Wednesday, December 24, 2025

hard

| Existing | Recommended | Modified |
|---|---|---|
| Root login enabled via SSH | Disable direct root SSH login and enforce sudo-based access | |
| X server installed on DB server | Remove X server from DB and App servers | |
| Oracle user allowed direct remote login | Disallow direct remote login to oracle user | |
| Listener has EXTPROC in main listener | Separate EXTPROC into dedicated IPC-only listener | |
| EXTPROC listener running as oracle user | Run EXTPROC listener as unprivileged OS user | |
| ADMIN_RESTRICTIONS not enabled on listener | Set ADMIN_RESTRICTIONS_<listener>=ON | |
| Listener logging disabled or minimal | Enable listener logging (LOGGING_<listener>=ON) and review the log | |
| XDB service enabled in database | Disable the XDB protocol server by removing the XDB dispatcher | |
| Default database accounts not reviewed | Lock or change passwords for default accounts | |
| REMOTE_OS_AUTHENT parameter enabled | Set REMOTE_OS_AUTHENT=FALSE | |
| Unused database links exist | Remove unused database links | |
| Database auditing disabled | Enable database auditing and audit trail retention | |
| APPL_TOP permissions too permissive | Restrict APPL_TOP permissions to applmgr only | |
| trusted.conf allows open access | Restrict admin URLs to trusted IPs only | |
| s_admin_ui_access_nodes not configured | Configure trusted admin IPs via AutoConfig | |
| Allowed Resources feature not configured | Enable and configure Allowed Resources allowlist | |
| Allowed Redirects not restricted | Configure allowed_redirects.conf and custom include file | |
| Allow Unrestricted Redirects profile enabled | Set Allow Unrestricted Redirects to No | |
| Weak TLS or SSL protocols enabled | Enforce TLS 1.2 or later and disable weak protocols | |
| Weak cipher suites enabled | Disable RC4 and ciphers below 128-bit | |
| HTTP security headers not enforced | Enable X-Frame-Options SAMEORIGIN and X-Content-Type-Options nosniff | |
| Guest user enabled unnecessarily | Disable Guest user access where not required | |
| Unlimited session timeout configured | Set ICX_SESSION_TIMEOUT to 30 minutes | |
| Weak password length allowed | Set SIGNON_PASSWORD_LENGTH to minimum 8 | |
| Password reuse allowed | Set SIGNON_PASSWORD_NO_REUSE to 180 days | |
| Case-insensitive passwords allowed | Enable case-sensitive passwords (SIGNON_PASSWORD_CASE) | |
| High failed login attempts allowed | Set SIGNON_PASSWORD_FAILURE_LIMIT to 5 | |
| Concurrent program credentials exposed | Use ENCRYPT option for HOST executables | |
| File upload type unrestricted | Restrict file types using fnd_mime_types | |
| Unlimited file upload size allowed | Configure UPLOAD_FILE_SIZE_LIMIT | |
| AntiSamy HTML filter disabled | Enable AntiSamy HTML filter | |
| Workflow mailer access key enabled | Set Workflow Mailer SEND_ACCESS_KEY to N | |
| Secure Configuration Console not used | Run SCC and remediate HIGH severity findings | |
| Audit trail not enabled for sensitive tables | Enable Audit Trail on critical tables | |
| Proxy user delegation unrestricted | Restrict proxy access and enable proxy auditing | |
| Desktop Java version outdated | Upgrade to certified Java version | |
| Browser cache storing sensitive data | Enable FND_SEC_FILESTREAM_NOSTORE=SECURE | |


Wednesday, December 17, 2025

detail

Runbook: Hardening Oracle E-Business Suite (R12.2) - All Secure Configuration Chapters 

As the Oracle EBS DBA Team Lead, I own the end-to-end stability, performance, and lifecycle of our complex Oracle E-Business Suite (EBS) landscapes across DEV, TEST, UAT, and PROD environments in multiple regions. This includes hands-on administration of EBS R12.2 and underlying Oracle Database (19c or higher), while leading a team of DBAs to ensure 24x7 availability, controlled changes, and alignment with business priorities. This runbook provides a detailed, copy-paste-ready guide for hardening EBS based on Part 2 (Chapters 6-13) of the Oracle E-Business Suite Security Guide (Release 12.2, Part E22952-42, October 2025). These chapters focus on secure configuration across tiers. 

This runbook integrates with our broader security strategy, assuming prerequisites like latest CPUs/RUs (e.g., October 2025 or later) applied, TLS enabled (MOS 1367293.1), and testing in non-prod first. Assign junior DBAs to initial scans/configs; seniors to AutoConfig runs and validation. Coordinate with infra/security teams for IP/firewall changes; schedule in CAB for PROD. Post-implementation, monitor via OAM and run DR drills to confirm no regressions. Update local SOPs with any customizations. 

Prerequisites for All Chapters 

  • Verify EBS R12.2.6+ with relevant patches (e.g., 24737426:R12.FND.C for Allowed Resources). 

  • Apply latest Critical Patch Update (CPU) – e.g., October 2025. 

  • Backup configurations: Copy $FMW_HOME, $APPL_TOP, $ORACLE_HOME, and context files. 

  • Test environment: Clone DEV/TEST; validate functionality post-changes. 

  • Tools: Access to OAM, AutoConfig (adautocfg.sh), SQL*Plus as APPS, lsnrctl. 

  • References: MOS 387859.1 (AutoConfig), MOS 1375686.1 (Load Balancers), Chapter 4 (Allowed Resources/Redirects), Appendix E (Security Checklist). 

Chapter 6: Overview of Secure Configuration 

Purpose: Provides system-wide advice for secure deployment, balancing risk, cost, and protection. No specific steps, but follow principles like least privilege, monitoring, and software updates. 

Steps: 

  1. Keep software up-to-date: Apply the latest AutoConfig (TXK) and Patch Tools (AD) release update packs, then the latest CPU. Run the patch set / code level checker for compliance. 
     Command: Check MOS for the latest AD/TXK RUPs; apply them with adop (R12.2 uses online patching; adpatch is not the patching tool on 12.2). 

  2. Restrict network access: Use separate subnets for app/DB tiers, firewalls between tiers/internet, and a DMZ for external access (MOS 1375670.1). 

  3. Follow least privilege: Review user privileges periodically; use su/sudo for oracle/root rather than logging in as them. 

  4. Monitor the system: Enable auditing/logging (Chapters 14-18); review AWR/ASH/ADDM. 

  5. Stay informed: Subscribe to Oracle security alerts. 

Validation: Run Secure Configuration Console (Chapter 13) to verify overall health. Rollback: N/A (overview only). Reference: Page 6-1 to 6-6. 

Chapter 7: Oracle TNS Listener Security 

Purpose: Secure the TNS Listener to prevent unauthorized DB access. 

Steps: 

  1. Hardening Operating Environment: Apply OS hardening from Chapter 12. 

  2. Harden EXTPROC Services (only if external procedures are used, e.g., by Multimedia/Email Center; if nothing uses them, remove the extproc SID_DESC from the listener instead): 

     a. Create a separate, IPC-only EXTPROC listener in $TNS_ADMIN/listener.ora (or listener_ifile.ora, which the AutoConfig-generated file includes and does not overwrite), and remove the extproc SID_DESC from the TCP listener. Example: 

text 

<SID>_EXTPROC =  
(ADDRESS_LIST =  
 (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC<SID>)) 
) 
SID_LIST_<SID>_EXTPROC =  
(SID_LIST =  
 (SID_DESC =  
   (SID_NAME = PLSExtProc) 
   (ORACLE_HOME = $ORACLE_HOME) 
   (PROGRAM = extproc) 
 ) 
) 
STARTUP_WAIT_TIME_<SID>_EXTPROC = 0 
INBOUND_CONNECT_TIMEOUT_<SID>_EXTPROC = 10 
TRACE_LEVEL_<SID>_EXTPROC = OFF 
LOG_DIRECTORY_<SID>_EXTPROC = $TNS_ADMIN 
LOG_FILE_<SID>_EXTPROC = <SID>_EXTPROC 
TRACE_DIRECTORY_<SID>_EXTPROC = $TNS_ADMIN 
TRACE_FILE_<SID>_EXTPROC = <SID>_EXTPROC 

     Replace <SID>, $ORACLE_HOME and $TNS_ADMIN with literal values; listener.ora does not expand environment variables. 

     b. Update tnsnames.ora: 

text 

extproc_connection_data =  
 (DESCRIPTION =  
  (ADDRESS_LIST =  
     (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC<SID>)) 
   ) 
  (CONNECT_DATA =  
     (SID = PLSExtProc) 
     (PRESENTATION = RO) 
   ) 
 ) 

     c. Run the EXTPROC listener as a low-privilege OS user (e.g., nobody), not as oracle, so that a compromised external procedure does not run with the database owner's privileges; set permissions 600 on listener.ora. Where the libraries are known, restrict what extproc may load with (ENVS = "EXTPROC_DLLS=ONLY:<path>") in the SID_DESC. 

  3. Enable Valid Node Checking / IP Restrictions: In sqlnet.ora on the database tier (or in sqlnet_ifile.ora, which AutoConfig includes and does not overwrite): 

text 

tcp.validnode_checking = YES 
tcp.invited_nodes = (x.x.x.x, hostname.domain, ...) 

     The list must contain every application-tier and concurrent-processing node and the database host itself, by the name or address the listener sees; anything missing is rejected by the listener, local tools included. Restart (not just reload) the listener for this to take effect, and test from an uninvited host. 

  4. Specify Connection Timeout: In listener.ora (INBOUND_CONNECT_TIMEOUT_<listener> replaces the older CONNECT_TIMEOUT_<listener> name). Pair it with SQLNET.INBOUND_CONNECT_TIMEOUT in sqlnet.ora, so that a client that connects and never completes authentication is dropped on both the listener and the server process side: 

text 

INBOUND_CONNECT_TIMEOUT_<listener> = 10 

  5. Enable Encryption: Native Network Encryption with AES only, in sqlnet.ora: SQLNET.ENCRYPTION_SERVER = REQUIRED, SQLNET.ENCRYPTION_TYPES_SERVER limited to AES256/AES192/AES128, and SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED for integrity (the guide's Chapter 7 configurations 1-3 cover how this combines with TLS). 

  6. Listener Password (legacy, only if a specific requirement remains): Listener passwords are deprecated on the 12c and later databases that EBS 12.2 runs on. The supported control is LOCAL_OS_AUTHENTICATION_<listener> at its default ON, which lets only the listener's OS owner administer it locally; do not set it to OFF, and rely on ADMIN_RESTRICTIONS (next step) to block remote administration. 

  7. Enable Admin Restrictions: In listener.ora (this rejects runtime SET commands from lsnrctl; changes are made in the file and applied with lsnrctl reload): 

text 

ADMIN_RESTRICTIONS_<listener> = ON 

  8. Enable Logging: In listener.ora (LOGGING_<listener> defaults to ON; set it explicitly, and make sure the log is rotated and reviewed; LOG_STATUS is the name lsnrctl shows for the same switch): 

text 

LOGGING_<listener> = ON 
LOG_DIRECTORY_<listener> = $TNS_ADMIN 
LOG_FILE_<listener> = <listener> 

Validation: Test EXTPROC with sample SQL (page 7-4); attempt unauthorized connection (expect denial); check listener log. Rollback: Comment out changes in listener.ora/sqlnet.ora; restart listener. Reference: MOS 1367293.1 (TLS), MOS 2500511.1 (ACLs). 

Chapter 8: Oracle Database Security 

Purpose: Secure the Oracle Database instance. 

Steps: 

  1. Hardening Operating Environment: Apply OS hardening from Chapter 12. 

  2. Disable the XDB protocol server: Comment out the dispatcher line in init.ora (with an spfile: ALTER SYSTEM RESET dispatchers SCOPE=SPFILE, then restart): 

text 

*.dispatchers='(PROTOCOL=TCP)(SERVICE=<sid>XDB)' 

     This removes the HTTP/FTP endpoint XDB registers with the listener; the XDB schema itself stays, as it is a mandatory component on 12c and later. 

  3. Review Database Links: Query DBA_DB_LINKS; drop unused links. 

  4. Remove OS Trusted Remote Logon: init.ora: 

text 

REMOTE_OS_AUTHENT = FALSE 

  5. Change Default Passwords: Use ALTER USER for the administrative schemas (SYS, SYSTEM); use AFPASSWD for EBS-managed accounts so that the copies held by the application stay in sync (e.g., $ AFPASSWD -c APPS -a for all). 

  6. Implement Two Profiles: EBS_MIDTIER_PROFILE for the schemas the middle tier connects as (APPS, APPLSYS and the product schemas) with FAILED_LOGIN_ATTEMPTS and PASSWORD_LIFE_TIME set to UNLIMITED, because a locked or expired APPS password takes the whole suite down and a lockout after repeated bad logins would be a remote denial of service; and EBS_DEFAULT_PROFILE for named DBA/human accounts with the strict settings (FAILED_LOGIN_ATTEMPTS=5, PASSWORD_LIFE_TIME=90). Assign with ALTER USER ... PROFILE; AFPASSWD remains the only way the mid-tier schema passwords change. 

  7. Restrict SQL Trace Files: init.ora (trace files can contain bind values; keep them readable only by the oracle OS user): 

text 

_TRACE_FILES_PUBLIC = FALSE 

  8. Remove OS Trusted Remote Roles: init.ora: 

text 

REMOTE_OS_ROLES = FALSE 

  9. Limit File System Access in PL/SQL: Revoke EXECUTE ON UTL_FILE from PUBLIC and grant it only to the schemas that need it (EBS product code does; test in non-prod). UTL_FILE_DIR is desupported from Database 18c; on 19c manage the permitted directories with directory objects and the EBS procedure in MOS 2525754.1. 

  10. Limit Dictionary Access: init.ora: 

text 

O7_DICTIONARY_ACCESSIBILITY = FALSE 

  11. Revoke Unnecessary Grants from APPLSYSPUB: Run afpub.sql/afpubfix.sql ($FND_TOP/patch/115/sql). 

  12. Enable Unified Auditing: Apply policies for logins/DDL/sensitive data (MOS 2777404.1). 

  13. Audit Activities: Audit connections, schema changes, admin actions, etc. 

Validation: Run fnddefpw.sql for passwords; query profiles/grants; test unauthorized access. Rollback: Restore init.ora backups; re-grant privileges. Reference: MOS 1585296.1 (TDE Tablespace), MOS 1585696.1 (TDE Column), Appendix B (Schemas). 
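The Chapter 7 and Chapter 8 settings above are all plain NAME = VALUE parameters, so they can be audited offline before and after a change. The following is an added example (my own check script, not from the Security Guide or the EBS tool set) that parses listener.ora, sqlnet.ora and init.ora text and reports the weak settings from both chapters: missing ADMIN_RESTRICTIONS, logging turned off, the obsolete CONNECT_TIMEOUT name, extproc served by the TCP listener, an invited-nodes list that omits the database host, encryption not REQUIRED, non-AES types, REMOTE_OS_AUTHENT and friends set TRUE, and an XDB dispatcher. The three sample files are constructed for the demonstration; the listener name PROD, the hostnames, the addresses and the paths are assumptions.

```python
"""Offline audit of the Chapter 7 (Oracle Net) and Chapter 8 (init.ora) settings.
Added example; not part of Oracle E-Business Suite or the Security Guide."""
import re

# Constructed sample files carrying the weak settings the runbook removes.
# Listener name, hosts and paths are assumptions for the demonstration.
LISTENER_ORA = """
PROD =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ebsdb01.example.com)(PORT = 1521))
  )
SID_LIST_PROD =
  (SID_LIST =
    (SID_DESC = (SID_NAME = PROD)(ORACLE_HOME = /u01/oracle/19c))
    (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /u01/oracle/19c)(PROGRAM = extproc))
  )
CONNECT_TIMEOUT_PROD = 10   # obsolete name for INBOUND_CONNECT_TIMEOUT_PROD
LOGGING_PROD = OFF
"""

SQLNET_ORA = """
tcp.validnode_checking = YES
tcp.invited_nodes = (ebsapp01.example.com, 10.0.1.20)   # the DB host itself is missing
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128)
"""

INIT_ORA = """
*.dispatchers='(PROTOCOL=TCP)(SERVICE=PRODXDB)'
remote_os_authent = true
O7_DICTIONARY_ACCESSIBILITY = FALSE
"""


def parse_params(text):
    """Parse NAME = VALUE entries from listener.ora, sqlnet.ora or init.ora.

    Values may span lines inside balanced parentheses; '#' starts a comment;
    a leading '*.' (init.ora instance qualifier) is dropped.  Keys are
    upper-cased; values keep their case with whitespace collapsed.
    """
    params, name, buf = {}, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if name is None:
            m = re.match(r'([\w.*]+)\s*=\s*(.*)$', line)
            if not m:
                continue  # stray text outside any parameter
            name, buf = m.group(1).upper().lstrip('*.'), [m.group(2)]
        else:
            buf.append(line)
        joined = ' '.join(buf).strip()
        if joined and joined.count('(') <= joined.count(')'):
            params[name] = re.sub(r'\s+', ' ', joined).strip('\'"')
            name, buf = None, []
    return params


def _flat(value):
    """Upper-case with all whitespace removed, for PROTOCOL=TCP style tests."""
    return re.sub(r'\s+', '', value).upper()


def audit_listener(params, listener):
    """Chapter 7 listener.ora checks for one listener name; returns findings."""
    L, f = listener.upper(), []
    if params.get(f'ADMIN_RESTRICTIONS_{L}', '').upper() != 'ON':   # default is OFF
        f.append(f'ADMIN_RESTRICTIONS_{L} is not ON')
    if params.get(f'LOGGING_{L}', 'ON').upper() != 'ON':            # default is ON
        f.append(f'LOGGING_{L} is OFF')
    if f'INBOUND_CONNECT_TIMEOUT_{L}' not in params:
        note = f' (CONNECT_TIMEOUT_{L} is the obsolete name)' if f'CONNECT_TIMEOUT_{L}' in params else ''
        f.append(f'INBOUND_CONNECT_TIMEOUT_{L} is not set' + note)
    if 'PROGRAM=EXTPROC' in _flat(params.get(f'SID_LIST_{L}', '')) and \
            'PROTOCOL=TCP' in _flat(params.get(L, '')):
        f.append(f'{L} serves extproc over TCP; move it to a dedicated IPC-only listener')
    return f


def audit_sqlnet(params, local_nodes):
    """Chapter 7 sqlnet.ora checks; local_nodes are the DB host's own name/address."""
    f = []
    if params.get('TCP.VALIDNODE_CHECKING', '').upper() != 'YES':
        f.append('tcp.validnode_checking is not YES')
    else:
        raw_nodes = params.get('TCP.INVITED_NODES', '').strip('()').split(',')
        nodes = {n.strip().upper() for n in raw_nodes if n.strip()}
        if not nodes:
            f.append('tcp.invited_nodes is empty')
        elif not nodes & {n.upper() for n in local_nodes}:
            f.append('tcp.invited_nodes omits the database host itself')
    enc = params.get('SQLNET.ENCRYPTION_SERVER', 'ACCEPTED').upper()
    if enc != 'REQUIRED':
        f.append(f'SQLNET.ENCRYPTION_SERVER is {enc}, not REQUIRED')
    types = _flat(params.get('SQLNET.ENCRYPTION_TYPES_SERVER', '')).strip('()')
    weak = [t for t in types.split(',') if t and not t.startswith('AES')]
    if weak:
        f.append('non-AES encryption types enabled: ' + ', '.join(weak))
    return f


def audit_init(params):
    """Chapter 8 init.ora checks; returns findings."""
    f = []
    # All four default to FALSE on 19c, so only an explicit TRUE is a finding.
    for p in ('REMOTE_OS_AUTHENT', 'REMOTE_OS_ROLES', 'O7_DICTIONARY_ACCESSIBILITY', '_TRACE_FILES_PUBLIC'):
        if params.get(p, 'FALSE').upper() == 'TRUE':
            f.append(f'{p} is TRUE')
    if 'XDB' in _flat(params.get('DISPATCHERS', '')):
        f.append('XDB dispatcher configured; remove it unless the XDB protocol server is required')
    return f


def audit_all(listener_ora, sqlnet_ora, init_ora, listener, local_nodes):
    """Run the three audits over file contents; returns {file: [findings]}."""
    return {
        'listener.ora': audit_listener(parse_params(listener_ora), listener),
        'sqlnet.ora': audit_sqlnet(parse_params(sqlnet_ora), local_nodes),
        'init.ora': audit_init(parse_params(init_ora)),
    }


if __name__ == '__main__':
    report = audit_all(LISTENER_ORA, SQLNET_ORA, INIT_ORA, 'PROD',
                       ('ebsdb01.example.com', '10.0.1.10'))
    for fname, findings in report.items():
        print(f'{fname}: {len(findings)} finding(s)')
        for item in findings:
            print('  -', item)
```

Point it at copies of the real files (CREATE PFILE FROM SPFILE first for the database parameters) and pass the listener name plus the database host's own name and address. It only reads text, so it is safe to run on the production tier and useful as a regression check after every AutoConfig run.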

Chapter 9: Oracle Application Tier Security 

Purpose: Secure the middle tier (OHS, WebLogic). 

Steps: (From previous runbook, summarized) 

  1. Hardening Operating Environment: Apply Chapter 12. 

  2. Configure Allowed Resources: Apply Patch 24737426; set FND_SEC_ALLOWED_RESOURCES=CONFIG; run webusage.awk over the access logs to see which JSPs and servlets are actually used; disable the unused ones via OAM Product Hierarchy. 

  3. Configure Allowed Redirects: Set FND_SEC_ALLOWED_REDIRECTS=CONFIG; define trusted targets in allowed_redirects.conf, using the custom include file so AutoConfig preserves them. 

  4. Protect Diagnostic Pages: Set s_admin_ui_access_nodes to trusted IPs; use <Location> in trusted.conf; escape '/' as '(/)+'. 

  5. Handle Reverse Proxies/Load Balancers: Have the proxy pass the client IP in X-Forwarded-For, and configure OHS to trust that header only when the proxy is the sole path to OHS and overwrites the header; otherwise a client can forge X-Forwarded-For and bypass the IP restriction. The alternative is to add the proxy IP to trusted.conf, which admits everyone behind the proxy (MOS 1375686.1). 

  6. Secure WLS Network: Restrict the Admin Server port (7001) to administrator hosts; disable WSAT if unused. 

  7. Configure Logging: Set OraLogSeverity=WARNING:32 in httpd.conf; enable mod_security. 

Validation: Test denials (403 errors) from an untrusted address; review logs. Rollback: Set profiles to OFF; rerun AutoConfig. Reference: Allowed Resources (4-82), MOS 1334930.1. 

Chapter 10: Oracle E-Business Suite Security 

Purpose: Secure EBS-specific configurations. 

Steps: 

  1. Hardening Operating Environment: Apply Chapter 12. 

  2. Set Workflow SEND_ACCESS_KEY=N: In the Notification Mailer configuration (OAM Workflow Manager), so that e-mail notifications do not carry an access key that lets the recipient act on the notification without logging in. 

  3. Ensure Workflow Admin Known: Query WF_RESOURCES where NAME='WF_ADMIN_ROLE'; a value of '*' makes every user a Workflow administrator, so set it to a trusted role. 

  4. Set Tools Env Vars: FORMS_RESTRICT_ENTER_QUERY = TRUE, set through the AutoConfig context so it survives the next AutoConfig run (it is written into default.env; direct edits there are overwritten): 

text 

FORMS_RESTRICT_ENTER_QUERY = TRUE 

  5. Secure Attachments: Set FND_GFM_ACCESS_DURATION=5; UPLOAD_FILE_SIZE_LIMIT=4194304; FND_SECURITY_FILETYPE_RESTRICT_DFLT=No (unlisted MIME types are rejected, i.e., an allowlist); enable AntiSamy (FND_DISABLE_ANTISAMY_FILTER=No); maintain the permitted types with the FND mime type APIs. 

  6. Enable Certified HTTP Headers: X-Frame-Options=SAMEORIGIN in httpd.conf; X-Content-Type-Options=nosniff (Oct 2018 CPU); HSTS (MOS 1367293.1); Secure/HttpOnly cookies; SameSite (Patch 29672027). 

  7. Use TLS: Enable per MOS 1367293.1; disable SSLv3 and TLS 1.0/1.1, and the RC4 and sub-128-bit ciphers. 

  8. External Web Tier for Internet: DMZ config (MOS 1375670.1). 

  9. Terminal Services for Client-Server: Use Citrix/Oracle Secure Global Desktop; restrict DBC access. 

  10. Change Seeded Passwords: Use AFPASSWD; run fnddefpw.sql to find accounts still on seeded passwords; migrate to hashed (AFPASSWD -MIGRATE). 

  11. Tighten Logon/Session Profiles: SIGNON_PASSWORD_LENGTH=8 (a floor, not a target), HARD_TO_GUESS=YES, NO_REUSE=180, CASE=Sensitive, FAILURE_LIMIT=5, ICX_SESSION_TIMEOUT=30; custom validation if needed. 

  12. Shared Responsibilities: Use individual accounts for accountability. 

  13. Concurrent Manager Auth: Enter ENCRYPT/SECURE in Execution Options so HOST programs do not receive the APPS credentials in clear text on their command line. 

  14. Concurrent Manager Start/Stop without APPS: Create CONCOOPER user with responsibility; update AutoConfig vars (s_cp_user, etc.). 

  15. Activate Server Security: Set s_appserverid_authentication=SECURE. 

  16. Create DBC Securely: Use AdminDesktop for external; permissions 600. 

  17. SSO Integration: Per MOS 376811.1. 

  18. Review Responsibilities/Permissions: Limit access to sensitive forms/pages (MOS 1334930.1). 

  19. Set Security Profiles: FND_DIAGNOSTICS=No, DIAGNOSTICS=No, FND_DEVELOPER_CONSOLE=No, FND_CUSTOM_OA_DEFINITION=No, FND_SECURITY_FILETYPE_RESTRICT_DFLT=No, FND_DISABLE_ANTISAMY_FILTER=No, FND_RESTRICT_INPUT=Yes, BNE_ALLOW_NO_SECURITY_RULE=No, FND_EXPORT_FORMAT=Space Escape, FND_AUTHN_SRVC_TOKEN_SCOPE=Header Only. 

  20. Restrict Responsibilities by Trust Level: Set NODE_TRUST_LEVEL=2 (site), 3 (DMZ servers); assign to responsibilities. 

Validation: Test features; query profiles/grants; monitor FND_UNSUCCESSFUL_LOGINS. Rollback: Restore backups; rerun AutoConfig. Reference: MOS 1357849.1 (Attachments), MOS 1573912.1 (Credit Cards), MOS 419475.1 (Cloning). 
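Whether the headers and cookie flags from the HTTP headers step actually reach the browser is best checked from outside, on a captured response. The following is an added example (my own script, not Oracle's) that takes the (name, value) header pairs of a response and reports a missing or weak X-Frame-Options, a missing X-Content-Type-Options, a missing HSTS header, and any Set-Cookie lacking Secure, HttpOnly or SameSite. The sample response is constructed; the cookie names PROD (the EBS session cookie, usually named after the SID) and JSESSIONID are assumptions, as are the host, port 4443 and the AppsLogin path in the fetch helper.

```python
"""Audit of the HTTP security headers and cookie flags from Chapter 10.
Added example; not part of Oracle E-Business Suite."""
import http.client
import ssl

# Constructed sample response with the weaknesses the checks should catch;
# the cookie names (PROD session cookie, JSESSIONID) are assumptions.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 17 Dec 2025 10:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: PROD=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: JSESSIONID=xyz; Path=/OA_HTML; Secure; HttpOnly; SameSite=Lax\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
    "<html></html>"
)


def parse_raw_headers(raw):
    """Split a raw HTTP response into a list of (name, value) header pairs."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def audit_headers(pairs, https=True):
    """Return findings for missing/weak security headers and cookie attributes.

    `pairs` is any iterable of (name, value), e.g. HTTPResponse.getheaders().
    HSTS is only meaningful on an HTTPS response, hence the flag.
    """
    findings, headers, cookies = [], {}, []
    for name, value in pairs:
        key = name.lower()
        if key == "set-cookie":
            cookies.append(value)             # may repeat; keep every one
        else:
            headers.setdefault(key, value)
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("SAMEORIGIN", "DENY"):
        findings.append(f"X-Frame-Options is {xfo or 'missing'}; want SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    if https and "max-age=" not in headers.get("strict-transport-security", "").lower():
        findings.append("Strict-Transport-Security is missing")
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        cname = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {cname} lacks {required}")
    return findings


def fetch_header_pairs(host, port=4443, path="/OA_HTML/AppsLogin"):
    """Fetch live response headers from an EBS web entry point (not used in the demo).

    Host, port and path are assumptions; adjust to the environment.  The default
    SSL context verifies the server certificate, which is what you want here.
    """
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    for item in audit_headers(parse_raw_headers(RAW_RESPONSE)):
        print("-", item)
```

Run it against the login page and against a page that sets the session cookie, from outside the load balancer as well as directly against OHS, since a proxy can strip or add headers; the HSTS check is skipped with https=False for a plain-HTTP internal test.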

Chapter 11: Desktop Security 

Purpose: Secure client desktops accessing EBS. 

Steps: 

  1. Configure Browser: Follow MOS 389422.1; disable unnecessary plugins. 

  2. Update Browser: Apply latest patches. 

  3. Update Java: Use a JRE 8 or later release certified for the EBS release and apply the latest updates (MOS 2188898.1 for Java Web Start). 

  4. Turn Off Autocomplete: Disable in browser for forms/passwords. 

  5. Unattended PC Policy: Enforce password-locked screensavers. 

  6. Set FileStreaming No-Store: FND_SEC_FILESTREAM_NOSTORE=SECURE, so that attachments and other sensitive content are served with no-store cache headers and are not left in the browser cache. 

Validation: Test browser access; confirm no autocomplete. Rollback: Revert browser settings. Reference: MOS 389422.1 (Browsers), MOS 2188898.1 (Java Web Start). 

Chapter 12: Operating Environment Security 

Purpose: Secure OS hosting EBS. 

Steps: 

  1. Cleanup Ownership/Access: chown oracle for $ORACLE_HOME; applmgr for $APPL_TOP; no remote login to oracle/root; use sudo. 

  2. Cleanup Permissions: umask 027; directories 750, executables 700; root's dot files 600/700. 

  3. Lockdown Libraries/Programs: Disable X (no X during install); limit printers/email; SSH only (22/TCP); NTP/CRON/monitoring if needed. 

  4. Filter IP Packets: Use firewall/router; default deny; open only required ports to the parties that need them (e.g., 8000/4443 for OHS from users, 1521 from the application tier only, 7001 for the WLS Admin Server from administrator hosts only). 

  5. Prevent Spoofing: Disable source routing; use FQDN/IP in hosts file. 

  6. Eliminate Telnet/RSH/FTP: Enforce SSH. 

  7. Verify Network: Scan for violations. 

  8. Monitor Attacks: Install IDS (Snort). 

  9. Configure Accounts: Strong passwords; disable after failures. 

  10. Limit Root: Console login only; only root has UID 0; strong password. 

  11. Manage Users: No shared accounts; disable unused; restricted shells. 

  12. Secure NFS: readonly/nosuid in /etc/exports. 

  13. Secure Devices: /dev/null writable but not executable. 

  14. Secure Executables: Checksums from known sources. 

  15. Secure File Access: Minimal writable filesystems; users write only to their home directories and /tmp; use setuid sparingly. 

  16. Maintenance: Run security scripts (MOS 2069190.1); apply OS patches; delete/lock unused accounts; monitor logs (btmp/wtmp/syslog/sulog). 

Validation: Scan with tools; test access denials. Rollback: Restore configs. Reference: MOS 2069190.1 (Scripts), MOS 1367293.1 (TLS). 
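The permission cleanup in steps 1, 2 and 15 is easy to undo by one careless patch or clone, so it is worth a repeatable sweep rather than a one-off chmod. The following is an added example (my own script, not an EBS-supplied utility) that walks a tree and reports every entry that is accessible by 'other', group-writable, an executable not restricted to its owner (the 700 rule), setuid/setgid, or owned by the wrong uid; symlinks are skipped so the sweep does not follow them out of the tree. The sample tree is constructed in a temporary directory to stand in for an APPL_TOP; its file names are assumptions and the violations are deliberate.

```python
"""Permission sweep for the Chapter 12 ownership/permission cleanup (umask 027:
directories 750, executables 700, other files 640; setuid only where justified).
Added example; not an EBS-supplied utility."""
import os
import shutil
import stat
import tempfile

# Constructed stand-in for an APPL_TOP, with deliberate violations.
DEMO_TREE = (
    ("admin", "d", 0o755),              # directory readable by 'other'
    ("admin/PROD.dbc", "f", 0o644),     # DBC file readable by everyone
    ("admin/adstrtal.sh", "f", 0o750),  # executable not restricted to owner
    ("admin/adovars.env", "f", 0o640),  # compliant
    ("bin", "d", 0o750),                # compliant
    ("bin/FNDLIBR", "f", 0o4700),       # setuid binary
)


def check_entry(st, expect_uid=None):
    """Apply the policy to one lstat result; returns a list of issue strings."""
    mode = stat.S_IMODE(st.st_mode)
    issues = []
    if mode & 0o007:
        issues.append("accessible by 'other' (mode %o)" % mode)
    if mode & stat.S_IWGRP:
        issues.append("group-writable (mode %o)" % mode)
    if not stat.S_ISDIR(st.st_mode) and mode & 0o111 and mode & 0o070:
        issues.append("executable not restricted to owner (want 700, mode %o)" % mode)
    if mode & (stat.S_ISUID | stat.S_ISGID):
        issues.append("setuid/setgid set (mode %o)" % mode)
    if expect_uid is not None and st.st_uid != expect_uid:
        issues.append("owned by uid %d, expected %d" % (st.st_uid, expect_uid))
    return issues


def audit_tree(root, expect_uid=None):
    """Walk root; return sorted (relative_path, issue) findings. Symlinks are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            for issue in check_entry(st, expect_uid):
                findings.append((os.path.relpath(path, root), issue))
    return sorted(findings)


def build_demo_tree():
    """Create the constructed tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="appl_top_")
    os.chmod(root, 0o750)
    for rel, kind, mode in DEMO_TREE:
        path = os.path.join(root, rel)
        if kind == "d":
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)       # explicit, so the process umask does not matter
    return root


def demo_findings():
    """Build the constructed tree, audit it, clean up, and return the findings."""
    root = build_demo_tree()
    try:
        return audit_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue in demo_findings():
        print(f"{rel}: {issue}")
```

For a real run call audit_tree on $APPL_TOP with expect_uid set to applmgr's uid (and on $ORACLE_HOME with oracle's); anything it lists after a fresh AutoConfig or patch cycle is a regression to chase, and the setuid lines are the list you have to be able to justify.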

Chapter 13: Secure Configuration Console 

Purpose: Use console to validate/apply secure configs. 

Steps: 

  1. Access Console: Via Functional Administrator > Configuration Manager > Secure Configuration Console, or System Administrator > OAM Security Dashboard. 

  2. Check Guidelines: Click Check/Check All for status (Pass/Fail). 

  3. Fix Issues: Select Autofixable; click Fix. 

  4. Suppress/Unsuppress: Mute irrelevant guidelines. 

  5. Use Utility if Locked: AdminSecurityCfg <check|-fix|-status|-lock|-unlock> DBC= 

  6. Review Checks: Address Severity 1/2 failures (e.g., Allowed Resources, passwords, profiles). 

Validation: All guidelines pass/suppressed. Rollback: Use -unlock if needed. Reference: Checked Guidelines (13-3), Obsolete Checks (H-2). 

Post-Implementation for All Chapters 

  • Run Secure Configuration Console to validate. 

  • Monitor: Set alerts in OAM; review logs. 

  • Document: Update runbooks with changes; review in team meeting. 

  • Metrics: Track 99.99% availability; denied accesses. 

This runbook ensures robust EBS hardening with minimal downtime. For issues, open SR with diagnostics. Ownership starts here – execute methodically.