Stephen Kost's E-Business Suite Security Blog

Subscribe to Stephen Kost's E-Business Suite Security Blog feed
Integrigy's Oracle Security Blog with information on security for the Oracle Database, Oracle E-Business Suite and other Oracle products.
Updated: 5 hours 17 min ago

Integrigy COLLABORATE 17 Sessions - Presentations on Oracle Database, Oracle E-Business Suite, and PeopleSoft Security

Fri, 2017-03-17 10:12

Integrigy is presenting nine papers this year at COLLABORATE 17 (https://collaborate.oaug.org/). The COLLABORATE 17 conference is a joint conference for the Oracle Applications User Group (OAUG), Independent Oracle Users Group (IOUG), and Quest International Users Group.

Here is our schedule. If you have questions or would like to meet with us while at COLLABORTE 17, please conact us at info@integrigy.com.

Sunday Apr 02, 2017

1:45 PM - 2:45 PM

Oracle E-Business Suite 12.2 Security Enhancements

https://app.attendcollaborate.com/event/member?item_id=5621519

Banyan E

Speaker: Stephen Kost

1:45 PM - 2:45 PM

How to Control and Secure Your DBAs and Developers in Oracle E- Business Suite

https://app.attendcollaborate.com/event/member?item_id=5740411

South Seas F

Speaker: Michael Miller

Monday Apr 03, 2017

9:45 AM - 10:45 AM

The Thrifty DBA Does Database Security

https://app.attendcollaborate.com/event/member?item_id=5660960

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions Contacts us at info@integrigy.com to arrange

 

 

Tuesday Apr 04, 2017

9:45 AM - 10:45 AM

Solving Application Security Challenges with Database Vault

https://app.attendcollaborate.com/event/member?item_id=5660961

Jasmine D

Speaker: Stephen Kost

1:00 PM - 4:30 PM

Integrigy team available for meetings and discussions Contacts us at info@integrigy.com to arrange

 

 

Wednesday Apr 05, 2017

9:45 AM - 10:45 AM

When You Can't Apply Database Security Patches

https://app.attendcollaborate.com/event/member?item_id=5660962

Jasmine D

Speaker: Stephen Kost

11:00 AM - 12:00 PM

Common Mistakes When Deploying Oracle E-Business Suite to the Internet

https://app.attendcollaborate.com/event/member?item_id=5621520

South Seas B

Speaker: Stephen Kost

1:30 PM - 2:30 PM

Securing Oracle 12c Multitenant Pluggable Databases

https://app.attendcollaborate.com/event/member?item_id=5660950

Palm A

 

Speaker: Michael Miller

2:45 PM - 3:45 PM

How to Control and Secure Your DBAs and Developers in PeopleSoft

https://app.attendcollaborate.com/event/member?item_id=5617942

Ballroom  J

Speaker: Michael Miller

Thursday Apr 06, 2017

8:30 AM - 9:30 AM

Oracle E-Business Suite Mobile and Web Services Security

https://app.attendcollaborate.com/event/member?item_id=5621407

South Seas B

Speaker: Michael Miller

 

You can download a complete listing of Integrigy's sessions at Integrigy COLLABORATE 17 Sessions.

Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft
Categories: APPS Blogs, Security Blogs

PeopleSoft Security

Fri, 2017-03-17 09:34

This is a quick summary of Integrigy’s latest research on PeopleSoft. Was sending this to a client and decided it was a good posting:

Guide to PeopleSoft Logging and Auditing

How to Control and Secure PeopleSoft DBAs and Developers

PeopleSoft Database Security

PeopleSoft Database Secure Baseline Configuration

PeopleSoft Security Quick Reference

If you have any questions, please contact us at info@integrigy.com

 

 
 
Oracle PeopleSoft, Whitepaper
Categories: APPS Blogs, Security Blogs

Deploying Oracle E-Business Suite 12.2 REST Web Services

Fri, 2017-03-17 06:00

This is the forth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying REST services with 12.2 is straightforward. REST is an architectural style and not a protocol and is best used to support lightweight and “chatty” interfaces such as Mobile applications.  With 12.2, REST Web Application Description Language (WADL) interface definition files are generated within the E-Business Suite's WebLogic server and run through the OAFM Application. The OAFM application created with the installation of the Oracle E-Business Suite.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

References
 

 

     
     
     
     
     
     
    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Deploying Oracle E-Business Suite Web Services

    Fri, 2017-03-10 06:00

    This is the third posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

    Web services are physically deployed differently depending on whether they are defined using Representational State Transfer (REST) or Simple Object Access Protocol (SOAP).  Logically, however, both REST and SOAP web services are deployed from within the Integrated SOA Gateway (ISG). Refer to the E-Business Suite’s documentation for details, but from within the Integrated SOA Gateway, users can deploy web services by locating the particular web service and then clicking on the "Deploy" button.

