Oracle Application Tier Security

About Oracle Application Tier Security

Oracle E-Business Suite Architecture

the picture is described in the document text

This section contains security recommendations for the Oracle E-Business Suite application tier.

Hardening

Hardening Operating Environment

Follow the hardening instructions for Operating Environment Security.

Hardening Apache Configuration

In past releases, advice on hardening the Apache configuration included steps such as:

In Oracle E-Business Suite Release 12, these steps have already been performed in the AutoConfig configuration templates.

Configuring Allowed Resources

As of Oracle E-Business Suite Release 12.2.6 with Patch 24737426:R12.FND.C, the Allowed JSPs feature has been enhanced and is now called Allowed Resources. This feature is an allowlist of resources that are authorized to be called by your system. The purpose of this configuration option is to reduce the attack surface of the deployed Oracle E-Business Suite instance. When Oracle E-Business Suite is installed, it installs resources for all modules in Oracle E-Business Suite. As you probably do not run every existing Oracle E-Business Suite module, you should configure your system to only allow the resources actually used in your deployment.

For more information, see Allowed Resources.

Configuring Allowed Redirects

The Allowed Redirects security feature in Oracle E-Business Suite, introduced in Release 12.2.4, provides defense in-depth protection against phishing redirect attacks by enabling the configuration of allowed redirects to avoid unnecessary exposure.

Similar to the Allowed Resources feature, Allowed Redirects restrict redirects by utilizing an allowlist mechanism, defining hosts with allowed access to a resource and denying access to those that are not in the allowed listing.

For more information, see Allowed Redirects.

Authorization

Within Oracle Application Server, a number of web pages provide administrative and diagnostics functionality. These pages offer information about various services, the server's state, and its configuration. While useful for debugging, these pages must be restricted or disabled in a production system.

Protecting Administrative Pages

The Apache configuration file trusted.conf is used to limit access to "administrative pages."

Oracle E-Business Suite ships with a number of pages that are useful when you need them, but the general user population should not have access to them. The pages include functionality used for monitoring and diagnostics, so access should be restricted to a number of fixed IP addresses such as the application tiers themselves and the administrator's fixed IP workstation.

The trusted.conf file contains directives such as the following:

<Location of "uri-to-protect">
  Order deny, allow
  Deny from all
  Allow from localhost <list of TRUSTED IPs>
</Location>

The uri-to-protect is the path to the page that will be restricted. The <list of TRUSTED IPs> will be replaced with the value of the AutoConfig variable s_admin_ui_access_nodes which you should set to the list of host machines from which administrators connect.

To allow the administrators access to the restricted pages, enter the fixed IP address (or resolvable host name) of their workstation in the AutoConfig variable s_admin_ui_access_nodes and run AutoConfig.

Considerations for Reverse Proxies and Load Balancers

The previously described restrictions work well when OHS is your web entry point.

If you put a reverse proxy or a load balancer in front of OHS, OHS will only see the IP address of the proxy or load balancer. To access restricted pages only from trusted hosts, you have two options:

  1. Make the proxy pass the IP address of the client to OHS and make OHS read it - then trusted.conf will work as-is.

  2. Implement equivalent rules in your proxy/load balancer and then either list the load balancer's IP address as trusted in trusted.conf

For more information about using reverse proxies or load balancers with Oracle E-Business Suite, see My Oracle Support Knowledge Document 1375686.1, Using Load-Balancers with Oracle E-Business Suite Release 12.2.

Considerations for Adding Pages to trusted.conf

If you find other pages that you wish to place similar restrictions on, you can add them to a customized version of the AutoConfig template for trusted.conf or to custom.conf. The custom.conf file is for your own additions to the OHS configuration; it will never be overwritten by AutoConfig.

Note that since the rules in trusted.conf is basically a blocklist, the slash "/" characters will have to dealt with using regular expressions; i.e. "/" is written as "(/)+". This is to avoid trivial blocklist bypasses, for example if /OA_HTML/secret2.jsp is blocked, a URL /OA_HTML//secret2.jspwould not match, and thus would not be blocked, but would still call /OA_HTML/secret2.jsp.

For more information, refer to My Oracle Support Knowledge Document 387859.1, Using AutoConfig to Manage System Configurations with Oracle Applications Release 12.

Network

WLS Network Security

If your network topology and/or load balancer configuration allows direct access to the WebLogic Server (WLS) ports, follow these instructions to reduce the WLS attack surface: