Securing Oracle EBS on Oracle Cloud Infrastructure_PPT_v2.pdf
1.
Securing Oracle
E-Business Suite
on OCI
Everything you need to know about
OCI Security
Vasu Balla
Principal Architect and Co-Founder
BlueKevlar
Raj Mareddi
Founder and CEO
SSOGEN
2.
About Us – Vasu Balla
• Principal Cloud Architect
• Co-Founder - BlueKevlar
• Over 20 years of Oracle Experience
• Many complex projects under the belt
• OCI Certified Architect
• ISC2 – Certified Cloud Security Professional
• Speaker at multiple OAUG conferences
• https://slideshare.net/vasuballa
• BlueKevlar.com
3.
About Us – Raj Mareddi
• Founder and CEO of:
• SSOGEN Corporation
• Recrusa LLC
• Raj Mareddi has spent over 25 years in IAM/SSO
• One of the first 100 Oracle Certified Masters in the world
• Led more than 100 Oracle SSO/OAM/OID/IDCS implementations
• Implemented SSOGEN for 200+ Oracle EBS customers
• https://www.linkedin.com/in/raj-mareddi/
4.
Agenda
• EBS Overview
• OCI Overview
• Data at rest
• Data in transit
• Securing DMZ deployments
• WAF
• Custom Firewall
• Network Security
• NSG
• ZPR
• Securing User Identity - MFA
• IDCS
• Third party – SSOGEN
• Securing the perimeter
• Cloud Guard
• Security Zones
• CIS Landing Zones
5.
E-Business Suite Overview
3-Tier Architecture
• Client Tier – web browser with Java Forms
• App Tier – OHS, WebLogic, Concurrent Managers
• DB Tier – Oracle Database and Listener
Cloud Paradigm
• Provides scalability
• Subscription pricing
• Gets you out of the datacenter business
• Assume someone is always listening
• Assume someone can get to your data
9.
Data at rest
• OCI encrypts all data that is stored on disk
• It uses Oracle-managed keys to encrypt data in block volumes, object storage and file storage
• PaaS database offerings like Base Database VM and ExaCS are encrypted using TDE
10.
Data at rest – contd.
• DBCS – the encryption key is stored in the same database VM by default
• Recommended to use your own "customer-managed" keys using OCI Vault
• Limitation: cross-region replication is restricted with customer-managed keys
11.
Data in transit
• Encrypting network traffic is the customer's responsibility
• Assume any data going over the network is being listened to
12.
Data in transit
• PaaS offerings like DBCS and ExaCS encrypt SQL*Net traffic by default
• For databases running in VMs, enable it; ANO (Advanced Networking Option, native network encryption) is free with EE
• Encryption for block volume attachments is also available
• Things that are often overlooked
• Load balancer to app server traffic
• FastConnect
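The "enable it" point above hides a detail worth seeing in code: Oracle Net native encryption is negotiated between the client's and the server's sqlnet.ora settings, and the documented default on both sides (ACCEPTED) yields an unencrypted session. The following is an added example, not code from the slides or from Oracle: it parses constructed sqlnet.ora snippets, applies Oracle's documented negotiation matrix for REJECTED/ACCEPTED/REQUESTED/REQUIRED, and flags weak algorithms that a server should not offer.

```python
"""Oracle Net native network encryption: which client/server sqlnet.ora
settings actually produce an encrypted SQL*Net session?

Added example (not from the slides, not Oracle code). Evaluates the
negotiation rules Oracle documents for SQLNET.ENCRYPTION_CLIENT /
SQLNET.ENCRYPTION_SERVER and the CRYPTO_CHECKSUM counterparts.
The sqlnet.ora snippets at the bottom are constructed sample input.
"""

LEVELS = ("REJECTED", "ACCEPTED", "REQUESTED", "REQUIRED")
DEFAULT_LEVEL = "ACCEPTED"  # value Oracle assumes when the parameter is absent
# Deprecated / weak algorithm names that should not appear in the *_TYPES lists.
WEAK_ENCRYPTION = {"DES", "DES40", "RC4_40", "RC4_56", "RC4_128", "RC4_256", "3DES112"}
WEAK_CHECKSUM = {"MD5", "SHA1"}


def parse_sqlnet(text):
    """Parse 'KEY = VALUE' or 'KEY = (A, B)' lines of a sqlnet.ora into a dict of lists."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip("()")
        params[key.upper()] = [v.strip().upper() for v in value.split(",") if v.strip()]
    return params


def negotiate(client_level, server_level):
    """Return 'ON', 'OFF' or 'FAIL' per Oracle's encryption negotiation matrix."""
    if "REJECTED" in (client_level, server_level):
        other = server_level if client_level == "REJECTED" else client_level
        # REJECTED meets REQUIRED: the connection is refused outright.
        return "FAIL" if other == "REQUIRED" else "OFF"
    if client_level == "ACCEPTED" and server_level == "ACCEPTED":
        return "OFF"  # both sides merely willing, nobody asks: plaintext
    return "ON"


def assess(client_cfg, server_cfg):
    """Decide whether a session between these two sqlnet.ora files is encrypted
    and integrity-protected, and list weak algorithms the server offers."""
    client, server = parse_sqlnet(client_cfg), parse_sqlnet(server_cfg)

    def level(params, key):
        return params.get(key, [DEFAULT_LEVEL])[0]

    weak = (set(server.get("SQLNET.ENCRYPTION_TYPES_SERVER", [])) & WEAK_ENCRYPTION) | (
        set(server.get("SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER", [])) & WEAK_CHECKSUM
    )
    return {
        "encryption": negotiate(level(client, "SQLNET.ENCRYPTION_CLIENT"),
                                level(server, "SQLNET.ENCRYPTION_SERVER")),
        "integrity": negotiate(level(client, "SQLNET.CRYPTO_CHECKSUM_CLIENT"),
                               level(server, "SQLNET.CRYPTO_CHECKSUM_SERVER")),
        "weak_algorithms": sorted(weak),
    }


# Constructed sample input: a client with no encryption settings at all (the usual case).
DEFAULT_CLIENT = ""

# Constructed: a server that "supports" encryption but never demands it and still offers DES.
WEAK_SERVER = """
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, DES)
"""

# Constructed: the hardened form, which forces encryption and integrity for every client.
HARDENED_SERVER = """
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
"""

if __name__ == "__main__":
    print("default client vs weak server:    ", assess(DEFAULT_CLIENT, WEAK_SERVER))
    print("default client vs hardened server:", assess(DEFAULT_CLIENT, HARDENED_SERVER))
```

Setting the server side to REQUIRED is the safe choice for a VM-hosted EBS database: untouched clients (ACCEPTED) get encrypted automatically, and a client that explicitly REJECTS encryption is refused rather than silently falling back to plaintext.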
13.
DMZ – Web Application Firewall
• Additional layer of protection for the EBS DMZ URL exposed to the Internet
• Allows
• Conditional access
• Geo-blocking
• Rate limiting
• Blocks threats like cross-site scripting and SQL injection
• OWASP rules
• Things to remember
• Periodically go in and enable the new version of the OWASP rule set
14.
DMZ – Network Firewall
• WAF is focused on web application security at layer 7 (HTTP)
• NFW works at layer 3 to layer 7, powered by Palo Alto
• NFW can inspect
• TLS traffic
• Virus scanning
• Intrusion prevention
• URL filtering for outbound traffic (which the NAT gateway lacks)
• Hub-and-spoke is recommended
15.
DMZ – Custom Firewall
• Often customers who are multi-cloud prefer to use the same firewall vendor at all sites
• Custom firewalls can be deployed from OCI Marketplace
• Palo Alto
• Fortinet
• Check Point
• Hub-and-spoke using DRG is recommended
• Both Active/Active and Active/Passive modes are supported
16.
Network Security – NSGs
• The default Security Lists feature only limits access based on IP address and ports
• With cloud, IP addresses change in a growing environment, which forces us to whitelist whole subnet CIDR blocks in security lists
• NSGs help avoid this situation and enable micro-segmentation
• Enable point-to-point whitelisting
• When a new VM is tagged with the same NSG, its IP inherits all the security rules
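To make the security-list versus NSG difference concrete, the following added example (not from the slides, and not OCI SDK code) models ingress rules in plain Python. A security-list rule can only name a CIDR as its source; an NSG rule can name another NSG, which is what OCI's `sourceType = NETWORK_SECURITY_GROUP` expresses. The VMs, subnets and rules are constructed sample data; the evaluation mirrors OCI's behaviour that traffic is permitted if any security-list rule on the subnet or any rule in one of the destination's NSGs matches.

```python
"""Security lists vs Network Security Groups: why NSGs avoid CIDR-wide whitelists.

Added example, not from the slides and not the OCI SDK. Rule shapes loosely
follow the OCI SecurityRule object (protocol "6" = TCP, sourceType CIDR_BLOCK
or NETWORK_SECURITY_GROUP). All VMs, addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vm:
    name: str
    ip: str
    nsgs: frozenset = frozenset()  # names of NSGs this VM's VNIC belongs to


@dataclass
class IngressRule:
    protocol: str      # "6" is TCP, as in the OCI API
    port: int          # destination port
    source_type: str   # "CIDR_BLOCK" or "NETWORK_SECURITY_GROUP"
    source: str        # a CIDR string, or an NSG name


def rule_matches(rule: IngressRule, src: Vm, port: int) -> bool:
    """Does this ingress rule admit TCP traffic from src to the given port?"""
    if rule.protocol != "6" or rule.port != port:
        return False
    if rule.source_type == "CIDR_BLOCK":
        return ipaddress.ip_address(src.ip) in ipaddress.ip_network(rule.source)
    if rule.source_type == "NETWORK_SECURITY_GROUP":
        return rule.source in src.nsgs  # membership, not address, grants access
    return False


def allowed(src: Vm, dst: Vm, port: int, security_list, nsg_rules) -> bool:
    """OCI admits a packet if ANY security-list rule on the destination subnet
    OR ANY rule of an NSG the destination belongs to matches (union of rules)."""
    candidates = list(security_list)
    for nsg in dst.nsgs:
        candidates.extend(nsg_rules.get(nsg, []))
    return any(rule_matches(r, src, port) for r in candidates)


# Constructed environment: an EBS app tier that has just scaled into a second subnet.
APP_NSG, DB_NSG = "ebs-app-nsg", "ebs-db-nsg"
app1 = Vm("app1", "10.0.1.10", frozenset({APP_NSG}))
app2 = Vm("app2", "10.0.2.5", frozenset({APP_NSG}))   # new VM, new subnet, same NSG
jumphost = Vm("jumphost", "10.0.1.200")               # shares app1's subnet, not app tier
db = Vm("db", "10.0.3.20", frozenset({DB_NSG}))

# Security-list style: the only expressible source is a CIDR, so the whole subnet gets in.
SECURITY_LIST = [IngressRule("6", 1521, "CIDR_BLOCK", "10.0.1.0/24")]
# NSG style: the DB NSG admits the app NSG; no rule edit is needed when app2 is added.
NSG_RULES = {DB_NSG: [IngressRule("6", 1521, "NETWORK_SECURITY_GROUP", APP_NSG)]}


def compare(src: Vm) -> dict:
    """Evaluate the same source against the two designs for DB port 1521."""
    return {
        "security_list": allowed(src, db, 1521, SECURITY_LIST, {}),
        "nsg": allowed(src, db, 1521, [], NSG_RULES),
    }


if __name__ == "__main__":
    for vm in (app1, app2, jumphost):
        print(f"{vm.name:9s} -> db:1521  {compare(vm)}")
```

The output shows the two failure modes of the CIDR design in one place: the scaled-out app2 is blocked until someone widens the list, while the jumphost in the same subnet is admitted by accident. Under the NSG design only members of the app NSG reach the listener, which is the micro-segmentation the slide refers to.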
17.
Network Security – ZPR
• Zero Trust Packet Routing is the next generation of NSG
• Allows the rules to be defined using plain language
18.
User Identity
• Typical flow of how Oracle connects to the DB
• The same logic can be used to decrypt user passwords
19.
Securing User Identity – IDCS / IAM Domain
• Oracle EBS doesn't have built-in features to enable MFA or SSO with an external IdP like Azure Entra ID
• It depends on external systems like Oracle OAM/OID for this feature
• The cloud-native solution to enable this feature is IDCS, aka IAM Domains
• IDCS needs users to subscribe to an App Premium domain and pay a per-user fee
• Provides an add-on called EBS Asserter, which needs to be deployed on a standalone WebLogic server
• Also provides a provisioning bridge to sync users to EBS
• IDCS can be integrated with Azure AD / Okta / Ping ID
• Limitation: costs can escalate for customers who have a high user count
20.
Securing User Identity – SSOGEN
• SSO without IDCS or OAM
• Oracle Validated Integration
• Azure, Okta, and IBM Technology Partner
• MFA with MS Authenticator app
Oracle certification:
https://www.oracle.com/opn/gtm/resources/ds-ssogen-sso-integration-ebs12-8186063.pdf
Microsoft Azure certification:
https://learn.microsoft.com/en-us/entra/identity/saas-apps/ssogen-tutorial
21.
SSOGEN Architecture (diagram)
Components: User Browser → EBS App Server, consisting of OHS (SSO module: mod_ssogen.so + idp.xml) and WebLogic EBS_DOMAIN_HOME (oaea_server1 / fnd_auth.war / accessgate) → EBS Database; Your Company SSO (Azure AD/AD/ADFS/PING/Okta)
Notes:
1. SSOGEN library (mod_ssogen.so) integrates with the OHS server in EBS
2. EBS out-of-the-box component (oaea_server1/fnd_auth.war/accessgate) is enabled
3. No new servers are installed, and no new products are installed
4. No network requirements from EBS to Azure AD/Okta and no data sync
5. No administration overhead – adstpall.sh and adstrtal.sh as usual
22.
IDCS Architecture (diagram)
Components: User Browser → EBS App Server → EBS Database; separate WLS Server running EBS Asserter; Oracle IDCS Cloud (users, groups, personal info), with user sync to the cloud from AD or EBS; Your Company SSO (Azure AD/AD/ADFS/PING/Okta)
Notes:
1. A separate WLS server needs to be installed and maintained for EBS Asserter
2. Data sync to IDCS Cloud from the EBS database or Active Directory
3. Network access to the internet-based IDCS public cloud URL from the EBS server
4. Administration overhead
23.
Why SSOGEN?
• Oracle Validated Integration
• Completely on-prem solution (on EBS Server)
• Small footprint (easy to install and maintain)
• Under 10 minutes implementation
• Support for Azure AD, Shibboleth, Okta, etc.
• Does not require internet access
• Does not require data sync to Cloud like IDCS
• Simplified DR and HA process
• No EBS / JSP Customizations
• Standard EBS SSO Connector: adstpall.sh and adstrtal.sh bring SSO up/down automatically
• EBS version agnostic
• EBS Patching and Upgrades do not break SSO
24.
Azure AD Use case
• Azure native solution
• Implemented in under 10 minutes
• Not another SSO solution just for EBS, rather just an SSO connector for EBS
• No SSO server/software installation
• Just enable out-of-the-box SSO from Oracle EBS
• Azure AD MFA compatible
• MFA with MS Authenticator app, phone call, or text message
• Complete walk-through video at:
• https://www.ssogen.com/oracle-ebs-sso/
25.
Security Monitoring – Cloud Guard – CSPM
• Like a security guard, it continuously monitors the tenancy for violations
• Recipes can identify things like public buckets and disable them automatically
• Helps against insider threats as well as with data loss prevention
26.
Security Monitoring – Security Zone
• Security Zone is powered by Cloud Guard
• It prevents users from even deploying a VM if it violates the policy rules
• For example, prevent users from deploying unapproved OS images
• Prevent users from assigning public IPs to VMs, etc.
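The two slides above describe the same policy set applied in two modes: Cloud Guard detects (and can remediate) violations in resources that already exist, while a Security Zone rejects the create request so the violating resource never exists. The following added example (not from the slides, and not Cloud Guard or OCI code) is a toy policy engine over constructed resource records whose field names loosely follow OCI's (`public_access_type` on buckets, an image OCID and `assign_public_ip` on instances) and runs the same three checks both ways. The approved image OCID is a labelled placeholder.

```python
"""Cloud Guard (detect and remediate) vs Security Zones (deny at creation).

Added example, not from the slides and not OCI code. A toy policy engine over
constructed resource records. The same POLICIES list is applied as a detective
scan (report and optionally auto-fix what already exists) and as a preventive
gate (refuse a create request before the resource exists).
"""
from copy import deepcopy

# Placeholder OCID for an approved platform image (constructed, not a real OCID).
APPROVED_IMAGES = {"ocid1.image.oc1..approved-oracle-linux-8"}


def public_bucket(res):
    # Mirrors the bucket publicAccessType values: NoPublicAccess is the only safe one.
    return res["type"] == "bucket" and res.get("public_access_type", "NoPublicAccess") != "NoPublicAccess"


def vm_with_public_ip(res):
    return res["type"] == "instance" and res.get("assign_public_ip", False)


def unapproved_image(res):
    return res["type"] == "instance" and res.get("image_id") not in APPROVED_IMAGES


def make_bucket_private(res):
    res["public_access_type"] = "NoPublicAccess"


# (rule name, predicate that is True on a violation, remediation or None)
POLICIES = [
    ("public-bucket", public_bucket, make_bucket_private),
    ("public-ip-on-instance", vm_with_public_ip, None),  # no safe automatic fix
    ("unapproved-image", unapproved_image, None),
]


def cloud_guard_scan(resources, auto_remediate=False):
    """Detective mode: return (resource, rule) pairs for every existing violation.
    With auto_remediate, apply the rule's fix in place where one exists."""
    problems = []
    for res in resources:
        for name, check, fix in POLICIES:
            if check(res):
                problems.append((res["name"], name))
                if auto_remediate and fix:
                    fix(res)
    return problems


def security_zone_gate(create_request):
    """Preventive mode: raise before the resource is created if any rule is violated."""
    violations = [name for name, check, _ in POLICIES if check(create_request)]
    if violations:
        raise PermissionError(f"security zone denied {create_request['name']}: {violations}")
    return create_request


def gate_decision(create_request):
    """Convenience wrapper returning 'allowed' or 'denied' for a create request."""
    try:
        security_zone_gate(create_request)
        return "allowed"
    except PermissionError:
        return "denied"


# Constructed tenancy snapshot: one public bucket, one DMZ host that breaks two rules.
TENANCY = [
    {"type": "bucket", "name": "ebs-attachments", "public_access_type": "ObjectRead"},
    {"type": "bucket", "name": "ebs-backups"},
    {"type": "instance", "name": "ebs-app-01",
     "image_id": "ocid1.image.oc1..approved-oracle-linux-8", "assign_public_ip": False},
    {"type": "instance", "name": "ebs-dmz-01",
     "image_id": "ocid1.image.oc1..unknown-custom", "assign_public_ip": True},
]


def demo():
    """Scan, auto-remediate what can be fixed, and scan again; return both reports."""
    first = cloud_guard_scan(deepcopy(TENANCY))
    fixed = deepcopy(TENANCY)
    cloud_guard_scan(fixed, auto_remediate=True)
    second = cloud_guard_scan(fixed)
    return first, second


if __name__ == "__main__":
    before, after = demo()
    print("Cloud Guard findings before remediation:", before)
    print("Cloud Guard findings after remediation: ", after)
    print("Security zone on a public-IP instance:  ",
          gate_decision({"type": "instance", "name": "ebs-dmz-02",
                         "image_id": "ocid1.image.oc1..approved-oracle-linux-8",
                         "assign_public_ip": True}))
```

The second scan still reports the DMZ host: a public IP and an unapproved image have no safe automatic fix, which is exactly why the preventive gate matters. Denying the request up front is cheaper than finding the instance later.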
27.
Securing the perimeter – Landing Zone
• Prebuilt landing zone that conforms to CIS standards
• Ships with
• IAM groups/policies
• Network, security, app and database compartments
• Cloud Guard and Security Zones recipes
• Vault/keys
• Enables
• Separation of duties
• Logging and auditing
• CIS standards
• https://github.com/oci-landing-zones/