Securing oracle e-business suite 12.1 and 12.2 technology infrastructure

Session ID: 10452
Securing Oracle E-Business Suite 12.1 and 12.2 Technology Infrastructure
21-Feb-2018
Prepared by: Vasu Balla, Principal Consultant, Pythian (@r12dba)
Agenda
Less well-known options in Oracle E-Business Suite that make it even more secure
About Me
Vasu Balla
–15 Years of Apps DBA Experience
–Principal Consultant with Pythian
–Oracle EBS ATG CAB Member
–Based out of Ottawa, Canada
–@r12dba
ABOUT PYTHIAN
Pythian’s 400+ IT professionals
help companies adopt and
manage disruptive technologies
to better compete
[Infographic: systems currently managed by Pythian (EXPERIENCED); Pythian experts in 35 countries (GLOBAL); millennia of experience gathered and shared over 19 years (EXPERTS). Figures shown: 11,800 and 2400.]
Apps Web - Allowed JSPs/Resources
• Next gen URL Firewall
• Defines whitelist of allowed
JSPs/Servlets for EBS 12.2
• Blocks requests to any JSP that is not on the list, so unused (and possibly vulnerable) JSPs cannot be reached at all
• $FND_TOP/secure/allowed_jsps.conf
• Oracle Doc Bug
Apps Web - Allowed JSPs/Resources
[oracle@apps secure]$ view allowed_jsps.conf
# +======================================================================+
# | Copyright (c) 2005, 2016 Oracle and/or its affiliates. |
# | All rights reserved. |
# | Version 12.0.0 |
# +======================================================================+
# $Header: allowed_jsps.conf 120.0.12020000.14 2016/07/08 04:32:20 sbandla noship $
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/cabo/jsps/a.jsp
/OA_HTML/cabo/jsps/frameRedirect.jsp
/OA_HTML/fndgfm.jsp
/OA_HTML/jsp/fnd/close.jsp
/OA_HTML/jsp/fnd/fnderror.jsp
/OA_HTML/OADownload.jsp
/OA_HTML/OAFrame.jsp
/OA_HTML/jsp/fnd/AOLDataStreaming.jsp
/OA_HTML/jsp/fnd/fndhelpbuilder.jsp
…
…
…
include allowed_jsps_FIN.conf
include allowed_jsps_HR.conf
include allowed_jsps_Leasing.conf
include allowed_jsps_Procurement.conf
include allowed_jsps_SCM.conf
include allowed_jsps_CRM.conf
include allowed_jsps_VCP.conf
include allowed_jsps_diag_tests.conf
include allowed_jsps_PA.conf
Apps Web - Allowed JSPs/Resources
• Enhanced further in 12.2.7
Apps Web - Allowed Redirects
• Defines whitelist of allowed redirect
destinations for Oracle EBS 12.2
• Blocks redirects to any destination that is not listed (open-redirect protection)
• $FND_TOP/secure/allowed_redirects.conf
Apps Web - Allowed Redirects
#----------------
# List of hosts - use full host name
# host destination.example.com
#----------------
# host <REDIRECT HOST>.<REDIRECT DOMAIN>
#------------------------------------------------------------------
# List of domains. A <DOMAIN NAME> matches across hosts - for example
# domain example.com will match both host.internal.example.com and
# host.external.example.com
#------------------------------------------------------------------
# domain <REDIRECT DOMAIN>
#--------------------------------------------
# Server level profiles (site or server level)
#--------------------------------------------
profile APPS_SERVLET_AGENT # URL for JSP and Servlets
profile APPS_WEB_AGENT # URL for PL/SQL agent
profile APPS_FRAMEWORK_AGENT # URL for Self Service Applications entry point
profile APPS_AUTH_AGENT # URL for OAM integration using EBS AccessGate
profile APPS_SSO_POSTLOGOUT_HOME_URL # URL to redirect on logout
profile ICX_DISCOVERER_VIEWER_LAUNCHER # URL to launch Discoverer Viewer
profile ICX_DISCOVERER_LAUNCHER # URL directed to Discoverer Server
profile ICX_REPORT_LAUNCHER # URL for Report Launcher
profile ICX_FORMS_LAUNCHER # URL for the Forms Launcher
profile FND_OBIEE_URL # URL for Oracle Business Intelligence Suite
profile HELP_WEB_AGENT # Base URL for Applications Help
profile HELP_WEB_BASE_URL # Base location Applications Help System
profile APPS_LOGICAL_AGENT # Logical name for application tiers
profile APPS_PORTAL # URL for Portal
profile APPS_PORTAL_LOGOUT # URL for Portal Logout
# Product team profiles
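The two allowlist files above share one shape (comment lines, include lines, one entry per line), and the questions an Apps DBA asks of them are the same: is this JSP reachable, and may the application redirect there? The following is an added example, not Oracle's code and not the logic of the real URL firewall. It reads both formats and answers those two questions for the constructed samples embedded in it. Assumptions, labelled as such in the code: JSP paths match exactly (no wildcards); a domain entry matches the domain itself and any sub-domain on a dot boundary; a profile entry contributes the host of that profile option's URL, supplied here as a constructed dict; a relative redirect with no host is treated as staying on the same server; the hostnames, profile values and the HR JSP path are invented.

```python
"""Added example (not Oracle code): read EBS-style allowlist files and
decide whether a request path or a redirect target is permitted.

Assumptions, labelled as such: comments start with '#', 'include' pulls in
another file from the same directory (here an in-memory dict standing in
for $FND_TOP/secure), JSP paths must match exactly (no wildcards), a
'domain' entry matches the domain itself and any sub-domain, a 'profile'
entry resolves to the host of that profile option's URL, and a relative
redirect (no host) is treated as staying on this server. How Oracle's own
URL firewall normalises paths is not modelled.
"""
from urllib.parse import urlsplit

# Constructed sample files (not copied from a real $FND_TOP/secure).
SAMPLE_FILES = {
    "allowed_jsps.conf": """\
# constructed extract of allowed_jsps.conf
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/OAFrame.jsp
include allowed_jsps_HR.conf
""",
    "allowed_jsps_HR.conf": """\
/OA_HTML/jsp/hr/Example.jsp    # constructed path, not a real HR JSP
""",
    "allowed_redirects.conf": """\
host destination.example.com
domain example.com
profile APPS_FRAMEWORK_AGENT   # URL for Self Service Applications entry point
profile FND_OBIEE_URL          # not set on this sample system, so skipped
""",
}

# Constructed profile option values; on a real system they come from the
# site/server level values of these profile options.
SAMPLE_PROFILES = {
    "APPS_FRAMEWORK_AGENT": "https://ebs.corp.internal:4443/OA_HTML/",
}


def _entries(name, files, seen=None):
    """Yield (keyword, rest) per non-comment line, following 'include' lines."""
    seen = set() if seen is None else seen
    if name in seen:                     # guard against include loops
        return
    seen.add(name)
    if name not in files:
        raise FileNotFoundError(name)
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if keyword == "include":
            yield from _entries(rest, files, seen)
        else:
            yield keyword, rest


def load_allowed_jsps(files, name="allowed_jsps.conf"):
    """Set of permitted request paths (each line is a bare path)."""
    return {keyword for keyword, _ in _entries(name, files)}


def jsp_allowed(request_path, allowed):
    """Exact match on the path component; the query string is ignored."""
    return urlsplit(request_path).path in allowed


def load_allowed_redirects(files, profiles, name="allowed_redirects.conf"):
    """Return (hosts, domains) from host/domain/profile entries."""
    hosts, domains = set(), set()
    for keyword, rest in _entries(name, files):
        if keyword == "host":
            hosts.add(rest.lower())
        elif keyword == "domain":
            domains.add(rest.lower().lstrip("."))
        elif keyword == "profile":
            url = profiles.get(rest)      # an unset profile contributes nothing
            host = urlsplit(url).hostname if url else None
            if host:
                hosts.add(host.lower())
    return hosts, domains


def redirect_allowed(target, hosts, domains):
    """True if the target's host is an allowed host or lies within an allowed
    domain. The suffix test requires a dot boundary, so 'domain example.com'
    does not admit 'notexample.com'; protocol-relative '//host/...' targets
    are parsed to a host and checked like any other."""
    host = urlsplit(target).hostname
    if host is None:
        return True                       # relative redirect (assumption)
    host = host.lower()
    if host in hosts:
        return True
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    jsps = load_allowed_jsps(SAMPLE_FILES)
    hosts, domains = load_allowed_redirects(SAMPLE_FILES, SAMPLE_PROFILES)
    for path in ("/OA_HTML/AppsLocalLogin.jsp?langCode=US",
                 "/OA_HTML/jsp/fnd/fndhelpbuilder.jsp"):
        print(path, "->", "allowed" if jsp_allowed(path, jsps) else "blocked")
    for url in ("https://host.internal.example.com/", "https://notexample.com/",
                "//evil.test/"):
        print(url, "->", "allowed" if redirect_allowed(url, hosts, domains) else "blocked")
```

Run it against a copy of your own `allowed_jsps.conf` and `allowed_redirects.conf` by replacing the two constructed dicts with file contents and the profile values pulled from the database; anything your users legitimately reach that comes back "blocked" is what would break when the firewall is enabled, and a `domain` entry that admits more than you intended shows up just as quickly.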
Apps Web - Cookie Domain Scoping
• Limits the domain the EBS session cookie is sent to, so it is not shared with every host under the same parent domain
• Reduces the chance of the session cookie being captured by another application in that domain
• Controlled by profile option - Oracle
Applications Session Cookie Domain
• Set this to HOST for DMZ
Apps – Password Hashing
SQL> select ENCRYPTED_FOUNDATION_PASSWORD, ENCRYPTED_USER_PASSWORD
  2  from fnd_user where user_name = 'SYSADMIN';
• In the default mode these columns hold reversibly encrypted values, not hashes, so the APPS password can be derived from them by anyone who can read FND_USER and knows one application user's password; the non-reversible hash mode on the next slide removes that exposure
Apps – New Password Hash
• Enable non-reversible hashing for passwords
• SHA-1 is replaced by SHA-256, SHA-384 and SHA-512
• Use the AFPASSWD utility to migrate to the new, stronger hash algorithms
• Check which mode is in effect:
SQL> select FND_WEB_SEC.GET_PWD_ENC_MODE from dual;
Apps – Harden Passwords
Apps – Password handling
• Use the secureapps option of the startup and shutdown scripts
• Avoids using the APPS database account for routine start and stop
• Allows separation of duties
Apps - TLS
• Enable TLS between the web server and the client browser
• TLS is the successor to SSL; TLS 1.2 is the currently recommended protocol
• Make sure SSLv2 and SSLv3 are disabled:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
• Note that "All -SSLv2 -SSLv3" still leaves TLS 1.0 and 1.1 enabled; once every client and the OHS release in use support it, restricting SSLProtocol to TLSv1.2 is the stronger setting
• SHA-1 based certificates are deprecated; migrate to SHA-2 based certificates
• Let's Encrypt - free certificates
https://blog.pythian.com/using-letsencrypt-certs-oracle-e-business-suite/
Apps - DMZ
• Activate Server Security - Secure Flag
in DBC
• Set the NODE_TRUST_LEVEL profile
for Server
• Restrict Responsibilities by setting
Responsibility Trust Level profile at
resp level
DB – Encrypt SQL Traffic
• As of Oracle E-Business Suite Release 12, all components are encryption compatible
• Native network encryption (formerly the separately licensed Advanced Networking Option, ANO) is now included with the database at no extra cost
• Just add these two lines to $TNS_ADMIN/sqlnet_ifile.ora on the database tier:
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, 3DES168)
• REQUIRED refuses any client that has no algorithm in common with the server, so test with REQUESTED first where old clients exist; drop 3DES168 once nothing needs it, and add SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED as well, since encryption alone does not detect tampering
Apps security references
• Security Configuration and Auditing Scripts for
Oracle E-Business Suite (Doc ID 2069190.1)
–Set of SQL and shell scripts that generate
report of different areas to secure
• Secure Configuration Console
–Functional administrator > Configuration
Manager tab
• Oracle E-Business Suite Security Guide,
Release 12.2
balla@pythian.com
@r12dba
slideshare.net/vasuballa