12.2 secure configureconsole_adop_changes_aioug_appsdba_nov17

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Oracle E-Business Suite R12.2: Secure
Configuration Console and ADOP changes
Shyam Sundar Rao (Senior Principal Developer, EBS Release Engineering)
Chowdari Mathukumilli (Principal Developer, EBS Release Engineering)
November 04, 2017

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

1
2
3
4
Secure Configure Console

Agenda for Secure Configuration Console
Secure Configuration Console overview
Checks of Secure Configuration Console in 12.2
Additional new checks introduced in 12.2.7
Deep dive into few checks
Command line utility
Where to find more information
Q/A
1
2
3
4
5
6
7

Secure Configuration Console
EBS Users cannot login to the system
1
2
3
4
New

Automatic Assessment of your Environment by Sysadmin
1
2
3
4
New

Automatic Assessment of your Environment by Sysadmin
1
2
3
4
Configure or Acknowledge and Accept Warnings:
Your system will be locked down until the system
administrator configures or acknowledges the
recommended security configurations.
New

Automatic Assessment of Your Environment
1
2
3
4
•Review and implement secure
configuration recommendations from
a single dashboard.
•Access via the “Functional
Administrator” responsibility,
“Configuration Manager” tab
•Check your configuration
•Automatically configure items that
are out of compliance
•Checks are assigned a severity level
•Suppress checks that are not relevant
to your system

Manual/Autofixable and Failed/Passed Checks
1
2
3
Details: Manual and Autofixable checks
Details: Failed Configuration

Security Guideline Details for a Check
1
2
3
4

1
2
3
4
1. Default application users passwords have been changed to non-default values.
2. Attachment upload profiles are available and set correctly.
3. Critical profile values are set correctly.
4. Default database users default passwords have been changed to non-default values.
5. Forms blocking of bad characters on the web server is active.
6. Site level security profiles are available in the system.
7. ModSecurity on the web server is active.
8. Serversecurity (Secure Flag in DBC file) is enabled.
9. Allowed Redirects feature is enabled
10. APPLSYSPUB privileges are properly restricted.
11. Auditing profiles are set.
12. Cookie Domain scoping is configured.
13. Application user passwords have been migrated to hashed passwords.
14. HTTPS is enabled Confidential.
Oracle E-Business Suite Security Guide Release 12.2

Checks introduced in 12.2.7
1
2
3
4
1. Clickjacking protection is configured.
2. Diagnostic web page protection is configured.
3. PUBLIC role privileges are restricted.
4. Oracle Workflow generated emails that reference URLs in EBS require additional user authentication.
5. Allowed Resources feature is enabled.
6. Required whitelist configuration for the allowed resources feature is correct and up-to-date.
7. Recommended Database initialization parameters have been set.
8. Database profiles have been created in the EBS database for password management.
9. iRecruitment file upload security profile value is set.
10. Oracle Workflow Admin access is restricted.
10 Additional Checks for a Total of 24 Checks

Check: Attachment upload profiles are available and set correctly
1
2
3
4
• The Attachments feature are configured to restrict the file types that may be uploaded (actually, it restricts using a
blacklist of the file extensions that Windows considers as executables such as .COM,.EXE and so on).
• Profile Option Name: FND_SECURITY_FILETYPE_RESTRICT _DFLT
• Recommended Value: N
• Define maximum allowed size of an uploaded attachment
• Profile Option Name: UPLOAD_FILE_SIZE_LIMIT
• Recommended Value: As needed in (kb)
• Enable Antisamy HTML Filter
• This allows upload of a sanitized version of HTML documents such as resumes for iRecruitment.
• Profile Option Name: FND_DISABLE_ANTISAMY_FILTER
• Recommended Value: N

Check: Default application users passwords have been changed to non-default values
1
2
3
4
• Oracle ships seeded user accounts with default passwords that are recommended to be changed.
• Depending on product usage, some seeded accounts can or can not be disabled.
• Disable an application user account by setting the END_DATE for the account.
• Do not disable the GUEST user account.
• If the GUEST password is changed, set the AutoConfig variable s_guest_pass to the new value in the
context file before running AutoConfig. AutoConfig must be run to propagate the new password to
config files.
• The GUEST password must always be in UPPERCASE.
• Script “fnddefpw.sql” can be executed as “apps” user to list the seeded accounts that still have the default
password.

