Wednesday, December 17, 2025

detail

Runbook: Hardening Oracle E-Business Suite (R12.2) - All Secure Configuration Chapters 

As the Oracle EBS DBA Team Lead, I own the end-to-end stability, performance, and lifecycle of our complex Oracle E-Business Suite (EBS) landscapes across DEV, TEST, UAT, and PROD environments in multiple regions. This includes hands-on administration of EBS R12.2 and underlying Oracle Database (19c or higher), while leading a team of DBAs to ensure 24x7 availability, controlled changes, and alignment with business priorities. This runbook provides a detailed, copy-paste-ready guide for hardening EBS based on Part 2 (Chapters 6-13) of the Oracle E-Business Suite Security Guide (Release 12.2, Part E22952-42, October 2025). These chapters focus on secure configuration across tiers. 

This runbook integrates with our broader security strategy, assuming prerequisites like latest CPUs/RUs (e.g., October 2025 or later) applied, TLS enabled (MOS 1367293.1), and testing in non-prod first. Assign junior DBAs to initial scans/configs; seniors to AutoConfig runs and validation. Coordinate with infra/security teams for IP/firewall changes; schedule in CAB for PROD. Post-implementation, monitor via OAM and run DR drills to confirm no regressions. Update local SOPs with any customizations. 

Prerequisites for All Chapters 

  • Verify EBS R12.2.6+ with relevant patches (e.g., 24737426:R12.FND.C for Allowed Resources). 

  • Apply latest Critical Patch Update (CPU) – e.g., October 2025. 

  • Backup configurations: Copy $FMW_HOME, $APPL_TOP, $ORACLE_HOME, and context files. 

  • Test environment: Clone DEV/TEST; validate functionality post-changes. 

  • Tools: Access to OAM, AutoConfig (adautocfg.sh), SQL*Plus as APPS, lsnrctl. 

  • References: MOS 387859.1 (AutoConfig), MOS 1375686.1 (Load Balancers), Chapter 4 (Allowed Resources/Redirects), Appendix E (Security Checklist). 

Chapter 6: Overview of Secure Configuration 

Purpose: Provides system-wide advice for secure deployment, balancing risk, cost, and protection. No specific steps, but follow principles like least privilege, monitoring, and software updates. 

Steps: 

  1. Keep software up-to-date: Apply latest AutoConfig (TXK) and Patch Tools (AD). Run patch set checker for compliance. 

  1. Command: Check MOS for latest TXK/AD RUPs; apply via adpatch. 

  1. Restrict network access: Use separate subnets for app/DB tiers, firewalls between tiers/internet, and DMZ for external access (MOS 1375670.1). 

  1. Follow least privilege: Review user privileges periodically; use su/sudo for oracle/root. 

  1. Monitor system: Enable auditing/logging (Chapters 14-18); review AWR/ASH/ADDM. 

  1. Stay informed: Subscribe to Oracle security alerts. 

Validation: Run Secure Configuration Console (Chapter 13) to verify overall health. Rollback: N/A (overview only). Reference: Page 6-1 to 6-6. 

Chapter 7: Oracle TNS Listener Security 

Purpose: Secure the TNS Listener to prevent unauthorized DB access. 

Steps: 

  1. Hardening Operating Environment: Apply OS hardening from Chapter 12. 

  1. Harden EXTPROC Services (if used, e.g., Multimedia/Email Center): 

  1. Create separate EXTPROC listener: Edit $TNS_ADMIN/listener.ora for IPC only. 

  1. Example: 

text 

SID_EXTPROC =  
(ADDRESS_LIST =  
 (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC<SID>)) 
) 
SID_LIST_<SID>_EXTPROC =  
(SID_LIST =  
 (SID_DESC =  
   (SID_NAME = PLSExtProc) 
   (ORACLE_HOME = $ORACLE_HOME) 
   (PROGRAM = extproc) 
 ) 
) 
STARTUP_WAIT_TIME_<SID>_EXTPROC = 0 
CONNECT_TIMEOUT_<SID>_EXTPROC = 10 
TRACE_LEVEL_<SID>_EXTPROC = OFF 
LOG_DIRECTORY_<SID>_EXTPROC = $TNS_ADMIN 
LOG_FILE_<SID>_EXTPROC = <SID>_EXTPROC 
TRACE_DIRECTORY_<SID>_EXTPROC = $TNS_ADMIN 
TRACE_FILE_<SID>_EXTPROC = <SID>_EXTPROC 

