Professional Documents
Culture Documents
May 2008
This document is provided for information purposes only and the contents hereof are
subject to change without notice. This document is not warranted to be error-free, nor
subject to any other warranties or conditions, whether expressed orally or implied in
law, including implied warranties and conditions of merchantability or fitness for a
particular purpose. We specifically disclaim any liability with respect to this document
and no contractual obligations are formed either directly or indirectly by this
document. This document may not be reproduced or transmitted in any form or by
any means, electronic or mechanical, for any purpose, without our prior written
permission.
Contents
List of Figures
1 Overview
Security Features Overview ................................................................................................................... 1-1
2 PABP Requirements
Requirement 1: Do not retain full magnetic stripe, card validation code or value (CAV2, CID,
CVC2, CVV2), or PIN block data .......................................................................................................... 2-1
Requirement 2: Protect cardholder stored data .................................................................................. 2-5
Requirement 3: Provide secure password features......................................................................... 2-10
Requirement 4: Log application activity........................................................................................... 2-12
Requirement 5: Develop secure applications .................................................................................. 2-15
Requirement 6: Protect wireless transmissions............................................................................... 2-24
Requirement 7: Test applications to address vulnerabilities........................................................ 2-26
Requirement 8: Facilitate secure network implementation .......................................................... 2-27
Requirement 9: Cardholder data must never be stored on a server connected to the Internet.........
2-28
Requirement 10: Facilitate secure remote software updates......................................................... 2-29
Requirement 11: Facilitate secure remote access to application................................................... 2-30
Requirement 12: Encrypt sensitive traffic over public networks................................................. 2-31
Requirement 13: Encrypt all non-console administrative access ................................................. 2-33
Requirement 14: Maintain instructional documentation and training programs for customers,
resellers, and integrators ...................................................................................................................... 2-34
iii
A Appendix: Credit Card Data Flow
iv
Creating a Database Schema Owner and Data Source Connection Users for Oracle Database.......
J-4
Creating the Database Schema Owner and Data Source Connection Users for IBM DB2........ J-5
Special Security Options for Oracle Databases.................................................................................. J-6
Special Security Options for IBM DB2 Databases ............................................................................ J-7
Default Application Administrative Users ......................................................................................... J-7
Glossary
v
List of Figures
3–1 Deployment Model ..................................................................................................................... 3-1
3–2 Java Interface ............................................................................................................................... 3-2
3–3 J2EE Class Updates ..................................................................................................................... 3-3
3–4 Encrypted Data Structure .......................................................................................................... 3-3
3–5 EJB Flow ....................................................................................................................................... 3-4
3–6 Struts Action Flow ...................................................................................................................... 3-4
3–7 POS Flow...................................................................................................................................... 3-5
A–1 Flow of Credit Card Data.......................................................................................................... A-2
B–1 Attributes and Public Methods of EncipheredCardData Class .......................................... B-1
C–1 KeyStoreEncryptionServiceIfc Class ....................................................................................... C-1
C–2 Application Encryption API Flow ........................................................................................... C-1
vi
Preface
For Release 13.0, security enhancements have been made to the following products to
meet the requirements of the Visa Payment Application Best Practices (PABP):
■ Oracle Retail Back Office
■ Oracle Retail Central Office
■ Oracle Retail Point-of-Service
Audience
This document is intended for retailers, resellers, and system integrators who perform
the following functions:
■ Document specific security features and configuration details for the above
mentioned products, in order to facilitate and support the compliance of the
retailer with the Payment Card Industry Data Security Standard (PCI-DSS).
■ Guide retailers, resellers, and system integrators on secure product
implementation for meeting PCI-DSS requirements.
Related Documents
For more information, see the following Release 13.0 documents:
■ Oracle Retail Back Office documentation set
■ Oracle Retail Central Office documentation set
■ Oracle Retail Point-of-Service documentation set
■ Oracle Retail Strategic Store Solutions Configuration Guide
For information on Visa Payment Application Best Practices (PABP), see the following
website:
http://usa.visa.com/merchants/risk_management/cisp_payment_
applications.html
For information on the Payment Card Industry Data Security Standard (PCI-DSS), see
the following website:
https://www.pcisecuritystandards.org/tech/index.htm
vii
Conventions
The following text conventions are used in this document:
Convention Meaning
boldface Boldface type indicates graphical user interface elements associated
with an action, or terms defined in text or the glossary.
italic Italic type indicates book titles, emphasis, or placeholder variables for
which you supply particular values.
monospace Monospace type indicates commands within a paragraph, URLs, code
in examples, text that appears on the screen, or text that you enter.
viii
1
Overview
Cardholder Data
In the normal course of business, retail applications handle sensitive data like the
account holder name and PAN. Cardholder data is used by the applications from the
time a card is swiped until the data is stored in a database. Oracle Retail
Point-of-Service encrypts, hashes, and masks a PAN immediately after it is read into
system memory. Each form of protection has its own business purpose, and protecting
it in all these manners immediately minimizes exposure of sensitive data.
Overview 1-1
Security Features Overview
When there is a business need to display some form of a PAN, the Release 13.0 Oracle
Retail Stores applications do not display the PAN in clear text. The PAN is masked on
the receipt. In the electronic journal, log files, user interface, and POSLog, it is masked,
encrypted, or hashed.
The flow of cardholder data through the Release 13.0 Oracle Retail Stores applications
is shown in Appendix A. At each step in the flow, the data is protected. In files or
messages built for application integration such as POSLog, the PAN is encrypted,
hashed, and masked. This enables other applications, for example, to display a masked
number without having to decrypt an encrypted number. When searching for a
transaction in Oracle Retail Central Office, the card number is masked. No decryption
is performed to generate the masked string.
Cryptographic Functionality
Cryptographic functionality is provided by integrating with a compliant enterprise
key management application. Oracle Retail Central Office, Back Office, and
Point-of-Service are designed to easily integrate with such a key management solution.
Each application accesses the external key management application via an adapter that
connects the application cryptography API with the API of the third-party vendor. The
retailer or system integrator creates that adapter by implementing the encryption
service interface. The interface provides the methods to encrypt, decrypt, and hash.
This adapter is configured at installation time.
Access to the enterprise key management service is required by external applications
that need to decrypt the data. Securing the external applications is the responsibility of
the customer or system integrator.
System Memory
An operating system can reveal the contents of its memory, through virtual memory, a
core dump, or a KCore file on Linux. By protecting sensitive data in system memory,
cardholder data is protected from exposure. The Release 13.0 Oracle Retail Stores
applications only decrypt data when necessary and overwrite and release memory as
soon as it is no longer needed.
Passwords
Password policy settings are configured through the database. By default, the
password policy is compliant with PCI-DSS section 8.5. For example, passwords must
be changed at least every 90 days, be at least seven characters, and include both
numeric and alphabetic characters.
Caution: You can change the password policy, but you must ensure
the modified settings comply with PCI-DSS section 8.5.
Web Applications
Oracle Central Office and Back Office are web-based applications. These applications
are subjected to additional testing and scrutiny:
■ The applications are tested with tools designed to subject the applications to
known attack methods in an effort to identify areas of vulnerability.
■ The source code for each application undergoes static code analysis and additional
review of all changes for a release.
Database
Once sensitive data is stored in a database, that data must be protected from
unauthorized access. Oracle Retail provides the following recommendations on how to
protect that data:
■ Access to the stored procedures used in the data purge scripts should be restricted.
■ Authentication to the database should be done with a different user ID than
authentication to the applications.
The Release 13.0 Oracle Retail Stores applications do not populate the database with
any pre-defined users. An administrative user is created during installation.