Check: Default database users default passwords have been changed to non-default values
1
2
3
4
• The application database instance contains default, open schemas with default passwords.
• These accounts and corresponding passwords are well-known, and they should be changed, especially
for a database to be used in a production environment.
• For Default database administration schemas we can make use of "alter user <SCHEMA> identified by
<NEW_PASSWORD>;“
• For Schemas common to all Oracle E-Business Suite products and associated with specific Oracle E-
Business Suite products we can make use of utility "FNDCPASS"

Check: Application user passwords have been migrated to hashed passwords
1
2
3
4
• Traditionally, Oracle E-Business Suite has stored the password of the application users in
encrypted form.
• Starting with release 12.0.4, it is possible to switch the Oracle E-Business Suite system to
store hashed versions of the passwords instead.
• Hence its recommended as part of secure configuration console check to change the
passwords.
• Use AFPASSWD/FNDCPASS utility to hash the password.
• IMPORTANT: This process is irreversible.

Check: Database profiles have been created in the EBS database for password management
1
2
3
4
• Implement Two Profiles for Password Management
• The database provides parameters to enforce password management policies.
• However, some of the database password policy parameters could lock-out the Oracle E-Business Suite.
• Because of this, we make specific recommendations for or against using certain management features
depending upon schema type.
• Create two database profiles:
• One for middle tier application schemas (“managed schemas”)
• One for all accounts used by individual database administrators to the second profile.
Password Parameters Application Profile Administrator Profile
FAILED_LOGIN_ATTEMPTS UNLIMITED 5
PASSWORD_LIFE_TIME UNLIMITED 90
PASSWORD_REUSE_TIME 180 180
PASSWORD_REUSE_MAX UNLIMITED UNLIMITED
PASSWORD_LOCK_TIME UNLIMITED 7
PASSWORD_GRACE_TIME UNLIMITED 14
PASSWORD_VERIFY_FUNCTION Recommended Recommended
Recommended Values

Check: PUBLIC role privileges are restricted
1
2
3
4
Check whether the PUBLIC role privileges are restricted.
• This checks whether unnecessary privileges to Oracle E-Business Suite object have been granted to the Oracle
Database PUBLIC role.
• Revoke unnecessary privileges from the PUBLIC role. Oracle E-Business Suite database objects should not
have privileges granted to the PUBLIC role.
• 'Create Index' should not be granted to PUBLIC

Check: Allowed Resources feature is enabled
1
2
3
4
• Allowed JSPs introduced in E-Business Suite 12.2.4
• Enabled by default in E-Business Suite ATG 12.2.7
• Rebranded to Allowed Resources in 12.2.6 with the following patches:
• ATG 12.2.6 (21900895:R12.ATG_PF.C.DELTA.6)
• TKX Delta 9 (25180736:R12.TXK.C.DELTA.9)
• ENABLE ALLOWED RESOURCES (24737426:R12.FND.C) - This patch will turn the Allowed Resources feature
ON.

Feature overview of Allowed Resources
1
2
3
4
• Defines whitelist of web allowed resources
• A whitelist is an explicit list of items that are allowed for access
• Enhancements to Allowed JSPs feature
• Whitelist resources including servlets and JSPs
• Prevents access to resources which are not used.
• Allows custom resources to ne defined in the list of allowed resources.
• Additional Features in 12.2.7
• Metadata now stored in the database (not in configuration files)
• New user interface
• With configuration metadata stored in the database, allowed resources configuration will be preserved
when upgrading and patching
• Whitelist configuration recommendations are provided based upon products used and underlying resource
usage
• Utilities to identify custom resources and populate usage data

Configuration overview of Allowed Resources
1
2
3
4
• Applying Patch 24737426:R12.FND.C delivers new profile
• "Security: Allowed Resources" (FND_SEC_ALLOWED_RESOURCES)
• The default value is CONFIG (Configured).
• This provides restricted access to the allowed resources as per the whitelisted resources listed in
the configuration files.
• The feature can be turned of by setting the profile option to “All”
• New profile overrides profile: Allow Unrestricted JSP Access (FND_SEC_ALLOW_JSP_UNRESTRICED_ACCESS)
• The profile is refreshed at the UPDATE_CHECK_INTERVAL rate. Its generally 60sec.

Feature overview of Allowed Resources
1
2
3
4
3 Levels of Granularity for Configuring Access through the UI
• If you are not using any products in a particular product family, ensure that the Enabled check box is not selected
in the Details section of the Product Family Configuration page.
• To restrict access at the product level, deny access to the appropriate product-level resources on the Product
Details tab in the Product and Common Resources section.
• To restrict access at the individual resource level, deny access to the resources in question by drilling down to the
Resource Details or denying access in Common Resources tab.