  1. Update tnsnames.ora: 

text 

extproc_connection_data =  
 (DESCRIPTION =  
  (ADDRESS_LIST =  
     (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC<SID>)) 
   ) 
  (CONNECT_DATA =  
     (SID = PLSExtProc) 
     (PRESENTATION = RO) 
   ) 
 ) 

  1. Run EXTPROC as low-privilege user (e.g., nobody); set permissions 600 on listener.ora. 

  1. Enable Valid Node Checking: tcp.validnode_checking = YES, tcp.invited_nodes = (list). 

  1. Add IP Restrictions: In sqlnet.ora: 

text 

tcp.validnode_checking = YES 
tcp.invited_nodes = (x.x.x.xhostname.domain, ...) 

  1. Specify Connection Timeout: In listener.ora: 

text 

CONNECT_TIMEOUT_<SID> = 10 

  1. Enable Encryption: Use NNE (AES128/AES192/AES256) in sqlnet.ora (see Chapter 7 for configs 1-3). 

  1. Enable TNS Listener Password (if required): Use lsnrctl passwd; set local_os_authentication_listener = OFF. 

  1. Enable Admin Restrictions: In listener.ora: 

text 

ADMIN_RESTRICTIONS_<listener> = ON 

  1. Enable Logging: In listener.ora: 

text 

LOG_STATUS = ON 
LOG_DIRECTORY_<SID> = $TNS_ADMIN 
LOG_FILE_<SID> = <SID> 

Validation: Test EXTPROC with sample SQL (page 7-4); attempt unauthorized connection (expect denial); check listener log. Rollback: Comment out changes in listener.ora/sqlnet.ora; restart listener. Reference: MOS 1367293.1 (TLS), MOS 2500511.1 (ACLs). 

Chapter 8: Oracle Database Security 

Purpose: Secure the Oracle Database instance. 

Steps: 

  1. Hardening Operating Environment: Apply OS hardening from Chapter 12. 

  1. Disable XDB: Comment out in init.ora: 

text 

*.dispatchers='(PROTOCOL=TCP)(SERVICE=<sid>XDB)' 

  1. Review Database Links: Query DBA_DB_LINKS; drop unused. 

  1. Remove OS Trusted Remote Logon: init.ora: 

text 

REMOTE_OS_AUTHENT = FALSE 

  1. Change Default Passwords: Use ALTER USER for admin schemas; AFPASSWD for EBS-managed (e.g., $ AFPASSWD -c APPS -a for all). 

  1. Implement Two Profiles: Create EBS_MIDTIER_PROFILE (FAILED_LOGIN_ATTEMPTS=5, PASSWORD_LIFE_TIME=90) and EBS_DEFAULT_PROFILE (UNLIMITED for APPS); assign via ALTER USER. 

  1. Restrict SQL Trace Files: init.ora: 

text 

_TRACE_FILES_PUBLIC = FALSE 

  1. Remove OS Trusted Remote Roles: init.ora: 

text 

REMOTE_OS_ROLES = FALSE 

  1. Limit File System Access in PL/SQL: Revoke UTL_FILE from PUBLIC; grant to specific schemas. Use UTL_FILE_DIR or directories (MOS 2525754.1). 

  1. Limit Dictionary Access: init.ora: 

text 

O7_DICTIONARY_ACCESSIBILITY = FALSE 

  1. Revoke Unnecessary Grants from APPLSYSPUB: Run afpub.sql/afpubfix.sql (FND_TOP/patch/115/sql). 

  1. Enable Unified Auditing: Apply policies for logins/DDL/sensitive data (MOS 2777404.1). 

  1. Audit Activities: Audit connections, schema changes, admin actions, etc. 

Validation: Run fnddefpw.sql for passwords; query profiles/grants; test unauthorized access. Rollback: Restore init.ora backups; re-grant privileges. Reference: MOS 1585296.1 (TDE Tablespace), MOS 1585696.1 (TDE Column), Appendix B (Schemas). 

Chapter 9: Oracle Application Tier Security 

Purpose: Secure the middle tier (OHS, WebLogic). 

