Stephen Kost's E-Business Suite Security Blog

Subscribe to Stephen Kost's E-Business Suite Security Blog feed
Integrigy's Oracle Security Blog with information on security for the Oracle Database, Oracle E-Business Suite and other Oracle products.
Updated: 16 hours 8 min ago

SCAP OVAL SQL57_TEST Example For Oracle E-Business Suite

Tue, 2017-05-23 06:54

Last week I posted a blog introducing SCAP and OVAL. Here is a quick follow-up with a link to a sql57_test example using the Oracle E-Business Suite - it will suffice for any Oracle database.

A great book to read first on SCAP titled ‘Security Automation Essentials’ for $15 on Amazon is a must read:  https://www.amazon.com/Security-Automation-Essentials-Streamlined-Communication/dp/0071772510. I would highly recommend this book to anyone interested in SCAP and much thanks to Witte, Cook, Kerr and Shaffer for writing it.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
SCAP OVAL, Oracle Database, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

STIGS, SCAP, OVAL, Oracle Databases and ERP Security

Tue, 2017-05-16 06:00

Last week’s unprecedented ransomware cyber attacks (http://preview.tinyurl.com/lhjfjgk) caught me working through some research on security automation. The cyber attacks evidently were attributed to an unpatched Windows XP vulnerability. When challenged with securing 1,000s of assets such as all the Windows desktops and Linux servers in an organization, automation quickly becomes a requirement.

Automation is increasingly coming up in our client conversations about how to secure the technology ‘stack’ supporting large ERP implementations such as the Oracle E-Business Suite, PeopleSoft, and SAP. For example, how do you from a security professional perspective, communicate an objective risk assessment comprehensive of both the secure baseline configuration (control adherence/violation) and security patch levels (patch/unpatched CVEs) for the Linux operating systems, virtualization software, web server, database and the ERP application itself? Without automation, it is not feasible to promptly produce risk-based assessments of the complete technology stack and to produce results that are readily expressed in a common risk measurement (e.g. CVE) not requiring deep subject matter expertise.

Automation, however, can only be considered after requirements have been defined. I have long used Security Technical Implementation Guides (STIGs) in both my research and work with clients to define security requirements. STIGs are secure configuration standards developed by the US Department of Defense for products such as the Oracle RDBMS and are freely available (http://iase.disa.mil/stigs/Pages/index.aspx). While most clients do not need their databases hardened to military specifications, STIGs are an invaluable source of security best practice thinking.

STIGs (security checklists) are only available in xml format – not PDF files. DISA does provide a utility to view and work with STIGs (http://iase.disa.mil/stigs/Pages/stig-viewing-guidance.aspx) which allows you to manually execute the checklist, record your findings and then export the results. See this YouTube (https://www.youtube.com/watch?v=-h_lj5sWo4A) posting for a great summary of the STIG Viewer and how to use it.

Security Content Automation Protocol (SCAP)

To answer the question of how do you automate STIG and/or security checklists, again the Department of Defense has thought through the challenges and has created the Security Content Automation Protocol (SCAP).

SCAP is a multi-purpose framework to automate the security scanning of configurations, vulnerabilities, patch checking and compliance. SCAP content is developed by the National Institute of Standards and Technologies (NIST) and the components are described in the table below. The key point is that SCAP security content (checklists) is free and that the SCAP content scanning tools are available both in open source and commercial options.

SCAP Component

Description eXtensible Checklist Configuration Description Format (XCCDF) XML-based language for specifying checklists and reporting the results of checklist evaluations. Open Vulnerability and Assessment Language (OVAL) XML-based language for specifying test procedures to detect machine state Common Vulnerabilities and Exposures (CVE) Nomenclature and dictionary of security-related security flaws Common Configuration Enumeration (CCE) Nomenclature and dictionary of software security configuration issues Common Vulnerability Scoring System (CVSS) Methodology for measuring the relative security of software flaws Open Checklist Interactive Language (OCIL) XML-based language for specifying security checks that require human interaction or that otherwise cannot be bundled by OVAL Asset Reporting Format (ARF) Standardized data model for sharing information about assets to facilitate the reporting, correlating, and fusing of asset security information.   OpenSCAP

There are many tools, Integrigy’s AppSentry included (https://www.integrigy.com/products/appsentry), that will perform a STIG scan of an Oracle database. The question I was researching this week, is could I use a single SCAP tool to automate the scanning of both the Linux server and the database as well as possibly ERP configurations for PeopleSoft and/or the Oracle E-Business Suite – can could I possibly do this with open source software?

