Obiee Secured

DiscussiononvariousoptionstosecureyourBIdeployment

KiritiMukherjee Protégé SoftwareServices

Outline • Aspects of security • Ov Over ervi view ewo of fOB OBI Ise secu curi rity tyo opt ptio ions ns • How Howto toint integ egra rate tes secu ecuri rity tywi with thE E-B -Bus usin ines ess s Suite • Encr Encryp ypti tion ono of fse sens nsit itiv ive eda data ta

Security:DifferentAspects •  Authentication: Whoshouldgetaccess? •  Authorization: Whatdatamaybeaccessed? •

Monitoring: Isusagebeingaudited?

•

Integration: Doesacommonsecuritymodelneedto applybetweenyourOBIEEdepl applybetweenyourOBIEEdeploymentandeBS oymentandeBS implementation?

•

Encryption: Issensitivedataprotected?

OBIEEPlus

 Authentication • Valida lidate tel log ogon on/ /p pa ass ssw word ord • UseO UseOrac racle leBI BISec Securi urity tyMa Manag nager erto toma manag nages esecu ecurit rity y forarepository. • Setupusers/groups • LDAPusers/groups • SupportsOID,SSO

 Authorization • Manage que query exec xecutio tion • Restrictqueryaccesstospeci Restrictqueryaccesstospecificobjects,incl ficobjects,including uding rowsandcolumns,ortimeperiods • Controlrunawayqueriesbyli Controlrunawayqueriesbylimitingqueries mitingqueriestoa toa specificnumberofrowsormaximumruntime • Limitqueriesbysettingupfilters Limitqueriesbysettingupfiltersforanobject foranobject (typicallyforfacts)

 AccessRestrictions • Acce Access ssto tos sub ubje ject cta are reas as, ,co colu lumn mn-l -lev evel els sec ecur urit ity y

 AccessRestrictions • Restr Restric icta tacc ccess essto toa answ nswer ers sin inth the ecat catal alog og

DataSecurity:Objectfilters • Determine securingattribute • Create an init. blocktoretrieve allowablevalues • Assign the filter toobjectsand granttotheusers orgroups

MonitoringUsage • Track usageto to optim timize • Databaseforqueries •  Aggregationstrategies • Billingusers/groupsbasedonusage

• Two methods • Insertusagedataintodatabasetables • Insertusagedataintologfiles

MonitoringUsage • Mod Modify ifyN NQSConfig.i ig.in ni parameters • Cre Create reportin ting on usagetrackingtable S_NQ_ACCT

IntegratingwithE-BusinessSuite • Int Integration ionas aspects cts • SingleSign-On/Authentication •  ApplicationDataSecurity • DrilltoTransactions

Pre-Requisites • TwoA TwoATG TGpat patche ches( s(555 55567 6799, 99,54 54738 73858) 58).B .Both othar arep epart artof of  11i.ATG_PF.HRUP5 • Clie Client ntb bro rows wser ers sho houl uld dac acce cept ptc coo ooki kies es • OBI(1 OBI(10.1 0.1.3. .3.2o 2orh rhigh igher) er)in insta stalllled edon onthe thesa same medom domain ain

 AuthenticationIntegration

 AuthenticationIntegration:EBS •

Login into EBS

•

Set Setpr prof ofil ile eop opti tion on" "FN FND: D:O Ora racl cle eBu Busi sine ness ssI Int ntel elli lige genc nce e SuiteEEbaseURL"to http://[hostname.domain_name]:[port_number]

•

The TheOB OBIE IEE Eli link nki is s[b [bas ase_ e_ur url] l]/a /ana naly lyti tics cs/ /saw saw.d .dll ll? ? [module_invoked]&acf= • [module_invoked]=DashboardorAnswersand[acf_id]is a10digitnumbergeneratedbyEBS.

•

EBS EBSse send nds sa aco cook okie iet to oth the ebr brow owse serr

 Authentication:Presentationconfig •

Modify instanceconfig.xml forexternalauthentication e"> "/>

• •

Rest Resta artt rtth hePr ePres ese enta ntatio tionse nserv rver er.. Note: OncethePresentationServerissetupasabove,itwillonlysupport externalauthentication.Youwillnolongerbeab externalauthenticati on.Youwillnolongerbeabletologindirectlyinto letologindirectlyinto Presentationserverusinghttp://hostname/analytics Presentationserverusing http://hostname/analytics.Youwillneedtologinto .Youwillneedtologinto EBSfirst.

 Authorization:RepositoryConfig • Set Setup upC Con onne nect ctio ion nPo Pool olp pro rope pert rty y

 Authorization:RepositoryConfig • Creat reate eIn Init itia iali liza zati tion onb blo lock cks sfo for: r: • SecurityContext • Responsibility • Language

DrilltoEBusinessSuite

DrilltoEBusinessSuite:ActionLink •

Iden Identi tify fyt the heE EBS BSA App ppli lica cati tion onp pag age/ e/fu func ncti tion on

•

Identif Identifyt ythe hebas baseE eEBS BStab table leand andcre create atevi view ew(qu (query ery)i )int nthe hemet metada adata ta (1):F (1) :Func unctio tion_i n_id d of thepageyouwantto navigatetoinEBS (2):Securitycontext (2) :Securitycontext

DrilltoEBusinessSuite:ActionLink • Map MapMe Meta tada data taV Vie iew wto toB Bas ase eFa Fact ctT Tab able le

DataEncryption • Encryp Encrypty tyou ours rsens ensiti itive vedat data( a(e.g e.g.s .soci ocial alsec securi urity ty numbers) • Stor Store een encr cryp ypti tion onk key eya and ndd dat ata ain ins sep epar arat ate epl plac aces es • Rendersstolendata/tapesworthless

• Easies Easiestto ttodo doth this isin inthe theda datab tabase ase,n ,not otin inOB OBIEE IEE.U .Use se TransparentDataEncryptio TransparentDataEncryption(TDE)featur n(TDE)featureofOracle eofOracle 10gR2andabove.

HowEncryptionworks •

Can Canen encr cry ypta ptany nyo or ral all lc colum olumns ns

•

Single encrypted table key

•

Sto Stored redin ina as sep epar arat ate elo loc catio ation n (wallet)

•

“Salt” added to prevent same encryptedkeyforidenticalvalue

Encryption:Setup • Spec Specif ify ywa wall llet etl loc ocat atio ion nDe Defa faul ult: t: •

$ORACLE_BASE/admin/$ORACLE_SID/wallet

• Create the wallet •

alter system set encryption key authenticated by “protege";

• Open the wallet •

alter system set encryption wallet open authenticated  by “protege";

EncryptColumns SQL> desc acc cco oun unts ts   Name Type --------------- -----------------  ACC_NO NUMBER    ACC_NAME VARCHAR2(30) SSN VARCHAR2(9) alter tab alter table le acco account unts s modif modify y (ssn (ssn enc encry rypt) pt); ; Table altered. SQL> desc acc cco oun unts ts   Name Type --------------- -----------------  ACC_NO NUMBER    ACC_NAME VARCHAR2(30) SSN VARCHAR2(9) ENCRYPT

Ifthereisabreach… • Ifsome Ifsomeon oned edecr ecrypt yptst sthe hekey keys, s,enc encryp ryptw twith itha adif differ ferent ent algorithm alter table accounts rekey using 'aes256'; -- de defa faul ult t is ae aes1 s192 92

• Ifwall Ifwallet etpas passw sword ordis isle leake aked, d,use useWa Walle lletM tMana anager gerto to • ClosetheWallet • Changethewallet password • Openthewalletfor encryption •  Altertabletorekey

Recap • Aspe Aspect cts sof ofs sec ecur urit ity y–– Auth Authen enti tica cati tion on, ,Au Auth thor oriz izat atio ion, n, Monitoring,Integrationwithothe Monitoring,Integrationwithothersystems(EBS rsystems(EBS),and ),and Encryption • Over Overvi view ewo ofO fOBI BIs sec ecur urit ity yop opti tion ons s–– Secu Securi rity tyM Man anag ager er, , InitializationBlocks,Fil InitializationBlocks,Filters,Accessres ters,Accessrestrictionsinthe trictionsinthe Catalog • Howto Howtoin integ tegrat rates esecu ecurit rityw ywith ithEE-Bus Busine iness ssSui Suite te(SS (SSO O  Authentication,Applicatio  Authentication,ApplicationDataSecurity,D nDataSecurity,Drilldown rilldown totransactionsinEBS) • Encr Encryp ypti tion ono of fse sens nsit itiv ive eda data tai in nth the eda data taba base se

ForMoreInformation..

ThankYou!! • . 600We 600WestC stCumm umming ingsPa sPark, rk,Sui Suite te 4300 Woburn,MA01801 TollFree:(877)927-9899ext8336 Direct:(781)305-8336 E-Mail:[email protected] E-Mail:[email protected] •