2 Securing Oracle Banking Branch

You can use various programs available within Oracle Banking Branch to help in the maintenance of security and secure the desktop operating system.

Desktop Security

Refer to the vendor-specific relevant sections for securing the desktop operating system. In addition, refer to the browser-specific security settings mentioned in the vendor-specific docs.

Refer to the client browser settings required for Oracle Banking Branch.

Oracle Banking Branch Controls

This section describes the various programs available within Oracle Banking Branch to help in the maintenance of security. Access to the system is possible only if the user logs in with a valid ID and the correct password. The activities of the users can be reviewed by the Security Officer in the Event Log and the Violation Log reports.

Table 2-1 Oracle Banking Branch Products Controls

Control: Disable Logging

Description: It is recommended that the debug logging facility of the application be turned off once the system is in production. This is achieved by updating the logback.xml file of the application.

The above-described practice does not disable logging performed by the application in the database tier. This can be disabled by running the lockdown scripts provided. The lockdown scripts will disable logging across all modules and all users in the system.

Control: Sign-on Messages

Description:

  • Message - User Authentication Failed/Invalid Login

    Explanation - An incorrect user ID or password was entered.

  • Message - User Status is Locked. Please contact your System Administrator

    Explanation - The user profile has been disabled because of an excessive number of login attempts using an incorrect user ID or password; the number of successive login failures reached the limit configured for the system.

Authentication and Authorization

Only authenticated users can access the system. In addition, a user must have access rights to execute a function. The user profile of a user contains the User ID and the functions to which the user has access. Oracle Banking Branch operations such as new, copy, query, unlock, and so on are enabled based on the function rights available to the user. The function rights are checked for each operation performed by the user in the Security Management Service module of Oracle Banking Branch.

Role-Based Access Controls

The role-based access controls are:
  • Application level access has been implemented via the Security Management System (SMS) module.

  • SMS supports “ROLE BASED” access of screens and different types of operations.

  • Oracle Banking Branch supports dual control methodology, wherein every operation performed has to be authorized by another user with the requisite rights.

  • SMS provides an option to map multiple roles for a user in a given branch. Allowed operations are mapped to the roles and SMS authorizes the user based on it.

Access Controls - Branch Level

SMS provides branch-level access through the roles provided for the user at a particular branch.

Maker – Checker

The application supports dual control methodology, wherein every operation performed has to be authorized by another user with the requisite rights.

Access Enforcement

Access management in Oracle Banking Branch can be done in two steps:
  • Branch level: In this case the user cannot even view the menu list of Oracle Banking Branch when trying to log in to a restricted branch. Thus, no transactions can be performed.

  • Role-wise: As described above, based on the user-role mapping, the user can access different functions of Oracle Banking Branch. For example, a bank clerk will have access to customer creation, account opening, term-deposit opening, and liquidation screens, but will not have access to the User Creation function.

Password Management

The Oracle Banking Branch application relies on external password management and does not store any credentials. If an external LDAP is used, password management and policy rules can be set there (for example, in the WebLogic Embedded LDAP, the user and password rules can be configured via the WebLogic admin console). If OIM/OAM is configured, password management and policy rules can be set on OIM. In the case of SAML, the Identity Provider (IdP) takes care of the password policies.

Certain user password related parameters should be defined at the system level. These parameters apply to all users of the system. Examples of such parameters are the number of invalid login attempts after which a user ID should be disabled, and the maximum and minimum length of a password.

Note:

For more information on Password Management, refer to Password Policies in this guide.

Password Policies

To enable the password validation criteria, set the PASSWORD_VALIDATION_FLAG flag in the SECURITY_CONFIG table to Y.

Table 2-2 SECURITY_PASSWORD_VAL_CONFIG

Property           Value        Description
MIN_PSWD_LEN       Any integer  Minimum password length required
MAX_PSWD_LEN       Any integer  Maximum password length allowed
MIN_PSWD_AGE       Any integer  Not used currently
MAX_PSWD_AGE       Any integer  Not used currently
FLAG_UPPER_CHAR    Y/N          Y - Uppercase characters required
NUM_MAND_UPPER     Integer      Minimum uppercase characters required. Checked only if FLAG_UPPER_CHAR is set to Y
FLAG_LOWER_CHAR    Y/N          Y - Lowercase characters required
NUM_MAND_LOWER     Integer      Minimum lowercase characters required. Checked only if FLAG_LOWER_CHAR is set to Y
FLAG_SPECIAL_CHAR  Y/N          Y - Special characters required
NUM_MAND_SPECIAL   Integer      Minimum special characters required. Checked only if FLAG_SPECIAL_CHAR is set to Y
FLAG_NUMERIC_CHAR  Y/N          Y - Numeric characters required
NUM_MAND_NUMERIC   Integer      Minimum numeric characters required. Checked only if FLAG_NUMERIC_CHAR is set to Y
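The following is an added example, not code from Oracle Banking Branch, showing how the PASSWORD_VALIDATION_FLAG gate and the SECURITY_PASSWORD_VAL_CONFIG rules above combine when a candidate password is checked. The configuration values are constructed samples, and the set of "special" characters is an assumption since the guide does not define it.

```python
import string

# Constructed sample rows; the column names follow the tables in this guide.
SECURITY_CONFIG = {"PASSWORD_VALIDATION_FLAG": "Y"}
SECURITY_PASSWORD_VAL_CONFIG = {
    "MIN_PSWD_LEN": 10,
    "MAX_PSWD_LEN": 32,
    "FLAG_UPPER_CHAR": "Y", "NUM_MAND_UPPER": 1,
    "FLAG_LOWER_CHAR": "Y", "NUM_MAND_LOWER": 1,
    "FLAG_SPECIAL_CHAR": "Y", "NUM_MAND_SPECIAL": 1,
    "FLAG_NUMERIC_CHAR": "N", "NUM_MAND_NUMERIC": 2,  # ignored while flag is N
}

# One entry per FLAG_*/NUM_MAND_* pair. Assumption: "special" means ASCII
# punctuation; the guide does not define the character set.
_CLASSES = [
    ("FLAG_UPPER_CHAR", "NUM_MAND_UPPER", set(string.ascii_uppercase), "uppercase"),
    ("FLAG_LOWER_CHAR", "NUM_MAND_LOWER", set(string.ascii_lowercase), "lowercase"),
    ("FLAG_SPECIAL_CHAR", "NUM_MAND_SPECIAL", set(string.punctuation), "special"),
    ("FLAG_NUMERIC_CHAR", "NUM_MAND_NUMERIC", set(string.digits), "numeric"),
]


def validate_password(password, security_config=SECURITY_CONFIG,
                      val_config=SECURITY_PASSWORD_VAL_CONFIG):
    """Return the list of violated rules; an empty list means the password passes."""
    # With PASSWORD_VALIDATION_FLAG not set to Y, no criteria are enforced.
    if security_config.get("PASSWORD_VALIDATION_FLAG") != "Y":
        return []
    violations = []
    min_len, max_len = int(val_config["MIN_PSWD_LEN"]), int(val_config["MAX_PSWD_LEN"])
    if len(password) < min_len:
        violations.append("shorter than MIN_PSWD_LEN=%d" % min_len)
    if len(password) > max_len:
        violations.append("longer than MAX_PSWD_LEN=%d" % max_len)
    for flag_key, num_key, chars, label in _CLASSES:
        if val_config.get(flag_key) != "Y":
            continue  # NUM_MAND_* is checked only when its FLAG_* is Y
        required = int(val_config.get(num_key, 0))
        found = sum(1 for c in password if c in chars)
        if found < required:
            violations.append("needs %d %s character(s), found %d" % (required, label, found))
    return violations
```

Note that with the sample configuration a password without digits is accepted because FLAG_NUMERIC_CHAR is N; NUM_MAND_NUMERIC only takes effect once that flag is switched to Y.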