The Secure Configuration Console provides a centralized dashboard for monitoring high-priority security configuration concerns. It enables you to review, understand, and resolve potential problems efficiently. The console’s checks and recommendations are based on Oracle’s security guidelines, which are detailed in the section Checked Security Guidelines.
The Secure Configuration Console provides:
Restricted Login
Access to the system is fully restricted when in "Locked Down" mode.
Access can be granted by implementing recommended secure configurations or by acknowledging security recommendations.
Centralized Security Health Dashboard
Provides a consolidated view of all security recommendations across network, database, and application layers.
Displays detailed descriptions of security configurations.
Enables review of each configuration’s current status, severity level, and resolution type (autofixable or manual).
Delivers a comprehensive overview of the system's security status.
Secure Configuration Management
Analyzes the current state of security configurations.
Automatically resolves autofixable configurations based on Oracle E-Business Suite recommendations.
Allows administrators to mute or unmute specific configuration checks as needed.
Automating the management of high-priority security configurations provides the following benefits:
Helps prevent security threats by ensuring the system is securely configured.
Blocks system access until security configurations are reviewed and concerns are remediated, reducing vulnerabilities.
Provides a centralized location to review all high-priority Oracle E-Business Suite security configurations.
Reduces reliance on manual, error-prone configuration processes.
Enables quick and efficient configuration management.
After upgrading to the latest ATG_PF Release Update Pack, your system will be "locked down" until a local system administrator resolves or acknowledges the recommended security configurations in the Secure Configuration Console.
To unlock your system and access the console, a user must have a responsibility that includes the Applications System (OAM_APP_SYSTEM) function privilege, such as the seeded System Administration or System Administrator responsibilities, and must be registered as a local user with Oracle E-Business Suite.
The administrator must log in to Oracle E-Business Suite using the local login page (http(s)://[host]:[port]/OA_HTML/AppsLocalLogin.jsp) to navigate to the console and unlock the system. If a user with local system administrator privileges is not available, you can access the Secure Configuration Console through a command line utility (described later in this section).
Once the system is unlocked for normal usage, the Secure Configuration Console is available for administrators to access, as described in the following section.
There are two methods to access the Secure Configuration Console home page.
Using the Functional Administrator responsibility:
On the Oracle E-Business Suite home page, select the Functional Administrator responsibility in the Navigator pane. Then, on the Functional Administrator page, select the Configuration Manager tab.
Using the OAM Security Dashboard:
On the Oracle E-Business Suite home page, select System Administrator in the Navigator pane. Then select Oracle Applications Manager, then OAM Security Dashboard. On the dashboard, under the Configuration Management section is a link to the Secure Configuration Console.
The Secure Configuration Console bases its recommendations on recommended security guidelines. They are listed in more detail in the following section, Checked Security Guidelines.
You can search for a recommendation by guideline, code, configuration type, status, or level of severity in the Search section, or by browsing the table itself.
The following actions are available:
Check - Discover the status of the selected guideline checks before configuring
Fix - Resolve the status of a selected failed guideline check
Suppress - Mute guidelines that are not relevant to your system
Unsuppress - Unmute previously suppressed guidelines
Check All - Discover the status of all unsuppressed guidelines
More details about the Secure Configuration Console user interface are found in the section Navigating the Secure Configuration Console.
The Secure Configuration Console checks high-priority security guidelines listed in the tables found in this section.
Updates to the checks performed by the Secure Configuration Console are delivered with Oracle E-Business Suite Critical Patch Updates (CPUs) or ATG Release Updates (RUPs). We recommend that you apply the latest ATG RUP or latest CPU to ensure that all recommended secure configuration checks are available for your environment. See the following My Oracle Support articles for more information:
KB719432, Oracle E-Business Suite Release 12.2: Suite-Wide Release Update Pack and AD/TXK Delta Information
KA923, Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12.2
If you are not running the latest release of the Secure Configuration Console, see Obsolete Secure Configuration Console Checks for Security Guidelines for obsolete checks which may still be running in your environment.
If any of the guidelines listed in the following tables fail the secure configuration check, you can either fix or suppress the failure. For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.
The following outlines the security checks made by the Secure Configuration Console and is categorized by severity. Full descriptions of each security check are found in the sections that follow.
The following sections provide more details on each Secure Configuration Console security check listed in the previous tables, including the security guideline being checked, a description of the check, the internal code name, and so on. If any of the checks fail, you can either fix or suppress the failure. See the "Next Steps" listed in each check for further information and instructions.
For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.
Security Guideline: Allowed Resources Configuration
Description: Check whether the Allowed Resources feature is enabled.
Code: FND_JSP_UNREST_ACC
Severity: 1
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: As this check only validates that the Allowed Resources feature is enabled, the feature must still be properly configured. See Allowed Resources for configuration details.
Security Guideline: Application Users Default Password
Description: Check whether all application users' default passwords have been changed to non-default values.
Code: FND_APPS_DEF_PSWD
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Changing Passwords for Seeded Application User Accounts.
Security Guideline: Attachment File Type Profiles
Description: Check whether attachment upload profiles are available and set correctly in the system.
This check reviews the values of the following profiles:
Attachment File Upload Restriction Default
Upload File Size Limit
Code: FND_MISS_ATT_PROF
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Securing Attachments.
Security Guideline: Clickjacking Protection
Description: Check whether clickjacking protection is configured.
Code: CLICKJACK_PROTECTION
Severity: 1
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: See Using Certified HTTP Security Headers.
Security Guideline: Critical Security Profile Values
Description: Check whether critical security profile values are set correctly at all levels (for example: site, responsibility, user).
In addition to verifying that critical security profile values are set as recommended, as of EBS Release 12.2.15 or R12.ATG_PF.C.Delta.14 this check now confirms that the Developer Console is disabled.
This check reviews the values of the following profiles:
FND: Diagnostics
Utilities:Diagnostics
FND: Developer Console
Personalize Self-Service Defn
Attachment File Upload Restriction Default
FND: Disable AntiSamy Filter
Restrict Text Input
BNE Allow No Security Rule
Export Secure Output Format
FND: Authn Service Token Scope
Code: FND_PROF_ERRORS
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Setting Other Security-Related Profile Options.
Security Guideline: Database Users Default Passwords
Description: Check whether all database users' default passwords have been changed.
As of EBS Release 12.2.15 or R12.ATG_PF.C.Delta.14, this check now validates password changes only for Oracle Database 11g Release 2 (11.2.0.4) and later. It no longer checks database releases prior to 11.2.0.4.
Code: FND_DB_DEF_PSWD
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Changing Default Installation Passwords.
Security Guideline: Diagnostic Web Pages Protected
Description: Check whether diagnostic web page protection is configured.
Code: DIAG_WEB_PAGE_PROTEC
Severity: 1
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: See Protecting Diagnostic Pages.
Security Guideline: Forms Blocking of Bad Characters
Description: Check whether the Forms blocking of "bad" characters on the web server is active.
Code: FND_FORMS_BLOCK_CHR
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: If this check fails, log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Forms Blocking of Bad Characters check.
Security Guideline: ModSecurity Configuration
Description: Check whether ModSecurity on the web server is active.
Code: FND_MOD_SEC
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: If this check fails, log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed ModSecurity Configuration check.
Security Guideline: Oracle E-Business Suite CPU Patch Level Check
Description: Check whether the Oracle E-Business Suite Critical Patch Update level in the system is greater than or equal to the configured value of the FND_SEC_MIN_CPU_PATCH_LEVEL (FND: Minimum CPU Patch Level) profile option.
As of EBS Release 12.2.15 or R12.ATG_PF.C.Delta.14, this check now defaults to verifying that the latest quarterly Critical Patch Update (CPU) has been applied to your environment.
Code: FND_MIN_CPU_LEVEL
Severity: 1
Initial Release: EBS Release 12.2.11 or R12.ATG_PF.C.Delta.10
Next Steps: See My Oracle Support article KA923, Identifying the Latest Critical Patch Update for Oracle E-Business Suite Release 12.2.
Security Guideline: PUBLIC Privileges
Description: Check whether the PUBLIC role privileges are restricted.
Code: FND_APPS_IND_PUBLIC
Severity: 1
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: This check determines whether unnecessary privileges on Oracle E-Business Suite objects have been granted to the Oracle Database PUBLIC role. Oracle E-Business Suite database objects should not have privileges granted to PUBLIC; revoke any such grants. Certain privileges, such as the ability to create indexes, can be leveraged for privilege escalation in the database and should be removed.
Security Guideline: Missing Server Security Profile
Description: Check whether site level security profiles are available in the system.
Code: FND_MISS_PROF
Severity: 1
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: If this check fails, log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Missing Server Security Profile check.
Security Guideline: WebLogic Server Default Password
Description: Check whether WebLogic Server default password has been changed to a non-default value.
Code: FND_WLS_DEF_PSWD
Severity: 1
Initial Release: EBS Release 12.2.9 or R12.ATG_PF.C.Delta.8
Next Steps: See Change Password for WebLogic Server Admin User.
Security Guideline: Workflow Email Link Login
Description: Check whether Oracle Workflow generated emails that reference URLs in Oracle E-Business Suite require additional user authentication (login).
Code: WF_EMAIL_LOGIN
Severity: 1
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: See Setting Workflow Notification Mailer SEND_ACCESS_KEY to N.
Security Guideline: Allowed Redirects
Description: Check whether the Allowed Redirects feature is enabled.
Code: FND_UNREST_REDIR
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Allowed Redirects.
Security Guideline: Unused Allowed Resources
Description: Check whether unused resources are denied.
As of EBS Release 12.2.15 or R12.ATG_PF.C.Delta.14, if the required access data has been collected, then the check will pass if all allowed resources have been accessed or fail if there are resources that are allowed but have never been accessed. If the required access data has not been collected because the Allowed Resources feature is not enabled in your environment, then the check is automatically disabled.
Code: SEC_UNUSED_RESOURCES
Severity: 2
Initial Release: EBS Release 12.2.11 or R12.ATG_PF.C.Delta.10
Next Steps: It is recommended to deny access to resources which have not been used in a year. These can be viewed in the Management by Resource tab on the Allowed Resources user interface. For more information, see Allowed Resources.
Security Guideline: Hashed Passwords
Description: Check whether application user passwords have been migrated to hashed passwords.
Code: FND_PSWD_HASH
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Migrate to Hashed Passwords.
Security Guideline: APPLSYSPUB Privileges
Description: Check whether APPLSYSPUB privileges are properly restricted.
Code: FND_APPLSYSPUB
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Revoking Unnecessary Grants Given to APPLSYSPUB.
Security Guideline: Auditing Profile Values
Description: Check whether the FND: Debug Log and Sign-on Audit profile values are set correctly.
The following profile values are checked:
FND: Debug Level Enabled - Yes
FND: Debug Log Level - Unexpected
Sign-On: Audit Level - Form at the Site level
Code: FND_AUDIT_PROF
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See the following references for more information.
Using Oracle Application Object Library Profile Options to Configure Logging, Oracle E-Business Suite Maintenance Guide
Security Guideline: Cookie Domain Scoping Configuration
Description: Check whether Cookie Domain Scoping is configured.
Code: FND_COOKIE_DOM
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See the following references for more information.
Security Guideline: Database Parameters (init*.ora)
Description: Check whether secure configuration recommended database initialization parameters have been set.
Code: FND_INIT_ORA
Severity: 2
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: See the following references for more information.
Security Guideline: Database Network Access Control List
Description: Check if Database Network Access Control List has been enabled.
Code: SEC_DB_NETWORK_ACL
Severity: 2
Initial Release: EBS Release 12.2.10 or R12.ATG_PF.C.Delta.9
Next Steps: See My Oracle Support article KA1233, Implementing Database Network Access Control Lists.
Security Guideline: Database Password Profiles
Description: Check if secure configuration recommended database profiles have been created in the Oracle E-Business Suite database.
Code: SEC_DB_PSWD_PROF
Severity: 2
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: See Implementing Two Profiles for Password Management.
Security Guideline: FND Generic File Manager (FNDGFM) Authorization Configuration
Description: Check whether the system is compliant with the recommended configuration for FND Generic File Manager (FNDGFM) authorization.
Code: FNDGFM_AUTH_CONFIG
Severity: 2
Initial Release: EBS Release 12.2.11 or R12.ATG_PF.C.Delta.10
Next Steps: See Securing Attachments.
Security Guideline: HTTPS Configuration
Description: Check whether HTTPS is enabled.
Code: FND_SSL_ENABLED
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Using TLS to Encrypt Oracle E-Business Suite Connections.
Security Guideline: iRecruitment File Upload Profile
Description: Check whether the iRecruitment File Upload profile (IRC: XSS Filter) value is set.
Code: IREC_FILE_UPLOAD
Severity: 2
Initial Release: EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Next Steps: See Oracle iRecruitment Implementation and User Guide, Release 12.2.
Security Guideline: Activate Server Security
Description: Check whether server security (Secure Flag in DBC file) is enabled.
Code: FND_SERVER_SEC
Severity: 2
Initial Release: EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Next Steps: See Activating Server Security.
Security Guideline: Unified Auditing
Description: Check whether Unified Auditing is supported and enabled.
This check fails if Unified Auditing and the recommended default EBS Unified Auditing policies are not enabled.
Code: FND_UNIFIED_AUDITING
Severity: 2
Initial Release: EBS Release 12.2.15 or R12.ATG_PF.C.Delta.14
Next Steps: See the following resources for more information.
Database Auditing in Oracle E-Business Suite Security Guide
My Oracle Support article KA1086, Enabling Unified Auditing in Oracle E-Business Suite Release 12.2 with Oracle AI Database 26ai, Oracle Database 19c, or Oracle Database 12c
Security Guideline: Workflow Admin Access
Description: Check whether Oracle Workflow Admin access is restricted.
Code: WF_ADMIN_NOT_PUBLIC
Severity: 2
Initial Release: EBS Release 12.2.9 or R12.ATG_PF.C.Delta.8
Next Steps: See Ensuring You Know Who is a Workflow Admin.
On the main screen of the console are four tiles with predefined filter criteria, added in Oracle E-Business Suite Release 12.2.10. Click a tile to view the filtered guidelines in the table displayed.
Failed Guidelines - By default, this filter provides all Severity 1 and Severity 2 level failures, but not guideline checks that have been suppressed.
Passed Guidelines - This shows all guideline checks that have passed, but not those that have been suppressed.
Suppressed Guidelines - This shows all guideline checks that have been suppressed (or muted).
Unsuppressed Guidelines - This shows all guidelines that have not been suppressed. These are the security guidelines that are being checked.
The "Guidelines were last checked on" date above the leftmost tile is the date on which the Secure Configuration Console last checked the security guidelines.
Secure Configuration Console Main Page

You can further refine each tile's criteria by using the Saved Search drop-down. The drop-down allows you to add filter criteria, which are displayed in the Filter section on the left, where you can save your search for future use.
In the table on the main console page, click Check to compute the status of all configurations on your system against the selected guidelines. Click Check All to select and check all guidelines.
Once the status is computed, the guideline is displayed as either Pass or Fail (green check mark or red X, respectively) in the Status column.
Click on the arrow in the Details column for more information as to why a certain configuration passed, failed, or produced an error during the configuration check.
Secure Configuration Console Checked Guidelines Table

To automatically remediate failed configuration checks, select guideline checks with a Failed status and of the type Autofixable and click Fix located at the top of the table to resolve the reported issues.
Click Suppress to mute selected guideline checks that are NOT applicable to your system. Suppressed guidelines no longer require review in the console, and they are no longer displayed when the Muted Security Configuration checkbox is deselected.
Click Unsuppress to unmute the previously muted guideline checks.
Each security guideline is a link, which when clicked, opens a new page with a detailed description of the configuration requirement.
If the configuration requirement involves a manual fix, more information on the necessary manual steps can be found by clicking the link. For example, when clicking the "Database Password Profiles" link, the Security Guideline Details page is displayed, providing the security guideline description and detailed information about the check.
Security Guideline Details Page

As mentioned previously, until the recommended security configurations have been implemented or acknowledged by a local system administrator, the Secure Configuration Console will prevent entry into the system. Until then, users will see an error message when trying to log in which says: "Oracle E-Business Suite has been placed into locked-down mode. Please contact system administrator for further assistance."
Locked-Down Mode Error Message

When an Oracle E-Business Suite instance has been placed into locked-down mode, as soon as a user with system administrator privileges logs in the Secure Configuration Console will appear.
At this point, the system administrator should resolve or address any failed security guideline checks. When ready to unlock the instance, the system administrator should select either of the following options prior to clicking Proceed:
I am done with the security configurations.
Ignore the security configurations.
Once you click Proceed, the Oracle E-Business Suite instance is unlocked.
If a user with local system administrator privileges is not available, you can access the Secure Configuration Console by using the AdminSecurityCfg utility.
This utility is provided for the following tasks:
To take the system out of locked down mode.
To compute the status of a certain configuration or all configurations.
To configure a certain configuration or all configurations of type Autofixable.
To view the status of a certain configuration or all configurations.
To use the AdminSecurityCfg utility, use the following syntax; the utility will then prompt you for your <APPS Username> and <APPS password>. Note that all parameters can, if desired, be entered on the same command line; they are shown here on different lines (using the UNIX '\' continuation character) for clarity.
java oracle.apps.fnd.security.AdminSecurityCfg \
    <-check|-fix|-status|-lock|-unlock> \
    DBC=<DBC File Path> \
    [CODES=<code1>,<code2>,<code3>...]
Where:
-check - Runs the utility in check mode. You can specify the configurations to check by adding [CODES=<code1>,<code2>,<code3>...] to the command. These correspond to the security guideline codes found in Security Guidelines.
For example: java oracle.apps.fnd.security.AdminSecurityCfg -check DBC=<DBC File Path> CODES=FND_DB_DEF_PSWD,FND_PROF_ERRORS
If you do not specify a CODES attribute, then the utility will check all configurations.
-fix - Runs the utility in fix mode. You can specify the configurations to fix by adding [CODES=<code1>,<code2>,<code3>...] to the command.
For example: java oracle.apps.fnd.security.AdminSecurityCfg -fix DBC=<DBC File Path> CODES=FND_UNREST_REDIR,FND_AUDIT_PROF
If you do not specify a CODES attribute, then the utility will fix all configurations of type Autofixable.
-status - Determines the status of all configurations. Specifying the CODES attribute is not necessary for this mode.
-lock - Places the system in locked down mode.
-unlock - Takes the system out of locked down mode.
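The following POSIX shell wrapper is an added example and is not part of Oracle's documentation or the AdminSecurityCfg utility itself. It builds the command line described above from a mode, a DBC file path and an optional CODES list, validates the codes against the guideline codes listed in Checked Security Guidelines, and refuses to run -fix with no CODES list unless FIX_ALL=yes is set, so that every Autofixable configuration is not remediated by an accidentally omitted parameter. The DBC path used in the comments is a constructed placeholder; the utility still prompts for the APPS username and password interactively, so the wrapper never handles credentials.

```shell
#!/bin/sh
# Wrapper for the AdminSecurityCfg utility (added example, not Oracle's code).
# It only assembles and validates the command line; credentials are entered at
# the utility's own interactive prompt, never on the command line.

# Guideline codes documented in "Checked Security Guidelines" (Severity 1 and 2).
KNOWN_CODES="FND_JSP_UNREST_ACC FND_APPS_DEF_PSWD FND_MISS_ATT_PROF CLICKJACK_PROTECTION \
FND_PROF_ERRORS FND_DB_DEF_PSWD DIAG_WEB_PAGE_PROTEC FND_FORMS_BLOCK_CHR FND_MOD_SEC \
FND_MIN_CPU_LEVEL FND_APPS_IND_PUBLIC FND_MISS_PROF FND_WLS_DEF_PSWD WF_EMAIL_LOGIN \
FND_UNREST_REDIR SEC_UNUSED_RESOURCES FND_PSWD_HASH FND_APPLSYSPUB FND_AUDIT_PROF \
FND_COOKIE_DOM FND_INIT_ORA SEC_DB_NETWORK_ACL SEC_DB_PSWD_PROF FNDGFM_AUTH_CONFIG \
FND_SSL_ENABLED IREC_FILE_UPLOAD FND_SERVER_SEC FND_UNIFIED_AUDITING WF_ADMIN_NOT_PUBLIC"

# is_known_code CODE -> returns 0 if CODE is one of the documented guideline codes
is_known_code() {
    for k in $KNOWN_CODES; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# validate_codes "CODE1,CODE2,..." -> prints the first unknown code and returns 1,
# returns 0 when every code in the comma-separated list is documented
validate_codes() {
    _list=$(printf '%s' "$1" | tr ',' ' ')
    for c in $_list; do
        if ! is_known_code "$c"; then
            printf '%s\n' "$c"
            return 1
        fi
    done
    return 0
}

# build_cmd MODE DBC [CODES] -> prints the AdminSecurityCfg command line, or
# returns non-zero (with a message on stderr) when the input is rejected
build_cmd() {
    mode=$1; dbc=$2; codes=$3
    case "$mode" in
        -check|-fix|-status|-lock|-unlock) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    [ -n "$dbc" ] || { echo "DBC file path required" >&2; return 2; }
    if [ -n "$codes" ]; then
        bad=$(validate_codes "$codes") || { echo "unknown guideline code: $bad" >&2; return 2; }
    fi
    # -fix with no CODES autofixes every Autofixable guideline; require an explicit opt-in.
    if [ "$mode" = "-fix" ] && [ -z "$codes" ] && [ "${FIX_ALL:-no}" != "yes" ]; then
        echo "refusing -fix without CODES (set FIX_ALL=yes to autofix every Autofixable guideline)" >&2
        return 3
    fi
    cmd="java oracle.apps.fnd.security.AdminSecurityCfg $mode DBC=$dbc"
    [ -n "$codes" ] && cmd="$cmd CODES=$codes"
    printf '%s\n' "$cmd"
}

# run_cmd MODE DBC [CODES] -> builds the command line and executes it
# (the utility prompts for the APPS username and password itself)
run_cmd() {
    cmd=$(build_cmd "$@") || return $?
    eval "$cmd"
}

# Example invocation (constructed DBC path):
#   run_cmd -check /u01/app/fs1/inst/apps/EBSDB_host/appl/fnd/12.0.0/secure/EBSDB.dbc \
#           FND_DB_DEF_PSWD,FND_PROF_ERRORS
```

Keeping command construction separate from execution lets an operator preview the exact line the wrapper will run, and the FIX_ALL guard mirrors the console's own distinction between fixing selected guidelines and fixing all Autofixable ones.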