The first tool I considered was OpenSCAP (https://www.open-scap.org/). This open source tool is easy to install either on your laptop or Linux database server and has remote scanning capabilities. The example below shows the capabilities of the GUI tool ‘SCAP Workbench’ and the freely available content that is installed by default for scanning a Linux server.

This exercise quickly confirmed that there is a great deal of security automation available for Linux system security configurations. Here, though, is where I hit a wall: could OpenSCAP work with Oracle databases? While the SCAP standards clearly showed support for scanning SQL database configurations using OVAL’s SQL probes (e.g. sql_test, sql57_test etc…), I may be corrected, but the standard build of OpenSCAP do not appear to include the SQL probes.

 

JOVAL

To obtain the SQL probes for SCAP scanning of database configurations, after some research, I obtained an evaluation copy of Joval Professional (http://jovalcm.com/). Joval describes themselves as allowing you to Scan anything from anywhere and to allow continuous configuration assessments for developers, enterprises, content authors and security professionals.

The installation of Joval Professional was quick and I was able to scan my laptop and remotely scan the remote Oracle Linux server without issues. The screen shot below shows the results of the remote scan of the Linux server running the Oracle RDBMS.

With a bit of experimentation (and great customer service from Joval), I was able to quickly prove I could develop OVAL content for automated SCAP scanning of Oracle databases, either for standard database security checks or for Oracle E-Business and/or PeopleSoft configurations. One key concern with the proof-of-concept is that connection string hardcodes the user name and password. The hardcoding is certainly a security issue, but JOVAL (as well as OpenSCAP) offers python bindings. The screen shot below is a single OVAL scan that included two SQL checks as well as checks against content in the sqlnet.ora file using the OVAL probe: textfilecontent54_test. 

My OVAL definition is referenced below. I am providing it as an example for others. The key points you will know is for the JOVAL connection string for Oracle:

Engine:  oracle
Version values: 11.2.0, 11.1.0, 10.2.0, 10.1.0, 9.2.0, 9.0.1
Connection string (do not use JDBC syntax): user=<username>;password=<password>;SID=<instance name>

If you want to replicate the proof-of-concept:

  1. Download a trial version of Joval Professional.
  2. Run a scan of your local laptop
  3. Run a remote scan of Linux server running your Oracle RDBMS
  4. Edit sample benchmark file (here) for your database
  5. Upload the edited sample benchmark into Joval
  6. Run the sample benchmark scan
What Next?

Having proven I can use OVAL to write Oracle and ERP audit checks, I will spend a bit more time expanding the POC. I am also interested in automation options for Joval and OpenSCAP exports to a NoSQL database such as MongoDB using the Asset Reporting Format (ARF) (https://scap.nist.gov/specifications/arf/). Both Joval and OpenScap have standard functionality to export results using ARF.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References

Sample Oracle OVAL benchmark definition: SCAP OVAL Example Check for Oracle

SCAP

NIST SCAP site: https://scap.nist.gov/

SCAP content: https://nvd.nist.gov/ncp/repository?scap

Oracle Linux Security Guide – Using OpenSCAP: https://docs.oracle.com/cd/E37670_01/E36387/html/ol-scap-sec.html

Great summary of SCAP: https://energy.gov/sites/prod/files/cioprod/documents/Technical_Introduction_to_SCAP_-_Charles_Schmidt.pdf

OVAL

Writing OVAL content https://oval.mitre.org/documents/docs-07/Writing_an_OVAL_Definition.pdf

OVAL tutorial https://nvd.nist.gov/scap/docs/conference%20presentations/workshops/OVAL%20Tutorial%202%20-%20%20Definitions.pdf

 
 
 
 
 
 
SCAP OVAL, Security Strategy and Standards, FISMA/DOD, Oracle Database, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite APPS_NE Security Risks

Tue, 2017-05-09 06:00

The most recent version of the Oracle E-Business Suite, Release 12.2, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or in other words; the APPS_NEW is the APPS schema for the non-editioned database objects.  

