2.

DEFAULT ORACLE DATABASE ACCOUNTS
All database passwords should be changed including both default Oracle Database as well as Oracle Applications database accounts. Use the FNDCPASS utility to change the passwords in both the application and database. ACCOUNT NAME
4

4. SECURITY RELATED PROFILE OPTIONS
PROFILE OPTION Sign-On:Audit Level Sign-on:Notification Signon Password Failure Limit Signon Password Hard to Guess Signon Password Length Signon Password No Reuse Signon Password Case (RUP4) Utilities:Diagnostics Concurrent:Report Access Level AuditTrail:Activate DEFAULT (none) No (none) No 5 (none)
insensitive

SUGGEST Form Yes 6 Yes 8 720 sensitive No User Yes

ORACLE APPLICATIONS 11i SECURITY QUICK REFERENCE
VERSION 2.0 – MARCH 2007

1. DEFAULT ORACLE APPLICATIONS USERS
Default passwords for all standard Oracle Applications user accounts should be changed and all unused accounts should be disabled. DEFAULT ORACLE APPLICATIONS USERS USER NAME AME_INVALID_APPROVER APPSMGR ASGADM ASGUEST AUTOINSTALL CONCURRENT MANAGER FEEDER SYSTEM GUEST IBE_ADMIN IBE_GUEST IBEGUEST IEXADMIN INITIAL SETUP IRC_EMP_GUEST IRC_EXT_GUEST MOBILEADM OP_CUST_CARE_ADMIN OP_SYSADMIN STANDALONE BATCH PROCESS SYSADMIN WIZARD XML_USER
1

SYS, SYSTEM CTXSYS, MDSYS, ORDSYS, … 1, 2 APPS 1 APPLSYS APPLSYSPUB EDWREP, ODM AD_MONITOR OWAPUB PORTAL30, PORTAL30_* SSOSDK 3 SCHEMAS (ABM … ZX)
1

CHANGE PASSWORD yes yes yes yes 5 optional yes yes yes yes yes yes

No User No

“Signon Password Hard to Guess” Rules  The password contains has the following attributes o at least one letter o at least one number o does not contain the username o does not contain repeating characters

M ODULE AME AOL/FND ASG AS AOL/FND AOL/FND AOL/FND AOL/FND IBE, ONT IBE IBE, IBU IEX AOL/FND IRC IRC ASG XDP XDP AOL/FND AOL/FND AOL/FND AOL/FND

DISABLE

1

yes yes see module see module yes yes yes no see module see module see module see module yes see module see module see module see module see module yes no yes yes

APPS and APPLSYS passwords must be identical After changing the APPS password, AutoConfig must be run to update the password in the following files: <iAS_HOME>/Apache/modplsql/cfg/wdbsvr.app <ORACLE_HOME>/reports60/server/CGIcmd.dat 3 Change all schema passwords – over 250 schemas 4 Other standard Oracle, third-party, or custom database accounts may exist and default password should be changed. 5 Changing the APPLSYSPUB password is recommended, but may cause issues as the password change is not properly handled by the application. Also, using ADI and other client tools may require the new password.
2

5. APPLSYSPUB PERMISSIONS
The APPLSYSPUB account should have only these grants INSERT ON FND_UNSUCCESSFUL_LOGINS INSERT ON FND_SESSIONS EXECUTE ON FND_DISCONNECTED EXECUTE ON FND_MESSAGE EXECUTE ON FND_PUB_MESSAGE EXECUTE ON FND_SECURITY_PKG EXECUTE ON FND_SIGNON EXECUTE ON FND_WEBFILEPUB SELECT ON FND_APPLICATION SELECT ON FND_APPLICATION_TL SELECT ON FND_APPLICATION_VL SELECT ON FND_LANGUAGES_TL SELECT ON FND_LANGUAGES_VL SELECT ON FND_LOOKUPS SELECT ON FND_PRODUCT_GROUPS SELECT ON FND_PRODUCT_INSTALLATIONS These permissions are set in – <FND_TOP>/admin/sql/afpub.sql To check permissions – SELECT * FROM dba_tab_privs where grantee = 'APPLSYSPUB'

3. FND CHANGE PASSWORD UTILITY
Change Oracle Database Passwords FNDCPASS command changes the password in the Applications and in the database. FNDCPASS apps/apps 0 Y system/manager \ ORACLE <account> <password> Change Applications User Passwords FNDCPASS apps/apps 0 Y system/manager \ USER <user> <password>

If the module is not being used, the account can be disabled. Otherwise, see the module documentation for more information on this account.

txt adalldefaults. APPLICATIONS AUDITING (END-USER) Enable auditing by setting System Profile Option Sign-On: Audit Level to FORMS at the site level. AppSentry. END-USER AUDIT TABLES applsys.excluded_nodes=( x.5.x.ora  LOG_DIRECTORY listener. WEB SESSION T IMEOUT Should be set in AutoConfig with the variable s_sesstimeout.validnode_checking = yes tcp.properties session.sh wdbsvr.x.ora  PASSWORDS_<listener name> LISTENER ADMIN RESTRICTIONS listener.app CGIcmd.1 338756. Oracle is a registered trademark of Oracle Corporation and/or its affiliates.1 403294.x.7 – 11.1 123718.x.x. DEFAULT ORACLE APPLICATIONS PORTS 9. DATABASE LISTENER 11.invited_nodes = (x.fnd_unsuccessful_logins icx.ora  ADMIN_RESTRICTIONS_<listener>=ON LISTENER LOGGING listener.5.fnd_login_resp_forms fnd_concurrent_requests applsys. Set these two parameters to be equal (30 minutes = 1800000 seconds).1 340178.ora *.1 7.integrigy.10 CU2 Copyright © 2007 Integrigy Corporation Information in this document is subject to change without notice and does not represent a commitment on the part of Integrigy Corporation. Integrigy.ora  LOG_FILE listener.0 – March 2007 Oracle Applications 11.icx_failures END-USER AUDIT REPORTS Signon Audit Users Signon Audit Responsibilities Signon Audit Forms Signon Audit Concurrent Requests Signon Audit Unsuccessful Logins Port numbers valid for 11.fnd_login_responsibilities applsys.sql *.ora sqlnet. METALINK 11I SECURITY NOTES Best Practices for Securing the Oracle EBusiness Suite 11i DMZ Configuration with Oracle E-Business Suite 11i 11i: A Guide to Understanding and Implementing SSL for Oracle Applications Enabling SSL with Oracle Application Server 10g and the E-Business Suite Encrypting EBS 11i Network Traffic using Advanced Security Option / Advanced Networking Option Oracle Applications Credit Card Encryption Using Transparent Data Encryption (TDE) with the eBusiness Suite (EBS) 189367. x.1 391248. 9i.com Version 2.x | name) tcp.x | name.5.ora  LOG_STATUS ON VALID NODE CHECKING (8i = protocol. and AppDefend are trademarks of Integrigy Corporation.x | name.5.x | name) (see Managed SQL*Net Access in 11. All port numbers may be modified during installation or may be automatically incremented by x during installation where x is a number 1 to 100 (typical less than 10). 8.dat defaults.6.ora) tcp. .10g=sqlnet. System Profile Option – ICX: Session Timeout = <minutes> <ORAHTTP_TOP>/Jserv/etc/zone. RECOMMENDED FILE PERMISSIONS LISTENER PASSWORD listener.timeout=<seconds> http://www.txt All UNIX PERM 0750 0751 0600 0600 0700 0600 0600 0600 0750 12.ora.x.1 287176.fnd_logins applsys.x. x. APPLICATIONS AUDITING (WHO COLUMNS)      CREATION_DATE CREATED_BY  FND_USERS table LAST_UPDATE_LOGIN  FND_LOGINS tables LAST_UPDATE_DATE LAST_UPDATED_BY  FND_USERS table 10.10+.10) COMMON LISTENER SECURITY ERRORS IN LOG TNS-01169  Invalid listener password attempt TNS-12508  Blocked by ADMIN_RESTRICTIONS COMPONENT Database RPC/FNDFS Reports Server Web Server (Apache) Web Proxy JServ oprocmgr Forms Servlet (jserv) Discoverer Servlet (jserv) XML Serlvet (jserv) OA Core Servlet (jserv) Servlet (jserv) – old Web Server (moplsql) Forms Server Metrics Server Data Metrics Server Requests VisiBroker Server Agent MSCA Mobile Server MSCA Mobile Dispatcher JTF Fulfilment Server TCF Server (not used with forms servlet) AUTOCONFIG s_dbport s_rpcport s_repsport s_webport s_webssl_port s_active_webport s_proxyport s_oprocmgr_port s_forms_servlet_ portrange s_disco_servlet _portrange s_xmlsvcs_servlet_ portrange s_oacore_servlet_ portrange s_servletport s_web_port_pls s_formsport s_metdataport s_metreqport s_osagent_port s_mwaportno s_mwadispatcher_ port s_jtfuf_port s_tcfport PORT # 1521 1626 7000 8000 or (80/443) 80 8699 8701-8710 8711-8720 8741-8750 8721-8740 8800 8888 9000 9100 9200 10000 10200 10300 11000 15000 PATH $ORACLE_HOME $ORACLE_HOME/bin $ORACLE_HOME/network/admin/<sid> $ORACLE_HOME/appsutil/install/<sid> $IAS_TOP/Apache/modplsql/cfg $806_HOME/reports60/server $APPL_TOP/admin/<sid> $FND_TOP/secure FILES All All listener.x.