Managing Oracle E-Business Suite Security Erik Graversen, Senior Principal Software Developer Elke Phelps, Senior Principal Product Manager Oracle E-Business Suite Applications Technology Oracle Open World, September 2014
Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
1. Follow Oracle E-Business Suite Secure Deployment & Configuration Guidelines
2. Leverage the Oracle Technology Stack to Deploy Additional Security Options
3. Utilize New Security Features in Oracle E-Business Suite Release 12.2
Follow Oracle E-Business Suite Secure Deployment & Configuration Guidelines
How to Deploy Oracle E-Business Suite Securely
1. Stay current with patching
2. Follow secure deployment recommendations
How to Deploy Oracle E-Business Suite Securely: Stay Current with Patching
- Apply Critical Patch Updates (CPUs) + Security Alerts
  - Critical Patch Advisory Page: http://www.oracle.com/technetwork/topics/security/alerts-086861.htm
- Patch Set Updates (PSUs) are an option for the database
  - PSUs include CPUs + other database recommended patches
  - EBS customers may apply either CPUs or PSUs for the DB
  - As of 12c only PSUs will be released
- Apply latest maintenance pack or release update pack
  - Yes, Oracle E-Business Suite maintenance packs and release update packs improve security as well
How to Deploy Oracle E-Business Suite Securely: Follow Secure Deployment Recommendations
- Secure Configuration Guide for Oracle E-Business Suite (previously known as Best Practice documents)
  - Release 11i: MOS Doc ID 189367.1
  - Release 12.0.x, 12.1.x and 12.2.x: MOS Doc ID 403537.1
- Oracle E-Business Suite Configuration in a DMZ (follow this guide if your Oracle E-Business environment is internet accessible)
  - Release 11i: MOS Note 287176.1
  - Release 12.0.x and 12.1.x: MOS Note 380490.1
  - Release 12.2.x: MOS Note 1375670.1
How to Deploy Oracle E-Business Suite Securely: Follow Secure Deployment Recommendations
- Guidelines are based upon current patch levels: 11.5.10+, 12.0.6+, 12.1.2+, and 12.2.2+
- Advice for security-related switches to set/verify
- Advice also provided for optional security-related products (such as database options)
- Many recommendations automated via AutoConfig and Oracle Application Manager (OAM)
- Please raise an SR with support against the Guides if you feel there are problems or omissions with the advice
Secure Configuration Scripts
- MOS Note 403537.1, Secure Configuration Guide for Oracle E-Business Suite
- Scripts are packaged as SQL and shell scripts
  - Periodically check for updated scripts
- EBSSecConfigChecks.sql runs all (12) other SQL scripts
  - Results are compiled into a single report
  - Comments in the scripts often contain hints for resolution
- EBSCheckModSecurity.sh shell script
- You should perform routine configuration Health Checks
  - Create a baseline for your environment
  - Run scripts often and compare against your baseline to check for differences
Oracle Enterprise Manager: Oracle E-Business Suite Plug-In Compliance Rules Out-of-box security compliance checks for Oracle E-Business Suite Integration with Enterprise Manager compliance framework Security compliance violations and trends are generated Real-time observations of security compliance in your environment
Leverage the Oracle Technology Stack to Deploy Additional Security Options
Enable SSL/TLS for Web Listener
- Enable SSL (https) for web listener
  - R12: MOS Doc ID 376700.1
  - R12.2: MOS Doc ID 1367293.1
  - Tip: Avoid weak ciphers and protocols (<128 bit & SSLv2)
- Use Telnet Mobile Web Apps?
  - Mechanism for securing MWA Telnet communication with SSL: MOS Doc ID 1493091.1
Encrypting SQL*Net Traffic
- SQL*Net encryption now provided as a free option
- In R12 add the following lines to the sqlnet_ifile.ora file:
    SQLNET.ENCRYPTION_SERVER = REQUIRED
    SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, 3DES168)
    SQLNET.CRYPTO_SEED = somelongandrandomstring
Reverse Proxy Server
- Makes requests to the Oracle E-Business Suite application server on behalf of the client
- Allows use of standard ports (80, 443) on external side; higher ports internally
- Filters requests to web server via rules
Demilitarized Zone (DMZ)
- Perimeter network
- Single or multi-segment
- DMZ-based servers have restricted responsibilities
- Security breaches remain contained within DMZ
Oracle E-Business Suite DMZ Features: Reduce Attack Surface
- Limited number of Oracle E-Business Suite products certified for internet access
  - Release 11i: MOS Doc ID 287176.1
  - Release 12.0.x and 12.1.x: MOS Doc ID 380490.1
  - Release 12.2.x: MOS Doc ID 1375670.1
- External Oracle E-Business Suite application tier access limited by setting Node Trust Level
- Responsibilities available for external use only upon configuration
- URL Firewall exposes only the pages that are required
Oracle Audit Vault and Database Firewall
- Consolidate database audit trail into secure centralized repository
- Detect and alert on suspicious activities, including privileged users
- Out-of-the-box compliance reports for SOX, PCI, and other regulations
  - For example: privileged user audit, entitlements, failed logins, regulated data changes
- Integrates with Oracle E-Business Suite security system
Oracle Audit Vault and Database Firewall Monitor inbound SQL activity in passive mode Alert security operations of unexpected activity Execute standard or develop custom reports
Oracle Database Vault: Privileged Account Controls
- Enforce least privilege by defining who, where, when, and how data can be accessed
- Securely enable applications consolidation and outsourcing / offshoring
- Default realm for E-Business Suite is available; use it as-is or choose a subset
Oracle Database Vault Define Access by Application Server Protect sensitive objects based upon application tier Create custom realm with command rules to define access
Oracle E-Business Suite Security Architecture Multiple Layers of Protection, Multiple Components for Monitoring DMZ Reverse Proxy External App Server Secure VLAN Audit Vault and Database Firewall Database Vault
Transparent Data Encryption: Defense in Depth, Guard Against Out-of-Band Attacks
- Encrypt data at rest
- Decrypt data on-the-fly while E-Business Suite is running
- Encrypt tablespaces or individual columns
- Store keys in Oracle Wallet Hardware Device
Oracle E-Business Suite 12.1.3 Data Masking Template
Enterprise Manager 11g, 12c Data Masking Pack
What is data masking?
- The act of anonymizing customer, financial, or company-confidential data to create new, legible data that retains the data's properties, such as its width, type, and format
Production:
  LAST_NAME   SSN          SALARY
  AGUILAR     203-33-3234  40,000
  BENSON      323-22-2943  60,000
Non-Production:
  LAST_NAME   SSN          SALARY
  ANSKEKSL    111-23-1111  75,000
  BKJHHEIEDK  222-34-1345  45,000
Why mask your data?
- To protect confidential data in nonproduction environments when the data is shared with non-production users without revealing sensitive information
Utilize New Security Features in Oracle E-Business Suite Release 12.2
New Security Features in Oracle E-Business Suite 12.2
1. Cookie Domain Scoping
2. Allowed JSPs
3. Allowed Redirects
4. Proxy User
Feature Overview for Cookie Domain Scoping Principles Reduces the attack surface of Oracle E-Business Suite Provides additional protection for communication between the browser and the Oracle E-Business Suite web tier Provides the ability to define the scope for cookie sharing to avoid unnecessary exposure Allows for a custom scope to be defined
What is a Cookie?
- Not just a baked goodie: in the World Wide Web, a cookie is also a mechanism for storing state across web requests
- When a site is accessed, a user's browser stores information in the cookie, such as a session identifier
- When the site is accessed again, the information in the cookie can be reused
[Diagram: apps.us.example.com responds with "Set-Cookie: mycookie=7er852"; the browser later sends "Cookie: mycookie=7er852"]
What is a Cookie?
- If a domain is not specified, the browser does not send the cookie beyond the originating host
- If you explicitly set the cookie domain scope, this tells the browser where the cookie can be sent
[Diagram: apps.us.example.com responds with "Set-Cookie: mycookie=7er852; domain=.us.example.com"; the browser later sends "Cookie: mycookie=7er852"]
Cookie Domain Scoping Configuration: Profile Option
- Profile: Oracle Applications Session Cookie Domain
- Profile code: ICX_SESSION_COOKIE_DOMAIN
- Profile scope: Profile may be set at the Site or Server level
- Default value: DOMAIN
Profile Value | Description
HOST | Domain attribute of the cookie will not be set; cookie will be scoped to the originating server; minimal attack surface
DOMAIN | Domain attribute of the cookie will be set; value is derived from the APPS_WEB_AGENT profile option
[CUSTOM] | User defined value for the domain
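To make the difference between the profile values concrete, the following added example (not from the original slides or from Oracle) models the browser's cookie domain matching and lists which hosts would receive the session cookie under each setting. The origin host and the `.us.example.com` value come from the slides above; the other host names and the custom value `.example.com` are constructed.

```python
# Added example: which hosts receive the session cookie under each setting of
# ICX_SESSION_COOKIE_DOMAIN. Host names other than the slide's are constructed.

def domain_match(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: exact match, or a dot-separated suffix match."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host == dom:
        return True
    is_ip = ":" in host or host.replace(".", "").isdigit()
    return not is_ip and host.endswith("." + dom)


def cookie_sent(origin_host, domain_attr, request_host):
    """True if a cookie set by origin_host is attached to a request to request_host.

    domain_attr=None models HOST (no Domain attribute, so a host-only cookie);
    a string models DOMAIN or a custom value.
    """
    if domain_attr is None:
        return request_host.lower() == origin_host.lower()
    return domain_match(request_host, domain_attr)


def exposure(origin_host, domain_attr, candidate_hosts):
    """List the candidate hosts that would receive the cookie."""
    return [h for h in candidate_hosts if cookie_sent(origin_host, domain_attr, h)]


ORIGIN = "apps.us.example.com"
HOSTS = ["apps.us.example.com", "wiki.us.example.com", "xus.example.com",
         "www.example.com", "example.org"]

if __name__ == "__main__":
    for label, attr in [("HOST", None), ("DOMAIN", ".us.example.com"),
                        ("custom", ".example.com")]:
        print(f"{label:7} -> {exposure(ORIGIN, attr, HOSTS)}")
```

Every additional host in the output is another web server that sees the session identifier, which is why HOST is described as the minimal attack surface.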
Feature Overview of Allowed JSPs Principles Reduces the attack surface of Oracle E-Business Suite Defines whitelist of allowed JSPs for Oracle E-Business Suite Release 12.2 A whitelist is an explicit list of items that are allowed for access Prevents access to JSPs which are not used Enables configuration of actively allowed JSPs to avoid unnecessary exposure Allows custom JSPs to be defined in the list of allowed JSPs
Allowed JSPs Compared to DMZ Whitelist: Principles
[Diagram labels: Internet User, DMZ Web Tier, Database Tier, Internal Web Tier, Intranet User]
- DMZ tier has a whitelist mechanism (URL Firewall)
  - Controls resources exposed to internet
- Allowed JSPs implementation on internal web tier is similar to DMZ web tier whitelist mechanism
Using Allowed JSPs: What You Should Do
- Evaluate product family usage
- Cross-check restricted JSPs against access_log
- Add used Oracle E-Business Suite and custom JSPs to configuration files
- Turn on the Allowed JSPs feature
- Continue to refine the list
  - Comment out Product Families not used
  - Comment out Products not used
  - Add custom JSPs as needed
Allowed JSPs Configuration Overview
- Configuration files
  - $FND_SECURE/allowed_jsps.conf - master configuration file
  - $FND_SECURE/allowed_jsps_<Family>.conf
  - $FND_SECURE/allowed_jsps_<Family>_<Product>.conf
- Profile Option: Allow Unrestricted JSP Access
- A mid-tier restart is not required for configuration files and profile option updates to go into effect.
Allowed JSP Configuration: Profile Option
- Profile: Allow Unrestricted JSP Access
- Profile code: FND_SEC_ALLOW_JSP_UNRESTRICTED_ACCESS
- Profile scope: Profile may be set at the Site or Server level
- Default value: YES at Site level
Profile Value | Description
YES | Unrestricted access to JSPs
NO | Restricted access to the allowed JSPs per the JSP whitelist filter
NULL | If the JSP servlet filter is configured, then restricted access is enabled
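One way to do the "cross-check against access_log" step before turning the feature on, as an added example that is not Oracle's tooling: it lists JSPs that are being served today but are missing from the allow-list. The log lines and list entries are constructed, and the list format (one JSP path per line, `#` to comment an entry out) is an assumption for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Request and status fields of an Apache common/combined log line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def load_allowed(conf_text):
    """Assumed format: one JSP path per line; '#' comments an entry out."""
    entries = (line.split("#", 1)[0].strip() for line in conf_text.splitlines())
    return {e for e in entries if e}

def jsp_hits(log_lines):
    """Count JSP requests that were actually served (2xx/3xx), per path."""
    hits = Counter()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group(1)).path  # drop the query string
        if path.lower().endswith(".jsp") and m.group(2)[0] in "23":
            hits[path] += 1
    return hits

def used_but_not_allowed(log_lines, allowed):
    """JSPs in use today that would be blocked once the feature is turned on."""
    return {p: n for p, n in jsp_hits(log_lines).items() if p not in allowed}

# Constructed sample data; xxcust_report.jsp stands for a custom JSP.
SAMPLE_CONF = """\
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/OA.jsp
# /OA_HTML/xxcust_report.jsp
"""
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Sep/2014:10:00:01 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Sep/2014:10:00:09 +0000] "GET /OA_HTML/OA.jsp?page=/x&y=1 HTTP/1.1" 200 20480',
    '10.0.0.7 - - [01/Sep/2014:10:02:11 +0000] "GET /OA_HTML/xxcust_report.jsp?id=7 HTTP/1.1" 200 900',
    '10.0.0.7 - - [01/Sep/2014:10:03:30 +0000] "POST /OA_HTML/xxcust_report.jsp HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Sep/2014:10:04:00 +0000] "GET /OA_HTML/old_tool.jsp HTTP/1.1" 404 210',
    '10.0.0.9 - - [01/Sep/2014:10:04:02 +0000] "GET /OA_MEDIA/logo.gif HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    missing = used_but_not_allowed(SAMPLE_LOG, load_allowed(SAMPLE_CONF))
    for path, count in missing.items():
        print(f"{count:4d}  {path}")
```

Run it over a log window long enough to include periodic activity such as month-end processing, so that rarely used JSPs are not missed.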
Feature Overview for Allowed Redirects Principles Provides defense-in-depth protection against phishing redirect attacks Defines whitelist of allowed redirects for Oracle E-Business Suite 12.2 A whitelist is an explicit list of hosts that are allowed for redirects Prevents redirects that are not listed as allowed Enables configuration of allowed redirects to avoid unnecessary exposure Allows custom redirects to be defined in the list of allowed redirects Allows all redirects by default
Which Redirects Should Be Allowed? Configuration Delivered in Configuration File
- Oracle E-Business Suite built-in use of redirects for functionality
  - Examples include: Report Launcher, Self-Service Applications, Help System
- Single sign-on integration with Oracle Access Manager using Oracle E-Business AccessGate and Oracle Internet Directory
- Reporting with Oracle Discoverer Viewer, Oracle Discoverer Server and Oracle Business Intelligence Enterprise Edition
- Integration with Oracle Portal
- iRecruitment Background Check URL
Which Redirects Should Be Allowed? Configuration You Need to Add to the Configuration File
- Oracle E-Business Suite iProcurement with Punchout
  - Add host or domain entry for each Punchout site
- Oracle E-Business Suite Configurator integration with Agile or Siebel using Oracle Application Integration Architecture
  - Add host or domain entry for each integration point
- Any custom redirects used in your environment
Allowed Redirects Configuration Overview
- Configuration files
  - $FND_SECURE/allowed_redirects.conf
  - Content should be a list of hosts, domains, site/server level profiles and/or additional configuration files
- Profile Option: Allow Unrestricted Redirects
Allowed Redirects Configuration: Profile Option
- Profile: Allow Unrestricted Redirects
- Profile code: FND_SEC_ALLOW_UNRESTRICTED_REDIRECT
- Profile scope: Profile may be set at the Site or Server level
- Default value: YES at Site level
Profile Value | Description
YES | Unrestricted access to all redirects
NO | Restricted access to the allowed redirects per the redirect whitelist filter
NULL | If the redirect servlet filter is configured, then restricted access is enabled
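The decision a host/domain redirect allow-list has to make, sketched as an added example (not Oracle's filter implementation). Only host and domain entries are modelled; the `host <name>` / `domain <name>` line syntax and all names in the sample list are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_allowlist(conf_text):
    """Assumed syntax: 'host <name>' or 'domain <name>' per line, '#' comments."""
    hosts, domains = set(), set()
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() in ("host", "domain"):
            target = hosts if parts[0].lower() == "host" else domains
            target.add(parts[1].lower().strip("."))
    return hosts, domains

def redirect_allowed(target, hosts, domains):
    """Allow relative targets and http(s) targets whose host is on the list."""
    try:
        # Browsers treat '\' like '/', so normalise before parsing.
        url = urlsplit(target.strip().replace("\\", "/"))
    except ValueError:
        return False
    if not url.scheme and not url.netloc:
        return True  # relative path: stays on the current host
    if url.scheme and url.scheme.lower() not in ("http", "https"):
        return False
    # Compare the parsed host name, never a substring of the raw URL.
    host = (url.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host in hosts or any(host == d or host.endswith("." + d) for d in domains)

# Constructed allow-list: one Punchout supplier host and one integration domain.
REDIRECT_CONF = """\
host punchout.supplier.example.net
domain integration.example.com   # integration points
"""

if __name__ == "__main__":
    hosts, domains = parse_allowlist(REDIRECT_CONF)
    for t in ["/OA_HTML/OA.jsp?x=1",
              "https://punchout.supplier.example.net/start",
              "https://agile.integration.example.com/item",
              "https://other.example.org/",
              "//other.example.org/login"]:
        print(f"{'allow' if redirect_allowed(t, hosts, domains) else 'block':5}  {t}")
```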
Proxy User Terminology Delegator: user who needs to delegate functionality to another user (the proxy user) Proxy User: user who is the delegate or proxy who uses functionality on behalf of the delegator
Feature Overview for Proxy User
Reasons to Delegate Access
- Executive delegates to assistant for routine tasks
- User going on vacation or leave delegates to coworker, manager, or subordinate
- User delegates to help desk agent or other agent for assistance or training
- Users delegate to internal audit personnel to monitor compliance
- Several users access a shared account as proxy users to make tracking easier
Benefits of Delegating Access
- Keep business running smoothly when key personnel are out
- Allow users to share work without sharing passwords
- Control who can delegate what to whom
Feature Overview for Proxy User
- Users can delegate some or all of their access to Oracle E-Business Suite functionality to other users, who can then act on the delegator's behalf.
- Functionality works seamlessly across all Forms and OA Framework-based Oracle E-Business Suite modules
- Simple delegation interface for users
- Users can delegate by responsibility or workflow notification type
  - Delegation is not all or nothing functionality
- Delegator can audit proxy user access along with time of access
Feature Overview for Proxy User: The Role of the Proxy User Administrator
- Defines who can use the proxy user functionality
- Defines which responsibilities cannot be delegated
  - Example: Employee self-service with payslips and personal information
- Defines who the delegator can delegate to as a proxy user
- Seeded policies
  - Direct Line of Command, Second Line of Command, Third Line of Command
  - Immediate Supervisor and peers, Supervisor's peers and his peers
  - All employees, All Users
- Custom delegation policies may also be created
Administrator Setup Define the Roles and Responsibilities Allowed to Delegate to Proxy
Administrator Setup Restrict Responsibilities from Delegation
Administrator Setup Define Who Can Be a Proxy User
Example: User Delegating to Proxy Logon as Self, then Go to Tools and Click on Preferences
Example: User Delegating to Proxy Navigate to Manage Proxies, then Click Add Proxy
Example: User Delegating to Proxy One Page Setup for Proxy User
Example: User Delegating to Proxy Add the User Name of the Proxy User
Example: User Delegating to Proxy Grant the Responsibility Access to the Proxy User
Example: User Delegating to Proxy Grant Workflow Notification Type to Proxy
Example: User Delegating to Proxy Your Proxy User is Now Defined
Example: Perform Work as Proxy on Behalf of Delegator Logon as Self, then Switch User Switch user to work as proxy user
Example: Perform Work as Proxy on Behalf of Delegator Next, Choose which User to Switch To (Proxy)
Example: Perform Work as Proxy on Behalf of Delegator Choose Actions to Perform Your User Name Delegator Name
Example: Perform Work as Proxy on Behalf of Delegator Choose Actions to Perform No Preferences or Favorites Your User Name Delegator Name
Example: Perform Work as Proxy on Behalf of Delegator Choose Actions to Perform No Preferences or Favorites Your User Name Delegator's Granted Responsibilities Delegator Name Delegator's Worklist (limited to delegated types)
Example: Perform Work as Proxy on Behalf of Delegator Appearance in Forms-based Interface Your User Name Delegator Name
Example: Delegator Reviewing Proxy User Activity