There are several security implications with regard to APPS_NE:

  • The same password must be shared among APPLSYS, APPS, and APPS_NE. The default password for APPS_NE is 'APPS.'
  • APPS_NE has similar elevated system privileges to APPS (e.g. SELECT ANY TABLE), but is not identical. See the listing below for the 56 privileges granted to APPS_NE.
  • APPS_NE must be logged, audited and monitored APPS_NE as you do APPS. APPS_NE needs to be added to your audit scripts and procedures as well as monitoring solutions

The following lists summarize the system privilege differences between APPS and APPS_NE

-- APPS_NE has 3 privileges APPS does not            
CREATE MATERIALIZED VIEW
CREATE SEQUENCE
DROP ANY TYPE

 

-- APPS has 18 privileges that APPS_NE does not
ALTER ANY PROCEDURE
ALTER DATABASE
ANALYZE ANY DICTIONARY
CHANGE NOTIFICATION
CREATE ANY DIRECTORY
CREATE ANY EDITION
CREATE ANY PROCEDURE
CREATE EXTERNAL JOB
CREATE JOB
CREATE PUBLIC DATABASE LINK
CREATE PUBLIC SYNONYM
DEQUEUE ANY QUEUE
DROP ANY EDITION
DROP ANY PROCEDURE
DROP PUBLIC SYNONYM
ENQUEUE ANY QUEUE
EXECUTE ANY TYPE
MANAGE ANY QUEUE

 

-- APPS_NE has 56 system privileges
ALTER ANY CLUSTER
ALTER ANY INDEX
ALTER ANY MATERIALIZED VIEW
ALTER ANY OUTLINE
ALTER ANY ROLE
ALTER ANY SEQUENCE
ALTER ANY TABLE
ALTER ANY TRIGGER
ALTER ANY TYPE
ALTER SESSION
ALTER SYSTEM
ANALYZE ANY
COMMENT ANY TABLE
CREATE ANY CLUSTER
CREATE ANY CONTEXT
CREATE ANY INDEX
CREATE ANY MATERIALIZED VIEW
CREATE ANY OUTLINE
CREATE ANY SEQUENCE
CREATE ANY SYNONYM
CREATE ANY TABLE
CREATE ANY TRIGGER
CREATE ANY TYPE
CREATE ANY VIEW
CREATE DATABASE LINK
CREATE MATERIALIZED VIEW
CREATE PROCEDURE
CREATE ROLE
CREATE SEQUENCE
CREATE SESSION
CREATE SYNONYM
CREATE TRIGGER
CREATE TYPE
CREATE VIEW
DELETE ANY TABLE
DROP ANY CLUSTER
DROP ANY CONTEXT
DROP ANY INDEX
DROP ANY MATERIALIZED VIEW
DROP ANY OUTLINE
DROP ANY ROLE
DROP ANY SEQUENCE
DROP ANY SYNONYM
DROP ANY TABLE
DROP ANY TRIGGER
DROP ANY TYPE
DROP ANY VIEW
EXECUTE ANY PROCEDURE
GLOBAL QUERY REWRITE
GRANT ANY ROLE
INSERT ANY TABLE
LOCK ANY TABLE
SELECT ANY SEQUENCE
SELECT ANY TABLE
UNLIMITED TABLESPACE
UPDATE ANY TABLE

 

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
 
 
Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Recommended Approach for Oracle E-Business Suite 12.2 Mobile and Web Services Security

Fri, 2017-05-05 06:00

This is the eleventh and final posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Deploying Internet-based Oracle E-Business Suite web services requires proper configuration of the URL Firewall, both the url_fw.conf and url_fw_ws.conf and the use of a WAF – ideally the Oracle API Gateway. This recommendation applies equally to all whose only use of web services is the Oracle Supplier Network (OSN). One opening of the attack surface exposed to the Internet exposes the entire Oracle E-Business Suite.

For Mobile and Smartphone applications, due to the overall complexity and additional license requirements, it is recommended to continue using VPN for deployment instead of using an External Node. 

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Reference
 
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite APPLSYS, APPS and APPS_NE

Tue, 2017-05-02 06:00

The evolution of the Oracle E-Business Suite since its inception in the late 1980s has gone through many significant changes. For example, I can personally remember in the late 1990s upgrading clients to release 10.5 of the E-Business Suite with the big change being the introduction of the APPS schema.