For additional recommendations and examples, see the following requirement:
3.1 Application must require unique usernames and complex passwords for all
administrative access and for all access to cardholder data.
Overview 1-3
Security Features Overview
Parameters
The Oracle Retail Stores applications are configured through the use of parameters.
Some of the parameters can affect compliance with the PABP requirements.
By default, all parameters are set to values that are compliant. If any of the parameters
are changed, be aware that this could affect the PCI-DSS compliance of the retailer and
therefore not provide adequate security for the retailer's customers.
One example is the Timeout Inactive with Transaction parameter. The requirement
states that the application time out in no more than 15 minutes. By default, this
parameter is set to 15 minutes.
The parameter descriptions in the Oracle Retail Strategic Store Solutions Configuration
Guide include a Security Sensitive attribute for each parameter. This attribute
documents whether changing the parameter can impact compliance with the PABP
requirements.
Testing Environment
Having a secure application means having a secure application environment. To this
end, Oracle Retail has leveraged recommendations by the Center for Internet Security
(cisecurity.org) to secure its application testing environment. An objective of
testing is to verify that the applications continue to operate correctly in the retailer's
secure PCI-DSS environment. For details on securing the application environments,
see Requirement 8: Facilitate secure network implementation.
1.1.1 Do not store the full contents of any track from the magnetic stripe (that is on the
back of a card, in a chip or elsewhere). This data is alternatively called full track, track,
track 1, track 2, and magnetic stripe data.
In the normal course of business, the following data elements from the magnetic stripe
may need to be retained: the account holder’s name, primary account number (PAN),
expiration date, and service code. To minimize risk, store only those data elements
needed for business. NEVER store the card verification code or value or PIN
verification value data elements.
Note: See the PCI-DSS Glossary for additional information.
Card Track 1 and Track 3 data are not read by the Release 13.0 Oracle Retail Stores
applications since the data is not functionally required by the applications. Track 2
data is immediately encrypted and used only for card authorization. Upon
authorization, it is overwritten and released from memory.
1.1.2 Do not store the card-validation value or code (three-digit or four-digit number
printed on the front or back of a payment card) used to verify card-not-present
transactions.
Note: See the PCI-DSS Glossary for additional information.
1.1.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
PIN blocks must never be retained (even if encrypted) after transaction authorization.
1.1.4 Securely delete any magnetic stripe data, card validation values or codes, and
PINs or PIN block data stored by previous versions of the software.
You can remove this data by upgrading to a more recent version of Oracle Retail
Central Office, Back Office, and Point-of-Service, which does not store prohibited data
in the database. You can also make custom modifications to your existing
implementation to remove the prohibited data.
1.1.5 Securely delete any cryptographic key material or cryptogram stored by previous
versions of the software. This could be cryptographic keys used for computation or
verification of cardholder data or sensitive authentication data.
You can remove this data by upgrading to a more recent version of Oracle Retail
Central Office, Back Office, and Point-of-Service, which does not store prohibited data
in the database. You can also make custom modifications to your existing
implementation to remove the prohibited data.
Third-party Key Management The Release 13.0 Oracle Retail Stores applications provide
the ability to encrypt data by plugging in a third-party key management infrastructure
such as RSA Key Manager or StrongAuth Strong Key. Whichever key manager you
use, you must ensure that the third-party key management infrastructure securely
deletes keys, as required by PABP section 1.1.5.
1.1.6 Securely delete any log files, debugging files, and other data sources received
from customers for debugging or troubleshooting purposes, to ensure that magnetic
stripe data, card validation codes or values, and PINS or PIN block data are not stored
on software vendor systems. These data sources must be collected in limited amounts
and only when necessary to resolve a problem, encrypted while stored, and deleted
immediately after use.
You must collect sensitive authentication only when needed to solve a specific
problem. You must store such data only in specific, known locations with limited
access. You must collect only the limited amount of data needed to solve a specific
problem. You must encrypt sensitive authentication data while it is stored, and must
securely delete such data immediately after use.
2.1 Mask PAN when displayed (the first six and last four digits are the maximum number
of digits to be displayed).
Note: This requirement does not apply to those employees and other parties with a
specific need to see full PAN; nor does the requirement supersede stricter
requirements in place for displays of cardholder data (for example, for point of sale
[POS] receipts).
Expiration Date Oracle Retail Point-of-Service renders the PAN expiration date
unreadable on receipts. For the transactions that are tendered with a credit card, the
expiration date is shown as '**/****'.
Oracle Retail Central Office masks the PAN expiration date whenever it is displayed.
In the Transaction Tracker feature, transactions can be examined, including tender
information, but the PAN expiration date is always displayed as '**/****'.
Log Files Cardholder data must not be displayed in log files. The Release 13.0 Oracle
Retail Stores applications do not write clear text cardholder data to log files regardless
of the log level. If you are modifying the applications, for example for device
integration, do not log cardholder data for debugging or testing purposes. Do not
assume that you can prevent the logging based on the log level because the log level
can be easily changed. Avoid log statements that might compromise sensitive data.
In addition to cardholder data, other personal information, such as driver's license and
Social Security numbers, should not be logged. Although these items may not be
protected by the PCI-DSS, the Release 13.0 Oracle Retail Stores applications do not log
them in order to help provide identity security for the retailer’s customers.
Oracle Retail Point-of-Service Transaction Lookup Oracle Retail Point-of-Service can request
a transaction lookup based on a PAN. The request message format does not include
the PAN in clear text, but only in both encrypted and hashed values. This is sufficient
for the lookup and does not expose sensitive data in clear text anywhere in the request
message.
Oracle Retail Point-of-Service also creates a POSLog message, which is an industry
standard format for representing a transaction. This message contains tender
information, but the PAN is never shown in clear text. The PAN is only included in
encrypted, hashed, and masked formats.
Encryption Service In order for an application to use cardholder data that is included in
the POSLog message, that application needs access to an encryption service provider
in order to decrypt the data. Many enterprise key managers are available on the
market, and it is expected that a retailer would have an implementation in order to
protect customer data. The Release 13.0 Oracle Retail Stores applications require
integration with an encryption service. They will not start properly without an
encryption service.
Encryption and decryption are not performed directly by Oracle Retail Central Office,
Back Office, and Point-of-Service. These actions are performed by an integrated
encryption service. The encryption service should not be hosted on the same physical
server that hosts the Release 13.0 Oracle Retail Stores applications. The encryption key
store should not be the same database that hosts the Oracle Retail Stores application
data.
Authorization Engine A built-in authorization layer that communicates with the ISD
Tender Suite is included with Oracle Retail Point-of-Service. It is not required that ISD
be used for authorization. However, the default communication with ISD does encrypt
communication with the authorizer, thereby protecting cardholder information. If you
choose to construct your own interface to the same or a different authorizer, you must
ensure that the communication with the authorizer is secure.
Oracle Retail Point-of-Service contains a pluggable interface for authorization engines.
It does not log PAN data during the course of an authorization request. If Oracle Retail
Point-of-Service is modified, ensure that it is not changed to log authorization request
data or response data in clear text, as this data could include the PAN.
Also, under certain conditions, an authorization request may be serialized or queued
onto local storage. Since the PAN is encrypted, it is not exposed at this point. However,
if Oracle Retail Point-of-Service is modified, ensure that the PAN is not written in clear
text to local storage when an authorization request is queued.
Additional Protected Data In addition to protecting data required by the PABP standard,
such as the PAN, expiration date, and track data, the Release 13.0 Oracle Retail Stores
applications also protect data such as house account number and gift card number. A
Social Security Number, when collected, is stored in clear text in order to comply with
the United States Patriot Act (PAT) requirements, although this information is not
frequently collected by the applications.
