Oracle E-Business Suite Security

About Oracle E-Business Suite Security

Oracle E-Business Suite Architecture

the picture is described in the document text

This section contains security recommendations for configurations within Oracle E-Business Suite.

Hardening

Hardening the Operating Environment

Follow the hardening instructions for Operating Environment Security.

Setting Workflow Notification Mailer SEND_ACCESS_KEY to N

When SEND_ACCESS_KEY is set to 'Y', the workflow notification email bypasses the Oracle E-Business Suite sign-on process; email notifications contain an access key. The key allows the user to access the Notification Details web page directly without authenticating. Set SEND_ACCESS_KEY to N to prevent inclusion of the key with the Notification Detail link. When set to 'N', an unauthenticated user who clicks on the notification link must sign on before accessing the Notification Details web page.

For more information, refer to the Oracle Workflow Administrator's Guide.

Ensuring You Know Who is a Workflow Admin

Verify the setting in WF_RESOURCES to see who workflow considers a workflow administrator:

select TEXT from WF_RESOURCES where NAME = 'WF_ADMIN_ROLE' ;

Ensure that the value is not set to "*" which means that everybody is a workflow administrator.

Setting Tools Environment Variables

You should prevent forms users from using the enter-query feature on a production system.

In Oracle E-Business Suite Release 12, the Forms parameters are set in the configuration file:

/x/inst/apps/VIS12_dbs01/ora/10.1.2/forms/server/default.env

Forms Environment Variable Value
FORMS_RESTRICT_ENTER_QUERY TRUE

Securing Attachments

Utilize the profile options described in the following sections to secure attachments. In addition to the information below, see My Oracle Support Knowledge Document 1357849.1, Security Configuration Mechanisms in the Attachments Feature in Oracle E-Business Suite, for more details.

File Download

Profile option FND: Security File Download Time Limit (FND_GFM_ACCESS_DURATION) specifies the maximum length of time (in minutes) for accessing a Generic File Manager (GFM) file download URL. It was introduced in the July 2019 Oracle E-Business Suite Critical Patch Update (CPU).

The GFM file download URL is most commonly generated when downloading an attachment file or performing an export from an Oracle Form or Oracle Application Framework page. The default value of the profile is five minutes. The five minutes begin when the download URL is initially generated. This download URL cannot be accessed beyond the allotted five minutes. However, once the access is authenticated, the download itself can take as much time as needed.

To set the FND: Security File Download Time Limit profile option, see: Setting Profile Options, Oracle E-Business Suite Setup Guide.

Upload File Size Limit

Profile option Upload File Size Limit (UPLOAD_FILE_SIZE_LIMIT) specifies the maximum allowable file size in KB for uploaded attachments for Oracle Application Framework and core attachments. This profile option is set with a default value of 4194304 KB (4GB) at the Site level.

For example, if you set the profile option value to 2000KB (2MB) and try to upload a file that exceeds this value, an error message similar to the following is displayed:

    The file you are trying to upload has exceeded the maximum size of 2000 KB. Please upload a file of size less than 2000 KB or contact your Systems Administrator for assistance.

To address this error, set the value of the Upload File Size Limit profile option to a value that matches the size of the file to upload.

Note that for particular iRecruitment responsibilities, this profile option is more restrictive. Other levels may be set so if there are issues uploading a file due to size, the profile should be checked at all levels.

See My Oracle Support Knowledge Document 1357849.1, Security Configuration Mechanisms in the Attachments Feature in Oracle E-Business Suite.

To set the Upload File Size Limit profile option, see: Setting Profile Options, Oracle E-Business Suite Setup Guide.

File Type Validation

This feature was originally delivered in the Oracle E-Business Suite October 2011 CPU and updated in subsequent CPUs.

Before this change, users could upload any file type without any restrictions. With this enhancement, users will be limited as to what file types of attachments they can upload. File types can be explicitly allowed.

With this feature enabled, users receive an error message, "This file type is not allowed. Please choose another file" when attempting to upload a single file with a restricted file type. This feature applies when uploading attachments through the user interface (using the Generic File Manager). Bulk file uploads by administrators will not be restricted.

File types are defined in the fnd_mime_types table. The combination of Media Type (formerly known as MIME type) and file extension uniquely identifies a file type. File types with 'N' for the column ALLOW_FILE_UPLOAD value are explicitly disallowed. These file types are listed in the following table.