The introduction of the APPS schema greatly simplified the technical interdependencies of the then 40+ applications of Release 10.5 of the E-Business Suite. The most recent version of the Oracle E-Business Suite, Release 12.2, with 200+ modules, introduces on-line patching to reduce downtime requirements. This new technical functionality is based on Edition-based Redefinition provided by the Oracle 11gR2 database. For the E-Business Suite to make use of Editioning, Oracle has added a new schema to the ‘APPS’ family – the APPS_NE schema.

The APPS_NE schema is the owner of those objects previously owned by APPS that cannot be Editioned or in other words; the APPS_NE is the APPS schema for the non-editioned APPS foundation database objects.  APPS_NE has similar elevated system privileges to APPS (e.g. SELECT ANY TABLE), but is not identical. The same password must be shared among APPLSYS, APPS, and APPS_NE. The default password for APPS_NE is 'APPS.'

--This SQL gives a high-level summary of the difference between APPS and APPS_NE
SELECT OWNER, OBJECT_TYPE, COUNT(*)
FROM DBA_OBJECTS
WHERE OWNER = 'APPS_NE'
GROUP BY OWNER, OBJECT_TYPE
UNION
SELECT OWNER, OBJECT_TYPE, COUNT(*)
FROM DBA_OBJECTS
WHERE OWNER = 'APPS'
GROUP BY OWNER,OBJECT_TYPE
ORDER BY 1,3 DESC;
 
The table below is a high-level summary of the APPS schemas.
 

Oracle E-Business Suite ‘APPS’ Schemas

Schema

Description

APPS

Introduced with 10.5 of the E-Business Suite, APPS, owns all of the applications code in the database and has access all data in the Oracle E-Business Suite. All end-user connections as well connect as APPS after being authenticated using the APPLSYSPUB schema. The APPS schema must have same password as APPLSYS and APPS_NE schemas.

APPSLSYS

Owns the foundation objects (AD_* and FND_* tables) of the E-Business Suite used to define users and menus etc…. The APPLSYS schema must have same password as APPS and APPS_NE.

APPS_NE

New with 12.2, the APPS_NE schema is the Non-Editioned runtime ‘APPS’ user for the E-Business Suite. The APPS_NE schema must have same password as APPLSYS and APPS schemas.

APPS_MRC

APPS_MRC was created to support functionality for multiple reporting currencies (MRC). This schema has been obsolete since 11.5.10 and is no longer used. Its default was APPS_MRC, but country code suffixes were added (e.g. APPS_UK, APPS_JP). APPS_MRC is dropped by the upgrade to 11.5.10 and should not exist in R12 instances.

 

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Mobile Application Security

Fri, 2017-04-28 06:00

This is the tenth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Oracle Corporation has been building out Mobile and Smartphone applications for the Oracle E-Business Suite for a number of releases. Before release 12.2.5, this functionality was designed only for deployment through a corporate VPN, not through an Oracle E-Business Suite external node over the Internet (e.g. a server in DMZ).

With release, 12.2.5 external node deployment for Mobile applications is now an option. 12.2.5 bundles Oracle Mobile v4 and uses the E-Business Suite's WebLogic server.  Specifically, 12.2.5 deploys the Oracle Mobile v4 REST services through the OAFM WebLogic application.  In other words, with 12.2.5, Smartphone applications can now be Internet deployed without a need for a separate WebLogic Server; no need for a SOA Server or a separate WebLogic server.

Oracle Mobile Using Native EBS REST

To secure version 12.2.5 Oracle E-Business Suite Mobile applications, Oracle Mobile Security Services (OMSS) is used.  Check with your Oracle sales representative if OMSS is separately licensed or not. OMSS provides critical URL shortening as well as white/blacklisting and other functionality specific to deploying Oracle Mobile applications. OMSS must be properly configured and is placed in front of OAFM.

OMSS in-line before OAFM

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle Unified Auditing Performance Issues and 12.2 Improvements

Tue, 2017-04-25 06:00

For those of you using and/or considering Unified Auditing, in case you might have missed, Oracle has made significant changes to Unified Auditing in 12.2. Unified Auditing, new in Oracle 12c, represents a complete rewrite of how native database auditing works - see the links below for Integrigy research on Unified Auditing.

With Oracle 12.1, when using Unified Auditing, reads of the UNIFIED_AUDIT_TRAIL view were not performant. With Oracle 12.2, a new relational partitioned table (AUDSYS.AUD$UNIFIED) is created to solve the performance issue, and a patch (22782757) has been issued to backport the fix to 12.1.

