Oracle Financial System. Mary Ann Carr, September 14, 2000
9/14/00 2
Financial Management Project
The Financial Management Project (FMP) is a university-wide initiative to improve Carnegie Mellon’s financial systems and processes. FMP includes implementation of:
• Integrated financial system (Oracle)
• Redesigned work processes
• Financial policies and consistent, university-wide procedures
• Comprehensive user education
Oracle Implementation Timeline
• May 1997 - Acquired Oracle Applications and development tools
• August 1997 - Beta Test Grants Management
• 1998 - 1999 - Project Implementation
• November 1999 - “Big Bang” Go-Live
• Today - System Stabilization and Upgrade Preparation
- 300 Central and Campus Business Users
- 600 Casual Users
FMP Deployment Requirements
• Support all major campus desktop platforms
• Achieve excellent performance on all platforms
• Implement a ‘thin client’
• Minimize software installation, distribution and maintenance
• Leverage existing infrastructure
• Mitigate any/all security risks
Oracle Applications Overview
• Core Financial Applications
• Self Service Web Applications
• Application Desktop Integrator Applications
• Budget Spreadsheet
• Feeder File Interface System
• CITRIX Application Server
Core Financial Applications - Overview
• Internet (Network) Computing Architecture
• Multi-Tier Architecture
• Database Tier - DB, stored procedures, executables
• Application - web server, forms server
• Client - java-enabled web browser or applet viewer, forms client applet
• GUI Interface with ‘Thin’ Client Implementation
• Java Applet connects to Oracle’s forms server, excepting initial signon HTML page
Self Service Web Applications
• Web-based Interface for Casual Users (travel expense reporting, pcard distributions)
• HTML and JavaScript
• Direct connection to an HTTP listener running Oracle Web Application Server
• Logic is executed through the Web Application Server’s PL/SQL Cartridge, and Java servlets
• Database communication via JDBC
9/14/00 9
Application Desktop Integrator
• Excel-based interface and extension to Oracle application database
• Supports budget entry, journal entry, reporting, and analysis
• Communicates via SQL*Net to database
Budget Spreadsheet
• Custom Excel-based budgeting tool
• Template files stored on file server
• Working budget files updated and stored locally
• Two possible transport mechanisms
• Budget inload functionality of ADI
• Web-based upload to interface tables
Feeder File Interface System
• Mechanism for uploading feeder files for import into Oracle GL and/or GM
• Validates and inloads feeder transactions
• Provides e-mail notification of process success/failure
CITRIX Application Server
• NT terminal server implementation to support UNIX, Macintosh and low-end PCs
• Access to Core Financials
• Access to ADI
• Possible file server for budget spreadsheet
System Configuration
[Diagram: system configuration. Text recoverable from the diagram is listed below.]
• Machine labels: PRODUCTION MACHINE, DISASTER RECOVERY MACHINE, DEVELOPMENT MACHINE
• SUN 4500 - OS: SOLARIS 2.6, 8 CPU, 8 GB RAM, 250 GB Disk
• SUN450 - OS: SOLARIS 2.6, 4 CPU, 2 GB RAM, 92 GB Disk
• SUN 3500 - OS: SOLARIS 2.6, 8 CPU, 8 GB RAM, 200 GB Disk
• Web Server 3.0.2
• YCORA - Backup Testing - Forms 4.5.10.13, Apps 11.0.2, Workflow 2.0.3, OSSWA, Grants 3.1B, LD 3.1A (/train1/applmgr3)
• TCORA - Training - Forms 4.5.10.13, Apps 11.0.2, Workflow 2.0.3, OSSWA, Grants 3.1B, LD 3.1A (/train/applmgr1)
• PCORA STANDBY - Disaster Recovery - Forms 4.5.10.13, Apps 11.0.2, Workflow 2.0.3, OSSWA, Grants 3.1B, LD 3.1A (/train/applmgr1)
• Environment labels: Production, Training User Support, Production Standby, Patch Testing, Quality Assurance, Development
Core Financial Applications Security
Features
• Signed Java Applet guarantees its authenticity to the forms client and ensures that the forms server only accepts connections from “certified” forms clients (open TAR)
• All communication between the Forms client applet and forms server is encrypted using the RSA RC4 40-bit standard form of encryption
• Application level security intact: login id/password challenge/response
Concerns
• Neither Web Browser (w/Java Plug-In, Jinitiator) nor Applet Viewer supports Secure Socket Layer transport (data encryption between the client and web server) at this time…desire for stronger encryption
• No certified Macintosh or Unix JVM as of 3/31/99
• Additional login/password…desire to move to Kerberos-based single sign-on
Self Service Web Applications Security
Features
• Supports Secure Socket Layer transport (data encryption between the client and web server)
• Application level security intact: login id/password challenge/response
Concerns
• Additional login/password…desire to move to Kerberos-based single sign-on
Application Desktop Integrator Security
Features
• Application level security intact: encrypted login id/password challenge/response
• Ability to implement Oracle’s advanced networking option for stronger encryption
Concerns
• Additional login/password…desire to move to Kerberos-based single sign-on
• Physical security of local files…training issue
• Excel is susceptible to viruses... train users to use anti-virus protection and to use caution when enabling embedded macros
Budget Spreadsheet Security
Features
• Supports Secure Socket Layer transport (data encryption between the client and web server) via HTTPS to upload site
• Kerberos authentication of Andrew ID
Concerns
• Physical security of local files…training issue
• Excel is susceptible to viruses... train users to use anti-virus protection and to use caution when enabling embedded macros
Feeder File Interface Process Security
Features
• Secure transfer options
• HTTPS - Andrew authenticated and SSL encrypted, web-based upload
• SCP - encrypted transfer via public key encryption for Unix to Unix transfers
• Secured directory structure based on authenticated user id and limited access (only upload or download)
Concerns
• Physical security of local files with hardcoded login/password…training issue
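Added example, not part of the original slides: one way to audit the concern above, by flagging local feeder upload files that embed a literal login/password or are accessible to group/other. The credential pattern and the sample file names and values are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Assumed pattern: key=value or key: value where the key looks like a credential.
CRED_RE = re.compile(
    r"""(?ix)\b(password|passwd|pwd|login|userid)\s*[=:]\s*["']?([^\s"']+)""")

def audit_file(path):
    """Return findings for one local feeder script or config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o}: accessible to group/other")
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = CRED_RE.search(line)
            # Values that are references (env var, placeholder) are not literals.
            if m and not m.group(2).startswith(("$", "%", "<")):
                findings.append(f"line {lineno}: literal value for '{m.group(1)}'")
    return findings

def audit_tree(root):
    """Walk root and map each file that has findings to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            found = audit_file(path)
            if found:
                report[path] = found
    return report

def demo():
    """Build a constructed sample directory (hypothetical names) and audit it."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "upload_feeder.sh")
    good = os.path.join(root, "upload_feeder_env.sh")
    with open(bad, "w") as fh:
        fh.write("#!/bin/sh\nLOGIN=feeduser\nPASSWORD=Example123\n")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\nPASSWORD=$FEEDER_PASSWORD\n")
    os.chmod(bad, 0o644)   # world-readable file with literal credentials
    os.chmod(good, 0o600)  # owner-only file that reads the secret from the environment
    return bad, good, audit_tree(root)

if __name__ == "__main__":
    for path, items in demo()[2].items():
        print(path, items)
```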
CITRIX Application Server Security
Features
• Standard NT account security (encrypted login)
• RSA RC5 add-on option
• Secured directory structure based on authenticated user id and limited access
• Supports all standard Oracle application security features
Concerns
• Virus susceptibility…use anti-virus protection
• Security holes in NT…apply service packs and all patches
FMP Application Security
• Application Username/Password
• Custom ‘responsibilities’ determine which forms, reports, functions, and data users can access
• Employee level set-ups determine approval relationships (workflow) and purchasing authority
• Secured ‘value sets’ limit the range of data users can access by responsibility
• Customizations provide additional security to implement business rules, e.g. GM Award Security Extension
Additional Security Measures
• Firewall (TIS) prevents direct connection to any administrative host
• Business Net isolates ‘trusted’ user community (caveat: need to verify on an on-going basis)
• SSH 1.2.26 for encrypted developer connections
• Reset Oracle’s default passwords for ‘root’ accounts
• Audit user sessions (performance considerations)