Oracle Database Security

About Oracle Database Security

This chapter contains security recommendations for the database. Depending on the version you are running and how you arrived at that version, some of these settings may already be set by default. In that case, you only need to verify that the settings are as described here.

Hardening

Hardening Operating Environment

Follow the hardening instructions for Operating Environment Security.

Disabling XDB

To support XDB, the TNS listener process listens on two additional TCP ports: 2100 for FTP access and 8080 for HTTP access. Oracle E-Business Suite does not require these services; they should be disabled.

To disable XDB, remove or comment out the line in init.ora that reads:

*.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'

Review Database Links

Review database links in both production and development environments and drop those that are not required in your environment.

Transparent Data Encryption (TDE)

Transparent data encryption (TDE) protects the data at rest by encrypting the data stored in the database data files. Although TDE is an optional database feature, it is highly recommended. See the following My Oracle Support articles for details:

Column level TDE has a number of restrictions related to data types and indexed columns. Tablespace TDE is the certified method for encryption for Oracle E-Business Suite Release 12.2 with Oracle Database 19c and later.

Network

Network Access Control Lists (ACLs)

Network Access Control Lists (ACLs) are used to configure network access from the database to services (hosts and ports) external to the database.

See the following My Oracle Support articles for more details:

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Network Access List (ACL) is Configured". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Authentication

Oracle E-Business Suite application services on the application tier log on to the database through application schemas rather than end-user accounts. Administrators and super users may require direct access to the application database using their own schema.

Removing Operating System Trusted Remote Logon

This setting prevents the database from using an insecure logon protocol. Make sure init.ora contains:

REMOTE_OS_AUTHENT=FALSE

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Initialization Parameters Have Been Set to Recommended Values". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Changing Default Installation Passwords

Following an installation, the application database instance contains default, open schemas with default passwords. These accounts and corresponding passwords are well-known, and they should be changed, especially for a database to be used in a production environment. Default schemas come from different sources:

  1. Default database administration schemas

  2. Schemas belonging to optional database features neither used nor patched by Oracle E-Business Suite

  3. Schemas belonging to optional database features used but not patched by Oracle E-Business Suite

  4. Schemas belonging to optional database features used and patched by Oracle E-Business Suite

  5. Schemas common to all Oracle E-Business Suite products

  6. Schemas associated with specific Oracle E-Business Suite products

Note: Starting in Oracle E-Business Suite Release 12.1.2, a new command-line utility named AFPASSWD is available to replace FNDCPASS. The new utility does not require passwords on the command line. Just like FNDCPASS, AFPASSWD is installed on the application tier and requires the libraries from the Tools Oracle home.

For the schemas in categories 1, 2, and 3, use standard database commands to change a password:

SQL> alter user <SCHEMA> identified by <NEW_PASSWORD>;

For the schemas in categories 4, 5, and 6 where Oracle E-Business Suite is "managing" the passwords, use the application password change tool AFPASSWD (or FNDCPASS):

$ AFPASSWD -c apps -o <SCHEMA>

You will be prompted for the APPS password and the new password (twice).

To save time, category 6 schema passwords may be changed en masse using AFPASSWD, which is useful because there are more than 200 schema passwords. The -a option changes all category 6 passwords to the new password (this works the same as the ALLORACLE mode in FNDCPASS).

$ AFPASSWD -c apps -a

You will be prompted for the APPS password and the new password (twice).

To determine which schemas are managed by Oracle E-Business Suite (categories 4, 5, and 6), run the AD adutconf.sql script.

Appendix B: Database Schemas Found in Oracle E-Business Suite contains a list of the schemas by category, instructions, and notes for managing schema passwords.

AFPASSWD only prompts for the passwords required for the current operation, allowing separation of duties between application administrators and database administrators. This also improves interoperability with Oracle Database Vault.

AFPASSWD is documented in the Oracle E-Business Suite Maintenance Guide.

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines.

For more information, see the details for the following security guidelines:

For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Implementing Two Profiles for Password Management

Database profiles provide the ability to limit database resources and define password policies. Oracle E-Business Suite provides the EBS_APPS database profile with the recommended password policies for application schemas such as APPS. In addition to the application profile, you should create an administrator profile for the named user database accounts of your corporate database administrators and super users, as well as any additional users that may have been granted access to the database.

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Profiles Have Been Created in the EBS Database for Database User Password Management". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Use the following table to assign the recommended parameter value for each type of profile.

Recommended Application and Administrator Profile Password Parameter Values

Password Parameter          Application Profiles         Administrator Profiles
                            (EBS Application Schemas)    (Named Users)
FAILED_LOGIN_ATTEMPTS       UNLIMITED                    5
PASSWORD_LIFE_TIME          UNLIMITED                    90
PASSWORD_REUSE_TIME         UNLIMITED                    180
PASSWORD_REUSE_MAX          UNLIMITED                    UNLIMITED
PASSWORD_LOCK_TIME          UNLIMITED                    7
PASSWORD_GRACE_TIME         UNLIMITED                    14
PASSWORD_VERIFY_FUNCTION    NULL                         Recommended

For more information on profiles, see CREATE PROFILE in the Oracle SQL reference documentation.

See Appendix B: Database Schemas Found in Oracle E-Business Suite for a list of all default database users and whether each is a managed schema.

Authorization

Restricting Access to SQL Trace Files

The init.ora parameter _TRACE_FILES_PUBLIC grants file system read access to anyone who has activated SQL tracing. Set this to its default value of False.

_TRACE_FILES_PUBLIC=FALSE

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Initialization Parameters Have Been Set to Recommended Values". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Removing Operating System Trusted Remote Roles

Set the init.ora parameter REMOTE_OS_ROLES to False to prevent insecure remote roles.

REMOTE_OS_ROLES=FALSE

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Initialization Parameters Have Been Set to Recommended Values". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Limiting File System Access Within PL/SQL

The parameter UTL_FILE_DIR limits file system access for all database accounts using the PL/SQL API UTL_FILE.

See My Oracle Support article KA987, Using UTL_FILE_DIR or Database Directories for PL/SQL File I/O in Oracle E-Business Suite Releases 12.1 and 12.2.

UTL_FILE_DIR=<dir1>,<dir2>,<dir3>...

Avoid:

UTL_FILE_DIR=*

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Initialization Parameters Have Been Set to Recommended Values". For an overview of all security features that are checked by the console, see Checked Security Guidelines.

Limiting Dictionary Access

Set O7_DICTIONARY_ACCESSIBILITY to False to prevent users with the 'Select ANY' privilege from reading data dictionary tables. False is the default for the 10g database.

O7_DICTIONARY_ACCESSIBILITY = FALSE

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "Database Initialization Parameters Have Been Set to Recommended Values". For an overview of all security features that are checked by the console, see Checked Security Guidelines.
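The init.ora settings covered so far in this chapter (the XDB dispatcher, REMOTE_OS_AUTHENT, _TRACE_FILES_PUBLIC, REMOTE_OS_ROLES, UTL_FILE_DIR and O7_DICTIONARY_ACCESSIBILITY) can be verified in one pass over the parameter file. The following is an added example, not part of the original guide or of any Oracle tool; the function names and the sample file are constructed for illustration, and it assumes that '#' starts a comment and that a parameter absent from the file is left at the database default.

```python
import re

# Parameters this chapter says to set to FALSE in init.ora.
REQUIRED_FALSE = ("remote_os_authent", "_trace_files_public",
                  "remote_os_roles", "o7_dictionary_accessibility")

# Constructed sample file, not taken from a real system.
SAMPLE = """\
*.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
#*.remote_os_roles=TRUE
REMOTE_OS_AUTHENT=FALSE
_trace_files_public = true
utl_file_dir=/usr/tmp, *
O7_DICTIONARY_ACCESSIBILITY = FALSE
"""

def parse_init_ora(text):
    """Return {parameter: [values]}; names lower-cased, '*.'/'<sid>.' prefix removed."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = name.strip().lower().split(".", 1)[-1]
        params.setdefault(name, []).append(value.strip().strip("'\""))
    return params

def audit(text):
    """Return sorted findings; an empty list means no deviation was found."""
    params = parse_init_ora(text)
    findings = []
    for name in REQUIRED_FALSE:
        # Assumption of this example: a parameter absent from the file is
        # left at the database default and is not reported.
        for value in params.get(name, []):
            if value.upper() != "FALSE":
                findings.append(f"{name}={value}: set to FALSE")
    for value in params.get("utl_file_dir", []):
        dirs = [d.strip().strip("'\"") for d in value.split(",")]
        if "*" in dirs:
            findings.append("utl_file_dir=*: list explicit directories")
    for value in params.get("dispatchers", []):
        if re.search(r"SERVICE\s*=\s*\w*XDB", value, re.I):
            findings.append("dispatchers: XDB service is enabled")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```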

Revoking Unnecessary Grants Given to APPLSYSPUB

The following table lists the privileges that should be granted to the APPLSYSPUB schema. These can be set by <FND_TOP>/patch/115/sql/afpub.sql or fixed by <FND_TOP>/patch/115/sql/afpubfix.sql.

Privileges to be Granted to the APPLSYSPUB Schema
EXECUTE ON FND_DISCONNECTED
EXECUTE ON FND_MESSAGE
EXECUTE ON FND_PUB_MESSAGE
EXECUTE ON FND_SECURITY_PKG
EXECUTE ON FND_WEBFILEPUB
INSERT ON FND_SESSIONS
INSERT ON FND_UNSUCCESSFUL_LOGINS
SELECT ON FND_APPLICATION
SELECT ON FND_APPLICATION_TL
SELECT ON FND_APPLICATION_VL
SELECT ON FND_LANGUAGES_TL
SELECT ON FND_LANGUAGES_VL
SELECT ON FND_LOOKUPS
SELECT ON FND_PRODUCT_GROUPS
SELECT ON FND_PRODUCT_INSTALLATIONS
SELECT ON FND_NEW_MESSAGES

The following table lists privileges required for online patching in Oracle E-Business Suite Release 12.2:

Privileges Required for Oracle E-Business Suite Release 12.2 Online Patching
INSERT ON FND_SESSIONS#
INSERT ON FND_UNSUCCESSFUL_LOGINS#
SELECT ON FND_APPLICATION#
SELECT ON FND_APPLICATION_TL#
SELECT ON FND_LANGUAGES_TL#
SELECT ON FND_PRODUCT_GROUPS#
SELECT ON FND_PRODUCT_INSTALLATIONS#
SELECT ON FND_NEW_MESSAGES#

To check permissions, log in as APPS and issue the following query:

SELECT * FROM dba_tab_privs WHERE grantee = 'APPLSYSPUB';

Note: This configuration is checked by the Secure Configuration Console based upon recommended security guidelines. For more information, see the details for the check "APPLSYSPUB Privileges are Properly Restricted". For an overview of all security features that are checked by the console, see Checked Security Guidelines.
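The query above returns every grant held by APPLSYSPUB; what needs review is the difference from the two tables in this section. The following is an added example, not part of the original guide or of afpub.sql/afpubfix.sql; it compares (PRIVILEGE, TABLE_NAME) pairs taken from the query result against those tables, and the function name, the release_122 flag and the sample rows are constructed for illustration.

```python
# Grants this section lists for APPLSYSPUB, as (privilege, object) pairs.
BASE = {("EXECUTE", o) for o in (
    "FND_DISCONNECTED", "FND_MESSAGE", "FND_PUB_MESSAGE",
    "FND_SECURITY_PKG", "FND_WEBFILEPUB")}
BASE |= {("INSERT", o) for o in ("FND_SESSIONS", "FND_UNSUCCESSFUL_LOGINS")}
BASE |= {("SELECT", o) for o in (
    "FND_APPLICATION", "FND_APPLICATION_TL", "FND_APPLICATION_VL",
    "FND_LANGUAGES_TL", "FND_LANGUAGES_VL", "FND_LOOKUPS",
    "FND_PRODUCT_GROUPS", "FND_PRODUCT_INSTALLATIONS", "FND_NEW_MESSAGES")}

# Additional grants listed for Release 12.2 online patching.
ONLINE_PATCHING = {("INSERT", o) for o in (
    "FND_SESSIONS#", "FND_UNSUCCESSFUL_LOGINS#")}
ONLINE_PATCHING |= {("SELECT", o) for o in (
    "FND_APPLICATION#", "FND_APPLICATION_TL#", "FND_LANGUAGES_TL#",
    "FND_PRODUCT_GROUPS#", "FND_PRODUCT_INSTALLATIONS#", "FND_NEW_MESSAGES#")}

def review_grants(rows, release_122=True):
    """Compare (PRIVILEGE, TABLE_NAME) rows from dba_tab_privs with the lists.

    Returns (excess, missing): grants held but not listed, and grants
    listed but not held, each as a sorted list of pairs.
    """
    expected = BASE | (ONLINE_PATCHING if release_122 else set())
    actual = {(p.strip().upper(), t.strip().upper()) for p, t in rows}
    return sorted(actual - expected), sorted(expected - actual)

# Constructed sample rows: one listed grant is absent and one unlisted
# grant (on FND_USER) is present.
SAMPLE_ROWS = sorted((BASE | ONLINE_PATCHING) - {("SELECT", "FND_LOOKUPS")})
SAMPLE_ROWS.append(("select", "fnd_user"))

if __name__ == "__main__":
    excess, missing = review_grants(SAMPLE_ROWS)
    for priv, obj in excess:
        print(f"review or revoke: {priv} ON {obj}")
    for priv, obj in missing:
        print(f"listed but not granted: {priv} ON {obj}")
```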