Stephen Kost's E-Business Suite Security Blog

Subscribe to Stephen Kost's E-Business Suite Security Blog feed
Integrigy's Oracle Security Blog with information on security for the Oracle Database, Oracle E-Business Suite and other Oracle products.
Updated: 8 hours 42 min ago

Oracle E-Business Suite Mobile and Web Services Security - What You Need To Know

Fri, 2017-02-24 06:00

Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure of and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors.  To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect.  This also makes the Oracle E-Business Suite, like other ERP platforms, vulnerable to automated attacks. Threat actors only need to compromise one publically facing URL or web service, which given the size and complexity of the Oracle E-Business Suite, makes securing it a somewhat daunting task.

Starting with version 12.1 and continuing with 12.2, the Oracle E-Business Suite delivers a considerable amount of new web services and Mobile functionality as standard core functionality.  Much, if not most, of this new Mobile and web services functionality, replicates functionality previously only available through the traditional user interface forms and/or public interfaces and these new web services can be easily deployed on the Internet through a DMZ node.  The security implications of 12.2’s increased web services capabilities is that the Oracle E-Business Suite’s attack surface has increased and harder to defend. 

This blog series summarize the new Mobile and web services functionality and review their security features before recommending best practices for using them securely.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

REFERENCES

 
 
 
 
 
Web Services
Categories: APPS Blogs, Security Blogs

Oracle Database 11.2.0.4 and 12.1.0.2 New CPU End Dates

Fri, 2017-01-27 08:36

With the upcoming on-premise release of Oracle Database 12.2.0.1, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 11.2.0.4 and 12.1.0.2.  Currently (as of January 2017), only 11.2.0.4 and 12.1.0.2 are supported for CPUs.

The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0.4 and July 2021 for 12.1.0.2.  The first year of extended support for both versions is free until December 2018 for 11.2.0.4 and July 2019 for 12.1.0.2.

All Oracle databases should be updated to either 11.2.0.4 or 12.1.0.2, which provides at least three years of CPU support.  To ensure database security and minimize Oracle support costs, organizations should plan to upgrade 11.2.0.4 and 12.1.0.2 databases in 2018 and move to 12.2 at that time.  All new databases should be 12.1.0.2 and look to begin production use of 12.2 in late 2017 or with the release of 12.2.0.2 in eary 2018.

For databases that are not currently upgraded to 11.2.0.4 or 12.1.0.2, you must mitigate the risk of not applying security patches as there are at least 27 moderate to high risk unpatched security vulnerabilities in unsupported versions.  A number of these vulnerabilities allow any user, even with only CREATE SESSION, to compromise the entire database.  At a minimum, you must harden the database, limit network access as much as possible, review access and privileges, and enable auditing and monitoring in order to potentially identify attacks and compromises.

See MOS Support Note 742060.1 for more information on Oracle Database version support.

Oracle Database, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite: 250 Security Vulnerabilities Fixed in the Last Year

Thu, 2017-01-19 11:23

Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017.  The past five Oracle Critical Update Updates (CPU) have included double or triple digit number of fixes for Oracle E-Business Suite.  Almost all these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2.  Many of the 250 security vulnerabilities fixed are high risk vulnerabilities such as SQL injection, cross-site scripting (XSS), XML external entity attacks, and privilege escalation.

Unless your organization is applying the CPU patches immediately and have hardened the application, the Oracle E-Business Suite is extremely vulnerable and easily exploitable.  Significant defensive measures are required to protect Oracle E-Business Suite especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.   A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 11i - Critical Patch Updates Extended for Tier 1 Support

Thu, 2017-01-19 11:07

As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers.  Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts.  See My Oracle Support Note ID 1596629.1 for more information.

Almost all security vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i.  A significant number of these security bugs are SQL injection bugs allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account.  These attacks can easily compromise the entire application and database.  In the past year, Oracle has fixed 250 security vulnerabilities in Oracle E-Business Suite 11i and R12.

Oracle E-Business Suite 11i customers without Tier 1 support, as well as 12.0 customers, should take immediate take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.  A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Discoverer Security Alert - High impact to SOX Compliance and Financial Reporting

Wed, 2016-10-19 12:02

For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) include a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of reports are at risk.

Oracle's recommendation is that clients migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence Cloud Service, or Oracle Business Intelligence Applications. If you are still using Discoverer, Oracle recommends upgrading to Fusion Middleware 11g patch set 6 (11.1.1.7.0) and to apply the October 2016 Critical Patch Update Discoverer patch (24716502). Be sure to also apply the CPU patches to WebLogic (10.3.6 and higher) and the database supporting the WebLogic repository.

