
1 Oracle Financial System Mary Ann Carr September 14, 2000.

Date post: 17-Dec-2015
Transcript

1

Oracle Financial System

Mary Ann Carr

September 14, 2000

9/14/00 2

Financial Management Project

The Financial Management Project (FMP) is a university-wide initiative to improve Carnegie Mellon’s financial systems and processes. FMP includes implementation of:

• Integrated financial system (Oracle)

• Redesigned work processes

• Financial policies and consistent, university-wide procedures

• Comprehensive user education

9/14/00 3

Oracle Implementation Timeline

• May 1997 - Acquired Oracle Applications and development tools

• August 1997 - Beta Test Grants Management

• 1998 - 1999 - Project Implementation

• November 1999 - “Big Bang” Go-Live

• Today - System Stabilization and Upgrade Preparation

- 300 Central and Campus Business Users

- 600 Casual Users

9/14/00 4

FMP Deployment Requirements

• Support all major campus desktop platforms

• Achieve excellent performance on all platforms

• Implement a ‘thin client’

• Minimize software installation, distribution and maintenance

• Leverage existing infrastructure

• Mitigate any/all security risks

9/14/00 5

Oracle Applications Overview

• Core Financial Applications

• Self Service Web Applications

• Application Desktop Integrator Applications

• Budget Spreadsheet

• Feeder File Interface System

• CITRIX Application Server

9/14/00 6

Core Financial Applications - Overview

• Internet (Network) Computing Architecture

• Multi-Tier Architecture

- Database Tier - DB, stored procedures, executables

- Application - web server, forms server

- Client - Java-enabled web browser or applet viewer, forms client applet

• GUI Interface with ‘Thin’ Client Implementation

- Java Applet connects to Oracle’s forms server, excepting initial signon HTML page

9/14/00 7

Multi-Tier Architecture

9/14/00 8

Self Service Web Applications

• Web-based Interface for Casual Users (travel expense reporting, pcard distributions)

• HTML and JavaScript

• Direct connection to an HTTP listener running Oracle Web Application Server

• Logic is executed through the Web Application Server’s PL/SQL Cartridge, and Java servlets

• Database communication via JDBC

9/14/00 9

Application Desktop Integrator

• Excel-based interface and extension to Oracle application database

• Supports budget entry, journal entry, reporting, and analysis

• Communicates via SQL*Net to database

9/14/00 10

Budget Spreadsheet

• Custom Excel-based budgeting tool

• Template files stored on file server

• Working budget files updated and stored locally

• Two possible transport mechanisms

- Budget inload functionality of ADI

- Web-based upload to interface tables

9/14/00 11

Feeder File Interface System

• Mechanism for uploading feeder files for import into Oracle GL and/or GM

• Validates and inloads feeder transactions

• Provides e-mail notification of process success/failure

9/14/00 12

CITRIX Application Server

• NT terminal server implementation to support UNIX, Macintosh and low-end PCs

• Access to Core Financials

• Access to ADI

• Possible file server for budget spreadsheet

9/14/00 13

System Configuration

[Diagram: three Sun servers running Solaris 2.6, with boxes labelled Production Machine, Disaster Recovery Machine and Development Machine]

• Hardware shown: SUN 4500 (8 CPU, 8 GB RAM, 250 GB disk); SUN 450 (4 CPU, 2 GB RAM, 92 GB disk); SUN 3500 (8 CPU, 8 GB RAM, 200 GB disk)

• Instances shown: YCORA (Backup Testing), TCORA (Training), PCORA STANDBY (Disaster Recovery), each with Forms 4.5.10.13, Apps 11.0.2, Workflow 2.0.3, OSSWA, Grants 3.1B, LD 3.1A

• Other labels: Web Server 3.0.2; directories /train1/applmgr3 and /train/applmgr1

• Environment labels: Production, Training User Support, Production Standby, Patch Testing, Quality Assurance, Development

9/14/00 14

Core Financial Applications Security

Features

• Signed Java Applet guarantees its authenticity to the forms client and ensures that the forms server only accepts connections from “certified” forms clients (open TAR)

• All communication between the Forms client applet and forms server is encrypted using the RSA RC4 40-bit standard form of encryption

• Application level security intact: login id/password challenge/response

Concerns

• Neither Web Browser (w/Java Plug-In, Jinitiator) nor Applet Viewer supports Secure Socket Layer transport (data encryption between the client and web server) at this time…desire for stronger encryption

• No certified Macintosh or Unix JVM as of 3/31/99

• Additional login/password…desire to move to Kerberos-based single sign-on

9/14/00 15

Self Service Web Applications Security

Features

• Supports Secure Socket Layer transport (data encryption between the client and web server)

• Application level security intact: login id/password challenge/response

Concerns

• Additional login/password…desire to move to Kerberos-based single sign-on

9/14/00 16

Application Desktop Integrator Security

Features

• Application level security intact: encrypted login id/password challenge/response

• Ability to implement Oracle’s advanced networking option for stronger encryption

Concerns

• Additional login/password…desire to move to Kerberos-based single sign-on

• Physical security of local files…training issue

• Excel is susceptible to viruses... train users to use anti-virus protection and to use caution when enabling embedded macros

9/14/00 17

Budget Spreadsheet Security

Features

• Supports Secure Socket Layer transport (data encryption between the client and web server) via HTTPS to upload site

• Kerberos authentication of Andrew ID

Concerns

• Physical security of local files…training issue

• Excel is susceptible to viruses... train users to use anti-virus protection and to use caution when enabling embedded macros

9/14/00 18

Feeder File Interface Process Security

Features

• Secure transfer options

- HTTPS - Andrew-authenticated and SSL-encrypted, web-based upload

- SCP - encrypted transfer via public key encryption for Unix-to-Unix transfers

• Secured directory structure based on authenticated user id and limited access (only upload or download)

Concerns

• Physical security of local files with hardcoded login/password…training issue

9/14/00 19

CITRIX Application Server Security

Features

• Standard NT account security (encrypted login)

• RSA RC5 add-on option

• Secured directory structure based on authenticated user id and limited access

• Supports all standard Oracle application security features

Concerns

• Virus susceptibility…use anti-virus protection

• Security holes in NT…apply service packs and all patches

9/14/00 20

FMP Application Security

• Application Username/Password

• Custom ‘responsibilities’ determine which forms, reports, functions, and data users can access

• Employee level set-ups determine approval relationships (workflow) and purchasing authority

• Secured ‘value sets’ limit the range of data users can access by responsibility

• Customizations provide additional security to implement business rules, e.g. GM Award Security Extension
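
A simplified model of the layered checks on this slide, added here as an illustration (it is not Oracle's or the FMP project's code): a responsibility gates functions, and a secured value set attached to it gates account values. All user, responsibility and function names and account ranges are hypothetical, and failing closed when no rule is attached is a choice of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One secured value-set rule: inclusive ranges of 5-digit account codes."""
    include: tuple            # ((low, high), ...)
    exclude: tuple = ()       # exclude ranges override include ranges

    def allows(self, value):
        hit = lambda ranges: any(lo <= value <= hi for lo, hi in ranges)
        return hit(self.include) and not hit(self.exclude)

@dataclass(frozen=True)
class Responsibility:
    functions: frozenset      # forms/reports/functions this responsibility exposes
    rules: tuple = ()         # value-set rules attached to this responsibility

# Constructed sample data: every name and range below is hypothetical.
RESPONSIBILITIES = {
    "DEPT_GL_INQUIRY": Responsibility(
        frozenset({"GL_ACCOUNT_INQUIRY"}),
        (Rule(include=(("40000", "49999"),), exclude=(("45000", "45999"),)),)),
    "CENTRAL_GL_ENTRY": Responsibility(
        frozenset({"GL_ACCOUNT_INQUIRY", "GL_JOURNAL_ENTRY"}),
        (Rule(include=(("00000", "99999"),)),)),
}
USER_GRANTS = {"jdoe": {"DEPT_GL_INQUIRY"}, "asmith": {"CENTRAL_GL_ENTRY"}}

def authorize(user, responsibility, function, account):
    """Deny by default; return (allowed, reason) so each decision can be audited."""
    resp = RESPONSIBILITIES.get(responsibility)
    if resp is None or responsibility not in USER_GRANTS.get(user, set()):
        return False, "responsibility not granted to user"
    if function not in resp.functions:
        return False, "function not in responsibility"
    # Range checks compare fixed-width strings, so reject anything else first;
    # otherwise a short value such as "45" would slip past the exclude range.
    if not (len(account) == 5 and account.isascii() and account.isdigit()):
        return False, "malformed account code"
    if not resp.rules:
        return False, "no value-set rule attached"   # fail closed (model choice)
    if not all(rule.allows(account) for rule in resp.rules):
        return False, "account outside secured value set"
    return True, "ok"

if __name__ == "__main__":
    for args in [("jdoe", "DEPT_GL_INQUIRY", "GL_ACCOUNT_INQUIRY", "41000"),
                 ("jdoe", "DEPT_GL_INQUIRY", "GL_ACCOUNT_INQUIRY", "45500"),
                 ("jdoe", "DEPT_GL_INQUIRY", "GL_JOURNAL_ENTRY", "41000")]:
        print(args, authorize(*args))
```
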

9/14/00 21

Additional Security Measures

• Firewall (TIS) prevents direct connection to any administrative host

• Business Net isolates ‘trusted’ user community (caveat: need to verify on an on-going basis)

• SSH 1.2.26 for encrypted developer connections

• Reset Oracle’s default passwords for ‘root’ accounts

• Audit user sessions (performance considerations)

