Security considerations for ORACLE Applications 11i eBusiness Suite

  • 8/9/2019 Security considerations for ORACLE Applications 11i eBusiness Suite

    Security Best Practice for eBS

    A Practical Guide

    Nikos Plevris, Principal Service Delivery Manager

    Agenda

    The Security balance & levels

    Security considerations

    Database level Authentication

    eBS level Authentication

    Auditing

    Summary

    Q & A

    Security balance

    Risk of exposure

    Cost of security

    Value of information protected

    [Figure: the multi-tier environment]

    Desktop tier: Web browser, JInitiator

    Application tier: APPL_TOP; iAS ORACLE_HOME (Apache, mod_plsql, JServ); Tools ORACLE_HOME (Forms, Reports, Concurrent Managers, Designer)

    Database tier: ORACLE_HOME (RDBMS, RAC), TNS Listener

    Security levels

    Across tiers: Client, Middle tier, Db tier

    Across categories: Hardening, Network, Authentication, Authorization, Audit

    Authentication covers account management, password management and other account-related activities.

    Security Considerations

    The principle of least privilege

    System monitoring by auditing & reviewing audit records

    Database level Authentication (1)

    Database tier init parameters:
    REMOTE_OS_AUTHENT=FALSE
    REMOTE_OS_ROLES=FALSE

    Db profiles for password management:
    FAILED_LOGIN_ATTEMPTS UNLIMITED
    PASSWORD_LIFE_TIME UNLIMITED
    PASSWORD_REUSE_TIME 180
    PASSWORD_REUSE_MAX UNLIMITED
    PASSWORD_LOCK_TIME UNLIMITED
    PASSWORD_GRACE_TIME UNLIMITED
    PASSWORD_VERIFY_FUNCTION recommended

    _TRACE_FILES_PUBLIC=FALSE

    Limit file access from PL/SQL: avoid UTL_FILE_DIR = *
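    Added here as a check, not part of the slides: SQL that reports the database-level settings listed above so they can be compared with the slide's values, followed by a profile carrying those limits. It assumes a DBA session in SQL*Plus; the profile name is made up, and VERIFY_FUNCTION is the function that $ORACLE_HOME/rdbms/admin/utlpwdmg.sql creates, assumed to be installed already.

```sql
-- Added example (not from the deck): verify the database-level settings on the slide.
-- Run as a DBA in SQL*Plus. Profile name and the installed verify function are assumptions.

-- 1. Init parameters: both REMOTE_OS_* values should be FALSE, and UTL_FILE_DIR never '*'
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles', 'utl_file_dir')
 ORDER BY name;

-- 2. _TRACE_FILES_PUBLIC is a hidden parameter, so v$parameter does not list it;
--    as SYS, read it from the x$ views instead
SELECT i.ksppinm AS name, v.ksppstvl AS value
  FROM x$ksppi i, x$ksppcv v
 WHERE i.indx = v.indx
   AND i.ksppinm = '_trace_files_public';

-- 3. Password limits currently in force for the gateway and APPS schemas
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u, dba_profiles p
 WHERE p.profile = u.profile
   AND p.resource_type = 'PASSWORD'
   AND u.username IN ('APPLSYSPUB', 'APPLSYS', 'APPS')
 ORDER BY u.username, p.resource_name;

-- 4. A profile with the slide's limits. FAILED_LOGIN_ATTEMPTS and PASSWORD_LIFE_TIME
--    stay UNLIMITED as on the slide: locking or expiring APPS stops the application.
--    Oracle documents that an integer for one of PASSWORD_REUSE_TIME/PASSWORD_REUSE_MAX
--    combined with UNLIMITED for the other means a password can never be reused.
--    VERIFY_FUNCTION is created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (assumed installed).
CREATE PROFILE ebs_schema_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_REUSE_TIME      180
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_LOCK_TIME       UNLIMITED
  PASSWORD_GRACE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;

ALTER USER applsyspub PROFILE ebs_schema_profile;
```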

    Database level Authentication (2)

    Change the default schema passwords for:
    Core RDBMS schemas [e.g. SYS, SYSTEM]
    Schemas used by shared components of eBS [e.g. APPLSYSPUB, APPLSYS, APPS]
    Individual product schemas
    Schemas for optional database features or 3rd party products:
      used by and patched with eBS [e.g. CTXSYS, PORTAL30]
      used by eBS but patched only with the RDBMS [e.g. MDSYS, ORDSYS]
    Unused schemas [e.g. SCOTT]

    Database level Authentication (3) - 11i

    eBS password concerns:
    Type I: a password for the GATEWAY user APPLSYSPUB (the default password is 'PUB')
    Type II: a password shared between APPLSYS and APPS (also known as FNDNAM); the default password is 'APPS'
    Type III: a password for all of the product-specific base schemas (the default password for these schemas is the same as the schema name)
    Type IV: optional feature schemas used and patched by eBS

    Database level Authentication (4) - Type I schemas

    The APPLSYSPUB schema has sufficient privileges to perform the authentication of an Applications user (FND user):
    runs PL/SQL packages to verify the username/password combination
    records the success or failure of a login attempt

    How to change the password:
    Use OAM to alter the s_gwyuid_pass variable in the context file
    Shut down the middle tier processes
    Run FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE APPLSYSPUB <new_pwd>
    Configuration files being updated:
      iAS/Apache/Jserv/etc/formservlet.ini
      $FND_TOP/secure/<host>_<sid>.dbc
      $FND_TOP/resource/appsweb.cfg, $OA_HTML/bin/appsweb.cfg
      iAS/Apache/Apache/conf/apps.conf
    Run AutoConfig to propagate the password change
    NOTE: Prior to the July 2006 CPU (or 11.5.10 RUP4 or TXK patch 5107107) AutoConfig did not fully propagate the changed password. Manual workaround: add PassEnv GWYUID to the iAS configuration file apps.conf.
    Restart the middle tier processes

    Database level Authentication (6) - Type III schemas

    How to change the password:
    Specific product schema: FNDCPASS apps/<apps_pwd> 0 Y system/<system_pwd> ORACLE <schema> <new_pwd>
    ALL product schemas: FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ALLORACLE <new_pwd>

    Database level Authentication (7) - Type IV schemas

    eBS uses the CTXSYS schema. How to change the password:
    SQL> alter user CTXSYS identified by <new_pwd>;

    If using the Oracle Login Server and Portal 3.0.9 schemas (PORTAL30, PORTAL30_SSO), how to change the password:
    $ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30 <new_pwd>
    $ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30_SSO <new_pwd>

    If NOT using Oracle Login Server and Portal 3.0.9, lock the schemas:
    SQL> alter user PORTAL30 account lock;
    SQL> alter user PORTAL30_SSO account lock;
    or remove the schemas.

    eBS level Authentication (1)

    Change the default passwords for eBS seeded Applications users, e.g. SYSADMIN, GUEST.

    GUEST user credentials, used for the THIN JDBC driver connection to the database, are stored in three different locations:
    FND_USER db table
    GUEST_USER_PWD profile option
    DBC file in $FND_TOP/secure/

    How to change the password:
    $ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> USER GUEST <new_pwd>
    From OAM: edit the context XML file, set the value of s_guest_user to GUEST and s_guest_pass to <new_pwd>; run AutoConfig and restart your instance
    From the Applications Forms interface: reset the GUEST_USER_PWD profile value and the GUEST user password from the form User -> Define

    eBS level Authentication (2)

    Tighten logon and session profile options:
    SIGNON_PASSWORD_LENGTH 8
    SIGNON_PASSWORD_HARD_TO_GUESS YES
    SIGNON_PASSWORD_NO_REUSE 180
    ICX_SESSION_TIMEOUT 30

    Use User Management (UMX) for a common user registration flow
    Create shared responsibilities rather than shared accounts
    ENCRYPT the APPS password passed to concurrent programs
    In multi-tier environments, activate Apps server security: jre oracle.apps.fnd.security.AdminAppServer
    Use NODE_TRUST_LEVEL to restrict access at the responsibility level
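    An added query, not from the deck, that reports the site-level values of the sign-on options listed here together with SIGNONAUDIT:LEVEL from the Audit section, then lists per-user overrides of ICX_SESSION_TIMEOUT, which quietly replace the site value. It assumes a SQL*Plus session as APPS and the standard FND profile tables.

```sql
-- Added example (not from the deck): audit the sign-on profile options the deck tightens.
-- Run as APPS. FND level ids: 10001 site, 10002 application, 10003 responsibility, 10004 user.

-- 1. Every level at which the options are set; anything below SITE is a candidate override
SELECT o.profile_option_name,
       t.user_profile_option_name,
       DECODE(v.level_id, 10001, 'SITE', 10002, 'APPLICATION',
                          10003, 'RESPONSIBILITY', 10004, 'USER', v.level_id) AS level_name,
       v.level_value,
       v.profile_option_value
  FROM fnd_profile_options o,
       fnd_profile_options_tl t,
       fnd_profile_option_values v
 WHERE t.profile_option_name = o.profile_option_name
   AND t.language = USERENV('LANG')
   AND v.profile_option_id = o.profile_option_id
   AND o.profile_option_name IN ('SIGNON_PASSWORD_LENGTH',
                                 'SIGNON_PASSWORD_HARD_TO_GUESS',
                                 'SIGNON_PASSWORD_NO_REUSE',
                                 'ICX_SESSION_TIMEOUT',
                                 'SIGNONAUDIT:LEVEL')
 ORDER BY o.profile_option_name, v.level_id, v.level_value;

-- 2. User-level overrides of the session timeout, resolved to account names:
--    these bypass the 30-minute site value and deserve review one by one
SELECT fu.user_name,
       v.profile_option_value AS timeout_minutes,
       v.last_update_date
  FROM fnd_profile_options o, fnd_profile_option_values v, fnd_user fu
 WHERE v.profile_option_id = o.profile_option_id
   AND o.profile_option_name = 'ICX_SESSION_TIMEOUT'
   AND v.level_id = 10004
   AND fu.user_id = v.level_value
 ORDER BY fu.user_name;
```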

    Audit (1)

    SIGNONAUDIT:LEVEL profile option

    Retrieve audit records by using Audit Reports, OAM or SQL statements.

    Review data tracked (manual reporting) - Who columns:
    CREATION_DATE      Date and time the row was created
    CREATED_BY         Oracle Applications user ID from FND_USER
    LAST_UPDATE_LOGIN  Login ID from FND_LOGINS
    LAST_UPDATE_DATE   Date and time the row was last updated
    LAST_UPDATED_BY    Oracle Applications user ID from FND_USER
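    An added query, not from the deck, that turns the Who columns above into a readable change report for FND_USER itself (who changed which application account, from which login session), followed by a look at failed sign-ons. It assumes a SQL*Plus session as APPS; the FND_UNSUCCESSFUL_LOGINS table and its USER_NAME/ATTEMPT_TIME columns are assumed from memory rather than taken from the slides.

```sql
-- Added example (not from the deck): manual review of Who columns on FND_USER.
-- Run as APPS. Outer joins keep rows whose user_id or login_id no longer resolves
-- (seeded rows carry ids such as 0 or -1 that may have no matching account).
SELECT fu.user_name                                          AS account,
       TO_CHAR(fu.last_update_date, 'YYYY-MM-DD HH24:MI')    AS changed_at,
       NVL(who.user_name, 'user_id ' || fu.last_updated_by)  AS changed_by,
       fu.last_update_login                                  AS login_id,
       TO_CHAR(l.start_time, 'YYYY-MM-DD HH24:MI')           AS session_start,
       TO_CHAR(fu.creation_date, 'YYYY-MM-DD')               AS created_on,
       NVL(cre.user_name, 'user_id ' || fu.created_by)       AS created_by
  FROM fnd_user   fu,
       fnd_user   who,
       fnd_user   cre,
       fnd_logins l
 WHERE who.user_id (+) = fu.last_updated_by
   AND cre.user_id (+) = fu.created_by
   AND l.login_id  (+) = fu.last_update_login
   AND fu.last_update_date >= SYSDATE - 30
 ORDER BY fu.last_update_date DESC;

-- Failed sign-on attempts in the last 7 days against the seeded accounts the deck
-- says to re-password. Table and column names here are an assumption.
SELECT ul.user_name,
       TO_CHAR(ul.attempt_time, 'YYYY-MM-DD HH24:MI:SS') AS attempted_at
  FROM fnd_unsuccessful_logins ul
 WHERE ul.attempt_time >= SYSDATE - 7
   AND ul.user_name IN ('SYSADMIN', 'GUEST')
 ORDER BY ul.attempt_time DESC;
```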

    Audit (2) - Audit Trail

    System profile option AuditTrail:Activate set to True
    Auditing database row changes is performance intensive: limit auditing to non-transactional data
    Keeps a complete history of changes made at table and column level

    Summary

    Focus on authentication: proactive password & account management at db and eBS level
    Auditing: reactive

    Support Terminology & Tools

    Best Practices for securing eBS
    11i SysAdmin - security
    FNDCPASS utility: Change the Oracle Users, APPS, APPLSYS and Application Module Passwords
    Note 398942.1: FNDCPASS Utility New Feature: ALLORACLE
    Note 358176.1: How to Change the APPLSYSPUB Password in 11.5.10
    Does 11i support database password complexity?
    Using OA_HTML/AppsLocalLogin.jsp Causes Passwords To Incorrectly Fail
    Note 135878.1: Script to prevent a user from changing his password
    Apps profile options related to password admin
