About Me

Anjum Ara. I am a technology enthusiast and an ardent reader. My latest interest is virtualization. In my free time I love learning about child nutrition and holistic child development. I bake, read, paint, and do whatever it takes to improve myself every day.

Wednesday, November 29, 2017

Security Hardening of Hyperion 11.1.2.4 Part 1

There have been recurring requests from clients to make the Hyperion Workspace and SmartView URLs available over TLS 1.2 and then pass penetration tests run with various scanning tools. We set up OHS 11.1.1.9 (instead of the default OHS 11.1.1.7) because it supports TLS 1.1 and later. Most of the scanners reported the same set of findings; here are the fixes.

1.   Limit the information the web server presents. Make the following changes in httpd.conf.
Note that a plain "Header unset" on its own did not remove the header; both directives are needed, because "Header" without "always" only acts on the header table of successful responses, while "Header always" acts on the second table that is merged into every response:
Header always unset "X-Powered-By"
Header unset "X-Powered-By"
This removes the X-Powered-By header, which advertises the application technology behind OHS. (screenshot omitted)

2.       To mark every cookie that OHS sends as HttpOnly and Secure, add the following to httpd.conf:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Two caveats: Secure tells browsers never to send the cookie over plain HTTP, so apply this only to the HTTPS virtual host (or after all HTTP traffic is redirected to HTTPS), otherwise logins over HTTP stop working; and the pattern appends the flags unconditionally, so a cookie the application already marks HttpOnly ends up with the attribute twice, which browsers accept but which is untidy.
(screenshot omitted)




3.   Remove any .exe from Workspace

We simply renamed the wspace folder:
E:\Oracle\Middleware\EPMSystem11R1\common\epmstatic\wspace
This stops end users downloading any .exe from Workspace, including the SmartView installer. It defeats the purpose of the download link, but in a controlled environment most end users do not have admin rights to install it anyway; an administrator installs it for them individually. Note that the rename only hides the installers: the files remain on disk, so a file-system ACL or a deny rule in httpd.conf is the more robust control, and Workspace should be checked afterwards to confirm nothing else served from that folder has broken.


4. Set X-Content-Type-Options rather than unsetting it. Scanners flag this header when it is absent, not when it is present: with the value nosniff it stops browsers from guessing a content type different from the one declared, so the directive should be
Header always set X-Content-Type-Options nosniff



5. Remove the Server version

The usual header directives do not work for this:
Header unset Server
Header always unset Server
The reason is that the Server line is added by the core HTTP output filter when the response is written, after mod_headers has run, so there is nothing for the unset to act on. Instead, switch ServerTokens off altogether rather than leaving it on Prod, which still sends the product name:
   #ServerTokens Prod
ServerTokens None

This did the trick. (Stock Apache httpd accepts nothing lower than Prod; None is accepted by OHS, which is why it works here.)


The settings above harden the HTTP server further. I am still working on disabling the HTTP methods the scanners flag, such as OPTIONS, TRACE and DELETE. I have sent the link for the penetration test; if it succeeds, I will post the result in a follow-up.
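To verify the changes above without waiting for the next scanner run, the following added example (not code from the original post or from Oracle) parses raw HTTP responses and reports what a scanner would flag: Server and X-Powered-By disclosure, cookies without HttpOnly or Secure, a missing X-Content-Type-Options: nosniff, and methods in an OPTIONS reply outside an allow-list. The two sample responses are constructed to resemble an unhardened and a hardened OHS front end; the header values, cookie names and the allowed-method set are assumptions for the example, not captured from a real Hyperion system.

```python
"""Offline audit of OHS response headers against the hardening in this post.

Added example, not code from the original post or from Oracle. The sample
responses are constructed to look like an unhardened and a hardened OHS
front end; nothing here was captured from a real Hyperion system.
"""
from email.parser import HeaderParser

# Methods a Workspace/SmartView front end needs (assumption for the example).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Constructed: what a scanner might see before the httpd.conf changes
# (a GET response, with the Allow line from an OPTIONS reply folded in).
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Oracle-HTTP-Server-11g/11.1.1.9.0\r\n"
    "X-Powered-By: Servlet/2.5 JSP/2.1\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/workspace\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE,DELETE\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)

# Constructed: the same response after items 1, 2, 4 and 5 and after the
# extra methods have been disabled.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/workspace;HttpOnly;Secure\r\n"
    "Set-Cookie: lang=en; Path=/;HttpOnly;Secure\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Allow: GET,HEAD,POST\r\n"
    "Content-Type: text/html\r\n"
    "\r\n<html></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (status line, header Message)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_text = head.partition("\r\n")
    return status_line, HeaderParser().parsestr(header_text)


def cookie_attributes(set_cookie_value):
    """Lower-cased attribute names of one Set-Cookie value (after the name=value)."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def audit(raw):
    """Return the list of findings for one raw response; an empty list is clean."""
    _, hdrs = parse_response(raw)
    findings = []
    if hdrs.get("Server"):
        findings.append("Server header discloses: " + hdrs["Server"])
    if hdrs.get("X-Powered-By"):
        findings.append("X-Powered-By discloses: " + hdrs["X-Powered-By"])
    if (hdrs.get("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for cookie in hdrs.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = cookie_attributes(cookie)
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    allow = hdrs.get("Allow")
    if allow:
        exposed = {m.strip().upper() for m in allow.split(",")} - ALLOWED_METHODS
        for method in sorted(exposed):
            findings.append("method enabled: " + method)
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label + ":", audit(sample) or "clean")
```

Against a live server, feed the output of `curl -sI https://host/workspace/` and `curl -sI -X OPTIONS https://host/workspace/` to audit() instead of the constructed samples. For the TRACE finding the Apache directive is `TraceEnable Off`; the others need a Limit or LimitExcept block, which this post has not yet covered.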





Tuesday, November 21, 2017

Groups are not displayed after configuring SQL Authenticator with OBIEE 12C

On a newly installed OBIEE 12c server we configured the SQL Authenticator, but we could not list the groups. There were no errors at first because the data source could not connect to the database at all; once we fixed the warning below, we got errors showing that the tables themselves were wrong.
Here is how we fixed the first warning.

Nov 16, 2017 3:45:21 PM oracle.bi.security.provider.wls.authentication.dbms.SQLGroupProviderDelegateImpl validateConfiguration
WARNING: Configuration validation connection exception
java.sql.SQLException: Connection pool not usable.
        at oracle.bi.security.provider.wls.authentication.dbms.SQLGroupProviderDelegateImpl.getConnection(SQLGroupProviderDelegateImpl.java:488)
        at oracle.bi.security.provider.wls.authentication.dbms.SQLGroupProviderDelegateImpl.validateConfiguration(SQLGroupProviderDelegateImpl.java:208)
        at oracle.bi.security.provider.wls.authentication.dbms.SQLGroupProviderDelegateImpl.<init>(SQLGroupProviderDelegateImpl.java:108)
        at oracle.bi.security.provider.wls.authentication.dbms.SQLGroupAuthenticationProvider.initialize(SQLGroupAuthenticationProvider.java:28)
        at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:60)
        at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
        at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
        at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
        at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
        at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
        at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:297)
        at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:218)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1965)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:498)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:845)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:907)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.preInitialize(CommonSecurityServiceManagerDelegateImpl.java:1189)
        at weblogic.security.service.SecurityServiceManager.preInitialize(SecurityServiceManager.java:570)
        at weblogic.security.PreSecurityService.start(PreSecurityService.java:141)
        at weblogic.server.AbstractServerService.postConstruct(AbstractServerService.java:76)
        at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.glassfish.hk2.utilities.reflection.ReflectionHelper.invoke(ReflectionHelper.java:1262)
        at org.jvnet.hk2.internal.ClazzCreator.postConstructMe(ClazzCreator.java:332)
        at org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:374)
        at org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:471)
Solution:
The documentation says to target the data source at both the Admin Server and the BI managed server, but the data source had not been deployed to the Admin Server.
Once the Admin Server is added as a target the warning disappears, and any underlying errors (such as the table problems mentioned above) are then reported instead of being masked by the connection failure.

[REF] https://docs.oracle.com/middleware/1221/biee/BIESC/privileges.htm#BIESC534
Section 3.4.4.3.3 Configuring the Data Source Using Oracle WebLogic Server Administration Console
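The mistake above is easy to spot from the domain's config.xml, where each JDBC system resource lists its targets. The following added example (not code from the original post or from Oracle) parses a constructed config.xml excerpt and reports which required servers a data source is missing from. The domain, server and data-source names (bi, AdminServer, bi_server1, SQLAuthDS) are assumptions for the example; the element layout follows the WebLogic domain schema.

```python
"""Check that a WebLogic JDBC data source is targeted at every server that
must see it (here the Admin Server and the BI managed server).

Added example, not code from the original post or from Oracle. The config.xml
excerpts are constructed; server and data-source names are assumptions.
"""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed: the misconfiguration from the post, the data source is
# targeted only at the BI managed server.
CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>bi</name>
  <server><name>AdminServer</name></server>
  <server><name>bi_server1</name></server>
  <jdbc-system-resource>
    <name>SQLAuthDS</name>
    <target>bi_server1</target>
    <descriptor-file-name>jdbc/SQLAuthDS-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>
</domain>
"""

# Constructed: the same excerpt after adding the Admin Server as a target.
FIXED_XML = CONFIG_XML.replace(
    "<target>bi_server1</target>", "<target>AdminServer,bi_server1</target>"
)


def datasource_targets(config_xml, ds_name):
    """Set of targets for the named JDBC system resource, or None if absent."""
    root = ET.fromstring(config_xml)
    for res in root.findall("d:jdbc-system-resource", NS):
        if res.findtext("d:name", namespaces=NS) == ds_name:
            targets = res.findtext("d:target", default="", namespaces=NS)
            return {t.strip() for t in targets.split(",") if t.strip()}
    return None


def missing_targets(config_xml, ds_name, required):
    """Required servers the data source is not deployed to (empty set = ok)."""
    targets = datasource_targets(config_xml, ds_name)
    if targets is None:  # data source not defined at all
        return set(required)
    return set(required) - targets


if __name__ == "__main__":
    required = {"AdminServer", "bi_server1"}
    for label, xml in (("before", CONFIG_XML), ("after", FIXED_XML)):
        missing = missing_targets(xml, "SQLAuthDS", required)
        print(label + ": missing targets", sorted(missing) or "none")
```

Run it against DOMAIN_HOME/config/config.xml with the real data-source name before restarting the servers; an empty result for both the Admin Server and every managed server that hosts the authenticator means the targeting is correct.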

Thursday, November 9, 2017

JDBC Version with EPM 11.1.2.4

Did you ever wonder which version of the JDBC driver Hyperion 11.1.2.4 uses?

Here is how to find out.

1. Go to E:\Oracle\Middleware\jdk160_35\bin
2. Run: java -jar E:\Oracle\Middleware\wlserver_10.3\server\lib\ojdbc6.jar -getversion
3. The driver reports its Oracle version and that it implements JDBC 4.0. (The 6 in ojdbc6.jar means the driver is built for JDK 6; it has nothing to do with ODBC.)