When a credit card is swiped into system memory, the data flows through the JPOS
device driver, and the first Oracle Retail class that holds the data is called
MSRSession.java. It is in this class that the EncipheredCardData is instantiated
and populated. When using EncipheredCardData and other classes that use
sensitive data, note which methods expect and return encrypted data and which
methods expect and return clear-text data. Sometimes this is indicated in the method
name and, in other cases, it is indicated by the JavaDoc.
2.3 If disk encryption is used (rather than file- or column-level database encryption),
logical access must be managed independently of native operating system access
control mechanisms (e.g. not using local system accounts). Decryption keys cannot be
tied to local user accounts.
2.4 Application must protect encryption keys used for encryption of cardholder data
against disclosure and misuse.
2.5 Application must implement key management processes and procedures for keys
used for encryption of cardholder data.
Oracle Retail Encryption API The Oracle Retail encryption API consists of three methods–
encrypt(), decrypt(), and hash(). These methods are called within the Release 13.0
Oracle Retail Stores applications whenever encryption services are needed.
For more information about the Oracle Retail encryption API and how the wrapper
class fits between the Oracle Retail Stores applications and the key management
service, see Appendix C.
Access by Other Applications In order for another application to access sensitive data
produced by Oracle Retail Point-Of-Service, access to the enterprise key management
service is required. For example, when Point-Of-Service creates a POSLog, which is an
XML stream that represents transactional data, a user of the POSLog would need to be
able to decrypt the cardholder data it contains.
3.1 Application must require unique usernames and complex passwords for all
administrative access and for all access to cardholder data.
Note: These password controls are not intended to apply to employees who only have
access to one card number at a time to facilitate a single transaction. These controls are
applicable for access by employees with administrative capabilities, for access to
servers with cardholder data, and for access controlled by the application.
You are advised against using administrative accounts for application login, that is,
don't use the "sa" account for application access to the database. You are also advised
to assign strong passwords to these default accounts even if they won't be used, and
then disable or do not use the accounts.
You are advised to assign strong application and system passwords whenever
possible. To create PCI-DSS compliant complex passwords, according to PCI-DSS
standards 8.5.8 to 8.5.15:
■ Do not use group, shared, or generic accounts and passwords.
■ Change user passwords at least every 90 days.
■ Require a minimum password length of at least seven characters.
■ Use passwords containing both numeric and alphabetic characters.
■ Do not allow an individual to submit a new password that is the same as any of
the last four passwords used.
■ Limit repeated access attempts by locking out the user ID after not more than six
attempts.
■ Set the lockout duration to thirty minutes or until an administrator enables the
user ID.
■ If a session has been idle for more than 15 minutes, require the user to re-enter the
password in order to re-activate the terminal.
Database Configuration Password policy settings are configured through the database.
By default, the password policy is compliant with PCI-DSS section 8.5.
For database management best practices, including restricting access to purge scripts,
creating the database schema owner and the data source owner separately, and special
security options for Oracle 10g and IBM DB2, see Appendix J.
3.2 Access to PCs, servers, and databases with payment applications must require a
unique username and complex password.
You are advised to control access, via unique user ID and PCI-DSS compliant complex
passwords, to any PCs, servers, and databases with payment applications and
cardholder data.
4.1 Application must log all user access (especially users with administrative
privileges), and be able to link all activities to individual users.
4.2 Application must implement an automated audit trail to track and monitor access.
Application log files are configurable, and by default, they are compliant with the
PCI-DSS. If you modify the settings, you must ensure they are compliant with
PCI-DSS standard 10.2 and 10.3.
Implement automated audit trails for all system components to reconstruct the
following events:
■ All individual user accesses to cardholder data
■ All actions taken by any individual with root or administrative privileges
■ Access to all audit trails
■ Invalid logical access attempts
■ Use of identification and authentication mechanisms
■ Initialization of the audit logs
■ Creation and deletion of system-level objects
Record at least the following audit trail entries for all system components for each
event:
■ User identification
■ Type of event
■ Date and time
■ Success or failure indication
■ Origination of the event
■ Identity or name of affected data, system component, or resource
Oracle Retail Point-of-Service implements an automated audit trail system that logs all
system activities into a log file. The log file is configured in the log4j.xml file in the
/OracleRetailStore/<Server or Client>/pos/config directory. The events
that are logged are listed in the file.
Table 2–1 lists the events that are captured by each application as part of the audit trail.
For each event, the Oracle Retail Audit log service logs the point of Origination of the
event. In addition, the audit log framework logs the Initialization of the Audit log
itself.
The log files are created with the following names and in following locations:
■ Oracle Retail Back Office
File Name: BackOffice_audit.log
Location (Oracle stack implementation):
$ORACLE_HOME/j2ee/<Instance Name>/log
Location (IBM stack implementation):
$WAS_HOME/profiles/<Profile Name>/logs
■ Oracle Retail Central Office
File Name: CentralOffice_audit.log
Location (Oracle stack implementation):
$ORACLE_HOME/j2ee/<Instance Name>/log
Location (IBM stack implementation):
$WAS_HOME/profiles/<Profile Name>/logs
■ Oracle Retail Point-of-Service
File Name: audit.log
Location (in each register): $INSTALL_DIR/Client/pos/logs
To be compliant with PCI-DSS standards 10.2.3 and 10.2.7, access to the Audit Log and
implementation of the audit trail for all system components have to be logged. The
following events should be captured at the system level:
■ Logon or logoff
■ Start or stop a process
■ Use of user rights
■ Account administration
■ Change the security policy
■ Restart and shutdown the system
■ USB events and Mount/Unmount events
■ Access a file or directory (create a file, remove a file, read a file, or change file
descriptors)
Various tools are available to collect audit trail information. Audit trails should be
maintained for the applications and for external system events.
5.1 Develop all web applications based on secure coding guidelines such as the Open
Web Application Security Project guidelines. Review custom application code to
identify coding vulnerabilities. Cover prevention of common coding vulnerabilities in
software development processes, to include:
Oracle Retail Back Office and Central Office Implementation Oracle Retail Back Office and
Central Office do not contain any functionality that allows a user to upload a file for
later execution. File uploads are limited to uploads of import data necessary to load
the database with operational data.
Because of this, Oracle Retail Back Office and Central Office are not vulnerable to
malicious file execution attacks.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against each
of the OWASP Top 10 attacks and have been found compliant.
Oracle Retail Back Office and Central Office Implementation Input is validated using a known
good validation method. Invalid data is rejected. Release 13.0 Oracle Retail Back Office
and Central Office have been tested against this attack and have been found
compliant.
Oracle Retail Back Office and Central Office Implementation Broken access controls include
both the failure to restrict URL access and to prevent insecure object references.
Failure to control URL access could allow a user with insufficient permissions to
perform an operation that the user would otherwise be unable to accomplish if the
user knew the URL to call and the data to pass to the application for that operation.
Oracle Retail Back Office and Central Office both prevent users from accessing URLs
that they do not have permission to view.
Insecure object references occur when an application exposes key data directly or
indirectly to the user. This could be in the form of a primary key value in a hidden
field or shown in a URL. A malicious user could modify that data in an attempt to
access objects that the user would not normally be able to access. Oracle Retail Back
Office and Central Office both consider the current user's access prior to allowing the
user access to objects.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against this
attack and have been found compliant.
Oracle Retail Back Office and Central Office Implementation Oracle Retail Back Office and
Central Office leverage the authentication and session management features of the
application server and do not manage their own cookies or credentials. The
application server is responsible for providing that functionality and does so in a
secure manner. The use of SSL further helps to safeguard authentication and session
management.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against this
attack and have been found compliant.
