
R12: Setting Up Payment Wallets for Funds Disbursement (Payables Payments) [ID 1430916.1]
Modified: Nov 1, 2012 Type: BULLETIN Status: PUBLISHED Priority: 2

In this Document
  Purpose
  Scope
  Details
    1. What are "wallets"?
    2. HTTP client authentication
    3. Encryption
    4. Creating a Wallet file (OWM)
    5. Finalizing the creation of a wallet file (EBS)
  Have more questions?
  References

Applies to:
Oracle Payments - Version 12.0.0 to 12.1.3 [Release 12.0 to 12.1] Information in this document applies to any platform.

Purpose
This article is intended to assist Oracle Payables users to learn about "wallet" functionality -- as it relates to supplier/creditor payments -- and how to use it.

Scope
This article will be limited to a discussion of wallet functionality for the following versions of the Oracle E-Business Suite: versions 12.0.0 through 12.1.3. This article discusses wallet functionality related to Funds Disbursement (Payables) activities only.

If you have questions related to credit card encryption for Funds Capture (Receivables/CRM) functionality, please refer to the following Notes in My Oracle Support:

- 602155.1 iPayment Wallet Explained
- 863053.1 How To Encrypt Credit Card Data In Release 12
- 1300956.1 How To Rotate Payments Encryption Wallet After Clone From Production
- 1118887.1 How To Setup a Wallet At R12 Level In scope Of PA-DSS Implementation?
- 1301337.1 How To Enable Oracle Payments Data Encryption Functionality

Details

1. What are "wallets"?


Wallets are files that contain the information necessary to accommodate two possible functionalities (encryption and client authentication) related to paying trusted partners electronically. Depending on the purpose (encryption or client authentication), how and where you create the wallet (and what information is included) will be different.

Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 4-8

The contents of the wallet file are managed by Oracle Wallet Manager [a program which is separate from the E-Business Suite of applications, together with the Wallet Setup page found within the E-Business Suite.] The wallet file has two functions:

- to perform HTTP client authentication of your middle-tier server for payment systems that require this level of security

  When used for client authentication, the wallet contains the private key of the entity authorized to send transactions to the payment system (usually the counterpart to the middle-tier server's public certificate). This is sensitive data and, depending on how much trust is placed in the ability to authenticate as the certificate's subject, potentially damaging if compromised.

- to store the system (master) security key used to encrypt sensitive data

  Storing the system key in the wallet file provides greater security for the encrypted payment instrument data since the system key resides outside the Oracle Payments database. As this key is used to secure such data as credit card numbers, compromise of the wallet is highly damaging.

The purpose of....the Wallet Setup page [within the E-Business Suite] is to:

- specify the location of the wallet file
- define the password for the wallet file
- specify whether to generate the system key yourself or let the system do it

2. HTTP client authentication


The Oracle Payments module (IBY) supports two types of authentication of the payment system:

- Basic authentication between Oracle Payments and payment system servlets
- Authentication of an engine which is a client of the servlet in a machine outside the firewall

Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 3-5

Basic Authentication for Payment Systems

For setting up security for basic authentication between Oracle Payments and payment system servlets, you must perform some tasks both in the Oracle Payments setup user interface and in the Apache Server administration tool. While configuring Oracle Payments for a particular payment system, you must assign the payment system user name and password in the payment system configuration screens. You must assign the same user name and password in the Apache Server that runs the payment system servlets. For details on setting up basic authentication in Apache Server, see the Apache Server documentation.

Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 3-6

Oracle Payments Engine to Oracle Payments Servlet Communication

Oracle Payments architecture lets you install the payment system servlet in a machine outside the firewall. If you have installed either Oracle Payments (or its components) or the source product in a distributed environment, Oracle recommends configuring SSL between Oracle Payments and the payment system components. You can create an Oracle Wallet to store certificates and credential information to support authentication of the engine, in this case a client of the servlet, by the server running the servlet.

You can specify the wallet location and password using FND profiles.

You can configure the server where the servlet is running to request client certificates (on the engine side). Oracle Payments retrieves the certificates from the Oracle Wallet and sends the certificates to the server for authentication.

3. Encryption
For Funds Disbursement transactions, you can encrypt supplier (external) bank account details to secure sensitive data. This encryption CANNOT be used for securing internal bank account data.

Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 3-5

Payment Instrument Encryption

Payment Instrument Encryption is an advanced Oracle Payments [IBY] security feature that enables Oracle Applications to encrypt credit card data [and external bank account data]. This feature assists with your compliance with the cardholder data protection requirements of the Payment Card Industry (PCI) Data Security Standard and with Visa's Cardholder Information Security Program (CISP). The Visa program is based on the PCI Data Security Standard.

When the feature is enabled, credit card and bank account numbers for external third parties, such as customers, suppliers, or students are encrypted.

Note: Other products such as iExpenses do store internal credit card numbers in Oracle Payments' tables.

Adoption of the Payment Instrument Encryption feature should be part of the implementation of a complete security policy, which is specific to your organization. For example, your security policy should include a regular schedule to rotate keys to secure your payment instrument data. For general guidelines on securing Oracle E-Business Suite applications products, see Best Practices for Securing Oracle E-Business Suite, [My Oracle Support] Document 189367.1.

4. Creating a Wallet file (OWM)


In R11i, wallets were stored on the database. To improve security, wallet definitions were moved to the user's file system in R12, and are defined using a program called "Oracle Wallet Manager" (OWM) which is a GUI tool that allows you to create and save wallets.

Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 4-8

Creating a Wallet File

To create a wallet file, you must start the Oracle Wallet Manager program. On UNIX systems this is done with the following command:

    owm

1. If the wallet will contain only the system security key, it is sufficient to create an empty wallet file.
2. If the wallet is to contain a private key for client authentication, it must be imported here.

For instance, the screenshots below show how to set up a new wallet for encryption purposes: Oracle Wallet Manager - Home page

Navigation: Goto Wallet > New

1. Click on "No"
2. You will be prompted to enter a password for the wallet file
3. You will be prompted to specify whether or not you wish to create a certificate request. For encryption functionality, you only need to create a "blank" wallet, so click on "No"

This creates an empty wallet as shown below:

1. Use the Goto Wallet menu option to ensure that the Autologin flag is UNCHECKED (this is a MUST for an encryption wallet)
2. Then select Wallet > Save
3. Specify a directory (as shown below)

This will create and save a new "blank" wallet file called ewallet.p12 (default name) as shown below:

To complete the creation of the wallet, you'll use the Wallet Setup page in EBS (see Section 5 below) to specify the full path and file name in order to enable the encryption. After the encryption is enabled, you'll see 2 files in the directory:

- ewallet.p12 (the blank wallet that you created above)
- cwallet.sso (a passwordless binary file that can be read by Oracle Payments APIs)
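Because cwallet.sso is passwordless, file-system permissions are the only control on who can read it. The following added example (not part of the Oracle note) checks a wallet directory for the two files listed above (ewallet.p12 and cwallet.sso) and flags modes that give group or other users access. The owner-only policy is an assumption, since the note does not state required permissions, and the sample directory is constructed.

```python
import os
import stat
import tempfile

WALLET_FILES = ("ewallet.p12", "cwallet.sso")

def audit_wallet_dir(path):
    """Return a list of findings for the wallet directory at `path`."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & 0o022:
        findings.append(f"directory: mode {dir_mode:o} is writable by group/other")
    for name in WALLET_FILES:
        try:
            st = os.lstat(os.path.join(path, name))  # lstat: do not follow symlinks
        except FileNotFoundError:
            # Expected for cwallet.sso until encryption is enabled in EBS.
            findings.append(f"{name}: missing")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{name}: not a regular file")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # assumption: only the owning OS account needs access
            findings.append(f"{name}: mode {mode:o} is accessible to group/other")
    return findings

def build_sample_dir():
    # Constructed sample: a throwaway directory with placeholder wallet files.
    path = tempfile.mkdtemp()
    for name, mode in (("ewallet.p12", 0o600), ("cwallet.sso", 0o644)):
        full = os.path.join(path, name)
        with open(full, "wb") as fh:
            fh.write(b"placeholder")
        os.chmod(full, mode)
    return path

if __name__ == "__main__":
    for finding in audit_wallet_dir(build_sample_dir()):
        print(finding)
```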

5. Finalizing the creation of a wallet file (EBS)


Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 4-7

Step 2. Setting Up System Security Options

System security options enable you to set security options for payment instrument encryption, masking, and credit card control. These options are used for both funds capture and funds disbursement processes. Payments uses the settings to handle security issues, such as encrypting payment instrument sensitive data, payment instrument masking, and credit card owner verification controls.

For payment instrument encryption, Payments uses a chained key approach. To simplify, the chained key approach is where A encrypts B and B encrypts C. In Oracle Payments, the system key encrypts the subkeys and the subkeys encrypt the payment instrument data. This approach allows easier rotation of the system key. The system key is the encryption master key for the entire installation. It is stored in a wallet file and is used to encrypt Oracle Payments subkeys.

Pre-requisite

Before you can set up security options, you must set up a wallet [using the Oracle Wallet Manager program from Unix].
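The chained key approach described above, as an added Python example that is not Oracle Payments code: a system key wraps a subkey, the subkey encrypts the account data, and rotating the system key re-wraps only the subkey. The cipher is a stand-in built from HMAC-SHA256 so the example runs on the standard library alone; `KeyChain` and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets

def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def keystream_xor(enc_key, nonce, data):
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(prf(enc_key, nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    # Stand-in encrypt-then-MAC cipher built on HMAC-SHA256; not Oracle's algorithm.
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + prf(prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or tampered ciphertext")
    return keystream_xor(prf(key, b"enc"), nonce, ct)

class KeyChain:
    """Hypothetical model: system key -> wrapped subkey -> encrypted rows."""
    def __init__(self, system_key):
        self.wrapped_subkey = seal(system_key, secrets.token_bytes(32))
        self.rows = {}

    def store(self, system_key, owner, account_number):
        subkey = unseal(system_key, self.wrapped_subkey)
        self.rows[owner] = seal(subkey, account_number.encode())

    def load(self, system_key, owner):
        subkey = unseal(system_key, self.wrapped_subkey)
        return unseal(subkey, self.rows[owner]).decode()

    def rotate_system_key(self, old_key, new_key):
        # Re-wrap the subkey only; the encrypted rows are not rewritten.
        self.wrapped_subkey = seal(new_key, unseal(old_key, self.wrapped_subkey))

if __name__ == "__main__":
    old, new = secrets.token_bytes(32), secrets.token_bytes(32)
    chain = KeyChain(old)
    chain.store(old, "SUPPLIER-1", "0012345678")  # constructed sample value
    chain.rotate_system_key(old, new)
    print(chain.load(new, "SUPPLIER-1"))
```

After rotation the stored rows are byte-for-byte unchanged, which is why rotating the system key stays cheap however many payment instruments are encrypted.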

Oracle Payments Implementation Guide Release 12.1 Part No. E13416-04 August 2010 Page 4-8

Once the wallet file is accessible to the middle-tier server, it is initialized with the system security key using the following Oracle Payments navigation: Oracle Payments Setup > System Security Options [Figures 5.1 and 5.2 below]

You have the option of importing your own 24-bit system security key (stored in a binary file whose location is specified through the user interface) or you can generate a random one. Once the wallet setup process is complete, a system security key exists in the wallet, and a passwordless version of the wallet named "cwallet.sso" is created in the same directory as the original wallet file.

Encrypting Payment Instruments [Figure 5.3 below]

In the System Security Options setup page, you specify whether you want to enable or disable encryption of payment instruments and whether you wish the encryption to occur immediately when new payment instruments are registered or be performed on a regularly scheduled basis for performance reasons.

Masking Payment Instruments [Figure 5.4 below]

In the System Security Options setup page...external bank account numbers can be masked by selecting the number of digits to mask and display.

Defining the Wallet File Password [Figure 5.5 below]

To define the password for the wallet file in the Wallet Setup page, enter any string. This password is used to encrypt the wallet file.

Specifying or Generating the System Key File Location [Figure 5.5 below]

In the Wallet Setup page [accessed via the System Security Options page], you can provide the system key by specifying the location of the system key file or you can let the system generate the system key for you. In either case, the specified or generated key is put into the wallet file and encrypted with the password you provide.

Figure 5.1: Accessing the System Security Options setup page
RESPONSIBILITY: Payments Setup Administrator
NAVIGATION: Oracle Payments Setup main menu > Shared Setup group > System Security Options > click on the Go To Task icon

Figure 5.2: The System Security Options page

Figure 5.3: The encryption region
In this region, you can enable or disable encryption of payment instruments, and set when you want the encryption to occur.

Figure 5.4: The masking region
In this region, credit cards (for FC) and external bank account numbers (for FC and FD) can be masked by selecting the number of digits to mask and display.

Figure 5.5: The Wallet Setup page (click on the Wallet Setup button)
Use this page to:

- specify the location of the wallet file
- define the password for the wallet file
- specify whether to generate the encryption system key yourself, or let the system do it

Have more questions?


Join our growing Oracle Payables Community and learn from your peers and Oracle on how to address your unique issues in AP!

You can access the main Oracle Communities page at http://communities.oracle.com (If you are enrolled, the Payables community will be listed on your left. If you're not already enrolled in the Payables community, you can do so by clicking on the link Edit Subscriptions).

OR from "My Oracle Support" as follows:

1. Log into My Oracle Support (Flash or Classic).
2. Click the "Community" link at the top of the page.
3. Click [Enter Here] on the following page.
4. Select the community from the "My Communities" list on the top-left.

References
NOTE:1118887.1 - How To Setup a Wallet At R12 Level In scope Of PA-DSS Implementation?
NOTE:1301337.1 - How To Enable Oracle Payments Data Encryption Functionality
NOTE:189367.1 - Secure Configuration Guide for Oracle E-Business Suite 11i
NOTE:602155.1 - iPayment Wallet Explained
NOTE:863053.1 - How To Encrypt Credit Card Data In Release 12