    If you have any questions, please contact us at info@integrigy.com

    -Michael Miller, CISSP-ISSMP, CCSP, CCSK

    References
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 12.2 Mobile and Web Services Architecture

    Fri, 2017-03-03 06:00

    This is the second posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

    Approximately 2,900 web services are created with an update to or installation of 12.2 and are defined in the table APPLSYS.FND_IREP_CLASSES. Within the Oracle E-Business Suite’s user interface, the Integrated SOA Gateway (ISG) module is used to deploy the web services defined in APPLSYS.FND_IREP_CLASSES. Key to understanding the 12.2 web services architecture is that ALL web services are defined in the Service Oriented Architecture (SOA) Gateway, this includes both Simple Object Access Protocol (SOAP) and Representational State Transfer (REST) web services. 

    The E-Business Suite’s Mobile and smartphone applications are deployed internally as REST services and are likewise defined in the Integrated SOA Gateway and stored in the table APPLSYS.FND_IREP_CLASSES. The graphic below depicts the addition of web services and helps to visualize the increased attack surface that needs to be secured.

     
     
    Web Services, DMZ/External, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite Mobile and Web Services Security - What You Need To Know

    Fri, 2017-02-24 06:00

    Securing packaged software such as the Oracle E-Business Suite presents different challenges than securing bespoke custom software. Unlike custom software, both the structure of and the security vulnerabilities of the Oracle E-Business Suite are well known and documented, not only to users but also to threat actors.  To begin an attack, limited probing and/or reconnaissance is needed because threat actors know exactly what to target and what to expect.  This also makes the Oracle E-Business Suite, like other ERP platforms, vulnerable to automated attacks. Threat actors only need to compromise one publically facing URL or web service, which given the size and complexity of the Oracle E-Business Suite, makes securing it a somewhat daunting task.

    Starting with version 12.1 and continuing with 12.2, the Oracle E-Business Suite delivers a considerable amount of new web services and Mobile functionality as standard core functionality.  Much, if not most, of this new Mobile and web services functionality, replicates functionality previously only available through the traditional user interface forms and/or public interfaces and these new web services can be easily deployed on the Internet through a DMZ node.  The security implications of 12.2’s increased web services capabilities is that the Oracle E-Business Suite’s attack surface has increased and harder to defend. 

    This blog series summarize the new Mobile and web services functionality and review their security features before recommending best practices for using them securely.

    If you have any questions, please contact us at info@integrigy.com

    -Michael Miller, CISSP-ISSMP, CCSP, CCSK

    REFERENCES

     
     
     
     
     
    Web Services
    Categories: APPS Blogs, Security Blogs

    Oracle Database 11.2.0.4 and 12.1.0.2 New CPU End Dates

    Fri, 2017-01-27 08:36

    With the upcoming on-premise release of Oracle Database 12.2.0.1, Oracle has updated the Critical Patch Update (CPU) security patch end dates for 11.2.0.4 and 12.1.0.2.  Currently (as of January 2017), only 11.2.0.4 and 12.1.0.2 are supported for CPUs.

    The CPU end-dates, which correspond with the end of Extended Support, have been extended to October 2020 for 11.2.0.4 and July 2021 for 12.1.0.2.  The first year of extended support for both versions is free until December 2018 for 11.2.0.4 and July 2019 for 12.1.0.2.

    All Oracle databases should be updated to either 11.2.0.4 or 12.1.0.2, which provides at least three years of CPU support.  To ensure database security and minimize Oracle support costs, organizations should plan to upgrade 11.2.0.4 and 12.1.0.2 databases in 2018 and move to 12.2 at that time.  All new databases should be 12.1.0.2 and look to begin production use of 12.2 in late 2017 or with the release of 12.2.0.2 in eary 2018.