For 12.1 clients using Unified Auditing, the patch and/or the workaround should be a high priority consideration.

Thank you to Mark Dietrich for pointing out the 12.1 patch.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
 
Auditing, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Web Services Security for Oracle Supplier Network

Fri, 2017-04-21 06:00

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Suppler Network (OSN). Do not confuse OSN with the Oracle Social Network (also referred to as OSN) or when configuring OSN, do not confuse the Oracle Transport Agent (OXTA) web services with Oracle Training Administration (OTA) web services.

To use OSN, you must configure the both the url_fw.conf and url_fw_ws.conf file to open traffic for the XML Gateway to consume OXTA web services. The OSN documentation in places confuses OTXA and OTA.  The risk is that in the url_fw_ws.conf there are services for both the Oracle Training Administration (OTA) module as well as for the OXTA. Unless both are being used, be careful to open only the correct services.

It should also be noted that while OSN uses web services, as of 12.2.5, OSN’s web services are NOT shown as deployed in the ISG repository.  This is because OSN’s functionality is built into the Oracle E-Business Suite’s core functionality.

It is very important to note that while using OSN with trading partners over the Internet requires opening the E-Business Suite to the Internet. Unfortunately, it is not clearly stated that a WAF, ideally the API Gateway, should be used to protect OSN. Even if OSN is the only web service being used, a WAF is still required to guard the attack surface.

Lastly, the passwords used for the various OSN accounts (defined within the OSN GUI forms) need to be complex and regularly rotated. Many clients forget about these accounts.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Guide to PeopleSoft Logging and Auditing - Revised Whitepaper

Thu, 2017-04-20 06:00

After discussions at Collaborate2017 with several PeopleSoft architects we have revised our Guide to PeopleSoft Auditing. The key change is the recommendation NOT to use PeopleSoft’s native database auditing and to instead use Oracle Fine Grained Auditing (FGA). FGA comes free with the Enterprise Edition of the Oracle RDBMS and, not only is it easier to implement, FGA does not have the performance impact of PeopleSoft’s native auditing.

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP

References
 
 
Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle Audit Trail Add Program Name

Tue, 2017-04-18 06:00

The program name attribute (V$SESSION.PROGRAM) is not by default passed to Oracle’s audit logs. It can be optionally included. To do so, apply Patch 7023214 on the source database. After the patch is applied, the following event needs to be set:

ALTER SYSTEM SET
           EVENT='28058 trace name context forever'
           COMMENT='enable program logging in audit trail' SCOPE=SPFILE;

The table below summarizes key session attributres (V$SESSION) the are passed/not passed to Oracle auditing

Oracle Audit Trails

Session Attribute

(V$SESSION)

Description

Traditional Auditing (SYS.AUD$)

Fine Grained Auditing (SYS.FGA_LOG$)

CLIENT_IDENTIFIER

End user username

CLIENTID

CLIENTID

CLIENT_INFO

Concatenated application log string

Not passed

Not passed

MODULE

ABAP program, module, application component or service

Not passed

Not passed

ACTION

Business action being executed, page, code event, location within program

Not passed

Not passed

 

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP

Reference
 
 
 
Auditing, Oracle Database, Oracle Audit Vault
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Mobile and Web Services Security Requires Web Application Firewall (WAF)

Fri, 2017-04-14 06:00

This is the eighth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Web Application Firewalls (WAFs) cannot replace the URL Firewall, nor can the URL Firewall replace WAFs.  The URL Firewall provides the critical function of only allowing those forms and web services that have been both hardened by Oracle and flagged by the client as being used – all other requests are blocked by the default-deny rules. The URL Firewall does not protect against common web attack techniques such as those below – this what WAFs protect against:

  • Denial of Service (DoS)
    • Flooding, recursive & oversized payloads
  • Injection & Malicious Code
    • XXC, SQLi, logic bombs, malformed content
  • Confidentiality and Integrigy
    • Parameter tampering, schema poisoning
  • Reconnaissance Attacks
    • Scanning and registry disclosure
  • Privilege Escalation Attacks
    • Race condition, format string, buffer overflow

Additional protection is required to secure Internet facing Oracle E-Business Suite web services. Third party WAFs can certainly be deployed, but Oracle Corporation’s API Gateway offers a compelling advantage for Oracle E-Business Suite clients. The API Gateway is a separate license option and is placed in front of the SOA Server (also a separate license option) to defend against the common web attack techniques specific to web services as identified above.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.2 Web Services Security: Authentication and Authorization

Fri, 2017-04-07 06:00

This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than for end-users.