UI is accessible via the
Functional Administrator
responsibility  Functional
Administrator page 
Allowed Resources tab
Easily allow or deny access
to products and underlying
resources
A family name may be
selected from the left
menu to view the Product
Family Configuration
User Interface for Allowed Resources

Details section
Enabled check box
indicates whether or not
the product family
resources are used and
allowed.
Product and Common
Resources Details Section
Use this section of the page
to configure products.
12.2.7

Product and Common Resource Details  Product Details tab

Product and Common Resource Details  Common Resources Tab
12.2.7

Product and Common Resource Details  Product Details tab  Click on Product Name
12.2.7

Product Details tab  Click on Product Name  Used Tab
12.2.7

Evaluating Usage with Access Logs
Step 1. Generate Web Usage File - generate a summary of resources used in your instance.
• Download webusage.awk
– My Oracle Support Knowledge Document 2069190.1, Security Configuration and Auditing Scripts for Oracle E-
Business Suite, for the latest zip file containing the script
– Generates a summary of resources used from any available Apache access logs.
– This can then be leveraged using the WLDataMigration utility to identify custom resources as well as populate web
usage data.
– Execute the webusage.awk script againstyour Apache access logs:
$ cat access_log | tr '?' ' ' | awk -f webusage.awk > webusage.out
12.2.7

Populate Web usage data
Step 2. Populate Web Usage and Custom Configurations
•Populate web usage data or custom configuration with WLDataMigration
•The WLDataMigration utility provides the ability to identify and populate custom resources and web usage data from
your Apache access logs. It also allows you to populate that information, or migrate existing customization
configuration files, into the allowed resources repository.
•Execute Loader utility to populate web usage data for already seeded resources and generate CUSTOM.out for
unknown resources
$ java oracle.apps.fnd.security.resource.WLDataMigration MODE=seed INPUT_FILE=webusage.out
DBC=$FND_SECURE/<SID>.dbc
This mode allows you to leverage your existing Apache access logs to identify custom resources as well as
populate web usage data. It takes the webusage.out file as input which is generated via the webusage.awk script
described in the previous section. This mode also produces a CUSTOM.out file of potential custom resources.

Load Custom Configuration for Allowed Resources
Step 3 – Review CUSTOM.out and Load
• Option 1: Use the CUSTOM.out file generated from WLDataMigration
Review the CUSTOM.out file before uploading to ensure that entries are legitimate
$ java oracle.apps.fnd.security.resource.WLDataMigration MODE=custom INPUT_FILE=CUSTOM.out
• Option 2: Use the custom.conf file from prior configuration of Allowed JSPs or Allowed Resources feature.
$ java oracle.apps.fnd.security.resource.WLDataMigration MODE=custom INPUT_FILE=CUSTOM.conf

Command line utility
1
2
3
4
If a user with local system administrator privileges is not available, you can access the Secure Configuration Console by using the
following command line utility:
java oracle.apps.fnd.security.AdminSecurityCfg <APPS Username/APPS password[@<DB Host>] [-check|-fix|-status|-lock|-unlock]
[DBC=<DBC File Path>] [CODES=<code1>,<code2>,<code3>...]
This utility is provided for the following tasks:
• To take the system out of locked down mode.
• To compute the status of a certain configuration or all configurations.
• To configure a certain configuration or all configurations of type 'Autofixable'.
• To view the status of a certain configuration or all configurations.

Where to find more information ?
1
2
3
4
EBS Documentation and Training
– EBS 12.2 Information Center MOS Note 1581299.1
Includes link to the EBS Documentation Web Library
FAQ: Oracle E-Business Suite Security (MOS Note 2063486.1)
Oracle E-Business Suite Security Guide, Release 12.2 – Part# E22952
Security Configuration and Auditing Scripts for Oracle E-Business Suite (MOS Note 2069190.1)

Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 35
Program Agenda: ADOP and Rapid Install Changes
Service Name Change for Patch Edition FS
File System Synchronization
Improved Log Directory Structure
Rapid Install: Patching Stage Area
References
Q/A
1
2
3
4
5
6

New and Changed Features in ADOP

Service Name change for Patch Edition FS
• The Oracle Grid Infrastructure is required by Oracle Automatic Storage
Management (ASM), which can be used by Oracle Real Application
Clusters.
• The Grid Listener requires all registered service names to be unique.
• AD-TXK Delta 9 introduces full support for the Oracle Grid Listener used
by ASM.
• AD-TXK Delta 8 and earlier, the service name for connections to the
patch edition of the database was always 'ebs_patch'.
• In AD-TXK Delta.9, the service name to connect to the patch edition has
been changed to '<instance_name>_ebs_patch'.
37

