Skip Headers
Oracle® Fusion Applications Administrator's Guide
11g Release 6 Refresh 4 (11.1.6)

Part Number E14496-14
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Managing Oracle Fusion Applications Configuration and Compliance

This chapter describes how to utilize the Enterprise Manager Cloud Control Configuration and Compliance Framework to enforce implementation and operational best practices for Fusion Applications. In particular, it describes the seeded Compliance Rules that are delivered in the Cloud Control Plug-in 12.1.0.3, for Oracle. Fusion Applications.

This chapter includes the following topics:

5.1 Introduction: What Is Compliance?

Oracle has determined an array of configuration details that optimize the performance and handling of Oracle Fusion Applications, and now delivers seeded compliance rules with Cloud Control 12c. "Compliance" means having a system adhere to, or comply with, such performance standards. This chapter explains how compliance Rules are defined, and how they are organized (into Standards and Frameworks). It explains how to associate the Standards to your Fusion instance, how to create, edit, or delete configurations if desired, and how subsequently to monitor and respond to the results in Cloud Control.

5.1.1 Understanding Rules, Standards, and Frameworks

Compliance is implemented as a hierarchy, wherein configuration details -- such as cache sizes, connection time-outs, and more-- are codified into individual Rules. The Rules are collected into logical groups called Standards, which are further organized into a Framework.

Out of the box, you can associate the predefined compliance Standards to your own installation. Each of these components-- Rules, Standards, and Frameworks-- can also be created, edited, or deleted by a Fusion Applications administrator who has the appropriate privileges. You can freely mix-and-match custom Rules or Standards with predefined ones.

5.1.1.1 What are Real-Time Monitoring Facets?

It is also possible to create "real-time monitoring facets" if you want to create security warnings associated with particular files on your system. Facets, which can be associated with multiple Rules, define particular entities that should be monitored on an ongoing basis. (Only critical files should be chosen, to avoid excess CPU load and data generation.) See Section 5.2.2.2 for more information.

5.1.2 Prerequisites and Related Documentation

It is necessary to have the Fusion Applications plug-in for Oracle Enterprise Manager Cloud Control 12c, version 12.1.0.3 or above, installed and configured.

There are two additional guides that contain how-to steps on using the Compliance interface. This guide gives specific cross-references to them when needed. These guides are:

5.2 Implement Compliance

This section explains how to access and implement the Compliance components for Fusion Applications.

5.2.1 Understand the Rules, Standards, and Framework in the Compliance Library

The Compliance components are created, edited, and stored in the Compliance Library.

5.2.1.1 Access the Compliance Library

  1. Log in to the Cloud Control Console.

  2. Select Enterprise and Compliance and Library.

    Description of em_compliance_1.gif follows
    Description of the illustration em_compliance_1.gif

    The Compliance Library homepage is displayed.

    Description of em_compliance_2.gif follows
    Description of the illustration em_compliance_2.gif

  3. Select the relevant tab for the Compliance component you want to use.

5.2.1.2 View the Pre-seeded Rules for Oracle Fusion Applications

To find the Rules delivered for Oracle Fusion Applications:

  1. Access the Compliance Library, as described in Section 5.2.1.1.

  2. Select the Compliance Standard Rules tab.

  3. Expand the Search item at the top left of the page, and select Applicable To: Fusion Instance in the Search drop-down.

    The defined Rules for Oracle Fusion Applications are listed in the table.

  4. To adjust the columns that you see, click View, and Columns. You can select/deselect items to include in the overview. Note: selecting Manage Columns has the same effect.

  5. Follow the same steps to search for the Fusion Applications-specific Standards or Frameworks.

The 42 defined Rules are organized in four separate Standards. This section describes the primary details of the Rules delivered in:

Note:

All the compliance Rules for Fusion Applications currently share the following attributes:

Type: Repository Rule

Compliance Rule State: Production

Severity: Minor warning

Description: Fusion Applications Configuration Rule for <Rule name>.

Rationale: <Rule name>

Table 5-1 Java Platform Security Standard Rules

Rule Name Recommended Value

JPS_jps.authz

ACC

JPS_jps.combiner.lazyeval

true

JPS_jps.combiner.optimize

true

Java Platform Security permission cache size

1000

Java Platform Security permission cache strategy

PERMISSION_FIFO

Java Platform Security Enable Policy Lazy Load Property

TRUE

JPS_jps.policystore.hybrid.mode

false

Java Platform Security rolemember cache size

1000

Java Platform Security rolemember cache strategy

FIFO

Java Platform Security rolemember cache type

'STATIC


Table 5-2 Oracle HTTP Server Configuration Standard Rules

Rule Name Recommended Value

Oracle HTTP Server keep alive timeout

61

Oracle HTTP Server maximum clients

1000

Oracle HTTP Server maximum keep alive requests

0

Oracle HTTP Server server limit

20

Fusion Applications Configuration rule for Oracle HTTP Server StartServers

10

Oracle HTTP Server threads per child

50

Oracle HTTP Server WLIOTimeoutSecs

900


Table 5-3 WebLogic Server Configuration Standard Rules

Rule Name Recommended Value

WebLogic domain log severity

Error

WebLogic log file severity

Warning

WebLogic memory buffer severity

Error

WebLogic stdout severity

Error


Table 5-4 Java Virtual Machine Configuration Standard Rules

Rule Name Recommended Value

JVM_HTTPClient.socket.connectionTimeout

300000

JVM_HTTPClient.socket.readTimeout

300000

JVM_HeapDumpOnOutOfMemoryError

+HeapDumpOnOutOfMemoryError

JVM_VOMaxFetchSize

n/a

JVM_Xgc

genpar

JVM_Xmanagement

1

JVM_Xverbose

gc

JVM_jbo.ampool.minavailablesize

1

JVM_jbo.ampool.timetolive

-1

JVM_jbo.doconnectionpooling

true

JVM_jbo.load.components.lazily

true

JVM_jbo.max.cursors

5

JVM_jbo.recyclethreshold

75

JVM_jbo.txn.disconnect_level

1

JVM_jps.auth.debug

FALSE

JVM_jrockit

jrockit

JVM_weblogic.ProductionModeEnabled

true

JVM_weblogic.SocketReaders

3

JVM_weblogic.http.client.weblogic.http.client.defaultConnectTimeout

300000

JVM_weblogic.http.client.defaultReadTimeout

300000

JVM_weblogic.security.providers.authentication.LDAPDelegatePoolSize

20


5.2.2 Apply Standards to Targets in Your Fusion Instance

To associate the compliance Rules on your own Oracle Fusion Applications instance, it is necessary to apply the relevant Standards to the relevant targets.

To associate predefined Standards to targets:

  1. Select Enterprise, then Compliance, then Library, and choose the Compliance Standards tab.

  2. Expand the Search item at the top of the page and choose Applicable To: Fusion Instance. Click Search.

    The predefined Standards are listed.

  3. Select a Standard and click Associate Targets.

  4. On the Target Association page, click +Add. A search page is displayed.

  5. Choose the relevant target name(s) from the list and click Select.

    The host(s) appear in the Target Association page.

  6. Select the host(s) and click Enable.

Once a Compliance Standard is associated to a specific target, the results can be seen almost immediately in the Compliance Results page. See Section 5.3 for details.

5.2.2.1 Optional: Create, Edit, or Delete Compliance Details

Rules, Standards, and Frameworks can all be created, edited, or deleted as desired. To do so requires having the correct user permissions. Thereafter, it is a simple matter to click the appropriate button (such as Create) and fill out the subsequent page.

For information on Compliance user permissions, see: "Privileges and Roles Needed to Use the Compliance Features", in the "Managing Compliance" chapter of the Oracle® Enterprise Manager Lifecycle Management Administrator's Guide.

For information on how to create, edit, or delete, see:

5.2.2.2 Optional: Create Real-Time Monitoring Facets

Real-time monitoring facets allow an administrator to receive warnings that are generated on-the-fly, should certain sensitive files be accessed or changed. This is especially useful as a security alert in case of any potential unauthorized activity to important parts of the system.

There are no real-time monitoring facets delivered with Cloud Control 12c, version 12.1.0.3, for Fusion Applications. To create your own and apply them to your system, see "Real Time Monitoring Facets" in the "Managing Compliance" chapter of Oracle® Enterprise Manager Lifecycle Management Administrator's Guide

5.3 Monitor and Manage Compliance Activity

Once a Standard is associated with your Fusion Applications target(s), the system begins to evaluate that target's adherence to the Compliance Rules. Violations to a Compliance Rule will be displayed in the Results page. Depending on the Severity level assigned in the Rule, violation warnings may be categorized as minor, warning, or critical. See below for links describing how to interpret and resolve any violations and other compliance reporting.

5.3.1 Use the Compliance Results Interface

Once a Compliance Standard is associated to a specific target, the results can be seen almost immediately in the Compliance Results page.

From the Enterprise menu, select Compliance, then select Results.

If desired, search by Fusion Instance, Standard, or to narrow the list.

Results can be viewed by Compliance Framework, Compliance Standard, and Target. The Target Compliance tab shows the compliance score of a target across all compliance Standards. This allows users to focus on their least compliant targets by sorting by the average score column. Likewise the Compliance Standard tab shows the results of each Compliance Standard currently being evaluated. Compliance Standards that do not have any targets associated with them do not show in the list.

See "1.3 Viewing and Understanding Compliance Results," in the Oracle Enterprise Manager Cloud Control Oracle Database Compliance Standards, for details on interpreting the results and tips on how to research any violations and bring your system back into compliance.

Note:

It is also possible to select Enterprise, then Compliance, then Dashboard to see the same information in a more graphical display.