If you have any questions, please contact us at info@integrigy.com

For more information

October 2016 CPU Announcement: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Patch Set Update and Critical Patch Update October 2016 Availability Document (Doc ID 2171485.1)

ALERT: Premier Support Ends Dec 31 2011 for Oracle Fusion Middleware 10g 10.1.2 & 10.1.4 (Doc Id: 1290974.1)

Using Discoverer 11.1.1 with Oracle E-Business Suite Release 12 (Doc Id: 1074326.1)

Using Discoverer 11.1.1 with Oracle E-Business Suite Release 11i (Doc Id: 1073963.1)

Vulnerability, Sarbanes-Oxley (SOX), Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 11i - October 2016 is Last Critical Patch Update

Tue, 2016-10-18 22:23

Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts.  As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i.  October 2016 is the last CPU patch for Oracle E-Business Suite 11i.  For 12.0, the last CPU patch was October 2015.

Even though there are no more security patches, many, if not most, vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i.  A significant number of these security bugs are SQL injection bugs which allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account.  These attacks can easily compromise the entire application and database.

As there are no more security patches for 11i and 12.0, we strongly recommend all 11i and 12.0 customers who have not yet upgraded to 12.x take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.  A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

Reference: AppDefend for the Oracle E-Business Suite

Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Oracle Database Critical Patch Update October 2016: 12.1.0.2 and 11.2.0.4 Only

Tue, 2016-10-18 22:09

The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter.  Starting with the October 2016 CPU, only 12.1.0.2 and 11.2.0.4 are supported.  In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 12.1.0.2 or 11.2.0.4.  As these are terminal database releases, the final CPU patch for 12.1.0.2 is July 2021 and for 11.2.0.4 is October 2020.  For those who have not yet applied 12c CPU patches, only Patch Set Updates (PSU) are available which include both security fixes and a large number of high priority fixes - Security Patch Updates (SPU) which include only security fixes are not available for 12c.

The October 2016 CPU fixes 12 security bugs in 7 database components.  Only the APEX (Application Express) security bug is remotely exploited without authentication – as with all APEX patches, this is a separate patch and upgrades APEX to 5.0.4.00.12.

This CPU should be considered HIGH risk due to the 5 security bugs that require only CREATE SESSION privilege in order to exploit.  These bugs can be exploited by any database user and can be used to compromise the entire database.

Oracle Database, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

PeopleSoft Data Mover Security

Mon, 2016-09-12 06:00

The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.

When performing a PeopleSoft security audit Integrigy carefully reviews Data Mover scripts and activities. If you want to look today at your environment, locate where Data Mover scripts are being stored. The location should be secured to only those with privileges to use Data Mover. Ideally, a source code control tool should be used to store and secure Data Mover scripts.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Process Scheduler Security

Mon, 2016-09-05 06:00

When performing a PeopleSoft security audit Integrigy carefully reviews batch processing activity generated through the Process Scheduler. Of particular focus is who has access to administer the Process Scheduler and reviewing batch jobs to identify where jobs are being run with super user privileges.

To look today at your environment for who has access to manage the Process Scheduler, the following can be used:

SELECT A.ROLEUSER, A.ROLENAME, A.DYNAMIC_SW
FROM SYSADM.PSROLEUSER A
WHERE UPPER(A.ROLENAME) = 'PROCESSSCHEDULERADMIN';

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft User Security

Mon, 2016-08-29 06:00

When performing a PeopleSoft security audit, reconciling users should be one of the first tasks. This includes default accounts created through the installation of PeopleSoft as well as user accounts associated with staff, vendors and customers.

The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

  • Default accounts - PeopleSoft default application user accounts with superuser privileges where possible should be removed or have their password changed. Carefully consult your documentation but this is a key task.

Default Oracle PeopleSoft Users

BELHR

JCADMIN1

PSJPN

CAN

NLDHR

PSPOR

CFR

PS

TIME

CNHR

PSCFR

UKHR

ESP

PSDUT

UKNI

FRA

PSESP

USA

FRHR

PSFRA

HSHR

GER

PSGER

WEBGUEST

GRHR

PSINE

WEBMODEL

 

  • Stale users – users that have not logged on in months or years should be identified and removed. Use the following SQL to locate stale users:
SELECT * FROM SYSADM.PSPTLOGINAUDIT;

To manage accounts, the following navigation can assist. As it cannot be mentioned enough, BEFORE you disable or delete any user TEST in non-production first.

