As with any software product, be aware that security changes made for third-party applications might affect P6 EPPM applications. For example, if you configure WebLogic to use only SSL v3.0, you must disable TLS v1.0 for the client JRE for P6 to launch properly. If you use Internet Explorer, you must also disable TLS v1.0 in Internet Options.
Safe Deployment of P6 EPPM
To ensure overall safe deployment of P6 EPPM, you should carefully plan security for all components, such as database servers and client computers that are required for and interact with P6 EPPM. In addition to the documentation included with other applications and hardware components, follow the P6 EPPM-specific guidance below.
Administrative Privileges Needed for Installation and Operation
As the P6 EPPM Administrator, you should determine the minimum administrative privileges or permissions needed to install, configure, and operate P6 EPPM. For example, to successfully install the required JRE for P6 EPPM Web applications (for example, P6 and P6 Progress Reporter), you must be an administrator on the client machine during this installation or update.
Minimum Client Permissions Needed for P6 and P6 Progress Reporter
Because P6 and P6 Progress Reporter are Web applications, users do not have to be administrators on their machines to run them. Instead, you can successfully run these applications with security at the highest level to create a more secure environment.
Minimum Client Permissions Needed for P6 Professional
Users do not have to be administrators on their machines to run P6 Professional. Instead, you can grant minimum permissions to create a more secure environment.
The following is a summary of the minimum system requirements needed to access and run components of P6 Professional R8.3:
Files within Folders:
- local drive\Program Files\Oracle\Primavera P6\P6 Professional
  dbexpsda40.dll
  dbexpsda30.dll
  dbexpint.dll
  dbexpoda40.dll
  dbexpoda30.dll
  DbExpPrC.dll (only needed when using Compression Server)
  dbexpsda.dll
  dbxadapter30.dll (only needed when using Compression Server)
  Read&Execute/Read permission to access files needed to run P6 Professional applications and to create and modify database alias connections.
- local drive\Program Files\Oracle\Primavera P6\P6 Professional\pm.ini
  Read&Execute/Read/Write permission to access the ini file, which is required to log into P6 Professional applications.
- local drive\Program Files\Oracle\Primavera P6\P6 Professional\Java\dbconfig.cmd
  admin.cmd
  Read&Execute/Read permissions to run the Database Configuration setup, the P6 Administrator application, and API tools (Update Baseline and Schedule Comparison/Claim Digger).
  Write permission may be required for the Database Configuration Setup utility (dbconfig.cmd) for the API tools if you need to create a new configuration and update the BREBootStrap.xml file with the new database configuration information.
For your reference, the following are the default installation locations for the PrmBootStrap.xml and BREbootstrap.xml files:
Windows XP:
\%USERPROFILE%\Local Settings\Application Data\Oracle\Primavera P6\P6 Optional Client
Windows Vista and 7:
\%LOCALAPPDATA%\Oracle\Primavera P6\P6 Optional Client
During installation, the PrmBootStrap.xml and BREbootstrap.xml files are also copied to one of the locations below, depending on your operating system. The files will never be modified while using P6 Professional, so they can be copied to the current user location (USERPROFILE or LOCALAPPDATA) if you need to revert P6 Professional back to its original state (for example, if files become corrupted).
Windows XP:
\%ALLUSERSPROFILE%\Application Data\Oracle\Primavera P6\P6 Professional
Windows Vista and 7:
\%PROGRAMDATA%\Oracle\Primavera P6\P6 Professional
- Output directory for File > Export, Log output files
  Read&Execute/Read/Write to create and write output files.
Registry Keys:
- HKEY_LOCAL_MACHINE\Software\Primavera
READ
Note: For the Update Baseline and Schedule Comparison/Claim Digger tools, the key opens in Read/Write/Delete mode.
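The file and registry permissions listed above can be checked on a client with a short PowerShell audit. This is an added example, not Oracle code: it assumes the default installation directory under %ProgramFiles%, that admin.cmd sits in the same Java folder as dbconfig.cmd, and that the standard-user principal to audit is BUILTIN\Users (both parameters can be overridden).

```powershell
# Added example (not Oracle code). Assumptions: default install directory under
# %ProgramFiles%; the standard-user principal being audited is BUILTIN\Users.
param(
    [string]$InstallDir = (Join-Path $env:ProgramFiles 'Oracle\Primavera P6\P6 Professional'),
    [string]$Principal  = 'BUILTIN\Users'
)
$fs  = [System.Security.AccessControl.FileSystemRights]
$reg = [System.Security.AccessControl.RegistryRights]

# OR together the rights of every Allow ACE that names $Principal directly.
# Deny ACEs, nested group membership and generic-rights ACEs are not resolved.
function Get-AllowMask {
    param([string]$Path)
    $mask = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $Principal) {
            $rights = if ($ace -is [System.Security.AccessControl.RegistryAccessRule]) { $ace.RegistryRights } else { $ace.FileSystemRights }
            $mask = $mask -bor [int]$rights
        }
    }
    $mask
}

# Files the page lists as Read&Execute/Read only; any write bit is excess.
$readOnly = 'dbexpsda40.dll','dbexpsda30.dll','dbexpint.dll','dbexpoda40.dll','dbexpoda30.dll',
            'DbExpPrC.dll','dbexpsda.dll','dbxadapter30.dll','Java\dbconfig.cmd','Java\admin.cmd'
$checks = @(foreach ($f in $readOnly) {
    @{ Path = (Join-Path $InstallDir $f); Need = [int]($fs::ReadAndExecute); Excess = [int]($fs::Write) }
})
# pm.ini is the one file that needs Read&Execute/Read/Write.
$checks += @{ Path = (Join-Path $InstallDir 'pm.ini'); Need = [int]($fs::ReadAndExecute -bor $fs::Write); Excess = 0 }
# Registry key is READ; write/delete is expected only where the API tools are used.
$checks += @{ Path = 'HKLM:\Software\Primavera'; Need = [int]($reg::ReadKey)
              Excess = [int]($reg::SetValue -bor $reg::CreateSubKey -bor $reg::Delete) }

$results = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) { $status = 'NOT FOUND' } else {
        $mask = Get-AllowMask -Path $c.Path
        if     (($mask -band $c.Need) -ne $c.Need) { $status = 'REQUIRED ACCESS NOT GRANTED TO PRINCIPAL' }
        elseif (($mask -band $c.Excess) -ne 0)     { $status = 'MORE THAN MINIMUM' }
        else                                       { $status = 'OK' }
    }
    [pscustomobject]@{ Path = $c.Path; Status = $status }
}
$results | Format-Table -AutoSize
```

A NOT FOUND result for DbExpPrC.dll or dbxadapter30.dll is expected when Compression Server is not in use.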
Physical Security Requirements for P6 EPPM
You should physically secure all hardware hosting P6 EPPM to maintain a safe implementation environment. Consider the following when planning your physical security strategy:
- You should install, configure, manage, and maintain your environment according to guidance in all applicable installation and configuration documentation for P6 EPPM.
- You should install P6 EPPM components in controlled access facilities to prevent unauthorized access. Only authorized administrators for the systems hosting P6 EPPM should have physical access to those systems. Such administrators include the Operating System Administrators, Application Server Administrators, and Database Administrators.
- You should use Administrator access to client machines only when you install and configure P6 EPPM modules.
Application Security Settings in P6 EPPM
P6 EPPM contains a number of security settings at the application level. The P6 EPPM Post Installation Administrator's Guide details these settings. Use the Security Guidance icon to quickly identify them.
To help you organize your planning, the following are options Oracle recommends:
- In your production environment, opt for empty data instead of sample data during the P6 EPPM database setup.
- Turn on Password Policy in Application Settings. An enabled Password Policy will increase the required length and quality of the password.
- Enable the firewall on the application server and database server. Based on your installation, add exceptions for the appropriate ports. For instance, the P6 EPPM SQL Server database runs on port 1433 and Oracle Database runs on port 1521 by default. P6 EPPM, P6 Progress Reporter, and P6 Team Member Web run on ports 8203, 8204, and 8207 respectively in the default installation.
- In the P6 Administrator application:
  - evaluate the Login Lockout Count; the default is 5.
  - keep Multiple User for the Content Repository authentication mode.
  - use Security Accounts if using Oracle Universal Content Management for the Content Repository.
  - use STRONG for the Directory Services security level.
  - keep the Enable Cross Site Scripting Filter setting set to true.
  - enable LDAP or WebSSO for authentication.