8/9/2019 Security considerations for ORACLE Applications 11i eBusiness Suite
Security Best Practice for eBS
A Practical Guide
Nikos Plevris, Principal Service Delivery Manager
Agenda
The Security balance & levels
Security considerations
Database level Authentication
eBS level Authentication
Auditing
Summary
Q & A
Security balance (diagram): the three forces to balance are
Risk of exposure
Cost of security
Value of information protected
The multi-tier environment (diagram):
Desktop tier: Web browser, JInitiator
Application tier: ORACLE_HOME (iAS: Apache, mod_plsql, JServ), ORACLE_HOME (Tools: Forms, Reports, Concurrent Managers, Designer), APPL_TOP, TNS Listener
Database tier: ORACLE_HOME (RDBMS, RAC)
Security levels
Across tiers: Client, Middle tier, Db tier
Across categories: Hardening, Network, Authentication, Authorization, Audit
Authentication covers account management, password management and other account related activities.
Security Considerations
The principle of least privilege
System monitoring by auditing & reviewing audit records
Database level Authentication (1)
Database tier init parameters: REMOTE_OS_AUTHENT=FALSE, REMOTE_OS_ROLES=FALSE
Db profiles for password management:
FAILED_LOGIN_ATTEMPTS UNLIMITED
PASSWORD_LIFE_TIME UNLIMITED
PASSWORD_REUSE_TIME 180
PASSWORD_REUSE_MAX UNLIMITED
PASSWORD_LOCK_TIME UNLIMITED
PASSWORD_GRACE_TIME UNLIMITED
PASSWORD_VERIFY_FUNCTION recommended
_TRACE_FILES_PUBLIC=FALSE
Limit file access from PL/SQL: avoid UTL_FILE_DIR = *
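The database-tier settings above, written out as the SQL a DBA would run on the eBS database. This is an added example, not from the original deck; the profile name ebs_schema_profile and the UTL_FILE_DIR path are assumptions, and verify_function is the sample function shipped in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.

```sql
-- Added example (not part of the original deck). Assumes an spfile-managed
-- Oracle 9i/10g database behind eBS 11i; names marked below are assumptions.

-- 1. Init parameters. These are static, so they go to the spfile and only
--    take effect after the database is bounced.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_roles   = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET "_trace_files_public" = FALSE SCOPE = SPFILE;
-- UTL_FILE_DIR = '*' lets any PL/SQL caller read or write every directory the
-- oracle OS account can reach; list only the directories eBS needs (assumed path).
ALTER SYSTEM SET utl_file_dir = '/u01/app/applmgr/common/temp' SCOPE = SPFILE;

-- 2. Password-management profile with the values recommended on the slide.
--    FAILED_LOGIN_ATTEMPTS stays UNLIMITED on purpose: a burst of bad logins
--    must not be able to lock APPS and take the whole application down.
--    Caveat: with PASSWORD_REUSE_MAX UNLIMITED and PASSWORD_REUSE_TIME 180,
--    Oracle treats the pair as "never reuse a password", which is stricter
--    than 180 days; set both to integers if you want the 180-day window.
CREATE PROFILE ebs_schema_profile LIMIT            -- profile name is assumed
  FAILED_LOGIN_ATTEMPTS    UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_REUSE_TIME      180
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_LOCK_TIME       UNLIMITED
  PASSWORD_GRACE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;        -- from utlpwdmg.sql

-- 3. Attach it to the shared eBS schemas (the Type I and Type II schemas).
ALTER USER applsyspub PROFILE ebs_schema_profile;
ALTER USER applsys    PROFILE ebs_schema_profile;
ALTER USER apps       PROFILE ebs_schema_profile;

-- 4. Verify: the schemas should be on the hardened profile, and after the
--    restart the parameters should read FALSE / the restricted directory.
SELECT username, profile, account_status
  FROM dba_users
 WHERE username IN ('APPLSYSPUB', 'APPLSYS', 'APPS');

SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles', 'utl_file_dir');
```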
Database level Authentication (2)
Change default schema passwords for:
Core RDBMS [i.e. SYS, SYSTEM]
Schemas used by shared components of eBS [i.e. APPLSYSPUB, APPLSYS, APPS]
Individual product schemas
Schemas for optional database features or 3rd party products:
Used by and patched with eBS [i.e. CTXSYS, PORTAL30]
Used by eBS but patched only with the RDBMS [i.e. MDSYS, ORDSYS]
Unused schemas [i.e. SCOTT]
Database level Authentication (3) - 11i
eBS password concerns:
A password for the GATEWAY user APPLSYSPUB (the default password is 'PUB') - Type I
A password shared between APPLSYS and APPS (also known as FNDNAM). The default password is 'APPS' - Type II
A password for all of the product-specific base schemas (the default password for these schemas is the same as the schema name) - Type III
Optional feature schemas used & patched by eBS - Type IV
Database level Authentication (4) - Type I schemas
The APPLSYSPUB schema has sufficient privileges to perform the authentication of an Applications user (FND user):
Runs PL/SQL packages to verify the username/password combination
Records the success or failure of a login attempt
How to change password:
Use OAM to alter the s_gwyuid_pass variable in the context file
Shutdown middle tier processes
Run FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE APPLSYSPUB <new_pwd>
Configuration files being updated: iAS/Apache/Jserv/etc/formservlet.ini, $FND_TOP/secure/<host>_<sid>.dbc, $FND_TOP/resource/appsweb.cfg, $OA_HTML/bin/appsweb.cfg, iAS/Apache/Apache/conf/apps.conf
Run AutoConfig to propagate the password change. NOTE: Prior to the July 2006 CPU (or 11.5.10 RUP4 or TXK patch 5107107) AutoConfig did not fully propagate the changed password (manual workaround: add PassEnv GWYUID to the iAS configuration file apps.conf)
Restart middle tier processes
Database level Authentication (6) - Type III schemas
How to change password:
Specific product schema: FNDCPASS apps/<apps_pwd> 0 Y system/manager ORACLE <schema> <new_pwd>
ALL product schemas: FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ALLORACLE <new_pwd>
Database level Authentication (7) - Type IV schemas
eBS uses the CTXSYS schema. How to change password:
SQL> alter user CTXSYS identified by <new_pwd>;
If using Oracle Login Server and Portal 3.0.9 schemas PORTAL30 and PORTAL30_SSO, how to change password:
$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30 <new_pwd>
$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30_SSO <new_pwd>
If NOT using Oracle Login Server and Portal 3.0.9, lock the accounts:
SQL> alter user PORTAL30 account lock;
SQL> alter user PORTAL30_SSO account lock;
Or remove the schemas
eBS level Authentication (1)
Change default passwords for eBS seeded Applications users, i.e. SYSADMIN, GUEST
GUEST user credentials, used for the THIN JDBC driver connection to the database, are stored in three different locations:
FND_USER db table
GUEST_USER_PWD profile option
DBC file in $FND_TOP/secure/
How to change password:
$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> USER GUEST <new_pwd>
From OAM: edit the context XML file, set the value of s_guest_user to GUEST and s_guest_pass to <new_pwd>, then run AutoConfig and restart your instance
From the Applications Forms interface: reset the GUEST_USER_PWD profile value and the GUEST user password from form User -> Define
eBS level Authentication (2)
Tighten logon and session profile options:
SIGNON_PASSWORD_LENGTH 8
SIGNON_PASSWORD_HARD_TO_GUESS YES
SIGNON_PASSWORD_NO_REUSE 180
ICX_SESSION_TIMEOUT 30
Use User Management (UMX) for a common user registration flow
Create shared responsibilities rather than shared accounts
Use ENCRYPT for the APPS password passed to concurrent programs
In multi-tier environments, activate Apps server security: jre oracle.apps.fnd.security.AdminAppServer
Use NODE_TRUST_LEVEL to restrict access at the responsibility level
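A compliance check for the profile options just listed, as an added example that is not part of the original deck: it reads the site-level value of each option straight from the FND profile tables, so it can be scripted and compared against the targets above. The FND tables and the site level id 10001 are standard eBS objects; the target values are the ones on the slide.

```sql
-- Added example (not from the original deck): report the site-level value of
-- each sign-on/session profile option next to the recommended value, with a
-- simple OK/CHECK verdict. Level_id 10001 is the Site level in FND.
WITH target AS (
  SELECT 'SIGNON_PASSWORD_LENGTH'        AS opt, '8'   AS want, 'GE' AS cmp FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_HARD_TO_GUESS' AS opt, 'Y'   AS want, 'EQ' AS cmp FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_NO_REUSE'      AS opt, '180' AS want, 'GE' AS cmp FROM dual UNION ALL
  SELECT 'ICX_SESSION_TIMEOUT'           AS opt, '30'  AS want, 'LE' AS cmp FROM dual
)
SELECT t.opt                         AS profile_option,
       v.profile_option_value        AS site_value,
       t.want                        AS recommended,
       CASE
         WHEN v.profile_option_value IS NULL THEN 'CHECK (not set at site level)'
         WHEN t.cmp = 'EQ' AND v.profile_option_value = t.want THEN 'OK'
         -- numeric options: length and reuse must be at least the target,
         -- idle timeout must be at most the target
         WHEN t.cmp = 'GE' AND TO_NUMBER(v.profile_option_value) >= TO_NUMBER(t.want) THEN 'OK'
         WHEN t.cmp = 'LE' AND TO_NUMBER(v.profile_option_value) <= TO_NUMBER(t.want) THEN 'OK'
         ELSE 'CHECK'
       END                           AS verdict
  FROM target t
  JOIN fnd_profile_options o
    ON o.profile_option_name = t.opt
  LEFT JOIN fnd_profile_option_values v
    ON v.profile_option_id = o.profile_option_id
   AND v.level_id = 10001                       -- Site level
 ORDER BY t.opt;
```

Lower-level overrides (application, responsibility, user: level_id 10002 to 10004) can weaken a site value, so a fuller check drops the level_id filter and reviews every row returned.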
Audit (1)
SIGNONAUDIT:LEVEL profile option
Retrieve audit records by using Audit Reports, OAM or SQL statements
Review data tracked (manual reporting): the Who columns
CREATION_DATE: Date and time the row was created
CREATED_BY: Oracle Applications user ID from FND_USER
LAST_UPDATE_LOGIN: Login ID from FND_LOGINS
LAST_UPDATE_DATE: Date and time the row was last updated
LAST_UPDATED_BY: Oracle Applications user ID from FND_USER
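One way to do the manual review of the Who columns, as an added example that is not from the original deck: it resolves CREATED_BY, LAST_UPDATED_BY and LAST_UPDATE_LOGIN on FND_USER back to the account and login session that made the change, which is how you spot newly created or modified application users. FND_USER and FND_LOGINS are standard FND tables; the 7-day window is an assumption.

```sql
-- Added example (not part of the original deck). Lists application accounts
-- created or changed in the last 7 days (window is an assumption) and who did
-- it. FND_LOGINS is only populated when SIGNONAUDIT:LEVEL is set to at least
-- USER, so the login columns come back NULL on an instance that never enabled
-- sign-on auditing.
SELECT u.user_name                         AS account,
       u.creation_date,
       cb.user_name                        AS created_by,      -- resolved from CREATED_BY
       u.last_update_date,
       ub.user_name                        AS last_updated_by, -- resolved from LAST_UPDATED_BY
       u.last_update_login,
       l.start_time                        AS updater_login_start,
       l.end_time                          AS updater_login_end,
       u.end_date                          AS account_end_date
  FROM fnd_user u
  -- LEFT JOINs: seeded rows carry CREATED_BY = -1 / 0, which match no user
  LEFT JOIN fnd_user   cb ON cb.user_id = u.created_by
  LEFT JOIN fnd_user   ub ON ub.user_id = u.last_updated_by
  LEFT JOIN fnd_logins l  ON l.login_id = u.last_update_login
 WHERE u.last_update_date >= SYSDATE - 7
 ORDER BY u.last_update_date DESC;

-- Companion view of the same period from the sign-on audit side: login
-- sessions per account, to cross-check against the changes listed above.
SELECT su.user_name,
       COUNT(*)           AS logins,
       MIN(l.start_time)  AS first_login,
       MAX(l.start_time)  AS last_login
  FROM fnd_logins l
  JOIN fnd_user su ON su.user_id = l.user_id
 WHERE l.start_time >= SYSDATE - 7
 GROUP BY su.user_name
 ORDER BY logins DESC;
```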
Audit (2): Audit Trail
System profile option AuditTrail:Activate set to True
Auditing database row changes is performance intensive, so limit auditing to non-transactional data
Keeps a complete history of changes made at a table and column level
Summary
Focus on Authentication: proactive password & account management, at db and eBS level
Auditing: reactive
Support Terminology & Tools
Best Practices for securing eBS
11i SysAdmin - security
FNDCPASS utility: Change The Oracle Users, APPS, APPLSYS and Application Module Passwords
Note.398942.1 Ext/Pub: FNDCPASS Utility New Feature ALLORACLE
Note.358176.1 Int/Pub: How to Change the APPLSYSPUB Password in 11.5.10
Does 11i support database password complexity?
Using OA_HTML/AppsLocalLogin.jsp Causes Passwords To Incorrectly Fail
Note.135878.1 Ext/Pub: Script to prevent a user from changing his password
Apps profile options related to password admin