Disallowed File Types
Media (MIME) Type File Extension ALLOW_FILE_UPLOAD column value
application/jsp jsp N
application/octet-stream wsh N
application/octet-stream jse N
application/octet-stream class N
application/octet-stream bin N
application/octet-stream exe N
application/octet-stream com N
application/octet-stream bat N
application/octet-stream cmd N
application/octet-stream wsf N
application/octet-stream vbe N
application/octet-stream vbs N
application/x-javascript js N
application/x-shockwave-flash swf N
application/x-java-archive jar N

The restriction on file types is also controlled by the profile option Attachment File Upload Restriction Default (FND_SECURITY_FILETYPE_RESTRICT_DFLT). This profile determines whether a file type that is not explicitly enabled or disabled from upload is allowed or not. If this profile is NULL for any reason (or does not exist), then the default is to allow uploads (same as the value 'Yes'). The default value of the profile Attachment File Upload Restriction Default is 'Yes' on the Site level.

Blocklist behavior: When the profile Attachment File Upload Restriction Default is set to 'Yes', all file types except those with ALLOW='N' can be uploaded. That is, any file type in which the ALLOW flag is not explicitly set to 'N' in fnd_mime_types is allowed to be uploaded.

Allowlist behavior: When the profile Attachment File Upload Restriction Default is set to 'No', only file types with ALLOW='Y' can be uploaded. That is, only file types in which the ALLOW flag are explicitly set to 'Y' in fnd_mime_types are allowed to be uploaded.

Because a file extension can exist in the fnd_mime_types table multiple times (because the combination of mime type and file extension uniquely identifies a file type), the most restrictive value will be used.

For example, say we have the values listed in the following table:

Example Values
MIME Type File Extension ALLOW_FILE_UPLOAD column value
application/gzip gzip Y
application/x-gzip gzip N

In this example, files with the extension "gzip" will be restricted from upload.

How to Modify the List of File Types Allowed/Disallowed

To change what file types are explicitly allowed and disallowed in the fnd_mime_types table, use the APIs as follows.

The package fnd_file_mime_types_pkg is provided to allow the administrators to insert, update, or delete from the fnd_mime_types table. Note that if you are changing a file type from disallowed to allowed, set the Allowed flag to 'Y'.

Here is the syntax of the procedures:

PROCEDURE INSERT_ROW (X_ROWID in out nocopy VARCHAR2,
                      X_MIME_TYPE in VARCHAR2,
                      X_CP_FORMAT_CODE in VARCHAR2 DEFAULT NULL,
                      X_CTX_FORMAT_CODE in VARCHAR2 DEFAULT 'IGNORE',
                      X_CREATION_DATE in DATE DEFAULT SYSDATE,
                      X_CREATED_BY in NUMBER DEFAULT NULL,
                      X_LAST_UPDATE_DATE in DATE DEFAULT NULL,
                      X_LAST_UPDATED_BY in NUMBER DEFAULT NULL,
                      X_LAST_UPDATE_LOGIN in NUMBER DEFAULT NULL,
                      X_FILE_EXT in VARCHAR2 DEFAULT NULL,
                      X_ALLOW_FILE_UPLOAD in VARCHAR2 DEFAULT NULL);

PROCEDURE UPDATE_ROW (X_MIME_TYPE_ID in NUMBER,
                      X_MIME_TYPE in VARCHAR2 DEFAULT NULL,
                      X_CP_FORMAT_CODE in VARCHAR2 DEFAULT NULL,
                      X_CTX_FORMAT_CODE in VARCHAR2 DEFAULT NULL,
                      X_LAST_UPDATE_DATE in DATE DEFAULT SYSDATE,
                      X_LAST_UPDATED_BY in NUMBER DEFAULT NULL,
                      X_FILE_EXT in VARCHAR2 DEFAULT NULL,
                      X_ALLOW_FILE_UPLOAD in VARCHAR2 DEFAULT NULL);  

PROCEDURE DELETE_ROW (X_MIME_TYPE in VARCHAR2,
                      X_FILE_EXT in VARCHAR2);

PROCEDURE SET_FILE_EXT (X_MIME_TYPE IN VARCHAR2,
                        X_FILE_EXT IN VARCHAR2);
                        X_LAST_UPDATE_DATE in DATE DEFAULT SYSDATE,
                        X_LAST_UPDATED_BY in NUMBER DEFAULT NULL);

PROCEDURE SET_ALLOW_UPLOAD (X_FILE_EXT IN VARCHAR2,
                            X_MIME_TYPE IN VARCHAR2,
                            X_ALLOW_FILE_UPLOAD IN VARCHAR2,
                            X_LAST_UPDATE_DATE in DATE DEFAULT SYSDATE,
                            X_LAST_UPDATED_BY in NUMBER DEFAULT NULL);

Examples

To insert a row into the fnd_mime_types table:

FND_FILE_MIME_TYPES_PKG.insert_row(x_rowid => xrow,
                                   x_mime_type => 'application/mime_value',
                                   x_created_by => <userid>,
                                   x_last_updated_by => <userid>,
                                   x_file_ext => 'ext',
                                   X_ALLOW_FILE_UPLOAD => 'N');

To allow file upload:

FND_FILE_MIME_TYPES_PKG.set_allow_upload(x_file_ext => 'ext',
                                         x_mime_type => 'application/mime_value',
                                         x_allow_file_upload => 'Y');

To use the API fnd_file_mime_types_pkg.update_row first determine the mime_type_id of the record to be updated:

execute FND_FILE_MIME_TYPES_PKG.update_row(x_mime_type_id => 82,X_ALLOW_FILE_UPLOAD => 'Y');

Note: If changes do not immediately take effect, a stop and restart of the application tier may be required.

AntiSamy Check

This feature was originally delivered in the Oracle E-Business Suite October 2011 CPU and updated in subsequent CPUs.

This enhancement leverages the AntiSamy libraries to validate HTML files that are uploaded using the Attachment or File Upload features. For more information on the AntiSamy Project, see the Open Web Application Security Project (OWASP) AntiSamy Project page at https://wiki.owasp.org/index.php/Category:OWASP_AntiSamy_Project.

This AntiSamy Check is available for both Oracle Application Framework and Oracle Application Object Library Attachment/File Upload functionality.

The feature is controlled by profile FND: Disable AntiSamy Filter (FND_DISABLE_ANTISAMY_FILTER). When this profile is set to 'No' (the default value), Oracle E-Business Suite will upload a cleaned-up version of a file with the message "The document you uploaded has been modified to remove restricted tags. Please check the document and replace it if necessary." The internal name of this message is FND_CLEAN_DOCUMENT_UPLOAD.

The AntiSamy check uses the policy file named fnd-antisamy-irec-1_3.xml under $JAVA_TOP/policies/antisamy. See the documentation for AntiSamy if you wish to restrict or relax the HTML tags that are allowed. See My Oracle Support Knowledge Document 122452.1, Global Customer Services Customization Guidelines.

HTML Attachment/Uploading with AntiSamy HTML Sanitizing

AntiSamy HTML sanitizing logic parses the uploaded/attached HTML as a string and removes the malicious pieces of code from it. Oracle E-Business Suite assumes the character encoding of the HTML file as follows:

  1. Character encoding written in the content-type meta tag in the HTML file.

    The HTML file should have a meta tag to specify the HTML character encoding like the following example:

    <meta http-equiv="content-type" content="text/html;charset=utf-8" />

    The character encoding name for this meta tag must be an IANA character encoding name.

  2. FND_NATIVE_CLIENT_ENCODING profile option value.

    If Oracle E-Business Suite cannot detect the character encoding from an HTML meta tag, it will get it from the profile option and assume it is equivalent to that of the HTML file.

To avoid the non-ASCII character corruption in HTML by AntiSamy HTML sanitizing, make sure the HTML file being uploaded has a "content-type" meta tag with the right character encoding. If corrupted characters are seen in an uploaded/attached file, check if the HTML is well-formed and has a meta tag for character encoding. The character encoding detection may fail in the following circumstances:

When there are multiple "content-type" meta tags in one HTML file, the very first one is used. If it fails to parse the very first one, the character encoding detection logic assumes there is no valid character encoding information in the HTML. The rest of the "content-type" meta tags will not be parsed.

If the character encoding cannot be described in an HTML "content-type" meta tag for some reason, use the FND_NATIVE_CLIENT_ENCODING profile option value to specify the HTML character encoding. Note that the value of FND_NATIVE_CLIENT_ENCODING is generally referred in text file uploading, downloading, and data exporting; and not for HTML file uploading/attachment only. Thus, the FND_NATIVE_CLIENT_ENCODING value must be set carefully.

Optional Secure Configurations

Security policy must balance risk of attack, cost of defense and value of data protected. This section contains recommendations that improve security, but may not be appropriate for every deployment.

Encrypting Credit Cards

The technical reference paper in My Oracle Support Knowledge Document 1573912.1, All About Oracle Payments Release 12 Wallets And Payments Data Encryption, describes the credit card encryption features available in Oracle E-Business Suite. The feature is part of Release 12, but needs to be explicitly turned on.

Encryption of credit card numbers is one of many requirements for PCI PA-DSS compliance.

Practicing Safe Cloning

In many production environments, it is part of normal operational procedure to periodically create clones (copies) of production databases for various purposes. These copies are typically used for performance test by DBAs or developers or to test upgrade/patching of the production database.

When these cloned copies of production databases are to be used outside the group of trusted production administrators, there will be concerns about the confidentiality of the data contained in the database as data scrambling routines are typically run on the cloned copy before it is handed over to development. The data scrambling protects the confidentiality of production data such as employee data (Name, Address, Social Security Number, Compensation details) customer data (Name, Address, Credit Card info) and other data considered confidential.

To ensure the integrity of the production database you must also change all the passwords in the clone to ensure that it will not be possible to retrieve passwords from the cloned instance that could be used to compromise the production database either by gaining administrative access or by allowing someone to impersonate another user.

See My Oracle Support Knowledge Document 419475.1, Removing Credentials from a Cloned EBS Production Database, for an example of how to remove production credentials and bootstrap new credentials in a cloned copy of your production database. The steps in Document 419475.1 should be incorporated in your local cloning procedures.

Network

Using Certified HTTP Security Headers

A server can pass additional information with a response using HTTP headers. HTTP security headers can provide additional protection against attacks and security vulnerabilities.

The following table lists HTTP security response headers that are certified for use with Oracle E-Business Suite.

Certified HTTP Security Headers for Oracle E-Business Suite
HTTP Header Description Oracle E-Business Suite Configuration and Reference
X-Frame-Options: SAMEORIGIN Response header to avoid clickjacking attacks by preventing other sites from embedding (framing) your content. In Oracle E-Business Suite Release 12.2, we introduced protections against clickjacking by setting the X-Frame-Options HTTP header for all pages. This is enabled by default with the following configuration line in the Oracle HTTP Server (OHS) oracle_apache.conf file:
Header set X-Frame-Options SAMEORIGIN

Note: If you require the ability to frame Oracle E-Business Suite pages from a site other than the Oracle E-Business Suite site, you may have to temporarily disable this header while working on a permanent solution (such as by rehosting or proxying). To temporarily disable the header, comment out the entry in the httpd.conf file and restart OHS.

X-Content-Type-Options: nosniff Response header that prevents browsers from attempting to guess the MIME type of a file by looking at its content. As of the October 2018 Critical Patch Update (CPU), this configuration is enabled by default.
See My Oracle Support Knowledge Document 2445688.1, Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (October 2018), for more information on the October 2018 CPU.
Strict-Transport-Security (HTTP Strict Transport Security) Response header that specifies that the site should only be contacted using HTTPS. In Oracle E-Business Suite 12.2, we introduced manual configuration to enable HSTS. For additional information regarding HSTS, refer to My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.

Caution: We recommend that you implement the HSTS only after testing that it does not break any customized code or third-party integrations.

Cookie Domain Scoping Code that specifies the scope of where the browser will send the cookie. In Oracle E-Business Suite Release 12.2, we introduced a configuration option for the domain attribute for the Oracle E-Business Suite ICX session cookie. Manual configuration is required to use this feature. See the "Cookie Domain Scoping" section for additional information.
secure Cookie Attribute A Set-Cookie response header attribute that prevents cookies from being sent with non- HTTPS requests. If you have enabled TLS for Oracle E-Business Suite, the secure cookie flag is automatically added for the Oracle E-Business Suite session cookie (also known as the ICX session cookie) by default. TLS enablement for Oracle E-Business Suite is required for this configuration. See My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2, for additional information.
httpOnly Cookie Attribute A Set-Cookie response header attribute that prevents client side script from accessing the cookie. For Oracle E-Business Suite the httpOnly cookie flag is set by default when the minimum requirements have been met. The application of R12.ATG_PF.C.DELTA.7 (24690680) and enablement of the Java Web Start option for running Forms for Oracle E-Business Suite is required to set the httpOnly cookie flag by default.
Refer to the following for additional information:
  • Readme for R12.ATG_PF.C.DELTA.7 (24690680)

  • My Oracle Support Knowledge Document 2188898.1, Using Java Web Start with Oracle E-Business Suite, for how to implement Java Web Start with Oracle E-Business Suite

samesite Cookie Attribute A Set-Cookie response header attribute that mitigates the risk of cross-site request forgery (CSRF) and information leakage attacks by asserting that the cookie should only be sent with requests initiated from the same registrable domain. Patch 29672027:R12.TXK.C delivers context file parameters to enable and configure the SameSite cookie attribute. The parameters control the SameSite attributes for all cookies set from the HTTP entry point.
After applying Patch 29672027, the default value of the SameSite cookie attribute (s_samesite_cookie_enabled) is set to # which disables the attribute. To enable the SameSite cookie attribute, you must set the value to "blank" as follows:
s_samesite_cookie_enable=""
You can also set the context variable s_samesite_cookie_attribute to 'strict' or 'lax'. By default, s_samesite_cookie_attribute is set to strict. For additional information, refer to: https://tools.ietf.org/html/draft-west-first-party-cookies-07.
If Oracle Access Manager and your Oracle E-Business Suite system do not reside on the same domain, you will need to set the context variable s_samesite_cookie_attribute to 'lax'.
If you are using iProcurement and plan to enable the SameSite cookie attribute, you must also apply Patch 31259179:R12.ICX.D and Patch 31840095:R12.FND.C. Based on the ATG level you are on, you may need to apply an FND one-off patch along with the iProcurement patch.
  • If you are on R12.ATG_PF.C.DELTA.7 (24690680) or later, apply patch 29705896:R12.FND.C.