Authorization rules for web services are relatively easy to configure in that all web services are defined as functions. The Oracle E-Business Suite's function security scheme and rules engine apply the same to GUI forms as for web services. In other words, the table APPLSYS.FND_FORM_FUNCTIONS defines all the forms that users use as well as defines all web services deployed. Menus then are built referencing these functions and Oracle E-Business Suite user accounts (APPLSYS.FND_USER) are given responsibilities with the menus of functions. These user accounts can be staff members or can be generic accounts (e.g. to support specific web services). Ensuring that appropriate users and responsibilities can call and use specific web services is the same critical step as ensuring that only appropriate users can use specific forms.

There are two authentication options for web services, local FND_USER passwords and tokens. Tokens can be SAML send vouchers/E-Business Suite Session Ids). Whichever is used, ensure that accounts are not inappropriately over privileged and the passwords and tokens not widely known and/or shared.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle Listener Security New ORACLE 12.2 Firewall Feature

Wed, 2017-04-05 06:00

Service-Level ALCs is a new feature of the 12.2 Listener that allows every database service to have its own ACL. The ACL must be based on IP addresses and this feature allows multitenant pluggable databases (PDBs) to each have an ACL enforced by the Listener. This is because each PDB is a unique service registered in the Listener.

To implement this feature a new parameter FIREWALL must be used and has the following options:

  • (FIREWALL=ON) - This enables strict ACL validation (whitelist-based approach) of all connections based on the ACLs. If no ACLs are configured for a service, all connections are rejected.
  • FIREWALL is not set (defined for service) – This is a mixed mode. If an ACL is configured for a service, it will be enforced. If no ACL is defined, all connections will be accepted.
  • (FIREWALL=OFF) No validation (No ACLs enforced) and all connections are accepted

For more information refer to: http://docs.oracle.com/database/122/NETAG/configuring-and-administering-oracle-net-listener.htm#NETAG0102

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

 
 
Security Strategy and Standards, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle Database Listener Security Guide – Rewritten For Oracle 12.2

Mon, 2017-04-03 06:00

In October 2002 Integrigy first posted a guide to securing the Oracle Listener. Since then this whitepaper has been our most popular download. This month we rewrote the whitepaper for Oracle 12c, inclusive of 12.2

Integrigy Consulting has found the Database Listener to be one of the most frequently overlooked security risks at customers. This whitepaper is an overview of the Database Listener, its unique security risks, and step-by-step recommendations for securing it are provided.

If you have questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
Security Strategy and Standards, Oracle Database
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite Mobile and Web Services Security Explained - Starting with URL Firewall

Fri, 2017-03-31 06:00

This is the sixth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

How are web services secured in Oracle 12.2? To start at the beginning, the “front door” of the Oracle E-Business Suite is its web server, the Apache server deployed within the WebLogic server that is installed with release 12.2. To secure an Apache web server largely requires setting various configurations in the Apache configuration file (httpd.conf). For the Oracle E-Business Suite, these critical settings are maintained by Oracle through the AutoConfig utility. 

URL Firewall

The most important setting for Internet-facing clients is the include for the Oracle E-Business Suite’s URL Firewall. When the URL Firewall is included in the httpd.conf, every web request is passed through the URL Firewall, both for forms and for web services. The URL Firewall is non-discretionary and mandatory requirement when the Oracle E-Business Suite is deployed on the Internet.

HTTPD.CONF include for the URL Firewall

The URL Firewall is a template maintained by Oracle that whitelists those forms (e.g. JSP pages) that Oracle Corporation has hardened for use on the Internet. If the JSP is not listed “whitelisted” in the file url_fw.conf it should NOT be used on the Internet. Be sure to use the latest version of the template as Oracle periodically updates the template.

In the template, Oracle comments out all lines which effectively “Denies All.” To use the url_fw.conf, DBAs at each client site need to manually uncomment (“open”) specific JSP pages appropriate to their site. This “opening” by the DBAs must be carefully done and routinely reviewed.

