Title: Oracle Financial System
1 Oracle Financial System
- Mary Ann Carr
- September 14, 2000
2 Financial Management Project
- The Financial Management Project (FMP) is a university-wide initiative to improve Carnegie Mellon's financial systems and processes. FMP includes implementation of:
  - Integrated financial system (Oracle)
  - Redesigned work processes
  - Financial policies and consistent, university-wide procedures
  - Comprehensive user education
3 Oracle Implementation Timeline
- May 1997 - Acquired Oracle Applications and development tools
- August 1997 - Beta Test Grants Management
- 1998 - 1999 - Project Implementation
- November 1999 - Big Bang Go-Live
- Today - System Stabilization and Upgrade Preparation
  - 300 Central and Campus Business Users
  - 600 Casual Users
4 FMP Deployment Requirements
- Support all major campus desktop platforms
- Achieve excellent performance on all platforms
- Implement a thin client
- Minimize software installation, distribution and maintenance
- Leverage existing infrastructure
- Mitigate any/all security risks
5 Oracle Applications Overview
- Core Financial Applications
- Self Service Web Applications
- Application Desktop Integrator Applications
- Budget Spreadsheet
- Feeder File Interface System
- CITRIX Application Server
6 Core Financial Applications - Overview
- Internet (Network) Computing Architecture
- Multi-Tier Architecture
  - Database Tier - DB, stored procedures, executables
  - Application - web server, forms server
  - Client - Java-enabled web browser or applet viewer, forms client applet
- GUI Interface with Thin Client Implementation
- Java Applet connects to Oracle's forms server, excepting initial signon HTML page
7 Multi-Tier Architecture
8 Self Service Web Applications
- Web-based Interface for Casual Users (travel expense reporting, pcard distributions)
- HTML and JavaScript
- Direct connection to an HTTP listener running Oracle Web Application Server
- Logic is executed through the Web Application Server's PL/SQL Cartridge, and Java servlets
- Database communication via JDBC
9 Application Desktop Integrator
- Excel-based interface and extension to Oracle application database
- Supports budget entry, journal entry, reporting, and analysis
- Communicates via SQL*Net to database
10 Budget Spreadsheet
- Custom Excel-based budgeting tool
- Template files stored on file server
- Working budget files updated and stored locally
- Two possible transport mechanisms
  - Budget inload functionality of ADI
  - Web-based upload to interface tables
11 Feeder File Interface System
- Mechanism for uploading feeder files for import into Oracle GL and/or GM
- Validates and inloads feeder transactions
- Provides e-mail notification of process success/failure
12 CITRIX Application Server
- NT terminal server implementation to support UNIX, Macintosh and low-end PCs
- Access to Core Financials
- Access to ADI
- Possible file server for budget spreadsheet
13 System Configuration
14 Core Financial Applications Security
- Features
  - Signed Java Applet guarantees its authenticity to the forms client and ensures that the forms server only accepts connections from certified forms clients (open TAR)
  - All communication between the Forms client applet and forms server is encrypted using the RSA RC4 40-bit standard form of encryption
  - Application level security intact: login id/password challenge/response
- Concerns
  - Neither Web Browser (w/Java Plug-In, JInitiator) nor Applet Viewer supports Secure Socket Layer transport (data encryption between the client and web server) at this time; desire for stronger encryption
  - No certified Macintosh or Unix JVM as of 3/31/99
  - Additional login/password; desire to move to Kerberos-based single sign-on
15 Self Service Web Applications Security
- Features
  - Supports Secure Socket Layer transport (data encryption between the client and web server)
  - Application level security intact: login id/password challenge/response
- Concerns
  - Additional login/password; desire to move to Kerberos-based single sign-on
16 Application Desktop Integrator Security
- Features
  - Application level security intact: encrypted login id/password challenge/response
  - Ability to implement Oracle's advanced networking option for stronger encryption
- Concerns
  - Additional login/password; desire to move to Kerberos-based single sign-on
  - Physical security of local files; training issue
  - Excel is susceptible to viruses; train users to use anti-virus protection and to use caution when enabling embedded macros
17 Budget Spreadsheet Security
- Features
  - Supports Secure Socket Layer transport (data encryption between the client and web server) via HTTPS to upload site
  - Kerberos authentication of Andrew ID
- Concerns
  - Physical security of local files; training issue
  - Excel is susceptible to viruses; train users to use anti-virus protection and to use caution when enabling embedded macros
18 Feeder File Interface Process Security
- Features
  - Secure transfer options
    - HTTPS - Andrew authenticated and SSL encrypted, web-based upload
    - SCP - encrypted transfer via public key encryption for Unix to Unix transfers
  - Secured directory structure based on authenticated user id and limited access (only upload or download)
- Concerns
  - Physical security of local files with hardcoded login/password; training issue
19 CITRIX Application Server Security
- Features
  - Standard NT account security (encrypted login)
  - RSA RC5 add-on option
  - Secured directory structure based on authenticated user id and limited access
  - Supports all standard Oracle application security features
- Concerns
  - Virus susceptibility; use anti-virus protection
  - Security holes in NT; apply service packs and all patches
20 FMP Application Security
- Application Username/Password
- Custom responsibilities determine which forms, reports, functions, and data users can access
- Employee level set-ups determine approval relationships (workflow) and purchasing authority
- Secured value sets limit the range of data users can access by responsibility
- Customizations provide additional security to implement business rules, e.g. GM Award Security Extension
21 Additional Security Measures
- Firewall (TIS) prevents direct connection to any administrative host
- Business Net isolates trusted user community (caveat: need to verify on an ongoing basis)
- SSH 1.2.26 for encrypted developer connections
- Reset Oracle's default passwords for root accounts
- Audit user sessions (performance considerations)