Mandatory Steps for Migrating Service Name change
• Migrate changes from Application Tier to Database tier nodes (after AD-TXK
Delta patching cycle).
• On Run Edition File System
– Execute the admkappsutil.pl utility to create the appsutil.zip file in
<INST_TOP>/admin/out.
• $ perl <AD_TOP>/bin/admkappsutil.pl
• On Database tier nodes:
– Source the environment for RDBMS ORACLE_HOME
• Copy or FTP the appsutil.zip file to <RDBMS ORACLE_HOME>
• Uncompress appsutil.zip, under <RDBMS ORACLE_HOME>
– $ unzip -o appsutil.zip
• Run Autoconfig on Database Tier nodes
• Run Autoconfig on Run Edition File System
Confidential – Oracle Internal 38

Patch Service Rename: What to Know?
• Starting AD-TXK Delta.9, the service name to connect to the patch edition
has been changed to '<instance_name>_ebs_patch'.
• Mandatory to Update database tier with the latest patches post AD-TXK
Delta application.
• Avoid bouncing of Database during adop cycle for applying AD-TXK Delta.
• fs_clone to be run post AD-TXK Delta. If not, next prepare will
automatically run fs_clone.
39

• New prepare phase parameter (sync_mode) to control synchronization
behavior.
• adop phase=prepare sync_mode=(delta|patch) [default: patch]
– adop phase=prepare sync_mode=patch (default)
– adop phase=prepare sync_mode=delta (new file based)
• sync_mode=patch
– Default behavior.
– adop will synchronize the file systems by applying patches applied in the previous
patching cycle to the patch file system.

• sync_mode=delta
– As a faster alternative, you can specify the parameter/value pair sync_mode=delta to
synchronize the file systems by running a user-specified third-party file
synchronization (copy) utility.
– Delta style synchronization uses the file system synchronization command specified
in: $AD_TOP/patch/115/etc/delta_sync_drv.txt
– Only files changed in the previous patching cycle are synchronized
– The delta_sync_drv.txt file includes examples for setting up synchronization using
rsync on UNIX or RoboCopy on Windows
– Automatic support for customizations

Improved Log Directory Structure
• Improved structure of log directories
– Log directories organized in a logical hierarchical structure
• $ADOP_LOG_HOME/<session_id>/<execution_id>/<phase>/<node>/
– Consistent naming of top level log file
• adop.log
– Validation logs in a named directory
42
• $ADOP_LOG_HOME
– 120
‒20171020_152612
‒prepare
‒rws1401232
• $ADOP_LOG_HOME
– <session_id>
‒<execution_id>
–<phase>
‒<node>

• Patch 25525148 (Rapid install consolidated one-off bundle on top of
Startcd 51)
• To patch the stage area created using startCD 12.2.0.51 (Patch#22066363)
• Prerequisite: Create the stage area using startCD 12.2.0.51 and latest
Oracle E-Business Suite Release 12.2 Media Pack.
• Download and Unzip patch 25525148
• Execute patchRIStage.sh (patchRIStage.cmd in case of Windows); Provide
Rapid Install stage area as input parameter.

• Oracle E-Business Suite Maintenance Guide Release 12.2 – (Part#E22954)
• Applying the Latest AD and TXK Release Update Packs to Oracle E-Business
Suite Release 12.2 (Doc ID 1617461.1)
• Oracle E-Business Suite Applications DBA and Technology Stack Release
Notes for R12.AD.C.Delta.10 and R12.TXK.C.Delta.10 (Doc ID 2295390.1)
• Oracle E-Business Suite Setup Guide, Release 12.2 – (Part#E22953)
• Oracle E-Business Suite Installation Using Rapid Install Guide –
(Part#E22950)
Where to find more information ?

1
2
3
4

12.2 secure configureconsole_adop_changes_aioug_appsdba_nov17

12.2 secure configureconsole_adop_changes_aioug_appsdba_nov17

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 12.2 secure configureconsole_adop_changes_aioug_appsdba_nov17

Similar to 12.2 secure configureconsole_adop_changes_aioug_appsdba_nov17 (20)

Recently uploaded

Recently uploaded (20)

12.2 secure configureconsole_adop_changes_aioug_appsdba_nov17