Overview of Secure Configuration

About Oracle E-Business Suite Secure Configuration

In today’s environment, securing your computing infrastructure is essential. Effective security measures must carefully balance the risk of potential exposure, associated security costs, and the overall value of the protected information. Each organization will determine its own optimal balance based on specific needs and priorities. To support this process, we offer practical configuration guidance to help secure Oracle E-Business Suite.

The security recommendations in this guide address all layers of the three-tier architecture that make up an Oracle E-Business Suite installation. This architecture consists of:

The following diagram is an overview of the Oracle E-Business Suite architecture.

Oracle E-Business Suite Architecture

The recommendations in these next chapters generally fall into one of five categories:

We cover security for the database and listener, the application server, Oracle E-Business Suite, and individual desktops. We follow this with advice for hardening operating systems, including a sample hardening of Linux.

System-Wide Advice

Some advice applies to the entire Oracle E-Business Suite deployment and the infrastructure in which it operates.

Using the Secure Configuration Console

To help you review the most critical security configurations in your environment, you can use the Secure Configuration Console. This tool offers a centralized dashboard that allows you to assess whether your Oracle E-Business Suite environment meets key secure configuration guidelines.

Note: If you have not already done so, you should run the Secure Configuration Console now to assess your environment and then remediate any issues.

For more information, see Secure Configuration Console.

While many of the items documented in this guide are automatically configured and the Secure Configuration Console can help assess compliance with many of these recommendations, you should also review the documentation thoroughly to ensure compliance with all guidelines.

Keeping Software Up-to-Date

Keep your Oracle E-Business Suite environment up-to-date by patching and by applying Critical Patch Updates (CPUs) and fixes for Security Alerts.

Keep Your Oracle E-Business Suite Environment Up-to-Date with Patching

Security features and fixes are deployed regularly with patches delivered as one-off patches, cumulative updates (CUPs), Release Updates (RUPs), and Maintenance Packs (MPs).

For information on Oracle E-Business Suite features, see:

For more information on the latest Oracle E-Business Suite security features:

One of the basic principles of secure configuration is to keep all software up-to-date with the latest releases. Throughout this document, we assume the following:

Apply Critical Patch Updates and Fixes for Security Alerts

You must regularly review CPUs and Security Alerts. The primary program for the release of security fixes for Oracle E-Business Suite is the Critical Patch Update (CPU) program. CPUs are released on a quarterly basis. Security Alerts are released on an as-needed basis. Oracle always recommends applying all Critical Patch Update security patches and all fixes for Security Alerts without delay.

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Oracle E-Business Suite CPU Patch Level is the Expected Level or Later". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

For Oracle E-Business Suite Release 12.2, refer to:

For Oracle E-Business Suite Release 12.1.3 and 11i customers that have a Market Driven Support (MDS) contract, refer to the appropriate My Oracle Support article:

Restricting Network Access to Critical Services

Oracle E-Business Suite secure configuration deployment guidelines include the following:

Following the Principle of Least Privilege

The principle of least privilege states that users should be given the least amount of privilege needed to perform their jobs. Overambitious granting of responsibilities, roles, grants, and so on, especially early in an organization's life cycle when people are few and work needs to be done quickly, often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine their relevance to current job responsibilities.

Monitoring System Activity

System security is built on three key pillars: robust security protocols, proper system configuration, and ongoing system monitoring. Auditing and regular review of audit records are essential to effective monitoring. Each system component offers varying levels of monitoring features. To support strong security, follow the auditing recommendations in this guide and consistently review your audit records. For more information, see Guidelines for Auditing and Logging.

Keeping Up-to-Date on Latest Security Information

Oracle is committed to ongoing enhancements of its software and documentation. Designated individuals or teams within your organization should regularly review the following resources:

Oracle continually improves its software and documentation. Check this document regularly for revisions.

Oracle's Critical Patch Updates, security alerts, and bulletins are summarized at the following URL: https://www.oracle.com/security-alerts/.