Oracle Tuxedo Security Best Practises

Hi,
I am new to Oracle Tuxedo. I am searching for Tuxedo security best practices. I found a lot of information in the Tuxedo documentation, but if anybody has more information, I am very interested.
Such as:
- ULOG file permissions => The Tuxedo administrator must not have write access to these files, but if I remove this right, can Tuxedo still write to these files?
- tlisten.pw => What is the encryption type, and can I add only one user password or more? Is it true that there is no user login?
- tpsysadm and tpsysop => What are they for? Where are their passwords stored, and how can I change them?
- Use of LLE/SSL => What is the best practice: use of LLE and SSL, just LLE, or just SSL?
Thanks a lot!
Best regards

Hi,
welcome to the wonderful (and sometimes byzantine) world of Tuxedo!
You have a couple of interesting questions and I'll try to shed some light on some of them. Disclaimer: I'll assume that you run Tuxedo on some flavor of Linux or Unix. If you're running on Windows, some of these thoughts won't make much sense to you, sorry about that.
When I install the Tuxedo software, I usually let a dedicated user (e.g. "tuxedo") be the owner of the installed software and files (include files, FML field definitions and so on).
When I create a Tuxedo application, I have a separate user account (e.g. "some_application") running each application. In this way, an application running wild cannot overwrite or delete any Tuxedo system files, nor another application's files, only its own files, due to file system permissions. In this case, "some_application" will execute your Tuxedo servers and also needs to be the owner of the directory where the ULOG will reside (remember that the application needs to be able to create a new file every new day).
The tlisten.pw file is not for "user" passwords; its primary use is to authenticate the different (physical) machines working together in a bridged (clustered) Tuxedo application. It is also used in conjunction with TSAM monitoring, although I have no first-hand experience with that (yet). I've had problems trying to have more than one secret in the tlisten.pw file; your mileage may vary...
When it comes to tpsysadm and tpsysop, you should think of them more as roles rather than actual users. These roles may perform special actions (such as starting/stopping/re-configuring) in your application. Depending on your security settings, any user may (try to) act as tpsysadm and/or tpsysop. Any user passwords you may have are connected to the actual users rather than the roles tpsysadm or tpsysop. All this depends on your settings for SECURITY and AUTHSVC in your ubbconfig. There is no simple/easy answer here, I'm afraid... it all depends on how you have set up your security (USER_AUTH is a good start, but you need to supply an AUTHSVC in that case).
When it comes to encryption, my experience is only with LLE. It simply works. Using SSL, I suspect there will be more challenges setting up certificates and such things. The way I understand it, you either use LLE or SSL for a given type of communication (i.e. WSL or TDOMAIN); you can't use both simultaneously.
Hope this helps and I may be able to elaborate further if there's a particular area that seems particularly foggy :-)
/Per
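To make the reply's advice concrete (SECURITY/AUTHSVC in the ubbconfig, ULOG under the application account's own tree, LLE on BRIDGE links and the WSL), here is an added example that is not part of the thread: a small Python audit that parses a ubbconfig and flags the weak settings. The parameter names are the ubbconfig(5)/WSL(5) ones; the paths, host names, ports and the 128-bit threshold are constructed assumptions for this example.

```python
"""Audit a Tuxedo ubbconfig for the points raised in the thread above.

Parameter names (SECURITY, AUTHSVC, ULOGPFX, MINENCRYPTBITS, WSL -z/-Z) are
ubbconfig(5)/WSL(5) names; paths, hosts, ports and the 128-bit threshold are
constructed assumptions of this example, not values from the thread.
"""
import re
import shlex

SECURITY_RANK = {"NONE": 0, "APP_PW": 1, "USER_AUTH": 2, "ACL": 3, "MANDATORY_ACL": 4}

# Constructed sample with the thread's advice applied: per-user authentication via
# AUTHSVR, ULOG under the application account's own tree, LLE pinned to 128 bits
# on BRIDGE links (*NETWORK) and on the workstation listener (WSL -z/-Z).
HARDENED_UBBCONFIG = """
*RESOURCES
IPCKEY    52001
MASTER    SITE1
MODEL     MP
SECURITY  USER_AUTH
AUTHSVC   "AUTHSVC"                            # service advertised by AUTHSVR
*MACHINES
DEFAULT:  TUXDIR="/opt/oracle/tuxedo"          # owned by "tuxedo", read-only for the app
          APPDIR="/home/some_application/app"  # owned by "some_application"
          TUXCONFIG="/home/some_application/app/tuxconfig"
          ULOGPFX="/home/some_application/app/logs/ULOG"
"host1"   LMID=SITE1
*GROUPS
AUTHGRP   LMID=SITE1 GRPNO=1
WSGRP     LMID=SITE1 GRPNO=2
*NETWORK
SITE1     NADDR="//host1:5000" NLSADDR="//host1:5001"
          MINENCRYPTBITS=128 MAXENCRYPTBITS=128
*SERVERS
AUTHSVR   SRVGRP=AUTHGRP SRVID=100
WSL       SRVGRP=WSGRP SRVID=200 CLOPT="-A -- -n //host1:7000 -z 128 -Z 128"
"""

# The same file as a first cut often looks: no authentication, no LLE anywhere.
WEAK_UBBCONFIG = (HARDENED_UBBCONFIG.replace("USER_AUTH", "NONE")
                  .replace("MINENCRYPTBITS=128 MAXENCRYPTBITS=128", "")
                  .replace(" -z 128 -Z 128", ""))


def parse_ubbconfig(text):
    """*RESOURCES -> {PARAM: value}; every other section -> list of
    (entry_name, {PARAM: value}) with DEFAULT: values folded in."""
    resources, sections, defaults, current, entry = {}, {}, {}, None, {}
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("#", 1)[0])   # '#' opens a comment
        if not tokens:
            continue
        if tokens[0].startswith("*"):
            current = tokens[0][1:].upper()
            sections.setdefault(current, [])
        elif current == "RESOURCES":
            resources[tokens[0].upper()] = tokens[1] if len(tokens) > 1 else ""
        else:
            if "=" not in tokens[0]:                 # a bare token opens a new entry
                name, tokens = tokens[0], tokens[1:]
                if name == "DEFAULT:":
                    entry = defaults.setdefault(current, {})
                else:
                    entry = dict(defaults.get(current, {}))
                    sections[current].append((name, entry))
            for tok in tokens:
                key, _, value = tok.partition("=")
                entry[key.upper()] = value
    return resources, sections


def audit_ubbconfig(text):
    """Return finding strings; an empty list means the checked settings are in order."""
    resources, sections = parse_ubbconfig(text)
    findings = []
    security = resources.get("SECURITY", "NONE").upper()
    if SECURITY_RANK.get(security, 0) < SECURITY_RANK["USER_AUTH"]:
        findings.append(f"SECURITY={security}: clients are not authenticated per user")
    elif not resources.get("AUTHSVC"):
        findings.append(f"SECURITY={security} but no AUTHSVC named; run AUTHSVR and name its service")
    for lmid, params in sections.get("NETWORK", []):
        if int(params.get("MINENCRYPTBITS", "0")) == 0:
            findings.append(f"NETWORK {lmid}: MINENCRYPTBITS=0, BRIDGE traffic may run in the clear")
    for name, params in sections.get("SERVERS", []):
        if name.upper() == "WSL":
            match = re.search(r"(?:^|\s)-z\s*(\d+)", params.get("CLOPT", ""))
            if match is None or int(match.group(1)) == 0:
                findings.append(f"WSL SRVID={params.get('SRVID', '?')}: no non-zero -z, "
                                "workstation clients may connect without LLE")
    return findings


if __name__ == "__main__":
    print("weak:", audit_ubbconfig(WEAK_UBBCONFIG))
    print("hardened:", audit_ubbconfig(HARDENED_UBBCONFIG))
```

File ownership (TUXDIR owned by "tuxedo", APPDIR and the ULOG directory owned by the application account) cannot be expressed in the ubbconfig itself, so the comments only record the intent.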

Similar Messages

  • Project site security best practise - project server 2010

    I have the following requirement.
    Environment:
    Project Server 2010.
    Project sites created from project site templates, so they follow the Project Server security model.
    Requirement:
    There are users who do not need to see anything except the content on the project site. The user does not need to access Project \pwa.
    Question:
    What is the best approach?
    Create SharePoint-based groups for the project site?
    Create a Project Server-based group?

    pgshah570,
    If you are using the automatic synchronization for project site permissions, then the permissions are granted based on the following rules:
    Project managers who have published a project or who have Save Project permissions on a project are added to the Project Managers (Microsoft Project Server) site group.
    Team members with assignments in a project are added to the Team members (Microsoft Project Server) site group.
    Other Project Server users who have View Project Site permission on a project are added to the Readers (Microsoft Project Server) site group. 
    If you are NOT using the automatic synchronization, then project sites are like any other SharePoint sites, and you can use SharePoint groups or AD groups. I recommend using AD groups to grant permissions. The Project Server security groups in this scenario do not have any impact on project site permissions.
    Cheers,
    Prasanna Adavi, Project MVP

  • A Brand New Breed of FREE, Online Events for Oracle Tuxedo Users

    Sorry for the plug, but I'll be giving the keynote at this virtual conference. :-) I would encourage you to register as I believe there will be a lot of new and interesting material covered, as well as some instructional hands on labs. You will be able to download a VirtualBox VM with all the necessary components on it, or run the labs in the Rackspace hosting environment.
    Oracle Tuxedo, a strategic component of Oracle Fusion Middleware, has significantly evolved during the last several years to meet the requirements of today's enterprise applications. With the introduction of features such as native Web services, an extremely easy-to-use new programming model, metadata-driven development, support for the Python/Ruby programming languages and much more, Oracle Tuxedo provides a complete platform for enterprise application development. How do you keep up with all the advances in Oracle Tuxedo?
    Join us at this free, online, multi-language event series to learn how you can get the most out of your existing Tuxedo services and quickly develop new Web applications.
    • Learn new Oracle Tuxedo features from the comfort of your laptop
    • Learn what Python, Ruby, and PHP have to do with Oracle Tuxedo
    • Get hands-on either locally with VirtualBox or hosted via the Cloud
    • Network online with peers, Oracle Tuxedo architects and developers worldwide
    • Live chat in a virtual chatroom
    • Sessions, labs, and live help in LOCAL language!
    • Post-event access to conference material
    • Cloud hands-on labs powered by Rackspace
    Review the agenda details, dates, and language support options.
    Space is limited, so register for this event now!
    For information and to register go to: http://www.oracle.com/goto/otnvdd
    Regards,
    Todd Little
    Oracle Tuxedo Chief Architect

    Hi,
    Tuxedo is unable to make any HTTPS calls other than SOAP/HTTPS. So if you are using web services, then SALT can perform SOAP/HTTPS calls, although I don't believe we support the message signing feature of WS-Security (although you might want to check the SALT 10gR3 or later documentation.)
    We are considering adding support for HTTP/HTTPS directly in Tuxedo, but that feature is not available in any current version of Tuxedo. What exactly are you trying to accomplish?
    Regards,
    Todd Little
    Oracle Tuxedo Chief Architect
    PS It would have been better to start a new thread for this question. :-)

  • BEST PRACTISE on users deletions HR/SU01

    Hi
    We use CUA/SSO.
    The records are fed from HR records and sent to Active Directory (AD).
    AD brings back the records and creates/changes users in SU01.
    A function module populates the CVR (timesheet) parameter depending on whether you are an employee or a contractor.
    Occasionally, our HR department requests records to be deleted by the SAP Support team, for example if the employee or contractor hasn't in fact joined the company.
    Until some time ago, the deletion was causing problems because:
    a) the record does not get deleted in AD and there is no way to send the deletion across afterwards
    b) when AD tries to reprocess that specific record, the LDAP connector will not find it as an HR record, so what happens in SU01, for some reason, is that the VALID FROM field gets wiped out and the CVR parameter for Timesheet also...
    We have changed the process for the deletion; however, I would like to ask if you know what the best practice for this is? HR want to delete the record so it can be re-utilised.
    I cannot delete those records from UMR unless I am 100% sure they have never used the system (will have to check that).
    I hope I have provided enough info on what the issue is.
    Thank you
    Nadia

    Best practice is not to delete.
    > HR want to delete the record so it can be re-utilised
    So many people with the same name? Perhaps a suffix of 2 numbers when the ID naming convention produces a clash. Besides, do your AD admins not want unique names in the AD as well?
    E.g. (just an imperfect example)
    MUSTERMA = Alfred MUSTERMan
    MUSTERMM = Manfred MUSTERMan
    MUSTER01 = Mechtilde MUSTERMuller
    > I cannot delete those records from UMR unless I am 100% sure they have never used the system (will have to check that)
    Surest way is to determine that they have never logged on before. But that does not exclude that records might exist for them, which may eventually do a "user existence check" to be read. One such example is the Security Audit Log, e.g. there may have been failed login attempts.
    Good luck,
    Julius

  • SAP Business One 2007 - SQL Security best practice

    I have a client with a large user base running SAP Business One 2007.
    We are concerned over the use of the SQL sa user and the ability to change the password of this ID from the logon of SAP Business One.
    We therefore want to move to using Windows Authentication (i.e. Trusted Connection) from the SAP BO logon. It appears, however, that this can only work by granting the Windows IDs (of the SAP users) sysadmin access in SQL.
    Does anyone have a better method of securing SAP Business One, or is there a recommended best practice? Any help would be appreciated.
    Damian

    See the Administrator's Guide for best practice.
    You can use SQL Authentication mode; don't tick "Remember password".
    Also check this thread
    SQL Authentication Mode
    Edited by: Jeyakanthan A on Aug 28, 2009 3:57 PM

  • 4400 Controllers - Best Practise for connecting to wired network

    At one time the best practice recommendation for wireless was to treat the traffic as untrusted and separate it from the wired network by firewalls and intrusion detection. A lot of the reason for this was the weakness of WEP. Now with strong authentication and encryption (e.g., WPA2 and EAP-TLS) in use, and the use of wireless controllers, I'm wondering what the industry is recommending (and doing, in case the actions aren't the same as the recommendations).
    Are organizations connecting the wireless controllers directly to the internal network, or are they separating them with a firewall and IDS infrastructure? If the latter, what does the architecture look like? Are there documents on the Cisco site or on the Internet that show how the controllers could be firewalled? Everything I've seen shows connections directly to the internal network. Is firewalling the controller an overreaction to the historical paranoia from the WEP days?

    The argument would be that regardless of what security you put on the wireless, you still don't have the physical security, i.e. someone doesn't need to walk into your building to use your network.
    Beyond that, if you're using strong auth/enc you can currently be considered safe; we have customers using that direct into their LANs (but then, we also have customers with WEP direct into their LANs!)...
    If you are concerned or really need belt 'n' braces security, then go down the firewall/IDS route; there's no harm in it if you have the money. It really depends how much functionality and ease of use you need to balance against it.
    Aaron

  • Request for howto - error processing best practise

    Hi JDev Team. Something I would like to see in a future HOWTO would be error handling in a BC4J/JSP application. What is best practice? How do we make sure that when a database error occurs, we can trap the error and provide a friendly error message, or failing that, at least ensure the standard error is usable by a maintenance programmer? For example, the following error occurs if a referential constraint restricts the delete:
    javax.servlet.jsp.JspException: JBO-26041: Failed to post data to database during "Delete": SQL Statement " DELETE FROM TECHTRANSFER.TTSITES Sites WHERE SITEID=:1".
    In fact the same error message is displayed for almost any database error; the programmer can't fix the problem when he has no idea what it is!! (Same with update and insert.)
    I wasn't going to request this until I had read all of the help available on error processing, but the way this project is going I won't get time. If you think that it is adequately covered in the help, then fine, just let me know where.
    Thanks,
    Simon

    You can enclose your BC4J/JSP code with a try/catch expression. That way, if a failure occurs, you can trap it, display a friendly error, and do whatever you want with the exception.
    What I have been doing for development purposes is send via email a modified errorpage.jsp. Here is what gets emailed to me (*'s in potentially sensitive data) and displayed to the screen (I'm eventually going to replace all the displayed garbage with something friendly):
    An error occured in application PDC User Administration
    User Session Properties:
    Sesion ID: *********
    App ID: *********
    User Name: *********
    User ID: *********
    Priv Role: *********
    Password: *********
    Org No: *********
    First Name: skunitzer
    Last Name: ANALYST
    App Title : PDC User Administration
    Current Url: insertNewUser.jsp
    Specific error is javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Parameters:
    LastName
    Kunitzer
    EmailAddress
    [email protected]
    FirstName
    SteveLiveTest
    OrgNo
    PhoneWorkNo
    I have no phone #
    ExpireDate
    2001-04-26
    ExpireDateString
    jRQiIsFGANIbrGlihGTl[epofZmSNgEkGqbHN@iErHNPRi
    UserID
    UserPrivs
    Exception:
    javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Message:
    JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Localized Message:
    JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    Stack Trace:
    javax.servlet.jsp.JspException: JBO-25013: Too many objects match the primary key oracle.jbo.Key[1423 ].
    at java.lang.Throwable.fillInStackTrace(Native Method)
    at java.lang.Throwable.fillInStackTrace(Compiled Code)
    at java.lang.Throwable.<init>(Compiled Code)
    at java.lang.Exception.<init>(Compiled Code)
    ...Stack Trace goes on but I won't bother with it anymore...
    While not always as specific as I would like, I have not had too much trouble hunting down the errors.

  • Best practise BW Query design for Crystal Reports integration

    Hi all,
    I am looking for a guide on best practices when designing a BW Query to be used as the data foundation for a Crystal Report.
    The scenario is that I am responsible for developing the Crystal Reports part, but not the BW Query part; therefore I would like to provide a list of best practices to the person who is responsible for the Query, and this way make sure that the integration will work as well as possible. The setup is of course using the BO Integration Kit for SAP.
    An example is how to use authorization variables in the query to provide data security. This is just one example; there are probably a number of other things to be aware of. A document containing suggestions for best practices is what I am looking for, or if the document does not exist, input on what should be on such a list.
    Thank you in advance.
    Regards,
    Rasmus

    Hi Rasmus,
    In regards to the best practices for Crystal Reports, you can leverage all the knowledge you have on query design today already. If you are not the person designing the query, I think it is important to make sure the people designing the queries understand how Crystal Reports is leveraging the elements from the BI Query.
    /people/ingo.hilgefort/blog/2008/02/19/businessobjects-and-sap-part-2
    You should try to put as much as possible into the BI query from the logic point of view,
    and you can also build common BI queries; there is no need to build a BI query for each report.
    ingo

  • Best practises for install BPEL

    We are planning to start to use BPEL, but we are having problems finding any documents on best practice for the install of the product.
    1. Should we install on Linux or Windows?
    2. In production we will need fault tolerance; can BPEL do this well?
    3. Does the BPEL monitoring work well?
    We want to install this right the first time rather than just install from the CDs and then try to fix the issues from wrong design later; we have been burnt by doing it this way before.
    Regards
    Sean Bell

    Hi,
    1) Install it on the platform you know best, because
    2) you can only get fault tolerance or high availability on a platform you know how to administer.
    For HA look at
    http://www.oracle.com/technology/products/ias/bpel/pdf/bpel-admin-webinar.pdf
    3) BAM is the word you are searching for:
    http://www.oracle.com/technology/products/integration/bam/index.html

  • Best Practises for Backup & Recovery windows

    Hi All,
    Could you please let me know the following.
    1. Best practices to be followed for backup & recovery on Windows Server 2008
    2. How to plan for DR on Windows
    Regards
    Mohammed. Abdul Muqeet

    Mohammed Abdul Muqeet wrote:
    Hi All,
    Could you please let me know the following.
    1. Best practices to be followed for backup & recovery on Windows Server 2008
    As far as the Oracle database is concerned, best practices on Windows server 2008 are exactly the same as for any other OS.
    http://docs.oracle.com/cd/E11882_01/backup.112/e10642/toc.htm
    (and my own prejudice, developed over 30+ years in this industry and working with Oracle on Windows beginning with Oracle 7.3 on windows 3.11, is that best practice is to stay as far away from Windows as possible)
    2. How to plan for DR on Windows
    As far as the Oracle database is concerned, best practices on Windows Server 2008 are exactly the same as for any other OS.
    Back up everything. Get the backups off site. Perform regular DR drills. Document everything. Keep a copy of the documentation off site. (It doesn't do any good to have the DR manual located such that it gets destroyed in the same disaster that takes out your data center.) Have an off-site DR site.
    While it isn't in your lane as a DBA, you need to keep reminding management that DR is about more than just the database, and even more than just the data center itself. If there is a physical disaster (ask the people in Oklahoma City about that ... over the years, multiple F5 tornadoes, plus a truck bomb) all kinds of infrastructure and documentation issues. What about important records (like the DR manual) that exist only in someone's desk drawer? Where are the business units going to set up shop, and how are they going to connect to the restored database at the DR site?
    I've seen DR manuals that got down to the detail of temporary housing for employees and how to get coffee at the DR site.
    Regards
    Mohammed. Abdul Muqeet
    Edited by: EdStevens on May 23, 2013 7:44 AM

  • Oracle Software Security Assurance Survey Now Available!

    Hi, this is Eric Maurice.
    Oracle and the Independent Oracle User Group (IOUG) have recently launched a security assurance survey. The purpose of this survey is to gather feedback from as many organizations as possible about their security patching practices and to identify which security assurance topics are most relevant to Oracle customers.
    The IOUG participates in Oracle's Security Customer Advisory Council and has worked with Oracle Global Product Security on this survey. The survey will provide meaningful feedback to Oracle about its security programs. For example, this iteration of the survey provides respondents with an opportunity to give feedback about Patch Set Updates (PSUs are a recently introduced type of patches which includes security and non-security fixes, and is available on the day the CPU is published). This survey also provides respondents with a chance to comment on the CPU documentation, provide feedback on how Oracle products are installed by default, etc.
    Survey responses will be kept confidential, and the results will be analyzed jointly by Oracle and IOUG to evaluate Oracle's security assurance practices. The survey is hosted by IOUG's Enterprise Best Practices Special Interest Group (SIG) at http://enterprisesig.oracle.ioug.org/ (free SIG membership is required to access the survey).
    I highly encourage all of you to voice your opinion with this survey!

    Thanks for sharing this.
    regards

  • PHP, Oracle and Security

    I am a systems administrator whose company has contracted out to a web developer to design a website for our customers to purchase our products and have a page that suggests new products that they might be interested in. We run an Oracle DB and build our own in-house applications for access to this Oracle DB using .NET. We currently have our own application service that is built in .NET that allows our current website, built in .NET, to only access certain calls for data from Oracle for security purposes. Our website resides in our DMZ and our DB resides in our LAN. What is the best practice, without putting an Oracle client on the web server, for PHP to talk to Oracle? They want us to do a massive extract of user data onto the web server to a MySQL DB using SOAP, which seems to me to be even less secure than what we have now. Thanks for your help.

    To use one of the DB extensions, PHP needs access to local DB libraries such as Oracle Instant Client or the MySQL client (or PHP's inbuilt MySQL access code in the mysqlnd extension). This is equivalent to needing ODP.NET.
    What kinds of "calls" are you restricting in .NET? Because PHP is open source, you could modify the OCI8 extension to restrict certain statements or operations. But using DB-side access control seems a better way to go, perhaps in conjunction with stored procedures.
    The web company is probably more familiar with MySQL, but duplicating data from Oracle will expose more "surface area" for hackers and require two DB skill sets to secure and maintain.
    Make sure the web company uses bind variables - even with MySQL - to help prevent SQL Injection problems.
    An alternative could be for PHP to access the DB via web services:
    http://download.oracle.com/docs/cd/E11882_01/appdev.112/e10492/xdb_web_services.htm#CHDDBCHB

  • Sql query writing best practises

    Hi forum,
    Does anybody have a tutorial on SQL query writing best practices? Please share it with me.
    Thanks

    For example:
    Oracle Database Performance Tuning Guide 10g Release 2 (10.2): http://download.oracle.com/docs/cd/B19306_01/server.102/b14211/toc.htm
    Oracle SQL Tuning Guide: http://people.aapt.net.au/roxsco/tuning/
    Gints Plivna
    http://www.gplivna.eu

  • Best practises Subversion and Data modeler

    Hello, I'm looking for some best practices regarding Subversion and Data Modeler.
    A team of 10 analysts create several releases of our product over time.
    Within one release you'll find several change requests.
    The application itself contains about 700 tables, so performance is important.
    I want to establish a lean working method where analysts can focus on their job: design.
    Till now I think to create one trunk containing the DB model; let's call it v17.00.
    An analyst could create their designs in separate projects grouped by change request, e.g. CR1234.
    When development starts I would compare the trunk model with their change request to generate the alter script.
    Afterwards I would import their design CR1234 into the trunk.
    Note: it's possible that a change request gets cancelled; that's why I opt for a design per change request.
    This way of working seems much leaner than the setup of branches and merging.
    My opinion, being a novice Subversion user, is that setting up branches and merging is "more complex" and might cause frustration for designers.
    Anyone having a similar setup or advice?
    kr
    chris

    Hi Sam,
    Let me add my two cents here: when speaking about MAN deployments the name of the game is MPLS, so I guess you are using the same on your Cat 6500s and connecting your customers on 3550s using Vlans.
    Regarding your questions:
    a) Upgrading Ethernet to L3 for traffic shaping: This is basically done at the 3550, so I suppose that's what you intend to do; plus you will be letting spokes talk to only the hub site, so inter-Vlan, at least between hub and each spoke, will be required, hence inter-Vlan routing. The other way is to configure P2P circuits between the hub site with Vlan mapping (per spoke) and spoke sites with port mapping; in this scenario inter-Vlan routing is not a necessity.
    b) Security: This depends on what exact architecture you have deployed; in my case I have simply installed a gateway router with BGP peering with PEs, and a separate VRF along with redistribution does the trick.
    Hope I addressed the query correctly; let me know if that helped.
    Cheers
    ~sultan

  • EPM Suit Hyperion schemas best practises

    Hi Experts,
    I am new to Hyperion. In our environment we are implementing EPM Suite 11.1.2.1 &
    Oracle 11.2.0.2 database. I would like to know what the best practice is to create the below
    schemas in Hyperion, and how to create them.
         o HSS – Hyperion Shared Services
         o BIPLUS – Hyperion Reporting & Analysis
         o PLANSYS – Planning System Schema
         o HFM – Hyperion HFM Application
         o EPMA – Enterprise Performance Architect
         o SNPM – ODI Master Repository
         o SNPW – ODI Work Repository
         o DIM – Data Integration Manager
         o EIS – Essbase Integration Server
    Regards
    Mohammed.

    Hi Gurus / Experts ,
    Please advise.
    Regards
    Mohammed
