Secure Configuration Console

Overview

The Secure Configuration Console automates the security configuration process, consolidates everything under one user interface, and creates a single checkpoint entry into the system. It ensures that high priority security configuration problems are reviewed, understood, and remediated, ensuring a secure Oracle E-Business Suite environment.

After you upgrade to the latest ATG_PF Release Update Pack, your system will be "locked down" until a local system administrator resolves or acknowledges the recommended security configurations in the Secure Configuration Console.

To access this console, a user must have a responsibility that includes the Applications System (OAM_APP_SYSTEM) function privilege, such as the seeded System Administration or System Administrator responsibilities, and must be registered as a local user with Oracle E-Business Suite. The administrator must log in to Oracle E-Business Suite using the local login page (http(s)://[host]:[port]/OA_HTML/AppsLocalLogin.jsp) to navigate to the console and unlock the system. If a user with local system administrator privileges is not available, you can access the Secure Configuration Console through a command line utility (described later in this section).

Once the system is unlocked for normal usage, the Secure Configuration Console is still available for administrators under the Functional Administrator responsibility.

Feature Overview

The Secure Configuration Console provides:

Restricted login
- Login into the system is completely restricted in "Locked Down" mode.
- Access to the system is provided by performing the recommended secure configuration or acknowledging secure configuration recommendations.
A single view of the system's security health
- Consolidated view of all security recommendations for different layers such as network, database, and application.
- View detailed descriptions of security configurations.
- Review the current status, severity level, and type (autofixable/manual) of security configurations.
- Provides complete picture of security health of the system.
Secure configuration management
- Analyzes the current state of the configuration.
- Resolves on-the-fly autofixable secure configurations as per Oracle E-Business Suite recommendations.
- Mute or unmute the configurations as per administrator choice.

Benefits

Automating the high priority security configuration process provides the following benefits:

Security threats are prevented by ensuring secured configuration of the system.
Security vulnerabilities can be resolved as entry into the system is prevented until it is reviewed for security configuration.
All high-priority Oracle E-Business Suite secure configurations are available to review in one place.
Manual configurations, which are cumbersome and error-prone, are minimized.
Management of configurations is quick and easy.

Using the Secure Configuration Console

There are two methods to access the Secure Configuration Console home page.

Using the Functional Administrator responsibility:

On the Oracle E-Business Suite home page, select the Functional Administrator responsibility in the Navigator pane. Then, on the Functional Administrator page, select the Configuration Manager tab.
Using the OAM Security Dashboard:

On the Oracle E-Business Suite home page, select System Administrator in the Navigator pane. Then select Oracle Applications Manager, then OAM Security Dashboard. On the dashboard, under the Configuration Management section is a link to the Secure Configuration Console.

The Secure Configuration Console bases its recommendations on recommended security guidelines. They are listed in more detail in the following section, Checked Security Guidelines.

You can search for a recommendation by guideline, code, configuration type, status, or level of severity in the Search section or by perusing through the table itself.

The following actions are available:

Check - Discover the status of selected guideline check before configuring
Fix - Resolve the status of a selected failed guideline check
Suppress - Mute guidelines that are not relevant to your system
Unsuppress - Unmute previously suppressed guidelines
Check All - Discover the status of all unsuppressed guidelines

Checked Security Guidelines

Updates to the checks performed by the Secure Configuration Console are delivered with Oracle E-Business Suite ATG Release Updates (RUPs) or Critical Patch Updates (CPUs). We highly recommend that you apply the latest ATG RUP or latest CPU to ensure that all recommended secure configuration checks are available for your environment. See the following My Oracle Support knowledge documents for more information:

Document 1583092.1 - E-Business Suite RUP, AD and TXK RUP Information, Release 12.2
Document 2484000.1 - Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12.2

If you are not running the latest release of the Secure Configuration Console, see Obsolete Secure Configuration Console Checks for Security Guidelines for obsolete checks which may still be running in your environment.

If any of the guidelines listed in the following table fail the secure configuration check, you can either fix or suppress the failure. For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.

The Secure Configuration Console currently checks the following high priority secure configuration guidelines:

Security Guidelines Checked by the Secure Configuration Console
Security Guideline	Description	Code	Severity	References
Allowed Resources Configuration (Release 12.2.7 and later)	Check whether the Allowed Resources feature is enabled.	FND_JSP_UNREST_ACC	1	Allowed Resources
Application Users Default Password	Check whether all application users' default passwords have been changed to non-default values.	FND_APPS_DEF_PSWD	1	Changing Passwords for Seeded Application User Accounts
Attachment File Type Profiles	Check whether attachment upload profiles are available and set correctly in the system.	FND_MISS_ATT_PROF	1	Securing Attachments
Clickjacking Protection (Release 12.2.7 and later)	Check whether clickjacking protection is configured.	CLICKJACK_PROTECTION	1	Using Certified HTTP Security Headers
Critical Security Profile Values	Check whether critical security profile values are set correctly at all levels (for example: site, responsibility, user).	FND_PROF_ERRORS	1	Setting Other Security-Related Profile Options
Database Users Default Passwords	Check whether all database users default passwords have been changed.	FND_DB_DEF_PSWD	1	Changing Default Installation Passwords My Oracle Support Knowledge Document 361482.1, Frequently Asked Questions about Oracle Default Password Scanner
Diagnostic Web Pages Protected (Release 12.2.7 and later)	Check whether diagnostic web page protection is configured.	DIAG_WEB_PAGE_PROTEC	1	Protecting Administrative Pages
Forms Blocking of Bad Characters	Check whether the Forms blocking of "bad" characters on the web server is active.	FND_FORMS_BLOCK_CHR	1	Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Forms Blocking of Bad Characters check.
Missing Server Security Profile	Check whether site level security profiles are available in the system.	FND_MISS_PROF	1	Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Missing Server Security Profile check.
ModSecurity Configuration	Check whether ModSecurity on the web server is active.	FND_MOD_SEC	1	Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed ModSecurity Configuration check.
Oracle E-Business Suite CPU Patch Level Check	Check whether the Oracle E-Business Suite Critical Patch Update patch in the system is greater or equal to the configured value of the FND_SEC_MIN_CPU_PATCH_LEVEL (FND: Minimum CPU Patch Level) profile option.	FND_MIN_CPU_LEVEL	1	My Oracle Support Knowledge Document 2484000.1, Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12
PUBLIC Privileges (Release 12.2.7 and later)	Check whether the PUBLIC role privileges are restricted.	FND_APPS_IND_PUBLIC	1	This checks whether unnecessary privileges to Oracle E-Business Suite object have been granted to the Oracle Database PUBLIC role. You should revoke unnecessary privileges from the PUBLIC role. Oracle E-Business Suite database objects should not have privileges granted to the PUBLIC role. Any privileges granted to the PUBLIC role from Oracle E-Business Suite objects should be revoked. Certain privileges, such as the ability to create indexes, can be leveraged for privilege escalation in the database and should be removed.
WebLogic Server Default Password (Release 12.2.9 and later)	Check whether WebLogic Server default password has been changed to a non-default value.	FND_WLS_DEF_PSWD	1	Change Password for WebLogic Server Admin User
