Oracle E-Business Suite Architecture
In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security, and value of the information protected. Each organization determines its own correct balance. To that end, we provide configuration guidance (practical advice) for securing Oracle's E-Business Suite.
The recommendations that follow cross three tiers of machines (desktop tier, application tier, and database tier) and fall into five categories:
Hardening covers the file system, programs, products, and configuration.
Network covers physical topology, firewalls, IP restrictions at web server and database listener.
Authentication covers account management, password management, and other account related activities.
Authorization covers restrictions to executables, data files, web pages, administrative tools, etc.
Audit covers configuration, on-going review, and purging.
We cover security for the database and listener, the application server, Oracle E-Business Suite, and individual desktops. We follow this with advice for hardening operating systems, including a sample Linux hardening procedure.
Some advice applies to the entire Oracle E-Business Suite deployment and the infrastructure in which it operates.
One of the principles of good security practice is to keep all software versions and patches up-to-date. Throughout this document, we assume an Oracle E-Business Suite maintenance level of release 12.2 or later. The latest version of AutoConfig (TXK) configures a system following advice from this document. It also contains a patch set checker to assist with patch application. So for many good reasons, including good security practice, move to the latest version of AutoConfig and Patch Tools (AD).
Keep both the Oracle E-Business Suite application tier and the database behind a firewall. In addition, place a firewall between the application tier and the database. The firewalls provide assurance that access to these systems is restricted to a known network route, which can be monitored and restricted, if necessary. As an alternative, a firewall router substitutes for multiple, independent firewalls.
The principle of least privilege states that users should be given the least amount of privilege needed to perform their jobs. Overambitious granting of responsibilities, roles, grants, etc., especially early in an organization's life cycle when people are few and work needs to be done quickly, often leaves a system wide open to abuse. Review user privileges periodically to confirm that they are still relevant to each user's current job responsibilities.
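As an added example of what such a periodic review can look like in practice (this is not code from the Oracle guide), the two queries below run against the E-Business Suite FND schema. The first lists active users who still hold a directly assigned responsibility but have not logged on for 90 days; the second lists everyone holding the "System Administrator" responsibility. The table and column names (FND_USER, FND_USER_RESP_GROUPS_DIRECT, FND_RESPONSIBILITY_TL) and the 90-day threshold are assumptions; verify them against your own release before relying on the output.

```sql
-- Added example, not from the Oracle guide. Run as APPS.
-- Table/column names are assumed from the FND schema; verify on your release.

-- Review 1: active users with an active direct responsibility and no logon
-- in the last 90 days (threshold is an assumption; pick your own).
SELECT u.user_name,
       r.responsibility_name,
       TRUNC(u.last_logon_date) AS last_logon,
       TRUNC(urg.start_date)    AS resp_granted
FROM   fnd_user u
       JOIN fnd_user_resp_groups_direct urg
         ON urg.user_id = u.user_id
       JOIN fnd_responsibility_tl r
         ON  r.responsibility_id = urg.responsibility_id
         AND r.application_id    = urg.responsibility_application_id
         AND r.language          = USERENV('LANG')
WHERE  (u.end_date   IS NULL OR u.end_date   > SYSDATE)
AND    (urg.end_date IS NULL OR urg.end_date > SYSDATE)
AND    (u.last_logon_date IS NULL OR u.last_logon_date < SYSDATE - 90)
ORDER  BY u.user_name, r.responsibility_name;

-- Review 2: who holds "System Administrator" at all. This list should be
-- short and every name on it should be justified by a current job role.
SELECT u.user_name,
       TRUNC(urg.start_date) AS granted
FROM   fnd_user u
       JOIN fnd_user_resp_groups_direct urg
         ON urg.user_id = u.user_id
       JOIN fnd_responsibility_tl r
         ON  r.responsibility_id = urg.responsibility_id
         AND r.application_id    = urg.responsibility_application_id
         AND r.language          = USERENV('LANG')
WHERE  r.responsibility_name = 'System Administrator'
AND    (urg.end_date IS NULL OR urg.end_date > SYSDATE)
AND    (u.end_date   IS NULL OR u.end_date   > SYSDATE)
ORDER  BY u.user_name;
```

Act on the findings through the supported interfaces (the Users form, or the FND_USER_PKG API) rather than by updating the FND tables directly, so that the change is recorded and the cached security data stays consistent.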
System security stands on three legs: good security protocols, proper system configuration, and system monitoring. Auditing and reviewing audit records address this third requirement. Each component within a system has some degree of monitoring capability. Follow audit advice in this guide and regularly monitor audit records.
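As an added illustration of "regularly monitor audit records" at the database tier (not code from the Oracle guide), the statements below use standard Oracle Database session auditing and then summarize the audit trail two ways: repeated failed logons by account and source host, and logons to the APPS schema from hosts other than the application tier. They assume the traditional audit trail (AUDIT_TRAIL set to DB or DB,EXTENDED, which requires a restart to change) on the 11g Release 2 database the guide assumes; the host names 'appsrv01' and 'appsrv02' and the threshold of five attempts are placeholders.

```sql
-- Added example, not from the Oracle guide. Run as a DBA.
-- Assumes AUDIT_TRAIL = DB or DB,EXTENDED on an 11g R2 database.

-- One-time setup: record every logon and logoff, successful or not.
AUDIT SESSION;

-- Review 1: repeated failed logons in the last 24 hours.
-- RETURNCODE 1017 = invalid username/password, 28000 = account locked.
SELECT username,
       userhost,
       returncode,
       COUNT(*)       AS attempts,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  timestamp  > SYSDATE - 1
AND    returncode <> 0
GROUP  BY username, userhost, returncode
HAVING COUNT(*) >= 5            -- threshold is a placeholder
ORDER  BY attempts DESC;

-- Review 2: successful APPS logons from hosts that are not the application
-- tier. The host list is a placeholder; use your own, and note that
-- USERHOST may carry a domain prefix depending on the client platform.
SELECT username, userhost, os_username, timestamp
FROM   dba_audit_session
WHERE  timestamp  > SYSDATE - 1
AND    returncode = 0
AND    username   = 'APPS'
AND    userhost NOT IN ('appsrv01', 'appsrv02')
ORDER  BY timestamp;
```

On a database where unified auditing is enabled instead, the equivalent records are in UNIFIED_AUDIT_TRAIL rather than DBA_AUDIT_SESSION; the review logic is the same.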
Oracle continually improves its software and documentation. Check this document regularly for revisions.
Oracle's Critical Patch Updates, security alerts, and bulletins are summarized at the following URL: https://www.oracle.com/security-alerts/.
This section provides an overview of the major differences in the technology stack and components between Oracle E-Business Suite Releases 11i, 12.0 or 12.1, and 12.2.
Oracle E-Business Suite Release 12 has updated the entire technology stack.
The table below summarizes the changes in Oracle E-Business Suite versions and highlights retired technology pieces.
| Release 11i | Releases 12.0 and 12.1 | Release 12.2 |
|---|---|---|
| 9iR2 (9.2.0.x) | 10g R2 (10.2.0.2.0) | 11g R2 (11.2.0.3) |
| IAS 1.0.2.2.2 + Developer 6i | Fusion Middleware | Fusion Middleware |
| OHS 1.0.2.2.2 (1.3.19 fork) | OHS 10.1.3 (1.3.34 fork) | OHS 11.1.1.6 (2.2.15 fork) |
| Forms 6i | Forms 10.1.2.0.2 | Forms 10.1.2.3 |
| Reports 6i | Reports 10.1.2.0.2 | Reports 10.1.2.3 |
| Tools Oracle_home: 8.0.6 | Tools Oracle_home: 10.1.2 | Tools Oracle_home: 10.1.2 |
| IAS Oracle_home: 1.0.2.2.2 | Java Oracle_home: 10.1.3 | OHS Oracle_home: 11.1.1.6 with JRockit 1.6.0-29 |
| JDBC 9 or 10 | JDBC 10.2.0 | JDBC 11.2 |
| JRE for Forms applet: Oracle JInitiator | JRE for Forms applet: JRE 1.6.0_x | JRE for Forms applet: JRE 1.6 or 1.7 |
Note that the versions listed are those that shipped with the initial, official release. Some of these versions may have gone out of support and been replaced with later point releases from the same overall release. For example, as of May 2019, the supported version for the OHS Oracle home is 11.1.1.9.
As of Oracle E-Business Suite Release 12, the file system layout changed. From a security perspective, the most interesting point is the introduction of INSTANCE_TOP, a new directory that holds instance-specific configuration files and log files. This gives a cleaner separation between code directories and directories holding instance-specific, variable data, so file permissions can be set more tightly on each. See the Oracle E-Business Suite Concepts Guide for more details.
This section describes key updates found in Oracle E-Business Suite Release 12.2.
Oracle E-Business Suite Release 12.2 introduces a dual application tier file system to support online patching. One file system is the runtime file system and the other one is the patching file system. This way the system can keep running from the runtime file system while the patching file system is being patched.
Oracle E-Business Suite Release 12.2 utilizes the Edition-Based Redefinition feature of the Oracle Database to support online patching by using the "editioning view."
Online patching removes the traditional clear separation between runtime and patchtime windows.
Another change in Oracle E-Business Suite Release 12.2 is that AutoConfig no longer manages the configuration of the Oracle Fusion Middleware components (OHS and WLS).
In Oracle E-Business Suite Release 12.2, many operations are performed using native Fusion Middleware (FMW) tools and procedures.
This means that following the initial install where configuration files are instantiated through the AutoConfig template files, subsequent modification for many files is performed interactively or scripted using FMW tools. Therefore, fixes/updates can no longer be provided as a patch to AutoConfig template files and instantiated by running AutoConfig.
In Oracle E-Business Suite Release 12.2, the various tech stack components are new enough that each has its own Secure Configuration Guide. As part of "going native," you will have to become familiar with these product-specific security guides as well.