Steps: (From previous runbook, summarized) 

  1. Hardening Operating Environment: Apply Chapter 12. 

  1. Configure Allowed Resources: Apply Patch 24737426; set FND_SEC_ALLOWED_RESOURCES=CONFIG; use webusage.awk for usage data; disable unused via OAM Product Hierarchy. 

  1. Configure Allowed Redirects: Set FND_SEC_ALLOWED_REDIRECTS=CONFIG; define trusted in allowed_redirects.conf. 

  1. Protect Diagnostic Pages: Set s_admin_ui_access_nodes to trusted IPs; use <Location> in trusted.conf; escape '/' as '(/)+'. 

  1. Handle Reverse Proxies/Load Balancers: Pass client IP via X-Forwarded-For; or add proxy IP to trusted.conf (MOS 1375686.1). 

  1. Secure WLS Network: Restrict admin ports (7001) to trusted; disable WSAT if unused. 

  1. Configure Logging: Set OraLogSeverity=WARNING:32 in httpd.conf; enable mod_security. 

Validation: Test denials (403 errors); review logs. Rollback: Set profiles to OFF; rerun AutoConfigReference: Allowed Resources (4-82), MOS 1334930.1. 

Chapter 10: Oracle E-Business Suite Security 

Purpose: Secure EBS-specific configurations. 

Steps: 

  1. Hardening Operating Environment: Apply Chapter 12. 

  1. Set Workflow SEND_ACCESS_KEY=N: In OWF_MGR, prevent direct URL access. 

  1. Ensure Workflow Admin Known: Query WF_RESOURCES; set to trusted role (not '*'). 

  1. Set Tools Env Vars: In default.env: 

text 

FORMS_RESTRICT_ENTER_QUERY = TRUE 

  1. Secure Attachments: Set FND_GFM_ACCESS_DURATION=5; UPLOAD_FILE_SIZE_LIMIT=4194304; FND_SECURITY_FILETYPE_RESTRICT_DFLT=No (allowlist); enable AntiSamy (FND_DISABLE_ANTISAMY_FILTER=No); use APIs for mime types. 

  1. Enable Certified HTTP Headers: X-Frame-Options=SAMEORIGIN in httpd.conf; X-Content-Type-Options=nosniff (Oct 2018 CPU); HSTS (MOS 1367293.1); secure/httpOnly cookies; SameSite (Patch 29672027). 

  1. Use TLS: Enable per MOS 1367293.1; avoid weak ciphers (RC4/SSLv3). 

  1. External Web Tier for Internet: DMZ config (MOS 1375670.1). 

  1. Terminal Services for Client-Server: Use Citrix/Oracle Secure Global Desktop; restrict DBC access. 

  1. Change Seeded Passwords: Use AFPASSWD; run fnddefpw.sql; migrate to hashed (AFPASSWD -MIGRATE). 

  1. Tighten Logon/Session Profiles: SIGNON_PASSWORD_LENGTH=8, HARD_TO_GUESS=YES, NO_REUSE=180, CASE=Sensitive, FAILURE_LIMIT=5, ICX_SESSION_TIMEOUT=30; custom validation if needed. 

  1. Shared Responsibilities: Use individual accounts for accountability. 

  1. Concurrent Manager Auth: Enter ENCRYPT/SECURE in Execution Options. 

  1. Concurrent Manager Start/Stop without APPS: Create CONCOOPER user with responsibility; update AutoConfig vars (s_cp_user, etc.). 

  1. Activate Server Security: Set s_appserverid_authentication=SECURE. 

  1. Create DBC Securely: Use AdminDesktop for external; permissions 600. 

  1. SSO Integration: Per MOS 376811.1. 

  1. Review Responsibilities/Permissions: Limit access to sensitive forms/pages (MOS 1334930.1). 

  1. Set Security Profiles: FND_DIAGNOSTICS=No, DIAGNOSTICS=No, FND_DEVELOPER_CONSOLE=No, FND_CUSTOM_OA_DEFINITION=No, FND_SECURITY_FILETYPE_RESTRICT_DFLT=No, FND_DISABLE_ANTISAMY_FILTER=No, FND_RESTRICT_INPUT=Yes, BNE_ALLOW_NO_SECURITY_RULE=No, FND_EXPORT_FORMAT=Space Escape, FND_AUTHN_SRVC_TOKEN_SCOPE=Header Only. 

