Secure Configuration Console

Overview

The Secure Configuration Console automates the security configuration process, consolidates everything under one user interface, and creates a single checkpoint entry into the system. It ensures that high priority security configuration problems are reviewed, understood, and remediated, so that the Oracle E-Business Suite environment stays secure.

After you upgrade to the latest ATG_PF Release Update Pack, your system will be "locked down" until a local system administrator resolves or acknowledges the recommended security configurations in the Secure Configuration Console.

To access this console, a user must have a responsibility that includes the Applications System (OAM_APP_SYSTEM) function privilege, such as the seeded System Administration or System Administrator responsibilities, and must be registered as a local user with Oracle E-Business Suite. The administrator must log in to Oracle E-Business Suite using the local login page (http(s)://[host]:[port]/OA_HTML/AppsLocalLogin.jsp) to navigate to the console and unlock the system. If a user with local system administrator privileges is not available, you can access the Secure Configuration Console through a command line utility (described later in this section).

Once the system is "Unlocked" for normal usage, the Secure Configuration Console is still available to administrators under the 'Functional Administrator' responsibility.

Feature Overview

The Secure Configuration Console provides:

Benefits

Automating the high priority security configuration process provides the following benefits:

Using the Secure Configuration Console

The Secure Configuration Console bases its recommendations on recommended security guidelines. They are listed in more detail in the following section, "Checked Security Guidelines."

You can search for a recommendation by guideline, code, configuration type, status, or level of criticality in the Search section, or by browsing the table itself.

The following actions are available:

Checked Security Guidelines

The Secure Configuration Console currently checks the following high priority secure configuration guidelines:

| Guideline | Description | Severity | Reference(s) |
|---|---|---|---|
| Application Users Default Password | Check whether all application users' default passwords have been changed to non-default values. | 1 | "Changing Passwords for Seeded Application User Accounts," Oracle E-Business Suite Security Guide |
| Attachment File Type Profiles | Check whether attachment upload profiles are available and set correctly in the system. | 1 | "Restricting File Types That May Be Uploaded," Oracle E-Business Suite Security Guide |
| Clickjacking Protection (New in Release 12.2.7) | Check whether clickjacking protection is configured. | 1 | "Using Certified HTTP Security Headers," Oracle E-Business Suite Security Guide |
| Critical Security Profile Values | Check whether critical security profile values are set correctly. | 1 | "Setting Other Security Related Profile Options," Oracle E-Business Suite Security Guide |
| Database Users Default Passwords | Check whether all database users' default passwords have been changed. | 1 | "Changing Default Installation Passwords," Oracle E-Business Suite Security Guide; My Oracle Support Knowledge Document 361482.1, Frequently Asked Questions about Oracle Default Password Scanner |
| Diagnostic Web Pages Protected (New in Release 12.2.7) | Check whether diagnostic web page protection is configured. | 1 | "Protecting Administrative Pages," Oracle E-Business Suite Security Guide |
| Forms Blocking of Bad Characters | Check whether the Forms blocking of "bad" characters on the web server is active. | 1 | Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Forms Blocking of Bad Characters check. |
| Missing Server Security Profile | Check whether site level security profiles are available in the system. | 1 | Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed Missing Server Security Profile check. |
| ModSecurity Configuration | Check whether ModSecurity on the web server is active. | 1 | Log a Service Request (SR) in My Oracle Support. Reference the Secure Configuration Console and the failed ModSecurity Configuration check. |
| PUBLIC Privileges (New in Release 12.2.7) | Check whether the PUBLIC role privileges are restricted. | 1 | This checks whether unnecessary privileges on Oracle E-Business Suite objects have been granted to the Oracle Database PUBLIC role. You should revoke unnecessary privileges from the PUBLIC role. Oracle E-Business Suite database objects should not have privileges granted to the PUBLIC role, and any such privileges should be revoked. Certain privileges, such as the ability to create indexes, can be leveraged for privilege escalation in the database and should be removed. |
| Workflow Email Link Login (New in Release 12.2.7) | Check whether Oracle Workflow generated emails that reference URLs in Oracle E-Business Suite require additional user authentication (login). | 1 | "Setting Workflow Notification Mailer SEND_ACCESS_KEY to N," Oracle E-Business Suite Security Guide |
| Activate Server Security | Check whether server security (Secure Flag in DBC file) is enabled. | 2 | "Activating Server Security," Oracle E-Business Suite Security Guide |
| Allowed Redirects | Check whether the Allowed Redirects feature is enabled. | 2 | "Allowed Redirects," Oracle E-Business Suite Security Guide; "Configuring Allowed Redirects," Oracle E-Business Suite Security Guide |
| Allowed Resources Configuration (New in Release 12.2.7) | Check whether the Allowed Resources feature is enabled. | 2 | "Allowed Resources," Oracle E-Business Suite Security Guide |
| Allowed Resources Whitelist Configuration (New in Release 12.2.7) | Check whether the required whitelist configuration for the Allowed Resources feature is correct and up-to-date. | 2 | "Allowed Resources," Oracle E-Business Suite Security Guide |
| APPLSYSPUB Privileges | Check whether APPLSYSPUB privileges are properly restricted. | 2 | "Revoking Unnecessary Grants Given to APPLSYSPUB," Oracle E-Business Suite Security Guide |
| Auditing Profiles Values | Check whether auditing profiles are set. | 2 | "Using Oracle Application Object Library Profile Options to Configure Logging," Oracle E-Business Suite Maintenance Guide; "Page Access Tracking and Sign-On Audit," Oracle E-Business Suite Maintenance Guide; "Sign-On Audit," Oracle E-Business Suite Security Guide |
| Cookie Domain Scoping Configuration | Check whether Cookie Domain Scoping is configured. | 2 | "Cookie Domain Scoping," Oracle E-Business Suite Security Guide; "Using Certified HTTP Security Headers," Oracle E-Business Suite Security Guide |
| Database Parameters (init*.ora) (New in Release 12.2.7) | Check whether the database initialization parameters recommended for secure configuration have been set. | 2 | "Removing Operating System Trusted Remote Logon," Oracle E-Business Suite Security Guide; "Removing Operating System Trusted Remote Roles," Oracle E-Business Suite Security Guide; "Restricting Access to SQL Trace Files," Oracle E-Business Suite Security Guide; "Limiting File System Access Within PL/SQL," Oracle E-Business Suite Security Guide; "Limiting Dictionary Access," Oracle E-Business Suite Security Guide |
| Database Password Profiles (New in Release 12.2.7) | Check whether the database profiles recommended for secure configuration have been created in the Oracle E-Business Suite database. | 2 | "Implementing Two Profiles for Password Management," Oracle E-Business Suite Security Guide |
| Hashed Passwords | Check whether application user passwords have been migrated to hashed passwords. | 2 | "Switching to Hashed Passwords," Oracle E-Business Suite Security Guide |
| HTTPS Configuration | Check whether HTTPS is enabled. | 2 | "Using TLS to Encrypt Oracle E-Business Suite Connections," Oracle E-Business Suite Security Guide |
| iRecruitment File Upload Profile (New in Release 12.2.7) | Check whether the iRecruitment file upload security profile value is set. | 2 | "Setting Other Security Related Profile Options," Oracle E-Business Suite Security Guide; Oracle iRecruitment Implementation and User Guide, Release 12.2 |
| Workflow Admin Access (New in Release 12.2.7) | Check whether Oracle Workflow Admin access is restricted. | 2 | "Ensuring You Know Who is a Workflow Admin," Oracle E-Business Suite Security Guide |

Updates to the checks performed by the Secure Configuration Console are delivered with Oracle E-Business Suite Release Update Packs (RUPs) and Critical Patch Updates (CPUs). We highly recommend that you apply the latest RUP and CPU to ensure that all recommended secure configuration checks are available for your environment. See My Oracle Support Knowledge Document 1583092.1, E-Business Suite RUP, AD and TXK RUP Information, Release 12.2, for more information.

If any of the guidelines listed in the previous table fail the secure configuration check, you can either fix or suppress the failure. For a secure environment, Oracle recommends that you address all failures that are applicable to your environment.
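The two database-level guidelines in the table above, PUBLIC Privileges and Database Parameters (init*.ora), can also be verified directly from SQL*Plus, which is useful when you want to see exactly which grants or parameters the console is flagging before you click Fix. The script below is an added example written for this guide's readers; it is not Oracle's code and not how the console implements its checks. It assumes the Oracle E-Business Suite schemas of interest are APPS, APPLSYS and APPLSYSPUB (extend the list with your product schemas), and that the parameters checked in the third query (remote_os_authent, remote_os_roles, O7_DICTIONARY_ACCESSIBILITY) are the ones governed by the Security Guide sections the table references; hidden parameters such as the one controlling public access to trace files are not visible in V$PARAMETER and are not covered here.

```sql
-- Added example (not Oracle's code and not the console's own check logic).
-- Run as a DBA account with SQL*Plus against the Oracle E-Business Suite database.
-- Assumptions: the EBS schemas of interest are APPS, APPLSYS and APPLSYSPUB,
-- and the parameter names in query 3 are the ones the referenced guide
-- sections govern.

SET LINESIZE 200 PAGESIZE 100
COLUMN owner      FORMAT A12
COLUMN table_name FORMAT A30
COLUMN privilege  FORMAT A12

-- 1. PUBLIC Privileges: object privileges on EBS objects granted to PUBLIC.
--    An empty result is the expected (passing) state. INDEX grants are
--    listed first because the guideline calls them out specifically.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner IN ('APPS', 'APPLSYS', 'APPLSYSPUB')
ORDER  BY CASE WHEN privilege = 'INDEX' THEN 0 ELSE 1 END,
          owner, table_name, privilege;

-- 2. Generate the REVOKE statements for the rows found in query 1.
--    Spool this output to a file and review it before running it.
SELECT 'REVOKE ' || privilege || ' ON "' || owner || '"."' || table_name
       || '" FROM PUBLIC;' AS revoke_stmt
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner IN ('APPS', 'APPLSYS', 'APPLSYSPUB')
ORDER  BY owner, table_name, privilege;

-- 3. Database Parameters (init*.ora): compare selected initialization
--    parameters with the recommended value FALSE. The LEFT JOIN keeps a
--    row even when a parameter is absent on this database version, so a
--    missing parameter is reported rather than silently skipped.
WITH expected AS (
  SELECT 'remote_os_authent'           AS name, 'FALSE' AS expected_value FROM dual UNION ALL
  SELECT 'remote_os_roles'             AS name, 'FALSE' AS expected_value FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility' AS name, 'FALSE' AS expected_value FROM dual
)
SELECT e.name,
       e.expected_value,
       NVL(p.value, '<not set>') AS actual_value,
       CASE WHEN UPPER(p.value) = e.expected_value THEN 'PASS' ELSE 'FAIL' END AS status
FROM   expected e
LEFT   JOIN v$parameter p ON LOWER(p.name) = e.name
ORDER  BY e.name;
```

Save the script as a .sql file and run it with SQL*Plus connected as SYSTEM or another DBA account. Query 2 deliberately generates statements instead of executing them, so that the list can be reviewed and kept as a change record; after applying any revokes or parameter changes, return to the console and click Check to confirm the corresponding guidelines now show Pass.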

Navigating Through the Secure Configuration Console

On the main screen of the console below the Search section, click Check to compute the status of all configurations on your system.


Once the status is computed, the configurations will display as either Pass or Fail (green check mark or red X, respectively) in the Status column.

Click on the arrow in the Details column for more information as to why a certain configuration passed, failed, or produced an error during configuration.


To automatically remediate failed configuration checks, select configurations in 'Failed' status and of type 'Autofixable' and click Fix to resolve the reported issues.

Click Suppress to mute the configurations that are NOT applicable to your system. Suppressed configurations are no longer displayed, and require no further review in the console, as long as the Muted Security Configuration check box is deselected.

Click Unsuppress to unmute the previously muted configurations.

Each Security Guideline is a hyperlink, which when clicked, opens a new page with a detailed description of the configuration.

If the configuration requirement involves a manual fix, click the hyperlink for more information on the necessary manual steps. For example, clicking the "Database Password Profiles" hyperlink displays the Security Guideline Details page, which provides the security guideline description and detailed information about the check:


As mentioned previously, until the recommended security configurations have been implemented or acknowledged by a local system administrator, the Secure Configuration Console prevents entry into the system. Until then, users who try to log in see the error message: "Oracle E-Business Suite has been placed into locked-down mode. Please contact system administrator for further assistance."


Command Line Utility

If a user with local system administrator privileges is not available, you can access the Secure Configuration Console by using the following command line utility:

java oracle.apps.fnd.security.AdminSecurityCfg <APPS Username>/<APPS Password>[@<DB Host>] [-check|-fix|-status|-lock|-unlock] [DBC=<DBC File Path>] [CODES=<code1>,<code2>,<code3>...]

This utility is provided for the following tasks: