Oracle E-Business Suite Architecture
This section contains security recommendations for the Oracle E-Business Suite application tier.
Follow the hardening instructions for Operating Environment Security.
In past releases, advice on hardening the Apache configuration included steps such as:
Remove Application Server Banner
Remove Unnecessary Directives
Remove Unnecessary Modules
Prevent Search Engine Indexing
In Oracle E-Business Suite Release 12, these steps have already been performed in the AutoConfig configuration templates.
As of Oracle E-Business Suite Release 12.2.6 with Patch 24737426:R12.FND.C, the Allowed JSPs feature has been enhanced and is now called Allowed Resources. This feature is an allowlist of the resources that are authorized to be invoked on your system; anything not on the list is refused. The purpose of this configuration option is to reduce the attack surface of the deployed Oracle E-Business Suite instance. When Oracle E-Business Suite is installed, it installs resources for all modules in Oracle E-Business Suite. As you probably do not run every existing Oracle E-Business Suite module, you should configure your system to allow only the resources actually used in your deployment.
For more information, see Allowed Resources.
The Allowed Redirects security feature in Oracle E-Business Suite, introduced in Release 12.2.4, provides defense-in-depth protection against phishing attacks that abuse open redirects, by letting you configure which redirect targets are permitted and so avoid unnecessary exposure.
Similar to the Allowed Resources feature, Allowed Redirects restricts redirects by using an allowlist mechanism: it defines the hosts to which a redirect may be issued and denies redirects to any host that is not in the allowed listing.
For more information, see Allowed Redirects.
Within Oracle Application Server, a number of web pages provide administrative and diagnostics functionality. These pages offer information about various services, the server's state, and its configuration. While useful for debugging, these pages must be restricted or disabled in a production system.
The Apache configuration file trusted.conf is used to limit access to "administrative pages."
Oracle E-Business Suite ships with a number of pages that are useful when you need them, but the general user population should not have access to them. The pages include functionality used for monitoring and diagnostics, so access should be restricted to a number of fixed IP addresses such as the application tiers themselves and the administrator's fixed IP workstation.
The trusted.conf file contains directives such as the following:
    <Location "uri-to-protect">
        Order deny,allow
        Deny from all
        Allow from localhost <list of TRUSTED IPs>
    </Location>
Here uri-to-protect is the path to the page that will be restricted. The <list of TRUSTED IPs> placeholder is replaced with the value of the AutoConfig variable s_admin_ui_access_nodes, which you should set to the list of host machines from which administrators connect. Because the rule denies everyone and then allows only the listed hosts, a host that is missing from the list is refused even if it is an application tier node.
To allow administrators access to the restricted pages, enter the fixed IP address (or resolvable host name) of their workstation in the AutoConfig variable s_admin_ui_access_nodes and run AutoConfig.
The previously described restrictions work well when OHS is your web entry point.
If you put a reverse proxy or a load balancer in front of OHS, OHS will only see the IP address of the proxy or load balancer, so every request, trusted or not, appears to come from the same host. To allow access to the restricted pages only from trusted hosts, you have two options:
Make the proxy pass the IP address of the client to OHS (for example in a forwarded-for header) and make OHS read it, taking care that the forwarded address is honoured only on connections that actually arrive from the proxy, since any client can otherwise send the header itself; then trusted.conf will work as-is.
Implement equivalent rules in your proxy/load balancer and then either list the load balancer's IP address as trusted in
For more information about using reverse proxies or load balancers with Oracle E-Business Suite, see My Oracle Support Knowledge Document 1375686.1, Using Load-Balancers with Oracle E-Business Suite Release 12.2.
If you find other pages that you wish to place similar restrictions on, you can add them to a customized version of the AutoConfig template for trusted.conf or to custom.conf. The custom.conf file is for your own additions to the OHS configuration; it will never be overwritten by AutoConfig.
Note that since the rules in trusted.conf are effectively a blocklist of paths, the slash "/" characters have to be dealt with using regular expressions; i.e. "/" is written as "(/)+", which matches one or more consecutive slashes. A regular expression is only interpreted inside a <LocationMatch> block (or <Location ~ ...>), not inside a plain <Location>, so rules written this way must use that form. This is to avoid trivial blocklist bypasses: for example, if /OA_HTML/secret2.jsp is blocked, the URL /OA_HTML//secret2.jsp would not match, and thus would not be blocked, but would still call
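To make the decision described above concrete, here is a small Python emulation of a trusted.conf rule. It is an added example written for this page, not Oracle's code and not a parser of real OHS configuration. It covers the Order/Deny/Allow rule with the s_admin_ui_access_nodes list, the load-balancer case in which the client address must be taken from a forwarded-for header only when the connection comes from the proxy, and the double-slash bypass that the "(/)+" regular expression closes. The trusted addresses, the proxy address, the secret2.jsp rule and the probe URLs are all assumed for illustration.

```python
import ipaddress
import re

# Constructed example: a minimal emulation of the access decision a
# trusted.conf rule makes. It is NOT Oracle's code and does not parse a real
# httpd configuration; it reproduces the matching behaviour the text describes
# so the double-slash bypass and the proxy case can be checked offline.

# Assumed value of s_admin_ui_access_nodes (hypothetical administrator hosts).
TRUSTED_NODES = ["10.0.1.10", "10.0.1.11"]
# Assumed address of a load balancer placed in front of OHS.
PROXY_NODES = ["10.0.0.5"]

# The same restricted page expressed in the two styles discussed in the text:
#   "literal": <Location "/OA_HTML/secret2.jsp">, a plain path-prefix match
#   "regex":   <LocationMatch "(/)+OA_HTML(/)+secret2\.jsp">, "/" written as "(/)+"
RULES = {
    "literal": "/OA_HTML/secret2.jsp",
    "regex": r"(/)+OA_HTML(/)+secret2\.jsp",
}

# Constructed probe paths; each one reaches the same JSP once the servlet
# container collapses the repeated slashes.
PROBE_PATHS = [
    "/OA_HTML/secret2.jsp",
    "/OA_HTML//secret2.jsp",
    "//OA_HTML/secret2.jsp",
    "/OA_HTML///secret2.jsp",
]


def served_resource(path):
    """What the application tier actually executes: repeated slashes collapse
    to one (assumed container behaviour, which is what makes the bypass work)."""
    return re.sub(r"/+", "/", path)


def path_is_restricted(path, style, rules=RULES):
    """Does the trusted.conf rule fire for this raw URL path?"""
    rule = rules[style]
    if style == "literal":
        # <Location> compares the raw path as a prefix and does not normalise
        # slashes (the behaviour of the older Apache builds the text describes).
        return path == rule or path.startswith(rule + "/")
    # <LocationMatch> applies the regular expression to the raw path.
    return re.search(rule, path) is not None


def effective_client_ip(remote_addr, x_forwarded_for=None, proxies=PROXY_NODES):
    """Option 1 from the text: the proxy forwards the client address and OHS reads it.
    Honour the header only when the TCP peer is the proxy itself; otherwise any
    client could send a forged header and impersonate a trusted workstation."""
    if x_forwarded_for and remote_addr in proxies:
        # the right-most entry is the address the trusted proxy appended
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def request_allowed(path, remote_addr, style, x_forwarded_for=None, trusted=TRUSTED_NODES):
    """Emulates: Order deny,allow / Deny from all / Allow from localhost <TRUSTED IPs>."""
    if not path_is_restricted(path, style):
        return True  # no rule fires, so the page is served to anyone
    client = ipaddress.ip_address(effective_client_ip(remote_addr, x_forwarded_for))
    # "localhost" is treated as the loopback range here (an assumption; Apache
    # resolves the name instead).
    return client.is_loopback or client in {ipaddress.ip_address(t) for t in trusted}


def find_bypasses(style, attacker_ip="192.0.2.50"):
    """Return the probe paths an untrusted client can use to reach secret2.jsp."""
    target = served_resource(RULES["literal"])
    return [
        p for p in PROBE_PATHS
        if served_resource(p) == target and request_allowed(p, attacker_ip, style)
    ]


if __name__ == "__main__":
    for style in RULES:
        print(f"{style:8s} bypasses: {find_bypasses(style)}")
```

Running the block shows the literal rule letting every slash variant through to an untrusted address while the "(/)+" form blocks all of them, and effective_client_ip only trusts the forwarded header when the connection comes from the assumed load balancer.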
For more information, refer to My Oracle Support Knowledge Document 387859.1, Using AutoConfig to Manage System Configurations with Oracle Applications Release 12.
If your network topology and/or load balancer configuration allows direct access to the WebLogic Server (WLS) ports, follow these instructions to reduce the WLS attack surface:
Only Allow Access to Oracle WebLogic Server Administration Ports from Trusted Hosts, Oracle E-Business Suite Setup Guide
Only Allow Direct Access to Oracle WebLogic Server from Trusted Hosts, Oracle E-Business Suite Setup Guide
Disabling Web Services Atomic Transactions, Oracle E-Business Suite Setup Guide