Downloaded 17 times
![Apps Web - Allowed JSPs/Resources
[oracle@apps secure]$ view allowed_jsps.conf
# +======================================================================+
# | Copyright (c) 2005, 2016 Oracle and/or its affiliates. |
# | All rights reserved. |
# | Version 12.0.0 |
# +======================================================================+
# $Header: allowed_jsps.conf 120.0.12020000.14 2016/07/08 04:32:20 sbandla noship $
/OA_HTML/AppsLocalLogin.jsp
/OA_HTML/cabo/jsps/a.jsp
/OA_HTML/cabo/jsps/frameRedirect.jsp
/OA_HTML/fndgfm.jsp
/OA_HTML/jsp/fnd/close.jsp
/OA_HTML/jsp/fnd/fnderror.jsp
/OA_HTML/OADownload.jsp
/OA_HTML/OAFrame.jsp
/OA_HTML/jsp/fnd/AOLDataStreaming.jsp
/OA_HTML/jsp/fnd/fndhelpbuilder.jsp
ā¦
ā¦
ā¦
include allowed_jsps_FIN.conf
include allowed_jsps_HR.conf
include allowed_jsps_Leasing.conf
include allowed_jsps_Procurement.conf
include allowed_jsps_SCM.conf
include allowed_jsps_CRM.conf
include allowed_jsps_VCP.conf
include allowed_jsps_diag_tests.conf
include allowed_jsps_PA.conf](https://image.slidesharecdn.com/securingoraclee-businesssuite12-180425113202/85/Securing-oracle-e-business-suite-12-1-and-12-2-technology-infrastructure-7-320.jpg)
More Related Content
![[NDC17] Kubernetesė” ź°ė°ģė² ź°ėØķ ģ°ģ“ė“źø°](https://cdn.slidesharecdn.com/ss_thumbnails/ndc-170529041601-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
![OOW16 - Planning Your Upgrade to Oracle E-Business Suite 12.2 [CON1423]](https://cdn.slidesharecdn.com/ss_thumbnails/con1423-annecarlson-ebs-122-upgrade-planning-160930185753-thumbnail.jpg?width=640&height=640&fit=bounds)
![OOW16 - Planning Your Upgrade to Oracle E-Business Suite 12.2 [CON1423]](https://cdn.slidesharecdn.com/ss_thumbnails/con1423-annecarlson-ebs-122-upgrade-planning-160930184503-thumbnail.jpg?width=640&height=640&fit=bounds)
![OOW16 - Testing Oracle E-Business Suite Best Practices [CON6713]](https://cdn.slidesharecdn.com/ss_thumbnails/con6713-testingoraclee-businesssuitebestpractices-160930182725-thumbnail.jpg?width=640&height=640&fit=bounds)
![OOW16 - Personalizing Oracle E-Business Suite: The Next Generation [CON6716]](https://cdn.slidesharecdn.com/ss_thumbnails/con6716-senthilkumarramalingam-personalizing-oracle-ebs-the-next-generation-160930182720-thumbnail.jpg?width=640&height=640&fit=bounds)
![OOW16 - Oracle E-Business Suite in Oracle Cloud: Technical Insight [CON6723]](https://cdn.slidesharecdn.com/ss_thumbnails/con6723-veshaalsingh-ebsoncloudtechnicalinsight-160930182652-thumbnail.jpg?width=640&height=640&fit=bounds)
![OOW16 - Maintenance Strategies for Oracle E-Business Suite [CON6725]](https://cdn.slidesharecdn.com/ss_thumbnails/con6725-elkephelps-maintenance-strategies-for-oracle-e-business-suite-160930182637-thumbnail.jpg?width=640&height=640&fit=bounds)
Securing oracle e-business suite 12.1 and 12.2 technology infrastructure
- 1. Session ID: Prepared by: Rememberto complete your evaluation for this session within the app! 10452 Securing Oracle E-Business Suite 12.1 and 12.2 Technology Infrastructure 21-Feb-2018 Vasu Balla Principal Consultant Pythain @r12dba
- 2. Agenda Talk about notso popular options in Oracle E-Business Suite that make it even more secure
- 3. About Me Vasu Balla ā15Years of Apps DBA Experience āPrincipal Consultant with Pythian āOracle EBS ATG CAB Member āBased out of Ottawa, Canada ā@r12dba
- 4. ABOUT PYTHIAN Pythianās 400+IT professionals help companies adopt and manage disruptive technologies to better compete 4
- 5. Systems currently managed byPythian EXPERIENCED Pythian experts in 35 countries GLOBAL Millennia of experience gathered and shared over 19 years EXPERTS 11,800 2400 5
- 6. Apps Web -Allowed JSPs/Resources ā¢ Next gen URL Firewall ā¢ Defines whitelist of allowed JSPs/Servlets for EBS 12.2 ā¢ Prevents access to JSPs which are not used ā¢ $FND_TOP/secure/allowed_jsps.conf ā¢ Oracle Doc Bug
- 7. Apps Web -Allowed JSPs/Resources [oracle@apps secure]$ view allowed_jsps.conf # +======================================================================+ # | Copyright (c) 2005, 2016 Oracle and/or its affiliates. | # | All rights reserved. | # | Version 12.0.0 | # +======================================================================+ # $Header: allowed_jsps.conf 120.0.12020000.14 2016/07/08 04:32:20 sbandla noship $ /OA_HTML/AppsLocalLogin.jsp /OA_HTML/cabo/jsps/a.jsp /OA_HTML/cabo/jsps/frameRedirect.jsp /OA_HTML/fndgfm.jsp /OA_HTML/jsp/fnd/close.jsp /OA_HTML/jsp/fnd/fnderror.jsp /OA_HTML/OADownload.jsp /OA_HTML/OAFrame.jsp /OA_HTML/jsp/fnd/AOLDataStreaming.jsp /OA_HTML/jsp/fnd/fndhelpbuilder.jsp ā¦ ā¦ ā¦ include allowed_jsps_FIN.conf include allowed_jsps_HR.conf include allowed_jsps_Leasing.conf include allowed_jsps_Procurement.conf include allowed_jsps_SCM.conf include allowed_jsps_CRM.conf include allowed_jsps_VCP.conf include allowed_jsps_diag_tests.conf include allowed_jsps_PA.conf
