Oracle Financial System
Mary Ann Carr
September 14, 2000
1
Financial Management Project
The Financial Management Project (FMP) is a university-wide initiative to improve Carnegie Mellon’s financial
systems and processes. FMP includes implementation of:
• Integrated financial system (Oracle)
• Redesigned work processes
• Financial policies and consistent, university-wide
procedures
• Comprehensive user education
9/14/00
2
Oracle Implementation Timeline
• May 1997 - Acquired Oracle Applications and
development tools
• August 1997 - Beta Test Grants Management
• 1998 - 1999 - Project Implementation
• November 1999 - “Big Bang” Go-Live
• Today - System Stabilization and Upgrade Preparation
- 300 Central and Campus Business Users
- 600 Casual Users
3
FMP Deployment Requirements
• Support all major campus desktop platforms
• Achieve excellent performance on all platforms
• Implement a ‘thin client’
• Minimize software installation, distribution and
maintenance
• Leverage existing infrastructure
• Mitigate any/all security risks
4
Oracle Applications Overview
• Core Financial Applications
• Self Service Web Applications
• Application Desktop Integrator Applications
• Budget Spreadsheet
• Feeder File Interface System
• CITRIX Application Server
5
Core Financial Applications - Overview
• Internet (Network) Computing Architecture
• Multi-Tier Architecture
- Database Tier - DB, stored procedures, executables
- Application - web server, forms server
- Client - Java-enabled web browser or applet viewer, forms client applet
• GUI Interface with ‘Thin’ Client Implementation
• Java Applet connects to Oracle’s forms server,
excepting initial signon HTML page
6
Multi-Tier Architecture
7
Self Service Web Applications
• Web-based Interface for Casual Users (travel expense
reporting, pcard distributions)
• HTML and JavaScript
• Direct connection to an HTTP listener running
Oracle Web Application Server
• Logic is executed through the Web Application
Server’s PL/SQL Cartridge, and Java servlets
• Database communication via JDBC
8
Application Desktop Integrator
• Excel-based interface and extension to Oracle
application database
• Supports budget entry, journal entry, reporting,
and analysis
• Communicates via SQL*Net to database
9
Budget Spreadsheet
• Custom Excel-based budgeting tool
• Template files stored on file server
• Working budget files updated and stored locally
• Two possible transport mechanisms
- Budget inload functionality of ADI
- Web-based upload to interface tables
10
Feeder File Interface System
• Mechanism for uploading feeder files for import into
Oracle GL and/or GM
• Validates and inloads feeder transactions
• Provides e-mail notification of process
success/failure
11
CITRIX Application Server
• NT terminal server implementation to support
UNIX, Macintosh and low-end PCs
• Access to Core Financials
• Access to ADI
• Possible file server for budget spreadsheet
12
System Configuration
[Diagram: system configuration. Recoverable labels:]
• PRODUCTION MACHINE: SUN 4500; OS: SOLARIS 2.6; 8 CPU; 8 GB RAM; 250 GB Disk
• DEVELOPMENT MACHINE: SUN450; OS: SOLARIS 2.6; 4 CPU; 2 GB RAM; 92 GB Disk
• DISASTER RECOVERY MACHINE: SUN 3500; OS: SOLARIS 2.6; 8 CPU; 8 GB RAM; 200 GB Disk
• Names shown: TCORA, YCORA, PCORA STANDBY
• Roles shown: Production, Standby, Disaster Recovery, Development, Quality Assurance, Training, Patch Testing, Backup Testing, User Support
• Software versions shown: Forms 4.5.10.13, Apps 11.0.2, Workflow 2.0.3, OSSWA, Grants 3.1B, LD 3.1A; Web Server 3.0.2
• Paths shown: /train/applmgr1, /train1/applmgr3, /oracle/product/8.0.4
13
Core Financial Applications Security
Features
• Signed Java Applet guarantees its authenticity to the forms client and ensures that the forms server only accepts connections from “certified” forms clients (open TAR)
• All communication between the Forms client applet and forms server is encrypted using the RSA RC4 40-bit standard form of encryption
• Application level security intact: login id/password challenge/response
Concerns
• Neither Web Browser (w/Java Plug-In, Jinitiator) nor Applet Viewer supports Secure Socket Layer transport (data encryption between the client and web server) at this time…desire for stronger encryption
• No certified Macintosh or Unix JVM as of 3/31/99
• Additional login/password…desire to move to Kerberos-based single sign-on
14
Self Service Web Applications Security
Features
• Supports Secure Socket Layer transport (data encryption between the client and web server)
• Application level security intact: login id/password challenge/response
Concerns
• Additional login/password…desire to move to Kerberos-based single sign-on
15
Application Desktop Integrator Security
Features
• Application level security intact: encrypted login id/password challenge/response
• Ability to implement Oracle’s advanced networking option for stronger encryption
Concerns
• Additional login/password…desire to move to Kerberos-based single sign-on
• Physical security of local files…training issue
• Excel is susceptible to viruses…train users to use anti-virus protection and to use caution when enabling embedded macros
16
Budget Spreadsheet Security
Features
• Supports Secure Socket Layer transport (data encryption between the client and web server) via HTTPS to upload site
• Kerberos authentication of Andrew ID
Concerns
• Physical security of local files…training issue
• Excel is susceptible to viruses…train users to use anti-virus protection and to use caution when enabling embedded macros
17
Feeder File Interface Process Security
Features
• Secure transfer options
- HTTPS - Andrew authenticated and SSL encrypted, web-based upload
- SCP - encrypted transfer via public key encryption for Unix to Unix transfers
• Secured directory structure based on authenticated user id and limited access (only upload or download)
Concerns
• Physical security of local files with hardcoded login/password…training issue
18
CITRIX Application Server Security
Features
• Standard NT account security (encrypted login)
• RSA RC5 add-on option
• Secured directory structure based on authenticated user id and limited access
• Supports all standard Oracle application security features
Concerns
• Virus susceptibility…use anti-virus protection
• Security holes in NT…apply service packs and all patches
19
FMP Application Security
• Application Username/Password
• Custom ‘responsibilities’ determine which forms,
reports, functions, and data users can access
• Employee level set-ups determine approval
relationships (workflow) and purchasing authority
• Secured ‘value sets’ limit the range of data users can
access by responsibility
• Customizations provide additional security to
implement business rules, e.g. GM Award Security
Extension
20
Additional Security Measures
• Firewall (TIS) prevents direct connection to any
administrative host
• Business Net isolates ‘trusted’ user community (caveat:
need to verify on an ongoing basis)
• SSH 1.2.26 for encrypted developer connections
• Reset Oracle’s default passwords for ‘root’ accounts
• Audit user sessions (performance considerations)
21