  • If you are on R12.ATG_PF.C.DELTA.6 (21900895), manually add /OA_HTML/jsp/icx/punchout/PunchoutCallBack.jsp
 to allowed_jsps_Procurement.conf.

  • If your R12.ATG Release Update Pack level is older than R12.ATG_PF.C.DELTA.6 (21900895), no additional FND patch is required.


When enabling the SameSite cookie attribute, make sure to test integrations that are deployed in domains that differ from the Oracle E-Business Suite domain. A few examples of integrations that may have a different domain include iProcurement punchout or single sign-on integration with Oracle Access Manager or Identity Cloud Service.

Using TLS to Encrypt Oracle E-Business Suite Connections

Information sent over the network and across the internet in clear text may be intercepted. Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are features that provide encryption of network traffic between the user's browser and the Oracle E-Business Suite web server. You should configure your Oracle E-Business Suite environment to use TLS for all inbound (HTTP), outbound, and loopback connections.

If you are enabling encryption for Oracle E-Business 12.2 for the first time, follow the instructions in My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.

As of October 2014, all versions of SSL are insecure and should not be used. Oracle highly recommends that Oracle E-Business Suite customers migrate from SSL to TLS 1.2. Migrating to TLS 1.2 will address recent security vulnerabilities (such as POODLE, FREAK, Logjam, and RC4 NOMORE). If you are migrating from SSL to TLS, follow the instructions in My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.

Avoiding Weak Ciphers and Protocols for SSL (HTTPS)

You should avoid all cipher suites with a key size less than 128-bit and any RC4-based cipher suite to avoid the RC4 NOMORE vulnerability (CVE-2015-2808). This can be done by enabling these settings in ssl.conf:

SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM

You should also avoid weak protocols by migrating from any SSL version to TLS. Migrating to TLS avoids being vulnerable to POODLE (CVE-2014-3566), FREAK (CVE-2015-0204), and Logjam (CVE-2015-4000). To migrate from SSL to TLS, follow the instructions in My Oracle Support Knowledge Document 1367293.1, Enabling TLS in Oracle E-Business Suite Release 12.2.

Using External Web Tier if Exposing Any Part of Oracle E-Business Suite to the Internet

If you expose any part of your Oracle E-Business Suite production system to the internet, you should consult My Oracle Support Knowledge Document 1375670.1, Oracle E-Business Suite Release 12.2 Configuration in a DMZ, for our advice for deploying external Oracle E-Business Suite products to the internet. This document describes the role of DMZs, external web tiers, external responsibilities, URL firewall, and reverse proxies in a secure external Oracle E-Business Suite deployment.

Using Terminal Services for Client-Server Programs

Deploy client/server components requiring direct connection to the Oracle E-Business Suite production database on secured, trusted servers rather than on end user desktop machines.

The majority of the Oracle E-Business Suite functionality available to end users does not require direct database access but is web-based. Web browser sessions connect to application tier servers running Oracle Fusion Middleware. The application tier servers then make the database connections.

If you have a well considered need to connect to the production database directly from a desktop, deploy a remote server environment based on Windows Server Terminal Services, Citrix, or Tarantella (now Oracle Secure Global Desktop).

The challenge is to make the server running the client/server program a trusted server. If the end user is running with administrator or power-user privileges, or has physical access to the host, it does not qualify as "trusted."

If the client/server tool uses DBC files these DBC files must be protected from the user while ensuring that the program run by the user has read access to the DBC file.

Further details are provided in these sections "Add IP Restrictions / Enable Valid Node Checking," "Activate Server Security," and "Create DBC Files Securely."

Authentication

Changing Passwords for Seeded Application User Accounts

Oracle ships seeded user accounts with default passwords. Change the default passwords immediately. Depending on product usage, some seeded accounts can or can not be disabled. Disable an application user account by setting the END_DATE for the account.

Note that we ship a script named fnddefpw.sql. If you run this script as APPS, it will list the seeded accounts that still have the default password.

The following table lists the application users shipped with Oracle E-Business Suite Release 12 and indicates:

See description of the columns after the table and notice the footnotes following the table.

Application Users Shipped with Oracle E-Business Suite Release 12
Account Product/Purpose Change Disable NoPwd EndDT
AME_INVALID_APPROVER AME WF migration 11.5.9 to 11.5.10 Y Y    
ANONYMOUS FND/AOL - Anonymous for non-logged users Y Y   x
APPSMGR Routine maintenance via concurrent requests N Y x x
ASADMIN Application Server Administrator N Y x x
ASGADM Mobile gateway related products Y Y(a)    
ASGUEST Sales Application guest user Y Y(b)    
AUTOINSTALL AD Y Y    
CONCURRENT MANAGER FND/AOL: Concurrent Manager Y Y   x
FEEDER SYSTEM AD - Supports data from feeder system Y Y   x
GUEST Guest application user Y(c) N    
IBE_ADMIN iStore Admin user Y Y(d)    
IBE_GUEST iStore Guest user Y Y(d)    
IBEGUEST iStore Guest user Y Y(d)    
IEXADMIN Internet Expenses Admin Y Y    
INDUSTRY DATA   N Y x  
INITIAL SETUP AD Y Y   x
IRC_EMP_GUEST iRecruitment Employee Guest Login Y Y    
IRC_EXT_GUEST iRecruitment External Guest Login Y Y    
MOBILEADM Mobile Applications Admin Y Y    
MOBILEDEV Mobile Applications Development Y Y    
OP_CUST_CARE_ADMIN Customer Care Admin for Oracle Provisioning Y Y    
OP_SYSADMIN OP (Process Manufacturing) Admin User Y Y    
ORACLE12.[0-9].0 Owner for release specific seed data N N x  
PORTAL30 Desupported Portal 3.0.x Account Y Y    
PORTAL30_SSO Desupported Portal 3.0.x Account Y Y    
STANDALONE BATCH PROCESS FND/AOL Y Y    
SYSADMIN Application Systems Admin Y N    
WIZARD AD - Application Implementation Wizard Y Y    
XML_USER Gateway Y Y    

(a) Required for Mobile Sales, Service, and Mobile Core Gateway components.

(b) Required for Sales Application.

(c) If the GUEST password is changed, set the AutoConfig variable s_guest_pass to the new value in the context file before running AutoConfig. AutoConfig must be run to propagate the new password to config files.

Note: The GUEST password must always be in UPPERCASE.

(d) Required for iStore.

In the table, an 'x' in the EndDT column means the account ships end-dated.

In the table, an 'x' in the NoPwd column indicates that the account ships with an "impossible password," this means that the password column in FND_USER contains a clear text string that is never a valid encrypted or hashed password. Thus it is not possible to login as this user, unless you change the password.

The "impossible" value can be "DUMMY," "INVALID," or "INTERNAL USER-NOLOGIN."

Note: If the "impossible" value is not "INVALID", FNDCPASS will log a "cannot decrypt" error which can be ignored. More recent R12 versions consistently use "INVALID".

You can easily identify the users with an impossible password as the length of the impossible password is shorter than the encrypted or hashed password. For example, this SQL statement will list users with an impossible password:

select USER_NAME,END_DATE,ENCRYPTED_USER_PASSWORD from FND_USER
   where length(ENCRYPTED_USER_PASSWORD)<30 order by 1;

In the table, a 'Y' in the Change column indicates that you should change the password for the account as it ships with a default password. A value of 'N' means that you do not have to change anything to get rid of a default password. If the account is used by your Oracle E-Business Suite product mix, you should change the default password to a password of your choosing, and according to the implementation guide for the product that requires it.

Switching to Hashed Passwords

Traditionally, Oracle E-Business Suite has stored the password of the application users (FND_USERs) in encrypted form. Starting with release 12.0.4, it is possible to switch the Oracle E-Business Suite system to store hashed versions of the passwords instead.

To switch Oracle E-Business Suite to use hashed passwords, you must use the AFPASSWD command-line utility in MIGRATE mode. See the Oracle E-Business Suite Maintenance Guide for more details.

Note: This process is irreversible.

Tightening Logon and Session Profile Options

For local application users, the profile option settings below support strong passwords, account lockout after too many failed logons, and session inactivity timeout.

Recommended Values for Tightening Logon and Session Profile Options
Profile Option Name Recommendation
SIGNON_PASSWORD_LENGTH 8
SIGNON_PASSWORD_HARD_TO_GUESS YES
SIGNON_PASSWORD_NO_REUSE 180
SIGNON_PASSWORD_CASE Sensitive
SIGNON_PASSWORD_FAILURE_LIMIT 5(a)
ICX_SESSION_TIMEOUT 30
SIGNON_PASSWORD_CUSTOM implement(b)

(a) Setting automatic account locking after N failed attempts make for a simple denial of service attack. If you set this profile option monitor the FND_UNSUCCESSFUL_LOGINS table.

(b) If your corporate password policy cannot be expressed using the above parameters, you may implement a custom password validation function and register it with Oracle E-Business Suite. See Customize Password Validation.

Optional Secure Configurations

Security policy must balance risk of attack, cost of defense and value of data protected. This section contains recommendations that improve security, but may not be appropriate for every deployment.

Customizing Password Validation

If your corporate password policy cannot be expressed using the "Sign-On" parameters as found in Tighten Logon and Session Profile Options, you can implement a custom function for validating new passwords.