    For databases that are not currently upgraded to 11.2.0.4 or 12.1.0.2, you must mitigate the risk of not applying security patches as there are at least 27 moderate to high risk unpatched security vulnerabilities in unsupported versions.  A number of these vulnerabilities allow any user, even with only CREATE SESSION, to compromise the entire database.  At a minimum, you must harden the database, limit network access as much as possible, review access and privileges, and enable auditing and monitoring in order to potentially identify attacks and compromises.

    See MOS Support Note 742060.1 for more information on Oracle Database version support.

    Oracle Database, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite: 250 Security Vulnerabilities Fixed in the Last Year

    Thu, 2017-01-19 11:23

    Oracle has fixed 250 security vulnerabilities in the Oracle E-Business Suite from January 2016 to January 2017.  The past five Oracle Critical Update Updates (CPU) have included double or triple digit number of fixes for Oracle E-Business Suite.  Almost all these security vulnerabilities are exploitable in all versions of Oracle E-Business Suite including 11i, 12.0, 12.1, and 12.2.  Many of the 250 security vulnerabilities fixed are high risk vulnerabilities such as SQL injection, cross-site scripting (XSS), XML external entity attacks, and privilege escalation.

    Unless your organization is applying the CPU patches immediately and have hardened the application, the Oracle E-Business Suite is extremely vulnerable and easily exploitable.  Significant defensive measures are required to protect Oracle E-Business Suite especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.   A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

    Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 11i - Critical Patch Updates Extended for Tier 1 Support

    Thu, 2017-01-19 11:07

    As of December 2016, Oracle has extended Critical Patch Update (CPU) support for Oracle E-Business Suite 11.5.10 until October 2017 for additional fee Tier 1 support/Advanced Contract Support (ACS) customers.  Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with Tier 1/ACS support contracts.  See My Oracle Support Note ID 1596629.1 for more information.

    Almost all security vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i.  A significant number of these security bugs are SQL injection bugs allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account.  These attacks can easily compromise the entire application and database.  In the past year, Oracle has fixed 250 security vulnerabilities in Oracle E-Business Suite 11i and R12.

    Oracle E-Business Suite 11i customers without Tier 1 support, as well as 12.0 customers, should take immediate take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.  A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

    Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle Discoverer Security Alert - High impact to SOX Compliance and Financial Reporting

    Wed, 2016-10-19 12:02

    For those clients using Oracle Discoverer, especially those using Discoverer with the Oracle E-Business Suite for financial reporting, the October 2016 Oracle Critical Patch Update (CPU) include a high-risk vulnerability reported by Integrigy Corporation. CVE-2016-5495 is a vulnerability with the Discoverer EUL Code and Schema and has a base score 7.5. Integrigy believes this vulnerability affects all versions of Discoverer used with the Oracle E-Business Suite and that the confidentiality, integrity, and availability of reports are at risk.

    Oracle's recommendation is that clients migrate to Oracle Business Intelligence Enterprise Edition (OBIEE), Oracle Business Intelligence Cloud Service, or Oracle Business Intelligence Applications. If you are still using Discoverer, Oracle recommends upgrading to Fusion Middleware 11g patch set 6 (11.1.1.7.0) and to apply the October 2016 Critical Patch Update Discoverer patch (24716502). Be sure to also apply the CPU patches to WebLogic (10.3.6 and higher) and the database supporting the WebLogic repository.

    If you have any questions, please contact us at info@integrigy.com

    For more information

    October 2016 CPU Announcement: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

    Patch Set Update and Critical Patch Update October 2016 Availability Document (Doc ID 2171485.1)

    ALERT: Premier Support Ends Dec 31 2011 for Oracle Fusion Middleware 10g 10.1.2 & 10.1.4 (Doc Id: 1290974.1)

    Using Discoverer 11.1.1 with Oracle E-Business Suite Release 12 (Doc Id: 1074326.1)

    Using Discoverer 11.1.1 with Oracle E-Business Suite Release 11i (Doc Id: 1073963.1)

    Vulnerability, Sarbanes-Oxley (SOX), Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 11i - October 2016 is Last Critical Patch Update

    Tue, 2016-10-18 22:23

    Starting with the April 2016 Critical Patch Update (CPU), Oracle E-Business Suite 11.5.10 CPU patches are only available for customers with additional fee Tier 1 support contracts.  As of December 2016, no more CPU patches are available for Oracle E-Business Suite 11i.  October 2016 is the last CPU patch for Oracle E-Business Suite 11i.  For 12.0, the last CPU patch was October 2015.

