Overview of Secure Configuration

About Oracle E-Business Suite Secure Configuration

Oracle E-Business Suite Architecture

the picture is described in the document text

In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security, and value of the information protected. Each organization determines its own correct balance. To that end, we provide configuration guidance (practical advice) for securing Oracle's E-Business Suite.

The recommendations that follow cross three tiers of machines (desktop tier, application tier, and database tier) and fall into five categories:

We cover security for the database and listener, the application server, Oracle E-Business Suite, and individual desktops. We follow this with advice for hardening operating systems including a sample Linux hardening.

System-Wide Advice

Some advice applies to the entire Oracle E-Business Suite deployment and the infrastructure in which it operates.

Keeping Software Up-to-Date

One of the principles of good security practice is to keep all software versions and patches up-to-date. Throughout this document, we assume an Oracle E-Business Suite maintenance level of release 12.2 or later. The latest version of AutoConfig (TXK) configures a system following advice from this document. It also contains a patch set checker to assist with patch application. So for many good reasons, including good security practice, move to the latest version of AutoConfig and Patch Tools (AD).

Restricting Network Access to Critical Services

Keep both the Oracle E-Business Suite application tier and the database behind a firewall. In addition, place a firewall between the application tier and the database. The firewalls provide assurance that access to these systems is restricted to a known network route, which can be monitored and restricted, if necessary. As an alternative, a firewall router substitutes for multiple, independent firewalls.

Following the Principle of Least Privilege

The principle of least privilege states that users should be given the least amount of privilege to perform their jobs. Over ambitious granting of responsibilities, roles, grants, etc., especially early on in an organization's life cycle when people are few and work needs to be done quickly, often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine relevance to current job responsibilities.

Monitoring System Activity

System security stands on three legs: good security protocols, proper system configuration, and system monitoring. Auditing and reviewing audit records address this third requirement. Each component within a system has some degree of monitoring capability. Follow audit advice in this guide and regularly monitor audit records.

Keeping Up-to-Date on Latest Security Information

Oracle continually improves its software and documentation. Check this document regularly for revisions.

Oracle's Critical Patch Updates, security alerts, and bulletins are summarized at the following URL: https://www.oracle.com/security-alerts/.

Differences Between Oracle E-Business Suite Releases

This section provides an overview of the major differences in the technology stack and components between Oracle E-Business Suite Releases 11i, 12.0 or 12.1, and 12.2.

Updated Technology Stack

Oracle E-Business Suite Release 12 has updated the entire technology stack.

The table below summarizes the changes in Oracle E-Business Suite versions and highlights retired technology pieces.

Differences Between Oracle E-Business Suite Versions
Release 11i Releases 12.0 and 12.1 Release 12.2
Database None None
9iR2 (9.2.0.x) 10g R2 ( 11g R2 (
Application Tier None None
IAS + Developer 6i Fusion Middle Ware Fusion Middle Ware
OHS (1.3.19 fork) OHS 10.1.3 (1.3.34 fork) OHS (2.2.15 fork)
jserv oc4j WLS (10.3.6)
modplsql -eliminated- -eliminated-
Forms 6i Forms Forms
Reports 6i Reports Reports
Tools Oracle_home: 8.0.6 Tools Oracle_home: 10.1.2 Tools Oracle_home: 10.1.2
IAS Oracle_home: Java Oracle_home: 10.1.3 OHS Oracle_home: with: jRocket 1.6.0-29
JDBC 9 or 10 JDBC 10.2.0 JDBC 11.2
Desktop Tier None None
JRE for Forms applet: Oracle Jinitiator JRE for Forms applet: JRE 1.6x._0x JRE for Forms applet: JRE 1.6 or 1.7

Note that the versions listed are those that shipped with the initial, official release. Some of these versions may have gone out of support and been replaced with later point releases from the same overall release. For example, as of May 2019, the supported version for the OHS Oracle home is

Modified Directory Structure

As of Oracle E-Business Suite 12, the way file systems are organized changed. From a security perspective, the most interesting point is the introduction of INSTANCE_TOP which is a new directory that contains instance specific configuration files and log files. This provides a cleaner separation of code directories and directories with instance specific and variable data. See the Oracle E-Business Suite Concepts Guide for more details.

Key Updates in Oracle E-Business Suite Release 12.2

This section describes key updates found in Oracle E-Business Suite Release 12.2.

Online Patching

Oracle E-Business Suite Release 12.2 introduces a dual application tier file system to support online patching. One file system is the runtime file system and the other one is the patching file system. This way the system can keep running from the runtime file system while the patching file system is being patched.

Oracle E-Business Suite Release 12.2 utilizes the Edition-Based Redefinition feature of the Oracle Database to support online patching by using the "editioning view."

Online patching removes the traditional clear separation between runtime and patchtime windows.

Use of Native Fusion Middleware Tools

Another change in Oracle E-Business Suite Release 12.2 is that AutoConfig no longer manages the configuration of the Oracle Fusion Middleware components (OHS and WLS).

In Oracle E-Business Suite Release 12.2, many operations are performed using native Fusion Middleware (FMW) tools and procedures.

This means that following the initial install where configuration files are instantiated through the AutoConfig template files, subsequent modification for many files is performed interactively or scripted using FMW tools. Therefore, fixes/updates can no longer be provided as a patch to AutoConfig template files and instantiated by running AutoConfig.

Native Tech-Stack Secure Configuration Guides

In Oracle E-Business Suite Release 12.2, the various tech stack components are so new at they have their own Secure Configuration Guide document. As part of "going native," you will have to become familiar with these product specific security guides as well.