
Security Best Practice for eBS

A Practical Guide

Nikos Plevris
Principal Service Delivery Manager
Agenda

• The Security balance & levels

• Security considerations
• Database level Authentication
• eBS level Authentication
• Auditing
• Summary
• Q&A
Security balance

• Risk of exposure
• Cost of security
• Value of information protected
The multi-tier environment [diagram; only the recoverable labels are kept]

• DESKTOP TIER: Web Browser, JInitiator
• APPLICATION TIER: iAS ORACLE_HOME (Apache, mod_plsql, Jserv), Tools ORACLE_HOME (Forms Designer, Reports, Concurrent Managers), APPL_TOP
• DATABASE TIER: RDBMS ORACLE_HOME, TNS Listener, RAC
Security levels

• Across tiers
  • Client
  • Middle tier
  • Db tier
• Across categories
  • Hardening
  • Network
  • Authentication: covers account management, password management and other account related activities.
  • Authorization
  • Audit
Security Considerations

• The principle of least privilege
• System monitoring by auditing & reviewing audit records
Database level Authentication 1

• Database Tier
  • REMOTE_OS_AUTHENT=FALSE
  • REMOTE_OS_ROLES=FALSE
  • Db Profiles for password management
    • FAILED_LOGIN_ATTEMPTS UNLIMITED
    • PASSWORD_LIFE_TIME UNLIMITED
    • PASSWORD_REUSE_TIME 180
    • PASSWORD_REUSE_MAX UNLIMITED
    • PASSWORD_LOCK_TIME UNLIMITED
    • PASSWORD_GRACE_TIME UNLIMITED
    • PASSWORD_VERIFY_FUNCTION Recommended
  • _TRACE_FILES_PUBLIC=FALSE
  • Limit file access from PL/SQL – Avoid UTL_FILE_DIR = *
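The profile limits above as a SQL script, added here as an example and not part of the original slides: it creates a profile with the listed limits, assigns it to the shared eBS schemas, and then reads back DBA_PROFILES and V$PARAMETER so the settings can be verified. The profile name EBS_SCHEMA_PROFILE is an assumed name, and VERIFY_FUNCTION is the SYS-owned function created by Oracle's utlpwdmg.sql script, assumed to be installed.

```sql
-- Added example (not part of the original slides). Run as SYS or a DBA.
-- EBS_SCHEMA_PROFILE is an assumed name. The limits are the slide's values for
-- eBS schema accounts: the application tier logs in with these accounts, so they
-- must never lock or expire, and password quality is enforced by the verify function.
CREATE PROFILE ebs_schema_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    UNLIMITED
  PASSWORD_LIFE_TIME       UNLIMITED
  PASSWORD_REUSE_TIME      180
  PASSWORD_REUSE_MAX       UNLIMITED
  PASSWORD_LOCK_TIME       UNLIMITED
  PASSWORD_GRACE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION verify_function;  -- from utlpwdmg.sql, assumed installed

-- Assign the profile to the shared eBS schemas (extend to product schemas as needed).
ALTER USER applsys    PROFILE ebs_schema_profile;
ALTER USER apps       PROFILE ebs_schema_profile;
ALTER USER applsyspub PROFILE ebs_schema_profile;

-- Check 1: which password limits are actually in force for those accounts.
SELECT u.username, p.profile, p.resource_name, p.limit
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_type = 'PASSWORD'
   AND u.username IN ('APPLSYS', 'APPS', 'APPLSYSPUB')
 ORDER BY u.username, p.resource_name;

-- Check 2: OS authentication must be off (both FALSE) and UTL_FILE_DIR must not be '*'.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent', 'remote_os_roles', 'utl_file_dir');
```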
Database level Authentication 2

• Change default schemas' passwords for
  • Core RDBMS [e.g., SYS, SYSTEM]
  • Schemas used by shared components of eBS [e.g., APPLSYSPUB, APPLSYS, APPS]
  • Individual products' schemas
  • Schemas for optional database features or 3rd party products:
    • Used by and patched with eBS [e.g., CTXSYS, PORTAL30]
    • Used by eBS but patched only with the RDBMS [e.g., MDSYS, ORDSYS]
  • Unused schemas [e.g., SCOTT]
Database level Authentication 3 - 11i eBS passwords concerns

• A password for the GATEWAY user APPLSYSPUB (the default password is 'PUB') – Type I
• A password shared between APPLSYS and APPS (also known as FNDNAM); the default password is 'APPS' – Type II
• A password for all of the product-specific base schemas (the default password for these schemas is the same as the schema name) – Type III
• Optional features schemas used & patched by eBS – Type IV
Database level Authentication 4 - Type I schemas

• APPLSYSPUB schema has sufficient privileges to perform the authentication of an Applications User (FND user)
  • Runs PL/SQL packages to verify the username/password combination
  • Records the success or failure of a login attempt
• How to change password
  • Use OAM to alter the s_gwyuid_pass variable in the context file
  • Shut down middle tier processes
  • Run FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE APPLSYSPUB <new_pwd>
  • Configuration files being updated
    • iAS/Apache/Jserv/etc/formservlet.ini
    • FND_TOP/secure/<host_name>_<dbname>.dbc
    • $FND_TOP/resource/appsweb.cfg, $OA_HTML/bin/appsweb.cfg
    • iAS/Apache/Apache/conf/apps.conf
  • Run Autoconfig to propagate pwd changes
    • NOTE: Prior to the July 2006 CPU (or 11.5.10-RUP4 or TKX patch 5107107) Autoconfig did not fully propagate the changed password. (Manual workaround: add PassEnv GWYUID to the iAS configuration file apps.conf)
  • Restart middle tier processes
Database level Authentication 5 - Type II schemas

• APPS is the shared runtime schema for all eBS products
• How to change password
  • Stop middle tier processes
  • FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> SYSTEM APPLSYS <new_pwd>
  • Run Autoconfig
  • Configuration files being updated
    • iAS_TOP/Apache/modplsql/cfg/wdbsvr.app
    • $ORACLE_HOME/reports60/server/CGIcmd.dat
    • $FND_TOP/resource/wfmail.cfg
    • The concurrent manager start script, i.e. adcmstrt.sh
    • $OA_HTML/bin/appsweb.cfg
  • Restart middle tier processes
• Script to prevent a user from changing his password (run as SYS: a PASSWORD_VERIFY_FUNCTION must be owned by SYS)

  -- Verify function that rejects every password change attempt
  CREATE OR REPLACE FUNCTION verify_function_fix_pwd
    (username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
    RETURN BOOLEAN IS
  BEGIN
    raise_application_error(-20009, 'SORRY, PASSWORD CANNOT BE CHANGED');
    RETURN FALSE;  -- never reached; present so the function has a RETURN path
  END;
  /
  -- Create a profile that uses the function as PASSWORD_VERIFY_FUNCTION,
  -- then assign the profile to the accounts whose password must stay fixed
  DROP PROFILE FIXPWD CASCADE;
  CREATE PROFILE FIXPWD LIMIT PASSWORD_VERIFY_FUNCTION verify_function_fix_pwd;
Database level Authentication 6 - Type III schemas

• How to change password
  • Specific product schema
    • FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE <oracle_user> <new_pwd>
  • ALL product schemas
    • FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ALLORACLE <new_pwd>
Database level Authentication 7 - Type IV schemas

• eBS uses the CTXSYS schema
  • How to change password
    • SQL> ALTER USER CTXSYS IDENTIFIED BY <new_password>;
• If using Oracle Login Server and Portal 3.0.9 schemas, PORTAL30, PORTAL30_SSO
  • How to change password
    • $ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30 <new_pwd>
    • $ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30_SSO <new_pwd>
• If NOT using Oracle Login Server and Portal 3.0.9
  • Lock the schemas
    • SQL> ALTER USER PORTAL30 ACCOUNT LOCK;
    • SQL> ALTER USER PORTAL30_SSO ACCOUNT LOCK;
  • Or remove the schemas
eBS level Authentication 1

• Change default passwords for eBS seeded Applications users, e.g. SYSADMIN, GUEST
• GUEST user credentials
  • are used for the THIN JDBC driver connection to the database
  • are stored in three different locations
    • FND_USER db table
    • GUEST_USER_PWD profile option
    • DBC file in $FND_TOP/secure/<context>.
• How to change password
  • $ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> USER GUEST <new_pwd>
  • From OAM oa_users: edit the context xml file, set the value of s_guest_user to GUEST and s_guest_pass to <pwd>
  • Run Autoconfig and restart your instance
  • From the Applications Forms interface reset
    • the GUEST_USER_PWD profile value
    • the GUEST user password from form User -> Define
eBS level Authentication 2

• Tighten logon and session profile options
  • SIGNON_PASSWORD_LENGTH 8
  • SIGNON_PASSWORD_HARD_TO_GUESS YES
  • SIGNON_PASSWORD_NO_REUSE 180
  • ICX_SESSION_TIMEOUT 30
• Use User Management (UMX) for a common user registration flow
• Create shared responsibilities rather than shared accounts
• ENCRYPT the APPS pwd passed to concurrent programs
• In multi-tier environments, activate Apps server security: jre oracle.apps.fnd.security.AdminAppServer
• Use NODE_TRUST_LEVEL to restrict access at the responsibility level
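A check for the sign-on and session profile options listed above, added here as an example and not part of the original slides: it reads the site-level value of each option from the FND profile tables and compares it with the recommended value. It assumes level_id 10001 is the Site level in FND_PROFILE_OPTION_VALUES and that SIGNON_PASSWORD_HARD_TO_GUESS is stored as 'Y' when the form shows Yes.

```sql
-- Added example (not part of the original slides). Run as APPS.
-- Reports the Site-level value of each sign-on/session profile option next to
-- the recommended value. Assumptions: level_id 10001 = Site level;
-- SIGNON_PASSWORD_HARD_TO_GUESS is stored as 'Y' (shown as Yes in the form).
WITH recommended AS (
  -- name, recommended value, comparison rule (MIN = at least, MAX = at most, EQ = equal)
  SELECT 'SIGNON_PASSWORD_LENGTH'        AS name, '8'   AS want, 'MIN' AS rule FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_HARD_TO_GUESS',          'Y',           'EQ'          FROM dual UNION ALL
  SELECT 'SIGNON_PASSWORD_NO_REUSE',               '180',         'MIN'         FROM dual UNION ALL
  SELECT 'ICX_SESSION_TIMEOUT',                    '30',          'MAX'         FROM dual
)
SELECT r.name,
       r.want                 AS recommended,
       v.profile_option_value AS site_value,
       CASE
         WHEN v.profile_option_value IS NULL THEN 'NOT SET'
         ELSE
           -- simple CASE so TO_NUMBER is only applied to the numeric options
           CASE r.rule
             WHEN 'EQ'  THEN CASE WHEN v.profile_option_value = r.want
                                  THEN 'OK' ELSE 'WEAKER THAN RECOMMENDED' END
             WHEN 'MIN' THEN CASE WHEN TO_NUMBER(v.profile_option_value) >= TO_NUMBER(r.want)
                                  THEN 'OK' ELSE 'WEAKER THAN RECOMMENDED' END
             WHEN 'MAX' THEN CASE WHEN TO_NUMBER(v.profile_option_value) <= TO_NUMBER(r.want)
                                  THEN 'OK' ELSE 'WEAKER THAN RECOMMENDED' END
           END
       END                    AS status
  FROM recommended r
  JOIN fnd_profile_options o
    ON o.profile_option_name = r.name
  LEFT JOIN fnd_profile_option_values v
    ON v.profile_option_id = o.profile_option_id
   AND v.application_id    = o.application_id
   AND v.level_id          = 10001   -- Site level (assumed)
 ORDER BY r.name;
```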
Audit 1

• SIGNONAUDIT:LEVEL profile option
• Retrieve audit records by using Audit Reports or OAM or SQL statements
• Review data tracked (manual reporting)
  • Who columns
    • CREATION_DATE: date and time the row was created
    • CREATED_BY: Oracle Applications user ID from FND_USER
    • LAST_UPDATE_LOGIN: login ID from FND_LOGINS
    • LAST_UPDATE_DATE: date and time the row was last updated
    • LAST_UPDATED_BY: Oracle Applications user ID from FND_USER
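Two review queries over the sign-on audit data that SIGNONAUDIT:LEVEL populates, added here as an example and not part of the original slides. The column names used for FND_UNSUCCESSFUL_LOGINS and FND_LOGINS are assumed from the 11i data model and should be checked against your release.

```sql
-- Added example (not part of the original slides). Run as APPS.
-- Assumed columns: FND_UNSUCCESSFUL_LOGINS (USER_NAME, ATTEMPT_TIME, TERMINAL_ID),
-- FND_LOGINS (USER_ID, START_TIME, END_TIME, TERMINAL_ID, LOGIN_NAME).

-- 1. Failed sign-on attempts per user name per day over the last 7 days.
--    A burst against one account, or against many names from one terminal,
--    is the pattern to follow up with the account owner.
SELECT TRUNC(attempt_time)         AS attempt_day,
       user_name,
       COUNT(*)                    AS failed_attempts,
       COUNT(DISTINCT terminal_id) AS terminals
  FROM fnd_unsuccessful_logins
 WHERE attempt_time >= TRUNC(SYSDATE) - 7
 GROUP BY TRUNC(attempt_time), user_name
HAVING COUNT(*) >= 5
 ORDER BY attempt_day DESC, failed_attempts DESC;

-- 2. Sign-ons by the seeded accounts in the last 30 days: when, from where,
--    and whether the session has an END_TIME (NULL = not ended cleanly or still open).
SELECT u.user_name,
       l.start_time,
       l.end_time,
       l.terminal_id,
       l.login_name
  FROM fnd_logins l
  JOIN fnd_user   u ON u.user_id = l.user_id
 WHERE u.user_name IN ('SYSADMIN', 'GUEST')
   AND l.start_time >= TRUNC(SYSDATE) - 30
 ORDER BY l.start_time DESC;
```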
Audit 2 – Audit Trail

• System profile option AuditTrail: Activate to True
  • Auditing database row changes is performance intensive
  • Limit auditing to non-transactional data
  • Keeps a complete history of changes made at a table and column level
Summary

• Focus on Authentication
  • Proactive password & account management
  • At db and eBS level
• Auditing
  • Reactive
Q&A
Support Terminology & Tools

• Best Practices for securing eBS
  • 11i SysAdmin - security
• FNDCPASS utility
  • Change The Oracle Users, APPS, APPLSYS and Application Module Passwords
  • Note 398942.1 (Ext/Pub): FNDCPASS Utility New Feature ALLORACLE
  • Note 358176.1 (Int/Pub): How to Change the APPLSYSPUB Password in 11.5.10
• Does 11i support database password complexity?
• Using OA_HTML/AppsLocalLogin.jsp Causes Passwords To Incorrectly Fail.
• Note 135878.1 (Ext/Pub): Script to prevent a user from changing his password
• Apps profile options related to password admin
