APPS Blogs

Oracle E-Business Suite 12.2 Web Services Security for Oracle Supplier Network

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Supplier Network (OSN). Do not confuse OSN with the Oracle Social Network (also abbreviated OSN), and when configuring OSN do not confuse the Oracle Transport Agent (OXTA) web services with the Oracle Training Administration (OTA) web services.

To use OSN, you must configure both the url_fw.conf and the url_fw_ws.conf file to open traffic for the XML Gateway to consume the OXTA web services. The OSN documentation in places confuses OXTA and OTA. The risk is that url_fw_ws.conf contains services for both the Oracle Training Administration (OTA) module and for OXTA. Unless both are actually in use, be careful to open only the correct services.

It should also be noted that while OSN uses web services, as of 12.2.5 OSN's web services are NOT shown as deployed in the ISG repository. This is because OSN's functionality is built into the core Oracle E-Business Suite rather than deployed through the Integrated SOA Gateway.

It is very important to note that using OSN with trading partners over the Internet requires opening the E-Business Suite to the Internet. Unfortunately, the documentation does not clearly state that a WAF, ideally the API Gateway, should be placed in front of OSN. Even if OSN is the only web service in use, a WAF is still required to guard that attack surface.

Lastly, the passwords for the various OSN accounts (defined within the OSN GUI forms) need to be complex and rotated regularly. Many clients forget about these accounts.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Guide to PeopleSoft Logging and Auditing - Revised Whitepaper

After discussions at Collaborate 2017 with several PeopleSoft architects we have revised our Guide to PeopleSoft Auditing. The key change is the recommendation NOT to use PeopleSoft's native database auditing and to instead use Oracle Fine Grained Auditing (FGA). FGA comes free with the Enterprise Edition of the Oracle RDBMS and, not only is it easier to implement, it also avoids the performance impact of PeopleSoft's native auditing.

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle Audit Trail Add Program Name

The program name attribute (V$SESSION.PROGRAM) is not passed to Oracle's audit logs by default. It can optionally be included: apply Patch 7023214 on the source database and, after the patch is applied, set the following event (SCOPE=SPFILE means it takes effect at the next restart):

-- Written to the SPFILE only; the database must be restarted for event 28058 to take effect
ALTER SYSTEM SET EVENT = '28058 trace name context forever'
  COMMENT = 'enable program logging in audit trail'
  SCOPE = SPFILE;

The table below summarizes key session attributes (V$SESSION) that are and are not passed to the Oracle audit trails (SYS.AUD$ for traditional auditing, SYS.FGA_LOG$ for Fine Grained Auditing).

Session Attribute (V$SESSION) | Description                                                               | Traditional Auditing (SYS.AUD$) | Fine Grained Auditing (SYS.FGA_LOG$)
----------------------------- | ------------------------------------------------------------------------- | ------------------------------- | ------------------------------------
CLIENT_IDENTIFIER             | End user username                                                         | CLIENTID                        | CLIENTID
CLIENT_INFO                   | Concatenated application log string                                       | Not passed                      | Not passed
MODULE                        | ABAP program, module, application component or service                    | Not passed                      | Not passed
ACTION                        | Business action being executed, page, code event, location within program | Not passed                      | Not passed

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP

Auditing, Oracle Database, Oracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Mobile and Web Services Security Requires Web Application Firewall (WAF)

This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs. The URL Firewall provides the critical function of allowing only those forms and web services that have been both hardened by Oracle and flagged by the client as being used; all other requests are blocked by its default-deny rules. The URL Firewall does not protect against common web attack techniques such as those below. This is what WAFs protect against:

  • Denial of Service (DoS)
    • Flooding, recursive and oversized payloads
  • Injection and Malicious Code
    • XXE, SQLi, logic bombs, malformed content
  • Confidentiality and Integrity
    • Parameter tampering, schema poisoning
  • Reconnaissance Attacks
    • Scanning and registry disclosure
  • Privilege Escalation Attacks
    • Race condition, format string, buffer overflow

Additional protection is required to secure Internet-facing Oracle E-Business Suite web services. Third-party WAFs can certainly be deployed, but Oracle's API Gateway offers a compelling advantage for Oracle E-Business Suite clients. The API Gateway is a separately licensed option and is placed in front of the SOA Server (also a separately licensed option) to defend against the web-service-specific attack techniques identified above.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Web Services Security: Authentication and Authorization

This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than end users are.

Authorization rules for web services are relatively easy to configure because all web services are defined as functions. The Oracle E-Business Suite's function security scheme and rules engine apply equally to GUI forms and to web services. In other words, the table APPLSYS.FND_FORM_FUNCTIONS defines all the forms that users use as well as all web services deployed. Menus are then built referencing these functions, and Oracle E-Business Suite user accounts (APPLSYS.FND_USER) are given responsibilities whose menus contain those functions. These user accounts can belong to staff members or can be generic accounts (e.g. created to support specific web services). Ensuring that only appropriate users and responsibilities can call specific web services is the same critical step as ensuring that only appropriate users can use specific forms.

There are two authentication options for web services: local FND_USER passwords and tokens. Tokens can be SAML send vouchers or E-Business Suite session IDs. Whichever is used, ensure that accounts are not inappropriately over-privileged and that the passwords and tokens are not widely known and/or shared.
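The review question this post raises, "which users can call this web service?", is answered by walking the same function-security chain that governs forms. The following is an added example, not code from the original post or from Oracle: it models FND_USER, FND_USER_RESP_GROUPS, FND_RESPONSIBILITY, FND_MENU_ENTRIES and FND_FORM_FUNCTIONS as in-memory rows (column names follow those tables; the data, user names, function names and the "as of" date are all constructed), expands nested sub-menus, and honours responsibility end dates so that an end-dated grant does not count.

```python
"""Who can call a given E-Business Suite function (form or web service)?

Added example, not from the original post: a model of the function-security
chain FND_USER -> FND_USER_RESP_GROUPS -> FND_RESPONSIBILITY -> menu ->
FND_MENU_ENTRIES (sub-menus and functions) -> FND_FORM_FUNCTIONS, over
constructed in-memory rows. Column names follow those tables; the data is made up.
"""
from datetime import date

TODAY = date(2017, 4, 10)  # constructed "as of" date for effective-date checks

# FND_FORM_FUNCTIONS: function_id -> (function_name, kind). kind is illustrative only.
FND_FORM_FUNCTIONS = {
    101: ("FND_USER_PKG_WS", "WEB SERVICE"),
    102: ("PO_SUPPLIER_INQ", "FORM"),
    103: ("HR_EMPLOYEE_API_WS", "WEB SERVICE"),
}
# FND_MENU_ENTRIES: (menu_id, sub_menu_id, function_id); one of the last two is set
FND_MENU_ENTRIES = [
    (10, 11, None),   # menu 10 includes sub-menu 11
    (10, None, 102),
    (11, None, 101),  # sub-menu 11 grants the user-management web service
    (11, 12, None),
    (12, None, 103),  # nested sub-menu 12 grants the HR web service
    (12, 11, None),   # constructed cycle 12 -> 11, to show the traversal copes
    (20, None, 102),  # inquiry-only menu
]
# FND_RESPONSIBILITY: responsibility_id -> menu_id
FND_RESPONSIBILITY = {1: 10, 2: 20}
# FND_USER_RESP_GROUPS: (user_id, responsibility_id, start_date, end_date)
FND_USER_RESP_GROUPS = [
    (501, 1, date(2016, 1, 1), None),
    (502, 2, date(2016, 1, 1), None),
    (503, 1, date(2015, 1, 1), date(2016, 12, 31)),  # end-dated grant
]
# FND_USER: user_id -> user_name
FND_USER = {501: "WS_INTEGRATION", 502: "CLERK01", 503: "CONTRACTOR_OLD"}


def menu_functions(menu_id, entries=FND_MENU_ENTRIES):
    """Expand a menu recursively into the set of function_ids it exposes.
    seen_menus guards against sub-menu cycles."""
    seen_menus, funcs, stack = set(), set(), [menu_id]
    while stack:
        m = stack.pop()
        if m in seen_menus:
            continue
        seen_menus.add(m)
        for menu, sub, fn in entries:
            if menu != m:
                continue
            if fn is not None:
                funcs.add(fn)
            if sub is not None:
                stack.append(sub)
    return funcs


def active_responsibilities(user_id, as_of=TODAY, grants=FND_USER_RESP_GROUPS):
    """Responsibilities whose start/end dates make them effective on as_of."""
    return {r for u, r, start, end in grants
            if u == user_id and start <= as_of and (end is None or end >= as_of)}


def callers_of(function_name, as_of=TODAY):
    """Sorted user names that can invoke the named function on the given date."""
    target = next(fid for fid, (name, _) in FND_FORM_FUNCTIONS.items()
                  if name == function_name)
    result = []
    for user_id, username in FND_USER.items():
        for resp in active_responsibilities(user_id, as_of):
            if target in menu_functions(FND_RESPONSIBILITY[resp]):
                result.append(username)
                break
    return sorted(result)


if __name__ == "__main__":
    for name, _ in FND_FORM_FUNCTIONS.values():
        print(f"{name}: {callers_of(name)}")
```

Run against real data the same walk is a SQL join over those tables, but the two things the model makes explicit, recursive sub-menu expansion and effective-date filtering, are exactly the steps a hand-written review tends to miss.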

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

E-Business Suite Technology Stack Blog in Migration

Steven Chan - Thu, 2017-04-06 18:05

This blog is being migrated to a new blogging platform (at last!). This is our fifth migration since 2006, so I expect a bit of reorganization of content.  We're going on hiatus for a bit until the dust settles.

Heads up: all comments posted from now to the new blog's appearance will be lost. If you post a comment that's gotten lost in the transition, please re-post when the new blog is up and running.


Categories: APPS Blogs

Oracle Listener Security New ORACLE 12.2 Firewall Feature

Service-level ACLs are a new feature of the 12.2 Listener that allows every database service to have its own ACL. The ACL is based on IP addresses, and because each pluggable database (PDB) registers as its own service in the Listener, this feature lets each PDB in a multitenant database have an ACL enforced by the Listener.

To implement this feature a new parameter, FIREWALL, is used. It has three possible states:

  • (FIREWALL=ON) - Strict ACL validation (whitelist approach) of all connections. If no ACL is configured for a service, all connections to that service are rejected.
  • FIREWALL not set - Mixed mode. If an ACL is configured for a service, it is enforced. If no ACL is defined for a service, all connections to it are accepted.
  • (FIREWALL=OFF) - No validation (no ACLs enforced); all connections are accepted.

For more information refer to: http://docs.oracle.com/database/122/NETAG/configuring-and-administering-oracle-net-listener.htm#NETAG0102
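The three states differ only in how a service with no ACL is treated, which is the case most likely to surprise an administrator moving from mixed mode to FIREWALL=ON. The following added example, not Oracle's code and not from the original post, models the decision the Listener makes for a (service, client IP) pair under each state; the service names and networks are constructed sample data, and the ACL lookup is a plain dictionary rather than the Listener's own store.

```python
"""Model of the 12.2 Listener service-level ACL decision under each FIREWALL state.

Added example, not from the original post and not Oracle's code: it reproduces
the three behaviours described above (FIREWALL=ON, FIREWALL not set, FIREWALL=OFF)
so the "service has no ACL" edge case can be checked before go-live.
"""
import ipaddress

# Constructed sample: ACL per database service (each PDB registers its own service).
SERVICE_ACLS = {
    "hrpdb.example.com": ["10.10.20.0/24", "10.10.21.7"],
    "finpdb.example.com": ["10.10.30.0/24"],
    # "devpdb.example.com" deliberately has no ACL
}


def _ip_in_acl(client_ip, entries):
    """True when client_ip falls inside any host or network entry of the ACL."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def listener_accepts(service, client_ip, firewall=None, acls=SERVICE_ACLS):
    """Return (accepted, reason). firewall is "ON", "OFF" or None (parameter not set)."""
    if firewall == "OFF":
        return True, "FIREWALL=OFF: no ACL validation"
    entries = acls.get(service)
    if entries is None:                      # the edge case that differs per state
        if firewall == "ON":
            return False, f"FIREWALL=ON and no ACL for {service}: reject"
        return True, f"FIREWALL not set and no ACL for {service}: accept"
    if _ip_in_acl(client_ip, entries):
        return True, f"{client_ip} is in the ACL for {service}"
    return False, f"{client_ip} is not in the ACL for {service}"


def services_without_acl(registered_services, acls=SERVICE_ACLS):
    """Services that are wide open in mixed mode and unreachable under FIREWALL=ON:
    either way they need an ACL before the parameter is set to ON."""
    return sorted(s for s in registered_services if s not in acls)


if __name__ == "__main__":
    for state in ("ON", None, "OFF"):
        for svc, ip in (("hrpdb.example.com", "10.10.20.15"),
                        ("hrpdb.example.com", "10.10.99.1"),
                        ("devpdb.example.com", "10.10.20.15")):
            print(f"FIREWALL={state!s:<4} {svc:<20} {ip:<12} -> {listener_accepts(svc, ip, state)}")
```

The useful check is services_without_acl(): run it over the services the Listener actually has registered (lsnrctl services) before switching to FIREWALL=ON, because every service it lists will start rejecting all connections at that moment.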

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Security Strategy and Standards, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle Database Listener Security Guide – Rewritten For Oracle 12.2

In October 2002 Integrigy first posted a guide to securing the Oracle Listener. Since then this whitepaper has been our most popular download. This month we rewrote the whitepaper for Oracle 12c, inclusive of 12.2.

Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. This whitepaper gives an overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it.

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Security Strategy and Standards, Oracle Database
Categories: APPS Blogs, Security Blogs

I’m speaking at Collaborate 17 in Las Vegas

David Haimes - Fri, 2017-03-31 19:22

This year will be my sixth year at Collaborate, according to my recollection I first presented there in 2011 and have only missed one year (2013) since then.  It’s going to be a shorter visit than usual, so apologies if I don’t get to connect with you or attend your session.  Here is where you can find me…

Monday

Two of the most knowledgeable speakers you will see are speaking at the same time, there should be a law against it.  I might shuttle between the two, because I don't want to miss either presentation.

2:45 PM– Jasmine H – Mohan Iyer

How do I know where to use – FAH, FAHRCS or SLA?

2:45 – South Seas I – Thomas Simkiss

Tips and Tricks – Get the most out of Financial Reporting in the Oracle Cloud

4:15 Jasmine H – General Ledger SIG – Always a good knowledgeable crowd.

Tuesday

7am – Morning run

Join myself, Peter Care (@FXLoader) and hopefully quite a few others for as many laps of the Mandalay Bay pool complex as you feel up to.  This is now officially an annual tradition, we ought to get OAUG to put it in the agenda.  Best way to blow away the cobwebs and energize yourself for the day ahead.

8:30am – Keynote –  Glenn Finch, IBM

I have been quietly spending a lot of time around blockchain for some time now, so this got my attention.  If you don’t know about blockchain you should, I’m happy to talk about it at any opportunity.  This excerpt from the description should give you an idea how big it really can be

emerging technologies such as Blockchain, Cognitive and Quantum Computing will do more than change our businesses. They will transform industries and create their own ecosystems

Expect to hear more from me about blockchain as the year goes on.

1:30pm – I’m speaking about @FAHRCS

Come see my session – 1:30 PM–2:30 PM South Seas G

How E-Business Suite Customers have achieved modern reporting in the cloud

2:15pm – Fintech Design Jam

I'm a mentor for this two hour Design Jam run by the Applications UX Innovation Events team.  If you have not registered I'm not sure if there is time now, but if you already are I will see you there.  Our goal is to help the teams tell a story about how they would use Fintech in their work, helping them hone in on a manageable 3 minute story showcasing their design.

5pm – airport… (and breathe).

 


Categories: APPS Blogs

EBS Release 12 certified with Safari 10 and macOS Sierra 10.12

Steven Chan - Fri, 2017-03-31 17:56

Oracle E-Business Suite Release 12 (12.1.3, 12.2.4 or higher) is now certified with macOS Sierra 10.12 with the following desktop configuration:

  • macOS Sierra version 10.12.3 or higher
  • Safari version 10 (10.0.3 or higher)
  • Oracle JRE 8 plugin (1.8.0_121 or higher)

Additionally, Safari 10 on OS X El Capitan 10.11 with the JRE 8 plugin is also now certified. Users should review all relevant information along with other specific patching requirements and known limitations posted here:

Related Articles

Categories: APPS Blogs

Oracle E-Business Suite Mobile and Web Services Security Explained - Starting with URL Firewall

This is the sixth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

How are web services secured in Oracle E-Business Suite 12.2? To start at the beginning, the "front door" of the Oracle E-Business Suite is its web server, the Apache-based Oracle HTTP Server that is installed alongside the WebLogic server with release 12.2. Securing an Apache web server largely means setting various configurations in the Apache configuration file (httpd.conf). For the Oracle E-Business Suite, these critical settings are maintained by Oracle through the AutoConfig utility.

URL Firewall

The most important setting for Internet-facing clients is the include for the Oracle E-Business Suite's URL Firewall. When the URL Firewall is included in httpd.conf, every web request is passed through the URL Firewall, both for forms and for web services. The URL Firewall is a mandatory, non-discretionary requirement when the Oracle E-Business Suite is deployed on the Internet.

HTTPD.CONF include for the URL Firewall

The URL Firewall is a template maintained by Oracle that whitelists those forms (e.g. JSP pages) that Oracle has hardened for use on the Internet. If a JSP is not listed (whitelisted) in the file url_fw.conf, it should NOT be used on the Internet. Be sure to use the latest version of the template, as Oracle periodically updates it.

In the template, Oracle comments out all lines, which effectively "denies all." To use url_fw.conf, DBAs at each client site must manually uncomment ("open") the specific JSP pages appropriate to their site. This opening by the DBAs must be done carefully and reviewed routinely.

Whether url_fw.conf is called or not is determined by the node's trust level. Most large Oracle E-Business Suite implementations have multiple web servers (referred to as nodes). To deploy the Oracle E-Business Suite on the Internet, one or more nodes are deployed in a DMZ. If the web node serving the request has its trust level flagged as "Internal", url_fw.conf is skipped. If the node's trust level is flagged as "External" because it is deployed in the DMZ, url_fw.conf is called.

When called, url_fw.conf applies regular expressions to the web request to determine whether the request BOTH exists in the whitelist AND has been uncommented ("opened") by the DBAs. If no match is found, the default-deny rule applies. In security terms, this means all requests are rejected unless explicitly allowed. If a match is found, the web request continues and the WebLogic server then proceeds with authentication and authorization.

Example of URL FW line uncommented

Enabling and configuring the URL Firewall is the first step in securing web services. Unfortunately, Oracle buries the documentation for the URL Firewall in Appendix E of the DMZ configuration guide; see the reference section of this paper for more information on the documentation.

To secure web services, it gets more complicated in that a second whitelist is appended to the first. To secure Oracle E-Business Suite web services, the url_fw.conf calls the url_fw_ws.conf. Similar to the configuration of the url_fw.conf, the documentation is buried deep in Appendix E of the DMZ configuration guide.

Unlike url_fw.conf, which is supplied as a static listing of JSP pages, url_fw_ws.conf is generated by running a utility (txkGenWebServiceUrlFwConf.pl). After it is generated, DBAs similarly need to manually uncomment only those lines for the web services actually in use. If a web service is not found in the whitelist, the default-deny rule applies: every web service left commented out is denied.

Example of URL FW WS.conf

Errors in selecting a Node’s trust level and configuring either the url_fw.conf and/or the url_fw_ws.conf have serious security consequences and should be routinely reviewed as part of on-going security audits.

Web services can be publicly deployed without using the URL Firewall. For example, clients can, if they so choose, route Internet traffic directly to the E-Business Suite without setting up an External node. Integrigy Corporation highly recommends against doing this, and highly recommends always using the URL Firewall when deployed on the Internet, both for forms and for web services.
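Because the whitelist is "whatever the DBAs have uncommented", the routine review the post calls for amounts to two questions: which lines are open, and what would a given request hit. The following added example, not from the original post and not Oracle's template, parses a url_fw.conf/url_fw_ws.conf-style file and answers both. It models the RewriteRule convention those files use (an uncommented "RewriteRule <regex> - [L]" line allows a request; the trailing "RewriteRule .* - [F]" line forbids everything else) and evaluates rules in order, first enabled match wins, as mod_rewrite does with the [L] and [F] flags. The conf text and the paths in it are constructed for illustration, not copied from Oracle's template.

```python
"""Review a url_fw.conf / url_fw_ws.conf whitelist and simulate its decision.

Added example (not from the original post, not Oracle's template): models the
RewriteRule convention of the E-Business Suite URL Firewall. An uncommented
'RewriteRule <regex> - [L]' allows a request; 'RewriteRule .* - [F]' forbids the
rest. The sample conf text below is constructed for illustration.
"""
import re
from dataclasses import dataclass

SAMPLE_URL_FW_CONF = r"""
# url_fw.conf (constructed sample, not Oracle's template)
RewriteEngine On
RewriteRule ^/OA_HTML/AppsLogin$ - [L]
RewriteRule ^/OA_HTML/AppsLocalLogin\.jsp$ - [L]
#RewriteRule ^/OA_HTML/RF\.jsp$ - [L]
#RewriteRule ^/OA_HTML/jtfcrmchat/.*$ - [L]
# url_fw_ws.conf (constructed) - the web-service whitelist appended to the form whitelist
RewriteRule ^/webservices/SOAProvider/plsql/fnd_user_pkg/$ - [L]
#RewriteRule ^/webservices/SOAProvider/plsql/hr_employee_api/$ - [L]
RewriteRule .* - [F]
""".lstrip("\n")


@dataclass
class Rule:
    lineno: int
    pattern: str
    action: str   # "ALLOW" for [L], "DENY" for [F]
    enabled: bool # False while the template line is still commented out
    nocase: bool  # [NC] flag: case-insensitive match

RULE_RE = re.compile(r"^(#\s*)?RewriteRule\s+(\S+)\s+-\s+\[([A-Z,]+)\]\s*$")


def parse_rules(conf_text):
    """Extract every RewriteRule line, commented or not, with its line number."""
    rules = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        commented, pattern, flags = m.groups()
        flagset = set(flags.split(","))
        action = "DENY" if "F" in flagset else "ALLOW"
        rules.append(Rule(n, pattern, action, commented is None, "NC" in flagset))
    return rules


def evaluate(rules, path):
    """Return (action, lineno) of the first enabled rule matching the URL path.
    A path matching nothing is denied: the firewall is default-deny even if a
    site's file were somehow missing the trailing catch-all."""
    for rule in rules:
        if not rule.enabled:
            continue
        flags = re.IGNORECASE if rule.nocase else 0
        if re.search(rule.pattern, path, flags):
            return rule.action, rule.lineno
    return "DENY", None


def opened_entries(rules):
    """What a reviewer wants first: every whitelist line a DBA has uncommented."""
    return [(r.lineno, r.pattern) for r in rules if r.enabled and r.action == "ALLOW"]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_URL_FW_CONF)
    print("Opened entries:")
    for lineno, pattern in opened_entries(rules):
        print(f"  line {lineno}: {pattern}")
    for path in ("/OA_HTML/AppsLogin", "/OA_HTML/RF.jsp",
                 "/webservices/SOAProvider/plsql/hr_employee_api/"):
        print(f"{path} -> {evaluate(rules, path)}")
```

Point parse_rules() at the real url_fw.conf and url_fw_ws.conf of an External node (concatenated in the order httpd.conf includes them) and the opened_entries() listing is the artefact to sign off in each audit cycle; a diff of that listing between cycles shows exactly what a DBA opened in the meantime.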

URL Firewall called by Node Trust Level

httpd.conf calls the URL Firewall

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Webcast: "Online Patching with EBS 12.2"

Steven Chan - Thu, 2017-03-30 14:19

Oracle University has a wealth of free webcasts for Oracle E-Business Suite.  If you're looking for an overview of how Online Patching works in EBS 12.2, see:

The Online Patching feature of Oracle E-Business Suite 12.2 will reduce your Oracle E-Business Suite patching downtimes to however long it takes to bounce your application server. Kevin Hudson, Senior Director Product Development, details how online patching works, with special attention to what's happening at the database object level when patches are applied to an Oracle E-Business Suite environment that's still running. Learn about the operational and system management implications for minimizing maintenance downtimes when applying Oracle E-Business Suite patches with this new technology and the related impact on customizations you might have built on top of Oracle E-Business Suite. This material was presented at Oracle OpenWorld 2016.

Categories: APPS Blogs

Webcast: "12.2 Technical Upgrade Overview and Process Flow"

Steven Chan - Wed, 2017-03-29 10:08

Oracle University has a wealth of free webcasts for Oracle E-Business Suite.  If you're looking for an overview of how to optimize your EBS 12.2 installation, see:

Udayan Parvate, Senior Director Release Engineering, Quality and Release Management, shares a high level overview of the 12.2 technical upgrade and the sequence of technical steps to follow in the 12.2 upgrade process. This material was presented at Oracle OpenWorld 2015.

Categories: APPS Blogs

Cloning EBS 12.1.3 Environments Integrated with Oracle Access Manager

Steven Chan - Tue, 2017-03-28 02:05

We have documented procedures for cloning EBS 12.1.3 environments.  We also have documented procedures for integrating EBS 12.1.3 environments with Oracle Access Manager (OAM) and Oracle Internet Directory (OID).  The next logical question would be: do we have documented procedures for cloning EBS 12.1.3 environments that have been integrated with OAM and OID?

Yes, we have published this here:

EBS OAM architecture

This Note provides a certified process and detailed steps to:

  • Clone EBS using Rapid Clone
  • Deregister the cloned EBS instance from OAM and remove AccessGate
  • Remove OID from the cloned EBS instance
  • Integrate the cloned EBS instance with OID
  • Integrate the cloned EBS instance with OAM
  • Reconfigure SSL

Related Articles

Categories: APPS Blogs

Webcast: "Oracle E-Business Suite Integration Best Practices"

Steven Chan - Mon, 2017-03-27 14:51

Oracle University has a wealth of free webcasts for Oracle E-Business Suite.  If you're looking for an overview of options for integrating EBS with other applications, see:

Oracle is investing across applications and technologies to make the application integration experience easier for customers. Oracle E-Business Suite provides tools and technologies to address various application integration challenges and styles. Vijay Shanmugam, Director Product Development, shares more about Oracle’s integration offering for cloud, data, event-driven, business-to-business, and process-centric integrations. In this session, you will get a better understanding of what Oracle integration technologies you can use and how, when, and where you can leverage them to connect end-to-end business processes across your enterprise, including the Oracle Applications portfolio in the cloud. This material was presented at Oracle OpenWorld 2016.

Categories: APPS Blogs

Creditcard and Bank Account Decryption No Longer Possible in Oracle E-Business Suite

In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here: Oracle E-Business Suite: Credit Cards and PCI Compliance.

With Release 12 of the Oracle E-Business Suite, Oracle consolidated new functionality to encrypt credit cards and external bank accounts into the new Payments module. Integrigy's recommendation in January 2014 was that if encryption was enabled, the concurrent programs that optionally decrypt credit cards and external bank accounts should also be disabled. Integrigy's rationale was that decryption should only be allowed in a carefully controlled and managed process. End-dating the decryption request set and concurrent programs prevents the decryption programs from being run accidentally or for nefarious purposes, in production but certainly in non-production databases.

Evidently, Oracle is now once again taking a security recommendation from Integrigy by permanently disabling the decryption programs. Per Oracle’s security team, the decryption programs have been disabled. For more information refer to Oracle Support Note 2209450.1, posted December 1, 2016 - "Is It Possible To Decrypt the Bank Accounts Data After Enabling The Encryption Feature."

If you have questions about protecting credit cards and/or external bank accounts in the Oracle E-Business Suite or have questions about this blog post, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Encryption, PCI, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Deploying Oracle E-Business Suite 12.2 SOAP Web Services

This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying SOAP-based web services for the Oracle E-Business Suite is more complicated than for REST. SOAP interfaces are best used to support heavy-duty solutions such as Business-to-Business (B2B) interfaces. To deploy SOAP services for the Oracle E-Business Suite, the Oracle SOA Suite must be licensed and configured. Once the SOA Suite is installed and configured, two (2) WebLogic servers will exist. The first is the original WebLogic server supporting the Oracle E-Business Suite; the second is the WebLogic server supporting the SOA Suite. Integration between the two WebLogic servers is done both through HTTP and through the ISG client. The ISG client is installed on the SOA Suite's WebLogic server and uses Oracle's proprietary T3 protocol to do the majority of the heavy lifting for communication with the E-Business Suite.

When a SOAP service is deployed within the Integrated SOA Gateway forms in the Oracle E-Business Suite, the SOAP Web Services Description Language (WSDL) file defining the web service is generated on the second WebLogic server, the SOA Suite WebLogic server, not the E-Business Suite's WebLogic server. The interaction with B2B business partners using the web service then occurs between the Oracle SOA Suite and the business partner's servers. Ultimately the Oracle E-Business Suite generates or receives the information, but the Oracle E-Business Suite does not directly communicate with the B2B partners.

SOAP Needs a Separate SOA Suite WebLogic Server

Only the SOA Suite communicates with B2B clients

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Reminder: Upgrade BPEL 11.1.1.7 to 11.1.1.9 Before December 2018

Steven Chan - Thu, 2017-03-23 10:48

Oracle Fusion Middleware products get new Patch Set updates.  When a new Patch Set has been released, a 12 month Grace Period for the previous Patch Set begins.  Once that Grace Period ends, no new patches for the previous Patch Set will be released.

For more details, see:

Oracle BPEL Process Manager is part of Oracle SOA Suite 11.1.1.x.  Note 1290894.1 does not have a separate listing for Oracle SOA Suite; it refers to "Oracle Fusion Middleware" (FMW) instead. The references in that document to "FMW" implicitly include SOA Suite.

SOA Suite 11.1.1.7 was released in April 2013.  SOA Suite 11.1.1.9 was released in May 2015, which means that the Grace Period for SOA Suite 11.1.1.7 will end after December 2018. 

All E-Business Suite users running BPEL Process Manager in SOA Suite 11.1.1.7 should upgrade to BPEL Process Manager in SOA Suite 11.1.1.9 to remain under Error Correction Support. SOA Suite 11.1.1.x is covered by Premier Support to December 2018, and covered by Extended Support to December 2021.

Related Articles

Categories: APPS Blogs

Webcast: "Installation, Cloning and Configuration of EBS 12.2"

Steven Chan - Wed, 2017-03-22 10:51

Oracle University has a wealth of free webcasts for Oracle E-Business Suite.  If you're looking for an overview of how to install, clone, and configure EBS 12.2, see:

Max Arderius, Senior Principal Product Manager covers the technology stack for Oracle E-Business Suite 12.2, including the use of Oracle WebLogic Server (Oracle Fusion Middleware 11g) and Oracle Database functionality. Topics include an architectural overview of the latest updates, installation options, configuration options, and new tools for automated cloning. Also learn how Online Patching (based on the Oracle Database Edition-Based Redefinition feature) will reduce your database patching downtimes. This material was presented at OOW 2015.

Categories: APPS Blogs

Using Job Role Separation with ASM and EBS 12.2

Steven Chan - Tue, 2017-03-21 10:45

A job role separation configuration of Oracle Database and Oracle Automatic Storage Management (ASM) is a configuration with groups and users to provide separate groups for operating system authentication.

This is now a certified option for E-Business Suite 12.2 environments. The EBS Rapid Install now supports the use of job role separation to manage operating system permissions for ASM, Oracle Grid Infrastructure, and Oracle software installations.

Job Role separation table for ASM in EBS environments

The following guides have been updated to reflect this newly-certified configuration option:

Related Articles


Categories: APPS Blogs