- 8. Apps Web -Allowed JSPs/Resources
- 9. Apps Web -Allowed JSPs/Resources ā¢ Enhanced Even further in 12.2.7
- 10. Apps Web -Allowed Redirects ā¢ Defines whitelist of allowed redirect destinations for Oracle EBS 12.2 ā¢ Prevents redirects that are not listed as allowed ā¢ $FND_TOP/secure/allowed_redirects.conf
- 11. Apps Web -Allowed Redirects #---------------- # List of hosts - use full host name # host destination.example.com #---------------- # host <REDIRECT HOST>.<REDIRECT DOMAIN> #------------------------------------------------------------------ # List of domains. A <DOMAIN NAME> matches across hosts - for example # domain example.com will match both host.internal.example.com and # host.external.example.com #------------------------------------------------------------------ # domain <REDIRECT DOMAIN> #-------------------------------------------- # Server level profiles (site or server level) #-------------------------------------------- profile APPS_SERVLET_AGENT # URL for JSP and Servlets profile APPS_WEB_AGENT # URL for PL/SQL agent profile APPS_FRAMEWORK_AGENT # URL for Self Service Applications entry point profile APPS_AUTH_AGENT # URL for OAM integration using EBS AccessGate profile APPS_SSO_POSTLOGOUT_HOME_URL # URL to redirect on logout profile ICX_DISCOVERER_VIEWER_LAUNCHER # URL to launch Discoverer Viewer profile ICX_DISCOVERER_LAUNCHER # URL directed to Discoverer Server profile ICX_REPORT_LAUNCHER # URL for Report Launcher profile ICX_FORMS_LAUNCHER # URL for the Forms Launcher profile FND_OBIEE_URL # URL for Oracle Business Intelligence Suite profile HELP_WEB_AGENT # Base URL for Applications Help profile HELP_WEB_BASE_URL # Base location Applications Help System profile APPS_LOGICAL_AGENT # Logical name for application tiers profile APPS_PORTAL # URL for Portal profile APPS_PORTAL_LOGOUT # URL for Portal Logout # Product team profiles
- 12. Apps Web -Cookie Domain Scoping ā¢ Defines scope of cookie sharing to avoid unnecessary exposure ā¢ Prevents EBS session cookie from getting hijacked ā¢ Controlled by profile option - Oracle Applications Session Cookie Domain ā¢ Set this to HOST for DMZ
- 13. Apps āPassword Hashing SQL>select ENCRYPTED_FOUNDATION_PASSWORD, ENCRYPTED_USER_PASSWORD from fnd_user where user_name ='SYSADMINā
- 14. Apps ā NewPassword Hash ā¢ Enable Nonreversible hashing for passwords ā¢ SHA1 is replaced by SHA256, SHA384 & SHA512 ā¢ Use AFPASSWD utility to migrate to new and more secure hash algos SQL> select FND_WEB_SEC.GET_PWD_ENC_MODE from dual;
- 15. Apps ā HardenPasswords
- 16. Apps ā Passwordshandling ā¢ Use secureapps option of startup shutdown scripts ā¢ Avoids use of apps db account ā¢ Allows separation of duties
- 17. Apps - TLS ā¢Enable TLS Between Web Server and Client Browser ā¢ TLS is successor to SSL and TLS 1.2 is the current recommend protocol ā¢ Make sure to disable SSLv2 & SSLv3 SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM ā¢ SHA1 based certs are deprecated, Migrate to SHA2 based certs ā¢ LetsEncrypt - Free SSL Certs https://blog.pythian.com/using-letsencrypt-certs-oracle-e- business-suite/
- 18. Apps - DMZ ā¢Activate Server Security - Secure Flag in DBC ā¢ Set the NODE_TRUST_LEVEL profile for Server ā¢ Restrict Responsibilities by setting Responsibility Trust Level profile at resp level
- 19.
- 20. DB ā EncryptSQL Traffic ā¢ As of Oracle E-Business Suite Release 12, all components are encryption compatible ā¢ ANO is free with Enterprise Edition ā¢ Just need to add these 2 lines to $TNS_ADMIN/sqlnet_ifile.ora on the DB SQLNET.ENCRYPTION_SERVER = REQUIRED SQLNET.ENCRYPTION_TYPES_SERVER= (AES256, AES192, 3DES168)
- 21. Apps security references ā¢Security Configuration and Auditing Scripts for Oracle E-Business Suite (Doc ID 2069190.1) āSet of SQL and shell scripts that generate report of different areas to secure ā¢ Secure Configuration Console āFunctional administrator > Configuration Manager tab ā¢ Oracle E-Business Suite Security Guide, Release 12.2
- 22. Session ID: Remember tocomplete your evaluation for this session within the app! 10452 balla@pythian.com @r12dba slideshare.net/vasuballa