Managing Oracle E-Business Suite Security

Transcription

1

2 Managing Oracle E-Business Suite Security Erik Graversen, Senior Principal Software Developer Elke Phelps, Senior Principal Product Manager Oracle E-Business Suite Applications Technology Oracle Open World, September 2014

3 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.

4 Program Agenda Follow Oracle E-Business Suite Secure Deployment & Configuration Guidelines Leverage the Oracle Technology Stack to Deploy Additional Security Options Utilize New Security Features in Oracle E-Business Suite Release 12.2

5 Follow Oracle E-Business Suite Secure Deployment & Configuration Guidelines

6 How to Deploy Oracle E-Business Suite Securely 1 2 Stay current with patching Follow secure deployment recommendations

7 How to Deploy Oracle E-Business Suite Securely 1 2 Stay current with patching Follow secure deployment recommendations

8 How to Deploy Oracle E-Business Suite Securely Stay Current with Patching Apply Critical Patch Updates (CPUs) + Security Alerts Critical Patch Advisory Page Patch Setup Update (PSUs) are an option for the database PSUs include CPUs + other database recommended patches EBS customers may apply either CPUs or PSUs for the DB As of 12c only PSUs will be released Apply latest maintenance pack or release update pack Yes, Oracle E-Business Suite maintenance packs release update packs improve security as well

9 How to Deploy Oracle E-Business Suite Securely 1 2 Stay current with patching Follow secure deployment recommendations

10 How to Deploy Oracle E-Business Suite Securely Follow Secure Deployment Recommendations Secure Configuration Guide for Oracle E-Business Suite Previously known as Best Practice documents Release 11i, MOS Doc ID Release 12.0.x, 12.1.x and 12.2.x, MOS Doc ID Oracle E-Business Suite Configuration in a DMZ Follow this guide if your Oracle E-Business environment is internet accessible Release 11i, MOS Note Release 12.0.x and 12.1.x, MOS Note Release 12.2.x, MOS Note

11 How to Deploy Oracle E-Business Suite Securely Follow Secure Deployment Recommendations Guidelines are based upon current patch levels , , , and Advice for security-related switches to set/verify Advice also provided for optional security related products (such as database options) Many recommendations automated via AutoConfig and Oracle Application Manager (OAM) Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice

12 Secure Configuration Scripts MOS Note , Secure Configuration Guide for Oracle E-Business Suite Scripts are packaged as SQL and Shell scripts Periodically check for updated scripts EBSSecConfigChecks.sql runs all (12) other SQL scripts Results are compiled into a single report Comments in the scripts often contain hints for resolution EBSCheckModSecurity.sh shell script You should perform routine configuration Health Checks Create a baseline for your environment Run scripts often and compare against your baseline check for differences

13 Oracle Enterprise Manager: Oracle E-Business Suite Plug-In Compliance Rules Out-of-box security compliance checks for Oracle E-Business Suite Integration with Enterprise Manager compliance framework Security compliance violations and trends are generated Real-time observations of security compliance in your environment

14 Leverage the Oracle Technology Stack to Deploy Additional Security Options

15 Enable SSL/TLS for Web Listener Enable SSL (https) for web listener R12, MOS Doc ID R12.2, MOS Doc ID Tip: Avoid weak ciphers and protocols (<128 bit & SSLv2) Use Telnet Mobile Web Apps? Mechanism for securing MWA Telnet communication with SSL MOS Doc ID

16 Encrypting SQL*Net Traffic SQL*Net encryption now provided as a free option In R12 add the following lines to the sqlnet_ifile.ora file: SQLNET.ENCRYPTION_SERVER = REQUIRED SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, AES192, 3DES168) SQLNET.CRYPTO_SEED = somelongandrandomstring

17 Reverse Proxy Server Makes requests to the Oracle E- Business Suite application server on behalf of the client Allows use of standard ports (80, 443) on external side; higher ports internally Filters requests to web server via rules

18 Demilitarized Zone (DMZ) Perimeter network Single or multi-segment DMZ-based servers have restricted responsibilities Security breaches remain contained within DMZ

19 Oracle E-Business Suite DMZ Features Reduce Attack Surface Limited number of Oracle E-Business Suite products certified for internet access Release 11i, MOS Doc ID Release 12.0.x and 12.1.x, MOS Doc ID Release 12.2.x, MOS Doc ID External Oracle E-Business Suite application tier access limited by setting Node Trust Level Responsibilities available for external use only upon configuration URL Firewall exposes only the pages that are required

20 Oracle Audit Vault and Database Firewall Consolidate database audit trail into secure centralized repository Detect and alert on suspicious activities, including privileged users Out-of-the box compliance reports for SOX, PCI, and other regulations For example; privileged user audit, entitlements, failed logins, regulated data changes Integrates with Oracle E-Business Suite security system

21 Oracle Audit Vault and Database Firewall Monitor inbound SQL activity in passive mode Alert security operations of unexpected activity Execute standard or develop custom reports

22 Oracle Database Vault Privileged Account Controls Enforce least privilege by defining who, where, when, and how data can be accessed Securely enable applications consolidation and outsourcing / offshoring Default realm for E-Business Suite is available use it as-is or choose a subset

23 Oracle Database Vault Define Access by Application Server Protect sensitive objects based upon application tier Create custom realm with command rules to define access

24 Oracle E-Business Suite Security Architecture Multiple Layers of Protection, Multiple Components for Monitoring DMZ Reverse Proxy External App Server Secure VLAN Audit Vault and Database Firewall Database Vault

25 Transparent Data Encryption Defense in Depth, Guard Against Out-of-Band Attacks Encrypt data at rest Decrypt data on-the-fly while E- Business Suite is running Encrypt tablespaces or individual columns Store keys in Oracle Wallet Hardware Device

26 Oracle E-Business Suite Data Masking Template Enterprise Manager 11g, 12c Data Masking Pack What is data masking? Production LAST_NAME SSN SALARY AGUILAR ,000 BENSON ,000 Non-Production LAST_NAME SSN SALARY ANSKEKSL ,000 BKJHHEIEDK ,000 The act of anonymizing customer, financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format Why mask your data? To protect confidential data in nonproduction environments when the data is shared with non-production users without revealing sensitive information

27 Utilize New Security Features in Oracle E- Business Suite Release 12.2

28 New Security Features in Oracle E-Business Suite Cookie Domain Scoping Allowed JSPs Allowed Redirects Proxy User

29 Feature Overview for Cookie Domain Scoping Principles Reduces the attack surface of Oracle E-Business Suite Provides additional protection for communication between the browser and the Oracle E-Business Suite web tier Provides the ability to define the scope for cookie sharing to avoid unnecessary exposure Allows for a custom scope to be defined

30 What is a Cookie? Not just a baked goodie, in the World Wide Web, a cookie is also a mechanism of storing state across web requests When a site is accessed, a user s browser stores information in the cookie such as a session identifier When the site is accessed again, the information in the cookie can be reused «Set-Cookie: mycookie=7er852» Cookie: mycookie=7er852 apps.us.example.com

31 What is a Cookie? If a domain is not specified, the browser does not send the cookie beyond the originating host If you explicitly set the cookie domain scope this tells the browser where the cookie can be sent «Set-Cookie: mycookie=7er852 ; domain=.us.example.com» Cookie: mycookie=7er852 apps.us.example.com

32 Cookie Domain Scoping Configuration Profile Option Profile: Oracle Applications Session Cookie Domain Profile code : ICX_SESSION_COOKIE_DOMAIN Profile scope: Profile may be set at the Site or Server level Default value: DOMAIN Profile Value HOST DOMAIN Description Domain attribute of the cookie will not be set Cookie will be scoped to the originating server Minimal attack surface Domain attribute of the cookie will be set Value is derived from the APPS_WEB_AGENT profile option [CUSTOM] User defined value for the domain

33 New Security Features in Oracle E-Business Suite Cookie Domain Scoping Allowed JSPs Allowed Redirects Proxy User

34 Feature Overview of Allowed JSPs Principles Reduces the attack surface of Oracle E-Business Suite Defines whitelist of allowed JSPs for Oracle E-Business Suite Release 12.2 A whitelist is an explicit list of items that are allowed for access Prevents access to JSPs which are not used Enables configuration of actively allowed JSPs to avoid unnecessary exposure Allows custom JSPs to be defined in the list of allowed JSPs

35 Allowed JSPs Compared to DMZ Whitelist Principles Internet User DMZ Web Tier Database Tier Internal Web Tier Intranet User DMZ tier has a whitelist mechanism (URL Firewall) Controls resources exposed to internet Allowed JSPs implementation on internal web tier is similar to DMZ web tier whitelist mechanism

36 Using Allowed JSPs What You Should Do Evaluate product family usage Cross-check restricted JSPs against access_log Add used Oracle E-Business Suite and custom JSPs to configuration files Turn on the Allowed JSPs feature Continue to refine the list Comment out Product Families not used Comment out Products not used Add custom JSPS as needed

37 Allowed JSPs Configuration Overview Configuration files $FND_SECURE/allowed_jsps.conf - master configuration file $FND_SECURE/allowed_jsps_<Family>.conf $FND_SECURE/allowed_jsps_<Family>_<Product>.conf Profile Option Allow Unrestricted JSP Access A mid-tier restart is not required for configuration files and profile option updates to go into effect.

38 Allowed JSP Configuration Profile Option Profile: Allow Unrestricted JSP Access Profile code : FND_SEC_ALLOW_JSP_UNRESTRICTED_ACCESS Profile scope: Profile may be set at the Site or Server level Default value: YES at Site level Profile Value YES NO NULL Description Unrestricted access to JSPs Restricted access to the allowed JSPs per the JSP whitelist filter If the JSP servlet filter is configured, then restricted access is enabled

39 New Security Features in Oracle E-Business Suite Cookie Domain Scoping Allowed JSPs Allowed Redirects Proxy User

40 Feature Overview for Allowed Redirects Principles Provides defense-in-depth protection against phishing redirect attacks Defines whitelist of allowed redirects for Oracle E-Business Suite 12.2 A whitelist is an explicit list of hosts that are allowed for redirects Prevents redirects that are not listed as allowed Enables configuration of allowed redirects to avoid unnecessary exposure Allows custom redirects to be defined in the list of allowed redirects Allows all redirects by default

41 Which Redirects Should Be Allowed? Configuration Delivered in Configuration File Oracle E-Business Suite built-in use of redirects for functionality Examples include: Report Launcher, Self-Service Applications, Help System Single sign-on integration with Oracle Access Manager using Oracle E-Business AccessGate and Oracle Internet Directory Reporting with Oracle Discoverer Viewer, Oracle Discoverer Server and Oracle Business Intelligence Enterprise Edition Integration with Oracle Portal irecruitment Background Check URL

42 Which Redirects Should Be Allowed? Configuration You Need to Add to the Configuration File Oracle E-Business Suite iprocurement with Punchout Add host or domain entry for each Punchout site Oracle E-Business Suite Configurator integration with Agile or Siebel using Oracle Application Integration Architecture Add host or domain entry for each integration point Any custom redirects used in your environment

43 Allowed Redirects Configuration Overview Configuration files $FND_SECURE/allowed_redirects.conf Content should be a list of hosts, domains, site/server level profiles and/or additional configuration files Profile Option Allow Unrestricted Redirects

44 Allowed Redirects Configuration Profile Option Profile: Allow Unrestricted Redirects Profile code : FND_SEC_ALLOW_UNRESTRICTED_REDIRECT Profile scope: Profile may be set at the Site or Server level Default value: YES at Site level Profile Value YES NO NULL Description Unrestricted access to all redirects Restricted access to the allowed redirects per the redirect whitelist filter If the redirect servlet filter is configured, then restricted access is enabled

45 New Security Features in Oracle E-Business Suite Cookie Domain Scoping Allowed JSPs Allowed Redirects Proxy User

46 Proxy User Terminology Delegator: user who needs to delegate functionality to another user (the proxy user) Proxy User: user who is the delegate or proxy who uses functionality on behalf of the delegator

47 Feature Overview for Proxy User Reasons to Delegate Access Executive delegates to assistant for routine tasks User going on vacation or leave delegates to coworker, manager, or subordinate User delegates to help desk agent or other agent for assistance or training Users delegate to internal audit personnel to monitor compliance Several users access a shared account as proxy users to make tracking easier Benefits of Delegating Access Keep business running smoothly when key personnel are out Allow users to share work without sharing passwords Control who can delegate what to whom

48 Feature Overview for Proxy User Users can delegate some or all of their access to Oracle E-Business Suite functionality to other users, who can then act on the delegator s behalf. Functionality works seamlessly across all Forms and OA Framework-based Oracle E-Business Suite modules Simple delegation interface for users Users can delegate by responsibility or workflow notification type Delegation is not all or nothing functionality Delegator can audit proxy user access along with time of access

49 Feature Overview for Proxy User The Role of the Proxy User Administrator Defines who can use the proxy user functionality Defines which responsibilities cannot be delegated Example: Employee self-service with payslips and personal information Defines who the delegator can delegate to as a proxy user Seeded policies Direct Line of Command, Second Line of Command, Third Line of Command Immediate Supervisor and peers, Supervisor s peers and his peers All employees, All Users, Custom delegation policies may also be created

50 Administrator Setup Define the Roles and Responsibilities Allowed to Delegate to Proxy

51 Administrator Setup Restrict Responsibilities from Delegation

52 Administrator Setup Define Who Can Be a Proxy User

53 Example: User Delegating to Proxy Logon as Self, then Go to Tools and Click on Preferences

54 Example: User Delegating to Proxy Navigate to Manage Proxies, then Click Add Proxy

55 Example: User Delegating to Proxy One Page Setup for Proxy User

56 Example: User Delegating to Proxy Add the User Name of the Proxy User

57 Example: User Delegating to Proxy Grant the Responsibility Access to the Proxy User

58 Example: User Delegating to Proxy Grant Workflow Notification Type to Proxy

59 Example: User Delegating to Proxy Your Proxy User is Now Defined

60 Example: Perform Work as Proxy on Behalf of Delegator Logon as Self, then Switch User Switch user to work as proxy user

61 Example: Perform Work as Proxy on Behalf of Delegator Next, Choose which User to Switch To (Proxy)

62 Example: Perform Work as Proxy on Behalf of Delegator Choose Actions to Perform Your User Name Delegator Name

63 Example: Perform Work as Proxy on Behalf of Delegator Choose Actions to Perform No Preferences or Favorites Your User Name Delegator Name

64 Example: Perform Work as Proxy on Behalf of Delegator Choose Actions to Perform No Preferences or Favorites Your User Name Delegator s Granted Responsibilities Delegator Name Delegator s Worklist (limited to delegated types)

65 Example: Perform Work as Proxy on Behalf of Delegator Appearance in Forms-based Interface Your User Name Delegator Name

66 Example: Delegator Reviewing Proxy User Activity

67

68