APPS Blogs

April 2017 Updates to AD and TXK for EBS 12.2

Steven Chan - Tue, 2017-05-02 02:00

We have been fine-tuning the administration tools for E-Business Suite 12.2 via a series of regular updates to the Applications DBA (AD) and EBS Technology Stack (TXK) components:

We have now made available an eleventh set of critical updates to AD and TXK. We strongly recommend that you apply these new AD and TXK updates at your earliest convenience:

They must be individually downloaded from My Oracle Support, as shown by this example for AD:

Refer to the following My Oracle Support knowledge document for full installation instructions and associated tasks:

What's New in this Patchset?

This patchset includes a large number of critical fixes for stability issues that will affect all customers.  It also includes the following new features:

Related Articles

Categories: APPS Blogs

Reminder: Sign E-Business Suite JAR Files

Steven Chan - Mon, 2017-05-01 02:00

Oracle disabled MD5 signed JARs in the April 2017 Critical Patch Update.  JAR files signed with MD5 algorithms will be treated as unsigned JARs.

Does this affect EBS environments?

Yes. This applies to Java 6, 7, and 8 used in EBS 12.1 and 12.2.  Oracle E-Business Suite uses Java, notably for running Forms-based content via the Java Runtime Environment (JRE) browser plug-in.  Java-based content is delivered in JAR files.  Customers must sign E-Business Suite JAR files with a code signing certificate from a trusted Certificate Authority (CA). 

A code signing certificate from a trusted CA is required to sign your Java content securely. It allows you to deliver signed code (e.g. JAR files) from your server to users' desktops, verifies you as the publisher and trusted provider of that code, and verifies that the code has not been altered. A single code signing certificate allows you to verify any amount of code across multiple EBS environments. This is a different type of certificate from the commonly used SSL certificate, which is used to authorize a server on a per-environment basis. You cannot use an SSL certificate to sign JAR files.
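To find the JAR files this change affects before users hit the "unsigned" behaviour, the digest attribute names in each signature file under META-INF can be inventoried. The following is an added example, not Oracle's tooling or part of the original post: the function names, the status labels and the sample JARs are constructed here, and it inspects only the `.SF` digest attributes, not the signature algorithm inside the `.RSA`/`.DSA` block.

```python
import io
import re
import zipfile

# MD5 is the algorithm the post names; MD2 is included as an assumption of this example.
WEAK_DIGESTS = {"MD5", "MD2"}
SF_NAME = re.compile(r"^META-INF/[^/]+\.SF$", re.IGNORECASE)
# Matches e.g. MD5-Digest, SHA-256-Digest-Manifest, SHA1-Digest-Manifest-Main-Attributes
DIGEST_ATTR = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?$", re.IGNORECASE
)


def unfold(text):
    """Join manifest continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def digest_algorithms(sf_text):
    """Return the set of digest algorithm names used in one signature file."""
    algs = set()
    for line in unfold(sf_text):
        name, sep, _value = line.partition(":")
        if not sep:
            continue
        match = DIGEST_ATTR.match(name.strip())
        if match:
            algs.add(match.group(1).upper())
    return algs


def audit_jar(jar_bytes):
    """Classify a JAR by the digests its signature files use.

    Returns (status, {signature_file: [algorithms]}) where status is:
      unsigned  - no META-INF/*.SF present
      weak-only - every signer relies solely on MD5/MD2 digests (re-sign)
      review    - a signer mixes weak and other digests, or lists none
      ok        - no weak digest names found
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        report = {
            name: sorted(digest_algorithms(jar.read(name).decode("utf-8", "replace")))
            for name in jar.namelist()
            if SF_NAME.match(name)
        }
    if not report:
        return "unsigned", report
    if all(a and set(a) <= WEAK_DIGESTS for a in report.values()):
        return "weak-only", report
    if any(not a or set(a) & WEAK_DIGESTS for a in report.values()):
        return "review", report
    return "ok", report


def sample_sf(*algs):
    """Constructed signature-file text; digest values are placeholders."""
    lines = ["Signature-Version: 1.0"]
    lines += [f"{a}-Digest-Manifest: Y29uc3RydWN0ZWQ=" for a in algs]
    lines += ["", "Name: oracle/apps/Example.class"]
    # The digest value is folded onto a continuation line on purpose.
    lines += [f"{a}-Digest: Y29uc3Ry\r\n dWN0ZWQ=" for a in algs]
    return "\r\n".join(lines) + "\r\n"


def build_sample_jar(sf_text):
    """Constructed in-memory JAR; it is not validly signed, only shaped like one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        jar.writestr("oracle/apps/Example.class", b"constructed")
        if sf_text is not None:
            jar.writestr("META-INF/SAMPLE.SF", sf_text)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sf in [
        ("md5", sample_sf("MD5")),
        ("mixed", sample_sf("MD5", "SHA-256")),
        ("sha256", sample_sf("SHA-256")),
        ("none", None),
    ]:
        print(label, audit_jar(build_sample_jar(sf)))
```

To audit real files, pass the bytes of each JAR to `audit_jar` and re-sign anything reported as `weak-only` following the signing instructions referenced in this post.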

Instructions on how to sign EBS JARs are published here:

Where can I get more information?

Oracle's plans for changes to the security algorithms and associated policies/settings in the Oracle Java Runtime Environment (JRE) and Java SE Development Kit (JDK) are published here:

More information about Java security is available here:

Getting help

If you have questions about Java Security, please log a Service Request with Java Support.

If you need assistance with the steps for signing EBS JAR files, please log a Service Request against the "Oracle Applications Technology Stack (TXK)" > "Java."

Related Articles

Categories: APPS Blogs

Critical Patch Update for April 2017 Now Available

Steven Chan - Fri, 2017-04-28 10:59

The Critical Patch Update (CPU) for April 2017 was released on April 18, 2017. Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. 

Supported products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied.

The Critical Patch Update Advisory is available at the following location:

It is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches.

The next four Critical Patch Update release dates are:

  • July 18, 2017
  • October 17, 2017
  • January 16, 2018
  • April 17, 2018
References Related Articles
Categories: APPS Blogs

Oracle E-Business Suite 12.2 Mobile Application Security

This is the tenth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Oracle Corporation has been building out Mobile and Smartphone applications for the Oracle E-Business Suite for a number of releases. Before release 12.2.5, this functionality was designed only for deployment through a corporate VPN, not through an Oracle E-Business Suite external node over the Internet (e.g. a server in a DMZ).

With release 12.2.5, external node deployment for Mobile applications is now an option. 12.2.5 bundles Oracle Mobile v4 and uses the E-Business Suite's WebLogic server.  Specifically, 12.2.5 deploys the Oracle Mobile v4 REST services through the OAFM WebLogic application.  In other words, with 12.2.5, Smartphone applications can now be deployed over the Internet without a SOA Server or a separate WebLogic server.

Oracle Mobile Using Native EBS REST

To secure version 12.2.5 Oracle E-Business Suite Mobile applications, Oracle Mobile Security Services (OMSS) is used.  Check with your Oracle sales representative whether OMSS is separately licensed. OMSS provides critical URL shortening as well as white/blacklisting and other functionality specific to deploying Oracle Mobile applications. OMSS must be properly configured and is placed in front of OAFM.

OMSS in-line before OAFM

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Webcast: "Personalizing the Oracle E-Business Suite: The Next Generation"

Steven Chan - Thu, 2017-04-27 13:15

Oracle University has a wealth of free webcasts for Oracle E-Business Suite.  If you're looking for an overview of how to personalize EBS 12.2, see:

Senthilkumar Ramalingam, Group Manager Product Development, discusses the new Release 12.2 Administrator Personalization Workbench that allows you to quickly and easily personalize Oracle Application Framework (OAF) applications. The new Personalization Workbench provides an intuitive, WYSIWYG personalization experience and offers rich interactivity like select-and-edit and drag-and-drop to perform a wide range of personalizations on a page. Learn about new OAF end user personalization capabilities for optimizing the experience on iOS or Android tablets. Leverage new gesture support and tablet-optimized components in your customizations and extensions. See how to use the Oracle E-Business Suite Developer VM on Oracle Cloud to develop personalizations and extensions. This material was presented at Oracle OpenWorld 2016.

Categories: APPS Blogs

JRE 1.6.0_151 Certified with Oracle E-Business Suite 12.1 and 12.2

Steven Chan - Wed, 2017-04-26 12:01

The latest Java Runtime Environment 1.6.0_151 (a.k.a. JRE 6u151-b10) and later updates on the JRE 6 codeline are now certified with Oracle E-Business Suite Release 12.1 and 12.2 for Windows-based desktop clients.

All JRE 6, 7, and 8 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops:

  • From JRE 1.6.0_03 and later updates on the JRE 6 codeline
  • From JRE 1.7.0_10 and later updates on the JRE 7 codeline 
  • From JRE 1.8.0_25 and later updates on the JRE 8 codeline

We test all new JRE releases in parallel with the JRE development process, so all new JRE releases are considered certified with the E-Business Suite on the same day that they're released by our Java team.

You do not need to wait for a certification announcement before applying new JRE 6, 7, or 8 releases to your EBS users' desktops.

Effects of new support dates on Java upgrades for EBS environments

Support dates for the E-Business Suite and Java have changed.  Please review the sections below for more details:

  • What does this mean for Oracle E-Business Suite users?
  • Will EBS users be forced to upgrade to JRE 7 for Windows desktop clients?
  • Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

New EBS installation scripts

This JRE release is the first with a 3-digit Java version. Installing this in your EBS 11i and 12.x environments will require new installation scripts.  See the documentation listed in the 'References' section for more detail.

32-bit and 64-bit versions certified

This certification includes both the 32-bit and 64-bit JRE versions for various Windows operating systems. See the respective Deploying JRE documentation for your EBS release for details.

Implications of Java 6 End of Public Updates for EBS Users

The Support Roadmap for Oracle Java is published here:

The latest updates to that page (as of Sept. 19, 2012) state:

Java SE 6 End of Public Updates Notice

After February 2013, Oracle will no longer post updates of Java SE 6 to its public download sites. Existing Java SE 6 downloads already posted as of February 2013 will remain accessible in the Java Archive on Oracle Technology Network. Developers and end-users are encouraged to update to more recent Java SE versions that remain available for public download. For enterprise customers, who need continued access to critical bug fixes and security fixes as well as general maintenance for Java SE 6 or older versions, long term support is available through Oracle Java SE Support.

What does this mean for Oracle E-Business Suite users?

EBS users fall under the category of "enterprise users" above. Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 6 updates from February 2013 to the end of Java SE 6 Extended Support in June 2017.

In other words, nothing changes for EBS users after February 2013. 

EBS users will continue to receive critical bug fixes and security fixes as well as general maintenance for Java SE 6 until the end of Java SE 6 Extended Support in June 2017. 

How can EBS customers obtain Java 6 updates after the public end-of-life?

Java 6 is now available only via My Oracle Support for E-Business Suite users.  You can find links to this release, including Release Notes, documentation, and the actual Java downloads here:

Both JDK and JRE packages are contained in a single combined download after 6u45.  Download the "JDK" package for both the desktop client JRE and the server-side JDK package.

Coexistence of multiple JRE releases on Windows desktops

The upgrade to JRE 8 is recommended for EBS users, but some users may need to run older versions of JRE 6 or 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 8 will be invoked instead of earlier JRE releases if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

What do Mac users need?

Mac users running Mac OS X 10.10 (Yosemite) can run JRE 7 or 8 plug-ins.  See:

Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

JRE is used for desktop clients.  JDK is used for application tier servers.

JDK upgrades for E-Business Suite application tier servers are highly recommended but currently remain optional while Java 6 is covered by Extended Support. Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JDK 6 for application tier servers. 

Java SE 6 is covered by Extended Support until June 2017.  All EBS customers with application tier servers on Windows, Solaris, and Linux must upgrade to JDK 7 by June 2017. EBS customers running their application tier servers on other operating systems should check with their respective vendors for the support dates for those platforms.

JDK 7 is certified with E-Business Suite 12 servers.  See:

References

Related Articles
Categories: APPS Blogs

JRE 1.7.0_141 Certified with Oracle E-Business Suite 12.1 and 12.2

Steven Chan - Wed, 2017-04-26 11:52

Java Runtime Environment 1.7.0_141 (a.k.a. JRE 7u141-b11) and later updates on the JRE 7 codeline are now certified with Oracle E-Business Suite Release 12.1 and 12.2 for Windows-based desktop clients.

All JRE 6, 7, and 8 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops:

  • From JRE 1.6.0_03 and later updates on the JRE 6 codeline
  • From JRE 1.7.0_10 and later updates on the JRE 7 codeline 
  • From JRE 1.8.0_25 and later updates on the JRE 8 codeline

We test all new JRE releases in parallel with the JRE development process, so all new JRE releases are considered certified with the E-Business Suite on the same day that they're released by our Java team.

You do not need to wait for a certification announcement before applying new JRE 6, 7, or 8 releases to your EBS users' desktops.

Effects of new support dates on Java upgrades for EBS environments

Support dates for the E-Business Suite and Java have changed.  Please review the sections below for more details:

  • What does this mean for Oracle E-Business Suite users?
  • Will EBS users be forced to upgrade to JRE 7 for Windows desktop clients?
  • Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

32-bit and 64-bit versions certified

This certification includes both the 32-bit and 64-bit JRE versions for various Windows operating systems. See the respective Recommended Browser documentation for your EBS release for details.

Where are the official patch requirements documented?

EBS + Discoverer 11g Users

This JRE release is certified for Discoverer 11g in E-Business Suite environments with the following minimum requirements:

JRE 7 End of Public Updates

The JRE 7u79 release was the last JRE 7 update available to the general public. Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 7 updates until the end of Java SE 7 Premier Support at the end of July 2016.

How can EBS customers obtain Java 7 updates after the public end-of-life?

EBS customers can download Java 7 patches from My Oracle Support.  For a complete list of all Java SE patch numbers, see:

Both JDK and JRE packages are now contained in a single combined download.  Download the "JDK" package for both the desktop client JRE and the server-side JDK package. 

Coexistence of multiple JRE releases on Windows desktops

The upgrade to JRE 8 is recommended for EBS users, but some users may need to run older versions of JRE 6 or 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 8 will be invoked instead of earlier JRE releases if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

Java Auto-Update Mechanism

With the release of the January 2015 Critical Patch Updates, the Java Auto-Update Mechanism will automatically update JRE 7 plug-ins to JRE 8.

What do Mac users need?

Mac users running Mac OS X 10.7 (Lion), 10.8 (Mountain Lion), 10.9 (Mavericks), and 10.10 (Yosemite) can run JRE 7 or 8 plug-ins.  See:

Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

JRE is used for desktop clients.  JDK is used for application tier servers.

JDK upgrades for E-Business Suite application tier servers are highly recommended but currently remain optional while Java 6 is covered by Extended Support. Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JDK 6 for application tier servers. 

Java SE 6 is covered by Extended Support until June 2017.  All EBS customers with application tier servers on Windows, Solaris, and Linux must upgrade to JDK 7 by June 2017. EBS customers running their application tier servers on other operating systems should check with their respective vendors for the support dates for those platforms.

JDK 7 is certified with E-Business Suite 12.  See:

Known Issues

When using Internet Explorer, JRE 1.7.0_01 had a delay of around 20 seconds before the applet started to load. This issue is fixed in JRE 1.7.0_95.

References

Related Articles
Categories: APPS Blogs

JRE 1.8.0_131 Certified with Oracle EBS 12.1 and 12.2

Steven Chan - Wed, 2017-04-26 11:46

Java Runtime Environment 1.8.0_131 (a.k.a. JRE 8u131-b11) and later updates on the JRE 8 codeline are now certified with Oracle E-Business Suite 12.1 and 12.2 for Windows clients.

Java Web Start is now certified with EBS 12.1 and 12.2 for Windows clients.  This JRE release may be run with either the Java plug-in or Java Web Start.

All JRE 6, 7, and 8 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops:

  • From JRE 1.6.0_03 and later updates on the JRE 6 codeline
  • From JRE 1.7.0_10 and later updates on the JRE 7 codeline 
  • From JRE 1.8.0_25 and later updates on the JRE 8 codeline

We test all new JRE releases in parallel with the JRE development process, so all new JRE releases are considered certified with the E-Business Suite on the same day that they're released by our Java team.

You do not need to wait for a certification announcement before applying new JRE 6, 7, or 8 releases to your EBS users' desktops.

32-bit and 64-bit versions certified

This certification includes both the 32-bit and 64-bit JRE versions for various Windows operating systems. See the respective Recommended Browser documentation for your EBS release for details.

Where are the official patch requirements documented?

All patches required for ensuring full compatibility of the E-Business Suite with JRE 8 are documented in these Notes:

For EBS 12.1 & 12.2

EBS + Discoverer 11g Users

This JRE release is certified for Discoverer 11g in E-Business Suite environments with the following minimum requirements:

Implications of Java 6 and 7 End of Public Updates for EBS Users

The Oracle Java SE Support Roadmap and Oracle Lifetime Support Policy for Oracle Fusion Middleware documents explain the dates and policies governing Oracle's Java Support.  The client-side Java technology (Java Runtime Environment / JRE) is now referred to as Java SE Deployment Technology in these documents.

Starting with Java 7, Extended Support is not available for Java SE Deployment Technology.  It is more important than ever for you to stay current with new JRE versions.

If you are currently running JRE 6 on your EBS desktops:

  • You can continue to do so until the end of Java SE 6 Deployment Technology Extended Support in June 2017
  • You can obtain JRE 6 updates from My Oracle Support.  See:

If you are currently running JRE 7 on your EBS desktops:

  • You can continue to do so until the end of Java SE 7 Deployment Technology Premier Support in July 2016
  • You can obtain JRE 7 updates from My Oracle Support.  See:

If you are currently running JRE 8 on your EBS desktops:

Will EBS users be forced to upgrade to JRE 8 for Windows desktop clients?

No.

This upgrade is highly recommended but remains optional while Java 6 and 7 are covered by Extended Support. Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JRE 6 and 7 desktop clients. Note that there are different impacts of enabling JRE Auto-Update depending on your current JRE release installed, despite the availability of ongoing support for JRE 6 and 7 for EBS customers; see the next section below.

Impact of enabling JRE Auto-Update

Java Auto-Update is a feature that keeps desktops up-to-date with the latest Java release.  The Java Auto-Update feature connects to java.com at a scheduled time and checks to see if there is an update available.

Enabling the JRE Auto-Update feature on desktops with JRE 6 installed will have no effect.

With the release of the January Critical Patch Updates, the Java Auto-Update Mechanism will automatically update JRE 7 plug-ins to JRE 8.

Enabling the JRE Auto-Update feature on desktops with JRE 8 installed will apply JRE 8 updates.

Coexistence of multiple JRE releases on Windows desktops

The upgrade to JRE 8 is recommended for EBS users, but some users may need to run older versions of JRE 6 or 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 8 will be invoked instead of earlier JRE releases if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

What do Mac users need?

JRE 8 is certified for Mac OS X 10.8 (Mountain Lion), 10.9 (Mavericks), 10.10 (Yosemite), and 10.11 (El Capitan) desktops.  For details, see:

Will EBS users be forced to upgrade to JDK 8 for EBS application tier servers?

No.

JRE is used for desktop clients.  JDK is used for application tier servers.

JRE 8 desktop clients can connect to EBS environments running JDK 6 or 7.

JDK 8 is not certified with the E-Business Suite.  EBS customers should continue to run EBS servers on JDK 6 or 7.

Known Issues

Internet Explorer Performance Issue

Launching JRE 1.8.0_73 through Internet Explorer will have a delay of around 20 seconds before the applet starts to load (Java Console will come up if enabled).

This issue is fixed in JRE 1.8.0_74.  Internet Explorer users are advised to move to this version of JRE 8.

Form Focus Issue

Clicking outside the frame during forms launch may cause a loss of focus when running with JRE 8 and can occur in all Oracle E-Business Suite releases. To fix this issue, apply the following patch:

References

Related Articles
Categories: APPS Blogs

JRE 1.7.0_141 Certified with Oracle E-Business Suite 12.1 and 12.2

Steven Chan - Wed, 2017-04-26 02:00

Java Runtime Environment 1.7.0_141 (a.k.a. JRE 7u141-b11) and later updates on the JRE 7 codeline are now certified with Oracle E-Business Suite Release 12.1 and 12.2 for Windows-based desktop clients.

All JRE 6, 7, and 8 releases are certified with EBS upon release

Our standard policy is that all E-Business Suite customers can apply all JRE updates to end-user desktops:

  • From JRE 1.6.0_03 and later updates on the JRE 6 codeline
  • From JRE 1.7.0_10 and later updates on the JRE 7 codeline 
  • From JRE 1.8.0_25 and later updates on the JRE 8 codeline

We test all new JRE releases in parallel with the JRE development process, so all new JRE releases are considered certified with the E-Business Suite on the same day that they're released by our Java team.

You do not need to wait for a certification announcement before applying new JRE 6, 7, or 8 releases to your EBS users' desktops.

Effects of new support dates on Java upgrades for EBS environments

Support dates for the E-Business Suite and Java have changed.  Please review the sections below for more details:

  • What does this mean for Oracle E-Business Suite users?
  • Will EBS users be forced to upgrade to JRE 7 for Windows desktop clients?
  • Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

32-bit and 64-bit versions certified

This certification includes both the 32-bit and 64-bit JRE versions for various Windows operating systems. See the respective Recommended Browser documentation for your EBS release for details.

Where are the official patch requirements documented?

EBS + Discoverer 11g Users

This JRE release is certified for Discoverer 11g in E-Business Suite environments with the following minimum requirements:

JRE 7 End of Public Updates

The JRE 7u79 release was the last JRE 7 update available to the general public. Java is an integral part of the Oracle E-Business Suite technology stack, so EBS users will continue to receive Java SE 7 updates until the end of Java SE 7 Premier Support at the end of July 2016.

How can EBS customers obtain Java 7 updates after the public end-of-life?

EBS customers can download Java 7 patches from My Oracle Support.  For a complete list of all Java SE patch numbers, see:

Both JDK and JRE packages are now contained in a single combined download.  Download the "JDK" package for both the desktop client JRE and the server-side JDK package. 

Coexistence of multiple JRE releases on Windows desktops

The upgrade to JRE 8 is recommended for EBS users, but some users may need to run older versions of JRE 6 or 7 on their Windows desktops for reasons unrelated to the E-Business Suite.

Most EBS configurations with IE and Firefox use non-static versioning by default. JRE 8 will be invoked instead of earlier JRE releases if both are installed on a Windows desktop. For more details, see "Appendix B: Static vs. Non-static Versioning and Set Up Options" in Notes 290807.1 and 393931.1.

Java Auto-Update Mechanism

With the release of the January 2015 Critical Patch Updates, the Java Auto-Update Mechanism will automatically update JRE 7 plug-ins to JRE 8.

What do Mac users need?

Mac users running Mac OS X 10.7 (Lion), 10.8 (Mountain Lion), 10.9 (Mavericks), and 10.10 (Yosemite) can run JRE 7 or 8 plug-ins.  See:

Will EBS users be forced to upgrade to JDK 7 for EBS application tier servers?

JRE is used for desktop clients.  JDK is used for application tier servers.

JDK upgrades for E-Business Suite application tier servers are highly recommended but currently remain optional while Java 6 is covered by Extended Support. Updates will be delivered via My Oracle Support, where you can continue to receive critical bug fixes and security fixes as well as general maintenance for JDK 6 for application tier servers. 

Java SE 6 is covered by Extended Support until June 2017.  All EBS customers with application tier servers on Windows, Solaris, and Linux must upgrade to JDK 7 by June 2017. EBS customers running their application tier servers on other operating systems should check with their respective vendors for the support dates for those platforms.

JDK 7 is certified with E-Business Suite 12.  See:

Known Issues

When using Internet Explorer, JRE 1.7.0_01 had a delay of around 20 seconds before the applet started to load. This issue is fixed in JRE 1.7.0_95.

References

Related Articles
Categories: APPS Blogs

Oracle Unified Auditing Performance Issues and 12.2 Improvements

For those of you using or considering Unified Auditing, in case you missed it, Oracle has made significant changes to Unified Auditing in 12.2. Unified Auditing, new in Oracle 12c, represents a complete rewrite of how native database auditing works - see the links below for Integrigy research on Unified Auditing.

With Oracle 12.1, when using Unified Auditing, reads of the UNIFIED_AUDIT_TRAIL view were not performant. With Oracle 12.2, a new relational partitioned table (AUDSYS.AUD$UNIFIED) is created to solve the performance issue, and a patch (22782757) has been issued to backport the fix to 12.1.

For 12.1 clients using Unified Auditing, the patch and/or the workaround should be a high priority consideration.

Thank you to Mark Dietrich for pointing out the 12.1 patch.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
 
Auditing, Oracle Database
Categories: APPS Blogs, Security Blogs

Java Web Start Now Available for EBS 12.1 and 12.2

Steven Chan - Mon, 2017-04-24 12:20

Java Web Start (JWS) is now available for Oracle E-Business Suite 12.1 and 12.2:

What is Java Web Start?

Java Web Start launches E-Business Suite Java-based functionality as Java Web Start applications instead of as applets.  Java Web Start is part of the Java Runtime Environment (JRE).

Does EBS use Java on desktop clients?

Yes.  The E-Business Suite requires Oracle Forms.  Oracle Forms requires Java. 

Other EBS products also have functionality that requires Java.

What is the new approach with Java Web Start?

It's not technically "new" (it is a mature Java technology originally released in 2004), but we're using it for the first time with the E-Business Suite.  This approach launches EBS Forms-based screens and other functionality as Java Web Start applications instead of as applets.

What prerequisites are needed for Java Web Start?

Oracle E-Business Suite Release | Minimum JRE Release
12.2 | JRE 8 Update 121 b33
12.1.3 | JRE 8 Update 121 b33

A small number of server-side patches for Forms and EBS are needed. See:

Why is this important?

Until now, E-Business Suite's Java-based content required a browser that supports Netscape Plug-in Application Programming Interface (NPAPI) plug-ins.

Some browsers are phasing out NPAPI plug-in support.  Some browsers were released without NPAPI plug-in support.  This prevents the Java plug-in from working.

With the release of Java Web Start, E-Business Suite 12.1 and 12.2 users can launch Java-based content (e.g. Oracle Forms) from browsers that do not support Java plug-ins via NPAPI.  Java Web Start in EBS works with:

  • Microsoft Internet Explorer
  • Microsoft Edge
  • Firefox Rapid Release (32-bit and 64-bit)
  • Firefox Extended Support Release (32-bit and 64-bit)
  • Google Chrome

How does the technology architecture change?

Java Web Start changes the way that Java runs on end-users' computers but this technical change is generally invisible to end-users.

Java Web Start applications are launched from browsers using the Java Network Launching Protocol (JNLP).

E-Business Suite Java Web Start architecture diagram

Will the end-user's experience change?

Generally not. We have worked hard to ensure that your end-users' experience with Java Web Start applications is as similar as possible to applets via the Java browser plugin.  The differences between the Java Plug-in and Java Web Start are expected to be almost-invisible to end-users.

Will E-Business Suite still require Java in the future?

Yes.  It is expected that our ongoing use of Oracle Forms for high-volume professional users of the E-Business Suite means that EBS will continue to require Java.  We replicate, simplify, or migrate selected Forms-based flows to OA Framework-based (i.e. web-based HTML) equivalents with every EBS update, but Oracle Forms is expected to continue to be part of the E-Business Suite technology stack for the foreseeable future. 

Does the E-Business Suite have other Java applet dependencies?

Yes.  In addition to Oracle Forms, various E-Business Suite products have functionality that runs as Java applets.  These Java applets require browsers that offer plugin support.  The products with applets include:

  • Oracle General Ledger (GL): Account Hierarchy Manager
  • Oracle Customers Online (IMC): Party Relationships
  • Oracle Call Center Technology (CCT)
  • Oracle Sourcing (PON): Auction Monitor
  • Oracle Installed Base (CSI): Visualizer
  • Oracle Process Manufacturing (OPM): Recipe Designer
  • Oracle Advanced Supply Chain Planning (MSC): Plan Editor (PS/SNO)
  • Workflow (WF): Status Diagram, Notification Signing with Digital Signatures
  • Scripting (IES): Script Author

What is the roadmap for browser support for plug-ins?

Plug-in support has various names, including:

This article will simply use the term "plug-in support," which refers to all of the different types listed above.

Some browsers are phasing out plug-in support. Some browsers were never released with plug-in support.

Some organizations may wish to use browsers that do not offer plugin support.  The Java Web Start approach works with all browsers, regardless of whether they have plugin support. 

What is the roadmap for Java's support for plug-ins?

The Java team recently published their plans for removing the Java browser plugin in a future version of Java. The announcement states (highlighted for emphasis):

Oracle plans to deprecate the Java browser plugin in JDK 9. This technology will be removed from the Oracle JDK and JRE in a future Java SE release.

What does "deprecate" mean?

In this context, "deprecate" means there will still be a Java Plug-in in JRE 9.

In other words, JRE 9 will include the Java Browser Plug-in and Java Web Start.  Users will still be able to run Java-based applications using the Java Plug-in and Java Web Start in JRE 9.

What does this mean for E-Business Suite users running the Java Plug-in with JRE 9?

The release of Java 9 is not expected to affect E-Business Suite users.

JRE 9 is expected to continue to work with the E-Business Suite in browsers that support the Java Browser Plug-in via the NPAPI protocol.

JRE 9 is expected to work with the E-Business Suite in browsers that support Java Web Start.

What browsers are expected to support the JRE 9 plug-in?

Internet Explorer, Firefox ESR 32-bit, and Safari are expected to continue to support NPAPI -- and, therefore, Java and Forms.

Firefox Rapid Release, Firefox ESR 64-bit, Google Chrome, and Microsoft Edge do not support NPAPI, so Java-based apps cannot run in those browsers using the Java Plug-in.  EBS users can run Java-based content using Java Web Start with JRE 9.

What are the timelines for browsers' plugin support?

Individual browser vendors have been updating their plans regularly.  Here's a snapshot of what some browser vendors have stated as of today:

Microsoft Internet Explorer (IE)

Microsoft has indicated that they intend to continue to offer plug-in support in IE.

Microsoft Edge

Microsoft Edge was released in Windows 10 without Browser Helper Object (BHO, aka. plugin) support.  Microsoft has no plans to add plugin support to Edge.

Mozilla Firefox Extended Support Release (ESR)

Mozilla indicated in early 2016 that Firefox ESR 52 32-bit will be the last version to offer NPAPI (and JRE) support.  Firefox ESR 52 32-bit was released in March 2017 and will be supported until May 2018. 

Mozilla removed NPAPI support from Firefox ESR 52 64-bit in March 2017.  

Mozilla Firefox Rapid Release

Mozilla removed NPAPI support from the Firefox 52 Rapid Release version in March 2017. 

Apple Safari for macOS

Safari offers Internet plug-in support for macOS users.  Apple has not made any statements about deprecating plugin support for macOS users.

Google Chrome for Windows

Chrome offered support for plugins until version 45, released in September 2015.  They removed NPAPI support in later Chrome releases.

Will I need to change browsers for EBS 12.1 or 12.2?

Not generally, but it depends on your choice of browsers and whether you wish to use Java Plug-in or Java Web Start.

Here's the compatibility matrix for EBS 12.1 and 12.2 certified combinations:

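| Browser                                 | Java Plug-In | Java Web Start |
|-----------------------------------------|--------------|----------------|
| Microsoft Internet Explorer             | Yes          | Yes            |
| Microsoft Edge                          |              | Yes            |
| Firefox Rapid Release 32-bit            |              | See Note 1     |
| Firefox Rapid Release 64-bit            |              | See Note 1     |
| Firefox Extended Support Release 32-bit | Yes          | Yes            |
| Firefox Extended Support Release 64-bit |              | Yes            |
| Google Chrome                           |              | Yes            |
| Safari on macOS                         | Yes          | See Note 2     |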

Note 1: Expected to work but not tested.

New personal versions of Firefox on the Rapid Release channel are released roughly every six weeks.  It is impractical for us to certify these new personal Rapid Release versions of Firefox with the Oracle E-Business Suite because a given Firefox release is generally obsolete by the time we complete the certification.

From Firefox 10 and onwards, Oracle E-Business Suite is certified only with selected Firefox Extended Support Release versions. Oracle has no current plans to certify new Firefox personal releases on the Rapid Release channel with the E-Business Suite.

Note 2: Not certified.

Apple changed the Gatekeeper permissions in macOS Sierra 10.12.  These changes prevent JNLP execution, making the Java Web Start user experience very challenging.  We are investigating options right now. 

Will Oracle release its own browser for the E-Business Suite?

No.  Long-time Oracle users may remember the Oracle PowerBrowser. The industry has since moved away from software that requires proprietary browsers.  We have no plans to release a browser specifically for E-Business Suite users. 

Will this work on Android or iOS?

No. Neither of these operating systems is compatible with Java.

E-Business Suite users who need to run Oracle Forms-based content or other Java-based functionality should use Windows or macOS.

Will Java Web Start be mandatory?

Not immediately. It is expected that the use of Java Web Start will be optional at least up to, and including, Java 9, which may be the last Java release to include the JRE browser plugin. 

Will Java Web Start coexist with JRE?

Yes.  You can have a mixed environment where some end-users launch Java Web Start applications, while others use applets via the Java plug-in.  This mixed group of end-users can connect to the same E-Business Suite environment.

EBS system administrators have full server-side control over these choices.

Will this affect EBS customizations?

Maybe. It depends upon which of the following apply to your environment:

  • Scenario 1: You have modified standard EBS screens running in Forms:
    No actions needed. These customizations are expected to work with Java Web Start without any additional changes.
  • Scenario 2: You have built custom Java applets of your own to extend the E-Business Suite:
    These will continue to run with the Java plug-in, but you may wish to update those applets to use Java Web Start.
  • Scenario 3: You have third-party extensions or products that depend upon the Java plug-in:
    These will continue to run with the Java plug-in but you may wish to contact your third-party vendor for details about their plans for Java Web Start.

Are there any additional licensing costs?

No. Java Web Start is included with EBS licenses and does not introduce any new licensing costs.


Disclaimer

The preceding is intended to outline our general product direction.  It is intended for information purposes only, and may not be incorporated into any contract.   It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.  The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

 

Categories: APPS Blogs

Oracle E-Business Suite 12.2 Web Services Security for Oracle Supplier Network

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Supplier Network (OSN). Do not confuse OSN with the Oracle Social Network (also referred to as OSN), and when configuring OSN, do not confuse the Oracle Transport Agent (OXTA) web services with the Oracle Training Administration (OTA) web services.

To use OSN, you must configure both the url_fw.conf and url_fw_ws.conf files to open traffic for the XML Gateway to consume OXTA web services. The OSN documentation in places confuses OXTA and OTA.  The risk is that url_fw_ws.conf contains services for both the Oracle Training Administration (OTA) module and OXTA. Unless both are being used, be careful to open only the correct services.

It should also be noted that while OSN uses web services, as of 12.2.5, OSN’s web services are NOT shown as deployed in the ISG repository.  This is because OSN’s functionality is built into the Oracle E-Business Suite’s core functionality.

It is very important to note that using OSN with trading partners over the Internet requires opening the E-Business Suite to the Internet. Unfortunately, it is not clearly stated that a WAF, ideally the API Gateway, should be used to protect OSN. Even if OSN is the only web service being used, a WAF is still required to guard the attack surface.

Lastly, the passwords used for the various OSN accounts (defined within the OSN GUI forms) need to be complex and regularly rotated. Many clients forget about these accounts.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Guide to PeopleSoft Logging and Auditing - Revised Whitepaper

After discussions at Collaborate2017 with several PeopleSoft architects we have revised our Guide to PeopleSoft Auditing. The key change is the recommendation NOT to use PeopleSoft’s native database auditing and to instead use Oracle Fine Grained Auditing (FGA). FGA comes free with the Enterprise Edition of the Oracle RDBMS. It is easier to implement, and it does not have the performance impact of PeopleSoft’s native auditing.

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle Audit Trail Add Program Name

The program name attribute (V$SESSION.PROGRAM) is not by default passed to Oracle’s audit logs. It can be optionally included. To do so, apply Patch 7023214 on the source database. After the patch is applied, the following event needs to be set:

ALTER SYSTEM SET
           EVENT='28058 trace name context forever'
           COMMENT='enable program logging in audit trail' SCOPE=SPFILE;

The table below summarizes key session attributes (V$SESSION) that are passed/not passed to Oracle auditing:

Oracle Audit Trails

| Session Attribute (V$SESSION) | Description | Traditional Auditing (SYS.AUD$) | Fine Grained Auditing (SYS.FGA_LOG$) |
|-------------------------------|-------------|---------------------------------|--------------------------------------|
| CLIENT_IDENTIFIER | End user username | CLIENTID | CLIENTID |
| CLIENT_INFO | Concatenated application log string | Not passed | Not passed |
| MODULE | ABAP program, module, application component or service | Not passed | Not passed |
| ACTION | Business action being executed, page, code event, location within program | Not passed | Not passed |

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP

Auditing, Oracle Database, Oracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Mobile and Web Services Security Requires Web Application Firewall (WAF)

This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs.  The URL Firewall provides the critical function of only allowing those forms and web services that have been both hardened by Oracle and flagged by the client as being used – all other requests are blocked by the default-deny rules. The URL Firewall does not protect against common web attack techniques such as those below – this is what WAFs protect against:

  • Denial of Service (DoS)
    • Flooding, recursive & oversized payloads
  • Injection & Malicious Code
    • XXC, SQLi, logic bombs, malformed content
  • Confidentiality and Integrity
    • Parameter tampering, schema poisoning
  • Reconnaissance Attacks
    • Scanning and registry disclosure
  • Privilege Escalation Attacks
    • Race condition, format string, buffer overflow

Additional protection is required to secure Internet facing Oracle E-Business Suite web services. Third party WAFs can certainly be deployed, but Oracle Corporation’s API Gateway offers a compelling advantage for Oracle E-Business Suite clients. The API Gateway is a separate license option and is placed in front of the SOA Server (also a separate license option) to defend against the common web attack techniques specific to web services as identified above.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Web Services Security: Authentication and Authorization

This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than for end-users.

Authorization rules for web services are relatively easy to configure in that all web services are defined as functions. The Oracle E-Business Suite's function security scheme and rules engine apply the same to GUI forms as for web services. In other words, the table APPLSYS.FND_FORM_FUNCTIONS defines all the forms that users use as well as defines all web services deployed. Menus then are built referencing these functions and Oracle E-Business Suite user accounts (APPLSYS.FND_USER) are given responsibilities with the menus of functions. These user accounts can be staff members or can be generic accounts (e.g. to support specific web services). Ensuring that appropriate users and responsibilities can call and use specific web services is the same critical step as ensuring that only appropriate users can use specific forms.

There are two authentication options for web services: local FND_USER passwords and tokens. Tokens can be SAML send vouchers/E-Business Suite Session Ids. Whichever is used, ensure that accounts are not inappropriately over privileged and that the passwords and tokens are not widely known and/or shared.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

E-Business Suite Technology Stack Blog in Migration

Steven Chan - Thu, 2017-04-06 18:05

This blog is being migrated to a new blogging platform (at last!). This is our fifth migration since 2006, so I expect a bit of reorganization of content.  We're going on hiatus for a bit until the dust settles.

Heads up: all comments posted from now to the new blog's appearance will be lost. If you post a comment that's gotten lost in the transition, please re-post when the new blog is up and running.


Categories: APPS Blogs

Oracle Listener Security New ORACLE 12.2 Firewall Feature

Service-Level ACLs are a new feature of the 12.2 Listener that allows every database service to have its own ACL. The ACL must be based on IP addresses and this feature allows multitenant pluggable databases (PDBs) to each have an ACL enforced by the Listener. This is because each PDB is a unique service registered in the Listener.

To implement this feature a new parameter FIREWALL must be used and has the following options:

  • (FIREWALL=ON) - This enables strict ACL validation (whitelist-based approach) of all connections based on the ACLs. If no ACLs are configured for a service, all connections are rejected.
  • FIREWALL is not set (defined for service) – This is a mixed mode. If an ACL is configured for a service, it will be enforced. If no ACL is defined, all connections will be accepted.
  • (FIREWALL=OFF) - No validation (no ACLs enforced) and all connections are accepted.

For more information refer to: http://docs.oracle.com/database/122/NETAG/configuring-and-administering-oracle-net-listener.htm#NETAG0102
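The three FIREWALL modes above, modelled as a decision function plus a per-service exposure report. This is an added example, not Oracle's code or part of the original post; the function names, service names and ACL entries are constructed for illustration.

```python
import ipaddress

# Constructed sample: two PDB services registered with one listener.
# Service names and ACL entries are illustrative, not from the post.
SERVICES = {
    "pdb_hr.example.com": ["10.10.1.0/24", "192.0.2.15"],
    "pdb_fin.example.com": None,   # no ACL configured for this service
}

def listener_accepts(firewall, acl, client_ip):
    """Model the listener's decision for one connection.

    firewall  -- "ON", "OFF" or None (FIREWALL not set on the endpoint)
    acl       -- list of IP/CIDR strings for the service, or None/[] if none
    client_ip -- source address of the connecting client
    """
    if firewall == "OFF":
        return True                  # no validation, ACLs are ignored
    if not acl:
        # ON is default-deny; unset (mixed mode) accepts when no ACL exists
        return firewall is None
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in acl)

def exposure_report(firewall, service_acls):
    """Classify every service as 'restricted', 'open' or 'blocked'."""
    report = {}
    for service, acl in service_acls.items():
        if firewall == "OFF":
            report[service] = "open"          # ACL present or not, no checks
        elif acl:
            report[service] = "restricted"    # only ACL entries may connect
        elif firewall == "ON":
            report[service] = "blocked"       # strict mode, nothing allowed
        else:
            report[service] = "open"          # mixed mode, no ACL to enforce
    return report

if __name__ == "__main__":
    for mode in ("ON", None, "OFF"):
        print(mode, exposure_report(mode, SERVICES))
```

In mixed mode a PDB service that registers without an ACL is reachable from any address, so the report for the unset case is the one to review when new PDBs are added.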

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

 
 
Security Strategy and Standards, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle Database Listener Security Guide – Rewritten For Oracle 12.2

In October 2002 Integrigy first posted a guide to securing the Oracle Listener. Since then this whitepaper has been our most popular download. This month we rewrote the whitepaper for Oracle 12c, inclusive of 12.2.

Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. This whitepaper provides an overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it.

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Security Strategy and Standards, Oracle Database
Categories: APPS Blogs, Security Blogs
