Oracle EPM Security: How Safe Are You? March 11, 2015, Mark Wirth, Principal


TRANSCRIPT

  • Slide 1
  • Oracle EPM Security: How Safe Are You? March 11, 2015 Mark Wirth, Principal
  • Slide 2
  • Has Anyone Heard of FREAK?
  • (Footer on every slide: © 2015 The Hackett Group, Inc. All rights reserved. Reproduction of this document or any portion thereof without prior written consent is prohibited.)
  • Slide 3
  • FREAK: Factoring RSA Export Keys
    • Dates to the 1990s, when US export controls (enforced under the Clinton administration) required weak, export-grade keys in any software or hardware shipped out of the US: commercial-grade keys for use in the US, export-grade (512-bit RSA) keys elsewhere.
    • Enables SSL man-in-the-middle attacks: an attacker on the path rewrites the handshake so that an export cipher suite is negotiated, factors the 512-bit RSA key offline, and can then read and modify the session.
    • About 36% of websites were vulnerable at disclosure (they still accepted export suites).
    • New technologies emerge and cryptography hardens, BUT many simply add new solutions and never remove outdated and vulnerable ones. The export rules were lifted in 2000; the export suites were still in TLS stacks in 2015.
    • As presented: affects Microsoft Windows 7, 8, 8.1 and Server 2003 but not 2008 or "2013" (presumably Server 2012), on the grounds that they do not support the obsolete SSL export ciphers. Caveat: Microsoft's bulletin MS15-031 of March 10, 2015 lists Schannel on all then-supported Windows client and server versions as affected, so every Windows EPM host needs the patch, not only the ones on this list.
    • Affects Apple OS X Mountain Lion, Mavericks and Yosemite.
    • Vulnerable browsers: Chrome versions before 41, Internet Explorer, Safari, the Android Browser and the BlackBerry Browser. Firefox was not affected.
  • Slide 4
  • Security is more than:
    • Authentication and authorization
    • Complex passwords with change policies
    • Physical securing of the data center
    • Firewalls and VLANs
    • Encryption of data
    • Use of RSA tokens and VPN
    • Penetration tests
  • Security is all of this and much more. Security is a structured process, 24 x 7 x 365.
  • Slide 5
  • Firewalls: a firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed not to be secure or trusted, or between tiers of servers/clients (client tier, web tier, application server tier, database tier, etc.).
  • Slide 6
  • Firewalls (diagram)
  • Slide 7
  • Cryptography: the practice and study of techniques for secure communication in the presence of third parties (called adversaries).
    • Diagram: plain text "HUG User Group Chaska, MN" -> encryption algorithm -> cipher text "MuHnoltd3rGYke+NlCoLdzsMe0J4jkd4TvZeKYE=" (ciphertext shown base64-encoded)
  • Slide 8
  • SSL serves 2 purposes
    • Encryption: hiding what is sent from one computer to another.
    • Identification: making sure the computer you are speaking to is one you trust.
    • Handshake in brief: the computers agree how to encrypt; the server sends its certificate; the client says "encrypt from now on"; the server says "encrypt from now on"; communication is encrypted.
    • Trust chain in brief: the company asks a CA for a certificate; the CA creates the certificate and signs it; the certificate is installed on the server; the browser is issued with root certificates; the browser trusts correctly signed certificates.
  • Slide 9
  • Certificates
    • The company asks a trusted third party (the certificate authority) for a certificate for its web server, giving the company name, where it is located and other details.
    • The certificate authority checks the correctness and authenticity of the company.
    • The CA creates the certificate and signs it. The signature is created by condensing all details into a number through a hash function and then encrypting (signing) that number with the CA's private key. The deck names MD5 as the hash; MD5 has been collision-broken since 2004 and was used in 2008 to forge a rogue CA certificate, so require SHA-256 signatures on your certificates and treat an MD5- or SHA-1-signed certificate anywhere in the chain as a finding.
    • The certificate is installed on the server, and the web server is configured to use it.
    • The browser is issued with root certificates and trusts correctly signed certificates: verified.
  • Slide 10
  • How SSL works (steps 1-4)
    • 1 The browser has secure information to send.
    • 2 Sending it unencrypted presents security issues.
    • 3 Initial SSL connection (TCP connection to the server's SSL port).
    • 4 Client SSL Hello: the browser lists the protocol versions and cipher suites it supports and sends a random value.
  • Slide 11
  • How SSL works (steps 5-8)
    • 5 Server SSL Hello response: the server picks the protocol version and cipher suite and sends its own random value.
    • 6 Server SSL certificate (contains the server's public key).
    • 7 Server Hello Done.
    • 8 Certificate verified: the browser checks the signature chain up to a trusted root, the host name, the validity period and, where configured, revocation.
  • Slide 12
  • How SSL works (steps 9-12)
    • 9 Client key exchange: the browser generates the secret for the session and encrypts it with the server's public key; both sides derive the symmetric session keys from it.
    • 10 Data will now be encrypted from the browser (client Change Cipher Spec).
    • 11 Digest of all handshake messages so far, sent under the new keys (client Finished); the server validates that nothing was tampered with.
    • 12 Data will now be encrypted from the server (server Change Cipher Spec).
  • Slide 13
  • How SSL works (steps 13-14)
    • 13 Digest of all handshake messages (server Finished); the browser validates that nothing was tampered with.
    • 14 SSL handshake complete: all data is encrypted with the new symmetric session key. If any validation fails, data arrives out of order or does not contain the right data, the SSL session is terminated and a new one must be started.
    • Caveat: this is the RSA key exchange. Because the session secret is encrypted to the server's RSA public key, a downgrade to a 512-bit export RSA key (FREAK, slide 3) lets an attacker who factors that key recover the session. Ephemeral Diffie-Hellman suites (DHE/ECDHE) do not encrypt the secret to the certificate key and additionally give forward secrecy.
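Whether a FREAK downgrade (slide 3) is even possible is decided by the Client Hello of step 4: a client that never offers an export suite cannot be talked into one. The script below is an added example for this page, not code from the deck or from Oracle. It parses a TLS record carrying a ClientHello, lists the offered cipher suites and flags the export-grade ones. The ClientHello bytes are constructed inline (not a capture); the cipher-suite numbers are the IANA TLS registry values from RFC 2246 / RFC 5246.

```python
"""Parse a TLS ClientHello and flag export-grade (FREAK-bait) cipher suites.

Added example for this page; not code from the Hackett Group deck or from
Oracle. The ClientHello bytes are constructed by hand for the example.
"""
import struct

# RSA and DH "export" suites: 40-bit ciphers keyed through a 512-bit RSA/DH
# key. Offering any of these is what makes a client a FREAK target.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_client_hello(record: bytes) -> dict:
    """Walk TLS record -> Handshake -> ClientHello (step 4 on the slides)
    and return the fields an auditor cares about."""
    content_type, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:  # 22 = handshake record
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != 1:  # 1 = ClientHello
        raise ValueError("not a ClientHello")
    hello = body[4:4 + hs_len]
    pos = 0
    client_version = (hello[pos], hello[pos + 1]); pos += 2
    pos += 32                                # 32-byte client random
    sid_len = hello[pos]; pos += 1 + sid_len  # session id (length-prefixed)
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", hello[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]; pos += 1 + comp_len  # compression methods
    return {
        "record_version": (ver_major, ver_minor),
        "client_version": client_version,
        "cipher_suites": suites,
        "export_suites": [EXPORT_SUITES[s] for s in suites if s in EXPORT_SUITES],
    }


def build_client_hello(suites, version=(3, 1)) -> bytes:
    """Constructed ClientHello in TLS 1.0 framing, used only as sample input.
    Only the fields parse_client_hello reads are populated."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (bytes(version) + b"\x11" * 32 + b"\x00"  # version, random, empty session id
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # suites, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def freak_exposed(record: bytes) -> bool:
    """True if the client offers any export suite: a man in the middle can
    then select it, factor the 512-bit key offline and read the session."""
    return bool(parse_client_hello(record)["export_suites"])


# Sample inputs (constructed): a legacy browser that still advertises export
# suites next to modern ones, and a hardened client that offers only ECDHE.
LEGACY_HELLO = build_client_hello([0xC02F, 0x002F, 0x000A, 0x0003, 0x0008])
HARDENED_HELLO = build_client_hello([0xC02F, 0xC02B, 0xC030])

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY_HELLO), ("hardened", HARDENED_HELLO)):
        info = parse_client_hello(rec)
        print(name, "offers", len(info["cipher_suites"]), "suites; export:",
              info["export_suites"] or "none")
```

Feed it the first record of a capture taken with the network sniffer from slide 21 (the bytes right after the TCP handshake on port 443) to see what the browsers and Java clients in your estate actually offer; the server side of the check is to confirm the offloader, OHS and WebLogic refuse the same suite numbers.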
  • Slide 14
  • How secure is out-of-the-box Oracle EPM?
    • Access control: without SSL, the password passes from the user's browser to the web server in clear text. It is only base64 encoded (to carry characters not allowed in HTTP headers), and base64 is an encoding, not encryption: anyone who can see the traffic decodes it in one step.
    • Shared Services and the EPM System security subsystem use the 128-bit AES encryption algorithm for the passwords stored in the Shared Services repository.
    • WebLogic Server demo SSL certificate: default deployments of Essbase components in secure mode use self-signed certificates to enable SSL communication, mainly for testing purposes. A demo or self-signed certificate gives encryption but no identification: a client configured to accept it cannot tell the real server from an impostor.
    • Use SSL with third-party certificates.
  • Slide 15
  • Oracle EPM supported SSL scenarios: SSL offload; full SSL
  • Slide 16
  • SSL offload
    • Easier and less time-consuming to configure and troubleshoot
    • Secure communication from client to load balancer, but not from load balancer to server or server to server: traffic on the internal network is in the clear, so the segment between the offloader and the EPM servers has to be trusted and firewalled (slide 5)
    • Reduced overhead and performance hit
    • Easier to maintain through SSL updates and certificate expirations
    • Easier to support (Oracle)
    • Less expensive, with a limited number of certificates (2)
  • Slide 17
  • Full SSL
    • More difficult and time-consuming to configure and troubleshoot
    • Secure communication from client to load balancer, load balancer to server and server to server
    • Greater overhead and performance hit
    • More difficult to maintain through SSL updates and certificate expirations
    • Potentially more difficult to support (Oracle): few technicians in support have experience with SSL environments
    • More expensive, with additional certificates
  • Slide 18
  • Oracle EPM SSL-capable components
    • SSL offloader: HTTPS
    • Oracle WebLogic Server (Admin Server, Node Manager): HTTPS
    • Oracle HTTP Server: HTTPS
    • User directories: LDAPS (Oracle Internet Directory; Sun Java System Directory Server; Active Directory on Microsoft Windows Server 2008; Active Directory on Microsoft Windows Server 2003; Novell eDirectory)
    • Databases: JDBC over SSL
    • Internet Information Services: HTTPS
    • Mail server: SMTPS
  • Slide 19
  • Certificates required for Oracle EPM
    • Root CA certificate: the root CA certificate verifies the validity of the certificate that is used to support SSL. It contains the public key against which the private key that was used to sign the certificate is matched to verify the certificate. You can obtain the root CA certificate from the certificate authority that signed your SSL certificates. You need not install a root CA certificate in the Java keystore if you are using certificates from a well-known third-party CA whose root certificate is already installed in the Java keystore. Firefox and Internet Explorer are preloaded with certificates of well-known third-party CAs. If you are acting as your own CA, you must import your CA root certificate into the keystore used by the clients accessed from such browsers.
    • Certificates: one for each Oracle HTTP Server, WebLogic Server, database server, directory server and mail server in your deployment.
    • Two certificates for the SSL offloader: one for external communication and the other for internal communication.
  • Slide 20
  • Oracle EPM SSL-capable components (diagram): Financial Reporting Studio, encrypted RMI; Essbase
  • Slide 21
  • Oracle EPM SSL implementation requirements
    • SSL certificates from a well-known third-party CA, issued for FQDNs (fully qualified domain names)
    • Keytool or Oracle Wallet: create a custom keystore, generate a certificate request, import the signed certificate into the keystore
    • Back up certificates (together with the keystores and their passwords)
    • Monitor certificate expiration dates
    • Security expertise: Windows, WebLogic, Java, IIS, penetration testing
    • Toolbox: network sniffer; Telnet or Netstat/Active Ports (to confirm which ports are listening and that the non-SSL ports are closed)
  • Slide 22
  • Web identity management systems (SSO): Oracle Single Sign-On (OSSO), Oracle Access Manager, Kerberos, SiteMinder
    • SiteMinder flow:
      1. Users try to access a SiteMinder-protected EPM System resource. They use a URL that connects them to the web server that front-ends the SiteMinder policy server; for example, http://WebAgent_Web_Server_Name:WebAgent_Web_ServerPort/interop/index.jsp
      2. The web server redirects users to the policy server, which challenges users for credentials.
      3. After verifying credentials against the configured user directories, the policy server passes the credentials to the web server that hosts the SiteMinder Web Agent.
      4. The web server that hosts the SiteMinder Web Agent redirects the request to the Oracle HTTP Server that front-ends EPM System.
      5. Oracle HTTP Server redirects users to the requested application deployed on WebLogic Server or IIS.
      6. The EPM System component checks provisioning information and serves up content.
    • For this process to work, the user directories that SiteMinder uses to authenticate users must be configured as external user directories in EPM System and configured as trusted.
  • Slide 23
  • Oracle EPM security best practices
    • Implement SSL
    • Change the Shared Services native admin password
    • Complex passwords for all users; no default or well-known passwords such as hyper10n
    • Change database passwords; use a separate database user/password for each database/schema
    • Change service account/DCOM passwords
    • Secure the database drive file system
    • Use transparent data encryption for SQL Server and Oracle Database
    • Do not distribute install/service/DCOM credentials
    • Secure RAF and OHS shares: deny to all except the service account
    • Secure FDM and LCM shares: per user
    • Maintain documentation on certificate expiration dates
  • Slide 24
  • Oracle EPM security best practices (continued)
    • Check the integrity of the static folders: EPMSystem11R1, ORACLE_COMMON, OHS, ODI, JAVA/JRockit (record a hash baseline after patching and compare on a schedule)
    • Secure cookies: EPM System web applications set a cookie to track the session. When setting a cookie, especially a session cookie, the server can set the Secure flag, which forces the browser to send the cookie only over a secure channel. This reduces the risk of session hijacking; it only helps once the application is reached over HTTPS (slide 14).
    • Reduce the SSO token timeout: the default SSO token timeout is 480 minutes. Reduce it, for example to 60 minutes, to minimize reuse of a token if it is exposed.
    • Review security reports: the Security Report contains audit information for the security tasks for which auditing is configured. Generate and review this report from Shared Services Console on a regular basis, especially to identify failed login attempts across EPM System products and provisioning changes.
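The base64-only password of slide 14 and the missing Secure flag of this slide are both visible in one captured request/response pair between a browser and the EPM web tier. The script below is an added example for this page, not code from the deck or from Oracle: it recovers Basic-authentication credentials from a request and reports session cookies set without the Secure or HttpOnly flag. The request and response text are constructed; JSESSIONID is WebLogic's default session cookie name, while the host name, path and the hyper10n password are sample values for the example.

```python
"""Audit a captured browser <-> EPM web-tier exchange for two out-of-the-box
weaknesses: credentials that are only base64-encoded (HTTP Basic
authentication over plain http) and a session cookie set without Secure /
HttpOnly. Added example for this page; not code from the deck or from Oracle.
The messages below are constructed, not captured."""
import base64
from http.cookies import SimpleCookie


def parse_headers(raw: str):
    """Split an HTTP message into (start line, {header: [values]}).
    Repeated headers such as Set-Cookie are kept as a list."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def recover_basic_credentials(request: str):
    """Basic auth is base64, not encryption: one decode returns the password."""
    _, headers = parse_headers(request)
    for value in headers.get("authorization", []):
        scheme, _, token = value.partition(" ")
        if scheme.lower() == "basic":
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return user, password
    return None


def audit_exchange(scheme: str, request: str, response: str) -> list:
    """Return the findings for one request/response pair; scheme is the URL
    scheme the browser used ("http" or "https")."""
    findings = []
    creds = recover_basic_credentials(request)
    if creds and scheme != "https":
        findings.append(f"Basic credentials for '{creds[0]}' sent over {scheme}: "
                        "password recoverable by any on-path observer")
    _, headers = parse_headers(response)
    for raw_cookie in headers.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw_cookie)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"cookie {name} set without Secure: "
                                "browser will also send it over plain http")
            if not morsel["httponly"]:
                findings.append(f"cookie {name} set without HttpOnly: "
                                "readable by script in the page")
    return findings


# Sample messages (constructed). The token is built here so the example
# cannot carry a mistyped base64 string.
BASIC_TOKEN = base64.b64encode(b"admin:hyper10n").decode()
REQUEST = ("GET /interop/index.jsp HTTP/1.1\r\n"
           "Host: epm-web.example.com\r\n"
           f"Authorization: Basic {BASIC_TOKEN}\r\n\r\n")
RESPONSE = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n"
            "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n")
HARDENED_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                     "Content-Type: text/html\r\n"
                     "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    print("out of the box:", audit_exchange("http", REQUEST, RESPONSE))
    print("with SSL and secure cookies:", audit_exchange("https", REQUEST, HARDENED_RESPONSE))
```

Run it against the login request and the first response of a sniffer capture from each tier: in the SSL-offload scenario (slide 16) the hop from the offloader to Oracle HTTP Server is exactly the place where the first finding reappears.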
  • Slide 25
  • Oracle EPM security best practices (continued)
    • Customizing the authentication system for strong authentication: use a custom authentication module to add strong authentication to EPM System; for example, RSA SecurID two-factor authentication in non-challenge-response mode. The custom authentication module is transparent to thin and thick clients and does not require client-side deployment changes.
    • Turning off detailed Financial Management error messages: hide detailed Financial Management error messages containing technical information from users by updating Windows registry entries.
    • Encrypting the UDL file (Financial Management): while configuring Financial Management, EPM System Configurator creates an unencrypted UDL file by default; the file holds the database connection string, credentials included. Encrypt it by selecting the option on the Advanced Database Options page of the Oracle Hyperion Enterprise Performance Management System Configurator, or by running the EncryptHFMUDL utility after configuration is complete.
  • Slide 27
  • Oracle EPM security best practices (continued)
    • Changing default web server error pages: when application servers are not available to accept requests, the web server plug-in for the back-end application server (for example, the Oracle HTTP Server plug-in for Oracle WebLogic Server) returns a default error page that displays plug-in build information. Web servers display their default error page on other occasions as well. Attackers can use this information to find known vulnerabilities on public websites.
    • Regenerate encryption keys:
      • Single Sign-On token encryption key, used to encrypt and decrypt EPM System SSO tokens; stored in the Shared Services Registry.
      • Trusted Services key, used by EPM System components to verify the authenticity of the service that is requesting an SSO token.
      • Provider Configuration encryption key, used to encrypt the password (user DN password for LDAP-enabled user directories) that EPM System security uses to bind with a configured external user directory. This password is set while configuring an external user directory.
  • Slide 28
  • Security patches
    • Critical Patch Updates, Security Alerts and Third Party Bulletin: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
    • Select the correct versions for patching: WebLogic Server, Java/JRockit, Oracle HTTP Server, SOA Suite, Coherence
  • Slide 29
  • System patches: Oracle EPM patches, http://support.oracle.com
  • Slide 30
  • Better safe than sorry
    • Back up Oracle EPM System databases
    • Back up Oracle EPM server file systems: user_projects/domains; user_projects/ /httpConfig; cacerts and keystores (keep the keystore passwords with the backup, stored separately); IIS metabase
  • Slide 31
  • How Secure Are You?
  • Slide 32
  • Amsterdam | Atlanta | Chicago | Frankfurt | Hyderabad | London | Miami | Montevideo | New York | Paris | Philadelphia | San Francisco | Sydney | Vancouver
  • Contact information: Mark T. Wirth, Principal. 864-525-4682 (o) | 864-525-4682 (m) | [email protected]
  • Slide 33
  • Statement of Confidentiality and Usage Restrictions: This document contains trade secrets and information that is sensitive, proprietary, and confidential to The Hackett Group, the disclosure of which would provide a competitive advantage to others. As a result, the information contained herein, including information relating to The Hackett Group's data, equipment, apparatus, programs, software, security keys, specifications, drawings, business information, pricing, tools, taxonomy, questionnaires, and deliverables, including without limitation any benchmark reports and the data and calculations contained therein, may not be duplicated or otherwise distributed without The Hackett Group Inc.'s express written approval. www.thehackettgroup.com