
Oracle E-Business Suite 12.2 Security Enhancements
Prepared by: Stephen Kost, Integrigy
@integrigy

Session ID: 10235


Agenda

1. Oracle EBS 12.2 Overview
2. Application Security
3. WebLogic
4. Web Security
5. Q&A

April 2-6, 2017 in Las Vegas, NV USA #C17LV




Oracle 12.2 Architecture – Simplified

[Diagram: Client Browser → https → Oracle HTTP Server (Apache) → WebLogic Server (JSP, UIX, BC4J) on Oracle Fusion Middleware 11g → Oracle 11gR2 Database (APPS); also on the application tier: BI Publisher 10.1.2, Forms 10.1.2]

In 12.2, Oracle Application Server 10g is replaced with Oracle Fusion Middleware 11g, which includes WebLogic Server. All control and management is done using Oracle Fusion Middleware Control.
12.2 Online Patching

The Oracle E-Business Suite 12.2 environment has become much more complex with online patching. The database uses Edition-Based Redefinition, and there are two full installs of the application server stack.

[Diagram: Run Install and Patch Install, each with EBSapps -> 10.1.2, EBSapps -> APPL_TOP, EBSapps -> COMMON_TOP, FMW_Home and INST_TOP; Oracle 11gR2 Database with Edition-Based Redefinition. Patching cycle: (1) patches applied to the Patch Install; (2) Oracle 11gR2 Database, Edition-Based Redefinition; (3) stop Run and make the Patch the new Run; (4) synchronize Run and Patch for next time]
12.2 AutoConfig Impact

Configuration changes are now spread across Oracle Application Manager & AutoConfig, Fusion Middleware Control, and the WLS Administration Console:

• Database Home: SID name, Listener, dbPorts, etc.
• Oracle HTTP Server: performance directives, log configuration, ports, mod_perl, mod_wl_ohs, etc.
• WebLogic Server: oacore, oafm, forms and forms-c4ws services; classpath and JVM arguments for oacore
• E-Business Suite: Concurrent Processing, Profile Options, Developer 10g, product specific settings


Flexfield Value Set Security
• Who can view, insert, or update values for a
particular value set in the Segment Values form
• Adds segregation of duties to maintenance of flexfield
value sets
• Enabled by default
• Access must be explicitly granted
• Access can be based on user, responsibility, role,
application, or operating unit



Flexfield Value Set Security Example
Improve segregation of duties by allowing (1) certain users to only view or insert values for Account Flexfields and no other value sets, (2) certain users to only view or insert values for any HR application, and (3) certain users to only view or insert values for a specific operating unit. Roles and responsibilities are also supported.

[Diagram: GL Super Users responsibility → Accounting Flexfield Value Sets; System Administrator responsibility → FND Value Sets; HR Super Users responsibility → HR Flexfield Value Sets]
Flexfield Value Set Security
• Additional Patches Required
  • Requires the mandatory Patch 17305947:R12.FND.C
• Additional Setup Required
  • All value sets are locked upon install or upgrade until setup is completed
• Release 12.2 Flexfield Value Set Security Documentation Update for Patch 17305947:R12.FND.C (MOS Note ID 1589204.1)
  • The MOS Note supersedes the 12.2 Flexfields Guide


Allowed JSP Lists

A whitelist of allowed JSP pages. Basically it is the DMZ URL Firewall for internal access.

[Diagram: Client Browser → https → Apache / WebLogic → Database (APPS). Oracle 12.2 application server content: Java Server Pages (JSP), 7,800 JSP pages; OA Framework (OA.jsp), 11,600 pages; Core Servlets, 84 servlet classes; Web Services Servlets, 8 servlet classes; Oracle Forms, 3,300 forms]
Allowed JSP Lists
• Explicit list of allowed JSP pages
• Limits access to unused JSP pages for modules not
configured or licensed
• Must be manually enabled
• Enabled by default in 12.2.6
• See the Oracle EBS Security Guide manual for
instructions on usage



Allowed JSP Lists
• Allowed JSP Lists disabled by default
• New profile option to allow for disabling of Allowed JSP Lists

Profile Option Name: Allow Unrestricted JSP Access (FND_SEC_ALLOW_JSP_UNRESTRICTED_ACCESS)
Description: Yes – Allow all JSPs (default); No – Use Allowed JSP Lists
Set at Site or Server Level


# $Header: allowed_jsps.conf 120.0.12020000.3 2013/06/11 21:37:29 srveerar noship $
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/cabo/jsps/a.jsp
/OA_HTML/cabo/jsps/frameRedirect.jsp
/OA_HTML/fndgfm.jsp
/OA_HTML/jsp/fnd/close.jsp
/OA_HTML/jsp/fnd/fnderror.jsp
/OA_HTML/OADownload.jsp
/OA_HTML/OAErrorDetailPage.jsp
/OA_HTML/OAErrorPage.jsp
/OA_HTML/OAExport.jsp
/OA_HTML/OA.jsp
/OA_HTML/OALogout.jsp
/OA_HTML/OARegion.jsp
/OA_HTML/RF.jsp
/OA_HTML/GWY.jsp
/OA_HTML/runforms.jsp
/OA_HTML/xdo_doc_display.jsp
/OA_HTML/OAD.jsp
/OA_HTML/OAP.jsp

include allowed_jsps_FIN.conf
include allowed_jsps_HR.conf
include allowed_jsps_Leasing.conf
include allowed_jsps_Procurement.conf
include allowed_jsps_SCM.conf
include allowed_jsps_CRM.conf
include allowed_jsps_VCP.conf
include allowed_jsps_diag_tests.conf
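Before switching the profile option to No, it is worth replaying web-server access-log paths against the list to see which JSPs in daily use are not on it. The following Python script is an added example, not Oracle's code: it parses the allowed_jsps.conf format shown above (comments, one JSP path per line, include lines), and the file contents, log lines and the page name unlisted_example.jsp are constructed; an exact path match is assumed.

```python
# Added example (not Oracle's code): parse the allowed_jsps.conf format shown above
# ('#' comments, JSP paths, 'include <file>') and report what it would block. Data is constructed.
import re
CONF_FILES = {  # constructed stand-in for the files on disk: name -> contents
    "allowed_jsps.conf": """# $Header: allowed_jsps.conf (constructed sample)
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/OA.jsp
/OA_HTML/OALogout.jsp
/OA_HTML/RF.jsp
include allowed_jsps_HR.conf
""",
    "allowed_jsps_HR.conf": "/OA_HTML/jsp/fnd/close.jsp\n",
}
SAMPLE_LOG = [  # constructed access-log lines in common log format
    '10.0.0.5 - - [01/Apr/2017:10:00:01 -0700] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Apr/2017:10:00:02 -0700] "POST /OA_HTML/OA.jsp?page=/oracle/apps/fnd/framework/navigate/webui/HomePG HTTP/1.1" 200 9000',
    '10.0.0.9 - - [01/Apr/2017:10:00:03 -0700] "GET /OA_HTML/unlisted_example.jsp HTTP/1.1" 200 300',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def load_allowed(name, files, seen=None):
    """Set of allowed JSP paths, with 'include' lines resolved recursively."""
    seen = set() if seen is None else seen
    if name in seen:                 # guard: an include cycle would recurse forever
        return set()
    seen.add(name)
    allowed = set()
    for raw in files.get(name, "").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            allowed |= load_allowed(line.split(None, 1)[1].strip(), files, seen)
        else:
            allowed.add(line)        # exact path match assumed for this demo
    return allowed

def is_allowed(path, allowed, unrestricted=False):
    """unrestricted=True mirrors profile value Yes: every JSP is served."""
    jsp = path.split("?", 1)[0]      # compare the path only, not the query string
    return unrestricted or not jsp.endswith(".jsp") or jsp in allowed

def blocked_jsps(log_lines, allowed):
    blocked = set()                  # JSPs seen in the log that enforcement would refuse
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and not is_allowed(m.group(1), allowed):
            blocked.add(m.group(1).split("?", 1)[0])
    return sorted(blocked)
```

Running blocked_jsps over a real access log before enforcement gives the list of pages to add to a site-specific include file, or to confirm as unused, ahead of the change.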
Default Passwords – Fresh Install

Of 191 database accounts, the only default password is APPLSYSPUB/PUB.

• Sets WebLogic control password
• Sets APPS and APPLSYS passwords
• Sets SYS, SYSTEM, CTXSYS, OUTLN, and 9 other standard database account passwords
• Sets accounts for all EBS product schemas – 161 total accounts
Default Passwords – Upgrade

New database accounts will be added during the database upgrade for new application modules, depending on which version you are upgrading from. Be sure to check these accounts for default passwords.

New database accounts by upgrade source version:
• Upgrading from 11.5.10: XLE, ASN, FUN, FPA, ZX, LNS, IA, XDO
• Upgrading from 12.0.0: JMF, GMO, IBW, IPM, DNA
• Upgrading from 12.0.4: IZU
• Upgrading from 12.1.0: RRS, DPP, MTH, QPR, DDR, INL
• Upgrading from 12.2.2: GHG, APPS_NE

Secure Configuration Console
• 12.2.6 introduces the Secure Configuration Console
• Apply patch 24744399:R12.FND.C
• Locks down Oracle EBS; the application cannot be accessed until the system administrator fixes or acknowledges all recommended configurations
• Checks 16 high risk security settings from the Oracle EBS Secure Configuration Guide
• Can also be executed through the command line
• See the Oracle EBS Security Guide (12.2.6) manual for additional information
Proxy Users Limit Responsibilities
• 12.2.4 introduces new system administration controls for the Proxy User feature:
  1. Exclude responsibilities from being delegated to proxy users
  2. Set up policies controlling which users delegators can select as their proxy users
  3. Assign delegation privileges to all users or to users with a selected role or responsibility


Proxy Activity Reporting
• 12.2.6 introduces proxy activity reporting
• Able to track and view activity of users using the Proxy
User feature within EBS
• Access parameters and reports through the “Proxy Audit
Report” page



Forms in Read-Only Mode on the
Responsibility or User Level
• 12.2.6 introduces the ability to set Forms to read-only
mode at a responsibility, user, operating unit, or group of
users
• Set the “EBS Read Only” permission set in Role-Based
Access Control
• Only works for Forms





WebLogic/Fusion Middleware
Control Demonstration





Clickjacking Protection
• Frame Busting
  • Provides protection against clickjacking by disallowing OA Framework pages from being embedded into frames from third-party sites
  • Enabled by default

Profile Option Name: FND: Disable Frame Busting (FND_DISABLE_FRAME_BUSTING)
Description: True – Disable frame busting; False – Use frame busting (default)
Set at Site or Server Level

Clickjacking Protection
• X-Frame-Options HTTP response header
  • Now enabled for all Oracle EBS web pages and configured in the Apache httpd.conf
  • Enabled by default


Attachment Virus Scanning
• Enhanced virus scanning of all attachments and file uploads
  • Limited to Symantec server
  • Can be enabled or disabled at site, responsibility, application or user level with FND: Disable Virus Scan
  • OA Framework customizations can selectively enable or disable virus scanning
• Virus scanning should be utilized when implementing iRecruitment or iSupplier


Additional Web Application Security
• Cookie Domains
  • Protects the Oracle EBS session cookie from web-based attacks
  • Set to domain by default in profile option ICX_SESSION_COOKIE_DOMAIN
• Cross-site Scripting (XSS) Protections
  • Check file uploads and attachments for XSS
  • XSS checking in Messaging Rich Text Editor
  • Use AntiSamy library for XSS filtering

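Both the X-Frame-Options header from the clickjacking slides and the session cookie domain setting above can be verified from a captured response rather than from profile options alone. This Python audit is an added example, not Oracle's code: the response text is constructed and the cookie name EBS_SESSION_DEMO is a placeholder for whatever session cookie name the instance uses.

```python
# Added example (not Oracle's code): audit a captured HTTP response for the X-Frame-Options
# header and the session cookie's Domain/Secure/HttpOnly attributes. Response data is constructed.
RESPONSE = (  # constructed response capture, CRLF-delimited like a real one
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: EBS_SESSION_DEMO=abc123; Domain=.example.com; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: OTHER_DEMO=xyz; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw):
    """(status line, [(lowercased name, value), ...]); repeated headers are kept."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")     # split on the first colon only
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def parse_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.lower()] = val if has_value else True   # flags like Secure -> True
    return parts[0].split("=", 1)[0], attrs

def audit_response(raw, session_cookie):
    _, headers = parse_headers(raw)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    findings = {
        "x_frame_options": xfo[0] if xfo else None,
        # only DENY or SAMEORIGIN stop third-party framing
        "framing_restricted": bool(xfo) and xfo[0] in ("DENY", "SAMEORIGIN"),
        "session_cookie_found": False,
        "cookie_domain": None, "cookie_secure": False, "cookie_httponly": False,
    }
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = parse_cookie(value)
        if cookie == session_cookie:
            findings["session_cookie_found"] = True
            findings["cookie_domain"] = attrs.get("domain")     # None: host-only cookie
            findings["cookie_secure"] = attrs.get("secure") is True
            findings["cookie_httponly"] = attrs.get("httponly") is True
    return findings
```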

Security Concerns
• Delivery Manager report output
  • Send reports to EBS users through e-mail
  • Upload reports to an FTP server
  • Save reports to the local file system of the EBS application tier
• SOA and Web Services (REST)
  • Do your DBA and security teams understand web services and how to properly secure them?


Security Concerns
• Encrypted vs. Non-Reversible Hashed Application Passwords
  • Default for EBS application accounts is still encrypted passwords vs. non-reversible hashed passwords








Q&A
Contact Information

Stephen Kost
Chief Technology Officer
Integrigy Corporation

web: www.integrigy.com
e-mail: info@integrigy.com
blog: integrigy.com/oracle-security-blog
youtube: youtube.com/integrigy
