Oracle® Fusion Applications Administrator's Guide 11g Release 6 Refresh 4 (11.1.6) Part Number E14496-14
This chapter describes how to use the Enterprise Manager Cloud Control Configuration and Compliance Framework to enforce implementation and operational best practices for Fusion Applications. In particular, it describes the seeded Compliance Rules that are delivered in the Cloud Control Plug-in 12.1.0.3 for Oracle Fusion Applications.
This chapter includes the following topics:
Introduction: What Is Compliance? (Section 5.1)
Understanding Rules, Standards, and Frameworks (Section 5.1.1)
Prerequisites and Related Documentation (Section 5.1.2)
Implement Compliance (Section 5.2)
Access Rules, Standards, and Frameworks in the Compliance Library (Section 5.2.1)
Apply Pre-Seeded Standards to Targets in Your Fusion Instance (Section 5.2.2)
Monitor and Manage Compliance Activity (Section 5.3)
Use the Compliance Results Interface (Section 5.3.1)
Oracle has determined an array of configuration details that optimize the performance and handling of Oracle Fusion Applications, and now delivers seeded compliance rules with Cloud Control 12c. "Compliance" means having a system adhere to, or comply with, such performance standards. This chapter explains how compliance Rules are defined, and how they are organized (into Standards and Frameworks). It explains how to associate the Standards to your Fusion instance, how to create, edit, or delete configurations if desired, and how subsequently to monitor and respond to the results in Cloud Control.
Compliance is implemented as a hierarchy, wherein configuration details (such as cache sizes, connection time-outs, and more) are codified into individual Rules. The Rules are collected into logical groups called Standards, which are further organized into a Framework.
Out of the box, you can associate the predefined compliance Standards to your own installation. Each of these components (Rules, Standards, and Frameworks) can also be created, edited, or deleted by a Fusion Applications administrator who has the appropriate privileges. You can freely mix-and-match custom Rules or Standards with predefined ones.
It is also possible to create "real-time monitoring facets" if you want to create security warnings associated with particular files on your system. Facets, which can be associated with multiple Rules, define particular entities that should be monitored on an ongoing basis. (Only critical files should be chosen, to avoid excess CPU load and data generation.) See Section 5.2.2.2 for more information.
It is necessary to have the Fusion Applications plug-in for Oracle Enterprise Manager Cloud Control 12c, version 12.1.0.3 or above, installed and configured.
There are two additional guides that contain how-to steps on using the Compliance interface. This guide gives specific cross-references to them when needed. These guides are:
This section explains how to access and implement the Compliance components for Fusion Applications.
The Compliance components are created, edited, and stored in the Compliance Library.
Log in to the Cloud Control Console.
Select Enterprise, then Compliance, then Library.
The Compliance Library homepage is displayed.
Select the relevant tab for the Compliance component you want to use.
To find the Rules delivered for Oracle Fusion Applications:
Access the Compliance Library, as described in Section 5.2.1.1.
Select the Compliance Standard Rules tab.
Expand the Search item at the top left of the page, and select Applicable To: Fusion Instance in the Search drop-down.
The defined Rules for Oracle Fusion Applications are listed in the table.
To adjust the columns that you see, click View, then Columns. You can select or deselect items to include in the overview. Note: selecting Manage Columns has the same effect.
Follow the same steps to search for the Fusion Applications-specific Standards or Frameworks.
The 42 defined Rules are organized in four separate Standards. This section describes the primary details of the Rules delivered in:
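Table 5-1, "Java Platform Security Standard Rules"
Table 5-2, "Oracle HTTP Server Configuration Standard Rules"
Table 5-3, "WebLogic Server Configuration Standard Rules"
Table 5-4, "Java Virtual Machine Configuration Standard Rules"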
Note:
All the compliance Rules for Fusion Applications currently share the following attributes:
Type: Repository Rule
Compliance Rule State: Production
Severity: Minor warning
Description: Fusion Applications Configuration Rule for <Rule name>.
Rationale: <Rule name>
Table 5-1 Java Platform Security Standard Rules
Rule Name | Recommended Value |
---|---|
JPS_jps.authz | ACC |
JPS_jps.combiner.lazyeval | true |
JPS_jps.combiner.optimize | true |
Java Platform Security permission cache size | 1000 |
Java Platform Security permission cache strategy | PERMISSION_FIFO |
Java Platform Security Enable Policy Lazy Load Property | TRUE |
JPS_jps.policystore.hybrid.mode | false |
Java Platform Security rolemember cache size | 1000 |
Java Platform Security rolemember cache strategy | FIFO |
Java Platform Security rolemember cache type | STATIC |
Table 5-2 Oracle HTTP Server Configuration Standard Rules
Rule Name | Recommended Value |
---|---|
Oracle HTTP Server keep alive timeout | 61 |
Oracle HTTP Server maximum clients | 1000 |
Oracle HTTP Server maximum keep alive requests | 0 |
Oracle HTTP Server server limit | 20 |
Fusion Applications Configuration rule for Oracle HTTP Server StartServers | 10 |
Oracle HTTP Server threads per child | 50 |
Oracle HTTP Server WLIOTimeoutSecs | 900 |
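The comparison that the Table 5-2 rules describe can also be reproduced offline against a copy of the server configuration. The following is an added example, not Oracle's code and not part of the original guide: it assumes each rule maps to the like-named `httpd.conf` directive (`KeepAliveTimeout`, `MaxClients`, and so on), that `active_modules` names the modules actually loaded, and it uses a constructed sample configuration.

```python
import re

# Table 5-2 values; mapping each rule to an httpd.conf directive is an assumption.
RECOMMENDED = {
    "KeepAliveTimeout": "61", "MaxClients": "1000", "MaxKeepAliveRequests": "0",
    "ServerLimit": "20", "StartServers": "10", "ThreadsPerChild": "50",
    "WLIOTimeoutSecs": "900",
}
CANON = {name.lower(): name for name in RECOMMENDED}  # directives are case-insensitive

def parse_directives(conf_text, active_modules):
    """Collect tracked directives, skipping <IfModule> blocks of inactive modules."""
    stack, found = [], {}
    for line in map(str.strip, conf_text.splitlines()):
        opened = re.match(r"<(\w+)\s*([^>]*)>", line)
        if line.startswith("</"):
            del stack[-1:]  # pop, tolerating an unbalanced closing tag
        elif opened:
            # Only IfModule gates on loaded modules; a leading "!" negates the test.
            tag, arg = opened.group(1).lower(), opened.group(2).strip()
            loaded = arg.lstrip("!") in active_modules
            stack.append(tag != "ifmodule" or loaded != arg.startswith("!"))
        elif line and not line.startswith("#") and all(stack):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in CANON:
                found[CANON[parts[0].lower()]] = parts[1].strip()
    return found

def evaluate(conf_text, active_modules):
    """Return (directive, actual, recommended) for every violated rule."""
    found = parse_directives(conf_text, active_modules)
    return [(name, found.get(name), want)
            for name, want in RECOMMENDED.items() if found.get(name) != want]

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
KeepAliveTimeout 15
MaxKeepAliveRequests 0
<IfModule mpm_prefork_module>
    MaxClients 150
</IfModule>
<IfModule mpm_worker_module>
    startservers 10
    MaxClients 1000
    ThreadsPerChild 25
</IfModule>
"""

if __name__ == "__main__":
    print(*evaluate(SAMPLE_CONF, {"mpm_worker_module"}), sep="\n")
```

A directive that is absent from the active configuration is reported with an actual value of `None`, so an unset value is flagged rather than silently treated as compliant.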
Table 5-3 WebLogic Server Configuration Standard Rules
Rule Name | Recommended Value |
---|---|
WebLogic domain log severity | Error |
WebLogic log file severity | Warning |
WebLogic memory buffer severity | Error |
WebLogic stdout severity | Error |
Table 5-4 Java Virtual Machine Configuration Standard Rules
Rule Name | Recommended Value |
---|---|
JVM_HTTPClient.socket.connectionTimeout | 300000 |
JVM_HTTPClient.socket.readTimeout | 300000 |
JVM_HeapDumpOnOutOfMemoryError | +HeapDumpOnOutOfMemoryError |
JVM_VOMaxFetchSize | n/a |
JVM_Xgc | genpar |
JVM_Xmanagement | 1 |
JVM_Xverbose | gc |
JVM_jbo.ampool.minavailablesize | 1 |
JVM_jbo.ampool.timetolive | -1 |
JVM_jbo.doconnectionpooling | true |
JVM_jbo.load.components.lazily | true |
JVM_jbo.max.cursors | 5 |
JVM_jbo.recyclethreshold | 75 |
JVM_jbo.txn.disconnect_level | 1 |
JVM_jps.auth.debug | FALSE |
JVM_jrockit | jrockit |
JVM_weblogic.ProductionModeEnabled | true |
JVM_weblogic.SocketReaders | 3 |
JVM_weblogic.http.client.weblogic.http.client.defaultConnectTimeout | 300000 |
JVM_weblogic.http.client.defaultReadTimeout | 300000 |
JVM_weblogic.security.providers.authentication.LDAPDelegatePoolSize | 20 |
To associate the compliance Rules with your own Oracle Fusion Applications instance, it is necessary to apply the relevant Standards to the relevant targets.
To associate predefined Standards to targets:
Select Enterprise, then Compliance, then Library, and choose the Compliance Standards tab.
Expand the Search item at the top of the page and choose Applicable To: Fusion Instance. Click Search.
The predefined Standards are listed.
Select a Standard and click Associate Targets.
On the Target Association page, click +Add. A search page is displayed.
Choose the relevant target name(s) from the list and click Select.
The host(s) appear in the Target Association page.
Select the host(s) and click Enable.
Once a Compliance Standard is associated with a specific target, the results can be seen almost immediately in the Compliance Results page. See Section 5.3 for details.
Rules, Standards, and Frameworks can all be created, edited, or deleted as desired. To do so requires having the correct user permissions. Thereafter, it is a simple matter to click the appropriate button (such as Create) and fill out the subsequent page.
For information on Compliance user permissions, see: "Privileges and Roles Needed to Use the Compliance Features", in the "Managing Compliance" chapter of the Oracle® Enterprise Manager Lifecycle Management Administrator's Guide.
For information on how to create, edit, or delete, see:
"Operations on Compliance Frameworks,"
"Operations on Compliance Standards," and
"Operations on Compliance Standards Rules," in the Oracle® Enterprise Manager Lifecycle Management Administrator's Guide.
Real-time monitoring facets allow an administrator to receive warnings that are generated on-the-fly, should certain sensitive files be accessed or changed. This is especially useful as a security alert in case of any potential unauthorized activity affecting important parts of the system.
There are no real-time monitoring facets delivered with Cloud Control 12c, version 12.1.0.3, for Fusion Applications. To create your own and apply them to your system, see "Real Time Monitoring Facets" in the "Managing Compliance" chapter of the Oracle® Enterprise Manager Lifecycle Management Administrator's Guide.
Once a Standard is associated with your Fusion Applications target(s), the system begins to evaluate that target's adherence to the Compliance Rules. Violations of a Compliance Rule are displayed in the Results page. Depending on the Severity level assigned in the Rule, violation warnings may be categorized as minor, warning, or critical. See below for links describing how to interpret and resolve any violations and other compliance reporting.
Once a Compliance Standard is associated with a specific target, the results can be seen almost immediately in the Compliance Results page.
From the Enterprise menu, select Compliance, then select Results.
If desired, search by Fusion Instance, Standard, or to narrow the list.
Results can be viewed by Compliance Framework, Compliance Standard, and Target. The Target Compliance tab shows the compliance score of a target across all compliance Standards. This allows users to focus on their least compliant targets by sorting by the average score column. Likewise the Compliance Standard tab shows the results of each Compliance Standard currently being evaluated. Compliance Standards that do not have any targets associated with them do not show in the list.
See "1.3 Viewing and Understanding Compliance Results," in the Oracle Enterprise Manager Cloud Control Oracle Database Compliance Standards, for details on interpreting the results and tips on how to research any violations and bring your system back into compliance.
Note:
It is also possible to select Enterprise, then Compliance, then Dashboard to see the same information in a more graphical display.