Secure Configuration Console

Overview

The Secure Configuration Console automates the security configuration process, consolidates everything under one user interface, and creates a single checkpoint entry into the system. It ensures that high priority security configuration problems are reviewed, understood, and remediated, ensuring a secure Oracle E-Business Suite environment.

After you upgrade to the latest ATG_PF Release Update Pack, your system will be "locked down" until a local system administrator resolves or acknowledges the recommended security configurations in the Secure Configuration Console.

To access this console, a user must have a responsibility that includes the Applications System (OAM_APP_SYSTEM) function privilege, such as the seeded System Administration or System Administrator responsibilities, and must be registered as a local user with Oracle E-Business Suite. The administrator must log in to Oracle E-Business Suite using the local login page (http(s)://[host]:[port]/OA_HTML/AppsLocalLogin.jsp) to navigate to the console and unlock the system. If a user with local system administrator privileges is not available, you can access the Secure Configuration Console through a command line utility (described later in this section).

Once the system is "Unlocked" for normal usage, the Secure Configuration Console is still available for administrators under the 'Functional Administrator' responsibility.

Feature Overview

The Secure Configuration Console provides:

Benefits

Automating the high priority security configuration process provides the following benefits:

Using the Secure Configuration Console

There are two methods to access the Secure Configuration Console home page.

The Secure Configuration Console bases its recommendations on recommended security guidelines. They are listed in more detail in the following section, "Checked Security Guidelines."

You can search for a recommendation by guideline, code, configuration type, status, or level of criticality in the Search section or by perusing through the table itself.

The following actions are available:

Checked Security Guidelines

The Secure Configuration Console currently checks the following high priority secure configuration guidelines:

Security Guidelines
Guideline Description Code Severity Reference(s)
Application Users Default Password Check whether all application users default passwords have been changed to non-default values. FND_APPS_DEF_PSWD 1 Changing Passwords for Seeded Application User Accounts
Attachment File Type Profiles Check whether attachment upload profiles are available and set correctly in the system. FND_MISS_ATT_PROF 1 Securing Attachments
Clickjacking Protection
(New in Release 12.2.7)
Check whether clickjacking protection is configured. CLICKJACK_PROTECTION 1 Using Certified HTTP Security Headers
Critical Security Profile Values Check whether critical security profile values are set correctly. FND_PROF_ERRORS 1 Setting Other Security Related Profile Options
Database Users Default Passwords Check whether all database users default passwords have been changed. FND_DB_DEF_PSWD 1 Changing Default Installation Passwords
My Oracle Support Knowledge Document 361482.1, Frequently Asked Questions about Oracle Default Password Scanner
Diagnostic Web Pages Protected
(New in Release 12.2.7)
Check whether diagnostic web page protection is configured. DIAG_WEB_PAGE_PROTEC 1 Protecting Administrative Pages
Forms Blocking of Bad Characters Check whether the Forms blocking of "bad" characters on the web server is active. FND_FORMS_BLOCK_CHR 1 Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Forms Blocking of Bad Characters check.
Missing Server Security Profile Check whether site level security profiles are available in the system. FND_MISS_PROF 1 Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Missing Server Security Profile check.
ModSecurity Configuration Check whether ModSecurity on the web server is active. FND_MOD_SEC 1 Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed ModSecurity Configuration check.
PUBLIC Privileges
(New in Release 12.2.7)
Check whether the PUBLIC role privileges are restricted. FND_APPS_IND_PUBLIC 1 This checks whether unnecessary privileges to Oracle E-Business Suite object have been granted to the Oracle Database PUBLIC role. You should revoke unnecessary privileges from the PUBLIC role. Oracle E-Business Suite database objects should not have privileges granted to the PUBLIC role. Any privileges granted to the PUBLIC role from Oracle E-Business Suite objects should be revoked. Certain privileges, such as the ability to create indexes, can be leveraged for privilege escalation in the database and should be removed.
WebLogic Server Default Password
(New in Release 12.2.9)
Check whether WebLogic Server default password has been changed to a non-default value. FND_WLS_DEF_PSWD 1 Change Password for WebLogic Server Admin User
Workflow Email Link Login
(New in Release 12.2.7)
Check whether Oracle Workflow generated emails that reference URLs in Oracle E-Business Suite require additional user authentication (login). WF_EMAIL_LOGIN 1 Setting Workflow Notification Mailer SEND_ACCESS_KEY to N
Activate Server Security Check whether server security (Secure Flag in DBC file) is enabled. FND_SERVER_SEC 2 Activating Server Security
Allowed Redirects Check whether the Allowed Redirects feature is enabled. FND_UNREST_REDIR 2 Allowed Redirects
Configuring Allowed Redirects
Allowed Resources Configuration
(New in Release 12.2.7)
Check whether the Allowed Resources feature is enabled. FND_JSP_UNREST_ACC 2 Allowed Resources
Allowed Resources Whitelist Configuration
(New in Release 12.2.7)
Check whether required whitelist configuration for the allowed resources feature is correct and up-to-date. TXK_JSP_WHITELIST 2 Allowed Resources
APPLSYSPUB Privileges Check whether APPLSYSPUB privileges are properly restricted. FND_APPLSYSPUB 2 Revoking Unnecessary Grants Given to APPLSYSPUB
Auditing Profiles Values Check whether auditing profiles are set. FND_AUDIT_PROF 2 "Using Oracle Application Object Library Profile Options to Configure Logging," Oracle E-Business Suite Maintenance Guide
"Page Access Tracking and Sign-On Audit," Oracle E-Business Suite Maintenance Guide
Sign-On Audit
Cookie Domain Scoping Configuration Check whether Cookie Domain Scoping is configured. FND_COOKIE_DOM 2 Cookie Domain Scoping
Using Certified HTTP Security Headers
Database Parameters (init*.ora)
(New in Release 12.2.7)
Check whether secure configuration recommended database initialization parameters have been set. FND_INIT_ORA 2 Removing Operating System Trusted Remote Logon
Removing Operating System Trusted Remote Roles
Restricting Access to SQL Trace Files
Limiting File System Access Within PL/SQL
Limiting Dictionary Access
Database Password Profiles
(New in Release 12.2.7)
Check if secure configuration recommended database profiles have been created in the Oracle E-Business Suite database. SEC_DB_PSWD_PROF 2 Implementing Two Profiles for Password Management
Hashed Passwords Check whether application user passwords have been migrated to hashed passwords. FND_PSWD_HASH 2 Switching to Hashed Passwords
HTTPS Configuration Check whether HTTPS is enabled. FND_SSL_ENABLED 2 Using TLS to Encrypt Oracle E-Business Suite Connections
iRecruitment File Upload Profile
(New in Release 12.2.7)
Check whether iRecruitment file upload security profile value is set. IREC_FILE_UPLOAD 2 Setting Other Security Related Profile Options
Oracle iRecruitment Implementation and User Guide, Release 12.2
Workflow Admin Access
(New in Release 12.2.7)
Check whether Oracle Workflow Admin access is restricted. WF_ADMIN_NOT_PUBLIC 2 Ensuring You Know Who is a Workflow Admin