The mechanics of when the url_fw.conf is called or not is determined by the Node's trust level. Most large Oracle E-Business Suite implementations have multiple web servers (referred to as nodes). To deploy the Oracle E-Business Suite on the Internet, one ore more nodes are deployed in a DMZ. If the node making the request of the Apache web server is flagged as an "Internal" web node, the url_fw.conf is skipped. If however the Node's trust level is flagged as "External" because the node is deployed in the DMZ, the url_fw.conf is called.

When called, the url_fw.conf applies regular expressions to the web request to determine if the request is BOTH exists in the whitelist and has been uncommented “opened” by the DBAs. If no match is found, a default-deny result is returned. In security terms, this means all requests are rejected unless explicitly allowed. If a match is found, the web request continues and the WebLogic server will then proceed with authentication and authorization tasks.

Example of URL FW line uncommented

Enabling and configuring the URL Firewall is the first step in securing web services. Unfortunately, Oracle buries the documentation for the URL Firewall in Appendix E of DMZ configuration guide – see the reference section of this paper for more information on the documentation.

To secure web services, it gets more complicated in that a second whitelist is appended to the first. To secure Oracle E-Business Suite web services, the url_fw.conf calls the url_fw_ws.conf. Similar to the configuration of the url_fw.conf, the documentation is buried deep in Appendix E of the DMZ configuration guide.

Different than the url_fw.conf which is supplied as a static listing of JSP pages, a utility (txkGenWebServiceUrlFwConf.pl) is run to generate the file url_fw_ws.conf. After being generated, DBAs similarly need to manually uncomment only those lines for the web services being used. If a web service is not found to be whitelisted, a default-deny rule will be applied; all web services commented out will be denied.

Example of URL FW WS.conf

Errors in selecting a Node’s trust level and configuring either the url_fw.conf and/or the url_fw_ws.conf have serious security consequences and should be routinely reviewed as part of on-going security audits.

Web services can be publically deployed without using the URL Firewall. For example, clients can if they so choose route Internet traffic directly to the E-Business Suite without setting up an External node. Integrigy Corporation highly recommends against doing this. Integrigy Corporation highly recommends always using the URL Firewall when deployed on the Internet, both for forms and for web services.

URL Firewall called by Node Trust Level

httpd.conf calls the URL Firewall

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

 
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Creditcard and Bank Account Decryption No Longer Possible in Oracle E-Business Suite

Fri, 2017-03-24 09:21

In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here Oracle E-Business Suite: Credit Cards and PCI Compliance

With Release 12 of the Oracle E-Business Suite, Oracle consolidated into the new Payments module, new functionality to encrypt credit cards and external bank accounts. Integrigy’s recommendation in January 2014 was that if encryption was enabled, that the concurrent programs to optionally decrypt credit cards and external bank accounts also be disabled. Integrigy's rationale for this recommendation was that decryption should only be allowed in a carefully controlled and managed process. End-dating the decryption request set and concurrent programs would prevent the decryption programs from being run accidently or run for nefarious purposes – in production but certainly in non-production databases.

Evidently, Oracle is now once again taking a security recommendation from Integrigy by permanently disabling the decryption programs. Per Oracle’s security team, the decryption programs have been disabled. For more information refer to Oracle Support Note 2209450.1, posted December 1, 2016 - "Is It Possible To Decrypt the Bank Accounts Data After Enabling The Encryption Feature."

If you have questions about protecting credit cards and/or external bank accounts in the Oracle E-Business Suite or have questions about this blog post, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
Encryption, PCI, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Deploying Oracle E-Business Suite 12.2 SOAP Web Services

Fri, 2017-03-24 06:00

This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying SOAP-based web services for the Oracle E-Business Suite is more complicated than for REST. SOAP interfaces are best used to support heavy-duty solutions such as Business-to-Business (B2B) interfaces. To deploy SOAP services for the Oracle E-Business Suite, the Oracle SOA Suite must be licensed and configured. Once the SOA Suite is installed and configured, two (2) WebLogic servers will exist. The first WebLogic server is the initial WebLogic server supporting the Oracle E-Business Suite and the second WebLogic Server is the WebLogic server supporting the SOA Suite. Integration between the two WebLogic Servers is done through both through HTTP and the ISG client. The ISG client is installed on the SOA Suite’s WebLogic server and uses Oracle’s proprietary T3 protocol to do the majority of the heavy lifting for communication with the E-Business Suite.

