Monday, July 14, 2014

EBS 12.2 -- Securing EBS

There are a number of documented configurations for a secure EBS R12 environment.
Let's walk through them following the "Secure Configuration Guide for Oracle E-Business Suite Release 12".
  • Ensure that the binaries in ORACLE_HOME are owned by the RDBMS software owner.
  • Check that all the files under $APPL_TOP belong to the Application software owner.
  • Disable remote logins to the RDBMS and Application software owner accounts. Instead, create one account for each system administrator, have them log in to the servers with their own accounts and use the "su" command to switch to the RDBMS or Application software owner account (sudo can be implemented, too).
  • Set the permissions on $ORACLE_HOME/bin to 0751 or less. Set all other directories in $ORACLE_HOME to 0750 or less. Note that this limits access to the Oracle user and its group (probably dba).
  • Set the file permissions of listener.ora and sqlnet.ora to 0600.
  • Set the file permissions of tnsnames.ora to 0644.
  • Set the file permissions of the database data files (*.dbf) to 0640.
  • chown -R <oracle> $ORACLE_HOME
  • chgrp -R <dba> $ORACLE_HOME
  • Make the necessary permission configuration to ensure that the files under the $ORACLE_HOME/rdbms/admin directory cannot be deleted.
  • The dbc file located under $FND_SECURE/ should have permission 600.
  • The set user id (SUID) and set group id (SGID) bits should not be set on the Oracle binaries.
Note that:
Oracle recommends that the SUID and SGID bits be removed from the binaries shipped by Oracle.
Warning: If the Concurrent Manager runs on the database tier and uses the BEQ adapter to avoid the TCP overhead, the SUID and/or SGID bit must be set on the Oracle database executable in $ORACLE_HOME/bin. This may also apply to third-party products running on the database tier.
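As an added example (not from the guide or from Oracle), the following script audits an ORACLE_HOME tree against the ownership and permission rules above and reports each deviation without changing anything. It assumes Linux with GNU coreutils and findutils (stat -c, find -perm) and that the network files live under $ORACLE_HOME/network/admin; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: audit an ORACLE_HOME tree against the ownership/permission rules above.
# Read-only; prints one line per deviation. Assumes Linux with GNU coreutils/findutils
# (stat -c, find -perm) and network files under $ORACLE_HOME/network/admin.

# check_max_mode MAX FILE... -> TOO-OPEN for each file whose mode sets a bit that MAX does not
check_max_mode() {
  local max="$1" f mode
  shift
  for f in "$@"; do
    [ -e "$f" ] || continue
    mode=$(stat -c '%a' "$f")                     # e.g. 4755 (SUID set) or 640
    # "0$mode" makes printf parse the octal string; bits set in mode but not in max are excess
    if [ $(( $(printf '%d' "0$mode") & ~$(printf '%d' "0$max") )) -ne 0 ]; then
      echo "TOO-OPEN      $f mode=$mode max=$max"
    fi
  done
}

# audit_oracle_home HOME OWNER GROUP -> violations, or no output when the tree is clean
audit_oracle_home() {
  local home="$1" owner="$2" group="$3" f

  # 1. Everything must belong to the RDBMS software owner and its group
  #    (the chown -R / chgrp -R commands in the text fix this).
  find "$home" \( ! -user "$owner" -o ! -group "$group" \) -print | sed 's/^/WRONG-OWNER   /'

  # 2. No SUID/SGID bits on shipped binaries; remember the BEQ-adapter exception in the text.
  find "$home" -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's/^/SUID-SGID     /'

  # 3. $ORACLE_HOME/bin at most 0751, every other directory at most 0750.
  check_max_mode 751 "$home/bin"
  find "$home" -type d ! -path "$home/bin" | while IFS= read -r f; do
    check_max_mode 750 "$f"
  done

  # 4. listener.ora and sqlnet.ora 0600, tnsnames.ora 0644, data files 0640.
  check_max_mode 600 "$home/network/admin/listener.ora" "$home/network/admin/sqlnet.ora"
  check_max_mode 644 "$home/network/admin/tnsnames.ora"
  find "$home" -type f -name '*.dbf' | while IFS= read -r f; do
    check_max_mode 640 "$f"
  done
}

# Usage: audit_oracle_home.sh /path/to/ORACLE_HOME oracle dba
if [ $# -eq 3 ]; then
  audit_oracle_home "$1" "$2" "$3"
fi
```

Run it as `bash audit_oracle_home.sh $ORACLE_HOME oracle dba` (or source it and call audit_oracle_home) and fix what it lists with the chmod/chown commands above; check the BEQ exception before stripping SUID from the oracle binary.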


  • The X server is not required after the installation; it can be shut down.
  • Open printer ports only if necessary, and restrict access to those printers.
  • SSH should be used for remote connections (not telnet, rsh, rlogin, rcp or ftp).
  • XDB support is not required by Oracle E-Business Suite, so the XDB service published through the listener should be disabled. To disable XDB, remove or comment out the line in init.ora that reads *.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
  • Database links should be reviewed and the unnecessary ones dropped. Public database links should not be created.
  • The database parameter REMOTE_OS_AUTHENT should be set to FALSE in init.ora. REMOTE_OS_AUTHENT specifies whether remote clients are authenticated using the value of the OS_AUTHENT_PREFIX parameter.
  • There should be two password profiles in the database: one for the Applications and one for Administrators. The password management profile should be configured as follows:



  • Database schema passwords should be changed with "alter user", and Application passwords with FNDCPASS.

For example:
alter user <SCHEMA> identified by <NEW_PASSWORD>;
$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ALLORACLE <NEW_PWD>
(AFPASSWD can be used if the EBS version is 12.1.2 or later.)

Note that: Application users can be listed using adutconf.sql.
The DB schemas are as follows:


Note that: Patch 4926128 can be used to list all open accounts with default passwords in the database. The DBA_USERS_WITH_DEFPWD view (present in 10g and 11g) also lists these accounts.

  • The init.ora parameter _TRACE_FILES_PUBLIC should be set to FALSE; otherwise it grants file system read access to the trace files produced by anyone who has activated SQL tracing.
  • Set the REMOTE_OS_ROLES init.ora parameter to FALSE.
  • Limit file system access from the database through the application by setting utl_file_dir explicitly. Avoid using *: UTL_FILE_DIR = <dir1>,<dir2>,<dir3>...
  • Prevent the SELECT ANY privilege from reading the data dictionary tables by setting O7_DICTIONARY_ACCESSIBILITY = FALSE.
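The parameter recommendations above (the XDB dispatcher, REMOTE_OS_AUTHENT, REMOTE_OS_ROLES, _TRACE_FILES_PUBLIC, UTL_FILE_DIR and O7_DICTIONARY_ACCESSIBILITY, plus AUDIT_TRAIL from further down) can be checked against a pfile before a restart. The script below is an added example, not from the guide: it parses init.ora "name = value" lines with a small awk routine of my own and prints FAIL for a weak value and WARN where a parameter is left unset and therefore at its default. It is a text check on the pfile only; for an instance running from an spfile, compare against V$PARAMETER instead.

```shell
#!/usr/bin/env bash
# Added example: check an init.ora (pfile) against the parameter recommendations above.
# Works on the text file only; nothing is changed.

# param_value FILE NAME -> last value assigned to NAME (case-insensitive, optional "*." or
# "<sid>." prefix, one pair of surrounding quotes removed), or "" when the parameter is unset.
param_value() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || !/=/ { next }            # skip comments and non-assignments
    {
      key = substr($0, 1, index($0, "=") - 1)
      gsub(/[[:space:]]/, "", key)
      sub(/^[^.]*\./, "", key)                    # drop "*." or "<sid>." prefix
      if (tolower(key) == want) {
        val = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        gsub(/^["'\'']|["'\'']$/, "", val)          # strip one pair of quotes
        last = val
      }
    }
    END { print last }' "$1"
}

# lower STRING -> lower-cased copy
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_init_ora FILE -> FAIL for a weak value, WARN for a parameter left at its default
check_init_ora() {
  local file="$1" p v
  # These should be FALSE. Unset means the 10g/11g default (FALSE) applies, which is
  # acceptable, but an explicit value documents the intent, hence WARN rather than silence.
  for p in remote_os_authent remote_os_roles _trace_files_public o7_dictionary_accessibility; do
    v=$(param_value "$file" "$p")
    case "$(lower "$v")" in
      false) ;;
      "")    echo "WARN $p is not set (relying on the default FALSE)" ;;
      *)     echo "FAIL $p='$v' (expected FALSE)" ;;
    esac
  done
  v=$(param_value "$file" audit_trail)
  case "$(lower "$v")" in
    ""|none|false) echo "FAIL audit_trail='$v' (expected OS, DB or TRUE)" ;;
  esac
  v=$(param_value "$file" utl_file_dir)
  case "$v" in
    *'*'*) echo "FAIL utl_file_dir='$v' (a wildcard opens every directory; list the directories)" ;;
  esac
  v=$(param_value "$file" dispatchers)
  if printf '%s' "$v" | grep -qi 'xdb'; then
    echo "FAIL dispatchers='$v' (XDB service is not needed by EBS; remove or comment out the line)"
  fi
}

# Usage: check_init_ora.sh $ORACLE_HOME/dbs/init$ORACLE_SID.ora
if [ $# -eq 1 ]; then
  check_init_ora "$1"
fi
```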
  • Revoke unnecessary grants from the APPLSYSPUB account.
To check its permissions, log in as SYSTEM and issue the following query:
SELECT * FROM dba_tab_privs WHERE grantee ='APPLSYSPUB';
APPLSYSPUB should have only the grants listed below; any extra grants should be revoked. To revoke the unnecessary privileges granted to the APPLSYSPUB schema, see patch 3763612.

APPLSYSPUB proper grants:

EXECUTE ON FND_PUB_MESSAGE
EXECUTE ON FND_SECURITY_PKG
EXECUTE ON FND_SIGNON
EXECUTE ON FND_WEBFILEPUB
INSERT ON FND_SESSIONS
INSERT ON FND_UNSUCCESSFUL_LOGINS
SELECT ON FND_APPLICATION
SELECT ON FND_APPLICATION_TL
SELECT ON FND_APPLICATION_VL
SELECT ON FND_LANGUAGES_TL
SELECT ON FND_LANGUAGES_VL
SELECT ON FND_LOOKUPS
SELECT ON FND_PRODUCT_GROUPS
SELECT ON FND_PRODUCT_INSTALLATIONS
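Comparing the actual grants with the approved list by eye is error-prone, so here is an added example (mine, not from the guide or the patch) that does the comparison. It expects a text file holding one PRIVILEGE ON TABLE_NAME line per grant, as produced by spooling the query shown in the comment with heading and feedback off (an assumed spool format), and prints the grants that are extra (candidates for revoking) and those that are missing (sign-on fails without them).

```shell
#!/usr/bin/env bash
# Added example: compare APPLSYSPUB's actual grants with the approved list above.
# Input file format (assumed): one "PRIVILEGE ON TABLE_NAME" line per grant, e.g. spooled with
#   SET HEADING OFF FEEDBACK OFF PAGESIZE 0
#   SELECT privilege || ' ON ' || table_name FROM dba_tab_privs WHERE grantee = 'APPLSYSPUB';

# The approved list from the guide, as quoted above.
approved_applsyspub_grants() {
  cat <<'EOF'
EXECUTE ON FND_PUB_MESSAGE
EXECUTE ON FND_SECURITY_PKG
EXECUTE ON FND_SIGNON
EXECUTE ON FND_WEBFILEPUB
INSERT ON FND_SESSIONS
INSERT ON FND_UNSUCCESSFUL_LOGINS
SELECT ON FND_APPLICATION
SELECT ON FND_APPLICATION_TL
SELECT ON FND_APPLICATION_VL
SELECT ON FND_LANGUAGES_TL
SELECT ON FND_LANGUAGES_VL
SELECT ON FND_LOOKUPS
SELECT ON FND_PRODUCT_GROUPS
SELECT ON FND_PRODUCT_INSTALLATIONS
EOF
}

# normalise_grants: stdin -> upper-cased, single-spaced, de-duplicated, sorted lines
normalise_grants() {
  tr 'a-z' 'A-Z' | sed 's/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//' | grep -v '^$' | sort -u
}

# grant_diff FILE COMM_FLAG -> comm(1) of approved vs actual; both sides normalised the same way
grant_diff() {
  local want have
  want=$(mktemp) && have=$(mktemp) || return 1
  approved_applsyspub_grants | normalise_grants > "$want"
  normalise_grants < "$1" > "$have"
  comm "$2" "$want" "$have"
  rm -f "$want" "$have"
}

# extra_grants FILE   -> grants APPLSYSPUB holds but should not (review, then revoke)
extra_grants()   { grant_diff "$1" -13; }
# missing_grants FILE -> approved grants that are absent (sign-on will fail without them)
missing_grants() { grant_diff "$1" -23; }

# Usage: applsyspub_grants.sh applsyspub_grants.lst
if [ $# -eq 1 ]; then
  echo "== extra grants ==";   extra_grants "$1"
  echo "== missing grants =="; missing_grants "$1"
fi
```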

  • Enable the audit trail, writing audit records to the database or to the OS:
AUDIT_TRAIL = OS or DB or TRUE

Audit the operations:

SQL> AUDIT SESSION;
SQL> AUDIT USER; -- any changes to the standard Oracle E-Business Suite database schemas or creation of new schemas
SQL> AUDIT DATABASE LINK; -- Audit create or drop database links
SQL> AUDIT PUBLIC DATABASE LINK; -- Audit create or drop public database links
SQL> AUDIT SYSTEM AUDIT; -- Audit statements themselves
SQL> AUDIT ALTER ANY ROLE BY ACCESS; -- Audit alter any role statements
SQL> AUDIT ALTER DATABASE BY ACCESS; -- Audit alter database statements
SQL> AUDIT ALTER SYSTEM BY ACCESS; -- Audit alter system statements
SQL> AUDIT CREATE ROLE BY ACCESS; -- Audit create role statements
SQL> AUDIT DROP ANY ROLE BY ACCESS; -- Audit drop any role statements
SQL> AUDIT PROFILE BY ACCESS; -- Audit changes to profiles
SQL> AUDIT PUBLIC SYNONYM BY ACCESS; -- Audit public synonym statements
SQL> AUDIT SYSDBA BY ACCESS; -- Audit SYSDBA privileges
SQL> AUDIT SYSOPER BY ACCESS; -- Audit SYSOPER privileges
SQL> AUDIT SYSTEM GRANT BY ACCESS; -- Audit system grant privileges


If the audit trail is set to DB, the records can be analyzed using the following views:

DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
DBA_AUDIT_TRAIL
DBA_OBJ_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_STMT_AUDIT_OPTS

Column Definitions:

Username: Oracle Username.
Terminal: Machine from which the user originated.
Timestamp: Time the action occurred.
Object Owner: The owner of the object that the user touched.
Object Name: The name of the object that the user touched.
Action Name: The action that occurred against the object (INSERT, UPDATE, DELETE, SELECT, EXECUTE).

Note that: these audit records should be archived and purged periodically; the retention period should be at least 90 days. Restrict access to the audit records accordingly.

  • Use the Apache trusted.conf to limit access to the administrative web pages as follows.
The <list of TRUSTED IPs> is replaced with the value of the AutoConfig variable
s_admin_ui_access_nodes, which you should set to the list of host machines from which administrators connect.

<Location "uri-to-protect">
Order deny,allow
Deny from all
Allow from localhost <list of TRUSTED IPs>
</Location>

  • Stop adpatch from logging passwords:
adpatch flags=hidepw

  • Set the Workflow Notification Mailer parameter SEND_ACCESS_KEY to "N". When it is "N", an unauthenticated user who clicks a notification link must sign on before accessing the Notification Details web page.
  • Forms users should be prevented from using the enter-query feature on a production system. In the default.env file (for example /x/inst/apps/VIS12_dbs01/ora/10.1.2/forms/server/default.env), set FORMS_RESTRICT_ENTER_QUERY to TRUE.
  • Set the following profile options to restrict attachment operations:

Attachment File Upload Restriction Default | FND_SECURITY_FILETYPE_RESTRICT_DFLT -> "N (whitelist)"
When enabled, it by default restricts uploads using a blacklist of the file extensions that Windows considers "executable", such as .COM, .EXE, .BAT, .CMD, .VBS, .VBE, .JS, .JSE, .WSF, .WSH and .MSC.

Upload File Size Limit | UPLOAD_FILE_SIZE_LIMIT -> "as needed"
While you are considering attachments, also check the maximum allowed size of an uploaded attachment, profile option UPLOAD_FILE_SIZE_LIMIT (in KB).

  • Keep the Antisamy filter enabled by leaving the following profile option at N (do not disable it):
FND: Disable Antisamy Filter | FND_DISABLE_ANTISAMY_FILTER -> N

The Antisamy filter ensures that an HTML document contains only an allowed subset of HTML (no scripting or other "dangerous" tags are allowed).

  • SSL should be used between the browser and the web server; see note 376700.1 "Enabling SSL for Oracle Applications Release 12".

Avoid SSLv2 and all ciphers with a key size of less than 128 bits:
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
Note that:

If you are concerned about the BEAST attack (CVE-2011-3389), you can change the SSLCipherSuite setting to prefer the RC4 stream cipher over a block cipher. BEAST exploits a client-side weakness in SSLv3 and TLS 1.0 when they are used with block ciphers in CBC mode.
The following line makes the server prefer the RC4 stream cipher:
SSLCipherSuite RC4-SHA:MEDIUM:!aNULL::!MD5:!ADH
You will have to leave SSLv3 enabled, as OHS 10.1.3.x uses nzlibs version 10, which does not support TLS. The UTL_HTTP PL/SQL client in the database also does not currently support TLS.



  • If EBS will be exposed to external sites, an external web tier should be used (DMZ configuration), which is more secure.
  • Terminal Services should be used for direct client connections (secure trusted servers rather than desktop clients). Client-server tools, for example Toad, should connect from a terminal server.
  • Passwords of the seeded Application accounts should be changed.

If necessary, the accounts can be disabled. You can disable an application user account by setting the END_DATE for the account.

Note that:
Do not disable the GUEST user account.
Do not disable the SYSADMIN user account until you have created other accounts with similar privileges.
fnddefpw.sql, executed as APPS, displays the seeded accounts that still have the default password.
In the output of the script:
an 'x' in the EndDT column means the account ships end-dated;
an 'x' in the NoPwd column indicates that the account ships with an "impossible password", meaning that the password column in FND_USER contains a clear-text string that is never a valid encrypted or hashed password. Thus it is not possible to log in as this user, unless you change the password!
The "impossible" value can be "DUMMY", "INVALID" or "INTERNAL USER-NOLOGIN".
You can easily identify the users with an impossible password, as the impossible password is shorter than an encrypted or hashed password. For example, this SQL statement lists the users with an impossible password:
select USER_NAME,END_DATE,ENCRYPTED_USER_PASSWORD from FND_USER
where length(ENCRYPTED_USER_PASSWORD) < 30 order by 1;

  • Hashed passwords should be used instead of the encrypted passwords stored in the FND_USER table; see MOS Note 457166.1 "FNDCPASS Utility New Feature: Enhance Security With Non-Reversible Hash Password".

  • Strong passwords, account lockouts and session inactivity timeouts should be configured using the following profile options:

SIGNON_PASSWORD_LENGTH 8
SIGNON_PASSWORD_HARD_TO_GUESS YES
SIGNON_PASSWORD_NO_REUSE 180
SIGNON_PASSWORD_CASE Sensitive
SIGNON_PASSWORD_FAILURE_LIMIT 5
ICX_SESSION_TIMEOUT 30
SIGNON_PASSWORD_CUSTOM implement (optional: if the standard rules are not enough, you can implement a custom validation function and register it with EBS.)

  • Single Sign-On (SSO) should be used.

Note 376811.1 "Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On".

  • Create users through UMX (Oracle User Management).
  • Use shared responsibilities rather than shared accounts.
  • Configure the Concurrent Manager for safe authentication. By default, concurrent managers pass the APPS schema password to concurrent programs on the command line, and anything that can read the command line can steal the password. To prevent this, define the concurrent program executable as a HOST program in the Concurrent Program Executable form, and enter ENCRYPT in the Execution Options field of the Concurrent Programs window when defining a concurrent program that uses this executable. ENCRYPT signals the Concurrent Manager to pass the username/password in the environment variable FCP_LOGIN; the Concurrent Manager then leaves argument $1 blank.

To prevent the username/password from being passed at all, enter SECURE in the Execution Options field. With this setting the Concurrent Manager does not pass the username/password to the program, which of course means that the program has to obtain the database credentials some other way if it needs to connect to the database.

  • Configure the start/stop scripts of the Concurrent Manager to work without the APPS credentials.

To implement this:
Create an application user named CONCOPER and assign the Concurrent Manager Operator responsibility to this user.
Then set the following AutoConfig variables on the application tier and run AutoConfig on the application tier.
s_cp_user -> CONCOPER
s_cp_password_type -> AppsUser
s_cp_resp_shortname -> FND
s_cp_resp_name -> Concurrent Manager Operator

After this change, use the -secureapps argument when starting the control scripts.

For example:
sh adstrtal.sh -secureapps
Enter application username: CONCOPER
Enter applications password:

  • Check the server security status; it should be SECURE.
select NODE_NAME,SERVER_ID,SERVER_ADDRESS from FND_NODES
where SERVER_ADDRESS = '*';

NODE_NAME           SERVER_ID   SERVER_ADDRESS
------------------  ----------  --------------
AUTHENTICATION      SECURE      *

-- Note that: SECURE is the recommended value; only registered application servers and trusted code modules may connect.


  • Review document 1334930.1 "Sensitive Administrative Pages in Oracle E-Business Suite". Access to these pages should be minimized or eliminated; only the System Administrator and a few trusted users should be able to access them.
  • Set the Sign-On Audit Level profile option to "Form" to enable as much auditing as possible. With this setting, operations such as sign-ons, responsibility selections and form accesses are audited and saved in the FND_LOGINS, FND_LOGIN_RESPONSIBILITIES and FND_LOGIN_RESP_FORMS tables.

End-user access data is stored in the tables below:
APPLSYS.FND_LOGINS
APPLSYS.FND_LOGIN_RESPONSIBILITIES
APPLSYS.FND_LOGIN_RESP_FORMS
APPLSYS.FND_UNSUCCESSFUL_LOGINS
FND_CONCURRENT_REQUESTS
ICX.ICX_FAILURES

The FND_LOGINS table should be archived and truncated periodically. The Purge Signon Audit Data concurrent program should be scheduled to run once a week, retaining 30 to 90 days of records. You can report on the audit records using the seeded report programs.

  • Track page accesses using OAM. Note 402116.1 "Page Access Tracking".
  • Make the necessary configuration in the database listener to restrict connections.

Enable validnode_checking in sqlnet.ora to restrict the servers that can connect to the database:
tcp.validnode_checking = YES
tcp.invited_nodes = ( X.X.X.X, hostname, ... )
-- Note that: the invited servers should be the application servers, the database server and, if needed, some third-party application servers or tools such as Toad (not recommended for production).
These validnode checking settings can also be made through AutoConfig:
if the profile option "SQLNet Access" (FND_SQLNET_ACCESS) is set to "ALLOW_RESTRICTED" at the Site level when AutoConfig is run on the database server, AutoConfig adds the IP restrictions to sqlnet.ora.

  • The listener connection timeout should be configured in listener.ora: CONNECT_TIMEOUT_$ORACLE_SID = 10 (here $ORACLE_SID is the ORACLE_SID, not the listener's name).
  • TNS listener traffic should be encrypted (this requires the Advanced Security Option!).

To enable encryption, in $TNS_ADMIN/sqlnet_ifile.ora:
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, AES192, 3DES168)
SQLNET.CRYPTO_SEED = somelongandrandomstringforyourdeploymentUpTo70characters

Note that: we need to allow both the AES and the triple-DES ciphers, as the OCI and JDBC client-side code differ in their cipher support.

  • The listener should be configured to ask for a password.

Normally the listener uses OS authentication; that is, the user that owns the software can control the listener.
To enable password authentication, simply set s_enable_listener_password to ON and run AutoConfig on the database server.

Set the current listener, then change the password.
LSNRCTL> set current_listener VIS12
Current Listener is VIS12
LSNRCTL> change_password
Old password: -- just hit return
New password: -- new, secure password
Reenter new password: -- new, secure password
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbs01)(PORT=1541)))
Password changed for VIS12
The command completed successfully
LSNRCTL> set password
Password:
The command completed successfully
LSNRCTL> save_config
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbs01)(PORT=1541)))
Saved DBLSNR configuration parameters.
Listener Parameter File /x/db/tech_st/10.2.0/network/admin/VIS12_dbs01/listener.ora
The command completed successfully
This added the following lines to listener.ora:
#----ADDED BY TNSLSNR 13-JAN-2007 11:47:56---
PASSWORDS_VIS12 = D911537D50B15546
#--------------------------------------------

  • Set ADMIN_RESTRICTIONS_<listener>=ON in listener.ora
Alternatively, AutoConfig can set this if you set the AutoConfig variable s_admin_restrictions to ON and run AutoConfig on the database server.
ADMIN_RESTRICTIONS disables runtime changes through lsnrctl, so after enabling it the only way to change the configuration is to edit the listener.ora file.

  • Enable logging in the listener by setting the following parameters in listener.ora:
LOG_STATUS = ON
LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
LOG_FILE_$ORACLE_SID = $ORACLE_SID
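The sqlnet.ora and listener.ora settings discussed above (validnode checking, native encryption, CONNECT_TIMEOUT, the listener password, ADMIN_RESTRICTIONS and logging) can be verified from the file contents. The following is an added example, not from the guide or from AutoConfig: it reads the two files with a small grep/sed helper and prints a FAIL line for each missing or weak setting. It assumes the tcp.invited_nodes list sits on one line (as in the snippet above) and takes the hosts that must be invited as arguments; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: verify the sqlnet.ora / listener.ora hardening described above.

# net_setting FILE KEY_REGEX -> value of the first "KEY = value" line (upper-cased), "" if absent.
# KEY_REGEX is an upper-case ERE; "#" comment lines are ignored.
net_setting() {
  tr 'a-z' 'A-Z' < "$1" | grep -v '^[[:space:]]*#' |
    sed -n -E "s/^[[:space:]]*($2)[[:space:]]*=[[:space:]]*//p" |
    sed 's/[[:space:]]*$//' | head -n 1
}

# check_sqlnet FILE NODE... -> FAIL lines for validnode checking, invited nodes and encryption.
# NODE... are the hosts/IPs (application tier, database tier) that must be in tcp.invited_nodes.
check_sqlnet() {
  local file="$1" invited node up
  shift
  [ "$(net_setting "$file" 'TCP\.VALIDNODE_CHECKING')" = "YES" ] ||
    echo "FAIL sqlnet: tcp.validnode_checking is not YES"
  # "( 10.0.0.5, apps01 )" -> "10.0.0.5,APPS01" (assumes the list is on a single line)
  invited=$(net_setting "$file" 'TCP\.INVITED_NODES' | tr -d '() ')
  for node in "$@"; do
    up=$(printf '%s' "$node" | tr 'a-z' 'A-Z')
    case ",$invited," in
      *",$up,"*) ;;
      *) echo "FAIL sqlnet: required node $node is not in tcp.invited_nodes" ;;
    esac
  done
  # Only REQUIRED refuses unencrypted sessions; ACCEPTED/REQUESTED still allow clear text.
  [ "$(net_setting "$file" 'SQLNET\.ENCRYPTION_SERVER')" = "REQUIRED" ] ||
    echo "FAIL sqlnet: SQLNET.ENCRYPTION_SERVER is not REQUIRED"
}

# check_listener FILE SID -> FAIL lines for admin restrictions, logging, timeout and password.
check_listener() {
  local file="$1" sid
  sid=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
  [ "$(net_setting "$file" 'ADMIN_RESTRICTIONS_[A-Z0-9_]+')" = "ON" ] ||
    echo "FAIL listener: ADMIN_RESTRICTIONS_<listener> is not ON"
  [ "$(net_setting "$file" 'LOG_STATUS')" = "ON" ] ||
    echo "FAIL listener: LOG_STATUS is not ON"
  [ -n "$(net_setting "$file" "CONNECT_TIMEOUT_$sid")" ] ||
    echo "FAIL listener: CONNECT_TIMEOUT_$sid is not set"
  grep -qiE '^[[:space:]]*PASSWORDS_[A-Z0-9_]+[[:space:]]*=' "$file" ||
    echo "FAIL listener: no PASSWORDS_<listener> entry (lsnrctl change_password has not been run)"
}

# Usage: check_net.sh $TNS_ADMIN $ORACLE_SID apps01 db01 ...
if [ $# -ge 2 ]; then
  tns="$1"; sid="$2"; shift 2
  check_sqlnet "$tns/sqlnet.ora" "$@"
  check_listener "$tns/listener.ora" "$sid"
fi
```

Because AutoConfig rewrites sqlnet.ora and listener.ora, run the check after every AutoConfig run, not only after editing the files by hand.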
  • On the client side:

Configure browser settings per note 389422.1. Update the browser with the security enhancements (only up to the supported level).
Turn off autocomplete.
Use password-locked screensavers; lock the screen through a corporate policy.

  • On the network side:

Use a firewall or router to filter out unused ports/services. Block all RPC ports on the router (unless NFS is used across the network).

In /etc/ssh/sshd.conf, limit which users can connect to the machine.
Turn off source routing and filter packets from outside the network that carry a source IP address from inside the network.
Automatically disable OS users that have failed login attempts. Use hard-to-guess OS user passwords and change them on a regular basis.


Okay, that's it. I have tried to show what needs to be done to have a secure EBS R12 environment, writing down the actions that seem necessary even at first sight.
Note that: of course there are extra and/or more advanced security configurations that can be implemented to enhance security.
Please refer to the "Extras for Expert" section of the "Secure Configuration Guide for Oracle E-Business Suite Release 12" for those configurations.
Important Note: WebLogic is a big part of EBS 12.2, so securing WebLogic is essential for a secure EBS environment.
The document "Oracle® Fusion Middleware Securing Oracle WebLogic Server" should be studied for this.
The possible effects on the way EBS operates should be considered before making any changes to WebLogic.