User management:

  1. Select PeopleTools, Security, User Profiles, User Profiles
  2. Select user to disable or delete
  3. If disabling, check Account Locked Out check box


 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Jolt Security

Mon, 2016-08-22 06:00

Jolt along with Tuxedo supports PeopleSoft web requests. Specifically, Jolt is the layer between the application server and the web server. It is also described as a Java-enabled version of Tuxedo.

When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Jot security settings to ensure they are set per best practice recommendations.  To do this yourself, use the table below to review your settings. These settings should also be regularly reviewed to ensure against configuration drift.

Field

Description

Recommended Value

Disconnect Timeout

Seconds to wait before disconnecting Oracle Jolt connection. Zero (0) means no limit.

0

Send Timeout

Maximum number of seconds servlet allowed to send a request.

50

Receive Timeout

Maximum number of seconds servlet will wait for a response.

600

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Web Portal Security

Mon, 2016-08-15 06:00

When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Web Portal security settings to ensure they are set per best practice recommendations.  To do this yourself, use the table below to review your settings.

These settings should also be regularly reviewed to ensure against configuration drift.

Field

Description

Recommended Value

Allow Public Access

User sign on bypassed when direct link to a page are used – PUBLIC user access.

NULL/Disabled

Days to Autofill User ID

Convenience for users. Caches user Id for x days.

7

View File Time to Live

Number of seconds to wait after sending a file attachment to a user's browser before removing that file from the web server.

Default is 0. Set to 0 (zero) for public area/kiosk

PIA use HTTP Same Server

Use the HTTP protocol instead of HTTPS for requests that are issued by the portal for content hosted on same server.

N

Allow Unregistered Content

Whether both registered and unregistered content is served. Turning this option off will prevent explicitly registered content references from being displayed in the portal.

Y

SSL Secured Access Only

Forces use of SSL. Prevents users from using non-SSL protocols to access any link within this website or application.

Y

Secure Cookie with SSL

Prevents single signon token from traveling over an insecure network. If selected the system sets the secure attribute of the single signon cookie (PS_TOKEN) to True.

Y

Inactivity Warning

Number of seconds that the portal waits before warning users that browser sessions will expire. 

1080

HTTP Session Inactivity

Number of seconds of inactivity after which the HTTP session times out for authenticated users. 

1200

Inactivity Logout

Number of seconds of the inactivity timeout interval that applies to PeopleSoft applications to which a user is signed in. 

1200

Show Connection Information

Generates system information page when a user presses Ctrl+J. Shows:

browser, OS, PeopleTools release, application release, service pack, page definition name, component definition name, menu definition name, user ID, database name, database type, and application server address

Off/Null

Show Trace Link at Signon

Displays URL link at sign-in for setting trace parameters.

FALSE

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Categories: APPS Blogs, Security Blogs

PeopleSoft Encryption

Mon, 2016-08-08 06:00

Protection of sensitive data while at-rest, in-motion or in-use all need to be addressed as part of a holistic security strategy. This includes both Personally Identifiable Information (PII) as well as sensitive PeopleSoft system configurations.

When performing a PeopleSoft security audit, Integrigy reviews the use and implementation of encryption within all components of the PeopleSoft technology stack. This includes the following, all which are critical. Review yours today and contact Integrigy with any questions.

  • Implementation of Oracle Advanced Security Option (ASO) for Transparent Data Encryption (TDE), Oracle Wallets and encryption key management for database encryption
  • Configuration of SQL-NET encryption between database server, application and web servers
  • PeopleSoft Pluggable Encryption Technology (PET)
  • PeopleSoft client and web services connections. Specifically, we look to ensure that both internal and external network traffic is encrypted using TLS not SSL to encrypt network traffic. TLS is the successor to SSL and is considered more secure.
  • Encryption of Tuxedo configurations using the PSADMIN utility
  • Encryption of PeopleSoft web server configurations by generating or implementing a new PSCipher key to encrypt values in the web server configuration files.
  • Encryption of the Template file. The Template file is used to share configurations among multiple environments (Test, Dev Prod etc...) and passwords stored in the file MUST be encrypted and should not be stored in clear text.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Encryption, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft PUBLIC User Security

Mon, 2016-08-01 06:00

PeopleSoft Public users are not required to authenticate (sign on). These are generic accounts created for specific purposes, for example informational pages and/or company directories. Public users are also not subject to timeouts (session inactivity). Because no authentication is required, no sensitive data should be accessible to these users. It also goes without saying, that if you don’t need Public accounts, don’t use them.