Workflow Email Link Login (Release 12.2.7 and later)	Check whether Oracle Workflow generated emails that reference URLs in Oracle E-Business Suite require additional user authentication (login).	WF_EMAIL_LOGIN	1	Setting Workflow Notification Mailer SEND_ACCESS_KEY to N
APPLSYSPUB Privileges	Check whether APPLSYSPUB privileges are properly restricted.	FND_APPLSYSPUB	2	Revoking Unnecessary Grants Given to APPLSYSPUB
Activate Server Security	Check whether server security (Secure Flag in DBC file) is enabled.	FND_SERVER_SEC	2	Activating Server Security
Allowed Redirects	Check whether the Allowed Redirects feature is enabled.	FND_UNREST_REDIR	2	Allowed Redirects Configuring Allowed Redirects
Auditing Profile Values	Check whether the FND: Debug Log and Sign-on Audit profile values are set correctly.	FND_AUDIT_PROF	2	"Using Oracle Application Object Library Profile Options to Configure Logging," Oracle E-Business Suite Maintenance Guide "Page Access Tracking and Sign-On Audit," Oracle E-Business Suite Maintenance Guide Sign-On Audit
Cookie Domain Scoping Configuration	Check whether Cookie Domain Scoping is configured.	FND_COOKIE_DOM	2	Cookie Domain Scoping Using Certified HTTP Security Headers
Database Network Access Control List (Release 12.2.10 and later)	Check if Database Network Access Control List has been enabled.	SEC_DB_NETWORK_ACL	2	My Oracle Support Knowledge Document 2500511.1, Implementing Database Network Access Control Lists
Database Parameters (init*.ora) (Release 12.2.7 and later)	Check whether secure configuration recommended database initialization parameters have been set.	FND_INIT_ORA	2	Removing Operating System Trusted Remote Logon Removing Operating System Trusted Remote Roles Restricting Access to SQL Trace Files Limiting File System Access Within PL/SQL Limiting Dictionary Access
Database Password Profiles (Release 12.2.7 and later)	Check if secure configuration recommended database profiles have been created in the Oracle E-Business Suite database.	SEC_DB_PSWD_PROF	2	Implementing Two Profiles for Password Management
FND Generic File Manager (FNDGFM) Authorization Configuration	Check whether the system is compliant with the recommended configuration for FND Generic File Manager (FNDGFM) authorization.	FNDGFM_AUTH_CONFIG	2	My Oracle Support Knowledge Document 1357849.1, Security Configuration Mechanisms in the Attachments Feature in Oracle E-Business Suite
HTTPS Configuration	Check whether HTTPS is enabled.	FND_SSL_ENABLED	2	Using TLS to Encrypt Oracle E-Business Suite Connections
Hashed Passwords	Check whether application user passwords have been migrated to hashed passwords.	FND_PSWD_HASH	2	Switching to Hashed Passwords
iRecruitment File Upload Profile (Release 12.2.7 and later)	Check whether the iRecruitment File Upload profile (IRC: XSS Filter) value is set.	IREC_FILE_UPLOAD	2	Oracle iRecruitment Implementation and User Guide, Release 12.2
Unused Allowed Resources	Check whether unused resources are denied.	SEC_UNUSED_RESOURCES	2	It is recommended to deny access to resources which have not been used in a year. These can be viewed in the Management by Resource tab on the Allowed Resources user interface. For more information, see Allowed Resources.
Workflow Admin Access (Release 12.2.7 and later)	Check whether Oracle Workflow Admin access is restricted.	WF_ADMIN_NOT_PUBLIC	2	Ensuring You Know Who is a Workflow Admin

