Page 1: OAUG ApplicationsTechnology Stack Special Interest Group September 28 th 2014 Session ID: SIG9074 Moscone West – 3009 12:00PM - 12:45PM Sandra Vucinic,
OAUG ApplicationsTechnology Stack Special Interest Group

September 28th 2014
Session ID: SIG9074
Moscone West – 3009
12:00PM - 12:45PM

Sandra Vucinic, Moderator

Michael Barone

Marvin Sanchez

Page 2:

Agenda

Welcome & Introduction – Sandra Vucinic
Introductions

Securing Your E-Business Suite Environment – Michael Barone and Marvin Sanchez

EBS Applications Technology SIG Panel

Page 3:

EBS Applications Technology SIG

The general purpose of the ATS SIG is to inform and educate our members on current and future middleware components as they relate to the Oracle E-Business Suite.

Page 4:

Join the EBS Applications Technology SIG! http://ebsatssig.oaug.org

Send papers/presentations for inclusion on the website to

We are on LinkedIn: OAUG EBS Applications Technology Stack SIG

Page 5:

EBS Applications Technology SIG Board

President: Sandra Vucinic, VLAD Group, Inc.
Vice President: Jon Walthour, CNO Financial Group
Program Director: Jain Ashish, Gallup
Membership Director: Marvin Sanchez, Pharmavite
Web Site Director: Michael Barone, OATC, Inc.
Meeting Director: Christina Blincoe, Burns & McDonnell
Past President: Srini Chavali, Oracle

Page 6:

Connect with the OAUG at OpenWorld

Booth 3131 in Moscone West and Users Group Pavilion in Moscone South

Ask questions and share answers with other Oracle Applications users and experts. Visit oaug.org/openworld to join the discussion.

Special membership offers:
• 15 months for the price of 12
• 3 months at ¼ of the regular price

Page 7:

OAUG: E-Business Suite Security

E-Business Suite Security Areas:

Securing Authorization (Procurement, HR, Finance)
• Role Based Access
• Virtual Private Database
• Database Vault
• Digital signatures
• Credit card encryption

Securing Authentication
• Strong user authentication
• Smartcards / CAC
• Biometrics

Securing Data in Flight
• SSL encryption for EBS clients
• ANO encryption for database traffic

Securing Copies
• Transparent Data Encryption
• Data Masking in cloned databases

Page 8:

OAUG: E-Business Suite Security

2014: Over Twenty (20) High-Profile Security Breaches:

• Aaron Brothers Craft Stores
• Jimmy Johns Sandwich Shops
• Adobe – Software
• KickStarter (Crowd Funding Application)
• Albertson’s Super Value Stores
• Linked-In (Social Network Site)
• California DMV
• Michael’s Craft Stores
• Dairy Queen Restaurants
• P.F. Changs Restaurants
• eBay – OnLine Auction Site
• Smuckers Jams and Jelly
• GoodWill Stores
• StubHub Ticket Site
• HealthCare.gov (Medical Records)
• Target Super Stores
• Home Depot Home Improvement Stores
• US Department of Homeland Security
• Hospitals – Patient-Records Security Breach
• Yahoo

Page 9:

OAUG: E-Business Suite Security
E-Business Suite 11i

Page 10:

OAUG: E-Business Suite Security
E-Business Suite 12.0/12.1

Page 11:

OAUG: E-Business Suite Security
E-Business Suite 12.2

Page 12:

OAUG: E-Business Suite Security
E-Business Suite Release Dates:

11.5.10: Nov 2004
  Technology stack: Apache; Oracle8i Forms and Reports

12.0: Jan 2007
12.1: May 2009; 12.1.2: Dec 2009; 12.1.3: Aug 2010
  Technology stack: OC4J, Apache; Oracle 10g Forms and Reports

12.2: October 2013 (Early-Adopter/General-Release); 12.2.2: October 2013; 12.2.3: December 2013; 12.2.4: September 2014
  Technology stack: Oracle HTTP Server (OHS), WebLogic Server (WLS); Oracle Developer 10.1.2; Apache 2.2; WebLogic JSP; BC4J; UIX 11g; BI Publisher; Forms

Page 13:

OAUG: E-Business Suite Security
E-Business Support Dates: Cliff Godwin, Oracle Sr. VP, OOW 2013

Page 14:

OAUG: E-Business Suite Security

2014: Security Advisory
http://krebsonsecurity.com/2014/04/critical-java-update-plugs-37-security-holes/

Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37 security vulnerabilities in the widely-installed program. Several of these flaws are so severe that they are likely to be exploited by malware or attackers in the days or weeks ahead. So — if you have Java installed — it is time to update. The latest update for Java 7 (Java Runtime Environment (JRE) 1.7) (the version most users will have installed) brings the program to Java 7 Update 68. Those who’ve chosen to upgrade to the newer, “feature release” version of Java — Java 8 — will find fixes available in Java 8 Update 5 (Java 8 doesn’t work on Windows XP). According to Oracle, only four (4) of the 37 security holes that are fixed in this release earned a Common Vulnerability Scoring System (CVSS) of 10.0 (most severe); easily exploited without authentication and can result in a complete compromise of the host operating system.

Page 15:

OAUG: E-Business Suite Security

E-Business Suite AppsTier ORACLE_HOME Upgrade: (Java 7)

For EBS 11i:
• Support Note 290807.1: Deploying Sun JRE (Native Plug-in) for Windows Clients, EBS 11i
• Support Note 290807.1: Upgrading Developer 6i with Oracle E-Business Suite 11i

For EBS 12:
• Support Note 393931.1: Deploying Sun JRE (Native Plug-in) for Windows Clients, EBS 12
• Support Note 437878.1: Upgrading OracleAS 10g Forms and Reports in Oracle E-Business

Page 16:

OAUG: E-Business Suite Security

E-Business Suite AppsTier ORACLE_HOME Upgrade: (Java 7)

Prerequisites for 32-bit and 64-bit JRE certifications

PC-Clients: JRE 1.7.0_21 32-bit + EBS 12.0 & 12.1
• Windows XP SP3, Windows Vista SP1 and SP2
• Windows 7 and Windows 7 SP1
• Forms 10g overlay patch 14614795 (Note 437878.1)
• SSL Users: 10.1.0.5 version of Patch 6370967 applied to AS 10.1.3 with OPatch. This fix is already included in the April 2011 AS 10.1.3.5 CPU patch and later.

PC-Clients: JRE 1.7.0_21 64-bit + EBS 12.0 & 12.1
• Windows 7 (64-bit) and Windows 7 SP1 (64-bit)
• Forms 10g overlay patch 14614795 (Note 437878.1)
• SSL Users: 10.1.0.5 version of Patch 6370967 applied to AS 10.1.3 with OPatch. This fix is already included in the April 2011 AS 10.1.3.5 CPU patch and later.

Page 17:

OAUG: E-Business Suite Security

Oracle Support: Security Scripts 403537.1
Primary Authors: Erik Graversen, Eric Bing
Contributors: David Kerr, George Buzsaki, Deepak Louis, Andy Philips, Ashok Subramanian, Rajiv Muthyala, Remi Aimsuphanimit, Emily Nordhagen.

Secure Configuration Guide for Oracle E-Business Suite Release 12 (covers Oracle E-Business Suite Release 12.0, 12.1, and 12.2)

Oracle E-Business Suite Security Configuration Check Scripts (ZIP)

Page 18:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Overview
• Keep software up to date
• Restrict network access to critical services
• Follow the principle of least privilege
• Monitor system activity
• Keep up to date on latest security information

Oracle TNS Listener Security
• Harden operating environment
• Add IP restrictions or enable Valid Node Checking
• Specify connection timeout
• Enable encryption of network traffic
• Enable TNS Listener password (only if required)
• Enable admin restrictions
• Enable TNS Listener logging
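The listener items above are normally verified by reading sqlnet.ora and listener.ora. The following checker is an added example written for this page, not Oracle's 403537.1 check scripts: it parses a constructed "out-of-the-box" pair and a constructed hardened pair and reports which of the guide's items are missing. The parameter names (TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES, SQLNET.INBOUND_CONNECT_TIMEOUT, SQLNET.ENCRYPTION_SERVER, ADMIN_RESTRICTIONS_<listener>, LOGGING_<listener>, INBOUND_CONNECT_TIMEOUT_<listener>) are real Oracle Net parameters; the hostnames and values in the samples are placeholders.

```python
"""Checker for the TNS Listener hardening items (valid node checking,
connection timeout, network encryption, admin restrictions, listener
logging).  Added example; the parameter-file texts are constructed."""
import re

# Constructed sample: a default-looking sqlnet.ora / listener.ora pair
WEAK_SQLNET = """
NAMES.DIRECTORY_PATH = (TNSNAMES, ONAMES, HOSTNAME)
"""
WEAK_LISTENER = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ebsdb.example.internal)(PORT = 1521))
    )
  )
"""

# Constructed sample: the same pair after applying the guide's items
HARDENED_SQLNET = """
NAMES.DIRECTORY_PATH = (TNSNAMES)
TCP.VALIDNODE_CHECKING = yes
TCP.INVITED_NODES = (ebsdb.example.internal, ebsapp1.example.internal)
SQLNET.INBOUND_CONNECT_TIMEOUT = 10
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
"""
HARDENED_LISTENER = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = ebsdb.example.internal)(PORT = 1521))
    )
  )
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
INBOUND_CONNECT_TIMEOUT_LISTENER = 10
"""


def parse_params(text):
    """Collect the flat 'NAME = value' lines of an Oracle Net parameter
    file into a dict.  Nested (DESCRIPTION ...) blocks are skipped, which
    is enough for the hardening parameters checked here."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2)
    return params


def listener_names(listener_text):
    """Listener names are the column-0 'NAME =' lines that open a
    DESCRIPTION_LIST block (for example the default 'LISTENER')."""
    return re.findall(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*$", listener_text, re.M)


def check_oracle_net(sqlnet_text, listener_text):
    """Return a list of findings; an empty list means every item is set."""
    sq = parse_params(sqlnet_text)
    ls = parse_params(listener_text)
    findings = []

    # Add IP restrictions or enable Valid Node Checking
    if sq.get("TCP.VALIDNODE_CHECKING", "").lower() != "yes":
        findings.append("TCP.VALIDNODE_CHECKING is not 'yes'")
    elif "TCP.INVITED_NODES" not in sq and "TCP.EXCLUDED_NODES" not in sq:
        findings.append("valid node checking is on but no INVITED/EXCLUDED node list")

    # Specify connection timeout (sqlnet side; the listener side is checked below)
    if "SQLNET.INBOUND_CONNECT_TIMEOUT" not in sq:
        findings.append("SQLNET.INBOUND_CONNECT_TIMEOUT is not set")

    # Enable encryption of network traffic
    if sq.get("SQLNET.ENCRYPTION_SERVER", "").lower() not in ("required", "requested"):
        findings.append("SQLNET.ENCRYPTION_SERVER is neither 'required' nor 'requested'")

    for name in listener_names(listener_text):
        key = name.upper()
        # Enable admin restrictions: blocks runtime 'lsnrctl set' changes
        if ls.get(f"ADMIN_RESTRICTIONS_{key}", "").upper() != "ON":
            findings.append(f"ADMIN_RESTRICTIONS_{name} is not ON")
        # Enable TNS Listener logging.  Oracle's default is ON; the check is
        # conservative and wants it written down so it cannot be switched
        # off unnoticed by a later edit.
        if ls.get(f"LOGGING_{key}", "").upper() != "ON":
            findings.append(f"LOGGING_{name} is not explicitly ON")
        if f"INBOUND_CONNECT_TIMEOUT_{key}" not in ls:
            findings.append(f"INBOUND_CONNECT_TIMEOUT_{name} is not set")
    return findings


if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_SQLNET, WEAK_LISTENER)),
                        ("hardened", (HARDENED_SQLNET, HARDENED_LISTENER))):
        print(label, check_oracle_net(*pair))
```

Run against the constructed default pair the checker reports six findings; against the hardened pair it reports none. The "TNS Listener password (only if required)" item is deliberately not checked, since the guide presents it as optional.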

Page 19:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Oracle Database Security
• Harden operating environment
• Disable XDB
• Review database links
• Remove operating system trusted remote logon
• Implement two profiles for password management
• Change default installation passwords
• Restrict access to SQL trace files
• Remove operating system trusted remote roles
• Limit file system access within PL/SQL
• Limit dictionary access
• Revoke unnecessary grants given to APPLSYSPUB
• Configure the database for auditing
• Audit database connections
• Audit database schema changes
• Audit administrators and their actions

Page 20:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Oracle Application Tier Security
• Harden operating environment
• Harden Apache configuration
• Protect administrative web pages
• Configure logging

Page 21:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Oracle E-Business Suite Security (01 of 03)
• Harden operating environment
• Strike passwords from adpatch logs
• Set Workflow notification mailer SEND_ACCESS_KEY to N
• Set Tools environment variables
• Restrict filetypes that may be uploaded
• Enable Antisamy HTML filter
• Use SSL (HTTPS) between browser and web server
• Avoid Weak Ciphers and Protocols for SSL (HTTPS)
• Use External Webtier if exposing any part of EBS to the internet
• Use Terminal Services for client-server programs
• Change passwords for seeded application user accounts
• Switch to Hashed Passwords
• Tighten logon and session profile options
• Consider using Single-Sign-On
• Create new user accounts safely
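"Avoid Weak Ciphers and Protocols for SSL (HTTPS)" and the application tier's "Harden Apache configuration" both come down to two directives in the Apache-style SSL configuration that OHS uses, SSLProtocol and SSLCipherSuite. The following checker is an added example for this page, not Oracle's code: it expands an SSLProtocol argument into the protocol versions it enables and scans an SSLCipherSuite string for weak aliases and suite names. The two configuration texts are constructed samples; the legacy cipher string in the weak one is the well-known old mod_ssl default.

```python
"""Checker for SSLProtocol / SSLCipherSuite hardening.  Added example;
the config texts are constructed."""
import re

# Constructed sample: a legacy default that still permits SSLv2/SSLv3
WEAK_SSL_CONF = """
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

# Constructed sample: the same directives after hardening
HARDENED_SSL_CONF = """
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!LOW
"""

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3"}
# OpenSSL aliases that enable weak suites when listed positively
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "EXP", "EXPORT", "LOW",
                      "RC4", "MD5", "DES", "ADH", "SSLv2"}


def directives(conf_text):
    """Map SSL* directive name -> argument string (last occurrence wins)."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"^\s*(SSL\w+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def allowed_protocols(value):
    """Expand an SSLProtocol argument ('all -SSLv2 -SSLv3', 'TLSv1 TLSv1.2',
    '+TLSv1.2') into the set of versions it enables.  'all' is read as
    including SSLv2/SSLv3, the conservative interpretation for the older
    Apache builds found behind EBS."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else "+"
        name = token.lstrip("+-")
        versions = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= versions
        else:
            enabled |= versions
    return enabled


def _is_weak_part(part):
    """True for a weak alias, a single-DES suite, or a suite name built on
    RC4, MD5, NULL or export-grade components."""
    if part in WEAK_CIPHER_TOKENS or part.startswith("DES-CBC-"):
        return True
    return re.search(r"(?:^|-)(?:RC4|MD5|NULL|EXP)(?:-|$)", part) is not None


def weak_cipher_entries(value):
    """Entries of an SSLCipherSuite string that enable a weak alias or
    suite.  Entries removed with '!' or '-' are ignored; broad aliases
    such as ALL or DEFAULT are not expanded."""
    weak = []
    for entry in value.split(":"):
        if not entry or entry[0] in "!-":
            continue
        parts = entry.lstrip("+").split("+")
        if any(_is_weak_part(p) for p in parts):
            weak.append(entry)
    return weak


def check_ssl_conf(conf_text):
    """Return a list of findings for the protocol and cipher settings."""
    d = directives(conf_text)
    findings = []
    enabled = allowed_protocols(d.get("SSLProtocol", "all"))
    for proto in sorted(enabled & INSECURE_PROTOCOLS):
        findings.append(f"{proto} is enabled by SSLProtocol")
    for entry in weak_cipher_entries(d.get("SSLCipherSuite", "")):
        findings.append(f"SSLCipherSuite enables weak entry '{entry}'")
    return findings


if __name__ == "__main__":
    print("weak:", check_ssl_conf(WEAK_SSL_CONF))
    print("hardened:", check_ssl_conf(HARDENED_SSL_CONF))
```

The weak sample yields two protocol findings (SSLv2, SSLv3) and four cipher findings (RC4+RSA, +LOW, +SSLv2, +EXP); the hardened sample yields none. Because ALL-style aliases are not expanded, a clean result from this check is a necessary condition, not proof that every negotiated suite is strong.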

Page 22:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Oracle E-Business Suite Security (02 of 03)
• Create shared responsibilities instead of shared accounts
• Configure Concurrent Manager for safe authentication
• Configure Concurrent Manager for Start and Stop without the APPS password
• Activate Server Security
• Create DBC files securely
• Review and limit Responsibilities and Permissions
• Set other security related profile options
• Restrict responsibilities by web server trust level
• Set Sign-On audit level
• Monitor system activity with OAM
• Retrieve audit records using Reports
• Retrieve audit records using SQL
• Purge audit records

Page 23:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Oracle E-Business Suite Security (03 of 03)
• Review data tracked (no Reports available)
• Configuring audit trail
• Generate and identify audit trail objects
• Choose tables to audit
• Retrieve audit records using SQL
• Purge audit records
• References on Oracle E-Business Suite auditing

Page 24:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Desktop Security
• Configure browser
• Update browser
• Turn off AutoComplete
• Set policy for unattended PC sessions

Page 25:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Operating Environment Security
• Cleanup file ownership and access
• Cleanup file permissions
• Lockdown operating system libraries and programs
• Filter IP packets
• Prevent spoofing
• Eliminate telnet, rsh and ftp daemons
• Verify network configuration
• Monitor for attacks
• Configure accounts securely
• Limit root access
• Manage user accounts
• Secure NFS
• Secure operating system devices
• Secure executables
• Secure file access
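Three of the items above ("Cleanup file permissions", "Secure executables", "Secure file access") reduce to questions that can be asked of the file system directly: which files and directories are world-writable, and which executables carry the setuid or setgid bit. The scan below is an added example for this page, not material from the guide's Appendix F or its check scripts. It builds a constructed sample tree in a temporary directory (the file names are placeholders, not real EBS paths) and reports the offending entries; on a real host the same function would be pointed at the application and database ORACLE_HOME trees.

```python
"""World-writable and setuid/setgid scan.  Added example; the sample
tree is constructed in a temporary directory."""
import os
import stat
import tempfile


def build_sample_tree():
    """Create a constructed tree mixing sound and unsound modes and
    return its root path."""
    root = tempfile.mkdtemp(prefix="perm-demo-")
    os.makedirs(os.path.join(root, "appl", "bin"))
    os.makedirs(os.path.join(root, "appl", "log"))
    os.makedirs(os.path.join(root, "scratch"))
    files = {
        ("appl", "bin", "start.sh"):  0o755,   # fine
        ("appl", "bin", "helper"):    0o4755,  # setuid executable: flagged
        ("appl", "log", "app.log"):   0o666,   # world-writable file: flagged
        ("appl", "log", "audit.log"): 0o640,   # fine
    }
    for parts, mode in files.items():
        path = os.path.join(root, *parts)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    # world-writable directory without the sticky bit: flagged
    os.chmod(os.path.join(root, "appl", "log"), 0o777)
    # world-writable but sticky (like /tmp): accepted
    os.chmod(os.path.join(root, "scratch"), 0o1777)
    return root


def scan_permissions(root):
    """Walk `root` without following symlinks and return two sorted lists
    of paths relative to root: world-writable entries (files, or
    directories lacking the sticky bit) and setuid/setgid regular files."""
    world_writable, privileged = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits carry no meaning
            rel = os.path.relpath(full, root)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                world_writable.append(rel)
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                privileged.append(rel)
    return sorted(world_writable), sorted(privileged)


if __name__ == "__main__":
    root = build_sample_tree()
    ww, priv = scan_permissions(root)
    print("world-writable:", ww)
    print("setuid/setgid:", priv)
```

On the sample tree the scan lists `appl/log` and `appl/log/app.log` as world-writable and `appl/bin/helper` as setuid. Symlinks are skipped rather than followed so that a link into `/usr` does not drag the whole system into an application-tree report; a separate run over the system directories covers those.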

Page 26:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Extras for Experts
• Detect and Prevent Duplicate User Sessions
• Customize Password Validation
• Encrypt Credit Cards
• Advanced Security/Networking Option (ASO/ANO)
• Advanced Security/Transparent Data Encryption (ASO/TDE)
• Practice Safe Cloning
• Hardening External Procedure (EXTPROC) Services
• EXTPROC Listener Configuration
• EXTPROC Testing Procedure
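"Detect and Prevent Duplicate User Sessions" above and "Set Sign-On audit level" / "Retrieve audit records using SQL" on the earlier slide both rely on the Sign-On Audit data. The code below is an added example for this page, not Oracle's: it runs two detections over constructed rows shaped loosely after FND_UNSUCCESSFUL_LOGINS (user, attempt time) and FND_LOGINS (user, start time, end time). The row shape is a simplification of those tables, and the user names and timestamps are constructed; in a real run the rows would be fetched from those tables with SQL and fed to the same functions.

```python
"""Failed-login burst and duplicate-session detection over Sign-On Audit
style rows.  Added example; the rows are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2014, 9, 28, 12, 0)  # constructed reference time

# Constructed: SYSADMIN fails six times in under three minutes;
# OPERATIONS fails twice, two hours apart (ordinary typos)
FAILED_ATTEMPTS = [("SYSADMIN", T0 + timedelta(seconds=30 * i)) for i in range(6)] + [
    ("OPERATIONS", T0),
    ("OPERATIONS", T0 + timedelta(hours=2)),
]

# Constructed: JSMITH opens a second session while the first is live;
# AJONES's two sessions are back to back.  End None = still open.
LOGINS = [
    ("JSMITH", T0, T0 + timedelta(hours=1)),
    ("JSMITH", T0 + timedelta(minutes=20), None),
    ("AJONES", T0, T0 + timedelta(minutes=30)),
    ("AJONES", T0 + timedelta(minutes=30), T0 + timedelta(hours=1)),
]


def failed_login_bursts(attempts, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any sliding
    `window`; returns {user: peak count within a window}.  A sliding
    window, rather than a per-day total, ignores typos spread over a shift
    while still catching a guessing burst."""
    per_user = defaultdict(list)
    for user, when in attempts:
        per_user[user].append(when)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = peak = 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def duplicate_sessions(logins, now=None):
    """Users holding two or more sessions at once; returns {user: number
    of sessions that began while an earlier one was still open}.  An open
    session (end None) is treated as ending at `now`."""
    now = now or datetime.max
    per_user = defaultdict(list)
    for user, start, end in logins:
        per_user[user].append((start, end or now))
    flagged = {}
    for user, spans in per_user.items():
        spans.sort()
        latest_end, overlaps = None, 0
        for start, end in spans:
            if latest_end is not None and start < latest_end:
                overlaps += 1
            latest_end = end if latest_end is None else max(latest_end, end)
        if overlaps:
            flagged[user] = overlaps
    return flagged


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(FAILED_ATTEMPTS))
    print("duplicate sessions:", duplicate_sessions(LOGINS))
```

Both functions return only the users that cross the line, so their output can go straight into an alert or a daily report. The back-to-back AJONES sessions are deliberately not counted as overlapping: a session that starts exactly when the previous one ends is a normal re-login, not a shared or hijacked account.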

Page 27:

OAUG: E-Business Suite Security

Oracle Support: Secure Configuration Guide for E-Business 12

Appendixes:
• Appendix A: Running Web-Scanning Tools
• Appendix B: Sensitive Administrative Pages
• Appendix C: Database Schemas found in Oracle E-Business Suite
• Appendix D: Processes used by Oracle E-Business Suite
• Appendix E: Ports used by Oracle E-Business Suite
• Appendix F: Sample Linux Hardening of the Application Tier
• Appendix G: Security Check Scripts
• Appendix H: References & More Resources

Page 28:

OAUG: E-Business Suite Security

Oracle Support: Security Scripts 403537.1

Page 29:

OAUG: E-Business Suite Security

Additional E-Business Suite Security Areas:

Page 30:

Panel Members

Steven Chan – Oracle
Elke Phelps – Oracle
Srini Chavali – Oracle
Michael Barone – OATC, Inc.
Marvin Sanchez – Pharmavite
Sandra Vucinic – VLAD Group, Inc.

Page 31:

Collaborate 2015, Mandalay Bay, Las Vegas, April 12-16, 2014
Please visit collaborate.oaug.org for further details