When a SOAP service is deployed within the Integrated SOA Gateway forms in the Oracle E-Business Suite, the SOAP Web Services Description Language (WDSL) file defining the web service is generated on the second WebLogic Server, the SOA Suite WebLogic Server, not the E-Business Suite’s WebLogic server. The interaction with B2B business partners using the web service then occurs between the Oracle SOA Suite and the business partner’s servers. Ultimately the Oracle E-Business Suite generates or receives the information, but the Oracle E-Business Suite does not directly communicate with the B2B partners.

SOAP Needs a Separate SOA Suite WebLogic Server

Only the SOA Suite communicates with B2B clients

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 
 
 
 
 
 
 
 
 
Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Integrigy COLLABORATE 17 Sessions - Presentations on Oracle Database, Oracle E-Business Suite, and PeopleSoft Security

Fri, 2017-03-17 10:12

Integrigy is presenting nine papers this year at COLLABORATE 17 (https://collaborate.oaug.org/). The COLLABORATE 17 conference is a joint conference for the Oracle Applications User Group (OAUG), Independent Oracle Users Group (IOUG), and Quest International Users Group.

Here is our schedule. If you have questions or would like to meet with us while at COLLABORTE 17, please conact us at info@integrigy.com.

Sunday Apr 02, 2017

1:45 PM - 2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

https://app.attendcollaborate.com/event/member?item_id=5621519

Banyan E

Speaker: Stephen Kost

1:45 PM - 2:45 PM

How to Control and Secure Your DBAs and Developers in Oracle E- Business Suite

https://app.attendcollaborate.com/event/member?item_id=5740411

South Seas F

Speaker: Michael Miller

Monday Apr 03, 2017

9:45 AM - 10:45 AM

The Thrifty DBA Does Database Security

https://app.attendcollaborate.com/event/member?item_id=5660960

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions Contacts us at info@integrigy.com to arrange

 

 

Tuesday Apr 04, 2017

9:45 AM - 10:45 AM

Solving Application Security Challenges with Database Vault

https://app.attendcollaborate.com/event/member?item_id=5660961

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions Contacts us at info@integrigy.com to arrange

 

 

Wednesday Apr 05, 2017

9:45 AM - 10:45 AM

When You Can't Apply Database Security Patches

https://app.attendcollaborate.com/event/member?item_id=5660962

Jasmine D

Speaker: Stephen Kost

11:00 AM - 12:00 PM

Common Mistakes When Deploying Oracle E-Business Suite to the Internet

https://app.attendcollaborate.com/event/member?item_id=5621520

South Seas B

Speaker: Stephen Kost

1:30 PM - 2:30 PM

Securing Oracle 12c Multitenant Pluggable Databases

https://app.attendcollaborate.com/event/member?item_id=5660950

Palm A

 

Speaker: Michael Miller

2:45 PM - 3:45 PM

How to Control and Secure Your DBAs and Developers in PeopleSoft

https://app.attendcollaborate.com/event/member?item_id=5617942

Ballroom  J

Speaker: Michael Miller

Thursday Apr 06, 2017

8:30 AM - 9:30 AM

Oracle E-Business Suite Mobile and Web Services Security

https://app.attendcollaborate.com/event/member?item_id=5621407

South Seas B

Speaker: Michael Miller

 

You can download a complete listing of Integrigy's sessions at Integrigy COLLABORATE 17 Sessions.

Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Security

Fri, 2017-03-17 09:34

This is a quick summary of Integrigy’s latest research on PeopleSoft. Was sending this to a client and decided it was a good posting:

Guide to PeopleSoft Logging and Auditing

How to Control and Secure PeopleSoft DBAs and Developers

PeopleSoft Database Security

PeopleSoft Database Secure Baseline Configuration

PeopleSoft Security Quick Reference

If you have any questions, please contact us at info@integrigy.com

 

 
 
Oracle PeopleSoft, Whitepaper
Categories: APPS Blogs, Security Blogs

Deploying Oracle E-Business Suite 12.2 REST Web Services

Fri, 2017-03-17 06:00

This is the forth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying REST services with 12.2 is straightforward. REST is an architectural style and not a protocol and is best used to support lightweight and “chatty” interfaces such as Mobile applications.  With 12.2, REST Web Application Description Language (WADL) interface definition files are generated within the E-Business Suite's WebLogic server and run through the OAFM Application. The OAFM application created with the installation of the Oracle E-Business Suite.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 

 

     
     
     
     
     
     
    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Pages