Note that depending on the version you are running and how you arrived at that version, some of these settings may have been set by default. All you have to do in that case is verify that the settings are as described here. This chapter contains security recommendations for the database.
Follow the hardening instructions for Operating Environment Security.
To support XDB, the TNS listener process listens on two additional TCP ports: 2100 for FTP access and 8080 for http access. Oracle E-Business Suite does not require these services; they should be disabled.
To disable XDB, remove or comment out the line in init.ora that reads:
*.dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
Review database links in both production and development environments and drop those that are not required in your environment.
Security policy must balance risk of attack, cost of defense and value of data protected. This section contains recommendations that improve security, but may not be appropriate for every deployment.
Transparent data encryption (TDE) protects the data at rest by encrypting the data stored in the database data files. Oracle E-Business Suite Release 12.2 is certified with Column Encryption and Tablespace Encryption. See the following My Oracle Support knowledge documents for details:
Document 1585296.1 - Using TDE Tablespace Encryption with Oracle E-Business Suite Release 12.2
Document 1585696.1 - Using TDE Column Encryption with Oracle E-Business Suite Release 12.2
Column level TDE has a number of restrictions related to data types and indexed columns. Tablespace TDE does not have these restrictions and does not increase the storage requirement.
Applications found on the application tier log on to the database through application schemas rather than end-user accounts. Some individuals (IT Administrators) may require direct access to the application database using their own schema.
This setting prevents the database from using an insecure logon protocol. Make sure init.ora contains:
REMOTE_OS_AUTHENT=FALSE
Following an installation, the application database instance contains default, open schemas with default passwords. These accounts and corresponding passwords are well-known, and they should be changed, especially for a database to be used in a production environment. Default schemas come from different sources:
Default database administration schemas
Schemas belonging to optional database features neither used nor patched by Oracle E-Business Suite
Schemas belonging to optional database features used but not patched by Oracle E-Business Suite
Schemas belonging to optional database features used and patched by Oracle E-Business Suite
Schemas common to all Oracle E-Business Suite products
Schemas associated with specific Oracle E-Business Suite products
Note: Starting in Oracle E-Business Suite Release 12.1.2, a new command-line utility named AFPASSWD is available to replace FNDCPASS. The new utility does not require passwords on the command line. Just like FNDCPASS, AFPASSWD is installed on the application tier and requires the libraries from the Tools Oracle home.
For the schemas in categories 1, 2, and 3, use standard database commands to change a password:
SQL> alter user <SCHEMA> identified by <NEW_PASSWORD>;
For the schemas in categories 4, 5, and 6 where Oracle E-Business Suite is "managing" the passwords, use the application password change tool AFPASSWD (or FNDCPASS):
$ AFPASSWD -c apps -o <SCHEMA>
You will be prompted for the APPS password and the new password (twice).
To save time, category six (6) schema passwords may be changed en masse using AFPASSWD. This is really handy as there are more than 200 schema passwords. AFPASSWD takes the -a option which will change all category 6 passwords to the new password (this works the same as the ALLORACLE mode in FNDCPASS).
$ AFPASSWD -c apps -a
You will be prompted for the APPS password and the new password (twice).
To determine which schemas are managed by Oracle E-Business Suite (categories 4, 5, and 6), run the AD adutconf.sql script.
Appendix B: Database Schemas Found in Oracle E-Business Suite contains a list of the schemas by category, instructions, and notes for managing schema passwords.
AFPASSWD only prompts for the passwords required for the current operation, allowing separation of duties between application administrators and database administrators. This also improves interoperability with Oracle Database Vault.
AFPASSWD is documented in the Oracle E-Business Suite Maintenance Guide.
The database provides parameters to enforce password management policies. However, some of the database password policy parameters could lock out the Oracle E-Business Suite. Because of this, we make specific recommendations for or against using certain management features depending upon schema type.
