquo parameter to ldquooffrdquo

53 Configuration to Restrict File Uploads

Following is the configuration to restrict upload of files with certain file types This configuration is

applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The

parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo

schema holds the list of file extensions for valid file types that are allowed to be attached and

uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in

this parameter value will be blocked The current release has the below values set for the parameter

This list is extensible

DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and

jpeg

54 Configuration to restrict HTTP methods other than

GETPOST

Following configuration is required to restrict HTTP methods other than GETPOST

1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM

HTTP Server)

RewriteEngine On

RewriteCond REQUEST_METHOD ^(GET|POST)

RewriteRule - [R=405L]

2 If the application is not configured with HTTP Server perform the following steps in case of

WebLogic and WebSphere application servers

a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file

ltsecurity-constraintgt

ltweb-resource-collectiongt

ltweb-resource-namegtrestricted methodsltweb-resource-namegt

lturl-patterngtlturl-patterngt

lthttp-methodgtPUTlthttp-methodgt

lthttp-methodgtPATCHlthttp-methodgt

lthttp-methodgtHEADlthttp-methodgt

lthttp-methodgtDELETElthttp-methodgt

lthttp-methodgtOPTIONSlthttp-methodgt

lthttp-methodgtTRACElthttp-methodgt

lthttp-methodgtCONNECTlthttp-methodgt

ltweb-resource-collectiongt

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26

ltauth-constraintgt

ltsecurity-constraintgt

b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server

c Execute antsh to regenerate ltCONTEXTNAMEgtearwar

d Re-deploy the EARWAR file onto your configured web application server For more

information on deploying EAR WAR file refer to the Post Installation Configuration section

in Oracle Financial Services Advanced Analytical Applications Infrastructure Application

Pack Installation and Configuration Guide

55 Configuration to enable unlimited cryptographic policy for

Java

Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For

more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical

Applications Infrastructure Administration Guide

SECURE DATABASE CONNECTION

CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27

6 Secure Database Connection

The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The

Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data

integrity When a network connection over SSL is initiated the client and server perform a handshake

that includes

Negotiating a cipher suite for encryption data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected

Client and server exchange key information using public key cryptography

To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet

Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can

use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12

This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin

driver with Oracle wallet having storetype as SSO with OraclePKIProvider

61 Configurations for Connecting OFSAA to Oracle Database

using Secure Database Connection (TCPS)

For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure

Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration

Guide

APPENDIX A - FILTER SERVLET

INTRODUCTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28

7 Appendix A - Filter Servlet

This section consists of information related to Filter Servlet and the required configurations This

section also lists out the Keywords and Key Characters

NOTE This section is applicable for releases 800xx to 805xx

71 Introduction

Filter Servlet is a controller in the web-container whose functions are the following

72 Security and Access

This functionality checks whether a user has rights to access a web page that is trying to be accessed

73 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for

the following group of keywords key characters

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to

XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to

XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to

XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in

Configuration table

74 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of

any JavascriptKeyWords with the JavascriptKeyChars

For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as

Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)

such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, Table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate), the vulnerability check blocks the request and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION columns, for the list of keywords and key characters scoped for filtering.

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry is available in the CONFIGURATION table in the Configuration Schema. The cross-site checks are not performed if the entry is not present or if its PARAMVALUE is FALSE. By default, PARAMVALUE is set to "TRUE".

PARAMNAME               PARAMVALUE   DESCRIPTION
XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with a PARAMVALUE and an optional DESCRIPTION to the CONFIGURATION table. The ending numeral in the new PARAMNAME must be higher than any other number in the group.

For example, to exclude the evaluation of the JS keyword "return", which has the PARAMNAME XSS_JS_KEYWORDS1, update the keyword numeral to XSS_JS_KEYWORDS12, assuming the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 DebugLogs

When the application detects a vulnerability, a message is displayed on the front-end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory <deployed context>/logs. It records the date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice: enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?

Is the information clearly presented?

Do you need more information? If so, where?

Are the examples correct? Do you need more examples?

What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, wherein any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords / Key Characters
      • 7.6.3 DebugLogs

          type="javax.sql.DataSource"/>
<ResourceParams name="jdbc/EmployeeAppDb">
  <parameter><name>user</name><value>sa</value></parameter>
  <parameter><name>password</name><value></value></parameter>
  <parameter><name>driverClassName</name>
    <value>org.hsql.jdbcDriver</value></parameter>
  <parameter><name>driverName</name>
    <value>jdbc:HypersonicSQL:database</value></parameter>
</ResourceParams>
<Resource name="mail/Session" auth="Container"
          type="javax.mail.Session"/>
<ResourceParams name="mail/Session">
  <parameter>
    <name>mail.smtp.host</name>
    <value>localhost</value>
  </parameter>
</ResourceParams>
<ResourceLink name="linkToGlobalResource"
          global="simpleValue"
          type="java.lang.Integer"/>
</Context>

6. Delete the CATALINA_HOME/webapps/ROOT/index.jsp file.

7. Create a blank file CATALINA_HOME/webapps/ROOT/index.html.

8. Comment out the following two tags in the CATALINA_HOME/conf/web.xml file:

<welcome-file>index.html</welcome-file>
<welcome-file>index.jsp</welcome-file>

9. Change the default passwords of the Tomcat users in the CATALINA_HOME/conf/tomcat-users.xml file. Following are some examples:

<user username="both" password="b$12" roles="tomcat,role1"/>
<user username="tomcat" password="t$12" roles="tomcat"/>
<user username="admin" password="a$12" roles="admin,manager"/>
<user username="role1" password="r$12" roles="role1"/>

5.2 Configuration to Restrict Display of the Web Server Details

Following are the configurations to restrict the display of the web server details in HTTP responses.

Modify the httpd.conf file and set:

  the "ServerTokens" parameter to "Prod"
  the "ServerSignature" parameter to "off"

5.3 Configuration to Restrict File Uploads

Following is the configuration to restrict the upload of files of certain file types. This configuration applies to all UIs/apps that are rendered by the platform's Forms Framework module. The parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the "configuration" schema holds the list of file extensions for the valid file types that are allowed to be attached and uploaded into OFSAA applications. Any file being attached whose extension is not listed in this parameter value is blocked. The current release has the values below set for the parameter; this list is extensible.

DOCUMENT_ALLOWED_EXTENSION --> txt, pdf, doc, Doc, html, htm, xls, zip, jar, xml, jpg, bmp and jpeg

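As an added illustration of the allow-list rule above (not the Forms Framework's own code), the check below applies the extension list stated for DOCUMENT_ALLOWED_EXTENSION and adds a content-signature comparison for the binary types on it; judging by the last suffix only, matching case-insensitively, and the signature table are this example's assumptions.

```python
"""Extension allow-list check modelled on DOCUMENT_ALLOWED_EXTENSION
(section 5.3). Added example, not the Forms Framework code: the parameter
value is the list the guide gives; the matching rules (last suffix only,
case-insensitive) and the signature check are this example's assumptions."""
import os

# DOCUMENT_ALLOWED_EXTENSION as listed in section 5.3 (the list is extensible).
DOCUMENT_ALLOWED_EXTENSION = "txt,pdf,doc,Doc,html,htm,xls,zip,jar,xml,jpg,bmp,jpeg"

# Leading bytes of the binary types on the list. A name ending in .pdf says
# nothing about the bytes, so the content is checked as well where a
# signature exists; txt/html/htm/xml have none and pass on extension alone.
SIGNATURES = {
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",), "jar": (b"PK\x03\x04",),
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",),
}


def parse_allowed(value):
    """Split the comma-separated parameter into a set of lower-case
    extensions, so the 'doc' and 'Doc' entries collapse into one."""
    return {e.strip().lstrip(".").lower() for e in value.split(",") if e.strip()}


def extension_of(filename):
    """Extension to judge by: the final path component (clients may send a
    full path) and the last suffix only, so 'report.pdf.exe' is judged as
    'exe'. Returns '' for names without a usable extension ('README',
    '.htaccess', 'report.')."""
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    return ext[1:].lower() if root and len(ext) > 1 else ""


def is_upload_allowed(filename, head, allowed=None):
    """Return (allowed, reason) for an upload. head is the first bytes of the
    file content as read server-side, not the client-declared type."""
    if allowed is None:
        allowed = parse_allowed(DOCUMENT_ALLOWED_EXTENSION)
    ext = extension_of(filename)
    if not ext:
        return False, "no file extension"
    if ext not in allowed:
        return False, f"extension '{ext}' not in DOCUMENT_ALLOWED_EXTENSION"
    sigs = SIGNATURES.get(ext)
    if sigs and not any(head.startswith(s) for s in sigs):
        return False, f"content does not match a {ext} file"
    return True, "ok"


if __name__ == "__main__":
    samples = [  # constructed (filename, leading bytes) pairs
        ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
        ("report.pdf", b"MZ\x90\x00\x03\x00"),
        ("report.pdf.exe", b"MZ\x90\x00\x03\x00"),
        ("C:\\Users\\jane\\notes.TXT", b"quarterly figures"),
        ("README", b"no extension"),
        ("bundle.Jar", b"PK\x03\x04\x14\x00"),
    ]
    for name, head in samples:
        print(f"{name!r:32} -> {is_upload_allowed(name, head)}")
```

Note that html, htm, xml and jar are on the shipped list; files with those extensions are active content if they are ever served back inline, so how uploaded files are stored and returned deserves the same attention as the list itself.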
5.4 Configuration to restrict HTTP methods other than GET/POST

The following configuration is required to restrict HTTP methods other than GET/POST.

1. Modify the httpd.conf file of the HTTP Server (Apache HTTP Server/Oracle HTTP Server/IBM HTTP Server):

RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST)$
RewriteRule .* - [R=405,L]

2. If the application is not configured with an HTTP Server, perform the following steps for the WebLogic and WebSphere application servers:

a. Add the following snippet to the $FIC_HOME/ficweb/webroot/WEB-INF/web.xml file:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>PUT</http-method>
    <http-method>PATCH</http-method>
    <http-method>HEAD</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>CONNECT</http-method>
  </web-resource-collection>
  <auth-constraint/>
</security-constraint>

b. Navigate to the $FIC_WEB_HOME directory on the server where OFSAA is installed.

c. Execute ant.sh to regenerate <CONTEXTNAME>.ear/.war.

d. Re-deploy the EAR/WAR file onto your configured web application server. For more information on deploying the EAR/WAR file, refer to the Post Installation Configuration section in the Oracle Financial Services Advanced Analytical Applications Infrastructure Application Pack Installation and Configuration Guide.

5.5 Configuration to enable unlimited cryptographic policy for Java

Enabling the unlimited cryptographic policy for Java lets you use AES-256 keys for encryption. For more information, see the Enabling Unlimited Cryptographic Policy section in the OFS Analytical Applications Infrastructure Administration Guide.


6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its Standard Edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

  • Negotiating a cipher suite for encryption, data integrity and authentication
  • Authenticating the client by validating its certificate
  • Authenticating the server by verifying that its Distinguished Name (DN) is the expected one
  • Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server the configuration requires a wallet, while on the client the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document details the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet whose store type is SSO, through OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section consists of information related to the Filter Servlet and the required configurations. It also lists the Keywords and Key Characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

The Filter Servlet is a controller in the web container whose functions are the following.

7.2 Security and Access

This functionality checks whether a user has the rights to access the web page that is being requested.

7.3 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerabilities. Currently, the check covers the following groups of keywords and key characters, all of which are held in the CONFIGURATION table:

  • JavascriptKeyWords - PARAMNAME XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13
  • JavascriptKeyChars - PARAMNAME XSS_JS_METACHARS1 to XSS_JS_METACHARS10
  • SQLKeyWords - PARAMNAME XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23
  • SQLWords - PARAMNAME XSS_SQL_WORDS1 to XSS_SQL_WORDS4
  • SQLTOKENS - XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8
  • SQLOPERATORS - XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains a combination of any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (Meta Chars, such as " ' ( ) < > and others), the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1), which contains the PARAMNAME, PARAMVALUE and DESCRIPTION columns, for the list of keywords and key characters scoped for filtering.

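To make the combination rules of sections 7.3 to 7.6 concrete, here is an added model of the check in Python (not OFSAA's Filter Servlet code); the CONFIGURATION rows are constructed samples rather than the product's real lists, and whole-word, case-insensitive matching inside each parameter value is an assumption of the model.

```python
"""Model of the OFSAA Filter Servlet vulnerability check (Appendix A,
sections 7.3 to 7.6). Added example, not OFSAA code: the rows below are a
constructed sample of the CONFIGURATION table, not the product's real lists
(those are in the My Oracle Support document), and matching per parameter,
whole-word and case-insensitively, is this example's assumption."""
import re
from collections import defaultdict

# Constructed sample rows: (PARAMNAME, PARAMVALUE). The group is given by the
# PARAMNAME prefix; the trailing numeral only distinguishes entries.
SAMPLE_CONFIG = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

GROUP_RE = re.compile(
    r"^(XSS_(?:JS|SQL)_(?:KEYWORDS|METACHARS|WORDS|TOKENS|OPERATORS))(\d+)$")


def load_groups(rows):
    """Fold the numbered PARAMNAMEs into one list per group.

    Returns (check_enabled, groups). As in section 7.6.1, the check is off
    when XSS_IS_CHECK_REQUIRED is absent or its value is not TRUE."""
    enabled = False
    groups = defaultdict(list)
    for name, value in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            enabled = value.strip().upper() == "TRUE"
            continue
        m = GROUP_RE.match(name)
        if m:
            groups[m.group(1)].append((int(m.group(2)), value))
    # Order by the trailing numeral so row order in the table does not matter.
    return enabled, {g: [v for _, v in sorted(items)] for g, items in groups.items()}


def next_paramname(rows, group):
    """Name for a new entry in a group: section 7.6.2 requires its numeral to
    be higher than every existing numeral in that group."""
    used = [int(m.group(2)) for name, _ in rows
            for m in [GROUP_RE.match(name)] if m and m.group(1) == group]
    return f"{group}{max(used, default=0) + 1}"


def _has_word(text, words):
    # Whole-word match so that "selection" does not count as "select".
    return any(re.search(r"\b" + re.escape(w) + r"\b", text, re.IGNORECASE)
               for w in words)


def _has_char(text, chars):
    return any(c in text for c in chars)


def check_request(params, enabled, groups):
    """Return None when the request may pass, else the name of the rule hit.

    params maps HTTP parameter names to their (already decoded) values."""
    if not enabled:
        return None
    for text in params.values():
        # 7.4: any JavascriptKeyWord combined with any JavascriptKeyChar.
        if (_has_word(text, groups.get("XSS_JS_KEYWORDS", ()))
                and _has_char(text, groups.get("XSS_JS_METACHARS", ()))):
            return "XSS"
        # 7.5: any SQLWord combined with any SQLKeyWord.
        if (_has_word(text, groups.get("XSS_SQL_WORDS", ()))
                and _has_word(text, groups.get("XSS_SQL_KEYWORDS", ()))):
            return "SQL_INJECTION"
    return None


if __name__ == "__main__":
    enabled, groups = load_groups(SAMPLE_CONFIG)
    for p in ({"name": "Jane Doe"},
              {"q": "<script>alert(1)</script>"},
              {"report": "select name from accounts"},
              # "return" plus "(" trips the XSS rule on ordinary prose, which
              # is why section 7.6.2 discusses excluding that keyword.
              {"note": "please return the report (draft)"}):
        print(p, "->", check_request(p, enabled, groups))
    print("next JS keyword slot:", next_paramname(SAMPLE_CONFIG, "XSS_JS_KEYWORDS"))
```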
APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 25: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO RESTRICT FILE UPLOADS

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 25

Modify the httpdconf file and set

ldquoServerTokensrdquo parameter to ldquoProdrdquo

ldquoServerSignaturerdquo parameter to ldquooffrdquo

53 Configuration to Restrict File Uploads

Following is the configuration to restrict upload of files with certain file types This configuration is

applicable for all UIs APPs that are rendered out of the platformrsquos Forms Framework module The

parameter DOCUMENT_ALLOWED_EXTENSION in the CONFIGURATION table of the ldquoconfigurationrdquo

schema holds the list of file extensions for valid file types that are allowed to be attached and

uploaded in to OFSAA applications Any files being attached that do not have an extension as listed in

this parameter value will be blocked The current release has the below values set for the parameter

This list is extensible

DOCUMENT_ALLOWED_EXTENSION --gt txt pdf doc Doc html htm xls zip jarxml jpg bmp and

jpeg

54 Configuration to restrict HTTP methods other than

GETPOST

Following configuration is required to restrict HTTP methods other than GETPOST

1 Modify httpdconf file of HTTP Server (Apache HTTP ServerOracle HTTP ServerIBM

HTTP Server)

RewriteEngine On

RewriteCond REQUEST_METHOD ^(GET|POST)

RewriteRule - [R=405L]

2 If the application is not configured with HTTP Server perform the following steps in case of

WebLogic and WebSphere application servers

a Add the following snippet to the $FIC_HOMEficwebwebrootWEB-INFwebxml file

ltsecurity-constraintgt

ltweb-resource-collectiongt

ltweb-resource-namegtrestricted methodsltweb-resource-namegt

lturl-patterngtlturl-patterngt

lthttp-methodgtPUTlthttp-methodgt

lthttp-methodgtPATCHlthttp-methodgt

lthttp-methodgtHEADlthttp-methodgt

lthttp-methodgtDELETElthttp-methodgt

lthttp-methodgtOPTIONSlthttp-methodgt

lthttp-methodgtTRACElthttp-methodgt

lthttp-methodgtCONNECTlthttp-methodgt

ltweb-resource-collectiongt

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26

ltauth-constraintgt

ltsecurity-constraintgt

b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server

c Execute antsh to regenerate ltCONTEXTNAMEgtearwar

d Re-deploy the EARWAR file onto your configured web application server For more

information on deploying EAR WAR file refer to the Post Installation Configuration section

in Oracle Financial Services Advanced Analytical Applications Infrastructure Application

Pack Installation and Configuration Guide

55 Configuration to enable unlimited cryptographic policy for

Java

Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For

more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical

Applications Infrastructure Administration Guide

SECURE DATABASE CONNECTION

CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27

6 Secure Database Connection

The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The

Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data

integrity When a network connection over SSL is initiated the client and server perform a handshake

that includes

Negotiating a cipher suite for encryption data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected

Client and server exchange key information using public key cryptography

To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet

Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can

use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12

This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin

driver with Oracle wallet having storetype as SSO with OraclePKIProvider

61 Configurations for Connecting OFSAA to Oracle Database

using Secure Database Connection (TCPS)

For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure

Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration

Guide

APPENDIX A - FILTER SERVLET

INTRODUCTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28

7 Appendix A - Filter Servlet

This section consists of information related to Filter Servlet and the required configurations This

section also lists out the Keywords and Key Characters

NOTE This section is applicable for releases 800xx to 805xx

71 Introduction

Filter Servlet is a controller in the web-container whose functions are the following

72 Security and Access

This functionality checks whether a user has rights to access a web page that is trying to be accessed

73 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for

the following group of keywords key characters

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to

XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to

XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to

XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in

Configuration table

74 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of

any JavascriptKeyWords with the JavascriptKeyChars

For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as

Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)

such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 26: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

ADDITIONAL SECURITY CONFIGURATIONS

CONFIGURATION TO ENABLE UNLIMITED CRYPTOGRAPHIC POLICY FOR JAVA

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 26

ltauth-constraintgt

ltsecurity-constraintgt

b Navigate to the $FIC_WEB_HOME directory on the OFSAA Installed server

c Execute antsh to regenerate ltCONTEXTNAMEgtearwar

d Re-deploy the EARWAR file onto your configured web application server For more

information on deploying EAR WAR file refer to the Post Installation Configuration section

in Oracle Financial Services Advanced Analytical Applications Infrastructure Application

Pack Installation and Configuration Guide

55 Configuration to enable unlimited cryptographic policy for

Java

Enabling unlimited cryptographic policy for Java enables you to use AES-256 keys for encryption For

more information see the Enabling Unlimited Cryptographic Policy section from the OFS Analytical

Applications Infrastructure Administration Guide

SECURE DATABASE CONNECTION

CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27

6 Secure Database Connection

The Oracle database product supports SSL/TLS connections in its standard edition (since 12c). The Secure Sockets Layer (SSL) protocol provides network-level authentication, data encryption and data integrity. When a network connection over SSL is initiated, the client and server perform a handshake that includes:

• Negotiating a cipher suite for encryption, data integrity and authentication

• Authenticating the client by validating its certificate

• Authenticating the server by verifying that its Distinguished Name (DN) is the expected one

• Exchanging key information between client and server using public key cryptography

To establish an SSL connection, the Oracle database sends its certificate, which is stored in a wallet. Therefore, on the server, the configuration requires a wallet, and on the client, the JDBC thin driver can use different formats to store the client's certificate and key: JKS, Wallet or PKCS12.

This document describes the steps to establish an SSL connection over TLSv1.2 using the JDBC thin driver with an Oracle wallet whose store type is SSO, using OraclePKIProvider.

6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)

For the documentation, see the Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS) section in the OFS Analytical Applications Infrastructure Administration Guide.


7 Appendix A - Filter Servlet

This section contains information about the Filter Servlet and the configurations it requires. It also lists the keywords and key characters.

NOTE: This section is applicable for releases 8.0.0.x.x to 8.0.5.x.x.

7.1 Introduction

Filter Servlet is a controller in the web container whose functions are the following:

7.2 Security and Access

This function checks whether a user has the rights to access the web page being requested.

7.3 Vulnerability Checks

This function checks for intrusion and Cross-site Scripting vulnerabilities. Currently the check covers the following groups of keywords and key characters, identified by their PARAMNAME in the configuration table:

• JavascriptKeyWords: XSS_JS_KEYWORDS1 to XSS_JS_KEYWORDS13

• JavascriptKeyChars: XSS_JS_METACHARS1 to XSS_JS_METACHARS10

• SQLKeyWords: XSS_SQL_KEYWORDS1 to XSS_SQL_KEYWORDS23

• SQLWords: XSS_SQL_WORDS1 to XSS_SQL_WORDS4

• SQLTOKENS: XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

• SQLOPERATORS: XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5

All of these entries are present in the configuration table.

7.4 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of any of the JavascriptKeyWords with any of the JavascriptKeyChars.

For example, if an HTTP request contains any of the JavascriptKeyWords (such as Return, Alert, Script, JavaScript or VBscript) along with any of the JavascriptKeyChars (meta characters such as “, ‘, (, ), < or >), then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of each entry, to view the list of keywords and key characters scoped for filtering.


7.5 SQL Injection

The SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords.

For example, if an HTTP request contains a combination of any of the disallowed SQLWords (such as From, Into, Where, table) with any of the SQLKeyWords (such as Alter, Insert, Select, Create, Update, Delete, Drop, Truncate) for the XSS check, then the request is blocked and an error message is displayed.

See the My Oracle Support Document (Doc ID 2311605.1), which lists the PARAMNAME, PARAMVALUE and DESCRIPTION of each entry, to view the list of keywords and key characters scoped for filtering.
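The combination rule of sections 7.4 and 7.5, modelled in Python as an added example (this is not OFSAA's own Filter Servlet code): it groups constructed PARAMNAME/PARAMVALUE rows built from the keywords quoted above, honours XSS_IS_CHECK_REQUIRED as described in 7.6.1, and returns a verdict plus a CSSLogger.log-style record (7.6.3). Case-insensitive substring matching, the in-memory row list standing in for the configuration table, and the log line layout are assumptions; the full keyword list lives in the My Oracle Support document.

```python
"""Model of the Filter Servlet keyword-combination checks (added example,
not OFSAA code).  Assumed: case-insensitive substring matching; the
configuration table is represented as (PARAMNAME, PARAMVALUE) tuples."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed configuration rows.  Values are the examples the guide quotes,
# not the complete list from the My Oracle Support document.
CONFIG_ROWS = [
    ("XSS_IS_CHECK_REQUIRED", "TRUE"),
    ("XSS_JS_KEYWORDS1", "return"), ("XSS_JS_KEYWORDS2", "alert"),
    ("XSS_JS_KEYWORDS3", "script"), ("XSS_JS_KEYWORDS4", "javascript"),
    ("XSS_JS_KEYWORDS5", "vbscript"),
    ("XSS_JS_METACHARS1", '"'), ("XSS_JS_METACHARS2", "'"),
    ("XSS_JS_METACHARS3", "("), ("XSS_JS_METACHARS4", ")"),
    ("XSS_JS_METACHARS5", "<"), ("XSS_JS_METACHARS6", ">"),
    ("XSS_SQL_KEYWORDS1", "alter"), ("XSS_SQL_KEYWORDS2", "insert"),
    ("XSS_SQL_KEYWORDS3", "select"), ("XSS_SQL_KEYWORDS4", "create"),
    ("XSS_SQL_KEYWORDS5", "update"), ("XSS_SQL_KEYWORDS6", "delete"),
    ("XSS_SQL_KEYWORDS7", "drop"), ("XSS_SQL_KEYWORDS8", "truncate"),
    ("XSS_SQL_WORDS1", "from"), ("XSS_SQL_WORDS2", "into"),
    ("XSS_SQL_WORDS3", "where"), ("XSS_SQL_WORDS4", "table"),
]

# PARAMNAME prefix -> keyword group, as listed in section 7.3.
GROUP_PREFIXES = {
    "XSS_JS_KEYWORDS": "JavascriptKeyWords",
    "XSS_JS_METACHARS": "JavascriptKeyChars",
    "XSS_SQL_KEYWORDS": "SQLKeyWords",
    "XSS_SQL_WORDS": "SQLWords",
}


def load_filter_config(rows):
    """Group the numbered PARAMNAME rows into keyword lists.

    Returns (enabled, groups).  Following 7.6.1, the checks run only when
    XSS_IS_CHECK_REQUIRED is present and its PARAMVALUE is TRUE.
    """
    groups = defaultdict(list)
    enabled = False
    for name, value in rows:
        if name == "XSS_IS_CHECK_REQUIRED":
            enabled = value.strip().upper() == "TRUE"
            continue
        m = re.fullmatch(r"([A-Z_]+?)(\d+)", name)
        if m and m.group(1) in GROUP_PREFIXES:
            groups[GROUP_PREFIXES[m.group(1)]].append(value.lower())
    return enabled, dict(groups)


def _hits(text, words):
    """Return the configured words that occur in the request text."""
    return [w for w in words if w in text]


def check_request(params, config):
    """Return None if the request passes, else (check, detail).

    `params` maps request parameter names to values.  Per 7.4 and 7.5 a
    request is blocked only on a combination: a JS keyword together with a
    JS meta character, or an SQL keyword together with an SQL word.  A lone
    keyword such as "select" or "return" is not enough.
    """
    enabled, groups = config
    if not enabled:
        return None
    text = " ".join(str(v) for v in params.values()).lower()
    js_kw = _hits(text, groups.get("JavascriptKeyWords", []))
    js_mc = _hits(text, groups.get("JavascriptKeyChars", []))
    if js_kw and js_mc:
        return ("XSS", f"keywords={js_kw} metachars={js_mc}")
    sql_kw = _hits(text, groups.get("SQLKeyWords", []))
    sql_w = _hits(text, groups.get("SQLWords", []))
    if sql_kw and sql_w:
        return ("SQL_INJECTION", f"keywords={sql_kw} words={sql_w}")
    return None


def css_log_line(when, url, user, verdict):
    """One CSSLogger.log-style record with the fields named in 7.6.3
    (date, time, URL, user).  The exact layout is an assumption."""
    check, detail = verdict
    return (f"{when:%Y-%m-%d} {when:%H:%M:%S} url={url} user={user} "
            f"check={check} {detail}")


if __name__ == "__main__":
    cfg = load_filter_config(CONFIG_ROWS)
    # Constructed sample requests: only the combinations are blocked.
    for params in ({"q": "select all"}, {"q": "select name from users"},
                   {"comment": "please return my call"},
                   {"comment": "alert('hi')"}):
        verdict = check_request(params, cfg)
        if verdict:
            print(css_log_line(datetime.now(), "/app", "jdoe", verdict))
        else:
            print("passed:", params)
```

Note that the model flags "select name from users" because the keyword and word co-occur, which is the false-positive profile of any such blocklist; it filters request text and does not replace output encoding or bind variables in the application itself.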

7.6 Filter Servlet Configurations

7.6.1 Checking for XSS Vulnerability

The following entry is available in the configuration table in the Configuration Schema. The cross-site checks are not performed if the entry is not present or its PARAMVALUE is FALSE. By default, PARAMVALUE is set to “TRUE”.

PARAMNAME               PARAMVALUE   DESCRIPTION

XSS_IS_CHECK_REQUIRED   TRUE         Parameter to decide whether the XSS check is enabled or not

7.6.2 Exclusion of Keywords / Key Characters

You can exclude a keyword from evaluation by adding a new PARAMNAME with a PARAMVALUE and an optional DESCRIPTION to the configuration table. The ending numeral in the new PARAMNAME must be higher than any other number in the group.

For example, to exclude the evaluation of the JS keyword “return”, which has the PARAMNAME XSS_JS_KEYWORDS1, update the keyword numeral to XSS_JS_KEYWORDS12, considering that the table has 11 other keywords listed under this category. Ensure that the updated number is higher than any other number in the group.

7.6.3 Debug Logs

When the application detects a vulnerability, a message is displayed on the front end and the event is logged in the CSSLogger.log file. By default, the CSSLogger.log file is generated in the directory path <deployed context>/logs. It records the date, time, URL and user.

You can modify the configuration to create the CSSLogger.log file in a directory of your choice. Enter the directory path for the CSS Logger file in the placeholder CSS_LOGGER_PATH in the $FIC_WEB_HOME/webroot/conf/FICWeb.cfg file.


Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

• Did you find any errors?

• Is the information clearly presented?

• Do you need more information? If so, where?

• Are the examples correct? Do you need more examples?

• What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, indicate the title and part number of the documentation along with the chapter/section/page number (if available) and contact Oracle Support.

Before sending us your comments, you might like to ensure that you have the latest version of the document, in which any of your concerns may already have been addressed. You can access the My Oracle Support site, which has all the revised/recently released documents.

• 1 Preface
  • 1.1 Summary
  • 1.2 Audience
    • 1.2.1 Prerequisites for the Audience
  • 1.3 Related Documents
• 2 Secure Configurations
  • 2.1 Security Configurations
• 3 Secure Header Configuration
  • 3.1 Configuration for X-Frame-Options
  • 3.2 Configuration to set Content Security Policy
  • 3.3 Configuration for Referrer Header Validation
• 4 Web Application Server Security Configurations
  • 4.1 Enabling HTTPS Configuration for OFSAA
  • 4.2 Security Configuration for Tomcat
  • 4.3 Security Configuration for WebSphere
    • 4.3.1 Session Management Secure and HttpOnly Configuration
    • 4.3.2 TLS Configuration for WebSphere
    • 4.3.3 Configuring Application Security
    • 4.3.4 Disable Directory Listing
  • 4.4 Security Configuration for WebLogic
• 5 Additional Security Configurations
  • 5.1 Configuration to Restrict Access to Default Web Server Pages
  • 5.2 Configuration to Restrict Display of the Web Server Details
  • 5.3 Configuration to Restrict File Uploads
  • 5.4 Configuration to restrict HTTP methods other than GET/POST
  • 5.5 Configuration to enable unlimited cryptographic policy for Java
• 6 Secure Database Connection
  • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
• 7 Appendix A - Filter Servlet
  • 7.1 Introduction
  • 7.2 Security and Access
  • 7.3 Vulnerability Checks
  • 7.4 Cross Site Scripting
  • 7.5 SQL Injection
  • 7.6 Filter Servlet Configurations
    • 7.6.1 Checking for XSS Vulnerability
    • 7.6.2 Exclusion of Keywords / Key Characters
    • 7.6.3 Debug Logs
Page 27: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

SECURE DATABASE CONNECTION

CONFIGURATIONS FOR CONNECTING OFSAA TO ORACLE DATABASE USING SECURE DATABASE CONNECTION (TCPS)

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 27

6 Secure Database Connection

The Oracle database product supports SSLTLS connections in its standard edition (since 12c) The

Secure Sockets Layer (SSL) protocol provides network-level authentication data encryption and data

integrity When a network connection over SSL is initiated the client and server perform a handshake

that includes

Negotiating a cipher suite for encryption data integrity and authentication

Authenticating the client by validating its certificate

Authenticating the server by verifying that itrsquos Distinguished Name (DN) is expected

Client and server exchange key information using public key cryptography

To establish an SSL connection the Oracle database sends its certificate which is stored in a wallet

Therefore on the server the configuration requires a wallet and on the client the JDBC thin driver can

use different formats to store the clientrsquos certificate and key JKS Wallet or PKCS12

This document details about steps to establish an SSL connection over TLSv12 using the JDBC thin

driver with Oracle wallet having storetype as SSO with OraclePKIProvider

61 Configurations for Connecting OFSAA to Oracle Database

using Secure Database Connection (TCPS)

For the documentation see Configurations for Connecting OFSAA to Oracle Database using Secure

Database Connection (TCPS) section in OFS Analytical Applications Infrastructure Administration

Guide

APPENDIX A - FILTER SERVLET

INTRODUCTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28

7 Appendix A - Filter Servlet

This section consists of information related to Filter Servlet and the required configurations This

section also lists out the Keywords and Key Characters

NOTE This section is applicable for releases 800xx to 805xx

71 Introduction

Filter Servlet is a controller in the web-container whose functions are the following

72 Security and Access

This functionality checks whether a user has rights to access a web page that is trying to be accessed

73 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for

the following group of keywords key characters

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to

XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to

XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to

XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in

Configuration table

74 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of

any JavascriptKeyWords with the JavascriptKeyChars

For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as

Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)

such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 28: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

APPENDIX A - FILTER SERVLET

INTRODUCTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 28

7 Appendix A - Filter Servlet

This section consists of information related to Filter Servlet and the required configurations This

section also lists out the Keywords and Key Characters

NOTE This section is applicable for releases 800xx to 805xx

71 Introduction

Filter Servlet is a controller in the web-container whose functions are the following

72 Security and Access

This functionality checks whether a user has rights to access a web page that is trying to be accessed

73 Vulnerability Checks

This functionality checks for intrusion and Cross-site Scripting vulnerability Currently this check is for

the following group of keywords key characters

JavascriptKeyWords - paramname in configuration table XSS_JS_KEYWORDS1 to

XSS_JS_KEYWORDS13

JavascriptKeyChars - paramname in configuration table XSS_JS_METACHARS1 to

XSS_JS_METACHARS10

SQLKeyWords - paramname in configuration table XSS_SQL_KEYWORDS1 to

XSS_SQL_KEYWORDS23

SQLWords - paramname in configuration table XSS_SQL_WORDS1 to XSS_SQL_WORDS4

SQLTOKENS- XSS_SQL_TOKENS1 to XSS_SQL_TOKENS8

SQLOPERATORS- XSS_SQL_OPERATORS1 to XSS_SQL_OPERATORS5 are present in

Configuration table

74 Cross Site Scripting

A Cross Site Scripting vulnerability check is triggered if the HTTP request contains a combination of

any JavascriptKeyWords with the JavascriptKeyChars

For example if an HTTP request contains a combination of any of the JavascriptKeyWords (such as

Return Alert Script JavaScript or VBscript) along with any of JavascriptKeyChars (Meta Chars)

such as ldquo lsquo ( ) lt gt or then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 29: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

APPENDIX A - FILTER SERVLET

SQL INJECTION

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 29

75 SQL Injection

An SQL Injection vulnerability check filters multiple combinations of SQLKeyWords and SQLWords

For example if an HTTP request contains a combination of any of the disallowed SQLWords (such as

From Into Where table) with any of the SQLKeyWords (such as Alter Insert Select Create Update

Delete Drop Truncate) for XSS check then the request is blocked displaying an error message

You can see the My Oracle Support Document (Doc ID 23116051) containing the PARAMNAME

PARAMVALUE and DESCRIPTION to view the list of keywords and key characters scoped for

filtering

76 Filter Servlet Configurations

761 Checking for XSS Vulnerability

The following entry will be available in the configuration table present in the Configuration Schema

The Cross site Checks will not be performed if the entry is not present or the PARAMVALUE is

FALSE By default PARAMVALUE is set to ldquoTRUErdquo

PARAMNAME PARAMVALUE DESCRIPTION

XSS_IS_CHECK_REQUIRED TRUE Parameter to decide whether XSS check is to be

enabled or not

762 Exclusion of Keywords Key Characters

You can exclude the evaluation of a keyword by adding a new PARAMNAME with PARAMVALUE and

a DESCRIPTION (optional) to the configuration table The ending numeral in the new PARAMNAME

should be higher than any other numbers in the group

For example if you want to exclude the evaluation of JS keyword ldquoreturnrdquo which has the

PARAMNAME XSS_JS_KEYWORDS1 you need to update the keyword numeral to

XSS_JS_KEYWORDS12 considering the table has 11 other keywords listed under this category Ensure

that the updated number is higher than any other numbers in the group

763 DebugLogs

When the application detects a vulnerability a message is displayed on the front-end and it is logged

in the CSSLoggerlog file By default the CSSLoggerlog file is generated in the directory path

ltdeployed contextgtlogs It contains details for date time URL and user

You can modify the configuration to create the CSSLoggerlog file in a directory of your choice

Enter the directory path for the CSS Logger file in the place holder CSS_LOGGER_PATH given in the

$FIC_WEB_HOMEwebrootconfFICWebcfg file

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 11 Summary
    • 12 Audience
      • 121 Prerequisites for the Audience
        • 13 Related Documents
          • 2 Secure Configurations
            • 21 Security Configurations
              • 3 Secure Header Configuration
                • 31 Configuration for X-Frame-Options
                • 32 Configuration to set Content Security Policy
                • 33 Configuration for Referrer Header Validation
                  • 4 Web Application Server Security Configurations
                    • 41 Enabling HTTPS Configuration for OFSAA
                    • 42 Security Configuration for Tomcat
                    • 43 Security Configuration for WebSphere
                      • 431 Session Management Secure and HttpOnly Configuration
                      • 432 TLS Configuration for WebSphere
                      • 433 Configuring Application Security
                      • 434 Disable Directory Listing
                        • 44 Security Configuration for WebLogic
                          • 5 Additional Security Configurations
                            • 51 Configuration to Restrict Access to Default Web Server Pages
                            • 52 Configuration to Restrict Display of the Web Server Details
                            • 53 Configuration to Restrict File Uploads
                            • 54 Configuration to restrict HTTP methods other than GETPOST
                            • 55 Configuration to enable unlimited cryptographic policy for Java
                              • 6 Secure Database Connection
                                • 61 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
                                  • 7 Appendix A - Filter Servlet
                                    • 71 Introduction
                                    • 72 Security and Access
                                    • 73 Vulnerability Checks
                                    • 74 Cross Site Scripting
                                    • 75 SQL Injection
                                    • 76 Filter Servlet Configurations
                                      • 761 Checking for XSS Vulnerability
                                      • 762 Exclusion of Keywords Key Characters
                                      • 763 DebugLogs
Page 30: Oracle Financial Services Analytical Applications ... · Oracle Data Redaction – This is an Oracle Database Advanced Security option to enable the protection of data. It is used

OFS ANALYTICAL APPLICATIONS INFRASTRUCTURE SECURITY GUIDE | 30

Send Us Your Comments

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication

Your input is an important part of the information used for revision

Did you find any errors

Is the information clearly presented

Do you need more information If so where

Are the examples correct Do you need more examples

What features did you like most about this manual

If you find any errors or have any other suggestions for improvement indicate the title and part

number of the documentation along with the chaptersectionpage number (if available) and contact

the Oracle Support

Before sending us your comments you might like to ensure that you have the latest version of the

document wherein any of your concerns have already been addressed You can access My Oracle

Support site which has all the revisedrecently released documents

  • 1 Preface
    • 1.1 Summary
    • 1.2 Audience
      • 1.2.1 Prerequisites for the Audience
    • 1.3 Related Documents
  • 2 Secure Configurations
    • 2.1 Security Configurations
  • 3 Secure Header Configuration
    • 3.1 Configuration for X-Frame-Options
    • 3.2 Configuration to set Content Security Policy
    • 3.3 Configuration for Referrer Header Validation
  • 4 Web Application Server Security Configurations
    • 4.1 Enabling HTTPS Configuration for OFSAA
    • 4.2 Security Configuration for Tomcat
    • 4.3 Security Configuration for WebSphere
      • 4.3.1 Session Management Secure and HttpOnly Configuration
      • 4.3.2 TLS Configuration for WebSphere
      • 4.3.3 Configuring Application Security
      • 4.3.4 Disable Directory Listing
    • 4.4 Security Configuration for WebLogic
  • 5 Additional Security Configurations
    • 5.1 Configuration to Restrict Access to Default Web Server Pages
    • 5.2 Configuration to Restrict Display of the Web Server Details
    • 5.3 Configuration to Restrict File Uploads
    • 5.4 Configuration to restrict HTTP methods other than GET/POST
    • 5.5 Configuration to enable unlimited cryptographic policy for Java
  • 6 Secure Database Connection
    • 6.1 Configurations for Connecting OFSAA to Oracle Database using Secure Database Connection (TCPS)
  • 7 Appendix A - Filter Servlet
    • 7.1 Introduction
    • 7.2 Security and Access
    • 7.3 Vulnerability Checks
    • 7.4 Cross Site Scripting
    • 7.5 SQL Injection
    • 7.6 Filter Servlet Configurations
      • 7.6.1 Checking for XSS Vulnerability
      • 7.6.2 Exclusion of Keywords/Key Characters
      • 7.6.3 DebugLogs