APPS Blogs

Oracle E-Business Suite Mobile and Web Services Security Explained - Starting with URL Firewall

This is the sixth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

How are web services secured in Oracle 12.2? To start at the beginning, the “front door” of the Oracle E-Business Suite is its web server, the Apache server deployed within the WebLogic server that is installed with release 12.2. Securing an Apache web server largely means setting various directives in the Apache configuration file (httpd.conf). For the Oracle E-Business Suite, these critical settings are maintained by Oracle through the AutoConfig utility.

URL Firewall

The most important setting for Internet-facing clients is the include for the Oracle E-Business Suite’s URL Firewall. When the URL Firewall is included in httpd.conf, every web request, for both forms and web services, passes through it. The URL Firewall is a non-discretionary, mandatory requirement when the Oracle E-Business Suite is deployed on the Internet.

HTTPD.CONF include for the URL Firewall

The URL Firewall is a template maintained by Oracle that whitelists those forms (e.g. JSP pages) that Oracle Corporation has hardened for use on the Internet. If a JSP is not whitelisted in the file url_fw.conf, it should NOT be used on the Internet. Be sure to use the latest version of the template, as Oracle updates it periodically.

In the template, Oracle ships every line commented out, which effectively “denies all.” To use url_fw.conf, DBAs at each client site must manually uncomment (“open”) the specific JSP pages appropriate to their site. This “opening” by the DBAs must be done carefully and reviewed routinely.

Whether url_fw.conf is called at all is determined by the node's trust level. Most large Oracle E-Business Suite implementations have multiple web servers (referred to as nodes). To deploy the Oracle E-Business Suite on the Internet, one or more nodes are deployed in a DMZ. If the node serving the request is flagged as an "Internal" web node, url_fw.conf is skipped. If, however, the node's trust level is flagged as "External" because the node is deployed in the DMZ, url_fw.conf is called.

When called, url_fw.conf applies regular expressions to the web request to determine whether the request BOTH exists in the whitelist AND has been uncommented (“opened”) by the DBAs. If no match is found, a default-deny result is returned: in security terms, all requests are rejected unless explicitly allowed. If a match is found, the web request continues and the WebLogic server then proceeds with authentication and authorization.

Example of URL FW line uncommented

Enabling and configuring the URL Firewall is the first step in securing web services. Unfortunately, Oracle buries the documentation for the URL Firewall in Appendix E of the DMZ configuration guide; see the reference section of this paper for more information on the documentation.

Securing web services is more complicated in that a second whitelist is appended to the first: to secure Oracle E-Business Suite web services, url_fw.conf calls url_fw_ws.conf. As with url_fw.conf, the documentation is buried deep in Appendix E of the DMZ configuration guide.

Unlike url_fw.conf, which is supplied as a static listing of JSP pages, url_fw_ws.conf is generated by running a utility (txkGenWebServiceUrlFwConf.pl). After it is generated, DBAs similarly need to manually uncomment only those lines for the web services actually in use. If a web service is not whitelisted, the default-deny rule applies; all web services left commented out are denied.

Example of URL FW WS.conf

Errors in selecting a node’s trust level or in configuring url_fw.conf and/or url_fw_ws.conf have serious security consequences and should be routinely reviewed as part of ongoing security audits.

Web services can be publicly deployed without using the URL Firewall: for example, clients can, if they so choose, route Internet traffic directly to the E-Business Suite without setting up an External node. Integrigy Corporation highly recommends against doing this, and recommends always using the URL Firewall when deployed on the Internet, both for forms and for web services.
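As an added illustration, not code from the original post or from Oracle, the following Python models the decision path described above: the node trust level gate, a whitelist in which only uncommented entries count, default-deny for everything else, and a small audit of what has been opened. The rule file is constructed in Apache mod_rewrite style for the example and is not Oracle's url_fw.conf template.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in Apache mod_rewrite style, modelled loosely on url_fw.conf.
# It is NOT Oracle's template: the patterns, and which lines are "opened", are made up.
SAMPLE_URL_FW_CONF = r"""
# Opened by the site DBA: login page and the OA Framework dispatcher
RewriteRule ^/OA_HTML/AppsLocalLogin\.jsp$ - [L]
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
# Left commented out, as Oracle ships every line ("deny all")
#RewriteRule ^/OA_HTML/jtfrsfwr\.jsp$ - [L]
#RewriteRule ^/OA_HTML/RF\.jsp$ - [L]
"""

# Group 1 captures a leading '#' (line still closed); group 2 is the URL regex.
RULE_RE = re.compile(r"^(#?)\s*RewriteRule\s+(\S+)\s+-\s+\[L\]\s*$")


@dataclass
class Rule:
    pattern: str   # regular expression applied to the request path
    opened: bool   # True when the DBA has uncommented the line


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_url_fw(conf: str) -> List[Rule]:
    """Return every whitelist entry, recording whether it has been opened."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(pattern=m.group(2), opened=(m.group(1) == "")))
    return rules


def evaluate(path: str, node_trust: str, rules: List[Rule]) -> Decision:
    """Decide a request the way the post describes url_fw.conf behaving.

    An Internal node skips url_fw.conf entirely. On an External (DMZ) node the
    path must match an entry that is both in the whitelist and opened;
    anything else falls through to default-deny.
    """
    if node_trust.upper() == "INTERNAL":
        return Decision(True, "url_fw.conf skipped: node trust level is Internal")
    for rule in rules:
        if rule.opened and re.search(rule.pattern, path):
            return Decision(True, f"matched opened rule {rule.pattern}")
    return Decision(False, "default-deny: no opened rule matched the request")


def audit_opened(rules: List[Rule]) -> List[str]:
    """List the opened patterns for the routine review the post calls for.

    An opened pattern that is not anchored with ^ and $ admits more than the
    single hardened page it names, so it is flagged for a closer look.
    """
    report = []
    for rule in rules:
        if not rule.opened:
            continue
        anchored = rule.pattern.startswith("^") and rule.pattern.endswith("$")
        report.append(rule.pattern + ("" if anchored else "  <-- unanchored, review"))
    return report


if __name__ == "__main__":
    rules = parse_url_fw(SAMPLE_URL_FW_CONF)
    for path, trust in [("/OA_HTML/AppsLocalLogin.jsp", "External"),
                        ("/OA_HTML/jtfrsfwr.jsp", "External"),
                        ("/OA_HTML/jtfrsfwr.jsp", "Internal")]:
        d = evaluate(path, trust, rules)
        print(f"{trust:8} {path:32} {'ALLOW' if d.allowed else 'DENY ':5} {d.reason}")
    print("Opened entries:", audit_opened(rules))
```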

URL Firewall called by Node Trust Level

httpd.conf calls the URL Firewall

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Webcast: "Online Patching with EBS 12.2"

Steven Chan - Thu, 2017-03-30 14:19

Oracle University has a wealth of free webcasts for Oracle E-Business Suite. If you're looking for an overview of how Online Patching works in EBS 12.2, see:

The Online Patching feature of Oracle E-Business Suite 12.2 will reduce your Oracle E-Business Suite patching downtimes to however long it takes to bounce your application server. Kevin Hudson, Senior Director Product Development, details how online patching works, with special attention to what’s happening at the database object level when patches are applied to an Oracle E-Business Suite environment that’s still running. Learn about the operational and system management implications for minimizing maintenance downtimes when applying Oracle E-Business Suite patches with this new technology and the related impact on customizations you might have built on top of Oracle E-Business Suite. This material was presented at Oracle OpenWorld 2016.

Categories: APPS Blogs

Webcast: "12.2 Technical Upgrade Overview and Process Flow"

Steven Chan - Wed, 2017-03-29 10:08

Oracle University has a wealth of free webcasts for Oracle E-Business Suite. If you're looking for an overview of how to optimize your EBS 12.2 installation, see:

Udayan Parvate, Senior Director Release Engineering, Quality and Release Management, shares a high level overview of the 12.2 technical upgrade and the sequence of technical steps to follow in the 12.2 upgrade process. This material was presented at Oracle OpenWorld 2015.

Categories: APPS Blogs

Cloning EBS 12.1.3 Environments Integrated with Oracle Access Manager

Steven Chan - Tue, 2017-03-28 02:05

We have documented procedures for cloning EBS 12.1.3 environments. We also have documented procedures for integrating EBS 12.1.3 environments with Oracle Access Manager (OAM) and Oracle Internet Directory (OID). The next logical question would be: do we have documented procedures for cloning EBS 12.1.3 environments that have been integrated with OAM and OID?

Yes, we have published this here:

EBS OAM architecture

This Note provides a certified process and detailed steps to:

  • Clone EBS using Rapid Clone
  • Deregister the cloned EBS instance from OAM and remove AccessGate
  • Remove OID from the cloned EBS instance
  • Integrate the cloned EBS instance with OID
  • Integrate the cloned EBS instance with OAM
  • Reconfigure SSL

Categories: APPS Blogs

Webcast: "Oracle E-Business Suite Integration Best Practices"

Steven Chan - Mon, 2017-03-27 14:51

Oracle University has a wealth of free webcasts for Oracle E-Business Suite. If you're looking for an overview of options for integrating EBS with other applications, see:

Oracle is investing across applications and technologies to make the application integration experience easier for customers. Oracle E-Business Suite provides tools and technologies to address various application integration challenges and styles. Vijay Shanmugam, Director Product Development, shares more about Oracle’s integration offering for cloud, data, event-driven, business-to-business, and process-centric integrations. In this session, you will get a better understanding of what Oracle integration technologies you can use and how, when, and where you can leverage them to connect end-to-end business processes across your enterprise, including the Oracle Applications portfolio in the cloud. This material was presented at Oracle OpenWorld 2016.

Categories: APPS Blogs

Webcast: "Enabling Oracle E-Business Suite for SOA, Cloud"

Steven Chan - Mon, 2017-03-27 02:05

Oracle University has a wealth of free webcasts for Oracle E-Business Suite. If you're looking for an overview of how to integrate EBS instances in the cloud with external SOA services, see:

Rekha Ayothi, Principal Product Manager, provides a deep dive on how Oracle E-Business Suite is enabled for SOA, Cloud and Mobile based integration. This session provides a technical look at Oracle SOA Suite, Oracle Application Adapters for Data Integration for Oracle E-Business Suite, and a walkthrough of Oracle E-Business Integrated SOA Gateway and its out-of-the-box capability to produce REST and SOAP based services. Systems Integrators and developers will get an overview of the latest integration technologies available from Oracle E-Business Suite, as well as a sneak preview of future Internet of Things (IoT) integration capabilities and other upcoming features. This material was presented at Oracle OpenWorld 2015.


Categories: APPS Blogs

Creditcard and Bank Account Decryption No Longer Possible in Oracle E-Business Suite

In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here: Oracle E-Business Suite: Credit Cards and PCI Compliance.

With Release 12 of the Oracle E-Business Suite, Oracle consolidated new functionality to encrypt credit cards and external bank accounts into the new Payments module. Integrigy’s recommendation in January 2014 was that if encryption was enabled, the concurrent programs that optionally decrypt credit cards and external bank accounts should also be disabled. Integrigy's rationale for this recommendation was that decryption should only be allowed in a carefully controlled and managed process. End-dating the decryption request set and concurrent programs would prevent the decryption programs from being run accidentally or run for nefarious purposes, in production but certainly in non-production databases.

Evidently, Oracle is now once again taking a security recommendation from Integrigy by permanently disabling the decryption programs. Per Oracle’s security team, the decryption programs have been disabled. For more information refer to Oracle Support Note 2209450.1, posted December 1, 2016 - "Is It Possible To Decrypt the Bank Accounts Data After Enabling The Encryption Feature."

If you have questions about protecting credit cards and/or external bank accounts in the Oracle E-Business Suite or have questions about this blog post, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Encryption, PCI, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Deploying Oracle E-Business Suite 12.2 SOAP Web Services

This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying SOAP-based web services for the Oracle E-Business Suite is more complicated than deploying REST services. SOAP interfaces are best used to support heavy-duty solutions such as Business-to-Business (B2B) interfaces. To deploy SOAP services for the Oracle E-Business Suite, the Oracle SOA Suite must be licensed and configured. Once the SOA Suite is installed and configured, two (2) WebLogic servers will exist: the first is the initial WebLogic server supporting the Oracle E-Business Suite, and the second is the WebLogic server supporting the SOA Suite. Integration between the two WebLogic Servers is done both through HTTP and through the ISG client. The ISG client is installed on the SOA Suite’s WebLogic server and uses Oracle’s proprietary T3 protocol to do the majority of the heavy lifting for communication with the E-Business Suite.

When a SOAP service is deployed within the Integrated SOA Gateway forms in the Oracle E-Business Suite, the SOAP Web Services Description Language (WSDL) file defining the web service is generated on the second WebLogic Server, the SOA Suite WebLogic Server, not the E-Business Suite’s WebLogic server. The interaction with B2B business partners using the web service then occurs between the Oracle SOA Suite and the business partner’s servers. Ultimately the Oracle E-Business Suite generates or receives the information, but the Oracle E-Business Suite does not directly communicate with the B2B partners.

SOAP Needs a Separate SOA Suite WebLogic Server

Only the SOA Suite communicates with B2B clients

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Reminder: Upgrade BPEL 11.1.1.7 to 11.1.1.9 Before December 2018

Steven Chan - Thu, 2017-03-23 10:48

Oracle Fusion Middleware products get new Patch Set updates.  When a new Patch Set has been released, a 12 month Grace Period for the previous Patch Set begins.  Once that Grace Period ends, no new patches for the previous Patch Set will be released.

For more details, see:

Oracle BPEL Process Manager is part of Oracle SOA Suite 11.1.1.x. Note 1290894.1 does not have a separate listing for Oracle SOA Suite; it refers to "Oracle Fusion Middleware" (FMW) instead. The references in that document to "FMW" implicitly include SOA Suite.

SOA Suite 11.1.1.7 was released in April 2013.  SOA Suite 11.1.1.9 was released in May 2015, which means that the Grace Period for SOA Suite 11.1.1.7 will end after December 2018. 

All E-Business Suite users running BPEL Process Manager in SOA Suite 11.1.1.7 should upgrade to BPEL Process Manager in SOA Suite 11.1.1.9 to remain under Error Correction Support. SOA Suite 11.1.1.x is covered by Premier Support to December 2018, and covered by Extended Support to December 2021.

Categories: APPS Blogs

Webcast: "Installation, Cloning and Configuration of EBS 12.2"

Steven Chan - Wed, 2017-03-22 10:51

Oracle University has a wealth of free webcasts for Oracle E-Business Suite. If you're looking for an overview of how to install, clone, and configure EBS 12.2, see:

Max Arderius, Senior Principal Product Manager, covers the technology stack for Oracle E-Business Suite 12.2, including the use of Oracle WebLogic Server (Oracle Fusion Middleware 11g) and Oracle Database functionality. Topics include an architectural overview of the latest updates, installation options, configuration options, and new tools for automated cloning. Also learn how Online Patching (based on the Oracle Database Edition-Based Redefinition feature) will reduce your database patching downtimes. This material was presented at OOW 2015.

Categories: APPS Blogs

Webcast: "Personalizing EBS: The Next Generation"

Steven Chan - Wed, 2017-03-22 02:06

Oracle University has a wealth of free webcasts for Oracle E-Business Suite. If you're looking for an overview of how to personalize EBS 12.2, see:

Senthilkumar Ramalingam, Group Manager Product Development, discusses the new Release 12.2 Administrator Personalization Workbench that allows you to quickly and easily personalize Oracle Application Framework (OAF) applications. The new Personalization Workbench provides an intuitive, WYSIWYG personalization experience and offers rich interactivity like select-and-edit and drag-and-drop to perform a wide range of personalizations on a page. Learn about new OAF end user personalization capabilities for optimizing the experience on iOS or Android tablets. Leverage new gesture support and tablet-optimized components in your customizations and extensions. See how to use the Oracle E-Business Suite Developer VM on Oracle Cloud to develop personalizations and extensions. This material was presented at Oracle OpenWorld 2016.


Categories: APPS Blogs

Using Job Role Separation with ASM and EBS 12.2

Steven Chan - Tue, 2017-03-21 10:45

A job role separation configuration of Oracle Database and Oracle Automatic Storage Management (ASM) is a configuration that defines separate operating system groups and users, so that operating system authentication is separated by role.

This is now a certified option for E-Business Suite 12.2 environments. The EBS Rapid Install now supports the use of job role separation to manage operating system permissions for ASM, Oracle Grid Infrastructure, and Oracle software installations.

Job Role separation table for ASM in EBS environments

The following guides have been updated to reflect this newly-certified configuration option:

Categories: APPS Blogs

EBS Support Implications for Discoverer 11gR1 in June 2017

Steven Chan - Fri, 2017-03-17 10:57

What happens to Discoverer support in June 2017?

The Oracle Lifetime Support Policy: Oracle Fusion Middleware Products document states:

  • Premier Support for Discoverer 11gR1 ended on June 30, 2014. 
  • Extended Support for Discoverer 11gR1 ends on June 30, 2017. 

No new patches for Discoverer 11gR1 or its E-Business Suite (EBS) Discoverer-based content will be created after June 30, 2017.  EBS customers will continue to have access to existing released patches and other published resources.

Which EBS releases are affected?

E-Business Suite 12.1 and 12.2 included workbooks, business areas, and folders built for Discoverer 11gR1.  Both EBS 12.1 and 12.2 are affected by this.

What should EBS users use for analytics now?

This document was published in March 2014:

That Note recommends that Discoverer users migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence for Applications (OBIA), or Oracle Endeca Information Discovery.

Are there automated tools for migrating from Discoverer to other Oracle analytics tools?

No, there are no automated tools for migrating Discoverer content to OBIEE, OBIA, or Oracle Endeca Information Discovery.

Can EBS customers request new patches after June 2017?

No, Oracle will not produce new patches or documentation for Discoverer, EBS content for Discoverer, or Discoverer certifications with EBS 12.1 or 12.2 after June 30, 2017. 

Can EBS customers access existing Discoverer-related resources after June 2017?

Yes, EBS customers will still be able to download existing Discoverer patches.  For example, Discoverer 11.1.1.7 was certified in June 2013 and is certified for EBS 12.1 and 12.2.  Customers will continue to be able to download Discoverer 11.1.1.7 and Discoverer-related documentation for EBS environments (Note 1380591.1 for EBS 12.2, Note 1074326.1 for EBS 12.1).

Can EBS customers continue to use Discoverer after June 2017?

Yes, but Oracle's ability to assist with questions will be increasingly limited as environments with Discoverer are retired. Customers should minimize changes to their Discoverer-related infrastructure with the goal of keeping Discoverer environments stable: e.g. limiting changes that might affect load, hardware infrastructure, or business processes.

Will Discoverer work with new desktop client updates after June 2017?

This is unknown.  No new certifications for Discoverer will be performed after June 2017.  Desktop client updates such as new JRE releases, new Windows updates, and new browsers may have unpredictable effects on Discoverer.  Oracle will not issue new compatibility patches for these types of issues after June 2017.


Categories: APPS Blogs
