1 Copyright © 2012, Oracle and/or its affiliates. All rights reserved.

The Top 10 (Free) Things You Can Do to Secure Your Oracle E-Business Suite Instance
Eric Bing
Applications Product Security



The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda

 Deployment and Configuration
 Secure Configuration Scripts
 Top 10: 1-5
 Top 10: 6-10
 Top 10: Bonus
– Credit Card Encryption
 E-Business Suite template for Data Masking Pack



Deployment and Configuration



Secure E-Business Suite Deployment

 General EBS advice
– Stay current with patching
 Apply Critical Patch Updates (CPUs) + Security Alerts
– Patch Set Updates (PSUs) are an option for techstack
 Apply most recent maintenance pack (yes, security improves as well)
– Follow our recommendations for secure deployment
 Secure Configuration Guide for Oracle E-Business Suite
 Oracle E-Business Suite Configuration in a DMZ
Note: Follow this if deploying any parts of EBS to the Internet



E-Business Suite Secure Configuration Guides
(previously known as “Best Practice” documents)

Release 11i, MOS Note 189367.1

Release 12, MOS Note 403537.1



E-Business Suite Secure Configuration Guides

 Advice for security-related “switches” to set/verify
 Many recommendations automated via AutoConfig and Oracle Application Manager (OAM)
 Advice also provided for optional security-related products (such as database options)
 Guidelines are based upon current patch levels
– 11.5.10 and up – 12.0.6 and up – 12.1.2 and up
 Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice



Secure Configuration Scripts

 Current State vs Recommendations
– ERRORS – Likely vulnerable to issues
– WARNINGS – Likely violating Secure Config Guidelines
 Run anywhere
– Scripts attempt to identify code level when required
– Any supported version of EBS
– Any supported version of the DB



Secure Config Scripts

 Packaged as SQL and Shell scripts
– EBSSecConfigChecks.sql – runs all (12) other SQL scripts
 Compiles them into a single report
 Script comments often have hints for resolution
– EBSCheckModSecurity.sh – shell script
 Ongoing “Health Checks” to ensure critical security functionality
– Run them early and often…
– Once you have a baseline, check for diffs
 Roadmap: Online Dashboard with alerts



Top Ten



What makes the “Top 10” cut?
Biggest bang for the buck
 Most common issues seen at customer sites
 Not as well known / new features
 Least effort
 Applicable to many releases
 Free



Top 10: Items 1-5

1. Check Profile Settings
2. Change Default Passwords
3. Secure APPLSYSPUB
4. Activate Server Security
5. Implement IP address restrictions



1. Profile Settings
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
 Check script - EBSCheckProfilesMissing.sql
– Reports on missing profiles
 Check script - EBSCheckProfileErrors.sql
– Reports on configuration errors
 Check script - EBSCheckProfileWarnings.sql
– Reports on configuration warnings



Missing Profiles
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
 Check script - EBSCheckProfilesMissing.sql
 Server Security (discussed in detail later)
FND_SERVER_SEC / FND_SERVER_IP_SEC missing:
– Patch#12715586:R12.FND.A delivers these missing profiles for R12.0.4+
– Patch#12715586:R12.FND.B delivers these missing profiles for R12.1.1+
 Attachments Secure Configuration (discussed later)
FND_SECURITY_FILETYPE_RESTRICT_DFLT /
FND_DISABLE_ANTISAMY_FILTER
– Introduced with January 2012 CPU



Profiles – Configuration Errors
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
 Check settings of critical profile options (profile: required value)
– FND Validation Level: Error
– FND Function Validation Level: Error
– Framework Validation Level: Error
– Restrict Text Input: Y
– Attachments Secure Configuration (discussed later)
 “Validation Level” Profiles will be removed in 12.2



Profiles – Configuration Warnings
Note 946372.1 “Secure Configuration of E-Business Suite Profiles”
 Check settings of profile warnings (profile: recommended value)
– FND Diagnostics: No
– Utilities Diagnostics: No
– Personalize Self-service Defn: No
– Attachments Secure Configuration (discussed later)



2. Default Passwords
E-Business Suite User Passwords
 Check script - EBSCheckUserPasswords.sql
– Checks EBS User passwords for default passwords
 Secure seeded application accounts, end date, and change password
 See the Secure Configuration Guide
– Oracle E-Business Suite Security / Authentication



2. Default Passwords
Database Passwords
 Check script - EBSCheckDBPasswords.sql
– Checks User and DB passwords
select * from dba_users_with_defpwd (11g only)
 Fix using:
– AFPASSWD / FNDCPASS – APPS controlled accounts
– Password / alter user… - for non-APPS controlled
accounts
 The Secure Configuration Guide – Appendix C lists each user and
provides advice



3. Secure APPLSYSPUB

 Change password
– Only in R12
– Must run AutoConfig to populate the change to configuration files
– APPLSYSPUB password must always be uppercase (even if Case Sensitive Passwords have been turned on)



3. Secure APPLSYSPUB
SCG - REVOKE UNNECESSARY GRANTS GIVEN TO APPLSYSPUB
 Check script - EBSCheckApplsyspubPrivs.sql
– Check privileges
 Fix privs:
– Run $FND_TOP/patch/115/sql/afpubfix.sql



4. Activate Server Security
Secure Config Guide - ACTIVATE SERVER SECURITY
 Check script - EBSCheckServerSecurity.sql
select 'Server Security is on'
from FND_NODES
where server_address = '*' and server_id = 'SECURE';

 Switch “Server Security” to SECURE mode
 System Administrators Guide, Administering Server Security



“Server Security” feature
Sample DBC file created by AdminAppServer or AdminDesktop
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=AC70BE2E89CAC15F…64235254236135131826220
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\:oracle\:thin\:@(DESCRIPTION\=(ADDRESS\=(PROTOCOL\=tcp)(HOST\=pdb1213.example.com)(PORT\=1521))(CONNECT_DATA\=(SERVICE_NAME\=PROD)))
JDBC\:oracle.jdbc.maxCachedBufferSize=358400



Using AdminDesktop
Use AdminDesktop to create DBC files for non-EBS nodes
 Non-EBS nodes are BPEL and WebService nodes
– Create the DBC file on an EBS AppTier node
– Create it to be IP Address specific
– Maintain mode 600 while creating and copying to the recipient node
 Documented in Note: 974949.1 "AppsDataSource, Java Authentication and Authorization Service, and Utilities for Oracle E-Business Suite".
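A small audit script for the points made on the last two slides: it parses a DBC file (Java properties syntax, so the `\:` and `\=` escapes in APPS_JDBC_URL must be undone), checks that the file mode is 600 and that the node carries an APPL_SERVER_ID, and flags a GUEST_USER_PWD still at the seeded value. Added example, not Oracle's AdminDesktop or AdminAppServer code; the sample DBC content, including the APPL_SERVER_ID placeholder, is constructed.

```python
import os
import re
import tempfile

# Constructed sample shaped like the slide's DBC file; APPL_SERVER_ID is a placeholder.
SAMPLE_DBC = """\
GWYUID=APPLSYSPUB/PUB
GUEST_USER_PWD=GUEST/ORACLE
FNDNAM=APPS
APPL_SERVER_ID=0123456789ABCDEF0123456789ABCDEF
TWO_TASK=PROD
DB_PORT=1521
DB_HOST=pdb1213.example.com
APPS_JDBC_URL=jdbc\\:oracle\\:thin\\:@(DESCRIPTION\\=(ADDRESS\\=(PROTOCOL\\=tcp)(HOST\\=pdb1213.example.com)(PORT\\=1521))(CONNECT_DATA\\=(SERVICE_NAME\\=PROD)))
JDBC\\:oracle.jdbc.maxCachedBufferSize=358400
"""

def parse_dbc(text):
    """Java-properties style: first unescaped '=' or ':' splits key/value."""
    props = {}
    unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^=:\s\\])+)\s*[=:]?\s*(.*)", line)
        if m:
            props[unescape(m.group(1))] = unescape(m.group(2))
    return props

def audit_dbc(path):
    """Return a list of findings for one DBC file (empty = nothing to report)."""
    findings = []
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        findings.append("mode %o: readable by group/others, keep DBC files at 600" % mode)
    with open(path, encoding="utf-8") as fh:
        props = parse_dbc(fh.read())
    if not props.get("APPL_SERVER_ID"):
        findings.append("APPL_SERVER_ID missing: node not registered for Server Security")
    if props.get("GUEST_USER_PWD", "").upper() == "GUEST/ORACLE":
        findings.append("GUEST_USER_PWD is the seeded default value, change it")
    return findings

def demo():
    """Write the sample, then audit it at mode 644 and again at mode 600."""
    fd, path = tempfile.mkstemp(suffix=".dbc")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_DBC)
    results = []
    for mode in (0o644, 0o600):
        os.chmod(path, mode)
        results.append(audit_dbc(path))
    os.unlink(path)
    return results
```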



5. Implement IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations…
 Use a whitelist of IP addresses
 Profile: Allow Restricted (FND_SQLNET_ACCESS)
– Tells autoconfig to automate this when run on the DB server
 $TNS_ADMIN/sqlnet.ora:
– tcp.validnode_checking = YES
– tcp.invited_nodes = ( X.X.X.X, hostname, ... )



5. Implement IP address restrictions
387859.1: Using AutoConfig to Manage System Configurations…
 No automated check via scripts
 Manual check from a node not in white list
– Should get a hang up:
bash$ telnet ebs.example.com 4443
Trying 115.X.X.X...
Connected to ebs.example.com
Escape character is '^]'
Connection closed by foreign host.
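Since the deck offers no scripted check for this item, here is an added example (not part of the deck or any Oracle script) that reads the two sqlnet.ora parameters from the previous slide, reports when they are not set as recommended, and evaluates whether a given client IP or hostname would be admitted. The node values are constructed, and the matcher models exact IP/hostname entries only, not Oracle's full valid-node syntax.

```python
import re

# Constructed sqlnet.ora fragment in the form the slide shows; node values are placeholders.
SAMPLE_SQLNET = """
# valid node checking as pushed by AutoConfig on the DB tier
tcp.validnode_checking = YES
tcp.invited_nodes = ( 10.0.1.10,
                      10.0.1.11,
                      apps01.example.com )
"""

def parse_sqlnet(text):
    """Return {lower-cased parameter: value}; a '( a, b )' value becomes a
    list of strings. '#' starts a comment."""
    text = re.sub(r"#.*", "", text)
    params = {}
    for m in re.finditer(r"([\w.]+)\s*=\s*(\([^)]*\)|\S+)", text):
        key, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("("):
            params[key] = [v.strip() for v in raw[1:-1].split(",") if v.strip()]
        else:
            params[key] = raw
    return params

def audit_sqlnet(params):
    """Findings against the slide's two settings (empty = as recommended)."""
    findings = []
    if str(params.get("tcp.validnode_checking", "")).upper() != "YES":
        findings.append("tcp.validnode_checking is not YES: listener accepts any source")
    if not params.get("tcp.invited_nodes"):
        findings.append("tcp.invited_nodes is empty: no whitelist is applied")
    return findings

def client_allowed(params, client):
    """Whitelist decision for one client IP or hostname. With checking off
    every client connects; with it on, only invited nodes do (an absent
    invited list denies nothing by itself)."""
    if str(params.get("tcp.validnode_checking", "")).upper() != "YES":
        return True
    invited = [n.lower() for n in params.get("tcp.invited_nodes", [])]
    return not invited or client.lower() in invited
```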



Top 10: Items 6-10

6. Migrate to Password Hashing
7. Enable Application Tier Secure Socket Layer (SSL)
8. Move Off of Client/Server Components
9. Secure Configuration of Attachments
10. Turn on ModSecurity



6. Migrate Oracle Applications User Passwords to Non-Reversible Hash Password
MOS Note 457166.1 - FNDCPASS Utility New Feature…
 Check script - EBSCheckHashedPasswords.sql
select 'Hashed passwords are not on' "Password Mode"
from dual where FND_WEB_SEC.GET_PWD_ENC_MODE is null;
 Switch to hashed passwords for applications users (Note 457166.1)
– FNDCPASS apps/apps 0 Y system/manager USERMIGRATE SHA1
 Upgrade any desktop clients FNDPUB DLL/Libraries
– Discoverer, Configurator, Desktop ADI…
– Or even better, replace these with their web variant



7. Enable SSL/TLS for web listener
Note 376700.1 Enabling SSL for Oracle Applications Release 12
 Check script - EBSCheckSSL.sql
– Checks via FND_WEB_CONFIG.PROTOCOL
 Enable SSL (https) for web listener
 Avoid weak ciphers and protocols (<128 bit & SSLv2)
 Using Telnet Mobile Web Apps?
– Mechanism for securing MWA Telnet communication via Stunnel (Note 1493091.1)



8. Move off of client/server components

 End User PCs should not have a direct DB connection


 Switch to equivalent Web components when possible
– Desktop ADI -> Web ADI and Report Manager
 Put client/server components on a secured server (Note 277535.1)
– Windows Server Terminal Services
– Secure Global Desktop
 Users should not be able to access the DBC file directly



9. Secure Configuration of Attachments

 Check script – Part of the profile checks


 File Upload Limits for Attachments
 Attachments file type validation
 Tag scanning of HTML Attachments



File Upload Limits for Attachments
Note 604458.1 - How to Limit The Attachment File Size?
 Allowing unlimited attachment sizes can allow for a Denial of Service attack (DoS)
 Profile: Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT)
– Limits the maximum Attachment file size that can be uploaded
– Specified in KB (e.g. 2000KB)



Attachments File Type Validation
Note 1357849.1 - Security Configuration Mechanism in Attachments
Delivered as part of January 2012 CPU
 Profile: Attachment File Upload Restriction Default
– Yes (default): Blacklist behavior – Disallow types marked as ‘N’
– No (recommended): Whitelist behavior – Only allow types marked as ‘Y’
 Attachments file type validation
New column - FND_MIME_TYPES.ALLOW_FILE_UPLOAD – values N & Y
Configured by default as a “black list”
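Added example, not EBS code, that replays constructed upload records against a stand-in for the FND_MIME_TYPES.ALLOW_FILE_UPLOAD column under both settings of the profile above (internal name FND_SECURITY_FILETYPE_RESTRICT_DFLT, as listed on the Missing Profiles slide). It shows why the whitelist setting is the recommended one: a content type with no row at all passes the default blacklist but is blocked by the whitelist.

```python
# Constructed stand-in for FND_MIME_TYPES: mime type -> ALLOW_FILE_UPLOAD.
MIME_TYPES = {
    "application/pdf": "Y",
    "image/png": "Y",
    "text/plain": "Y",
    "text/html": "N",
    "application/x-msdownload": "N",
}

# Constructed upload records: "<user> <filename> <content-type>".
UPLOAD_LOG = """\
jsmith invoice_0423.pdf application/pdf
jsmith setup.exe application/x-msdownload
mlee notes.html text/html
mlee macro.xlsm application/vnd.ms-excel.sheet.macroEnabled.12
"""

def upload_allowed(mime_type, restriction_default, table=MIME_TYPES):
    """restriction_default is the profile value:
    'Y' = blacklist, only rows marked N are blocked, so unlisted types pass;
    'N' = whitelist, only rows marked Y pass, so unlisted types are blocked."""
    flag = table.get(mime_type)
    if restriction_default.upper() == "Y":
        return flag != "N"
    return flag == "Y"

def review_uploads(log, restriction_default, table=MIME_TYPES):
    """Replay the records under one profile setting; returns {filename: allowed}."""
    verdicts = {}
    for line in log.splitlines():
        _user, filename, mime_type = line.split()
        verdicts[filename] = upload_allowed(mime_type, restriction_default, table)
    return verdicts

def types_only_passing_blacklist(log, table=MIME_TYPES):
    """Content types in the records that the blacklist admits but the whitelist
    would block: exactly the unlisted types the default setting lets through."""
    seen = {line.split()[2] for line in log.splitlines()}
    return sorted(t for t in seen
                  if upload_allowed(t, "Y", table) and not upload_allowed(t, "N", table))
```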



Tag scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
Delivered as part of January 2012 CPU
 Tag scanning of HTML Attachments
 OWASP Antisamy – allows a specific (white list) of HTML tags
 Profile: FND: Disable Antisamy Filter
– False (default / recommended) – sanitize HTML pages

Message shown to the user after sanitization: “The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary.”



Tag scanning of HTML Attachments
Note 1357849.1 - Security Configuration Mechanism in Attachments
Warning: Antisamy scan requires the character set to be known:
 Can cause character set issues for binary attachments
– Fix (patch 14141465) will use meta tag or FND_NATIVE_CLIENT_ENCODING
 Need to take this patch up if you see character set issues in binary attachments



10. Ensure ModSecurity is on

 Check script - EBSCheckModSecurity.sh
– Usage: EBSCheckModSecurity.sh https://ebs.example.com:4443
– Shell script – not included in EBSSecConfigChecks.sql
 ModSecurity - Web Application Firewall apache module
– Part of iAS 1.0.2.2 and OHS 10.1.3
– Automatically configured
 ModSecurity blocks “bad” requests (black list) – can also white list
– Null bytes, directory crawling, URL encoding, UTF-8 encoding
– Stops “obviously bad” requests early



Top 10: Bonus

11. Encrypt Credit Card Data
12. Separation of Duties: Review Access To “Sensitive Administrative Pages”



11. Credit Card Encryption

 Check script - EBSCheckCCEncryption.sql
 1. Checks whether credit cards are encrypted in ‘Immediate’ mode
– Info on encryption - Payments User Implementation guide.
– For more info on PA-DSS compliance - Note 981033.1.



11. Credit Card Encryption
New features
 Check script - EBSCheckCCEncryption.sql
 2. Checks Supplemental Credit Card Data Encryption
– Encrypts expiration date and card holder name
– MOS Note 981033.1 - 'Payments 12.1.2 Release Notes'
 3. Enhanced Hashing
– Defends against brute forcing of hashes
– Concurrent program to rehash
– Patch 13114025:R12.IBY.B



12. Sensitive Administrator Functionality
Note 1334930.1 “Sensitive Administrative Pages in Oracle EBS”
 Security Administrator
– Control of access to pages and profiles
 Administrator / Developer Functionality
– Pages / profiles which allow for Application Development at Runtime
 SQL fragments, HTML fragments, OS commands
– Should be disabled, controlled, and audited in production environments
 Flexfield definitions
 Forms and Framework personalization…
– Designed-in SQL injections or XSS injections



12. Sensitive Administrator Functionality
Note 1334930.1 “Sensitive Administrative Pages in Oracle EBS”
 Identifies new categories of sensitive functionality:
– Oracle Forms-based Forms Controlled by Function Security (~40)
– HTML Pages Controlled by Function Security (~25)
– Pages and Forms Controlled by Profile Options (3)
– Pages Controlled by JTF Roles and Permissions (3)



12. Sensitive Administrator Functionality
Note 1334930.1 “Sensitive Administrative Pages in Oracle EBS”

 Check Script: EBSCheckSensitivePageAccess.sql
– Not called by default from EBSSecConfigChecks.sql
– SQL scripts drive off of page and form names (not functions)
– Slower, but ensures we pick up custom functions that include these
 Reduce and eliminate access to these pages by admins in production
 Use Fine Grained Auditing to audit the tables associated with these pages
