
Oracle Banking Platform - OBP


Security Overview - Part I

Safe Harbor Statement


Due care has been taken to make this Presentation as accurate as possible. Certain statements made in this
presentation may not be based on historical information or facts and may be forward looking statements and
may be subject to risks and uncertainties that could cause actual results to differ materially and adversely from
those that may be projected by such forward looking statements.
These risks and uncertainties and other factors that could affect, including but not limited to, competition,
acquisitions, economic conditions, ability to retain highly skilled employees, technology, law and regulatory
policies, managing risks associated with its business.
Oracle makes no representation or warranties with respect to the contents hereof and shall not be responsible
for any loss or damage caused to the user by the direct or indirect use of this Presentation. Oracle may alter,
modify or otherwise change in any manner the content hereof, without obligation to notify any person of such
revision or changes.
All company and product names are trademarks of the respective companies with which they are associated.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. FLEXCUBE, Daybreak, Mantas and
Reveleus, are trademarks of Oracle Financial Services Software and are registered in several countries.
COPYRIGHT 2013 Oracle Financial Services Software Limited.
All rights reserved.

ORACLE BANKING PLATFORM

[Diagram: Oracle Banking Platform capability map. Legend: core Oracle Banking Platform capability; complementary capability provided by Oracle; 3rd-party capability not provided by Oracle.]

OBP Security Key Messages


Externalized security
Secure by default
Enforcements wired-in
Protection domain discovery
Entitlements artifacts lifecycle tooling

Table Of Contents

High Level Architecture


User provisioning
Authentication/Single Sign On
Entitlements
Security lifecycle and SCM
Extensibility
Module Integrations
List Of Use Cases

Security - High Level Architecture

OIM is used for user creation; its provisioning feature propagates user profile data into OID.
OAM is used for asserting SSO and uses the user details persisted in OID.
The OBP security module uses the OPSS API; OBP application components are unaware of the underlying OPSS API.
APM is used for the maintenance of policies, which are persisted in OID or in the DB.
OAAM is used for step-up authentication and risk profiling.
OWSM is used for web services security.
Approvals use the SOA Suite (BPEL workflows).

OID  - Oracle Internet Directory
OIM  - Oracle Identity Manager
OAM  - Oracle Access Manager
OES  - Oracle Entitlements Server
SSM  - Server Security Module
APM  - Authorization & Policy Manager
OPSS - Oracle Platform Security Services
OWSM - Oracle Web Services Manager
SOA  - Oracle SOA Suite
OHS  - Oracle HTTP Server
EM   - Oracle Enterprise Manager Fusion Middleware Control

High Level Architecture - Problems addressed

User provisioning
  Central management of the user profile lifecycle
  Creation/retirement and propagation to systems
  Management of password policies

Single Sign-on
  Manage sign-on to multiple applications
  Manage timeouts uniformly

Oracle Platform Security Services (OPSS)
  Centralized management of access policies
  Rules-based access control

[Diagram: the user, provisioned through OIM, signs on to OBP and the participating applications IPM, BIP, Work-list and Documaker.]

High Level Architecture Contd.

[Diagram: OBP functions and interfaces - identities / policies, portal, step-up authentication / fraud assertions, workflow, documents, services, reports, data-store, monitoring.]


User provisioning data flows

External user provisioning: implements hooks for KYC.
Internal user provisioning.

User provisioning use cases
  Employee on-boarding: SPML web services
  Customer on-boarding: origination process
  User propagation: OIM to OID LDAP sync
  Password policy maintenance
  Self-service registration
  Corporate / Partner on-boarding (feature extension)

User provisioning Contd.

[Diagram: users, groups, group membership and the user profile are provisioned from OIM into OID.]

User profile enhancements - extra attributes on the user profile
  Mandatory attributes
    Home Branch
    Last Logged-In DateTime
    2FA Status
    PartyId
    Target Unit
    Accessible Target Units
  Optional attributes
    Is Enrolled For 2FA
    2FA Status NonActive BeginDate
    2FA Status NonActive EndDate
    Brand
    Forum Nickname
    Accreditation


Authentication and Single sign on

Data flows
  OAM gets the login profile from OID.
  OAM intercepts the access call to OBP and authenticates the user.
  OAM ensures single sign-on across participating applications (configurable).
  SSO across various enterprise applications for internal users.

[Diagram: the user accesses the URL through OHS and the OAM webgate; OAM gets the login profile from OID, which OIM provisions; on the OBP UI server the OAM asserter and the OID authenticator construct the JAAS subject.]

Federation data flows

1. The user accesses a protected resource.
2. The user is displayed a login page by the third-party SSO product.
3. The user submits credentials.
4. The protected resource from the SSO-participating application is displayed to the authenticated user (landing page).
5. The user accesses the OBP link from the landing page.
6. The third-party SSO product federates the identity to OAM (through the web tier / webgate).
7. OAM asserts the identity and gives access to the OBP resource.

OBP SSO participating applications: OBP UI, BPM worklist, BIP.


OPSS Entitlements - Identity/Policy store

Security setup
  Authenticators: OID authenticator, OVD authenticator
  Policy re-association
  weblogic-application.xml manifest
  Trust service configuration
  Anonymous use cases: defaultuser=anonymous

Identity store: OID (populated through the OIM connector)
Policy store: OID (used by the WebLogic domains)
OPSS Entitlements - Users/Roles/Services

A user belongs to the enterprise.
Users are mapped to enterprise roles (used organization-wide).
Enterprise roles are mapped to application roles (application roles are used within the application).
Access policies for services are defined on application roles.

Enterprise role / Application role (functional view)
  OES Administrators
  OIM System Administrator
  User
  OBP Security Configurator
  Executive
  System Entitlements
  OAAM: OAAMEnvAdminGroup, OAAMInvestigationManagerGroup, OAAMRuleAdministratorGroup

Entitlements - Resource Types

Resource types protected by access policies:

Service
  A Service is an endpoint: a class and method name, independent of the access mechanism (SOAP, XML over HTTP, etc.).
  e.g. DemandDepositManager.creditCash

Page
  A jspx or jsff page. Access policies are defined on the page definitions.
  e.g. com.ofss.fc.ui.view.txn.customerInformation.pageDefn.casaAcctDetailsPageDef

Task Flow
  An ADF Task Flow.
  e.g. /WEB-INF/LoanInquiryTaskflow.xml#LoanInquiryTaskflow

UI Control
  Any panel, button, etc.
  e.g. LoanAccountCBRDetails.region.regLoanAccountInformation

Report
  A pre-shipped report name.
  e.g. TP050

Service Response Element
  An output field from a service. Used to protect / hash a response field if the user does not have access.
  e.g. DemandDepositManager.inquireAccountBalance.SavingsBalanceInquiryResponse.SavingsBalanceReportDTO.netBalance

Report Field
  Similar to the service response element.
  e.g. AP1011.accountBalance

Entitlements - Resource Types Contd.

[Diagram: user requests flow through the UI server, the middleware server and the SOA server, with entitlement checks at each tier.]

OPSS Entitlements / Fraud assertions / Approvals

Security provisioning - broad categories
  Roles / Policies
  Approval checks
  Transaction limits
  Transaction blackout
  Routing definition / Matrix-Auth

How do I get artifact names

[Screenshots]
  Search on any resource name or description, using the auto-suggested possibilities (example: CASA001 or Add Transaction).
  Double-click on a resource to drill down to the next level.
  Guided navigation through highlights (steps 1, 2, 3).
  The security profile of the searched resource is displayed in tabs (read-only).

Policy management using OES/APM

[Screenshots: roles, page attributes and the authorization policy; OBP attributes and the access policy rule builder.]

Roles / Policies - Factory shipment

Set of factory-shipped roles
  Standard roles added based on previous implementation experience (example: Configurator, Customer Services Manager, etc.)
  Each application role is mapped to an enterprise role having the same name (example: the application role Configurator is mapped to enterprise-role=Configurator)
  The mapping can be changed at implementation time

Set of factory-shipped policies
  Access policies using the above roles on pages / task-flows / services, based on previous implementation experience
  Uses data from SM545 for the Page - Task-flow - Service linkage
  Default matrix-based policies present for supported services:
    Credit Decision
    Structure solution
    Hardship Relief
    Event Level Price Benefit Chart
    Some transactions having fee negotiations (Offer swap, Adhoc fees, etc.)

Set of factory-shipped policies to enable relationship access
  A Customer role is shipped with access to the events that a banker executes on behalf of the customer.
  Example: [grant, //role/Customer, //resource/DD_CASH_WITHDRAWAL, //perform]

Roles / Policies - Implementation activities

Identify and add additional roles
  Map application roles to the appropriate enterprise roles
  Example: add role=Operator; map application-role=Operator to enterprise-role=Operator

Add policies
  Access policies on pages / task-flows / services as necessary
  Deny policies on UI components
  Example: [deny, //resource/PI042.pt1:btnUpdate, //view]
  Change matrix-based policies (rules) as necessary

Add policies to enable relationship access
  Add relationship-based roles as necessary (example: Accountant, Solicitor, etc.)
  Map application roles to enterprise roles
  Add role-based policies for the customer-facing roles
  Example: [grant, //role/Accountant, //resource/DD_CASH_WITHDRAWAL, //perform]

Note: provision access policies for the other resource types if necessary (Reports / Report-fields / Service-response-element).
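The chain the roles/policies slides describe (user, enterprise roles, application roles, grant/deny policies on a resource and action, with a rule for the matrix-based cases) is small enough to model end to end. The block below is an added example written for this page, not OBP or OPSS code; the users, role mappings, policies and the account attribute it reads are all constructed, and the deny-overrides-grant and default-deny behaviour are the semantics the slides describe rather than a reproduction of the OES engine.

```python
"""Entitlement evaluation in the shape the slides describe (added example).

Not OBP or OPSS code: a stand-alone model of
user -> enterprise roles -> application roles -> grant/deny policies,
where a policy names a resource and an action and may carry an attribute
rule (the slides' "matrix based policies (rules)").  All data is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Attrs = dict[str, object]


@dataclass(frozen=True)
class Policy:
    effect: str            # "grant" or "deny"
    principal: str         # "//role/<application role>"
    resource: str          # "//resource/<resource id>"
    action: str            # "//perform", "//view", "//enable"
    # Optional rule over OBP entity attributes; None means unconditional.
    rule: Optional[Callable[[Attrs], bool]] = None


# Constructed identity data: OID group membership gives the enterprise roles.
USER_ENTERPRISE_ROLES = {
    "alice": {"Teller"},
    "bob": {"Customer"},
    "carol": {"Accountant"},
    "dan": {"Tester"},
}
# Constructed mapping; the factory default maps each enterprise role to the
# application role of the same name, here extended with a shared "User" role.
ENTERPRISE_TO_APP_ROLES = {
    "Teller": {"Teller", "User"},
    "Tester": {"Tester", "User"},
    "Customer": {"Customer"},
    "Accountant": {"Accountant"},
}

# Constructed policies in the slides' [effect, principal, resource, action] shape.
POLICIES = [
    Policy("grant", "//role/Teller", "//resource/DD_CASH_WITHDRAWAL", "//perform"),
    Policy("grant", "//role/Customer", "//resource/DD_CASH_WITHDRAWAL", "//perform"),
    # Relationship role: may perform, but a rule keeps it off restricted accounts.
    Policy("grant", "//role/Accountant", "//resource/DD_CASH_WITHDRAWAL", "//perform",
           rule=lambda a: not a.get("DemandDepositAccount.isRestricted", False)),
    Policy("grant", "//role/User", "//resource/PI042", "//view"),
    Policy("grant", "//role/Teller", "//resource/CASA001", "//view"),
    Policy("grant", "//role/User", "//resource/PI042.pt1:btnUpdate", "//enable"),
    # Explicit deny on a UI control for the read-only role; it beats the grant via "User".
    Policy("deny", "//role/Tester", "//resource/PI042.pt1:btnUpdate", "//enable"),
]


def application_roles(user: str) -> set[str]:
    """Resolve the user's application roles through the enterprise-role mapping."""
    roles: set[str] = set()
    for enterprise_role in USER_ENTERPRISE_ROLES.get(user, ()):
        roles |= ENTERPRISE_TO_APP_ROLES.get(enterprise_role, set())
    return roles


def is_allowed(user: str, resource: str, action: str, attrs: Optional[Attrs] = None) -> bool:
    """True if some applicable grant exists and no applicable deny does.
    Nothing applicable at all (unknown user, unlisted resource) is a deny."""
    attrs = attrs or {}
    principals = {f"//role/{r}" for r in application_roles(user)}
    applicable = [
        p for p in POLICIES
        if p.principal in principals
        and p.resource == f"//resource/{resource}"
        and p.action == f"//{action}"
        and (p.rule is None or p.rule(attrs))
    ]
    if any(p.effect == "deny" for p in applicable):
        return False                      # explicit deny always wins
    return any(p.effect == "grant" for p in applicable)


def granted(user: str, resources: list[str], action: str) -> list[str]:
    """Filter candidates down to what the user may use: the "build menu on the
    basis of a list of granted pages" use case, applied to any resource type."""
    return [r for r in resources if is_allowed(user, r, action)]


if __name__ == "__main__":
    print(granted("alice", ["PI042", "CASA001", "LN811"], "view"))
    print(is_allowed("carol", "DD_CASH_WITHDRAWAL", "perform",
                     {"DemandDepositAccount.isRestricted": True}))
```

Two details matter in practice: the rule is evaluated before a deny is honoured, so a conditional deny can be written the same way as a conditional grant, and an unknown user or an unprovisioned resource falls through to a deny without any policy having to say so, which is what "secure by default" has to mean for a new page that ships without grants.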

Access Policies - pages / task-flows

[Screenshots: a non-admin role has a shorter menu; the admin role has the full menu; teller view.]

Access Policies - services

Common causes of the notorious Access denied error:
  An unauthenticated user accesses a protected service
  Certain roles are not allowed access on restricted accounts
  Rules configured, for example: self-service channels are not allowed to post certain transactions if the user is not SOW/JAO/JAF/JOF/TRA
  Fraud policies return action = Blocked
  Metadata/adapter problems: changed service signatures / DTO modifications, entity loading problems

Hiding UI components

Visibility of individual UI components on each ADF page is controlled via OPSS access policies (explicit deny). Visibility can be controlled using 3 actions:
  Hide a field
  Disable a field
  Hash a field

[Screenshots: deny policies that hide Branch-name and hash Loan-purpose; the resulting page with Branch-name hidden and Loan-purpose hashed.]

Hiding UI components Contd.

[Screenshots: the Tester role has read-only privileges; the Admin role has full maintenance privileges.]
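The same explicit-deny idea drives two of the resource types on the earlier slide: a ServiceResponseElement is replaced by a mask when the caller lacks access, and a UIControl is hidden, disabled or hashed. The block below is an added example for this page, not OBP code; the deny set, the response data and the mask text are constructed, and because the page does not describe what a "hashed" value looks like on screen, a fixed mask string is assumed in its place.

```python
"""Field-level protection: masking service response elements and hiding,
disabling or hashing UI controls (added example, not OBP code).

Both are modelled as explicit denies on (resource id, action).  Resource ids
follow the slides' patterns: <service>.<response>.<dto>.<field> for a
ServiceResponseElement and <page code>.<ADF client id> for a UIControl.
The deny set and data are constructed; the mask rendering is assumed.
"""
import copy
from typing import Any

MASK = "********"   # assumed rendering of a hashed field

# Constructed explicit denies in force for the current user's roles.
DENIES: set[tuple[str, str]] = {
    ("DemandDepositManager.inquireAccountBalance.SavingsBalanceInquiryResponse."
     "SavingsBalanceReportDTO.netBalance", "view"),
    ("PI042.pt1:branchName", "view"),     # hide the field
    ("PI042.pt1:loanPurpose", "hash"),    # show the field, but masked
    ("PI042.pt1:btnUpdate", "enable"),    # read-only role: visible, disabled
}

# Constructed response of DemandDepositManager.inquireAccountBalance.
SAMPLE_RESPONSE = {
    "SavingsBalanceReportDTO": {
        "accountId": "000123",
        "netBalance": 1250.75,
        "currency": "USD",
    }
}


def denied(resource_id: str, action: str) -> bool:
    return (resource_id, action) in DENIES


def protect_response(root: str, response: dict[str, Any]) -> dict[str, Any]:
    """Copy of a (possibly nested) response DTO with every leaf the caller may
    not view replaced by MASK.  `root` is the service method plus response
    type, e.g. "DemandDepositManager.inquireAccountBalance.SavingsBalanceInquiryResponse".
    The original is left untouched so the unmasked value never leaks by aliasing."""
    def walk(prefix: str, node: Any) -> Any:
        if isinstance(node, dict):
            return {k: walk(f"{prefix}.{k}", v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(prefix, item) for item in node]   # items share the element's id
        return MASK if denied(prefix, "view") else node
    return walk(root, copy.deepcopy(response))


def render_state(control_id: str) -> dict[str, bool]:
    """Rendering flags for one UI control.  Hidden wins over disabled and hashed:
    a component that is not rendered has nothing left to disable or mask."""
    rendered = not denied(control_id, "view")
    return {
        "rendered": rendered,
        "disabled": rendered and denied(control_id, "enable"),
        "hashed": rendered and denied(control_id, "hash"),
    }


def render_page(page_code: str, client_ids: list[str]) -> dict[str, dict[str, bool]]:
    """render_state for every control on a page, keyed by ADF client id."""
    return {cid: render_state(f"{page_code}.{cid}") for cid in client_ids}


if __name__ == "__main__":
    print(protect_response(
        "DemandDepositManager.inquireAccountBalance.SavingsBalanceInquiryResponse",
        SAMPLE_RESPONSE))
    print(render_page("PI042", ["pt1:branchName", "pt1:loanPurpose", "pt1:btnUpdate"]))
```

The masking is applied to a deep copy on the service side, before the DTO is serialised, which is the only placement that also protects the web-service channel ("hash certain fields in web service output" in the use-case list); a mask applied in the UI layer alone would leave the value in the SOAP/XML response for anyone who reads it directly.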

Access Policies for Reports

The use case of retrieving the list of allowed reports is similar to the menu-building use case (ResourceType=Report). A security policy evaluation sequence for protecting report fields is described below.

Use Case Description
A bank teller is able to view all details in the LN811 report. The CSR is able to view all details except the interest accrued figures.
  1. The bank teller logs in to OBP and accesses the Generate report menu link.
  2. The teller enters the report parameters and submits (for example: report name, bank code, branch code).
  3. The system generates the report.
  4. The teller views all data in the LN811 report.

[Screenshot: teller view of the report.]

Solving the resource discovery problem

[Diagram: build jobs and tools in the security lifecycle]
  JOB - Application service security check source weaver: weaves the security check into the services of the middleware workspace.
  JOB - Artifact Dependency Map (ADM) generator: generates the ADM (Page uses TaskFlow uses Service) from the UI and middleware workspaces; the developer adds dev artifacts to the workspaces.
  The ADM is used for Seed, Diagnosis, T2P and Upgrade.
  Policy Import Tool: imports factory-shipped policy files (OBP version x.y) into a policy store.
  Policy store Diagnosis Tool: uses the ADM and generates policy files from a policy store; capabilities include reporting missing and extra security artifacts vis-a-vis config.
  Policy store Upgrade Tool: uses the policy files generated by the diagnosis tool together with the ADM of version x.y+1.

Lifecycle steps
  1. Create a fresh policy store (test) from the factory-shipped policy files of OBP version x.y.
  2. The Security Configurator adds policies; T2P moves the policy store from test to production.
  3. Perform the upgrade:
     3.1 Uses the policy files created by the upgrade tool
     3.2 Uses ADM x.y+1
     3.3 Repeat steps 1 and 2 for the newer version

3. Policy store Upgrade Tool
  Uses the policy files generated by the diagnosis tool
  Runs upgrade rules and constructs the upgraded resource-ids
  Creates policy files with the new resource-ids
  Creates a report of resource-ids that could not be migrated (these will need manual handling using SM500)
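The diagnosis and upgrade steps above reduce to set arithmetic over three inputs: the ADM of the target version, the grants exported from the current store, and the upgrade rules. The block below is an added example written for this page, not the OBP tools; the ADM rows, the exported grants and the single rename rule are constructed, and the extra "unsatisfied linkage" check is this example's own use of the Page > TaskFlow > Service map, not a capability the slides claim.

```python
"""Policy-store diagnosis and upgrade, modelled on the tools in the slides
(added example; not the OBP tooling).

Inputs: an Artifact Dependency Map (ApplicationDataMap.csv, Page > TaskFlow
> Service) for the target version, the grants exported from the current
store, and upgrade rules that rewrite resource ids.  All data is constructed.
"""
import csv
import io
import re

# Constructed ADM for OBP version x.y+1, in the build job's three columns.
ADM_NEXT = """Page,TaskFlow,Service
PI042,/WEB-INF/LoanInquiryTaskflow.xml#LoanInquiryTaskflow,LoanAccountManager.inquireLoanAccount
CASA001,/WEB-INF/CasaDetailsTaskflow.xml#CasaDetailsTaskflow,DemandDepositManager.inquireAccountBalance
CASA001,/WEB-INF/CasaDetailsTaskflow.xml#CasaDetailsTaskflow,DemandDepositManager.creditCash
"""

# Constructed (role, resource id, action) grants exported from the x.y store.
GRANTS_CURRENT = [
    ("Teller", "PI042", "view"),
    ("Teller", "/WEB-INF/LoanInquiryTF.xml#LoanInquiryTF", "perform"),   # renamed in x.y+1
    ("Teller", "LoanAccountManager.inquireLoanAccount", "perform"),
    ("Teller", "CASA001", "view"),
    ("Teller", "DemandDepositManager.inquireAccountBalance", "perform"),
    ("Teller", "TermDepositManager.renew", "perform"),                    # not shipped in x.y+1
]

# Constructed upgrade rules: (pattern, replacement); the first match wins.
UPGRADE_RULES = [
    (re.compile(r"^/WEB-INF/LoanInquiryTF\.xml#LoanInquiryTF$"),
     "/WEB-INF/LoanInquiryTaskflow.xml#LoanInquiryTaskflow"),
]


def parse_adm(text: str) -> dict[str, set[str]]:
    """Resource ids by type from the ADM CSV; 'all' is the union of the three."""
    rows = list(csv.DictReader(io.StringIO(text)))
    by_type = {
        "Page": {r["Page"] for r in rows},
        "TaskFlow": {r["TaskFlow"] for r in rows},
        "Service": {r["Service"] for r in rows},
    }
    by_type["all"] = set().union(*by_type.values())
    return by_type


def diagnose(grants, adm):
    """missing = shipped artifacts no policy mentions (unreachable until granted);
    extra = policies naming artifacts the build no longer ships (stale)."""
    referenced = {res for _, res, _ in grants}
    return sorted(adm["all"] - referenced), sorted(referenced - adm["all"])


def upgrade(grants, rules, adm):
    """Rewrite each grant's resource id with the first matching rule and keep it
    only if the result exists in the new ADM; the rest go to the manual report."""
    migrated, unmigrated = [], []
    for role, res, action in grants:
        new_res = res
        for pattern, replacement in rules:
            if pattern.search(res):
                new_res = pattern.sub(replacement, res)
                break
        (migrated if new_res in adm["all"] else unmigrated).append(
            (role, new_res if new_res in adm["all"] else res, action))
    return migrated, unmigrated


def unsatisfied_linkages(grants, adm_text: str) -> list[tuple[str, str, str]]:
    """(role, page, service) where the role may view the page but lacks
    perform on a service the ADM links to it: the page renders and the
    first service call fails with Access denied."""
    rows = list(csv.DictReader(io.StringIO(adm_text)))
    performs = {(role, res) for role, res, action in grants if action == "perform"}
    views = {(role, res) for role, res, action in grants if action == "view"}
    return [(role, page, r["Service"])
            for role, page in sorted(views)
            for r in rows
            if r["Page"] == page and (role, r["Service"]) not in performs]


if __name__ == "__main__":
    adm = parse_adm(ADM_NEXT)
    migrated, unmigrated = upgrade(GRANTS_CURRENT, UPGRADE_RULES, adm)
    print("unmigrated:", unmigrated)
    print("missing/extra:", diagnose(migrated, adm))
    print("gaps:", unsatisfied_linkages(migrated, ADM_NEXT))
```

The order matters: run the upgrade first, then diagnose the migrated set against the new ADM, otherwise every renamed task flow shows up as both an "extra" and a "missing" artifact and the report is noise.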

Entitlements - Creation Of Policy Objects

Creation of resources
  The number of resources is constant for an implementation.
  Addition of resources involves re-deployment of the application.
  No management screen needs to be built in OBP for the maintenance of resources.
  APM is to be used for ad-hoc resource creation/maintenance in future OBP releases.
  First release: initial seed data preparation.
  Ongoing releases: as and when new resources are added.
  Ad-hoc resource creation: enhancement feature envisaged in future releases.

Creation Of Policy Objects Contd.

Creation of resource types/actions
  Resource types are non-dynamic in nature.
  Added in OPSS (OID) via a seed data script.
  Available in the OBP application as enumerations.
  The available actions are part of the resource type definition.
  Example 1: resource type = Service; action = perform
  Example 2: resource type = UIControl; actions = view, enable
  First release: initial seed data preparation.
  Ongoing releases: as and when new resource types and actions are added.

Security Lifecycle Internals Contd.

Generation of resources Contd. - Seed Data Module
  Iterates through a workspace / set of jars and extracts service names from public interfaces (Resource-type = Service).
  Iterates through a workspace / set of jars and extracts service response element names from public interfaces (Resource-type = ServiceResponseElement).
  Iterates through *.jspx and *.jsff in the workspace and loads the client-ids for all component-ids of all tags starting with:
    <af:*  - ADF Faces
    <fc:*  - OBP Declarative Components
    <dvt:* - ADF Data Visualization Graph
    <tr:*  - Trinidad Faces (used for Mobile)
  Iterates through the XDO template files for report element names.
  Creates resources and attributes in OID for their use in access policies.
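The jspx/jsff pass is the step most worth seeing in code, because the resource id it produces is not the component id but the ADF client id, which is the component id prefixed by the ids of the naming containers above it (hence PI042.pt1:btnUpdate on the earlier slide). The block below is an added example for this page, not the OBP seed data module; the page fragment is constructed, the fc: namespace URI is assumed, and the set of tags treated as naming containers is chosen for the example.

```python
"""Client-id extraction from a .jspx/.jsff page for UIControl resources
(added example; not the OBP seed data module).

A component's client id is its own id prefixed by the ids of the naming
containers above it, joined with ':'.  The fragment below is constructed;
the fc: namespace URI and the naming-container set are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Tag families the slide lists.  af:, dvt: and tr: URIs are the standard
# ones; the fc: URI (OBP's own components) is assumed for the example.
NS_TO_PREFIX = {
    "http://xmlns.oracle.com/adf/faces/rich": "af",
    "http://xmlns.oracle.com/dss/adf/faces": "dvt",
    "http://myfaces.apache.org/trinidad": "tr",
    "http://xmlns.oracle.com/fc/ui": "fc",            # assumed
}
SCANNED_PREFIXES = set(NS_TO_PREFIX.values())

# Components whose id becomes a prefix of every descendant's client id
# (assumed set for the example).
NAMING_CONTAINERS = {
    ("af", "form"), ("af", "subform"), ("af", "pageTemplate"),
    ("af", "region"), ("af", "table"), ("af", "iterator"),
}

# Constructed page fragment for page code PI042.
SAMPLE_JSFF = """<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
          xmlns:f="http://java.sun.com/jsf/core"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich"
          xmlns:dvt="http://xmlns.oracle.com/dss/adf/faces"
          xmlns:fc="http://xmlns.oracle.com/fc/ui">
  <af:pageTemplate id="pt1" viewId="/templates/txn.jspx">
    <f:facet name="body">
      <af:panelFormLayout id="pfl1">
        <af:inputText id="branchName" label="Branch"/>
        <fc:accountNumber id="acct"/>
        <af:commandButton id="btnUpdate" text="Update"/>
        <af:table id="t1" value="#{bindings.Installments.collectionModel}" var="row">
          <af:column id="c1"><af:outputText id="ot1" value="#{row.amount}"/></af:column>
        </af:table>
        <dvt:graph id="g1"/>
      </af:panelFormLayout>
    </f:facet>
  </af:pageTemplate>
</jsp:root>
"""


def split_tag(tag: str) -> tuple[Optional[str], str]:
    """ElementTree's '{uri}local' -> (prefix, local); unknown namespaces -> None."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return NS_TO_PREFIX.get(uri), local
    return None, tag


def extract_ui_controls(page_code: str, source: str) -> list[str]:
    """UIControl resource ids (<page code>.<client id>) in document order.
    Tags outside the scanned families (f:facet, jsp:root) contribute nothing
    but their children are still walked with the current container prefix."""
    found: list[str] = []

    def walk(el: ET.Element, containers: list[str]) -> None:
        prefix, local = split_tag(el.tag)
        comp_id = el.get("id")
        child_containers = containers
        if prefix in SCANNED_PREFIXES and comp_id:
            found.append(f"{page_code}.{':'.join(containers + [comp_id])}")
            if (prefix, local) in NAMING_CONTAINERS:
                child_containers = containers + [comp_id]
        for child in el:
            walk(child, child_containers)

    walk(ET.fromstring(source), [])
    return found


if __name__ == "__main__":
    for rid in extract_ui_controls("PI042", SAMPLE_JSFF):
        print(rid)
```

Because the ids are derived from the page source, a developer who renames a component or wraps it in a new table or region silently changes its resource id, and every deny policy written against the old id stops matching; that is the failure the diagnosis job's "extra artifacts" report is there to catch.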

Security Lifecycle - Build jobs

ADMGENERATION
  Generates the application data map: Page > TaskFlow > Service linkages (ApplicationDataMap.csv)
  IP: 10.180.22.96
  Location: /var/build/generic_scripts/ADMGeneration
  Dependency: SAILSBUILD_UI
  Output: /var/build/generic_scripts/ADMGeneration/output/; also checked in to svn at /trunk/core/config/security/opss

CREATE_RESOURCE
  Populates tables with the new resources and populates CSVs with the exports of those tables
  IP: 10.180.22.96
  Location: /var/build/SecurityServerScript
  Dependency: SAILSBUILD_UI
  Output: tables flx_sm_resources_defn, flx_md_menu_attrs_b, flx_sm_res_attrs_b, flx_sm_attrs_b, plus CSVs at /var/build/generic_scripts/ADMGeneration/output/, checked in to svn at /trunk/core/config/security/opss

Security Lifecycle - Build jobs Contd.

WORKLIST_REPORT
  Generates reports for jsff pages and services which do not adhere to the conventions to be followed by screens that are to be rendered as human-task forms in the BPM worklist application
  IP: 10.180.22.96
  Location: /var/build/generic_scripts/WorklistReports
  Dependency: SAILSBUILD_UI
  Output: WorklistIntegration_*.txt, VOBindingsExceptions_*.csv at
    1. /home/hudson/tomcat/webapps/WorklistReports/VOBindingIdentifierUtility/output
    2. /home/hudson/tomcat/webapps/WorklistReports/APPXCallReport/output/
  Reports are published at:
    http://10.180.22.96:7070/WorklistReports/VOBindingIdentifierUtility
    http://10.180.22.96:7070/WorklistReports/APPXCallReport

SAILS_BUILD_JUNIT_SMS
  Runs the entire JUnit lifecycle of the security module to make sure all the security use cases are working properly
  IP: 10.180.22.96
  Location: /u01/build/com.ofss.fc.junit.sms/junit
  Dependency: SAILSBUILD_UI
  Output: test result HTML files at /u01/build/com.ofss.fc.junit.sms/junit

Security Lifecycle - Build jobs Contd.

SECURITY_SEED
  Reads the CSVs populated during the CREATE_RESOURCE job and creates resources and policies in the specified OIDs
  IP: 10.180.22.96
  Location: /var/build/SecurityServerScript
  Dependency: None
  Run: during the night
  Output: resource addition and policy creation take place in the specified OID policy stores


Extensibility

Access policies achieve flexibility through the execution of attribute-based rules. A fixed set of OBP entities and attributes, on which policy rules can be based, is factory shipped and supported out of the box. Entities currently supported are:
  DemandDepositAccount
  TermDepositAccount
  Party
  User
  Branch
  LoanAccount

Allowed-policy-attributes define the attributes that can be used in a rule for a service.


Use Case Summary - list of use cases

1. Add users in OIM
2. Add users to groups in OIM
3. Login - declarative and programmatic
4. Single Sign On across Banker UI, IPM, Worklist, BIP
5. Build session context on the basis of user search
6. Build menu on the basis of a list of granted pages
7. View users granted access on a page
8. Ascertain user access to a service subject to constraints (rules)
9. Restrict access to screen fields - hide / disable / hash value
10. Restrict access to specific reports
11. Restrict access to certain report columns
12. Hash certain fields in web service output
13. Assert identities across servers (customer portal, banker UI, application server)
14. Add policies using APM
15. Protect web-services calls using OWSM
16. Enable third-party access