Oracle Retail Back Office and Central Office Implementation Because Oracle Retail Back
Office and Central Office are Java based applications, they are not vulnerable to
traditional C++ buffer overflows. However, they do need to consider a similar issue,
Integer overflow. Both applications have been scanned using static code analysis tools
and appropriate measures were taken where necessary.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against this
attack and have been found compliant.
Oracle Retail Back Office and Central Office Implementation Release 13.0 Oracle Retail Back
Office and Central Office use automated tools to help detect code vulnerabilities.
FindBugs is one such tool that can help discover SQL injection vulnerabilities.
The following are two possible SQL injection vulnerabilities:
■ A PreparedStatement object is created based on a non-constant string of SQL. This
may or may not include user modifiable parameters from the web layer. If no
parameters are included in the SQL, then no SQL injection vulnerability exists for
that query.
■ A non-constant string of SQL is passed directly to an execute method of a
Statement object. This may or may not include any user modifiable parameters.
The safe and preferred way to execute SQL is to create a PreparedStatement object,
apply the parameters, and call the execute method on that object. A
PreparedStatement object has the SQL statement inside it compiled before any
parameters are applied. Doing so means that a malicious parameter cannot change the
SQL query that will be run.
Injection flaws are not limited to SQL injection. Oracle Retail Back Office and Central
Office validate and escape dynamic data to prevent HTML, XML, and other types of
injection.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against this
attack and have been found compliant.
Oracle Retail Back Office and Central Office Implementation Oracle Retail Back Office and
Central Office provide error messages to the user that convey the nature of the error
without compromising important system information. Systems integrators and
retailers who extend or modify the product should ensure that any new error
conditions created by the modifications do not provide more information than
necessary.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against this
attack and have been found compliant.
Oracle Retail Back Office and Central Office Implementation Insecure storage refers to
cryptographic storage and the management of encryption keys. As of Release 13.0,
key management and the encryption, decryption, and hashing of information is the
responsibility of an external key management and encryption service.
Release 13.0 Oracle Retail Back Office and Central Office have been tested against this
attack and have been found compliant.
Oracle Retail Back Office and Central Office Implementation The applications are built and
tested using standards and guidelines similar to those presented by the Open Web
Application Security Project (www.owasp.org). These standards include common
issues like data validation, proper access controls and authentication, as well as
dealing with injection flaws. Prevention of common web application attacks, like
cross-site scripting and client-side request forgeries, are among the many types of
vulnerabilities addressed by the development standards.
In addition to these standards and guidelines, all of the code in the applications is
reviewed to ensure that latent defects that might exist in the application are discovered
and fixed before being shipped. All new code and changes to the existing code
undergo at least one review prior to them being released to Oracle Retail customers.
In addition to code reviews and standards, a PABP Regression Test Suite around PABP
specific areas has been created. It will be executed with each new release of the Oracle
Retail Stores applications. The test suite may be modified based on findings from test
execution for this release as well as future releases. The suite will also evolve as the
PABP standard evolves.
Retailers and system integrators who are customizing or extending any of the
applications or integrating with other applications, should consider PABP and
PCI-DSS requirements for developing secure applications by having their own
standards and review processes.
5.2 Develop software applications based on industry best practices and incorporate
information security throughout the software development life cycle.
Tools The Release 13.0 Oracle Retail Stores applications use a number of security tools
to scan for security issues. As with any tool, the output of these tools should be
analyzed in detail since the output may contain false positive warnings.
The following sections list security tools and where each tool can be downloaded. The
tools fall into one of two categories
■ Code scanning tools which work on the source code itself:
– Klocwork
– FindBugs
■ Intrusion testing tools which probe the operating system, webserver, and
application for vulnerabilities:
– Nessus
– Nikto
– Wikto
– Paros
– Wireshark
Although Oracle Retail uses these tools, you can use any tools that you choose. No
recommendation of the following tools is intended or implied.
Klocwork Klocwork Developer for Java is a commercial static code analysis tool. It
provides automated detection of security vulnerabilities and quality defects. It
integrates with Eclipse IDE. The security vulnerabilities include array index out of
range, cross site scripting, null pointer exception, SQL injection, and unvalidated
inputs.
For Release 13.0, a trial version of Klocwork was run on the source code and high
severity issues were analyzed and fixed. This tool is best run towards the end of the
code completion phase where most of the code is already in.
Klocwork can be downloaded from the following website:
http://www.klocwork.com/
FindBugs FindBugs looks for bugs in Java programs. It uses static code analysis to
inspect Java bytecode for occurrences of bug patterns. Static code analysis means that
FindBugs can find bugs by simply inspecting program code. Executing the program is
not necessary. FindBugs works by analyzing Java bytecode (compiled class files), so
the program source code is not needed. Because its analysis is sometimes imprecise,
FindBugs can report false warnings, which are warnings that do not indicate real
errors. In Release 13.0, this tool was used to look for and remediate SQL-injection
issues prior to the usage of Klocwork.
FindBugs can be downloaded from the following website:
http://findbugs.sourceforge.net/index.html
Nessus Nessus is a tool that automates the testing and discovery of known security
problems. This is done through plug-ins. These plug-ins are very much like virus
signatures in a common virus scanner application. Each plug-in is written to test for a
specific vulnerability. These try to exploit the vulnerabilities or test for known
vulnerable software versions. The tool also includes port scanning to look for open
ports that could be exploited. It is essentially responsible for verifying the operating
system and any deployed middleware is secured. It is one of the first tools used in the
secure environment to verify the security of the servers.
Nessus can be downloaded from the following website:
http://www.nessus.org/nessus/
Nikto Nikto is an open source web server scanner. It is designed to find various default
and insecure files, configurations, and programs on any type of web server. Nikto is
PERL software designed to find many types of web server problems, including server
and software configuration problems, default files and programs, insecure files and
programs, and outdated servers and programs. In Release 13.0, this tool was used to
scan both the Oracle stack and IBM stack machines which host the application servers.
Nikto can be downloaded from the following website:
http://www.cirt.net/nikto2
Wikto Wikto is primarily a web sever testing tool. It is very similar to Nikto but
includes a Windows GUI interface. It also includes other features like the ability to
spider a website. In Release 13.0, this tool was used to scan both the Oracle stack and
IBM stack machines which host the application servers.
Wikto can be downloaded from the following website:
http://www.sensepost.com/research/wikto/
Paros Paros looks for security holes in web applications. It is an HTTP/HTTPS proxy
for assessing web application vulnerability. It supports editing and viewing HTTP
messages on the fly.
All HTTP and HTTPS data between server and client, including cookies and form
fields, can be intercepted and modified. The Spider feature is used to crawl the
websites and gather URL links. The Scanner feature is used to scan the server. The
checks include checking for obsolete files and default files on the webservers as these
could be exploited. It also tries to perform injection attacks by modifying data in the
request parameters during scanning.
Paros can be downloaded from the following website:
http://www.parosproxy.org/index.shtml
5.2.1 Testing of all security patches and system and software configuration changes
before deployment.
Oracle Retail Stores has documented that it tests all security patches and system and
software configuration changes before providing them to the customer for
deployment.
All the above numbers are well documented test PAN numbers.
The following websites publish these numbers as test PAN numbers:
■ https://www.paypal.com/en_US/vhelp/paypalmanager_help/credit_
card_numbers.htm
■ http://www.merchantplus.com/visamastercardlogos.php#Numbers
■ http://www.infomerchant.net/creditcardprocessing/credit_card_
test_numbers.html
5.2.5 Removal of test data and accounts before production systems become active.
5.2.7 Review of custom code prior to release to customers, to identify any potential
coding vulnerability.