Updates to the checks performed by the Secure Configuration Console are delivered with Oracle E-Business Suite Release Updates (RUPs) and Critical Patch Updates (CPU). We highly recommend that you apply the latest RUP and CPU to ensure that all recommended secure configuration and checks are available for your environment. See My Oracle Support Knowledge Document 1583092.1, E-Business Suite RUP, AD and TXK RUP Information, Release 12.2, for more information.

If any of the guidelines listed in the previous table fail the secure configuration check, you can either fix or suppress the failure. For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.

Navigating Through the Secure Configuration Console

The following screenshot is of the main page of the Secure Configuration Console. On the main screen of the console below the Search section, click Check to compute the status of all configurations on your system.

Secure Configuration Console Main Page

the picture is described in the document text

Once the status is computed, the configurations will display as either Pass or Fail (green check mark or red X, respectively) in the Status column.

Click on the arrow in the Details column for more information as to why a certain configuration passed, failed, or produced an error during configuration.

Secure Configuration Console Checked Guideline Table

the picture is described in the document text

To automatically remediate failed configuration checks, select configurations in 'Failed' status and of type 'Autofixable' and click Fix to resolve the reported issues.

Click Suppress to mute the configurations that are NOT applicable to your system. Suppressed configurations will no longer be displayed nor require further review in the console when deselecting the Muted Security Configuration check box.

Click Unsuppress to unmute the previously muted configurations.

Each Security Guideline is a hyperlink, which when clicked, opens a new page with a detailed description of the configuration.

If the configuration requirement involves a manual fix, more information on the necessary manual steps will be found by clicking the hyperlink. For example, when clicking the "Database Password Profiles" hyperlink, the Security Guideline Details page is displayed, providing the security guideline description and detailed information about the check:

Security Guideline Details Page

the picture is described in the document text

As mentioned previously, until the recommended security configurations have been implemented or acknowledged by a local system administrator, the Secure Configuration Console will prevent entry into the system. Until then, users will see an error message when trying to log in which says: "Oracle E-Business Suite has been placed into locked-down mode. Please contact system administrator for further assistance."

Locked-Down Mode Error Message

the picture is described in the document text

Command Line Utility

If a user with local system administrator privileges is not available, you can access the Secure Configuration Console by using the AdminSecurityCfg utility.

This utility is provided for the following tasks:

To use the AdminSecurityCfg utility, use the following syntax which will then will prompt you for your <APPS Username> and <APPS password>. Note that all parameters can, if desired, be entered on the same command line; they are shown here on different lines (using the UNIX '\' continuation character) for clarity.

java oracle.apps.fnd.security.AdminSecurityCfg \
<-check|-fix|-status|-lock|-unlock> \
DBC=<DBC File Path> \
[CODES=<code1>,<code2>,<code3>...]

Where:

-check - Runs the utility in check mode. You can specify the configurations to check by adding [CODES=<code1>,<code2>,<code3>...] to the command. These correspond to the security guideline codes found in Security Guidelines.

For example: java oracle.apps.fnd.security.AdminSecurityCfg -check DBC=<DBC File Path> CODES=FND_DB_DEF_PSWD,FND_PROF_ERRORS

If you do not specify a CODES attribute, then the utility will check all configurations.

-fix - Runs the utility in fix mode. You can specify the configurations to fix by adding [CODES=<code1>,<code2>,<code3>...] to the command.

For example: java oracle.apps.fnd.security.AdminSecurityCfg -fix DBC=<DBC File Path> CODES=FND_UNREST_REDIR,FND_AUDIT_PROF

If you do not specify a CODES attribute, then the utility will fix all configurations of type "Autofixable".

-status - Determines the status of all configurations. Specifying the CODES attribute is not necessary for this mode.

-lock - Places the system in locked down mode.

-unlock - Takes the system out of locked down mode.