In today's environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security, and value of the information protected. Each organization determines its own correct balance. To that end, we provide configuration guidance (practical advice) for securing Oracle's E-Business Suite.
The recommendations for securing your infrastructure cross the three-tier architecture that comprises an Oracle E-Business Suite installation. This architecture is made up of the desktop tier, which provides the user interface via an add-on component to a standard web browser; the application tier, which supports and manages the various Oracle E-Business Suite components, and is sometimes known as the middle tier; and the database tier, which supports and manages the Oracle database. The following diagram shows an overview of the Oracle E-Business Suite architecture.
Oracle E-Business Suite Architecture
The recommendations in these next chapters generally fall into one of five categories:
Hardening covers hardening the file system, programs, products, and configuration.
Network covers physical topology, firewalls, IP restrictions at web server and database listener.
Authentication covers account management, password management, and other account related activities.
Authorization covers restrictions to executables, data files, web pages, administrative tools, and so on.
Audit covers configuration, on-going review, and purging.
We cover security for the database and listener, the application server, Oracle E-Business Suite, and individual desktops. We follow this with advice for hardening operating systems including a sample Linux hardening.
Some advice applies to the entire Oracle E-Business Suite deployment and the infrastructure in which it operates.
One of the principles of good security practice is to keep all software versions and patches up-to-date. Throughout this document, we assume an Oracle E-Business Suite maintenance level of release 12.2 or later. The latest version of AutoConfig (TXK) configures a system following advice from this document. It also contains a patch set checker to assist with patch application. So for many good reasons, including good security practice, move to the latest version of AutoConfig and Patch Tools (AD).
Oracle E-Business Suite secure configuration deployment guidelines include the following:
Use separate network subnets.
Deploy Oracle E-Business Suite application tier nodes in one subnet and the Oracle E-Business Suite database tier nodes in a separate subnet. Using separate subnets creates greater security for your Oracle E-Business Suite environment.
Use firewalls.
Keep both the Oracle E-Business Suite application tier and database tier behind a firewall. In addition, place a firewall between the application tier and database tier.
The firewalls provide assurance that access to these systems is restricted to a known network route, which can be monitored and further restricted, if necessary. As an alternative, a firewall router substitutes for multiple, independent firewalls.
Use demilitarized zones (DMZ).
Follow the DMZ guidelines when exposing Oracle E-Business Suite to the internet. For more information, see My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ.
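The subnet and firewall guidelines above describe three invariants: desktops reach only the application tier, the application tier alone reaches the database tier, and there is no direct desktop-to-database path. The following added example (not from the guide) is a small policy checker that tests a set of firewall allow rules against those invariants; the subnets, the HTTPS port 443 and the listener port 1521 are constructed assumptions.

```python
"""Check firewall allow rules against the three-tier separation model.
Subnets, ports and rules are constructed sample values (assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # destination TCP port


# Assumed topology: one subnet per tier, as the guide recommends.
TIERS = {
    "desktop": ipaddress.ip_network("10.10.0.0/16"),
    "app": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}
# Assumed service ports: HTTPS into the web tier, Oracle listener into the DB tier.
ALLOWED_FLOWS = {("desktop", "app"): {443}, ("app", "db"): {1521}}


def tier_of(cidr: str) -> Optional[str]:
    """Map a CIDR to the tier whose subnet contains it, or None if unknown."""
    net = ipaddress.ip_network(cidr)
    for name, tier_net in TIERS.items():
        if net.subnet_of(tier_net):
            return name
    return None


def check_rules(rules: List[Rule]) -> List[str]:
    """Return one violation string per offending rule; [] means the policy holds."""
    problems = []
    for r in rules:
        src, dst = tier_of(r.src), tier_of(r.dst)
        if src is None or dst is None:
            problems.append(f"{r}: endpoint outside all known tiers")
        elif (src, dst) not in ALLOWED_FLOWS:
            problems.append(f"{r}: {src}->{dst} is not a permitted tier flow")
        elif r.port not in ALLOWED_FLOWS[(src, dst)]:
            problems.append(f"{r}: port {r.port} not allowed for {src}->{dst}")
    return problems


SAMPLE_RULES = [  # constructed rule set: two compliant rules, two violations
    Rule("10.10.0.0/16", "10.20.0.0/24", 443),    # desktop -> app over HTTPS
    Rule("10.20.0.0/24", "10.30.0.0/24", 1521),   # app -> DB listener
    Rule("10.10.5.0/24", "10.30.0.10/32", 1521),  # desktop -> DB: bypasses app tier
    Rule("10.20.0.0/24", "10.30.0.0/24", 22),     # app -> DB on a non-listener port
]

if __name__ == "__main__":
    for problem in check_rules(SAMPLE_RULES):
        print(problem)
```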
The principle of least privilege states that users should be given only the privileges they need to perform their jobs. Over-ambitious granting of responsibilities, roles, grants, and so on, especially early in an organization's life cycle when people are few and work needs to be done quickly, often leaves a system wide open for abuse. User privileges should be reviewed periodically to determine their relevance to current job responsibilities.
System security stands on three legs: good security protocols, proper system configuration, and system monitoring. Auditing and reviewing audit records address this third requirement. Each component within a system has some degree of monitoring capability. Follow audit advice in this guide and regularly monitor audit records.
Oracle continually improves its software and documentation. Check this document regularly for revisions.
Oracle's Critical Patch Updates, security alerts, and bulletins are summarized at the following URL: https://www.oracle.com/security-alerts/.
This section provides an overview of the major differences in the technology stack and components between Oracle E-Business Suite Releases 11i, 12.0 or 12.1, and 12.2.
Oracle E-Business Suite Release 12 has updated the entire technology stack.
The table below summarizes the changes in Oracle E-Business Suite versions and highlights retired technology pieces.
| Component | Release 11i | Releases 12.0 and 12.1 | Release 12.2 |
|---|---|---|---|
| Database | 9iR2 (9.2.0.x) | 10g R2 (10.2.0.2.0) | 11g R2 (11.2.0.3) |
| Application Tier | IAS 1.0.2.2 + Developer 6i | Fusion Middleware | Fusion Middleware |
| | OHS 1.0.2.2 (1.3.19 fork) | OHS 10.1.3 (1.3.34 fork) | OHS 11.1.1.6 (2.2.15 fork) |
| | jserv | oc4j | WLS (10.3.6) |
| | modplsql | -eliminated- | -eliminated- |
| | Forms 6i | Forms 10.1.2.0.2 | Forms 10.1.2.3 |
| | Reports 6i | Reports 10.1.2.0.2 | Reports 10.1.2.3 |
| | Tools Oracle_home: 8.0.6 | Tools Oracle_home: 10.1.2 | Tools Oracle_home: 10.1.2 |
| | IAS Oracle_home: 8.1.7.4 | Java Oracle_home: 10.1.3 | OHS Oracle_home: 11.1.1.6 with JRockit 1.6.0-29 |
| | JDBC 9 or 10 | JDBC 10.2.0 | JDBC 11.2 |
| Desktop Tier | JRE for Forms applet: Oracle JInitiator | JRE for Forms applet: JRE 1.6x._0x | JRE for Forms applet: JRE 1.6 or 1.7 |
Note that the versions listed are those that shipped with the initial, official release. Some of these versions may have gone out of support and been replaced with later point releases from the same overall release. For example, as of May 2019, the supported version for the OHS Oracle home is 11.1.1.9.
As of Oracle E-Business Suite Release 12, the way file systems are organized changed. From a security perspective, the most interesting point is the introduction of INSTANCE_TOP, a new directory that contains instance-specific configuration files and log files. This provides a cleaner separation between code directories and directories holding instance-specific and variable data. See Oracle E-Business Suite Concepts Guide for more details.
This section describes key updates found in Oracle E-Business Suite Release 12.2.
Oracle E-Business Suite Release 12.2 introduces a dual application tier file system to support online patching. One file system is the run file system and the other one is the patch file system. This way the system can keep running from the run file system while the patch file system is being patched.
Oracle E-Business Suite Release 12.2 utilizes the Edition-Based Redefinition feature of the Oracle Database to support online patching by using the "editioning view."
Online patching removes the traditional clear separation between runtime and patchtime windows.
Another change in Oracle E-Business Suite Release 12.2 is that AutoConfig no longer manages the configuration of the Oracle Fusion Middleware components (OHS and WLS).
In Oracle E-Business Suite Release 12.2, many operations are performed using native Fusion Middleware (FMW) tools and procedures.
This means that following the initial install where configuration files are instantiated through the AutoConfig template files, subsequent modification for many files is performed interactively or scripted using FMW tools. Therefore, fixes and updates can no longer be provided as a patch to AutoConfig template files and instantiated by running AutoConfig.
In Oracle E-Business Suite Release 12.2, the various technology stack components are so new that they have their own Secure Configuration Guide documents. As part of "going native," you will have to become familiar with these product-specific security guides as well.