Updates to the checks performed by the Secure Configuration Console are delivered with Oracle E-Business Suite ATG Release Updates (RUPs). We highly recommend that you apply the latest ATG RUP to ensure that all recommended secure configuration checks are available for your environment. See My Oracle Support Knowledge Document 1583092.1, E-Business Suite RUP, AD and TXK RUP Information, Release 12.2, for more information.

If any of the guidelines listed in the previous table fail the secure configuration check, you can either fix or suppress the failure. For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.

Navigating Through the Secure Configuration Console

On the main screen of the console are four predefined filtered criteria in tiles added in Oracle E-Business Suite Release 12.2.10. Click on each tile to view the filtered guidelines in the table displayed.

Failed Guidelines - By default, this filter provides all Severity 1 and Severity 2 level failures, but not guideline checks that have been suppressed.
Passed Guidelines - This shows all guideline checks that have passed, but not those that have been suppressed.
Suppressed Guidelines - This shows all guideline checks that have been suppressed (or muted).
Unsuppressed Guidelines - This shows all guidelines that have not been suppressed. These are the security guidelines that are being checked.

The "Guidelines were last checked on" date above the left most tile is the date in which the security guidelines were checked against using the Secure Configuration Console.

Secure Configuration Console Main Page

the picture is described in the document text

You can further refine each tile's criteria by utilizing the Saved Search drop-down. The drop-down allows you to add additional filter criteria which displays in the Filter section on the left, where you can save your search for future use.

In the table on the main console page, click Check to compute the status of all configurations on your system against the selected guidelines. Click Check All to select and check all guidelines.

Once the status is computed, the guideline will display as either as Pass or Fail (green check mark or red X, respectively) in the Status column.

Click on the arrow in the Details column for more information as to why a certain configuration passed, failed, or produced an error during the configuration check.

Secure Configuration Console Checked Guidelines Table

the picture is described in the document text

To automatically remediate failed configuration checks, select guideline checks with a Failed status and of the type Autofixable and click Fix located at the top of the table to resolve the reported issues.

Click Suppress to mute selected guideline checks that are NOT applicable to your system. Suppressed guidelines will no longer be displayed, nor will they require further review in the console when deselecting the Muted Security Configuration checkbox.

Click Unsuppress to unmute the previously muted guideline checks.

Each security guideline is a link, which when clicked, opens a new page with a detailed description of the configuration requirement.

If the configuration requirement involves a manual fix, more information on the necessary manual steps can be found by clicking the link. For example, when clicking the "Database Password Profiles" link, the Security Guideline Details page is displayed, providing the security guideline description and detailed information about the check.

Security Guideline Details Page

the picture is described in the document text

As mentioned previously, until the recommended security configurations have been implemented or acknowledged by a local system administrator, the Secure Configuration Console will prevent entry into the system. Until then, users will see an error message when trying to log in which says: "Oracle E-Business Suite has been placed into locked-down mode. Please contact system administrator for further assistance."

Locked-Down Mode Error Message

the picture is described in the document text

When an Oracle E-Business Suite instance has been placed into locked-down mode, as soon as a user with system administrator privileges logs in the Secure Configuration Console will appear.

At this point, the system administrator should resolve or address any failed security guideline checks. When ready to unlock the instance, the system administrator should select either of the following options prior to clicking Proceed:

I am done with the security configurations.
Ignore the security configurations.

Once you click Proceed, the Oracle E-Business Suite instance is unlocked.

Command Line Utility

If a user with local system administrator privileges is not available, you can access the Secure Configuration Console by using the AdminSecurityCfg utility.

This utility is provided for the following tasks:

To take the system out of locked down mode.
To compute the status of a certain configuration or all configurations.
To configure a certain configuration or all configurations of type Autofixable.
To view the status of a certain configuration or all configurations.

To use the AdminSecurityCfg utility, use the following syntax which will then will prompt you for your <APPS Username> and <APPS password>. Note that all parameters can, if desired, be entered on the same command line; they are shown here on different lines (using the UNIX '\' continuation character) for clarity.

java oracle.apps.fnd.security.AdminSecurityCfg \
<-check|-fix|-status|-lock|-unlock> \
DBC=<DBC File Path> \
[CODES=<code1>,<code2>,<code3>...]

Where:

-check - Runs the utility in check mode. You can specify the configurations to check by adding [CODES=<code1>,<code2>,<code3>...] to the command. These correspond to the security guideline codes found in Security Guidelines.

For example: java oracle.apps.fnd.security.AdminSecurityCfg -check DBC=<DBC File Path> CODES=FND_DB_DEF_PSWD,FND_PROF_ERRORS

If you do not specify a CODES attribute, then the utility will check all configurations.

-fix - Runs the utility in fix mode. You can specify the configurations to fix by adding [CODES=<code1>,<code2>,<code3>...] to the command.

For example: java oracle.apps.fnd.security.AdminSecurityCfg -fix DBC=<DBC File Path> CODES=FND_UNREST_REDIR,FND_AUDIT_PROF

If you do not specify a CODES attribute, then the utility will fix all configurations of type Autofixable.

-status - Determines the status of all configurations. Specifying the CODES attribute is not necessary for this mode.

-lock - Places the system in locked down mode.

-unlock - Takes the system out of locked down mode.