  1. Restrict Responsibilities by Trust Level: Set NODE_TRUST_LEVEL=2 (site), 3 (DMZ servers); assign to responsibilities. Validation: Test features; query profiles/grants; monitor FND_UNSUCCESSFUL_LOGINS. Rollback: Restore backups; rerun AutoConfigReference: MOS 1357849.1 (Attachments), MOS 1573912.1 (Credit Cards), MOS 419475.1 (Cloning). 

Chapter 11: Desktop Security 

Purpose: Secure client desktops accessing EBS. 

Steps: 

  1. Configure Browser: Follow MOS 389422.1; disable unnecessary plugins. 

  1. Update Browser: Apply latest patches. 

  1. Update Java: Upgrade to JRE 8+; apply latest updates. 

  1. Turn Off Autocomplete: Disable in browser for forms/passwords. 

  1. Unattended PC Policy: Enforce password-locked screensavers. 

  1. Set FileStreaming No-Store: FND_SEC_FILESTREAM_NO=SECURE (prevent caching). 

Validation: Test browser access; confirm no autocomplete. Rollback: Revert browser settings. Reference: MOS 389422.1 (Browsers), MOS 2188898.1 (Java Web Start). 

Chapter 12: Operating Environment Security 

Purpose: Secure OS hosting EBS. 

Steps: 

  1. Cleanup Ownership/Access: chown oracle for $ORACLE_HOME; applmgr for $APPL_TOP; no remote login to oracle/root; use sudo. 

  1. Cleanup Permissions: umask 027; directories 750, executables 700; root .* files 600/700. 

  1. Lockdown Libraries/Programs: Disable X (no X during install); limit printers/email; SSH only (22/TCP); NTP/CRON/monitoring if needed. 

  1. Filter IP Packets: Use firewall/router; default deny; open only required ports (e.g., 8000/4443 for OHS, 7001 for WLS Admin). 

  1. Prevent Spoofing: Disable source routing; use FQDN/IP in hosts file. 

  1. Eliminate Telnet/RSH/FTP: Enforce SSH. 

  1. Verify Network: Scan for violations. 

  1. Monitor Attacks: Install IDS (Snort). 

  1. Configure Accounts: Strong passwords; disable after failures. 

  1. Limit Root: Console login only; UID 0 for root; strong password. 

  1. Manage Users: No shared accounts; disable unused; restricted shells. 

  1. Secure NFS: readonly/nosuid in /etc/exports. 

  1. Secure Devices: /dev/null writable not executable. 

  1. Secure Executables: Checksums from known sources. 

  1. Secure File Access: Minimal writable FS; user writes to home/tmpsetuid sparingly. 

  1. Maintenance: Run security scripts (MOS 2069190.1); apply OS patches; delete/lock unused accounts; monitor logs (btmp/wtmp/syslog/sulog). 

Validation: Scan with tools; test access denials. Rollback: Restore configs. Reference: MOS 2069190.1 (Scripts), MOS 1367293.1 (TLS). 

Chapter 13: Secure Configuration Console 

Purpose: Use console to validate/apply secure configs. 

Steps: 

  1. Access Console: Via Functional Administrator > Configuration Manager > Secure Configuration Console, or System Administrator > OAM Security Dashboard. 

  1. Check Guidelines: Click Check/Check All for status (Pass/Fail). 

  1. Fix Issues: Select Autofixable; click Fix. 

  1. Suppress/Unsuppress: Mute irrelevant guidelines. 

  1. Use Utility if Locked: AdminSecurityCfg <check|-fix|-status|-lock|-unlock> DBC= 

  1. Review Checks: Address Severity 1/2 failures (e.g., Allowed Resources, passwords, profiles). 

Validation: All guidelines pass/suppressed. Rollback: Use -unlock if needed. Reference: Checked Guidelines (13-3), Obsolete Checks (H-2). 

Post-Implementation for All Chapters 

  • Run Secure Configuration Console to validate. 

  • Monitor: Set alerts in OAM; review logs. 

  • Document: Update runbooks with changes; review in team meeting. 

  • Metrics: Track 99.99% availability; denied accesses. 

This runbook ensures robust EBS hardening with minimal downtime. For issues, open SR with diagnostics. Ownership starts here – execute methodically. 

 

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)