5.3 Software vendor must follow change control procedures for all product software
configuration changes. The procedures must include the following:
Oracle Retail Back Office, Central Office, and Point-of-Service Implementation Oracle Retail
Stores applications are developed using accepted software development practices. All
changes are documented, approved by the appropriate parties, and tested prior to
deployment. Backout procedures are developed with the changes should it become
necessary to remove them.
5.4 Disable or remove unnecessary and insecure services and protocols (e.g., NetBIOS,
file-sharing, Telnet, unencrypted FTP, and others). These services and protocols must
not be used or required by the application.
5.5 Ensure that all web-facing applications are protected against known attacks by
either of the following methods:
■ Having all custom application code reviewed for common vulnerabilities by an
organization that specializes in application security
■ Installing an application-layer firewall in front of web-facing applications
Note: For PCI-DSS, this method is considered a best practice until June 30, 2008, after
which it becomes a requirement.
6.1 For wireless networks transmitting cardholder data, encrypt the transmissions by
using WiFi Protected Access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS.
Never rely exclusively on wired equivalent privacy (WEP) to protect confidentiality and
access to a wireless LAN.
If WEP is used, do the following:
■ Use with a minimum 104-bit encryption key and 24 bit-initialization value.
■ Use ONLY in conjunction with WiFi Protected Access (WPA or WPA2) technology,
VPN, or SSL/TLS.
■ Rotate shared WEP keys quarterly (or automatically if the technology permits).
■ Rotate shared WEP keys whenever there are changes in personnel with access to
keys.
■ Restrict access based on media access code (MAC) address.
Wireless Environments Change wireless vendor defaults, including but not limited to,
wired equivalent privacy (WEP) keys, default service set identifier (SSID), passwords,
and SNMP community strings. Disable SSID broadcasts. Enable WiFi protected access
(WPA and WPA2) technology for encryption and authentication when WPA-capable.
Wireless Networks Transmitting Cardholder Data Encrypt the transmissions by using WiFi
protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely
exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to
a wireless LAN. If WEP is used, do the following:
■ Use with a minimum 104-bit encryption key and 24 bit-initialization value.
■ Use only in conjunction with WiFi protected access (WPA or WPA2) technology,
VPN, or SSL/TLS.
■ Rotate shared WEP keys quarterly (or automatically if the technology permits).
■ Rotate shared WEP keys whenever there are changes in personnel with access to
keys.
■ Restrict access based on media access code (MAC) address.
7.1 Software vendors must establish a process to identify newly discovered security
vulnerabilities (e.g., subscribe to alert services freely available on the Internet), to test
their applications for vulnerabilities, and for timely development and deployment of
security patches and upgrades. Updates and patches must be delivered in a secure
manner with a known chain-of-trust. Any underlying software or systems that are
provided along with the payment application (e.g., web servers) must be included in
this process.
8.1 The payment application must be able to be implemented into a secure network
environment. Application must not interfere with use of network address translation
(NAT), port address translation (PAT), traffic filtering network devices, anti-virus
protection, patch or update installation, or encryption.
9.1 The payment application must not require that the database server and web server
be on the same server, or in the DMZ with the web server.
10.1 If software updates are delivered via remote access into customers' systems,
software vendors must tell customers to turn on modem only when needed for
downloads from vendor, and to turn off immediately after download completes.
Alternatively, if delivered via VPN or other high-speed connection, software vendors
must advise customers to properly configure a personal firewall product to secure
"always-on" connections.
Develop usage policies for critical employee-facing technologies (such as modems and
wireless) to define proper use of these technologies for all employees and contractors.
Ensure these usage policies require the following:
■ Explicit management approval
■ Authentication for use of the technology
■ List of all such devices and personnel with access
■ Labeling of devices with owner, contact information, and purpose
■ Acceptable uses of the technologies
■ Acceptable network locations for the technologies
■ List of company-approved products
■ Automatic disconnect of modem sessions after a specific period of inactivity
■ Activation of modems for vendors only when needed by vendors, with immediate
deactivation after use
■ When accessing cardholder data remotely via modem, prohibition of storage of
cardholder data onto local hard drives, floppy disks, or other external media.
Prohibition of cut-and-paste and print functions during remote access.
Install personal firewall software on any computers with direct connectivity to the
Internet via VPN or other high-speed connection in order to secure these "always-on"
connections.
11.1 The payment application must not interfere with use of a two-factor authentication
mechanism. The application must allow for technologies such as RADIUS or TACACS
with tokens, or VPN with individual certificates.
12.1 Use strong cryptography and security protocols such as secure sockets layer
(SSL) / transport layer security (TLS) and, internet protocol security (IPSEC)) to
safeguard sensitive cardholder data during transmission over open, public networks.
Examples of open, public networks that are in scope of the PCI-DSS are the Internet,
WiFi (IEEE 802.11x), Global System for Mobile communications (GSM), and General
Packet Radio Service (GPRS).
Wireless Networks Transmitting Cardholder Data Encrypt the transmissions by using WiFi
protected access (WPA or WPA2) technology, IPSEC VPN, or SSL/TLS. Never rely
exclusively on wired equivalent privacy (WEP) to protect confidentiality and access to
a wireless LAN. If WEP is used, do the following:
■ Use with a minimum 104-bit encryption key and 24 bit-initialization value.
■ Use only in conjunction with WiFi protected access (WPA or WPA2) technology,
VPN, or SSL/TLS.
■ Rotate shared WEP keys quarterly (or automatically if the technology permits).
■ Rotate shared WEP keys whenever there are changes in personnel with access to
keys.
■ Restrict access based on media access code (MAC) address.
Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) Oracle Retail Back Office and
Central Office can only be accessed over HTTPS. HTTP protocol is disabled and
accessing these applications over HTTP is not possible.
To install a valid SSL Certificate on the application server, see the documentation for
your installed application server. The use of the default SSL certificate shipped with
the application server is not allowed and can render the application prone to intrusion
attacks.
13.1 Encrypt all non-console administrative access. Use technologies such as SSH,
VPN, or SSL/TLS for web-based management and other non-console administrative
access.
Telnet or rlogin must never be used for non-console administrative access.
14.1.2 Includes a review at least annually and updates to keep the documentation
current with software changes as well as with changes to the requirements in this
document.
Oracle Retail Back Office, Central Office, and Point-of-Service Implementation Release 13.0 is
the first published release of the Oracle Retail Strategic Store Solutions Security
Implementation Guide.
The Oracle Retail Stores Software Development Methodology has been updated to
include a review and revision of this guide as part of its ongoing certification process.
At least annually, or with each major release, the guide will be updated.
The updates will include any new areas of concern in the applications regarding
security, any updates to software development practices and methodology, and
responses to changes in the PABP security standard.
14.2 Develop and implement training and communication programs to ensure software
resellers and integrators know how to implement the application software and related
systems and networks in a PABP-compliant manner. Update the training on an annual
basis and whenever new software versions are released.
Logical Distribution
A KeyStore client is required at each deployment point. This enables access from the
server-based application as well as the client application when the KeyStore server is
offline. Figure 3–1 illustrates the design.
The components of the deployment model are described in the following table.
Component Description
Corporate Centralized, corporate deployment environment
Store-x Local store deployment environment
Central Office, Back Office, Oracle Retail Stores applications
POS Server, POS Client-x
Key Store Server Centralized encryption key repository
Key Store Client Local client APIs for KeyStore access as well as local key
cache for offline support
Static Model
The primary API is the KeyStoreEncryptionServiceIfc. This interface abstracts away
the specifics of each vendor KeyStore API.
Extensions to the base web application classes are made to ease access to this service.