To customize password validation create a Java class that implements the oracle.apps.fnd.security.PasswordValidation Java interface. The interface requires three methods:

  1. public boolean validate(String user, String password

    This method takes a user name and password, and returns True or False, indicating whether the user's password is valid or invalid, respectively.

  2. public String getErrorStackMessageName()

    This method returns the name of the message to display when the user's password is deemed invalid (for example, the validate() method returns False).

  3. public String getErrorStackApplicationName()

    This method returns the application short name for the aforementioned error message.

After writing the customized password validator, set profile option SIGNON_PASSWORD_CUSTOM to the full name of the class. If the name of the Java class is yourco.security.AppsPasswordValidation, then the value of SIGNON_PASSWORD_CUSTOM must be "yourco.security.AppsPasswordValidation". Note, this class must be loaded into the Application database using the loadjava command.

Creating New User Accounts Safely

Oracle User Management (UMX) provides a common user registration flow in which a user can enter a new password or select to have one generated randomly. UMX uses workflow to drive the registration process once a request has been submitted. See UMX documentation for more details.

Creating Shared Responsibilities Instead of Shared Accounts

When users share one account, the system cannot identify which user performs a function, preventing accountability. Users share the same functions or permission sets, while the system tracks individual user actions.

Configuring Concurrent Manager for Safe Authentication

Concurrent manager passes the APPS schema password to concurrent programs on the command line. Because some operating systems allow all machine users to read a program's command line arguments, the password may be intercepted. To prevent this, define the concurrent program executable as a HOST program in the concurrent program executable form. Enter ENCRYPT in the Execution Options field of the concurrent programs window when defining a concurrent program using this executable. ENCRYPT signals the concurrent manager to pass the user name/password in the environment variable FCP_LOGIN. Concurrent manager leaves argument $1 blank.

To prevent the user name/password from being passed, enter SECURE in the Execution Options field. With this change, concurrent manager does not pass the user name/password to the program. This means that the program will have to get the database credentials some other way if it needs to connect to the database.

Configuring Concurrent Manager for Start and Stop Without the APPS Password

Traditionally, the operator starting and stopping the application services needed to know the APPS user name and password in order to start the application services on an application tier that was running the concurrent manager.

Starting with Oracle E-Business Suite Release 12.1.3, it is possible to create an applications user (FND User) with the responsibility "Concurrent Manager Operator" and use this user's user name and password start and stop the application services.

This is implemented by:

Following this change, the application tier services can be started and stopped by calling adstrtal.sh and adstpall.sh with the -secureapps option and the script will prompt for the Application user's user name and password rather than the APPS user name and password.

For example:

[applmgr@app01]$ adstrtal.sh -secureapps

Enter the Applications username: CONCOPER
Enter the Applications password:

Activating Server Security

Oracle E-Business Suite Release 12 is deployed in a multi-tier configuration with one database server and many possible middle-tier application servers. The application servers include Apache JSP/Servlet, Forms, Discoverer. Any program which makes a SQLNet connection to the Oracle Applications database needs to be trusted at some level. The Server Security feature ensures that FNDLogin connections originate from trusted machines.

Additional Information: Concerning Oracle Discoverer, see also My Oracle Support Knowledge Document 2277369.1, Oracle E-Business Suite Support Implications for Discoverer 11gR1.

Setting Up Server Security

The Application Server Security feature is activated by default, all you should do is verify that the setting is set to SECURE.

This setting is controlled by the AutoConfig variable s_appserverid_authentication.

Application Server Security has three states:

Checking Server Security Status

Check the Server Security status using the STATUS command in the AdminAppServer utility before activating server security to ensure that all desired Application Servers have been registered. For details, see the Oracle E-Business Suite Setup Guide, Administering Server Security.

Another way to verify that server security is set to secure is to run the following SQL query while connected as APPS:

SQL> select NODE_NAME,SERVER_ID,SERVER_ADDRESS from FND_NODES
     where SERVER_ADDRESS = '*' ;

NODE_NAME      SERVER_ID     SERVER_ADDRESS
-------------- ------------- ---------------
AUTHENTICATION SECURE        *

Creating DBC Files Securely

Previous versions of documentation documented how to create DBC files for the Oracle E-Business Suite application tiers using the AdminAppServer utility. Oracle E-Business Suite Release 12 already does this automatically through AutoConfig, so you should never have to do this manually.

However when creating DBC files for use by desktop installations or for other, non-Oracle E-Business Suite application tiers that must connect to the Oracle E-Business Suite database, you must use the AdminDesktop utility to create the DBC file.

Examples of such external hosts are a webservice host or a BPEL service host.

Creating DBC files for these external, non-Oracle E-Business Suite tiers involves:

Use of AdminDesktop - and documentation of any patches needed - can be found in My Oracle Support Knowledge Document 974949.1, Oracle E-Business Suite Software Development Kit for Java.