When performing a PeopleSoft security audit, Integrigy identifies Public users and analyzes their authorization privileges. To do this yourself, use the SQL below to list your public users and then query the application or database to look at their authorization privileges.

--List the public users
SELECT O.OPRID, O.OPRDEFNDESC, O.ACCTLOCK, O.LASTPSWDCHANGE, O.FAILEDLOGINS,O.ENCRYPTED, O.EMPLID
FROM SYSADM.PSWEBPROFILE P, SYSADM.PSOPRDEFN O
WHERE P.BYPASSSIGNON = 'Y'
AND P.DEFAULTUSERID = O.OPRID;

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

Oracle E-Business Suite 12.1 and 12.2 Support for TLS 1.2 Added

Tue, 2016-07-26 15:47

Oracle has released support for TLS 1.2 in Oracle E-Business Suite 12.1 and 12.2.  Previously, Oracle E-Business Suite only supported SSLv3 and TLS 1.0, which are no longer approved for use with Federal systems and are not PCI-DSS compliant as of June 2014.  For TLS 1.2 support, new My Oracle Support (MOS) documents are available:

Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

Enabling TLS in Oracle E-Business Suite Release 12.1 (Doc ID 376700.1)

Oracle E-Business Suite 11.5 and 12.0 are desupported, therefore, these versions will continue to only support SSLv3 and TLS 1.0.

Integrigy recommends all Oracle E-Business Suite implementations use an external SSL/TLS termination point, such as an F5 BIG-IP load balancer, rather than the Oracle E-Business Suite TLS implementation in order to provide a more robust TLS implementation and allow for faster patching of the SSL technology stack.  In addition, an external TLS termination point is usually maintained by network and/or security staff for multiple applications, thus off-loading this responsibility from the Oracle DBAs who often have only limited experience with the complexity of network encryption and certificates.  Although, the one disadvantage is that the network traffic between the load balancer and Oracle E-Business Suite application server is unencrypted, however, this is normally limited to VLANs within the data center.

Encryption, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

PeopleSoft Guest User Security

Mon, 2016-07-25 06:00

Being hospitable and welcoming to guests is usually considered good manners.  That said, being a gracious host does not mean you should be careless with your security.

With regard to PeopleSoft application security, the user GUEST is a default account created with the installation of PeopleSoft.  When performing a PeopleSoft security audit, several attributes of the GUEST user are reviewed, including the following -  take a look today at your settings:

For the GUEST user:

  • Change the default password
  • Ensure does not have access to sensitive menus and/or roles, including not having access to the following:
  • The role ‘PeopleSoft User’
  • Any role that includes the permission list PTPT1000
  • The role ‘PAPP_USER’
  • Any role that includes the permission list PAPP0002

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Security User Authorization Audits

Mon, 2016-07-18 06:00

When performing a PeopleSoft security audit, reviewing what rights and privileges individual users have been granted for system and application security privileges (authorization) is one of the key deliverables. The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

Review users with access to

  • PeopleTools
  • The SQR folder
  • Process scheduler
  • Security and other sensitive administration menus
  • Security and other sensitive administration roles
  • Web profiles
  • PeopleSoft Administrator Role
  • Correction mode

To check access to PeopleTools, use the following. If you need assistance with the other topics, let us know –

-- Access to PeopleTools

SELECT UNIQUE  A.OPRID, A.OPRDEFNDESC, A.ACCTLOCK, B.ROLENAME
FROM SYSADM.PSOPRDEFN A, SYSADM.PSROLEUSER B
WHERE A.OPRID = B.ROLEUSER
AND upper(B.ROLENAME) ='PEOPLETOOLS'
ORDER BY A.OPRID,B.ROLENAME;

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Integration Broker (IB) Security

Mon, 2016-07-11 06:00

Securing the PeopleSoft Integration Broker (IB) ensures the security of messaging both within PeopleSoft applications and among third-party systems. The following are several of the key tasks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at your settings:

  • Ensure all inbound requests are required to use Secure Socket Layer security/Transport Layer Security (SSL/TLS)
  • Ensure that the default the PSKEY  password has been changed - The PSKEY is keystore contains all root and node certificates used by the Integration Gateway and PIA. Using the default or weak password is not best practice.
  • Ensure the IB node ANONYMOUS is appropriately privileged.  If IB connections do not specify a node name and credentials, IB will try to use the ANONYMOUS node and the “default user ID” tied to that node. This default user must not be a highly privileged user and should be granted the least number of privilege possible.
  • Review all other nodes for permissions appropriate for the business services supported by the node. Best practice is to use a unique UserID for each node that only has appropriate permissions to only to the required objects or related sets of operations.