    Even though there are no more security patches, many, if not most, vulnerabilities discovered and patched in Oracle E-Business Suite 12.x are also present and exploitable in 11i.  A significant number of these security bugs are SQL injection bugs which allow an attacker to execute SQL as the Oracle E-Business Suite APPS database account.  These attacks can easily compromise the entire application and database.

    As there are no more security patches for 11i and 12.0, we strongly recommend all 11i and 12.0 customers who have not yet upgraded to 12.x take immediate defensive steps to protect the Oracle E-Business Suite 11i, especially those with Internet facing modules such as iSupplier, iStore, iRecruitment, and iSupport.  A key layer of defense is Integrigy’s web application firewall for Oracle E-Business Suite, AppDefend, which provides virtual patching for these security bugs and additional protection from generic web application attack like SQL injection and cross-site scripting (XSS) and common Oracle E-Business Suite security misconfigurations.

    Reference: AppDefend for the Oracle E-Business Suite

    Oracle E-Business Suite, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    Oracle Database Critical Patch Update October 2016: 12.1.0.2 and 11.2.0.4 Only

    Tue, 2016-10-18 22:09

    The list of Oracle Database versions supported for Critical Patch Updates (CPU) is getting shorter and shorter.  Starting with the October 2016 CPU, only 12.1.0.2 and 11.2.0.4 are supported.  In order to apply CPU security patches for all other Oracle versions, the database must be upgraded to 12.1.0.2 or 11.2.0.4.  As these are terminal database releases, the final CPU patch for 12.1.0.2 is July 2021 and for 11.2.0.4 is October 2020.  For those who have not yet applied 12c CPU patches, only Patch Set Updates (PSU) are available which include both security fixes and a large number of high priority fixes - Security Patch Updates (SPU) which include only security fixes are not available for 12c.

    The October 2016 CPU fixes 12 security bugs in 7 database components.  Only the APEX (Application Express) security bug is remotely exploited without authentication – as with all APEX patches, this is a separate patch and upgrades APEX to 5.0.4.00.12.

    This CPU should be considered HIGH risk due to the 5 security bugs that require only CREATE SESSION privilege in order to exploit.  These bugs can be exploited by any database user and can be used to compromise the entire database.

    Oracle Database, Oracle Critical Patch Updates
    Categories: APPS Blogs, Security Blogs

    PeopleSoft Data Mover Security

    Mon, 2016-09-12 06:00

    The Data Mover allows for total manipulation of data within PeopleSoft. You can use it to transfer data among PeopleSoft databases, regardless of operating system and database vendor. To state that Data Mover scripts need to be carefully secured is an understatement – the security of Data Mover scripts and activities must be HIGHLY secured.

    When performing a PeopleSoft security audit Integrigy carefully reviews Data Mover scripts and activities. If you want to look today at your environment, locate where Data Mover scripts are being stored. The location should be secured to only those with privileges to use Data Mover. Ideally, a source code control tool should be used to store and secure Data Mover scripts.

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Security Quick Reference

    Auditing, Oracle PeopleSoft
    Categories: APPS Blogs, Security Blogs

    PeopleSoft Process Scheduler Security

    Mon, 2016-09-05 06:00

    When performing a PeopleSoft security audit Integrigy carefully reviews batch processing activity generated through the Process Scheduler. Of particular focus is who has access to administer the Process Scheduler and reviewing batch jobs to identify where jobs are being run with super user privileges.

    To look today at your environment for who has access to manage the Process Scheduler, the following can be used:

    SELECT A.ROLEUSER, A.ROLENAME, A.DYNAMIC_SW
    FROM SYSADM.PSROLEUSER A
    WHERE UPPER(A.ROLENAME) = 'PROCESSSCHEDULERADMIN';

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Security Quick Reference

    Auditing, Oracle PeopleSoft
    Categories: APPS Blogs, Security Blogs

    PeopleSoft User Security

    Mon, 2016-08-29 06:00

    When performing a PeopleSoft security audit, reconciling users should be one of the first tasks. This includes default accounts created through the installation of PeopleSoft as well as user accounts associated with staff, vendors and customers.

