Channel: Oracle E-Business Suite

Oracle Critical Patch Update - October 2011 - E-Business Suite Impact


Upcoming Webinar: Out of the Fire - Adding Layers of Protection when Deploying Oracle E-Business Suite to the Internet

Out of the Fire - Adding Layers of Protection when Deploying Oracle E-Business Suite to the Internet
Thursday, March 8, 2:00pm - 3:00pm EST

When you externally deploy Oracle E-Business Suite Internet enabled modules such as iSupplier, iRecruitment, or iStore, you have potentially opened your entire environment to the Internet including all your financial and HR data. There are specific risks and inherent weaknesses in an Oracle E-Business Suite external deployment that must be properly addressed to prevent data loss or malicious use.

This education webinar follows our previous webinar "Into the Fire" (available upon request) and will discuss additional steps required for a secure implementation beyond the Oracle recommended configuration including deploying a web application firewall, a reverse proxy, and encryption.

Click here to register for the Oracle E-Business Suite webinar.

DMZ/External, Oracle E-Business Suite

Oracle E-Business Suite Security Quick Reference

A quick reference guide for securing the Oracle E-Business Suite (EBS). The guide includes information on (1) default EBS application users, (2) database accounts, (3) EBS password change utilities (FNDCPASS, AFPASSWD), (4) security related profile options, (5) AutoConfig variables for configuration security, (6) APPLSYSPUB permissions, (7) application auditing WHO columns, (8) end-user application auditing, (9) default Oracle EBS network ports, (10) recommended Oracle EBS file permissions, and (11) Integrigy recommended My Oracle Support notes.

Tags: 
Reference, Oracle E-Business Suite, Auditor, DBA

The Manager's Guide to Securing the Oracle E-Business Suite

Upcoming Webinar: The Manager's Guide to Securing the Oracle E-Business Suite

The Manager's Guide to Securing the Oracle E-Business Suite
Wednesday, June 20, 2:00pm - 3:00pm EDT

For those of you that missed this session at the recent Collaborate12 conference, please read on.

The Oracle E-Business Suite is usually an organization’s most important application and the consequences of having it compromised could be catastrophic. However, often CIOs, project managers, and technical managers have little understanding of Oracle E-Business Suite security and compliance risks and issues. This session will provide a managerial level overview of how to properly secure the application and comply with requirements such as SOX, PCI, and HIPAA, including key questions to ask DBAs and IT Security.

Click here to register for this Oracle Database Security webinar.

Webinar, Oracle E-Business Suite

Upcoming Webinar: Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues

Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues
Thursday, August 16, 2:00pm - 3:00pm EDT

Credit card data breaches are headline news, thus organizations must properly protect credit card data or risk being tomorrow's headline. Oracle E-Business Suite implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) security standards regardless of size or transaction volume. PCI is focused on securely handling cardholder data, but also has a significant emphasis on general IT security. The difficulty with the Oracle E-Business Suite and achieving PCI compliance is that even though credit card processing may be only one minor feature, the entire application installation must be fully PCI compliant due to the tight integration and data model of the Oracle E-Business Suite. This presentation will review the credit card processing within the Oracle E-Business Suite and will provide general guidance for Oracle E-Business Suite implementations on securing cardholder data and complying with relevant PCI requirements.

Click here to register for this Oracle E-Business Suite educational webinar.

Webinar, Oracle E-Business Suite

Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues

Credit card data breaches are headline news, thus organizations must properly protect credit card data or risk being tomorrow's headline. Oracle E-Business Suite implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) security standards regardless of size or transaction volume. This presentation will review the credit card processing within the Oracle E-Business Suite and will provide detailed guidance for securing cardholder data and complying with PCI-DSS.

Tags: 
Oracle E-Business Suite, Webinar, PCI

The Manager's Guide to Securing the Oracle E-Business Suite

The Oracle E-Business Suite is usually an organization’s most important application and the consequences of having it compromised could be catastrophic. However, often CIOs, project managers, and technical managers have little understanding of Oracle E-Business Suite security and compliance risks and issues. This session will provide a managerial level overview of how to properly secure the application and comply with requirements such as SOX, PCI, and HIPAA, including key questions to ask DBAs and IT Security.

Tags: 
Oracle E-Business Suite, Oracle Project Team, Webinar

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

When you externally deploy Oracle E-Business Suite Internet enabled modules such as iSupplier, iRecruitment, or iStore, you have potentially opened your entire environment to the Internet including all your financial and HR data. There are specific risks and inherent weaknesses in an Oracle E-Business Suite external deployment that must be properly addressed to prevent data loss or malicious use. This education webinar follows our previous webinar "Into the Fire - The Risks of Deploying Oracle E-Business to the Internet" (available upon request at info@integrigy.com) and will discuss additional steps required for a secure implementation beyond the Oracle recommended configuration, including deploying a web application firewall, a reverse proxy, and encryption.

Tags: 
SQL Injection, Cross-site Scripting (XSS), DMZ/External, Oracle E-Business Suite, DBA, IT Security, Oracle Project Team, Webinar

How to Audit the Top Ten Oracle E-Business Suite Security Risks

ERP Risk Advisors is kicking off a new educational webinar series titled "In-Source Your IT Audit". Please join us for the first webinar in this series titled "How to Audit the Top 10 Oracle E-Business Suite Security Risks". The presentation is based on two of Oracle's "best practice" security documents and interspersed with practical real world steps in complying with these practices. Industry experts Jeffrey T. Hare, CPA CISA CIA from ERP Risk Advisors and Stephen Kost from Integrigy will be hosting the webinar.

Tags: 
Oracle E-Business Suite, Auditor, Webinar, Sarbanes-Oxley (SOX)

Into the Fire - Deploying Oracle E-Business Suite to the Internet

When you externally deploy Oracle E-Business Suite Internet enabled modules such as iSupplier, iRecruitment, or iStore, you have potentially opened your entire environment to the Internet including all your financial and HR data. This educational webinar will discuss the risks and dangers associated with externally deploying the Oracle E-Business Suite and the steps required for a secure configuration including configuration of the responsibility governor and the URL firewall. Security measures that can be implemented to improve your security will also be discussed.

Tags: 
Oracle E-Business Suite, DBA, IT Security, Webinar, DMZ/External, SQL Injection, Cross-site Scripting (XSS)

Upgrade +1 Improving Your Security During Your Upgrade to R12

The upgrade from Oracle E-Business Suite (EBS) 11i to R12 is a unique opportunity to improve the security of your implementation by resolving existing security issues, configuring R12 securely, and taking advantage of new security features in R12. This one hour education session highlights R12 security changes and discusses a framework for a security focused R12 upgrade project. Topics include 11i and R12 differences and changes that impact security, R12 security enhancements and new features, and improving security throughout the R12 upgrade process.

Tags: 
Upgrade, Oracle E-Business Suite, Oracle Project Team, Webinar

Top Ten Fraud Risks in the Oracle E-Business Suite

Guarding against fraud within the Oracle E-Business Suite requires multiple actions on several fronts – within the ERP applications, written policies and procedures, and IT security. Setting up roles and responsibilities to ensure segregation of duties, developing anti-fraud policies and procedures, and implementing effective monitoring are required. IT security must be implemented by installing rigorous controls and configurations, requiring operational best practices and procedures, and monitoring for fraudulent activities. Please join us for this one hour educational webinar from ERP Risk Advisors and Integrigy to learn about the Top Ten Fraud Risks in the Oracle E-Business Suite. Topics include: Effective Segregation of Duties, Anti-Fraud Policies and Procedures, Meaningful Monitoring within the Applications, Monitoring for IT Security, Secure Passwords, and Guarding Access to Data.

Tags: 
Sarbanes-Oxley (SOX), Oracle E-Business Suite, Auditor, Webinar

Upgrade Your Security in Your R12 Upgrade

The upgrade from Oracle E-Business Suite (EBS) 11i to R12 is a unique opportunity to improve the security of your implementation by resolving existing security issues, configuring R12 securely, and taking advantage of new security features in R12. This one hour education session will highlight R12 security changes and discuss a framework for a security focused R12 upgrade project. Topics will include (1) 11i and R12 differences and changes that impact security, (2) R12 security enhancements and new features, and (3) improving security throughout the R12 upgrade process.

Tags: 
Upgrade, Oracle E-Business Suite, DBA, Oracle Project Team

Internal Auditor Primer: Oracle E-Business Suite Security Risks

Internal Auditors are trained to understand the financial aspects and the end user functionality of an ERP solution. However, most Internal Auditors have not been trained in the security features of an ERP system. This one hour auditing primer webinar will highlight the basic security that should be found within all implemented Oracle E-Business Suite (EBS) systems. Topics will include: (1) Compliance issues regarding PCI, HIPAA, SOX, (2) Protection of Sensitive Data within the Oracle EBS, (3) Best Practices for securing the Oracle EBS, (4) Concerns and risks with user privileges, excessive access, insecure access, and (5) Secure external access to Oracle EBS (iStore, iSupplier, iRecruitment, iSupport, etc.).

Tags: 
Sarbanes-Oxley (SOX), Oracle E-Business Suite, Auditor, Webinar

Deploying Oracle E-Business Suite 12.2 SOAP Web Services

This is the fifth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Physically deploying SOAP-based web services for the Oracle E-Business Suite is more complicated than for REST. SOAP interfaces are best used to support heavy-duty solutions such as Business-to-Business (B2B) interfaces. To deploy SOAP services for the Oracle E-Business Suite, the Oracle SOA Suite must be licensed and configured. Once the SOA Suite is installed and configured, two (2) WebLogic servers will exist. The first WebLogic server is the initial WebLogic server supporting the Oracle E-Business Suite and the second is the WebLogic server supporting the SOA Suite. Integration between the two WebLogic servers is done both through HTTP and through the ISG client. The ISG client is installed on the SOA Suite’s WebLogic server and uses Oracle’s proprietary T3 protocol to do the majority of the heavy lifting for communication with the E-Business Suite.

When a SOAP service is deployed within the Integrated SOA Gateway forms in the Oracle E-Business Suite, the SOAP Web Services Description Language (WSDL) file defining the web service is generated on the second WebLogic server, the SOA Suite WebLogic server, not the E-Business Suite’s WebLogic server. The interaction with B2B business partners using the web service then occurs between the Oracle SOA Suite and the business partner’s servers. Ultimately the Oracle E-Business Suite generates or receives the information, but the Oracle E-Business Suite does not directly communicate with the B2B partners.

SOAP Needs a Separate SOA Suite WebLogic Server

Only the SOA Suite communicates with B2B clients

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite

Credit Card and Bank Account Decryption No Longer Possible in Oracle E-Business Suite

In January 2014 Integrigy published extensive research and recommendations on how best to secure credit cards and bank accounts within the Oracle E-Business Suite. This research is available here: Oracle E-Business Suite: Credit Cards and PCI Compliance.

With Release 12 of the Oracle E-Business Suite, Oracle consolidated new functionality to encrypt credit cards and external bank accounts into the new Payments module. Integrigy’s recommendation in January 2014 was that if encryption was enabled, the concurrent programs that optionally decrypt credit cards and external bank accounts should also be disabled. Integrigy's rationale for this recommendation was that decryption should only be allowed in a carefully controlled and managed process. End-dating the decryption request set and concurrent programs would prevent the decryption programs from being run accidentally or run for nefarious purposes – in production, but certainly in non-production databases.

Evidently, Oracle is now once again taking a security recommendation from Integrigy by permanently disabling the decryption programs. Per Oracle’s security team, the decryption programs have been disabled. For more information refer to Oracle Support Note 2209450.1, posted December 1, 2016 - "Is It Possible To Decrypt the Bank Accounts Data After Enabling The Encryption Feature."

If you have questions about protecting credit cards and/or external bank accounts in the Oracle E-Business Suite or have questions about this blog post, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Encryption, PCI, Oracle E-Business Suite

Oracle E-Business Suite Mobile and Web Services Security Explained - Starting with URL Firewall

This is the sixth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

How are web services secured in Oracle 12.2? To start at the beginning, the “front door” of the Oracle E-Business Suite is its web server, the Apache server deployed within the WebLogic server that is installed with release 12.2. Securing an Apache web server largely consists of setting various directives in the Apache configuration file (httpd.conf). For the Oracle E-Business Suite, these critical settings are maintained by Oracle through the AutoConfig utility.

URL Firewall

The most important setting for Internet-facing clients is the include for the Oracle E-Business Suite’s URL Firewall. When the URL Firewall is included in the httpd.conf, every web request is passed through the URL Firewall, both for forms and for web services. The URL Firewall is a non-discretionary, mandatory requirement when the Oracle E-Business Suite is deployed on the Internet.

HTTPD.CONF include for the URL Firewall

The URL Firewall is a template maintained by Oracle that whitelists those forms (e.g. JSP pages) that Oracle Corporation has hardened for use on the Internet. If a JSP is not listed (“whitelisted”) in the file url_fw.conf, it should NOT be used on the Internet. Be sure to use the latest version of the template, as Oracle periodically updates it.

In the template, Oracle comments out all lines which effectively “Denies All.” To use the url_fw.conf, DBAs at each client site need to manually uncomment (“open”) specific JSP pages appropriate to their site. This “opening” by the DBAs must be carefully done and routinely reviewed.

Whether url_fw.conf is called or not is determined by the node's trust level. Most large Oracle E-Business Suite implementations have multiple web servers (referred to as nodes). To deploy the Oracle E-Business Suite on the Internet, one or more nodes are deployed in a DMZ. If the web node handling the request is flagged as an "Internal" node, url_fw.conf is skipped. If however the node's trust level is flagged as "External" because the node is deployed in the DMZ, url_fw.conf is called.

When called, url_fw.conf applies regular expressions to the web request to determine whether the request BOTH exists in the whitelist AND has been uncommented (“opened”) by the DBAs. If no match is found, a default-deny result is returned. In security terms, this means all requests are rejected unless explicitly allowed. If a match is found, the web request continues and the WebLogic server then proceeds with authentication and authorization tasks.

Example of URL FW line uncommented

Enabling and configuring the URL Firewall is the first step in securing web services. Unfortunately, Oracle buries the documentation for the URL Firewall in Appendix E of the DMZ configuration guide – see the reference section of this paper for more information on the documentation.

Securing web services is more complicated in that a second whitelist is appended to the first. To secure Oracle E-Business Suite web services, url_fw.conf calls url_fw_ws.conf. As with the configuration of url_fw.conf, the documentation is buried deep in Appendix E of the DMZ configuration guide.

Unlike url_fw.conf, which is supplied as a static listing of JSP pages, url_fw_ws.conf is generated by running a utility (txkGenWebServiceUrlFwConf.pl). After it is generated, DBAs similarly need to manually uncomment only those lines for the web services being used. If a web service is not found to be whitelisted, a default-deny rule is applied; all web services left commented out are denied.
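The allowlist behaviour described above (commented-out lines stay closed, a final default deny, the web-service list appended to the forms list, and the node trust level deciding whether the firewall runs at all) modelled as an added Python example; this is not Oracle's code and not part of the original post. It assumes the templates use mod_rewrite-style rule lines, and every rule, path and file fragment in it is constructed.

```python
"""Model of how url_fw.conf / url_fw_ws.conf allowlists decide a request.

Added illustration, not Oracle's code. Assumes the templates use mod_rewrite
lines `RewriteRule <regex> - [L]` (allow once a DBA uncomments it) with a final
`RewriteRule .* - [F]` (default deny); sample rules and paths are constructed.
Verify the line syntax against your own url_fw.conf before trusting the parser.
"""
import re
from typing import List, NamedTuple

class Rule(NamedTuple):
    regex: str     # pattern text as written in the file
    flag: str      # "L" = allow and stop, "F" = forbidden (HTTP 403)
    enabled: bool  # False while the line is still commented out

# Constructed sample of url_fw.conf: two pages "opened", one still closed.
URL_FW_CONF = r"""
RewriteRule ^/OA_HTML/AppsLocalLogin\.jsp$ - [L]
RewriteRule ^/OA_HTML/OA\.jsp$ - [L]
#RewriteRule ^/OA_HTML/ibeCZzpHome\.jsp$ - [L]
RewriteRule .* - [F]
"""
# Constructed sample of a generated url_fw_ws.conf: one service opened.
URL_FW_WS_CONF = r"""
RewriteRule ^/webservices/rest/supplier/.*$ - [L]
#RewriteRule ^/webservices/SOAProvider/.*$ - [L]
"""
RULE_RE = re.compile(r"^\s*(#?)\s*RewriteRule\s+(\S+)\s+-\s+\[([LF])\]\s*$")

def parse_rules(conf_text: str) -> List[Rule]:
    """Keep commented-out rules too, so an audit can list unopened entries."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if m:  # other comment and blank lines carry no rule
            commented, regex, flag = m.groups()
            rules.append(Rule(regex, flag, commented == ""))
    return rules

def build_chain(fw_text: str, ws_text: str) -> List[Rule]:
    """url_fw_ws.conf is appended to url_fw.conf; the deny-all rule must stay
    last or it would shadow every web service (assumed ordering)."""
    fw = parse_rules(fw_text)
    allows = [r for r in fw if r.flag != "F"]
    deny_all = [r for r in fw if r.flag == "F"]
    return allows + parse_rules(ws_text) + deny_all

def evaluate(path: str, rules: List[Rule]) -> str:
    """First enabled matching rule wins; no match at all is also a deny."""
    for rule in rules:
        if rule.enabled and re.search(rule.regex, path):
            return "ALLOW" if rule.flag == "L" else "DENY"
    return "DENY"

def check_request(trust_level: str, path: str, rules: List[Rule]) -> str:
    """An 'Internal' node skips url_fw.conf entirely; 'External' applies it."""
    if trust_level.lower() == "internal":
        return "ALLOW"
    return evaluate(path, rules)

def unopened_entries(rules: List[Rule]) -> List[str]:
    """Template entries still commented out: what a reviewer compares against
    the pages and services the site actually needs."""
    return [r.regex for r in rules if not r.enabled]

if __name__ == "__main__":
    chain = build_chain(URL_FW_CONF, URL_FW_WS_CONF)
    for path in ("/OA_HTML/AppsLocalLogin.jsp", "/OA_HTML/ibeCZzpHome.jsp",
                 "/webservices/rest/supplier/list", "/webservices/SOAProvider/x"):
        print(path, check_request("External", path, chain))
    print("still closed:", unopened_entries(chain))
```

Running it against a real url_fw.conf and url_fw_ws.conf pair gives a quick list of which template entries a site has opened, which is the list the routine review mentioned below should be checking.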

Example of URL FW WS.conf

Errors in selecting a node’s trust level or in configuring either url_fw.conf or url_fw_ws.conf have serious security consequences and should be routinely reviewed as part of on-going security audits.

Web services can be publicly deployed without using the URL Firewall. For example, clients can, if they so choose, route Internet traffic directly to the E-Business Suite without setting up an External node. Integrigy Corporation highly recommends against doing this and recommends always using the URL Firewall when deployed on the Internet, both for forms and for web services.

URL Firewall called by Node Trust Level

httpd.conf calls the URL Firewall

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite

Oracle E-Business Suite 12.2 Web Services Security: Authentication and Authorization

This is the seventh posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

Once traffic is accepted and passed by the URL Firewall, WebLogic initiates the standard Oracle E-Business Suite authentication and authorization procedures. Web services are authenticated and authorized no differently than for end-users.

Authorization rules for web services are relatively easy to configure in that all web services are defined as functions. The Oracle E-Business Suite's function security scheme and rules engine apply equally to GUI forms and to web services. In other words, the table APPLSYS.FND_FORM_FUNCTIONS defines all the forms that users use as well as all web services deployed. Menus are then built referencing these functions, and Oracle E-Business Suite user accounts (APPLSYS.FND_USER) are given responsibilities with the menus of functions. These user accounts can be staff members or can be generic accounts (e.g. to support specific web services). Ensuring that only appropriate users and responsibilities can call specific web services is the same critical step as ensuring that only appropriate users can use specific forms.

There are two authentication options for web services: local FND_USER passwords and tokens. Tokens can be SAML send vouchers or E-Business Suite session IDs. Whichever is used, ensure that accounts are not inappropriately over-privileged and that the passwords and tokens are not widely known and/or shared.

If you have any questions, please contact us at info@integrigy.com

-Michael Miller, CISSP-ISSMP, CCSP, CCSK

Web Services, DMZ/External, Oracle E-Business Suite

Capture Change Ticket Numbers In Oracle Database Audit Streams

Reconciling database events to ticket numbers is a time consuming manual task that can be easily automated. The solution is to populate the client_id context variable (CLIENT_IDENTIFIER), a standard feature of the Oracle RDBMS. Once set, the CLIENT_ID is written to the Oracle audit logs for any auditing activity generated during that session. By having the ticket id within the audit logs, reconciliation can be easily automated.

Tags: 
Auditing, Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Business Intelligence (OBIEE), Oracle Audit Vault

Logging PeopleSoft, E-Business Suite and SAP End-Users in Oracle RDBMS Audit Logs

Logging and auditing database connections to application users for SAP, PeopleSoft and the E-Business Suite is possible with a standard feature of the Oracle RDBMS. SAP, PeopleSoft and the E-Business Suite all populate a database attribute that is automatically passed to Oracle’s native audit logs. This attribute is the CLIENT_ID and within the Oracle dictionary and documentation is also referred to as CLIENTID and CLIENT_IDENTIFIER.

The CLIENT_ID is an application context. Application contexts are name-value pairs that the Oracle Database stores in memory. Consider application contexts as global variables that hold information for the duration of a session; they are not persistent.

The CLIENT_ID context is NOT the same as the CLIENT_INFO context. The essential difference between the two is that one contains the application’s end-user username and is passed to the native Oracle audit logs, while the other holds an abbreviated application log string and is not passed to Oracle’s native audit logs.
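The two uses of CLIENT_ID described in this post and in the change-ticket post above (a DBA session tagging its work with a ticket number, an application session tagging it with the end-user name) combined in one added Python example that reconciles audit rows to a ticket register; this is not Integrigy's or Oracle's code and not part of either post. It assumes the DBA session set the value with DBMS_SESSION.SET_IDENTIFIER, and the audit rows, ticket format and ticket register are constructed.

```python
"""Reconcile Oracle audit-trail rows to change tickets via CLIENT_IDENTIFIER.

Added illustration, not Integrigy's or Oracle's code. A DBA session records
its ticket with DBMS_SESSION.SET_IDENTIFIER('<ticket>') before making changes
and the value then appears in the CLIENT_ID column of every audit row for
that session; application sessions (EBS, PeopleSoft, SAP) set the same
attribute to the application end-user name. The audit rows, ticket format and
ticket register below are constructed for the example.
"""
import re
from typing import Dict, List, Optional

# Assumed ticket format for this example: "CHG" followed by six digits.
TICKET_RE = re.compile(r"^CHG\d{6}$")
# Privileged actions that should always trace back to an approved ticket.
PRIVILEGED = {"ALTER USER", "CREATE USER", "GRANT", "DROP USER"}

# Constructed rows modelled on a few DBA_AUDIT_TRAIL columns.
AUDIT_ROWS: List[Dict[str, Optional[str]]] = [
    {"ts": "2016-12-01 09:15:02", "db_user": "DBA_SMITH", "client_id": "CHG004711",
     "action": "ALTER USER", "obj": "APPS"},
    {"ts": "2016-12-01 09:16:40", "db_user": "DBA_SMITH", "client_id": "CHG004711",
     "action": "GRANT", "obj": "FND_USER"},
    {"ts": "2016-12-01 11:02:13", "db_user": "APPS", "client_id": "JDOE",
     "action": "UPDATE", "obj": "FND_USER"},
    {"ts": "2016-12-01 23:47:55", "db_user": "DBA_JONES", "client_id": None,
     "action": "ALTER USER", "obj": "SYSADMIN"},
    {"ts": "2016-12-02 08:03:09", "db_user": "DBA_JONES", "client_id": "CHG009999",
     "action": "CREATE USER", "obj": "TEMP_DBA"},
]
# Constructed change register: the tickets the change process actually approved.
APPROVED_TICKETS = {"CHG004711"}

def classify(row: Dict[str, Optional[str]], approved: set) -> str:
    """Bucket one audit row by what its CLIENT_ID says about the session."""
    cid = row["client_id"]
    if not cid:
        return "no_identifier"       # session never set a ticket or user
    if TICKET_RE.match(cid):
        return "reconciled" if cid in approved else "unknown_ticket"
    return "application_user"        # EBS/PeopleSoft/SAP end-user session

def reconcile(rows, approved) -> Dict[str, List[dict]]:
    """Group rows into buckets; 'reconciled' rows need no manual follow-up."""
    buckets: Dict[str, List[dict]] = {
        "reconciled": [], "unknown_ticket": [], "no_identifier": [], "application_user": []}
    for row in rows:
        buckets[classify(row, approved)].append(row)
    return buckets

def unticketed_privileged(rows, approved) -> List[dict]:
    """Privileged actions with no approved ticket behind them: the rows a
    reviewer has to chase, whether the cause is a missing SET_IDENTIFIER
    call, a typo in the ticket number, or an unauthorized change."""
    return [r for r in rows
            if r["action"] in PRIVILEGED and classify(r, approved) != "reconciled"]

if __name__ == "__main__":
    for name, rows in reconcile(AUDIT_ROWS, APPROVED_TICKETS).items():
        print(f"{name}: {len(rows)} row(s)")
    for r in unticketed_privileged(AUDIT_ROWS, APPROVED_TICKETS):
        print("follow up:", r["ts"], r["db_user"], r["action"], r["obj"], r["client_id"])
```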

Tags: 
Auditing, Oracle Database, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Business Intelligence (OBIEE), SAP