APPS Blogs

Oracle E-Business Suite Critical Patch Update (CPU) Planning for 2016

With the start of the new year, it is now time to think about Oracle Critical Patch Updates for 2016.  Oracle releases security patches in the form of Critical Patch Updates (CPU) each quarter (January, April, July, and October).  These patches include important fixes for security vulnerabilities in the Oracle E-Business Suite and its technology stack.  The CPUs are only available for certain versions of the Oracle E-Business Suite and Oracle Database; therefore, advance planning is required to ensure supported versions are in use, and mitigating controls may be required when the CPUs cannot be applied in a timely manner.

For 2016, CPUs for Oracle E-Business Suite will become a significant focus as a large number of security vulnerabilities for the Oracle E-Business Suite will be fixed.  The January 2016 CPU for the Oracle E-Business Suite (EBS) will include 78 security fixes for a wide range of security bugs with many being high risk such as SQL injection in web facing self-service modules.  Integrigy anticipates the next few quarters will have an above average number of EBS security fixes (average is 7 per CPU since 2005).  This large number of security bugs puts Oracle EBS environments at significant risk as many of these bugs will be high risk and well publicized.

Supported Oracle E-Business Suite Versions

Starting with the April 2016 CPU, only 12.1 and 12.2 will be fully supported for CPUs moving forward.  11.5.10 CPU patches for April 2016, July 2016, and October 2016 will only be available to customers with an Advanced Customer Support (ACS) contract.  There will be no 11.5.10 CPU patches after October 2016.  CPU support for 12.0 ended as of October 2015.

11.5.10 Recommendations
  1. When possible, the recommendation is to upgrade to 12.1 or 12.2.
  2. Obtaining an Advanced Customer Support (ACS) contract is a short-term (until October 2016) solution, but is an expensive option.
  3. An alternative to applying CPU patches is to use Integrigy's AppDefend, an application firewall for Oracle EBS, in proxy mode, which blocks EBS web security vulnerabilities.  AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.

In order to mitigate some mod_plsql security vulnerabilities, all Oracle EBS 11i environments should look at limiting the enabled mod_plsql web pages.  The script /patch/115/sql/txkDisableModPLSQL.sql can be used to limit the allowed pages to those listed in FND_ENABLED_PLSQL.  This script was introduced in 11i.ATG_PF.H and the most recent version is in 11i.ATG_PF.H.RUP7.  This change must be thoroughly tested, as it may block a few mod_plsql pages used by your organization.  Review the Apache web logs for the pattern '/pls/' to see which mod_plsql pages are actively being used.  This fix is included and implemented as part of the January 2016 CPU.
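As an added example (not Integrigy's or Oracle's code), the following Python script carries out the log review described above: it parses Apache access log lines, counts the mod_plsql pages actually called under /pls/, and reports which in-use pages a given allowlist would block.  The log lines, the DAD name VIS and the allowlist are constructed; in practice the allowlist is the content of FND_ENABLED_PLSQL after txkDisableModPLSQL.sql has been applied.

```python
import re
from collections import Counter

# Constructed Apache combined-format access log lines (sample data, not from a real instance).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2016:09:15:01 +0000] "GET /pls/VIS/fnd_icx_launch.launch?resp_app=SYSADMIN HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Jan/2016:09:15:04 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2016:09:16:10 +0000] "GET /pls/VIS/OracleSSWA.Execute?E=abc HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2016:09:17:22 +0000] "POST /pls/VIS/fnd_icx_launch.launch HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Jan/2016:09:18:03 +0000] "GET /pls/VIS/some_custom_pkg.show_page HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2016:09:19:45 +0000] "GET /pls/VIS/fnd_gfm.get?id=1 HTTP/1.1" 404 300 "-" "curl/7.29"
"""

# Constructed allowlist standing in for the procedures left enabled in FND_ENABLED_PLSQL;
# the real list comes from your own database.
ALLOWED = {"fnd_icx_launch.launch", "oraclesswa.execute"}

# Request line of a /pls/ call: method, path (query string excluded), then the HTTP status.
LINE_RE = re.compile(
    r'"(?:GET|POST|HEAD) (?P<path>/pls/[^ ?"]+)[^"]*" (?P<status>\d{3}) '
)


def mod_plsql_usage(log_text):
    """Count successful (2xx/3xx) mod_plsql requests per (DAD, procedure).

    The procedure name is lower-cased because PL/SQL identifiers are
    case-insensitive: FND_ICX_LAUNCH.LAUNCH and fnd_icx_launch.launch
    are the same page.
    """
    usage = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a /pls/ request
        if int(m.group("status")) >= 400:
            continue  # an error response is not evidence that the page is in use
        parts = m.group("path").split("/")  # ['', 'pls', DAD, 'pkg.proc']
        if len(parts) < 4 or not parts[3]:
            continue
        usage[(parts[2], parts[3].lower())] += 1
    return usage


def pages_not_allowed(usage, allowed):
    """Return the in-use pages that the allowlist would block, with their hit counts."""
    allowed = {p.lower() for p in allowed}
    return {key: n for key, n in usage.items() if key[1] not in allowed}


if __name__ == "__main__":
    usage = mod_plsql_usage(SAMPLE_LOG)
    for (dad, proc), n in usage.most_common():
        print(f"{n:6d}  /pls/{dad}/{proc}")
    print("Would be blocked by the allowlist:", pages_not_allowed(usage, ALLOWED))
```

Run it against a real access_log by reading the file into `mod_plsql_usage` and passing the FND_ENABLED_PLSQL names as the allowlist; anything it reports must be either tested after the script is applied or added back to the enabled list.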

12.0 Recommendations
  1. As no security patches are available for 12.0, the recommendation is to upgrade to 12.1 or 12.2 when possible.
  2. If upgrading is not feasible, Integrigy's AppDefend, an application firewall for Oracle EBS, provides virtual patching for EBS web security vulnerabilities as well as blocking common web vulnerabilities such as SQL injection and cross-site scripting (XSS).  AppDefend is a simple-to-implement and cost-effective solution when upgrading EBS is not feasible.

12.1 Recommendations
  1. 12.1 is supported for CPUs through October 2019 for implementations where the minimum baseline is maintained.  The current minimum baseline is the 12.1.3 Application Technology Stack (R12.ATG_PF.B.delta.3).  This minimum baseline should remain consistent until October 2019, unless a large number of functional-module-specific (e.g., GL, AR, AP) security vulnerabilities are discovered.
  2. For organizations where applying CPU patches is not feasible within 30 days of release, or where Internet-facing self-service modules (e.g., iSupplier, iStore) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).

12.2 Recommendations
  1. 12.2 is supported for CPUs through July 2021, as there will be no extended support for 12.2.  The current minimum baseline is 12.2.3 plus roll-up patches R12.AD.C.Delta.7 and R12.TXK.C.Delta.7.  Integrigy anticipates the minimum baseline will creep up as new RUPs (12.2.x) are released for 12.2.  Your planning should anticipate that the minimum baseline will be 12.2.4 in 2017 and 12.2.5 in 2019 with the releases of 12.2.6 and 12.2.7.  With the potential release of 12.3, a minimum baseline of 12.2.7 may be required in the future.
  2. For organizations where applying CPU patches is not feasible within 30 days of release, or where Internet-facing self-service modules (e.g., iSupplier, iStore) are used, AppDefend should be used to provide virtual patching of known, not yet patched web security vulnerabilities and to block common web security vulnerabilities such as SQL injection and cross-site scripting (XSS).

EBS Database Recommendations
  1. As of the October 2015 CPU, the only CPU-supported database versions are 11.2.0.4, 12.1.0.1, and 12.1.0.2.  CPU support for 11.1.0.7 and 11.2.0.3 ended as of July 2015.  The final CPU for 12.1.0.1 will be July 2016.
  2. When possible, all EBS environments should be upgraded to 11.2.0.4 or 12.1.0.2, which are supported for all EBS versions including 11.5.10.2.
  3. If database security patches (SPU or PSU) cannot be applied in a timely manner, the only effective mitigating control is to strictly limit direct database access.  In order to restrict database access, Integrigy recommends using the EBS feature Managed SQL*Net Access, Oracle Connection Manager, network restrictions and firewall rules, and/or terminal servers and bastion hosts.
  4. Regardless of whether security patches are regularly applied, general database hardening such as changing database passwords, optimizing initialization parameters, and enabling auditing should be done for all EBS databases.
Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

Extranet login redirects to intranet URL

Vikram Das - Thu, 2016-01-14 10:15
For an old 11.5.10.2 ERP, we are moving from the architecture of "EBS application server in DMZ" to the architecture of "Reverse Proxy in DMZ and EBS application server in intranet".  After doing all configurations, we hit the classic issue where you log in through the extranet URL visible on the public internet, which redirects to the intranet URL.

So https://extranet.example.com asks for SSO details and after keying in SSO username and password goes to http://intranet.example.com.

The support.oracle.com article DMZ Configuration with Oracle E-Business Suite 11i (Doc ID 287176.1) lists 4 checks which could be the reason for this issue:

H6: Redirection to an Incorrect Server During Login
If you are getting redirected to an incorrect server during the login process, check the following:
  • Whether the hierarchy type of the profile options mentioned in Section 5.1 is set to SERVRESP.
  • select PROFILE_OPTION_NAME,HIERARCHY_TYPE from fnd_profile_options where profile_option_name in
    ('APPS_WEB_AGENT','APPS_SERVLET_AGENT','APPS_JSP_AGENT','APPS_FRAMEWORK_AGENT' ,'ICX_FORMS_LAUNCHER','ICX_DISCOVERER_LAUNCHER','ICX_DISCOVERER_VIEWER_LAUNCHER','HELP_WEB_AGENT','APPS_PORTAL','CZ_UIMGR_URL','ASO_CONFIGURATOR_URL','QP_PRICING_ENGINE_URL','TCF:HOST');

    PROFILE_OPTION_NAME               HIERARCHY_TYPE
    --------------------------------  --------------
    APPS_FRAMEWORK_AGENT              SERVRESP
    APPS_JSP_AGENT                    SERVRESP
    APPS_PORTAL                       SERVRESP
    APPS_SERVLET_AGENT                SERVRESP
    APPS_WEB_AGENT                    SERVRESP
    ASO_CONFIGURATOR_URL              SERVRESP
    CZ_UIMGR_URL                      SERVRESP
    HELP_WEB_AGENT                    SERVRESP
    ICX_DISCOVERER_LAUNCHER           SERVRESP
    ICX_DISCOVERER_VIEWER_LAUNCHER    SERVRESP
    ICX_FORMS_LAUNCHER                SERVRESP
    QP_PRICING_ENGINE_URL             SERVRESP
    TCF:HOST                          SERVRESP

    All good on this point.

  • Whether the profile option values for the fnd profile options (APPS_FRAMEWORK_AGENT, APPS_WEB_AGENT, APPS_JSP_AGENT, APPS_SERVLET_AGENT) are pointing to the correct node. Replace the node_id with the node_id of the external and internal web tier. For example (the last argument, server_id, is the placeholder <node_id>):
  • select fnd_profile.value_specific('APPS_FRAMEWORK_AGENT',null,null,null,null,<node_id>) from dual;
    This query returned https://extranet.example.com

  • Whether the dbc file pointed to by the JVM parameter (JTFDBCFILE) in jserv.properties exists.
  • wrapper.bin.parameters=-DJTFDBCFILE=
    This was incorrect.  It was pointing to the intranet jdbc file location.

  • Whether the value of the parameter APPL_SERVER_ID set in the dbc file for the node is the same as the value of the server_id in the fnd_nodes table.
    select node_name,node_id,server_id from fnd_nodes;
    This was overwritten in the dbc file, with appl_server_id of intranet when autoconfig was done on intranet and overwritten with appl_server_id of extranet when autoconfig was done on extranet, as the DBC file location and name were same for both intranet and extranet.
I asked the DBA team to manually correct the dbc file name inside $IAS_CONFIG_HOME/Apache/Apache/Jserv/etc/jserv.properties
and create a file of that name in $FND_SECURE/$CONTEXT_NAME.dbc on the extranet node and bounce services.  Once that was done, we tested and it worked.  No more redirection to the intranet URL.

Then I asked them to correct the s_dbc_file_name variable in the context file of the extranet node, run autoconfig on extranet, verify the value of the DJTFDBCFILE parameter in jserv.properties, verify that the DBC file had the server_id of the extranet node, and restart all services.
Checked again, and it worked again.

So apart from checking the values of context file variables like s_webentryhost, s_webentrydomain and s_active_port, you also need to check the value of s_dbc_file while verifying the setups for extranet configuration. This can happen in 11i, R12.1 and R12.2 as well.
Categories: APPS Blogs

Legal Entity Document Sequencing in Receivables

OracleApps Epicenter - Thu, 2016-01-07 02:55
You need to consider these points when you are trying to set up Legal Entity Document Sequencing in Receivables. You can set up your primary ledger to allow document sequencing at the legal entity level instead of at the ledger level. This means if you have more than one legal entity assigned to the same ledger, you […]
Categories: APPS Blogs

Safe Cialis mail order: what is the quality of Cialis made in China?

The Feature - Tue, 2016-01-05 20:06

Cialis has a large worldwide share as a treatment for ED (erectile dysfunction). It is as popular as Viagra, and its popularity is gradually overtaking Viagra's.
It is valued for having milder effects and a lower risk of side effects than Viagra, for a longer duration of action (36 hours, about six times that of Viagra), and for not being affected by food.
There are many sites selling Cialis online, but not all of them handle drugs of the same quality. Some vendors deal in counterfeits or obtain their stock through illegal channels.
Before using a Cialis mail-order site, confirm in advance that you can reach the vendor by telephone, e-mail, fax, or similar.
Some Cialis is made in China, and there have been reports that some Chinese factories were producing Cialis at the same plant where they were illicitly manufacturing stimulants (amphetamine). The hygiene conditions of those factories were also said to be extremely poor, with a risk of stimulant ingredients contaminating the Cialis.
Of course, not every factory in China is at this level. There are also drugs produced on legitimate lines under proper hygiene control.
But if you simply assume from the start that everything is fine, you risk ending up with counterfeit or substandard products.
When importing personally from overseas, compare Cialis mail-order sites thoroughly. A proper vendor will issue documents such as genuine-product certificates and ingredient guarantees. Many also clearly state side effects and other things that could be to the user's disadvantage.
Conversely, vendors whose advertising lists only the good points may be of low quality. Take your time in vetting the vendor.

The post "Safe Cialis mail order: what is the quality of Cialis made in China?" appeared first on シアリス通販情報.

Categories: APPS Blogs

Happy New Year 2016 , best wishes to all

OracleApps Epicenter - Sat, 2016-01-02 01:49
'Tis the season to be jolly! Time truly flies when you are doing the things you love, and with another year behind us, we can't help but feel a little nostalgic and look back at what the past twelve months have brought us. It was a busy year on the personal and professional side. In terms […]
Categories: APPS Blogs

Oracle Management Cloud : The Next Generation Real-Time Monitoring and Analytics IT Tool

OracleApps Epicenter - Sat, 2016-01-02 01:21
Oracle Management Cloud (OMC) is a suite of next-generation integrated monitoring, management, and analytics cloud services built on a scalable big data platform that provides real-time analysis and deep technical and business insights. With OMC you can eliminate disparate silos across end-user and infrastructure data, troubleshoot problems quickly, and run IT like a business. OMC meets […]
Categories: APPS Blogs

Calling all Apps DBAs doing 11i to R12.x upgrades

Vikram Das - Tue, 2015-12-22 09:02
At this time of the year during holidays, the Apps DBA community is busy doing upgrades as longer downtimes are possible.  In case you are facing any issues, please feel free to write to me at my email: oracleappstechnology@gmail.com .  I will be glad to hear from you and help you.
Categories: APPS Blogs

11i pre-upgrade data fix script ap_wrg_11i_chrg_alloc_fix.sql runs very slow

Vikram Das - Wed, 2015-12-16 20:51
We are currently upgrading one of our ERP instances from 11.5.10.2 to R12.2.5.  One of the pre-upgrade steps is to execute the data fix script ap_wrg_11i_chrg_alloc_fix.sql.  However, this script has been running very, very slow.  After 4 weeks of monitoring, logging SRs with Oracle, escalating, etc., we started a group chat today with our internal experts.  We had Ali, Germaine, Aditya, Mukhtiar, Martha Gomez and Zoltan.  I also invited our top-notch EBS Techstack expert John Felix.  After doing an explain plan on the SQL, and based on the updates being done by the query, I predicted that it would take 65 days to complete.

John pointed out that the query was using the index AP_INVOICE_DISTRIBUTIONS_N4, which had a very high cost.  We used an SQL profile that replaced AP_INVOICE_DISTRIBUTIONS_N4 with AP_INVOICE_DISTRIBUTIONS_U1.  The query started running faster, and my new prediction was that it would complete in 5.45 days.

John mentioned that now another select statement was using the same index AP_INVOICE_DISTRIBUTIONS_N4 that had a very high cost.

After discussing among ourselves, we decided to drop the index, run the script and re-create the index. Aditya saved the definition of the index and dropped it.

DBMS_METADATA.GET_DDL('INDEX','AP_INVOICE_DISTRIBUTIONS_N4','AP')
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  CREATE INDEX "AP"."AP_INVOICE_DISTRIBUTIONS_N4" ON "AP"."AP_INVOICE_DISTRIBUTIONS_ALL" ("ACCOUNTING_DATE")
  PCTFREE 10 INITRANS 11 MAXTRANS 255 COMPUTE STATISTICS
  STORAGE(INITIAL 131072 NEXT 131072 MINEXTENTS 1 MAXEXTENTS 2147483645
  PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1
  BUFFER_POOL DEFAULT FLASH_CACHE DEFAULT CELL_FLASH_CACHE DEFAULT)
  TABLESPACE "APPS_TS_TX_IDX"

1 row selected.

SQL> drop index AP.AP_INVOICE_DISTRIBUTIONS_N4;

Index dropped.

The updates started happening blazing fast.  The whole thing got done in 39 minutes and we saw the much awaited:

SQL> set time on
16:34:16 SQL> @ap_wrg_11i_chrg_alloc_fix.sql
Enter value for resp_name: Payables Manager
Enter value for usr_name: 123456
-------------------------------------------------------------------------------
/erp11i/applcsf/temp/9570496-fix-16:34:40.html is the log file created
-------------------------------------------------------------------------------

PL/SQL procedure successfully completed.

17:13:36 SQL>

From 65 days to 5.45 days to 39 minutes.  Remarkable.  Thank you John for your correct diagnosis and solution.
Categories: APPS Blogs

Cialis, which may improve arteriosclerosis, in Kawasaki

The Feature - Sat, 2015-12-05 23:39

Among people working at companies around Kawasaki, some may have been told at a health checkup that they have arteriosclerosis, and may also be suffering from ED.
Arteriosclerosis is a condition caused by lifestyle problems such as overeating and drinking, smoking, lack of sleep, and stress. Left untreated, it can eventually progress to life-threatening diseases such as myocardial infarction or stroke, so caution is needed.
Since impaired blood flow from arteriosclerosis also leads to ED, the inability to achieve a normal erection, some people even regard the onset of ED itself as a warning sign of myocardial infarction.
Therefore, if ED improves, that means blood flow has improved, and recent studies have reported that ED drugs such as Cialis may be expected to prevent or improve arteriosclerosis.
In fact, this has not yet been studied in much depth, so it is not clearly known whether ED drugs such as Cialis really prevent or improve arteriosclerosis.
What dose, which type, and at what intervals it would be effective are all still at the research stage, so people with arteriosclerosis should not deliberately take Cialis in an attempt to treat it.
Since this is only a hope at this stage, when taking Cialis in Kawasaki, use it only to improve erectile dysfunction.
Cialis remains effective for about 20 to 24 hours at 10 mg and about 30 to 36 hours at 20 mg, so it is a very effective ED drug when you want to spend the weekend with your girlfriend or wife.
To obtain Cialis in Kawasaki, it is best to have it prescribed at a specialist ED clinic, but if there is none nearby, use the internet and order from a personal-import agent.

The post "Cialis, which may improve arteriosclerosis, in Kawasaki" appeared first on シアリス通販情報.

Categories: APPS Blogs

You can obtain Cialis by going to a urology clinic in Toyama

The Feature - Wed, 2015-11-25 20:30

You can obtain Cialis by going to a urology clinic in Toyama. Urology clinics in Toyama offer the three ED drugs approved by the national government. One of those three is the drug called Cialis, and when a consultation determines that it is needed, you can buy Cialis on the spot. Because urology clinics in Toyama stock genuine ED drugs, you can consult them whenever you want, even without bringing your health insurance card.
At present, going to a clinic like this is the most common way to obtain ED drugs. You need to know that attitudes toward drugs in Japan and overseas are completely different. Basically, Japan is extremely strict in its review of drugs made overseas. It is not unusual for a drug to be approved for use in specific hospitals while still not being permitted on the general market.
Worldwide, drugs that are already available on the general market are called generic drugs. Generic drugs can deliver exactly the same effect as the drugs prescribed in hospitals, so the drugs sold on the market are very popular. However, in overseas markets, counterfeits circulate, particularly in the area of ED drugs. Preventing such counterfeits from entering the country as generic drugs is also Japan's responsibility, which is why careful scrutiny of drugs is so important.
Cialis is the most excellent of the ED drugs. Not only in duration of action but also in side effects, which are far lower than with other drugs, it is the most popular drug in the world. For that reason, the proportion of counterfeits manufactured is also very high. If you have it prescribed at a hospital, you can be sure of obtaining genuine Cialis, which is reassuring.

The post "You can obtain Cialis by going to a urology clinic in Toyama" appeared first on シアリス通販情報.

Categories: APPS Blogs

sqlplus core dumps with segmentation fault error in OEL 6.6 when you connect to DB

Vikram Das - Mon, 2015-11-16 16:23
We used an OEL 6.6 image in our latest build.  When we cloned an EBS R12.2 instance that was on OEL 5.7 to this new server running OEL 6.6, adcfgclone.pl failed during the clone.  On further checks, we discovered that sqlplus was crashing with a segmentation fault error whenever we tried to connect to the database:

sqlplus /nolog
conn apps/apps
Segmentation Fault

So I suggested that the DBAs run strace sqlplus apps/apps.  The strace revealed many missing libraries:

We had another working OEL 6.4 instance where we checked for these libraries, and all of them were present.

The locate command was used to find the full directory paths of the missing libraries:

locate libnss_sss.so.2
/lib/libnss_sss.so.2

/lib/libnss_sss.so.2
/lib/libnss_files.so.2
/lib/libociei.so
/lib/libc.so.6
/lib/libgcc_s.so.1
/lib/libnsl.so.1
/lib/libpthread.so.0

Then rpm -qf command was used to find out the rpm that would have the library:

$ rpm -qf /lib/libnss_sss.so.2
sssd-client-1.11.6-30.el6_6.3.i686
$ rpm -qf /lib/libnss_files.so.2
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libociei.so
error: file /lib/libociei.so: No such file or directory
$ rpm -qf /lib/libc.so.6
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libgcc_s.so.1
libgcc-4.4.7-3.el6.i686
$ rpm -qf /lib/libnsl.so.1
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libpthread.so.0
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libm.so.6
glibc-2.12-1.149.el6_6.9.i686
$ rpm -qf /lib/libdl.so.2
glibc-2.12-1.149.el6_6.9.i686

Since 10.1.2 home is 32-bit in EBS R12.1 and 12.2, all the libraries needed to be 32-bit.

Except for sssd-client, the other rpms were present.  The 64-bit version of sssd-client was present, and whenever we tried to install the 32-bit rpm it would give this error, as the operating system thinks that it is already installed:

# yum install sssd-client.i686
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package sssd-client.i686 0:1.12.4-47.el6 will be installed
--> Finished Dependency Resolution
Error:  Multilib version problems found. This often means that the root
       cause is something else and multilib version checking is just
       pointing out that there is a problem. Eg.:

         1. You have an upgrade for sssd-client which is missing some
            dependency that another package requires. Yum is trying to
            solve this by installing an older version of sssd-client of the
            different architecture. If you exclude the bad architecture
            yum will tell you what the root cause is (which package
            requires what). You can try redoing the upgrade with
            --exclude sssd-client.otherarch ... this should give you an error
            message showing the root cause of the problem.

         2. You have multiple architectures of sssd-client installed, but
            yum can only see an upgrade for one of those arcitectures.
            If you don't want/need both architectures anymore then you
            can remove the one with the missing update and everything
            will work.

         3. You have duplicate versions of sssd-client installed already.
            You can use "yum check" to get yum show these errors.

       ...you can also use --setopt=protected_multilib=false to remove
       this checking, however this is almost never the correct thing to
       do as something else is very likely to go wrong (often causing
       much more problems).

       Protected multilib versions: sssd-client-1.12.4-47.el6.i686 != sssd-client-1.11.6-30.el6_6.4.x86_64


# rpm -qa | grep sssd-client
sssd-client-1.11.6-30.el6_6.4.x86_64

Eventually we installed it with the force option:

# rpm -Uvh --force /tmp/sssd-client-1.11.6-30.el6_6.3.i686.rpm

# rpm -qa | grep sssd-client
sssd-client-1.11.6-30.el6_6.3.i686
sssd-client-1.11.6-30.el6_6.4.x86_64

pam-ldap was one of the other rpms installed for other missing libraries.  Surprisingly, the sssd-client and pam-ldap rpms are not mentioned as prerequisites in the support.oracle.com article:
Oracle E-Business Suite Installation and Upgrade Notes Release 12 (12.2) for Linux x86-64 (Doc ID 1330701.1) 
Categories: APPS Blogs

twm: unable to open fontset "-adobe-helvetica-bold-r-normal--*-120-*-*-*-*-*-*"

Vikram Das - Mon, 2015-11-16 15:59
While launching twm, it gives this error and exits to the Unix prompt:

twm: unable to open fontset "-adobe-helvetica-bold-r-normal--*-120-*-*-*-*-*-*"

I found a solution on http://ubuntuforums.org/archive/index.php/t-1596636.html :

It was reported here for fedora: https://bugzilla.redhat.com/show_bug.cgi?id=509639. The workaround is to execute it with a specific shell variable:

$ LANG=C
$ export LANG
twm &

twm launches fine after this.
Categories: APPS Blogs

Oracle SSO Failure - Unable to process request Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured

Vikram Das - Sat, 2015-11-14 14:57
Today, during a cutover when we were moving one of our ERP instances from Cisco UCS VMware VMs to Exalogic and Exadata, I got a call from Bimal.  The extranet iSupplier URL had been configured, but whenever any user logged in, they saw the following error instead of the iSupplier OAF home page:

Oracle SSO Failure - Unable to process request Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured

A search on support.oracle.com showed many hits.  I went through a few of them and ruled out the solutions given. This article sounded promising: Oracle SSO Failure - Unable to process request Either the requested URL was not specified in terms of a fully-qualified host name or OHS single sign-on is incorrectly configured (Doc ID 1474474.1).

The solution suggested:

There is a hardware load balancer for a multi-tier environment in place, as well as an SSL accelerator.

For R12, there is a context variable, s_enable_sslterminator, that was set to "#".

This should be null for E-Business R12 using the specific hardware mentioned before.

1. Set context variable s_enable_sslterminator to null,

2. Re-ran autoconfig,

3. Re-test: single sign-on via IE and Firefox now works as expected.

I asked the DBAs to check the value of s_enable_sslterminator:

grep s_enable_sslterminator

and sure enough, the value was #.

As per article Enabling SSL or TLS in Oracle E-Business Suite Release 12 (Doc ID 376700.1), the value of s_enable_sslterminator should be made null if you are using an SSL accelerator.  In our case we use SSL certificate on the Load Balancer and never on Web servers.

The DBAs removed the #
Ran autoconfig
Deregistered SSO
Registered SSO

The user was able to login after that.



Categories: APPS Blogs

Basic OBIEE Enumeration Checklist

Several clients and partners have asked for this checklist lately. Posting it for those who may find it useful:

  1. If possible ask for the following:
    1. System diagram
    2. All URLs – WebLogic, Enterprise Manager and OBIEE
    3. Ask about load balancer and reverse proxy
    4. WebLogic accounts and passwords for both /EM and /Console
    5. TNSNAMES info and DB accounts and passwords for WebLogic repository database
    6. Ideally O/S accounts and passwords for server supporting WebLogic – will need for WLST scripts
    7. Request copy of config.xml file for each environment. If o/s accounts are surrendered these can be easily obtained.
  2. Network probe
    1. NMAP scan for WebLogic and OBIEE ports 7001, 9701 and 9703. Suggest scanning 9700 – 9710. Also NMAP scan for Oracle networking 1521 (default).  Suggest scanning 1520-1530
    2. Check WebLogic and OBIEE specific URLs. For public facing, use Google. For internal construct URLs using information gathered from NMAP:

    Tool                            URL
    Administration Server Console   http://host:port/console
    Enterprise Manager Console      http://host:port/em
    Enterprise Manager Agent        http://host:port/emd/main
    Oracle Portal                   http://host:port/portal/pls/portal
    Oracle Forms                    http://host:port/forms/frmservlet
    Oracle Reports                  http://host:port/reports/rwservlet
    Oracle Discoverer Viewer        http://host:port/discoverer/viewer
    WebLogic                        If external Google: intitle:"WebLogic Server" intitle:"Console Login" inurl:console –site:targetdomain.com
    OBIEE                           Look for: analytics/saw.dll (e.g. if external Google: Inurl: analytics/saw.dll –site:targetdomain.com)

  3. Inventory the databases associated with WebLogic. Issue the following from the repository databases:
    1. SELECT * FROM SYSTEM.SCHEMA_VERSION_REGISTRY$;
    2. SELECT * FROM PRODUCT_COMPONENT_VERSION;
  4. Read and analyze the primary WebLogic configurations. The primary config file is /domains/DOMAIN_NAME/config/config.xml
  5. Get server information; suggest running WLST scripts for this. Google has several good examples: 'wlst script list servers and information'
  6. Get WebLogic user information; suggest running WLST scripts for this. Google has several good examples: 'wlst script list users'
  7. For OBIEE, authentication will first be done by WebLogic. WebLogic will determine who can access OBIEE. WebLogic groups may or may not then drive authorization. Older OBIEE solutions also might internally authenticate within the repository (RPD).  Overall security authorization within OBIEE can be controlled at various levels: Catalog/Presentation, RPD, within the data sources, or a combination of all of these. There can also be no security/authorization, e.g. authentication by WebLogic to use OBIEE and then handoff to a PUBLIC / generic OBIEE report.
Oracle Fusion Middleware, Oracle Business Intelligence (OBIEE)
Categories: APPS Blogs, Security Blogs

Multi-Element Arrangements

OracleApps Epicenter - Sat, 2015-11-07 07:10
A multi-element arrangement occurs when a vendor agrees to provide more than one product or a combination of products and services to a customer in an arrangement. Multi-element arrangements may include additional software products, rights to purchase additional software products at a significant incremental discount, specified upgrades or enhancements, hardware, PCS or other services. Multiple-element […]
Categories: APPS Blogs

How To Install Latest Verisign G5 Root Certificates

Vikram Das - Wed, 2015-10-21 16:48
Dhananjay pinged me today and told me that for their Paypal integration, they had to upgrade to Verisign G5 root certificate.  This was the message from Paypal:

Global security threats are constantly changing, and the security of our merchants continues to be our highest priority. To guard against current and future threats, we are encouraging our merchants to make the following upgrades to their integrations:
  1. Update your integration to support certificates using the SHA-256 algorithm. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm.
  2. Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer honor secure connections that require the VeriSign G2 Root Certificate for trust validation. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.
For detailed information on these changes, please reference the Merchant Security System Upgrade Guide. For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.

There is a support.oracle.com article published on October 16, 2015 which has detailed steps for 11i and R12.1:

How To Install Latest Verisign Root Certificates For Use With Paypal SDK 4.3.X (Doc ID 874433.1)

The Verisign G5 root certificate can be downloaded from:

Paypal Microsite about this change: https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766&expand=true&locale=en_US

Categories: APPS Blogs

Apple Logo

iAdvise - Wed, 2015-10-21 08:00
As simple as it is, the story about the Apple logo's inspiration is quite true, because very many people have done research on it and ended up with this result. This actually triggered some emotions from a number of people, who said that the story was quite touching and they would never have thought of it in that way. There are still a few people, however, who believe that it is a myth. This is probably because very many theories have been made up on the topic.

Apple is arguably one of the best mobile phone brands that are found in the market today. The company is always rolling out new versions of the phone which come with better specs so that they can fit in the ever changing technology world. There are numerous versions that people have come up with as to the origin of the Logo inspiration. Below however you will find the real story behind it to know how it really came about.


A gentleman by the name of John Kates claimed that the Apple logo found on the back of the Mac or iPhone was done as a tribute to another gentleman, Alan Turing. Turing was the man who laid the foundations used for modern-day computers. He pioneered research into artificial intelligence and also cracked the codes used by Germany in wartime. He died ten years after the war had ended, and this provided the link with the brand. Facing jail after being charged with indecency, unrecognized for his great work, and humiliated by the estrogen injections he was given in a bid to "cure" his sexuality were some of the frustrations that made him bite into an apple that had been laced with cyanide.

Alan Turing died on 7 June 1954 in obscurity, exactly ten years and a day after the Normandy landings, which made copious use of the intelligence gleaned by his methods. Before iOS 7 was introduced to the market, the story goes, two entrepreneurs in Stanford were searching for a logo for their new computer company. After some time they remembered the contribution that Turing had made to the industry and decided to work with an apple, not a whole one but one that had been bitten.

Among the other theories advanced about the apple are that the founders drew on the story of the first people, Adam and Eve, when Eve bit the apple, and that the fruit is the one that helped Sir Isaac Newton develop the concept of gravity. Supporters of the latter believe that the logo was first known as the Newton before it changed its name. This can be challenged, however, because that happened more than ten years after the logo had been created. The developer dismisses the two theories and tends to agree with the Turing version, calling it an incredible urban legend.
Categories: APPS Blogs

sftp failure due to newline character difference between windows and unix.

Vikram Das - Fri, 2015-10-09 21:36
Recently I spent almost a full day struggling to work out why an sftp connection would not work without a password after setting up ssh equivalence. The keys were correct, the permissions on the directories were correct, and the authorized_keys file looked OK. I copied the authorized_keys file of another account that was working fine. When I replaced the authorized_keys file, after taking a backup of the original, it started working. So then I proceeded to check the contents in a hex editor:


On the left side you have the authorized_keys file created in Windows.
On the right side you have the same authorized_keys file created in Unix.

If you look at the ends of the lines, the Windows file shows CR LF, whereas the Unix file shows LF.

This difference is well described in the Wikipedia article on the newline character.

The one mistake I had made this time was creating the authorized_keys file in Windows Notepad, as I was teaching a developer how to create an authorized_keys file. Once I used vi on Unix to create the authorized_keys file and pasted in the same ssh key, sftp started working without prompting for a password. I know that Windows/DOS and Unix have different newline characters. However, I was not able to apply that knowledge until I compared the files in a hex editor.

Whenever a techie is able to get to the root cause of a problem, a deep sense of satisfaction is experienced. I am glad I got the opportunity to troubleshoot and fix the issue by getting to its root cause.
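The check that would have found this in a minute, as an added example of mine and not part of Vikram's post: a POSIX shell script that counts the CR (0x0d) bytes a Windows editor leaves at the end of each authorized_keys line, strips them in place with a backup, and verifies the file mode that sshd's StrictModes setting insists on. The temporary file path and the two sample key lines are constructed for the demo; they are not real keys and not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: find and strip the CR bytes that a
# Windows editor leaves at the end of every line of authorized_keys. sshd reads
# each key line literally, so "ssh-rsa AAAA... user@host\r" never matches the
# key the client offers and authentication silently falls back to a password.

# Print the number of CR (0x0d) bytes in the file; 0 means it is clean.
count_cr() {
    # tr -cd keeps only CRs, wc -c counts what is left (tr strips wc's padding).
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Rewrite the file without CRs, keeping a backup alongside it. The redirection
# truncates the original in place, so its owner and mode are preserved.
strip_cr() {
    cp -p "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"
}

# sshd (StrictModes yes, the default) also ignores an authorized_keys that is
# writable by group or others. Report "ok" or the offending mode string.
check_mode() {
    perm=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-r--r--
    case "$perm" in
        ?????w*|????????w?) echo "writable by group or others: $perm" ;;
        *)                  echo ok ;;
    esac
}

# Demo on a constructed file that imitates one saved from Windows Notepad.
# The key material is a placeholder, not a real public key.
demo() {
    f=$(mktemp)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample1 dev@winbox\r\n' > "$f"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample2 ops@winbox\r\n' >> "$f"
    chmod 664 "$f"
    echo "CRs before: $(count_cr "$f"), mode: $(check_mode "$f")"
    strip_cr "$f" && chmod 600 "$f"
    echo "CRs after:  $(count_cr "$f"), mode: $(check_mode "$f")"
    rm -f "$f" "$f.bak"
}

demo
```

Run the functions against ~/.ssh/authorized_keys on the server side. Without a hex editor, `od -c authorized_keys | grep '\\r'` shows the stray `\r` before each `\n`, and `ssh -vvv` from the client (or `sshd -d` on the server) shows the public key being offered and rejected rather than any complaint about the file. StrictModes also rejects keys when the home directory or ~/.ssh is group- or world-writable, so the same mode check is worth running on those directories.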
Categories: APPS Blogs

DAM tools, IBM Guardium, Oracle E-Business Suite, PeopleSoft and SAP

A question we have answered a few times in the last few months is whether, and if so how easily, Database Activity Monitoring (DAM) tools such as IBM Guardium support ERP platforms such as the Oracle E-Business Suite, PeopleSoft and SAP. The answer is yes; DAM tools can support ERP systems. For example, IBM Guardium ships out-of-the-box policies for both the E-Business Suite and SAP – see figures one and two below.

There are many advantages to deploying a DAM solution to protect your ERP platform, the first being additional defense-in-depth for one of your most critical assets. You can read more about Integrigy's recommendations for database security programs in the Integrigy Guide to Auditing and Logging in Oracle E-Business Suite. DAM solutions allow for complex reporting as well as 24x7 monitoring and easy relaying of alerts to your SIEM (e.g. Splunk or ArcSight).

Deploying a DAM solution to protect your SAP, PeopleSoft or E-Business Suite is not a plug-and-play exercise. IBM Guardium's out-of-the-box policies for the E-Business Suite require configuration to be of any value – see figure three below. The out-of-the-box DAM policies are a good starting point, but Integrigy rarely sees them implemented as is. Integrigy also highly recommends, if at all possible, completing a sensitive data discovery project before designing your initial DAM policies. Such projects greatly help to define requirements and also offer opportunities for data clean-up.

Overall, designing and implementing an initial set of Guardium policies for the E-Business Suite (or any other ERP package) is usually a few weeks of effort, depending on your size and complexity.

If you have any questions, please contact us at info@integrigy.com

Figure 1- Seeded Guardium Policies for EBS and SAP

Figure 2- Guardium E-Business Suite PCI Policy

Figure 3- Example of Blank Configuration


Auditing, Oracle E-Business Suite, IBM Guardium
Categories: APPS Blogs, Security Blogs

Copycat blog

Vikram Das - Tue, 2015-09-15 03:50
While doing a Google search today I noticed that there is another blog that has copied all the content from my blog and posted it as its own, and has even kept a similar-sounding name: http://oracleapps-technology.blogspot.com . I have made a DMCA complaint to Google about this. The Google team asked me to provide a list of URLs. I had to go through the copycat's whole blog and create a spreadsheet with two columns: one with the URL of my original post and a second with the URL of the copycat's post. There were 498 entries. I patiently did it, sent the spreadsheet to the Google team and got a reply within 2 hours:


Hello,
In accordance with the Digital Millennium Copyright Act, we have completed processing your infringement notice. We are in the process of disabling access to the content in question at the following URL(s):

http://oracleapps-technology.blogspot.com/

The content will be removed shortly.

Regards,
The Google Team 
Categories: APPS Blogs
