We need to ensure
1) Password complexity standards are adhered to, and
2) Idle Oracle database connections are terminated, which means that Harvest will need to detect that the connection has been terminated and re-establish it, and
3) All data in transit must be encrypted.
Release : 13.0.3, 14.x
Component : CA HARVEST SCM CORE FUNCTIONALITY/PROCESS AUTOMATION
Requirement #1 - Password complexity
LDAP controls password complexity for LDAP-authenticated users.
For internally authenticated users, the password complexity can be set from the command line utilities hppolget and hppolset. Hppolget gets the existing default password configuration file. Any complexity can be introduced into this policy, and then the policy can be set using hppolset command line formulation. For more details on how to run these utilities, please refer to the below command line utilities docops link.
hppolget Command-Get Password Policy
hppolset Command-Set Password Policy
Requirement # 2 - Idle database connections terminated:
There is no provision to determine the idle database connections on Oracle, but there is a provision to identify an idle HServer process from the Harvest side and kill it. Idle HServers can be detected and set to shutdown after a pre-determined timeline. You can use the -killperiod option to set the HServer idle time limit (the period of inactivity after which the broker shuts down “temporary” servers. For more details, please refer to the below link
Configure the Broker and Server Communication on Windows
Topic: How the Broker Manages Server Processes on Windows
Requirement #3 - all data in transit must be encrypted:
Existing Harvest Encryption enablement methods include:
Oracle database encryption on Windows:
If the server is on the Windows platform, you may refer to the article below.
How to enable encryption for ODBC connections to Oracle databases?
Oracle database encryption on Non-windows:
This is possible on Non-Windows using the below-specified methods
[c]The encryption methods available in DataDirect ODBC drivers are applicable here
We can add EncryptionMethod=X in the odbc.ini file
X can be of levels 1,2,3,4 and 5
Valid Values 0 | 1 | 3 | 4 | 5
If set to 0 (No Encryption), data is not encrypted.
If set to 1 (SSL), data is encrypted using SSL. If the server supports protocol negotiation, the driver and server negotiate the use of TLS v1, SSL v3, or SSL v2 in that order.
If set to 3 (SSL3), the driver uses SSL3 data encryption.
If set to 4 (SSL2), the driver uses SSL2 data encryption.
If set to 5 (TLS1), the driver uses TLS1 data encryption.
Default 0 (No Encryption)
The CAPKI option is automatic, and the rest must be enabled and configured according to your needs.
Further details on the TLS versions supported by the DataDirect for ODBC driver:
TLS versions supported for encryption between Harvest and Oracle