Database "profiles" contain limits on database resources and password policies. Create two database profiles: one for application schemas on the application tier ("managed schemas") and one for human beings. Assign application schemas on the application tier to the first profile and all accounts used by individual database administrators to the second profile.
| Password Parameters | Application Profile | Administrator Profile |
|---|---|---|
FAILED_LOGIN_ATTEMPTS |
UNLIMITED |
5 |
PASSWORD_LIFE_TIME |
UNLIMITED |
90 |
PASSWORD_REUSE_TIME |
180 | 180 |
PASSWORD_REUSE_MAX |
UNLIMITED |
UNLIMITED |
PASSWORD_LOCK_TIME |
UNLIMITED |
7 |
PASSWORD_GRACE_TIME |
UNLIMITED |
14 |
PASSWORD_VERIFY_FUNCTION |
Recommended | Recommended |
For more information on profiles, see CREATE PROFILE in the Oracle SQL reference documentation.
See Appendix B: Database Schemas Found in Oracle E-Business Suite for a list of all default database users and whether it is a managed schema.
The init.ora parameter _TRACE_FILES_PUBLIC grants file system read access to anyone who has activated SQL tracing. Set this to its default value of False.
_TRACE_FILES_PUBLIC=FALSE
Set the init.ora parameter REMOTE_OS_ROLES to False to prevent insecure remote roles.
REMOTE_OS_ROLES=FALSE
The parameter UTL_FILE_DIR limits file system access for all database accounts using the PL/SQL API UTL_FILE. Oracle E-Business Suite requires the UTL_FILE_DIR database initialization parameter to be set when you are using Oracle Database 11g Release 2 or Oracle Database 12c Release 1. See My Oracle Support Knowledge Document 2525754.1, Using UTL_FILE_DIR or Database Directories for PL/SQL File I/O in Oracle E-Business Suite Releases 12.1 and 12.2.
UTL_FILE_DIR=<dir1>,<dir2>,<dir3>...
Avoid:
UTL_FILE_DIR=*
Set O7_DICTIONARY_ACCESSIBILITY to False to prevent users with the 'Select ANY' privilege from reading data dictionary tables. False is the default for the 10g database.
O7_DICTIONARY_ACCESSIBILITY = FALSE
The following table lists the privileges that should be granted to the APPLSYSPUB schema. These can be set by <FND_TOP>/patch/115/sql/afpub.sql or fixed by <FND_TOP>/patch/115/sql/afpubfix.sql.
| Privileges to be Granted to the APPLSYSPUB Schema |
|---|
| EXECUTE ON FND_DISCONNECTED |
| EXECUTE ON FND_MESSAGE |
| EXECUTE ON FND_PUB_MESSAGE |
| EXECUTE ON FND_SECURITY_PKG |
| EXECUTE ON FND_WEBFILEPUB |
| INSERT ON FND_SESSIONS |
| INSERT ON FND_UNSUCCESSFUL_LOGINS |
| SELECT ON FND_APPLICATION |
| SELECT ON FND_APPLICATION_TL |
| SELECT ON FND_APPLICATION_VL |
| SELECT ON FND_LANGUAGES_TL |
| SELECT ON FND_LANGUAGES_VL |
| SELECT ON FND_LOOKUPS |
| SELECT ON FND_PRODUCT_GROUPS |
| SELECT ON FND_PRODUCT_INSTALLATIONS |
| SELECT ON FND_NEW_MESSAGES |
The following table lists privileges required for online patching in Oracle E-Business Suite Release 12.2:
| Privileges Required for Oracle E-Business Suite Release 12.2 Online Patching |
|---|
| INSERT ON FND_SESSIONS# |
| INSERT ON FND_UNSUCCESSFUL_LOGINS# |
| SELECT ON FND_APPLICATION# |
| SELECT ON FND_APPLICATION_TL# |
| SELECT ON FND_LANGUAGES_TL# |
| SELECT ON FND_PRODUCT_GROUPS# |
| SELECT ON FND_PRODUCT_INSTALLATIONS# |
| SELECT ON FND_NEW_MESSAGES# |
To check permissions, log in as APPS and issue the following query:
SELECT * FROM dba_tab_privs WHERE grantee ='APPLSYSPUB';