    The following are several of the topics that Integrigy investigates during our PeopleSoft security configuration assessments - take a look today at your settings:

    • Default accounts - PeopleSoft default application user accounts with superuser privileges where possible should be removed or have their password changed. Carefully consult your documentation but this is a key task.

    Default Oracle PeopleSoft Users

    BELHR

    JCADMIN1

    PSJPN

    CAN

    NLDHR

    PSPOR

    CFR

    PS

    TIME

    CNHR

    PSCFR

    UKHR

    ESP

    PSDUT

    UKNI

    FRA

    PSESP

    USA

    FRHR

    PSFRA

    HSHR

    GER

    PSGER

    WEBGUEST

    GRHR

    PSINE

    WEBMODEL

     

    • Stale users – users that have not logged on in months or years should be identified and removed. Use the following SQL to locate stale users:
    SELECT * FROM SYSADM.PSPTLOGINAUDIT;

    To manage accounts, the following navigation can assist. As it cannot be mentioned enough, BEFORE you disable or delete any user TEST in non-production first.

    User management:

    1. Select PeopleTools, Security, User Profiles, User Profiles
    2. Select user to disable or delete
    3. If disabling, check Account Locked Out check box


     

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Security Quick Reference

    Auditing, Oracle PeopleSoft
    Categories: APPS Blogs, Security Blogs

    PeopleSoft Jolt Security

    Mon, 2016-08-22 06:00

    Jolt along with Tuxedo supports PeopleSoft web requests. Specifically, Jolt is the layer between the application server and the web server. It is also described as a Java-enabled version of Tuxedo.

    When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Jot security settings to ensure they are set per best practice recommendations.  To do this yourself, use the table below to review your settings. These settings should also be regularly reviewed to ensure against configuration drift.

    Field

    Description

    Recommended Value

    Disconnect Timeout

    Seconds to wait before disconnecting Oracle Jolt connection. Zero (0) means no limit.

    0

    Send Timeout

    Maximum number of seconds servlet allowed to send a request.

    50

    Receive Timeout

    Maximum number of seconds servlet will wait for a response.

    600

     

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Database Security

    PeopleSoft Security Quick Reference

    Auditing, Oracle PeopleSoft
    Categories: APPS Blogs, Security Blogs

    PeopleSoft Web Portal Security

    Mon, 2016-08-15 06:00

    When performing a PeopleSoft security audit, Integrigy reviews in detail the PeopleSoft Web Portal security settings to ensure they are set per best practice recommendations.  To do this yourself, use the table below to review your settings.

    These settings should also be regularly reviewed to ensure against configuration drift.

    Field

    Description

    Recommended Value

    Allow Public Access

    User sign on bypassed when direct link to a page are used – PUBLIC user access.

    NULL/Disabled

    Days to Autofill User ID

    Convenience for users. Caches user Id for x days.

    7

    View File Time to Live

    Number of seconds to wait after sending a file attachment to a user's browser before removing that file from the web server.

    Default is 0. Set to 0 (zero) for public area/kiosk

    PIA use HTTP Same Server

    Use the HTTP protocol instead of HTTPS for requests that are issued by the portal for content hosted on same server.

    N

    Allow Unregistered Content

    Whether both registered and unregistered content is served. Turning this option off will prevent explicitly registered content references from being displayed in the portal.

    Y

    SSL Secured Access Only

    Forces use of SSL. Prevents users from using non-SSL protocols to access any link within this website or application.

    Y

    Secure Cookie with SSL

    Prevents single signon token from traveling over an insecure network. If selected the system sets the secure attribute of the single signon cookie (PS_TOKEN) to True.

    Y

    Inactivity Warning

    Number of seconds that the portal waits before warning users that browser sessions will expire. 

    1080

    HTTP Session Inactivity

    Number of seconds of inactivity after which the HTTP session times out for authenticated users. 

    1200

    Inactivity Logout

    Number of seconds of the inactivity timeout interval that applies to PeopleSoft applications to which a user is signed in. 

    1200

    Show Connection Information

    Generates system information page when a user presses Ctrl+J. Shows:

    browser, OS, PeopleTools release, application release, service pack, page definition name, component definition name, menu definition name, user ID, database name, database type, and application server address

    Off/Null

    Show Trace Link at Signon

    Displays URL link at sign-in for setting trace parameters.

