Secure Configuration Console

Overview

The Secure Configuration Console automates the security configuration process, consolidates everything under one user interface, and creates a single checkpoint entry into the system. It ensures that high priority security configuration problems are reviewed, understood, and remediated, ensuring a secure Oracle E-Business Suite environment.

After you upgrade to the latest ATG_PF Release Update Pack, your system will be "locked down" until a local system administrator resolves or acknowledges the recommended security configurations in the Secure Configuration Console.

To access this console, a user must have a responsibility that includes the Applications System (OAM_APP_SYSTEM) function privilege, such as the seeded System Administration or System Administrator responsibilities, and must be registered as a local user with Oracle E-Business Suite. The administrator must log in to Oracle E-Business Suite using the local login page (http(s)://[host]:[port]/OA_HTML/AppsLocalLogin.jsp) to navigate to the console and unlock the system. If a user with local system administrator privileges is not available, you can access the Secure Configuration Console through a command line utility (described later in this section).

Once the system is unlocked for normal usage, the Secure Configuration Console is still available for administrators under the Functional Administrator responsibility.

Feature Overview

The Secure Configuration Console provides:

Benefits

Automating the high priority security configuration process provides the following benefits:

Using the Secure Configuration Console

There are two methods to access the Secure Configuration Console home page.

The Secure Configuration Console bases its recommendations on recommended security guidelines. They are listed in more detail in the following section, Checked Security Guidelines.

You can search for a recommendation by guideline, code, configuration type, status, or level of severity in the Search section or by perusing through the table itself.

The following actions are available:

Checked Security Guidelines

The Secure Configuration Console currently checks the following high priority secure configuration guidelines.

Updates to the checks performed by the Secure Configuration Console are delivered with Oracle E-Business Suite ATG Release Updates (RUPs) or Critical Patch Updates (CPUs). We highly recommend that you apply the latest ATG RUP or latest CPU to ensure that all recommended secure configuration checks are available for your environment. See the following My Oracle Support knowledge documents for more information:

If you are not running the latest release of the Secure Configuration Console, see Obsolete Secure Configuration Console Checks for Security Guidelines for obsolete checks which may still be running in your environment.

If any of the guidelines listed in the following tables fail the secure configuration check, you can either fix or suppress the failure. For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.

The following tables, organized by severity, list the security checks made by the Secure Configuration Console and the releases in which they are made available. Full descriptions of each security check are found in the sections that follow.

Security Checks Performed by the Secure Configuration Console - Severity 1
Security Check Available as of the Listed Release and Later
Allowed Resources is enabled. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Application users default passwords have been changed to non-default values. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Attachment upload profiles are available and set correctly. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Clickjacking protection is configured. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Critical security profile values are set correctly. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Database users default passwords have been changed to non-default values. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Diagnostic web page protection is configured. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Forms blocking of bad characters on the web server is active. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
ModSecurity on the web server is active. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Oracle E-Business Suite CPU patch level is the expected level or higher. EBS Release 12.2.11 or R12.ATG_PF.C.Delta.10
PUBLIC role privileges are restricted. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Site level server security profiles are available in the system. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
WebLogic Server default admin user password has been changed to non-default value. EBS Release 12.2.9 or R12.ATG_PF.C.Delta.8
Workflow generated emails that reference URLs in EBS require additional user authentication. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Security Checks Performed by the Secure Configuration Console - Severity 2
Security Check Available as of the Listed Release and Later
Allowed Redirects is enabled. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Allowed Resources that are unused are denied. EBS Release 12.2.11 or R12.ATG_PF.C.Delta.10
Application users passwords have been migrated to hash passwords. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
APPLSYSPUB privileges are properly restricted. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Auditing profiles are correctly set. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Cookie Domain scoping is configured. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Database initialization parameters have been set to recommended values. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Database Network Access List (ACL) is configured. EBS Release 12.2.10 or R12.ATG_PF.C.Delta.9
Database profiles have been created in the EBS database for database user password management. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
FND Generic File Manager (FNDGFM) Authorization is properly configured. EBS Release 12.2.11 or R12.ATG_PF.C.Delta.10
HTTPS is enabled. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
iRecruitment file upload security profile value is set. EBS Release 12.2.7 or R12.ATG_PF.C.Delta.7
Server security (Secure Flag in DBC file) is enabled. EBS Release 12.2.6 or R12.ATG_PF.C.Delta.6
Workflow Admin access is restricted. EBS Release 12.2.9 or R12.ATG_PF.C.Delta.8

Security Check Details

The following sections provide more details on each Secure Configuration Console security check listed in the previous tables, including the security check name as found in the console, a description of the check, the internal code name, and so on. If any of the checks fail, you can either fix or suppress the failure. See the "Next Steps" listed in each check for further information and instructions.

For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.