Interaction Patterns
There are two similar interaction patterns for accessing the new encryption service,
J2EE Session Bean and POS POJO.
1. The session bean asks its base class (EnterpriseBeanAdapter) for the service
implementation.
2. The base class calls out to Spring via the BeanLocator class to get a handle to the
EncryptionService implementation class.
3. Once returned, the session bean calls the class, via its interface, to handle any
encryption needs.
As shown in Figure 3–6, a similar pattern is followed to handle encryption needs from
within an action.
1. The action asks its base class (Action, DispatchAction, DispatchLookupAction) for
the service implementation.
2. The base class calls out to Spring via the BeanLocator class to get a handle to the
EncryptionService implementation class.
3. Once returned, the action calls the class, via its interface, to handle any encryption
needs.
POS POJO
As shown in Figure 3–7, the pattern is slightly different for Oracle Retail
Point-of-Service. The Manager/Technician framework is used to access the encryption
service.
1. Any site needing access to encryption services uses the Dispatcher to get a handle
to the EncryptionManager.
2. That manager delegates to the configured EncryptionTechnician via a valet.
3. The EncryptionTechnician uses Spring (via the BeanLocator) to access the
configured EncryptionService and calls the class, via its interface, to handle any
encryption needs.
This figure shows the flow of credit card data in Oracle Retail Central Office, Back
Office, and Point-of-Service from the register (input device) to storage in the corporate
database.
In-memory encryption is accomplished through the use of the Oracle Retail Java class,
EncipheredCardData. It is used to maintain cardholder data in various unreadable
formats and should be instantiated and populated immediately upon reading sensitive
data into memory. This class will maintain a card number in four formats—encrypted,
hashed, masked, and last four digits. This enables the applications to access the card
number in whatever format is required without having to decrypt it.
This figure shows the attributes and some useful public methods of the
EncipheredCardData class.
Each application accesses the external key management application via the Spring
Framework. The web applications, Oracle Retail Central Office and Back Office,
expect the key management client JARs to be made available via the JCA container.
Oracle Retail Point-of-Service, a pure Java application, accesses them directly via the
classpath.
■ EncryptValets=true
This causes the RMI communication between Manager/Technician pairs to be
secured.
■ javax.net.ssl.keyStore=$KEYSTORE_FILE$
This points to the KeyStore that contains the private keys and public
certificates for the server. For example:
javax.net.ssl.keyStore=$JAVA_HOME\\jre\\lib\\security\\<keystore_name>
■ javax.net.ssl.keyStorePassword=!$KEYSTORE_PASSWORD$
This is the encrypted password for the KeyStore. For example:
javax.net.ssl.keyStorePassword=!changeit
Note: The cipher suites selected for the register have to match the
ones selected for the store server.
■ EncryptValets=true
This causes the RMI communication between Manager/Technician pairs to be
secured.
■ javax.net.ssl.trustStore=$TRUSTSTORE_FILE$
This points to the truststore that contains the public certificates for the client.
For example:
javax.net.ssl.trustStore=$JAVA_HOME\jre\lib\security\<truststore_name>
The keytool utility is included with the JRE. It is used to create new keys, import
digital certificates, export existing keys, and interact with the key management system.
2. Once the Certificate Signing Request is saved in a file, send it to the Certificate
Authority of your choice. To get a trial certificate, see the following website:
https://www.thawte.com
3. When the response from the Certificate Authority is received, save the certificate
in a file from which it can be imported. In order to import the certificate, the root
certificate must be in your list of trusted certificate authorities, or you must accept
the root certificate selected by the keytool utility.
4. To import the certificate, use the following command:
keytool -import -keystore <your_keystore_name>
-file <your_certificate_file.cer> -alias <your_alias> -trustcacerts
For development or testing purposes, it should not be necessary to get a trial certificate
or have your certificate signed.
listener.ora
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /u01/oracle/10g)
(PROGRAM = extproc)
)
)
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 10.143.44.108)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.143.44.108)(PORT = 2484))
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROCO))
)
)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)
(METHOD_DATA=(DIRECTORY=/u01/oracle/admin/SECURDB10G)))
SSL_CLIENT_AUTHENTICATION=FALSE
sqlnet.ora
SSL_CLIENT_AUTHENTICATION=FALSE
SSL_CIPHER_SUITES=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_
MD5, SSL_DH_anon_WITH_DES_CBC_SHA)
WALLET_LOCATION=(SOURCE=(METHOD=FILE)
(METHOD_DATA=(DIRECTORY=/u01/oracle/admin/SECURDB10G)))
tnsnames.ora
SECURDB10G =
(DESCRIPTION =
(ADDRESS_LIST =
(ADDRESS = (PROTOCOL = TCP)(HOST = 10.143.44.108)(PORT = 1521))
(ADDRESS = (PROTOCOL = TCPS)(HOST = 10.143.44.108)(PORT = 2484))
)
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = SECURDB10G)
)
)
3. The database connection call requires the following properties to be set, either as
system properties or JDBC connection properties:
Property Value
oracle.net.ssl_cipher_suites (SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_DH_anon_WITH_RC4_128_MD5,
SSL_DH_anon_WITH_DES_CBC_SHA)
javax.net.ssl.trustStore Path and file name of trust store
For example:
/DevTools/Testing/Secure10g/truststore/truststore
javax.net.ssl.trustStoreType JKS
2. Copy the ojdbc14.jar file from the database server and replace in the pos
library.
3. The following changes have to be made for the connection pool that is defined in
the following files:
■ server/pos/config/DefaultDataTechnician.xml
■ server/pos/config/EnterpriseDataTechnician.xml
The following example shows the DefaultDataTechnician.xml file.
<POOL class="DataConnectionPool" name="jdbcpool"
package="com.extendyourstore.foundation.manager.data">
<POOLPROPERTY propname="numConnections" proptype="INTEGER"
propvalue="8"/>
<CONNECTION class="JdbcDataConnection"
package="com.extendyourstore.foundation.manager.data">
<CONNECTIONPROPERTY propname="driver" proptype="STRING"
propvalue="oracle.jdbc.driver.OracleDriver"/>
<CONNECTIONPROPERTY propname="databaseUrl" proptype="STRING"
propvalue="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.143.
44.108)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SECURDB10G)))"/>
<CONNECTIONPROPERTY propname="userid" proptype="STRING"
propvalue="anilorabo"/>
<CONNECTIONPROPERTY propname="oracleCipherSuites" proptype="STRING"
propvalue="(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_RC4_128_
MD5,SSL_DH_anon_WITH_DES_CBC_SHA)"/>
<CONNECTIONPROPERTY propname="password" proptype="STRING"
propvalue="!anilorabo"/>
<CONNECTIONPROPERTY propname="exceptionMappingClass"
proptype="STRING"
propvalue="com.extendyourstore.foundation.manager.data.JdbcSQLState"/>
<CONNECTIONPROPERTY propname="exceptionMapping" proptype="STRING"
propvalue="classpath://com/extendyourstore/domain/arts/oracleexceptionmap.xml"/
>
</CONNECTION>
</POOL>
2. Add the SSL JDBC properties. The following example shows part of the
data-sources.xml file.
<connection-pool name="Oracle10GPool">
<connection-factory factory-class="oracle.jdbc.pool.OracleDataSource"
user="securuser" password="->securuser"
url="jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=10.143.44.108
)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=SECURDB10G)))">
<connection-properties>
<property name="oracle.net.ssl_cipher_suites"
value="(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_
RC4_128_MD5, SSL_DH_anon_WITH_DES_CBC_SHA)"/>
</connection-properties>
</connection-factory>
</connection-pool>
3. Import your new shared libraries for your application. To make the new
oracle.jdbc and oracle.toplink shared libraries the default for all applications in
your OC4J instance, update the system-applications.xml file as shown in
the following example.