    FALSE

     

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Database Security

    PeopleSoft Security Quick Reference

    Categories: APPS Blogs, Security Blogs

    PeopleSoft Encryption

    Mon, 2016-08-08 06:00

    Protection of sensitive data while at-rest, in-motion or in-use all need to be addressed as part of a holistic security strategy. This includes both Personally Identifiable Information (PII) as well as sensitive PeopleSoft system configurations.

    When performing a PeopleSoft security audit, Integrigy reviews the use and implementation of encryption within all components of the PeopleSoft technology stack. This includes the following, all which are critical. Review yours today and contact Integrigy with any questions.

    • Implementation of Oracle Advanced Security Option (ASO) for Transparent Data Encryption (TDE), Oracle Wallets and encryption key management for database encryption
    • Configuration of SQL-NET encryption between database server, application and web servers
    • PeopleSoft Pluggable Encryption Technology (PET)
    • PeopleSoft client and web services connections. Specifically, we look to ensure that both internal and external network traffic is encrypted using TLS not SSL to encrypt network traffic. TLS is the successor to SSL and is considered more secure.
    • Encryption of Tuxedo configurations using the PSADMIN utility
    • Encryption of PeopleSoft web server configurations by generating or implementing a new PSCipher key to encrypt values in the web server configuration files.
    • Encryption of the Template file. The Template file is used to share configurations among multiple environments (Test, Dev Prod etc...) and passwords stored in the file MUST be encrypted and should not be stored in clear text.

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Database Security

    PeopleSoft Security Quick Reference

    Encryption, Oracle PeopleSoft
    Categories: APPS Blogs, Security Blogs

    PeopleSoft PUBLIC User Security

    Mon, 2016-08-01 06:00

    PeopleSoft Public users are not required to authenticate (sign on). These are generic accounts created for specific purposes, for example informational pages and/or company directories. Public users are also not subject to timeouts (session inactivity). Because no authentication is required, no sensitive data should be accessible to these users. It also goes without saying, that if you don’t need Public accounts, don’t use them.

    When performing a PeopleSoft security audit, Integrigy identifies Public users and analyzes their authorization privileges. To do this yourself, use the SQL below to list your public users and then query the application or database to look at their authorization privileges.

    --List the public users
    SELECT O.OPRID, O.OPRDEFNDESC, O.ACCTLOCK, O.LASTPSWDCHANGE, O.FAILEDLOGINS,O.ENCRYPTED, O.EMPLID
    FROM SYSADM.PSWEBPROFILE P, SYSADM.PSOPRDEFN O
    WHERE P.BYPASSSIGNON = 'Y'
    AND P.DEFAULTUSERID = O.OPRID;

    If you have questions, please contact us at info@integrigy.com

    Michael A. Miller, CISSP-ISSMP, CCSP

    References

    PeopleSoft Security Quick Reference

    Auditing, Oracle PeopleSoft
    Categories: APPS Blogs, Security Blogs

    Oracle E-Business Suite 12.1 and 12.2 Support for TLS 1.2 Added

    Tue, 2016-07-26 15:47

    Oracle has released support for TLS 1.2 in Oracle E-Business Suite 12.1 and 12.2.  Previously, Oracle E-Business Suite only supported SSLv3 and TLS 1.0, which are no longer approved for use with Federal systems and are not PCI-DSS compliant as of June 2014.  For TLS 1.2 support, new My Oracle Support (MOS) documents are available:

    Enabling TLS in Oracle E-Business Suite Release 12.2 (Doc ID 1367293.1)

    Enabling TLS in Oracle E-Business Suite Release 12.1 (Doc ID 376700.1)

    Oracle E-Business Suite 11.5 and 12.0 are desupported, therefore, these versions will continue to only support SSLv3 and TLS 1.0.

    Integrigy recommends all Oracle E-Business Suite implementations use an external SSL/TLS termination point, such as an F5 BIG-IP load balancer, rather than the Oracle E-Business Suite TLS implementation in order to provide a more robust TLS implementation and allow for faster patching of the SSL technology stack.  In addition, an external TLS termination point is usually maintained by network and/or security staff for multiple applications, thus off-loading this responsibility from the Oracle DBAs who often have only limited experience with the complexity of network encryption and certificates.  Although, the one disadvantage is that the network traffic between the load balancer and Oracle E-Business Suite application server is unencrypted, however, this is normally limited to VLANs within the data center.

    Encryption, Oracle E-Business Suite
    Categories: APPS Blogs, Security Blogs

    Pages