Allowed Resources is Enabled

Application Users Default Passwords Have Been Changed to Non-Default Values

Attachment Upload Profiles are Available and Set Correctly

Clickjacking Protection is Configured

Critical Security Profile Values are Set Correctly

Database Users Default Passwords Have Been Changed to Non-Default Values

Diagnostic Web Page Protection is Configured

Forms Blocking of Bad Characters on the Web Server is Active

ModSecurity on the Web Server is Active

Oracle E-Business Suite CPU Patch Level is the Expected Level or Later

PUBLIC Role Privileges are Restricted

Site Level Server Security Profiles are Available in the System

WebLogic Server Default Admin User Password Has Been Changed to Non-Default Value

Workflow Generated Emails that Reference URLs in EBS Require Additional User Authentication

Allowed Redirects is Enabled

Allowed Resources that are Unused are Denied

Application Users Passwords Have Been Migrated to Hash Passwords

APPLSYSPUB Privileges are Properly Restricted

Auditing Profiles are Correctly Set

Cookie Domain Scoping is Configured

Database Initialization Parameters Have Been Set to Recommended Values

Database Network Access List (ACL) is Configured

Database Profiles Have Been Created in the EBS Database for Database User Password Management

FND Generic File Manager (FNDGFM) Authorization is Properly Configured

HTTPS is Enabled

iRecruitment File Upload Security Profile Value is Set

Server Security (Secure Flag in DBC File) is Enabled

Workflow Admin Access is Restricted

Navigating Through the Secure Configuration Console

On the main screen of the console are four predefined filtered criteria in tiles added in Oracle E-Business Suite Release 12.2.10. Click on each tile to view the filtered guidelines in the table displayed.

The "Guidelines were last checked on" date above the left most tile is the date in which the security guidelines were checked against using the Secure Configuration Console.

Secure Configuration Console Main Page

the picture is described in the document text

You can further refine each tile's criteria by utilizing the Saved Search drop-down. The drop-down allows you to add additional filter criteria which displays in the Filter section on the left, where you can save your search for future use.

In the table on the main console page, click Check to compute the status of all configurations on your system against the selected guidelines. Click Check All to select and check all guidelines.

Once the status is computed, the guideline will display as either as Pass or Fail (green check mark or red X, respectively) in the Status column.

Click on the arrow in the Details column for more information as to why a certain configuration passed, failed, or produced an error during the configuration check.

Secure Configuration Console Checked Guidelines Table

the picture is described in the document text

To automatically remediate failed configuration checks, select guideline checks with a Failed status and of the type Autofixable and click Fix located at the top of the table to resolve the reported issues.

Click Suppress to mute selected guideline checks that are NOT applicable to your system. Suppressed guidelines will no longer be displayed, nor will they require further review in the console when deselecting the Muted Security Configuration checkbox.

Click Unsuppress to unmute the previously muted guideline checks.

Each security guideline is a link, which when clicked, opens a new page with a detailed description of the configuration requirement.

If the configuration requirement involves a manual fix, more information on the necessary manual steps can be found by clicking the link. For example, when clicking the "Database Password Profiles" link, the Security Guideline Details page is displayed, providing the security guideline description and detailed information about the check.

Security Guideline Details Page

the picture is described in the document text

As mentioned previously, until the recommended security configurations have been implemented or acknowledged by a local system administrator, the Secure Configuration Console will prevent entry into the system. Until then, users will see an error message when trying to log in which says: "Oracle E-Business Suite has been placed into locked-down mode. Please contact system administrator for further assistance."

Locked-Down Mode Error Message

the picture is described in the document text

When an Oracle E-Business Suite instance has been placed into locked-down mode, as soon as a user with system administrator privileges logs in the Secure Configuration Console will appear.

At this point, the system administrator should resolve or address any failed security guideline checks. When ready to unlock the instance, the system administrator should select either of the following options prior to clicking Proceed:

Once you click Proceed, the Oracle E-Business Suite instance is unlocked.

Command Line Utility

If a user with local system administrator privileges is not available, you can access the Secure Configuration Console by using the AdminSecurityCfg utility.

This utility is provided for the following tasks:

To use the AdminSecurityCfg utility, use the following syntax which will then will prompt you for your <APPS Username> and <APPS password>. Note that all parameters can, if desired, be entered on the same command line; they are shown here on different lines (using the UNIX '\' continuation character) for clarity.

java oracle.apps.fnd.security.AdminSecurityCfg \
<-check|-fix|-status|-lock|-unlock> \
DBC=<DBC File Path> \
[CODES=<code1>,<code2>,<code3>...]

Where:

-check - Runs the utility in check mode. You can specify the configurations to check by adding [CODES=<code1>,<code2>,<code3>...] to the command. These correspond to the security guideline codes found in Security Guidelines.

For example: java oracle.apps.fnd.security.AdminSecurityCfg -check DBC=<DBC File Path> CODES=FND_DB_DEF_PSWD,FND_PROF_ERRORS

If you do not specify a CODES attribute, then the utility will check all configurations.

-fix - Runs the utility in fix mode. You can specify the configurations to fix by adding [CODES=<code1>,<code2>,<code3>...] to the command.

For example: java oracle.apps.fnd.security.AdminSecurityCfg -fix DBC=<DBC File Path> CODES=FND_UNREST_REDIR,FND_AUDIT_PROF

If you do not specify a CODES attribute, then the utility will fix all configurations of type Autofixable.

-status - Determines the status of all configurations. Specifying the CODES attribute is not necessary for this mode.

-lock - Places the system in locked down mode.

-unlock - Takes the system out of locked down mode.