<imported-shared-libraries>
<import-shared-library name="oracle.jdbc" min-version="10.3"
max-version="10.3"/>
<import-shared-library name="oracle.toplink" min-version="10.3"
max-version="10.3"/>
</imported-shared-libraries>
IBM DB2 has supported SSL encryption since version 9.1 Fix Pack 3. Information on
how to configure SSL on the server and client can be found at the following websites:
■ http://publib.boulder.ibm.com/infocenter/db2luw/v9/index.jsp?to
pic=/com.ibm.db2.udb.uprun.doc/doc/t0025241.htm
■ http://www-1.ibm.com/support/docview.wss?uid=swg21249656
This appendix has information on how to enable SSL for IBM DB2. Information from
the DB2 V9 Information Center, Global Security Kit Secure Sockets Layer Introduction, and
iKeyman User's Guide is included in this appendix.
Summary
To secure JDBC on IBM DB2 requires the following:
■ An SSL provider must be established on the DB2 server.
■ The provider requires a digital certificate and corresponding private key to
provide the secure communications.
■ The client either needs to have a copy of the digital certificate or trust the signer of
the server certificate.
■ The client needs to be configured to use the secure service, and optionally use a
FIPS-compliant SSL provider.
Prerequisites
The information in this section is from the DB2 V9 Information Center.
1. Make sure you have the required fix pack version of DB2.
To determine the fix pack level you have, run the db2level command at the
command line. If you have a fix pack version earlier than Fix Pack 3, you need to
obtain Fix Pack 3 or a later version.
2. Make sure the GSKit is installed.
On linux, it is located in /usr/local/ibm/gsk7.
3. Make sure the GSKit libraries are in the path.
Make sure the /usr/local/ibm/gsk7/lib directory is included in
LD_LIBRARY_PATH.
4. For information on how to check if the connection concentrator is in use, see the
IBM documentation.
For example:
/home/db2inst1/sqllib/cfg/SSLconfig.ini
■ For Windows:
<INSTHOME>\SSLconfig.ini
For example:
F:\IBM\SQLLIB\DB2\SSLconfig.ini
3. Add SSL parameters to the SSL configuration file. The SSLconfig.ini file
contains the SSL parameters that are used to load and start SSL. The list of SSL
parameters are shown in the following table:
4. Add the value SSL to the DB2COMM registry variable. For example, use the
following command:
db2set -i <db2inst1> DB2COMM=SSL
where <db2inst1> is the IBM DB2 instance name.
The database manager can support multiple protocols at the same time. For
example, to enable both TCP/IP and SSL communication protocols:
db2set -i <db2inst1> DB2COMM=SSL,TCPIP
5. Restart the IBM DB2 instance. For example, use the following commands:
db2stop
db2start
At this point, the server should be ready to start serving SSL connections. You can
check the db2diag.log file for errors. There should be no errors pertaining to
SSL after the restart.
2. Set security properties to ensure that all JSSE code uses the IBMJSSE2 provider.
The following example shows the entries in java.security.
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
h. Enter a distinct alias and the full path to the certificate file on the server in the
File name field. Make sure the Data type corresponds to the type in the file.
The certificate should appear in the list of Signer certificates.
2. Update all the data sources to use SSL. (jdbc/DataSource, jdbc/DimpDataSource,
jdbc/DimpDataSource)
a. Log in to the WebSphere Integrated Solutions Console (Admin Console).
b. Expand the Resources menu option.
c. Expand the JDBC menu option.
d. Click the Data sources option. The list of data sources is displayed.
e. Click on the data source to be edited.
f. In the Additional Properties list, click the Custom properties link.
g. Click the New button.
h. Enter sslConnection in the Name field, true in the Value field, and click OK.
i. Click the data source name in the bread crumb trail to return to the data
source edit page.
j. Change the Port number field from the TCPIP port to the SSL port.
k. Click OK.
l. Edit the remaining data sources.
m. Save the configuration.
Useful Links
For more information, see the following websites:
■ http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ib
m.db2.udb.apdv.java.doc/doc/rjvdsprp.htm
This website has documentation of all the properties available in the DB2 Driver
for JDBC.
■ http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ib
m.db2.udb.apdv.java.doc/doc/tjvjcccn.htm
This website contains documentation of the URL syntax for connecting to DB2
using JDBC.
■ http://retailweb.us.oracle.com:8080/download/attachments/127800
85/sg247555.pdf?version=1
An IBM Redbook on security related issues with DB2 including auditing and data
encryption. It is dated January 18, 2008 and has a product number SG24-7555-00.
Securing JMS communication varies based on the vendor. For information on securing
JMS, see the following websites:
■ IBM MQ Series
– http://www.ibm.com/developerworks/ibm/library/i-supply1i
■ Oracle Application Server
– http://download-uk.oracle.com/docs/cd/B14099_
15/core.1012/b13995/ssl_intro.htm
– http://download.oracle.com/docs/cd/B31017_
01/web.1013/b28958/jms.htm#sthref382
– http://download.oracle.com/docs/cd/B31017_
01/web.1013/b28958/jms.htm#CHDCEDHE
Caution: Never set the user name and password to the connection
factory settings.
Doing this gives any user with JNDI read-access, full access to all JMS
destinations. It also increases the risk of exposure if the serializable
connection factory contains the user name and password. The client,
or the client context, should always provide the user name and
password for authentication. Therefore, it is not necessary to supply
those in the connection factory.
Resources
For more information on securing networks, see the following websites:
■ http://www.microsoft.com/industry/retail/businessvalue/securest
oreabstract.mspx
■ http://www.novell.com/industries/retail/pcidss.html
Physical Security
Retailers must take precautions to ensure that any user with malicious intent cannot
gain physical access to networks and devices. All equipment involved in the Oracle
Retail Point-of-Service activity must be physically secured, including cables and
equipment housings. Oracle Retail Point-of-Service registers must be configured to
automatically lock when left alone, and must require a password, that conforms to the
password policy guidelines, to unlock the register.
■ The user ID and password for schema owners should comply with PABP user and
password policies:
– Do not use group, shared, or generic accounts and passwords.
– Change user passwords at least every 90 days.
– Require a minimum password length of at least seven characters.
– Use passwords containing both numeric and alphabetic characters.
– Do not allow an individual to submit a new password that is the same as any
of the last four passwords used.
– Limit repeated access attempts by locking out the user ID after not more than
six attempts.
– Set the lockout duration to 30 minutes or until an administrator enables the
user ID.
– If a session has been idle for more than 15 minutes, require the user to re-enter
the password in order to re-activate the terminal.
■ Maintenance scripts should have their own user schema. Oracle Retail
recommends a limited user be created at the database to handle schema
maintenance (deleting data from the database). This can be accomplished by
granting execute rights only on delete store procedures.
– Set the following rights when using an Oracle database:
* ALTER SESSION
* CONNECT
* SELECT_CATALOG_ROLE
* GRANT EXECUTE on PROCEDURE
– Set the following rights when using an IBM DB2 database:
* CONNECT
* IMPLICIT_SCHEMA
* GRANT EXECUTE on PROCEDURE
■ Maintenance scripts should only be run using a non-operating system
administrator user ID.
■ Maintenance scripts should run as part of a secure schedule job:
– An operating system user should not have the ability to log in remotely to the
database server.
– An operating system user should only use the scripts for maintenance
purposes.
– An operating system user should not have administrator rights.
– An operating system user should not have execute, read, or write permission
of any file beyond the file to execute the data maintenance script.
Note: The role with the execute procedure privilege does not need
specific access to the underlying tables.