When creating DBC files make sure to make them IP address specific and that the file permissions are set to 600 (-rw-------).

Consider Using Single Sign-On

Oracle E-Business Suite Release 12 support integration with a Single Sign-On (SSO). For more information on Single Sign-On deployments, refer to My Oracle Support Knowledge Document 376811.1, Integrating Oracle E-Business Suite Release 12 with Oracle Internet Directory and Oracle Single Sign-On.

Change Password for WebLogic Server Admin User

Follow the instructions in Changing the Oracle WebLogic Server Administration User Password, Oracle E-Business Suite Setup Guide to change the default password for the Oracle WebLogic administration user. The default password should be changed immediately.

Authorization

Reviewing and Limiting Responsibilities and Permissions

Some forms and pages in Oracle E-Business Suite allow a user to modify the functionality of the applications by specifying values such as SQL statements, SQL fragments such asWHERE clauses, HTML strings, and operating system commands or environment variables. These screens may constitute a security risk if used in an unauthorized fashion. Most of these screens are accessible only from system administration menus and responsibilities, where availability should be limited to a very few trusted users. You should eliminate or minimize access to these screens in a production system and know exactly which users have access to these screens.

There are several types of these sensitive pages in Oracle E-Business Suite, and they are controlled by different mechanisms. They can be grouped them into the following categories:

My Oracle Support Knowledge Document 1334930.1, Sensitive Administrative Pages in Oracle E-Business Suite, lists these forms, pages, profile options and includes a description of how to determine who has access by interactively using UMX User Management or by running SQL scripts.

Setting Other Security Related Profile Options

Refer to the following table and set the suggested values for the profile options.

Suggested Security-Related Profile Option Values
Profile Option Profile Option Name Suggested
Audit Trail:Activate AUDITTRAIL:ACTIVATE Yes
Concurrent:Report Access Level CONC_REPORT_ACCESS_LEVEL User
Sign-On:Notification SIGNONAUDIT:NOTIFY Yes
Utilities:Diagnostics DIAGNOSTICS No
FND:Diagnostics FND_DIAGNOSTICS No
FND Validation Level FND_VALIDATION_LEVEL Error
FND Function Validation Level FND_FUNCTION_VALIDATION_LEVEL Error
Framework Validation Level FRAMEWORK_VALIDATION_LEVEL Error
Restrict Text Input FND_RESTRICT_INPUT Y
IRC: XSS Filter IRC_XSS_FILTER Enable

My Oracle Support Knowledge Document 946372.1, Secure Configuration of E-Business Suite Profiles, describes the Diagnostics and Validation profiles.

Restricting Responsibilities by Web Server Trust Level

When web servers have been assigned a server trust level, the system may restrict access to a responsibility based upon that trust level. Three trust levels are supported:

  1. Administrative

  2. Normal

  3. External

Typically, administrative web servers are used exclusively by system administrators, are considered secure and have full application access with few limitations. Normal web servers are those used by employees within a company's intranet and requiring non-administrative responsibilities. Lastly, customers or employees outside of a company's firewall connect to external servers. These have access to a small set of responsibilities.

Setting the Server Trust Level for a Server

To assign a trust level to a web server, the administrator sets the NODE_TRUST_LEVEL profile option. This option, a server-based profile option, can be set to either 1, 2 or 3. The number 1 means administrative, 2 means normal, and 3 means external. To avoid having to set the NODE_TRUST_LEVEL for every single web server, administrators may wish to set the NODE_TRUST_LEVEL profile to some default level of trust at the site level. If no value is set for NODE_TRUST_LEVEL, the web server is assumed to have a trust level of 1 (administrative).

Restricting Access to a Responsibility

When a user logs on to Oracle Applications using a web server, the system determines which responsibilities are valid for that user, and of those responsibilities, which can be accessed from that particular web server. The system returns only responsibilities appropriate for the web server Trust Level.

To restrict access to a responsibility, set the Application Server Trust Level profile option value for that responsibility to be the number 1, 2 or 3. This indicates that only web servers with the same or greater ordinal trust level may access that responsibility.

For example, a responsibility with an Application Server Trust Level set to 1 (administrative) would only be available if the web server has its Application Server Trust Level set to 1 (administrative), as well. A responsibility with Application Server Trust Level set to 2 (normal) would only be available if the web server has its Server Trust Level set to either 1 (administrative) or 2 (normal).

Profile Option - Application Server Trust Level

Responsibilities or applications with the specified level of trust can only be accessed by an application server with at least the same level of trust. Users can see this profile option, but they cannot update it. The system administrator access is described in the following table:

System Administrator Access Levels
Level Visible Allow Update
Site Yes Yes
Application Yes Yes
Responsibility Yes Yes
User No No

References

For more information on how to enable and use the above security features, refer to Part I of the Oracle E-Business Suite Security Guide.