That light at the end of the tunnel might be a freight train
If you’re running 12.2 and considering 12.2.6 any time in the near future, you need to be aware of significant changes coming to the security requirements of EBS. At the East Coast Oracle conference in Raleigh a few weeks back, I sat in a session by Elke Phelps (Oracle) entitled “Ready or Not: Applying Secure Configuration to Oracle E – Business Suite“. Oracle EBS is getting serious, if not belligerent, about security.
Bottom line: If you don’t comply with their security recommendations, your users will not be able to log into EBS. That’s right. This is probably the most concerning thing about the changes: they’re not suggested. Don’t believe me? Check out Doc 2174164.1 section 3.1:
The Secure Configuration Console automates the security configuration process by consolidating the security configuration process onto one user interface and creating a single checkpoint entry into the system. It checks your system against 16 high-priority security configuration guidelines and makes recommendations to the system administrator to either fix or suppress the failure. Until the system administrator acknowledges these checks, users will be denied entry into the system.
Do I have you attention now?
Here’s the thing: most of the things it appears to be concerned with are either simple fixes or common sense. While I haven’t seen it myself, I’ve been assured there is a page somewhere (in OAM?) where the apps DBA can go in and check boxes saying “I understand I’ve broken security rules, now please let me use my ERP”. Think: DEV environments.
One problem with all of this is it’s implemented in Oracle’s typical unwieldy and disparate manner. Start by grinding your way through the 468 page Oracle Ebusiness Suite R12.2 security guide. Let me just say it’s not a real page turner and I’ve had less reading in graduate level courses.
So we move on to 2069190.1 where you can find a nifty set of scripts called EBSSecConfigChecks.zip. This is run against your database, and comes back with somewhat actionable results. I will admit, it found some things I wasn’t aware of, but it’s not perfect. By the numbers:
- Check: Security Profiles: Configuration ERRORS
- This checks POVs to see if you’re doing anything wrong. In my case, it didn’t like a site level POV called Framework Validation Level (value was set to none). The problem with this assessment, is that this isn’t a POV I can find in any way. As in, I can’t query it up in forms, and when I try to use fnd_profile.save to change it, it errors. First check and I have to open an SR. Great start!
- Check: Security Profiles: Configuration WARNINGS
- This appears to check and see who has the ability to run diagnostics in EBS, as well as who can attach files and personalize self service bits. The problem is, it doesn’t bother to check and see if the EBS user with these privs is end dated. So I wound up with a list of end-dated consultants from our R12.2 upgrade, none of which can log in, and a list of IT super users.
- Check: Security Profiles: Configuration MISSING
- No idea, I “passed” this one
- Check: Application Users with Default Passwords
- I’ll give Oracle credit on this one, it found some interesting things here. I had to change my guest password, and disable autoinstall. Hint: try to find that user.. when you get tired of that game, run FND_USER_PKG.DISABLEUSER(‘AUTOINSTALL’);
- It also found some schemas which had the default password. As in, all the new schemas presumably introduced by the 12.2 upgrade, so kudos to Oracle there. Mine were ddr, dna, dpp, gmo, ibw, inl, ipm, jmp, mth, qpr and rrs. Obviously I hadn’t run FNDCPASS against “ALL” since the upgrade, and so these were just hanging around.
- Check: DB Users With Default Passwords
- Again, a handful out there, but if the script would exclude “EXPIRED & LOCKED” that’d be great. Most significant was applsyspub. I swear it used to be you were told not to change this, but it’s easy enough to fix with FNDCPASS
- Check: For excessive privs in APPLSYSPUB
- Passed this one
- Check: Oracle Applications User Passwords Migrated to Non-Reversible Hash Password
- Yeah, I hadn’t done this. It’s an easy fix see 457166.1
- Check: Server Security Status
- Passed this one
- Check: SSL Status
- You need to be using TLS 1.2. See 2143101.1. If you’re not familiar with the process, welcome to a lot of work. And now you get to keep up with an external signing authority! Yay work!
- Check: Credit Card Encryption Status
- Beats me, I failed this, but we don’t store this in the database, so perhaps that would be helpful to note.
- Check Status of 12.2 Security Features
- I had a recommendations here, because I allowed unrestricted JSP access, unrestricted redirects and a setting it didn’t like for Cookie Domain. This is probably legitimate, but it’s going to cause havoc with our Oracle APEX implementation and will likely take time to fix. There’s a script called txkCfgJSPWhitelist.pl in $FND_TOP/patch/115/bin which may help you (“Oracle E-Business Suite Release 12.2.6 delivers a configuration script which can assist in configuring the products in your Allowed JSP lists. Products will be turned off in the Allowed JSP family configuration files based on whether recent transactions are detected for the product. Customers are strongly recommended to configure the Allowed JSPs using this script.”). Check out the Oracle EBS Security Guide
- Check: Users with Access to Sensitive Pages
- Disabled by default. I guess I pass?
Where this falls apart for me
They’re going to hold your EBS hostage until you address security gaps? Unacceptable. While it’s true, you’re not going to wake up one morning to users unable to log into production, it’s still a rather arrogant shift. I happen to know my company paid a fortune for their software, but now I’m not so confident we own it. This feels like some back room legal department at Oracle decided to get a record that “so and so” at XYZ company deliberately agreed to ignore our security recommendations, and we have it on the record because they checked boxes acknowledging they assume the risk. Except the reciprocal is not true. If I get hacked despite having complied with Oracle recommendations, I’m pretty sure Oracle isn’t going to write me a check to help me fix it.
Oracle is making assumptions about my environment and punishing me if I don’t comply. What if I have no internet exposure? What if this is a DEV environment where I don’t care or can’t afford to keep up with TLS 1.2?
Instead, a warning message (old school nag screen) at login to any user stating something like “Your corporate EBS may be at risk to security vulnerabilities, please contact your system administrator” would have been equally effective. I’m not going to let that screen be up there for the world to see, and I will get phone calls. But if something happens beyond my control, my users can still get into EBS.