Oracle Application Tier Security

About Oracle Application Tier Security

This section contains security recommendations for the Oracle E-Business Suite application tier.

Hardening

Hardening Operating Environment

Follow the hardening instructions for Operating Environment Security.

Configuring Allowed Resources

As of Oracle E-Business Suite Release 12.2.6 with Patch 24737426:R12.FND.C, the feature formerly known as Allowed JSPs has been enhanced and is now called Allowed Resources. This feature is an allowlist of resources that are authorized to be called by your system. The purpose of this configuration option is to reduce the attack surface of the deployed Oracle E-Business Suite instance. When Oracle E-Business Suite is installed, it installs resources for all modules in Oracle E-Business Suite. As you probably do not run every existing Oracle E-Business Suite module, you should configure your system to only allow the resources actually used in your deployment.

For more information on this feature, see Allowed Resources. You can also find detailed instructions on how to disable and enable products at the family level in Management by Product Hierarchy.

Configuring Allowed Redirects

The Allowed Redirects security feature in Oracle E-Business Suite, introduced in Release 12.2.4, provides defense in-depth protection against phishing redirect attacks by enabling the configuration of allowed redirects to avoid unnecessary exposure.

Similar to the Allowed Resources feature, Allowed Redirects restricts redirects by using an allowlist mechanism: it defines the hosts that are allowed to be the target of a redirect and denies redirects to any host not in the allowed list.

For more information, see Allowed Redirects.

Authorization

Within Oracle Application Server, a number of web pages provide administrative and diagnostics functionality. These pages offer information about various services, the server's state, and its configuration. While useful for debugging, these pages must be restricted or disabled in a production system.

Protecting Administrative Pages

The Apache configuration file trusted.conf is used to limit access to "administrative pages."

Oracle E-Business Suite ships with a number of pages that are useful when you need them, but the general user population should not have access to them. The pages include functionality used for monitoring and diagnostics, so access should be restricted to a number of fixed IP addresses such as the application tiers themselves and the administrator's fixed IP workstation.

The trusted.conf file contains directives such as the following:

<Location "uri-to-protect">
  Order deny,allow
  Deny from all
  Allow from localhost <list of TRUSTED IPs>
</Location>

The uri-to-protect is the path to the page that will be restricted. The <list of TRUSTED IPs> will be replaced with the value of the AutoConfig variable s_admin_ui_access_nodes, which you should set to the list of host machines from which administrators connect.

To allow the administrators access to the restricted pages, enter the fixed IP address (or resolvable host name) of their workstation in the AutoConfig variable s_admin_ui_access_nodes and run AutoConfig.

Considerations for Reverse Proxies and Load Balancers

The previously described restrictions work well when OHS is your web entry point.

If you put a reverse proxy or a load balancer in front of OHS, OHS will only see the IP address of the proxy or load balancer. To access restricted pages only from trusted hosts, you have two options:

  1. Make the proxy pass the IP address of the client to OHS and make OHS read it - then trusted.conf will work as-is.

  2. Implement equivalent rules in your proxy/load balancer and then either list the load balancer's IP address as trusted in trusted.conf

For more information about using reverse proxies or load balancers with Oracle E-Business Suite, see My Oracle Support Knowledge Document 1375686.1, Using Load-Balancers with Oracle E-Business Suite Release 12.2.

Considerations for Adding Pages to trusted.conf

If you find other pages that you wish to place similar restrictions on, you can add them to a customized version of the AutoConfig template for trusted.conf or to custom.conf. The custom.conf file is for your own additions to the OHS configuration; it will never be overwritten by AutoConfig.

Note that since the rules in trusted.conf are basically a blocklist, the slash "/" characters have to be dealt with using regular expressions; i.e. "/" is written as "(/)+". This is to avoid trivial blocklist bypasses: for example, if /OA_HTML/secret2.jsp is blocked, the URL /OA_HTML//secret2.jsp would not match a literal rule, and thus would not be blocked, but would still call /OA_HTML/secret2.jsp.
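The following Python is an added example, not Oracle's code or the real AutoConfig template for trusted.conf. It renders a stanza of the form shown above from a constructed s_admin_ui_access_nodes value, turns a protected path into the "(/)+" form, and checks request paths against it, so the /OA_HTML//secret2.jsp case can be seen to be caught by the regular-expression rule but missed by a literal comparison. The LocationMatch directive, the helper names and the IP values are assumptions for illustration.

```python
import re

# Constructed placeholder for the AutoConfig variable s_admin_ui_access_nodes;
# not a value taken from any real deployment.
S_ADMIN_UI_ACCESS_NODES = "10.0.0.5 10.0.0.6"


def slash_tolerant_pattern(uri):
    """Rewrite a path such as /OA_HTML/secret2.jsp so that every '/' becomes
    '(/)+', as the text describes, and anchor the pattern at the start of the
    request path.  Path segments are escaped so '.' is matched literally."""
    parts = [re.escape(segment) for segment in uri.split("/")]
    return "^" + "(/)+".join(parts)


def render_location_match(uri, trusted_nodes):
    """Render a trusted.conf-style stanza for one protected path, with the
    <list of TRUSTED IPs> placeholder replaced by the AutoConfig value.
    LocationMatch is assumed here because the pattern is a regular expression."""
    return (
        f'<LocationMatch "{slash_tolerant_pattern(uri)}">\n'
        "  Order deny,allow\n"
        "  Deny from all\n"
        f"  Allow from localhost {trusted_nodes}\n"
        "</LocationMatch>"
    )


def is_restricted(request_path, protected_uris):
    """True if the request path matches any slash-tolerant rule."""
    return any(re.match(slash_tolerant_pattern(u), request_path)
               for u in protected_uris)


def naive_is_restricted(request_path, protected_uris):
    """The literal comparison the text warns about: a doubled slash escapes it."""
    return request_path in protected_uris


def client_allowed(client_ip, trusted_nodes):
    """Mirror the 'Allow from localhost <list>' line: the address OHS sees must be
    localhost or one of the trusted nodes.  Behind a reverse proxy, OHS sees the
    proxy's address, which is why the text discusses forwarding the client IP."""
    allowed = {"localhost", "127.0.0.1"} | set(trusted_nodes.split())
    return client_ip in allowed


if __name__ == "__main__":
    print(render_location_match("/OA_HTML/secret2.jsp", S_ADMIN_UI_ACCESS_NODES))
    for path in ("/OA_HTML/secret2.jsp", "/OA_HTML//secret2.jsp"):
        print(path, "regex rule:", is_restricted(path, ["/OA_HTML/secret2.jsp"]),
              "literal rule:", naive_is_restricted(path, ["/OA_HTML/secret2.jsp"]))
```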

For more information, refer to My Oracle Support Knowledge Document 387859.1, Using AutoConfig to Manage System Configurations with Oracle Applications Release 12.

Network

WLS Network Security

If your network topology and/or load balancer configuration allows direct access to the WebLogic Server (WLS) ports, follow these instructions to reduce the WLS attack surface: