patchVantage E-Business Suite Security Patching

Post on 03-Oct-2021


Abstract: Understand our engagement model. Ensure your ERP system is secure and compliant.


Managed Security Upgrades
1.1 Introduction
1.2 Engagement Model
1.3 Additional Costs
1.4 Pricing
1.5 Cloud Mirror
1.6 Deployment Methods
1.7 Documentation
1.8 Components Patched
1.9 PatchVantage Platform
1.10 Example E-Business Suite Patch Analysis
1.11 Example of Generated Patch Executions
1.12 Sample 12.2 Security Upgrade Release
1.13 Driver Files and Automated Patching Elements

Managed Security Upgrades E-Business Suite

1.1 Introduction

Oracle E-Business Suite (EBS) is a leading enterprise resource planning (ERP) solution designed to help organizations manage a global business, improve decision making, reduce costs and increase corporate performance. Over 21,000 global organizations use EBS for mission-critical applications, including financial management, customer relationship management (CRM), supply chain management (SCM), human capital management (HCM), logistics, retail, procurement and more. According to Onapsis, fewer than half of the 21,000 E-Business Suite customers applied the January CPU patches.

However, with more ERP applications directly connected to the web and large fines introduced by new laws like CCPA, resolving this will become a necessity. One of the main reasons Cleveland Police are re-platforming is the need to apply security patches. Many organizations are adding modules which interface their E-Business Suite systems with the web. Our solution will reduce both operational and cyber risk, thereby avoiding expensive data breaches.


[Figure: phases of response to a cyber incident]

Incident triage (days or weeks)
• Stop compromises in progress
• Remediate security controls
• Communicate with customers, partners, and other external parties
• Address disruption and business continuity issues

Impact management (weeks or months)
• Create interim infrastructure or operations
• Take or prepare for legal action
• Address regulatory and audit issues
• Manage client, partner, and other relationships

Business recovery (months or years)
• Repair damage to the business
• Re-design processes and assets
• Invest in cyber programs to emerge stronger

Incident triage efforts comprise <10% of total impact. Recovery stretches over years.


Our solution is to offer a quarterly patching service which will quickly progress the testing and acceptance of the security patches at minimal cost. Typically, E-Business Suite DBAs cost around 200K USD per annum, but we are offering specific services at a fraction of that cost. We primarily use automation to lower the cost of the service to the customer, but also because it delivers better outcomes. We would completely manage the setup and initial application every 3 months. The customer gets a comprehensive solution that includes all the required CPUs (plus ETCC). In addition, the software generates key documentation to verify and inform the customer of the upgrades.

The result is a very short engagement that offers less downtime, more accuracy, less reliance on skilled DBAs, a detailed audit trail and full documentation. Most large companies prefer transparent processes that are proven to work. Military, Police and Defense contractors require fast and accurate patch updates to protect key infrastructure against attacks. Our solution is compatible with both 12.1 and 12.2 versions of E-Business Suite.

1.2 Engagement Model

Based on actual events, the following engagement model will be offered and has proven results. Delivery times are estimates for customers who have up-to-date PSU systems only.

Table 1: How the service will be delivered

| Task | Description | Duration |
|------|-------------|----------|
| Setup and Discovery | This is a free service combining health check and installation of software. | 1 or 2 Days (one-off task) |
| Analysis | Each quarter we provide the patches for all versions of EBS. However, some patches may need to be rolled back or other ones included. | 1 Day (15th Jan, Apr, Jul, Oct) |
| Download Patches | Automated script per customer downloads patches. For legal reasons it must use the Oracle CSI. Patch Analysis zips will be provided to customer. | 0.5 Day (Automated) |
| ETCC | Oracle provides a script one month after the CPU which indicates the exact patches required for Middleware and Database Interoperability. | 0.5 Day (15th Feb, May, Aug, Nov) |
| Patch Per Environment | Apply Patches (RDBMS, APPS, FMW, Java) | 0.5 Day per system (Automated) |
| Documentation | Check Space Requirements, Compatibility with other patches etc. | |


1.3 Additional Costs

Depending on the implementation, additional costs will apply:

▪ RAC – Multiple nodes require dual node patching with significant enhancements to DataPatch

▪ GRID – CPU patching of the GRID is a complex procedure which we can execute.

▪ Multiple EBS Nodes – Additional patching on 12.1.3 (12.2 adop does not require this)

▪ Active Data Guard – Customers such as NATO who are moving to Azure will implement ADG instead of RAC, but this still requires patching of the standby server

▪ Impact Analysis – Most customers have customizations. We provide a list of the patches to analyze. We can also automate this procedure for a small additional cost.

▪ Cloning – We expect recent copies of Production to test the patches. This means the customer is responsible for Cloning. We do however provide our fully automated cloning procedure for a one-off implementation charge. Scripts can compress production cores to smaller development servers.

▪ Production – Normally we would apply the solution on the DBA and UAT environments. The customer would then use the software to finalize on Production. We can operate this procedure at extra cost.

▪ Enterprise Tools – Configuration with OEM and Ansible can be provided at extra cost

1.4 Pricing

Initially we recommend limiting patching to essential environments such as DBA and UAT, which will offer a low price point and encourage faster decisions. This reduces risk for the customers and, once the service is established, they can purchase more time if they want. Our model is more pay-as-you-go: customers obtain enhanced DBA services using automation for a fraction of the normal price.

1.5 Rapid Critical Updates Service

For military or police organizations we guarantee emergency and battle-short service. All consultants have security clearance.

1.6 Cloud Mirror

We will maintain a VISION version of E-Business Suite on AWS at no extra cost. This will be used to pre-test deployments and will be specific to the customer's EBS version.

1.7 Deployment Methods

There are multiple ways to deploy the software.

COMMAND LINE (CLI) – Easy to use script (Python)

OEM – Customers with agents installed can deploy using Console or emcli

ANSIBLE – Agentless SSH solution for customers who have already configured this.

PATCHVANTAGE – Agent/Agentless with web service and console interface

1.8 Documentation

Security patching without non-repudiation is practically worthless. It may be scrutinized by auditors and pen testers. In the event of a breach, jobs will depend on it.

| Content | Details | Target Audience | Format |
|---------|---------|-----------------|--------|
| History | Signed Report Verifying Applied Patch History | Managers – Ensure nothing missing | |
| Instructions | Detailed Patch Executions; Backup Manual Approach | DBAs – Ensure Safe & Compliant | |
| Log Files | All Oracle Patch Log Files Collected from Database & Apps Servers | DBAs – Inspect for errors and repudiation | |
| Release | Exact Contents of Security Upgrade | End User / Business Unit | |
| ETCC | Validation Oracle Security Success | End User / Manager – Proof Quarterly Update Done | |

1.9 Components Patched

Here is a definitive list of the software components patched across all tiers.

*** RAC and GRID Supported

Database Versions Supported: 12c, 18c, 19c

E-Business Suite Versions Supported: 12.1.3, 12.2.x

| Tier | Software | Utility |
|------|----------|---------|
| Grid | Generic script using opatchauto is applied | opatchauto |
| RDBMS | Full Database Patching (apply & rollback) | opatch |
| RDBMS | Data Patch – Post SQL | datapatch |
| RDBMS | Java Updated: JRE in ORACLE_HOME/appsutil | jre |
| FMW | 10.1.2 Forms in ORACLE_HOME (12.1.3) | opatch |
| FMW | 10.1.3 Forms in IAS_ORACLE_HOME (12.1.3) | opatch |
| FMW | FMW_HOME/webtier | opatch |
| FMW | FMW_HOME/oracle_common | opatch |
| FMW | WebLogic BSU | bsu |
| EBS | APPL_TOP 12.2.3 | adpatch |
| EBS | APPL_TOP 12.2.x | adop |
| EBS | TXK and AD Latest Technology Stack (bi-annually) | adop |
| EBS | Java Updated: JDK 32-bit in ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 32-bit in IAS_ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 32-bit in ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 64-bit in IAS_ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 64-bit in COMMON_TOP/util | jdk |
| EBS | Java Updated: JDK 32-bit in COMMON_TOP/util | jdk |
| EBS | DBA Analyzers: Automatically add new releases of DBA Analyzers | shell |

Appendix: Centralize, Collaborate and Scale

1.10 PatchVantage Platform

The patchVantage platform enables organizations to automate the execution of patching, cloning, backups and other administration functions for Oracle and other databases and target types. In addition to being initiated through the web interface, all functions can also be performed through the command line using a set of APIs. The purpose of this document is to guide the reader through executing some API calls to demonstrate the power of the patchVantage platform. Additionally, sample shell scripts are provided to illustrate how these APIs can be integrated into existing systems.

The database / server environments used in this document are provided by patchVantage in the AWS cloud. The reader is not required to install or set up any software on their own infrastructure. The technology stack consists of an ORDS web interface running on top of an Oracle Database. It is designed to manage large numbers of Linux Servers, Databases and Applications. The solution falls into the category of Database as a Service (DBaaS).

1.11 Example E-Business Suite Patch Analysis

Analysis using mature OAM and other reports will be used to minimize impact

1.12 Example of Generated Patch Executions

Example auto-generated documentation, customized upon request.

1.13 Sample 12.2 Security Upgrade Release

The contents of each release are delivered so that the customer knows what they are getting.

| Component | Patch | Purpose |
|-----------|-------|---------|
| GRID | 30920127 | Grid Infrastructure Apr 2020 Release Update |
| RDBMS | 30783885 | April 2020 CPU Database Bundle Patch |
| RDBMS | 30783885 | Oracle JavaVM Component Database PSU |
| RDBMS | JRE | jre1.7.0_261 |
| E-BUSINESS SUITE | 30739126 | Fix for Bug 30739126 |
| E-BUSINESS SUITE | 30980446 | Fix for Bug 30980446 |
| MIDDLEWARE WL | 13845626 | This patch contains Smart Update patch FC8V for WebLogic Server |
| MIDDLEWARE WL | 16684205 | This patch contains Smart Update patch XGXM for WebLogic Server |
| MIDDLEWARE WL | 30857748 | Oracle WebLogic Server Patch Set Update |
| MIDDLEWARE WEBTIER | 31047338 | Interim Patch for Bug: 31047338 |
| MIDDLEWARE WEBTIER | 30332567 | Interim Patch for Bug: 30332467 |
| MIDDLEWARE FORMS | 26825525 | Interim Patch for Base Bugs: 26825525 |
| E-BUSINESS SUITE | 23645622 | GL: Add Java Web Start Support to AHM Java applet |
| E-BUSINESS SUITE | 24498616 | AD: Add Java Web Start support to Oracle E-Business Suite |
| E-BUSINESS SUITE | 25380324 | Oracle E-Business Suite Java Applets launching with Java Web Start |
| E-BUSINESS SUITE | 25449925 | TXK: Add Java Web Start support to Oracle E-Business Suite |
| E-BUSINESS SUITE | 28713780 | 1OFF:12.2.6+:Oracle Workflow Java Applets launching with Java Web Start |
| EBS DBA ANALYZERS | None | Oracle Support Proactive Services Bundle Perl Menu [200.86] |
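
An added example, not patchVantage code: it checks the opatch-managed entries of the sample release above against per-home inventory listings and seals the result, in the spirit of the signed patch-history report described under Documentation. The inventory text is constructed in the style of `opatch lsinventory`, the function names are hypothetical, and HMAC-SHA256 with a shared key stands in for whatever signing the product uses.

```python
import hashlib
import hmac
import json
import re

# Patch numbers from the sample release table above, limited to opatch-managed tiers.
RELEASE = {
    "GRID": ["30920127"],
    "RDBMS": ["30783885"],
    "MIDDLEWARE WEBTIER": ["31047338", "30332567"],
}

# Constructed inventory text per Oracle home, in the style of `opatch lsinventory`.
INVENTORIES = {
    "GRID": "Patch  30920127     : applied on Tue Apr 21 08:02:11 UTC 2020\n",
    "RDBMS": "Patch  30783885     : applied on Tue Apr 21 09:14:02 UTC 2020\n",
    "MIDDLEWARE WEBTIER": "Patch  31047338     : applied on Tue Apr 21 10:20:17 UTC 2020\n",
}

PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on", re.MULTILINE)


def parse_inventory(text):
    """Return the set of patch numbers an inventory listing reports as applied."""
    return set(PATCH_LINE.findall(text))


def build_report(release, inventories):
    """Compare the release manifest with each home's inventory, tier by tier."""
    report = {}
    for tier, wanted in release.items():
        applied = parse_inventory(inventories.get(tier, ""))
        report[tier] = {
            "applied": sorted(p for p in wanted if p in applied),
            "missing": sorted(p for p in wanted if p not in applied),
        }
    return report


def sign_report(report, key):
    """HMAC-SHA256 over a canonical JSON encoding, so any later edit is detectable."""
    payload = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_report(report, signature, key):
    """Constant-time check that the report still matches its signature."""
    return hmac.compare_digest(sign_report(report, key), signature)


if __name__ == "__main__":
    rep = build_report(RELEASE, INVENTORIES)
    print(json.dumps(rep, indent=2), sign_report(rep, b"constructed-demo-key"))
```

A shared-key HMAC only proves integrity to parties holding the key; where an auditor must not be able to produce reports, an asymmetric signature is the appropriate replacement.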

1.14 Driver Files and Automated Patching Elements

Configuration management makes use of a human-readable driver file that controls the upgrade. The file has a list of elements, each assigned to an infrastructure tier (Database, EBS, FMW). During execution, the software transforms the elements into physical patching actions on the servers. Regular TXK and AD upgrades are included.

| Tier | Tool | Comment |
|------|------|---------|
| Grid | opatchauto | ACFS Cluster and Kernel Upgrades |
| Database | opatch | Handles apply or rollback. |
| Database | Stop Database + Listener | RAC and non-RAC |
| Database | Start Database + Listener | RAC and non-RAC |
| Database | Run Database auto config | |
| Database | Install latest JRE | Location ORACLE_HOME/appsutil |
| Database | Datapatch | Includes RDBMS upgrade mode and RAC cluster |
| Database | utlrp | Compile Objects |
| E-Business Suite | adop | Makes use of internal password files |
| E-Business Suite | adpatch | Generates a new defaults file each run |
| E-Business Suite | adadmin | All adadmin commands (see Options in later section) |
| E-Business Suite | admkappsutil | Generate + Installs on Database Node(s) |
| E-Business Suite | adstrtall | Start All Services / Start Primary Node First |
| E-Business Suite | Compile JSP | |
| E-Business Suite | adstpall | Stop All Services / Manage Concurrent Manager |
| E-Business Suite | Run Application auto config | |
| E-Business Suite | adgrants | Check version and apply using SYSDBA |
| E-Business Suite | Install latest JDK | Multiple Locations |
| FMW | Fusion Middleware | opatch used to update multiple locations |
| E-Business Suite | Custom Templates | TXK patches require update and merging |
| FMW | Weblogic BSU | Patching / Rollback of previous JARS included |
| E-Business Suite | Support | Automatically add new releases of DBA Analyzers |