The following attributes are also reviewed that govern IB activity :

Integration Broker Profile Values

Field

Description

Recommendation

IB_PROFILESTATUS

IB Profile Status. If enabled, IB will show performance information.

For production or Internet facing set to off.

IB_ENABLELOG

Enables logging

 

For production or Internet facing set to off.

IB_LOGLEVEL

Log Level  (if logging is enabled)

1= Standard gateway exception errors.

  1. 2 = All errors and warnings (Default.)
  • 3 = Errors, warnings and important information.
  • 4 = Errors, warnings, important and standard information.
  • 5= Errors, warnings important, standard and low importance information

Default: 2

IB_DEPTHLIMIT

Checks for recursion within messages (number of levels) to ensure that messages do not reference themselves.

Value between 3 and 50

Default: 20

IB_MASTER_OVERRIDE

Determines if Master processing returns statistics in the Output Information section after a Post.

For production or Internet facing set to off.

IB_PRE_848

Pre-848 Tools Release

Default is N

IB_MULTIACT_DOMAIN

By default, only one domain may be active in the Integration Broker system. However, PeopleSoft provides the option to enable the activation of multiple domains.

Off unless required.

IB_USEIPADDRESS

Determines if the application server URL for a synchronous slave template uses the application server IP address:  e.g. URL format from <machine name>:<jolt port> to IP address

On

 

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Logging and Auditing

Tue, 2016-07-05 06:00

Logging and auditing are one of the pillars of PeopleSoft Security.  Both application and database auditing is required. Logging and auditing support a trust-but-verify approach which is often deemed required to secure the activities of privileged system and database administrators.

While both the application and database offer sophisticated auditing solutions, one key feature Integrigy always recommends is to ensure that EnableDBMononitoring is enabled within the psappssrv.cfg file. This is set by default but we at times find it disabled.

When enabled EnableDBMononitoring allows PeopleSoft application auditing to bridge or flow into database auditing. This is done by populating the Oracle Client_Info variable with the PeopleSoft User Id, IP address and program name. With Oracle RDBMS auditing enabled, anything written to Client_Info is also written into the database audit logs.

In other words, with both database and EnableDBMononitoring enabled, you can report on which user updated what and when – not just that the PeopleSoft application or ‘Access ID’ issued an update statement.

The graphics below we commonly use to help review Integrigy’s approach to PeopleSoft logging and auditing.

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Auditing, Oracle PeopleSoft, Auditor
Categories: APPS Blogs, Security Blogs

PeopleSoft Database Secure Baseline Configuration

Mon, 2016-06-27 06:00

PeopleSoft, similar to other major ERP applications, while depending on a database to store information, arguably does not secure the supporting database. The security of the database is the client’s responsibility.

In order to give a few examples of what we are talking about when we refer to database security, the following are several of the 200+ database security checks that Integrigy performs during our PeopleSoft security configuration assessments - take a look today at your database for a few quick checks:

  • Limit direct database access whenever possible. This is always our number one recommendation – how isolated is your database?
  • Database CPU patching – have you applied the latest database CPU patches?
  • Logging and auditing – do you have auditing enabled? How much? What monitoring tools and processes do you have?
  • Database passwords – especially key accounts such as the Connect Id, Access Id, IB and PS – are they set to weak or default passwords? Are you using profiles?
  • Permissions and authorizations – when was the last time you reviewed them? How many users have SELECT ANY TABLE privileges?
  • Ensure the Default tablespace should never be ‘SYSTEM’ or PSDEFAULT for named users. These should be reserved for the Oracle RDBMS and application respectively
  • Do not use SYSADM for day-to-day support. Use named accounts instead, are you?

If you have questions, please contact us at info@integrigy.com

Michael A. Miller, CISSP-ISSMP, CCSP

References

PeopleSoft Database Security

PeopleSoft Security Quick Reference

Oracle Database, Oracle PeopleSoft, Auditor
Categories: APPS Blogs, Security Blogs

Pages