When a user executes another user's procedure, the procedure is
executed using the privileges of the procedure owner, not the invoker.
Thus the invoker does not have direct delete privileges on the tables
contained within the stored procedure.
A public synonym provides a name for an object. This name can be used instead of the
physical name of the object and its owner, thus providing another layer of
transparency and security.
For example, the physical name for the purge EJournal stored procedure is
purge_ejrl. The synonym purge_ejournal can be created to rename the object
logically. Then, the procedure can be referenced either by purge_ejrl or
purge_ejournal.
The following steps show how to create the synonym. Examples of the SQL statements
used to create the synonym for an Oracle database are included.
1. Create the procedure.
SQL> start purge_ejrl.sql
3. Create a role.
SQL> CREATE ROLE do_ejrl_purge;
4. Create a role in the database to be used for the data source connection user.
create role <data_source_connection_role>;
12. Grant select, insert, and update for all the objects owned by the schema owner to
the data source connection role.
GRANT SELECT, INSERT, UPDATE, DELETE ON <object name> TO
<data_source_connection_role>
14. Create synonyms for all the objects owned by the schema owner.
CREATE SYNONYM <object name> FOR <schema_owner_user>.<object name>
Creating the Database Schema Owner and Data Source Connection Users
for IBM DB2
To create the database schema owner and data source connection users:
1. Log in using the database administrator user ID.
2. Create the schema owner user.
create schema <schema_owner_user> authorization Ix3Plo1
4. Grant the privileges, shown in the following example, to the schema owner user.
grant CREATEIN, DROPIN, ALTERIN ON SCHEMA <schema_owner_role> to user
<schema_owner_role> with GRANT OPTION
6. Grant the privileges, shown in the following example, to the data source
connection user.
grant CONNECT, IMPLICIT_SCHEMA ON DATABASE to <data_source_user>
7. Grant the object level privileges, shown in the following example, to the data
source connection user.
grant CREATEIN ON SCHEMA <data_source_user> to user <data_source_user> with
GRANT OPTION
12. Create synonyms for all the objects owned by the schema owner.
CREATE SYNONYM <object name> FOR <schema_owner_user>.<object name>
Password policies can be enforced via a password complexity verification script, for
example:
UTLPWDMG.SQL
The password complexity verification routine can ensure that the password meets the
following requirements:
■ Is at least four characters long
■ Differs from the user name
■ Has at least one alpha, one numeric, and one punctuation mark character
■ Is not simple or obvious, for example, welcome, account, database, or user
■ Differs from the previous password by at least three characters
For example, to set the password to expire as soon as the user logs in for the first time:
CREATE USER jbrown
IDENTIFIED BY zX83yT
...
PASSWORD EXPIRE;
Audit Log
A chronological record of system activities. It provides a trail sufficient to permit
reconstruction, review, and examination of the sequence of environments and activities
surrounding or leading to an operation, procedure, or event in a transaction from
inception to final results. Sometimes specifically referred to as the security audit trail.
Cardholder Data
The full magnetic stripe or the PAN plus any of the following:
■ Cardholder name
■ Expiration date
■ Service code
Glossary-1
ccsrch utility
ccsrch utility
ccsrch is a utility provided by TrustWave to identify un-encrypted or un-masked
sensitive data. For more information, see the following website:
http://sourceforge.net/projects/ccsrch/
Compensating Control
Compensating controls may be considered when an entity cannot meet a requirement
explicitly as stated, due to legitimate technical or documented business constraints,
but has sufficiently mitigated the risk associated with the requirement through
implementation of other controls. Compensating controls must do the following:
■ Meet the intent and rigor of the original stated PABP requirement.
■ Repel a compromise attempt with similar force.
■ Be "above and beyond" other PABP requirements (not simply in compliance with
other PABP requirements).
■ Be commensurate with the additional risk imposed by not adhering to the PABP
requirement.
DSS
Data Security Standard
PCI-DSS is a multifaceted security standard that includes requirements for security
management, policies, procedures, network architecture, software design and other
critical protective measures.
DTM
Data Transmission Message
XML representation of a transaction that contains all data stored in the database.
Placed on a JMS queue to move transaction data between the store and enterprise.
Encryption
The process of converting information into an unintelligible form except to holders of
a specific cryptographic key. The use of encryption protects information between the
encryption process and the decryption process (the inverse of encryption) against
unauthorized disclosure.
Glossary-2
PABP
ISD
The ISD Tender Suite provides support for tender types including the following:
■ Credit Card
■ Debit Card
■ Check
■ Pre-Paid/Stored Value/Gift Card
■ Private Label Credit Card
■ Electronic Benefits Transfer (EBT)
■ Fleet Card
■ Phone Card
■ Payroll Card
■ Corporate Purchasing Card
The ISD Tender Suite can accept multiple tender types from a wide variety of
transaction delivery channels including point-of-sale devices, call centers, wireless
devices, and the internet. It provides the ability to reliably process payments 24 hours,
7 days a week.
Mask
Display only a subset of the credit card number.
OWASP
Open Web Application Security Project
A worldwide free and open community focused on improving the security of
application software. For more information, see the following website:
http://www.owasp.org.
PA-DSS
Payment Application Data Security Standard
A new standard based on the Visa Payment Application Best Practices (PABP).
PABP
Payment Application Best Practices
A standard developed by Visa to assist software vendors in creating secure payment
applications that help retailers and agents mitigate compromises, prevent storage of
sensitive cardholder data (that is, full magnetic stripe data, CVV, CVV2, or PIN data),
and support overall compliance with the Payment Card Industry Data Security
Standard (PCI-DSS).
Glossary-3
PAN
PAN
Primary Account Number
The defining factor in the applicability of PCI-DSS requirements and the PABP. If the
PAN is not stored, processed, or transmitted, PCI-DSS and PABP do not apply.
Password
A string of characters that serve as an authenticator of the user.
Payment card
VISA, MasterCard, Discover, American Express, and JCB.
PCI-DSS
Payment Card Industry Data Security Standard
POSLog
Data captured at the point-of-sale, represented as XML according to the schema
defined by the IXRetail standard.
SSH
Secure shell. Protocol suite providing encryption for network services like remote
login or remote file transfer.
Strong Cryptography
General term to indicate cryptography that is extremely resilient to cryptanalysis. That
is, given the cryptographic method (algorithm or protocol), the cryptographic key or
protected data is not exposed. The strength relies on the cryptographic key used.
Effective size of the key should meet the minimum key size of comparable strength
recommendations. One reference for minimum comparable strength notion, NIST
Special Publication 800-57, August, 2005
(http://csrc.nist.gov/publications/), and others that meet the following
minimum comparable key bit security:
■ 80 bits for secret key based systems (for example, TDES)
■ 1024 bits modulus for public key algorithms based on the factorization (for
example, RSA)
■ 1024 bits for the discrete logarithm (for example, Diffie-Hellman) with a minimum
160 bits size of a large subgroup (for example, DSA)
■ 160 bits for elliptic curve cryptography (for example, ECDSA)
Truncate
Practice of removing a data segment. Commonly, when account numbers are
truncated, the first 12 digits are deleted, leaving only the last 4 digits.
Glossary-4
Vulnerability
Two-factor authentication
Authentication that requires users to produce two credentials to access a system.
Credentials consist of something users have in their possession (for example,
smartcards or hardware tokens) and something they know (for example, a password).
To access a system, a user must produce both factors.
User ID
A character string used to uniquely identify each user of a system.
Vulnerability
Weakness in system security procedures, system design, implementation, or internal
controls that could be exploited to violate a system security policy.
Glossary-5
Vulnerability
Glossary-6