Oracle E-Business Suite Architecture
Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (tcp port 1521, by default), it starts up a new database process and establishes a connection between the client and the database. This chapter contains security recommendations for the database TNS listener.
Follow the hardening instructions for Operating Environment Security.
Valid Node Checking allows or denies access from specified IP addresses to Oracle services. Oracle recommends using an allowlist of IP addresses that are authorized to make a TCP connection to the database listener. To enable Valid Node Checking, set the following parameters in
tcp.validnode_ checking = YES tcp.invited_nodes = ( x.x.x.x, hostname.domain, ... )
The first parameter turns on Valid Node Checking. The next parameter specify the IP addresses or host names that are permitted to make network connections to the database. Replace x.x.x.x with the application tiers' IP addresses. Application tier components include web servers, forms servers, concurrent managers, terminal servers, central administrator machines, and any remote monitoring tool that uses SQL*Net.
Note: The use of SQLNet desktop clients such as sqlplus , sqldeveloper, toad , or ADI from a windows desktop is not recommended on production databases. If implemented, the desktop cannot use DHCP (unless the DHCP server is configured with address reservation). Oracle recommends that only trusted servers be allowed to make direct database connections.
Additional Information: See also My Oracle Support Knowledge Document 2277369.1, Oracle E-Business Suite Support Implications for Discoverer 11gR1.
AutoConfig supports automated configuration of this setting. If the profile option "SQLNet Access" (FND_SQLNET_ACCESS) is set to "ALLOW_RESTRICTED" at the site level when AutoConfig is run on the database server, AutoConfig will add IP restrictions to
sqlnet.ora. The list of host will be all those from the FND_NODES table that are registered as an Oracle E-Business Suite node.
For more information, refer to the "Technical Configuration" chapter of the Oracle E-Business Suite Setup Guide, Release 12.2.
The easiest way to verify this is to implement a manual check from a node not in the allowlist. You should not be able to connect (by using Telnet, for example) to the database listener port. When connecting through an untrusted node, it should look like this:
bash$ telnet ebs.example.com 1521 Trying 115.X.X.X... Connected to ebs.example.com Escape character is '^]` Connection closed by foreign host.
$TNS_ADMIN/listener.ora , set the following parameter:
CONNECT_TIMEOUT_$ORACLE_SID = 10
CONNECT_TIMEOUT_PRD12 = 10
Where PRD12 is the value of the ORACLE_SID in this example.
Use the parameter CONNECT_TIMEOUT to specify the amounts of time, in seconds, for the Oracle listener to wait for the connection from a client to complete.
In 2012, Oracle issued a security alert to have customers configure the Dynamic Registration feature in the listener securely. Dynamic Registration is a feature that allows the database process PMON to register itself with a running database TNS listener. The Oracle E-Business Suite default installation uses static registration, meaning the databases for a listener are defined in
There is no "software fix" to be applied to resolve this issue. Customers are advised to use the "Class of Secure Transport" (COST) parameters to set up their listeners securely. The alert points to the following My Oracle Support Knowledge Documents:
1340831.1, Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC
1453883.1, Using Class of Secure Transport (COST) to Restrict Instance Registration
The overall conclusion is that for single node databases forcing the secure registration to the IPC or TCP protocol will work whereas for multinode databases TCPS must be used. The TPCS configuration specifies SSL with use of server and client certificates.
Ensure that the TNS network traffic (SQL*Net traffic) in your Oracle E-Business Suite environment is not sent "in-the-clear" by enabling encryption of the TNS (aka SQL*Net) traffic.
Network encryption was formerly an optional database feature available at extra cost as part of the Advanced Security Option. It is now part of the Oracle Database Enterprise Edition and no additional license is required for Oracle E-Business Suite customers. As of Oracle E-Business Suite Release 12, the encryption functionality is also available in the client code. You can configure the database server to require encryption by performing the following steps:
Add the following lines to the
$TNS_ADMIN/sqlnet_ifile.ora in your database Oracle home:
SQLNET.ENCRYPTION_TYPES_SERVER=(AES256,AES192,AES128) SQLNET.CRYPTO_SEED=<SEED> SQLNET.ENCRYPTION_SERVER=REQUIRED SQLNET.CRYPTO_CHECKSUM_SERVER=REQUIRED SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER=(SHA1)
The value for
SQLNET.CRYPTO_SEED for your deployment should be a random string up to 70 characters.
Restart the database listener.
For terminal releases of the 9i database series, setting a password for the listener was one of the most important hardening procedures. Setting a password prevented remote administration (shutdown) of the listener.
However starting with Oracle Database Release 10g, the listener password is no longer required as the listener implements OS-Authentication. This means that the OS user that owns the software installation can start and stop the listener without requiring an additional, listener-specific password. For these database releases, you should only set a password if remote admin access to the listener configuration is required.
If you decide to set a password for the listener, follow the instructions below or set the AutoConfig variable
s_enable_listener_password to ON and run AutoConfig on the database server.
These instructions assume that the listener name is VIS12. The default listener name for oracle databases in general is "LISTENER" while for Oracle E-Business Suite databases it is set to the SID of the database.
Start the listener control program:
Set the current listener, then change the password.
LSNRCTL> set current_listener VIS12 Current Listener is VIS12 LSNRCTL> change_password Old password: -- just hit return New password: -- new, secure password Reenter new password: -- new, secure password Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbs01)(PORT=1541))) Password changed for VIS12 The command completed successfully LSNRCTL> set password Password: The command completed successfully LSNRCTL> save_config Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=dbs01)(PORT=1541))) Saved DBLSNR configuration parameters. Listener Parameter File /x/db/tech_st/10.2.0/network/admin/VIS12_dbs01/listener.ora The command completed successfully
This added the following lines to listener.ora:
#----ADDED BY TNSLSNR 13-JAN-2007 11:47:56--- PASSWORDS_VIS12 = D911537D50B15546 #--------------------------------------------
To undo these steps:
tnslsnr process (using
lsnrctl or use
ps to find the pid and
kill to kill it).
listener.ora and remove the
Restart the listener (using
Note, password protecting the TNS listener has the following effects:
The listener process requires a password to list
This may "break" some monitoring and remote administration tools, if they do not expect to provide a password.
You should configure the database listener with ADMIN_RESTRICTIONS set to ON. When ADMIN_RESTRICTIONS is ON, all the set commands in
lsnrctl are disabled and the only way to change the configuration is to edit the
$TNS_ADMIN/listener.ora, set the following parameter:
VIS12 is the name of the listener (equal to
ORACLE_SID in Oracle E-Business Suite)
AutoConfig can set this if you set the AutoConfig variable s_admin_restrictions to ON and run AutoConfig on the database server.
To enable logging, in
$TNS_ADMIN/listener.ora set the following parameters:
LOG_STATUS = ON
LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
LOG_FILE_$ORACLE_SID = $ORACLE_SID
LOG_STATUS = ON
LOG_DIRECTORY_VIS12 = /u/db/tech_st/10.2.0/network/admin/VIS12_dbs01
LOG_FILE_VIS12 = VIS12
VIS21 is the
This is done by default in Release 12.
Notice that newer database versions use the richer ADR log settings, this silently overrides/ignores the older LOG settings. See Oracle Database documentation for more details.