COLLABORATE 14 Presentation Template

OAUG Applications Technology Stack Special Interest Group
September 28th 2014, Session ID: SIG9074
Moscone West – 3009, 12:00PM - 12:45PM
Sandra Vucinic, Moderator
Michael Barone
Marvin Sanchez
Agenda
• Welcome & Introduction – Sandra Vucinic
• Introductions
• Securing Your E-Business Suite Environment – Michael Barone and Marvin Sanchez
• EBS Applications Technology SIG Panel
EBS Applications Technology SIG
The general purpose of the ATS SIG is to inform and educate our members on current and future middleware components as they relate to the Oracle E-Business Suite.
Join the EBS Applications Technology SIG! http://ebsatssig.oaug.org
Send papers/presentations for inclusion on the website to
We are on LinkedIn: OAUG EBS Applications Technology Stack SIG
EBS Applications Technology SIG Board
• President: Sandra Vucinic, VLAD Group, Inc.
• Vice President: Jon Walthour, CNO Financial Group
• Program Director: Jain Ashish, Gallup
• Membership Director: Marvin Sanchez, Pharmavite
• Web Site Director: Michael Barone, OATC, Inc.
• Meeting Director: Christina Blincoe, Burns & McDonnell
• Past President: Srini Chavali, Oracle
Connect with the OAUG at OpenWorld
Booth 3131 in Moscone West and Users Group Pavilion in Moscone South
• Ask questions and share answers with other Oracle Applications users and experts.
• Visit oaug.org/openworld to join the discussion
Special membership offers
• 15 months for the price of 12
• 3 months at ¼ of the regular price
OAUG: E-Business Suite Security
E-Business Suite Security Areas (slide diagram, flattened in the transcript):
Securing Authentication; Securing Authorization; Securing Data in Flight; Securing Copies
Application areas shown: Procurement, HR, Finance
Controls shown on the slide:
• SSL encryption for EBS clients
• Transparent Data Encryption
• ANO encryption for database traffic
• Data Masking in cloned databases
• Strong user authentication
• Smartcards / CAC
• Biometrics
• Role Based Access
• Virtual Private Database
• Database Vault
• Digital signatures
• Credit card encryption
2014: Over Twenty (20) High-Profile Security Breaches:
• Aaron Brothers Craft Stores
• Jimmy John's Sandwich Shops
• Adobe – Software
• Kickstarter (Crowd Funding Application)
• Albertson's Super Value Stores
• LinkedIn (Social Network Site)
• California DMV
• Michaels Craft Stores
• Dairy Queen Restaurants
• P.F. Chang's Restaurants
• eBay – Online Auction Site
• Smucker's Jams and Jelly
• Goodwill Stores
• StubHub Ticket Site
• HealthCare.gov (Medical Records)
• Target Super Stores
• Home Depot Home Improvement Stores
• US Department of Homeland Security
• Hospitals – Patient-Records Security Breach
• Yahoo
Architecture slides (diagrams not in the transcript): E-Business Suite 11i; E-Business Suite 12.0/12.1; E-Business Suite 12.2
E-Business Suite Release Dates:
11.5.10: Nov 2004 (technology stack: Apache; Oracle 8i Forms and Reports)
12.0: Jan 2007
12.1: May 2009; 12.1.2: Dec 2009; 12.1.3: Aug 2010 (technology stack: OC4J, Apache; Oracle 10g Forms and Reports)
12.2: Early-Adopter/General-Release, October 2013; 12.2.2: October 2013; 12.2.3: December 2013; 12.2.4: September 2014 (technology stack: Oracle HTTP Server (OHS), WebLogic Server (WLS), Oracle Developer 10.1.2; Apache 2.2, WebLogic JSP, BC4J; UIX 11g, BI Publisher, Forms)
E-Business Support Dates (slide by Cliff Godwin, Oracle Sr. VP, OOW 2013; chart not in the transcript)
2014: Security Advisory
http://krebsonsecurity.com/2014/04/critical-java-update-plugs-37-security-holes/
Oracle has pushed a critical patch update for its Java SE platform that fixes at least 37
security vulnerabilities in the widely-installed program. Several of these flaws are so
severe that they are likely to be exploited by malware or attackers in the days or weeks
ahead. So — if you have Java installed — it is time to update.
The latest update for Java 7 (Java Runtime Environment (JRE) 1.7)
(the version most users will have installed) brings the program to Java 7 Update 68.
Those who’ve chosen to upgrade to the newer, “feature release” version of
Java — Java 8 — will find fixes available in Java 8 Update 5
(Java 8 doesn’t work on Windows XP).
According to Oracle, only four (4) of the 37 security-holes that are fixed in this release
earned a Common Vulnerability Scoring System (CVSS) of 10.0 (most severe); easily
exploited without Authentication and can result in a complete compromise of the
host operating system.
E-Business Suite AppsTier ORACLE_HOME Upgrade: (Java 7)
For EBS 11i:
• Support Note: 290807.1, Deploying Sun JRE (Native Plug-in) for Windows Clients, EBS 11i
• Support Note: 290807.1, Upgrading Developer 6i with Oracle E-Business Suite 11i
For EBS 12:
• Support Note: 393931.1, Deploying Sun JRE (Native Plug-in) for Windows Clients, EBS 12
• Support Note: 437878.1, Upgrading OracleAS 10g Forms and Reports in Oracle E-Business
E-Business Suite AppsTier ORACLE_HOME Upgrade: (Java 7)
Prerequisites for 32-bit and 64-bit JRE certifications
PC-Clients: JRE 1.7.0_21 32-bit + EBS 12.0 & 12.1
• Windows XP SP3, Windows Vista SP1 and SP2
• Windows 7 and Windows 7 SP1
• Forms 10g overlay patch 14614795 (Note 437878.1)
• SSL Users: 10.1.0.5 version of Patch 6370967 applied to AS 10.1.3 with OPatch. This fix is already included in the April 2011 AS 10.1.3.5 CPU patch and later.
PC-Clients: JRE 1.7.0_21 64-bit + EBS 12.0 & 12.1
• Windows 7 (64-bit) and Windows 7 SP1 (64-bit)
• Forms 10g overlay patch 14614795 (Note 437878.1)
• SSL Users: 10.1.0.5 version of Patch 6370967 applied to AS 10.1.3 with OPatch. This fix is already included in the April 2011 AS 10.1.3.5 CPU patch and later.
Oracle Support: Security Scripts 403537.1
Primary Authors: Erik Graversen, Eric Bing
Contributors: David Kerr, George Buzsaki, Deepak Louis, Andy Philips, Ashok Subramanian, Rajiv Muthyala, Remi Aimsuphanimit, Emily Nordhagen.
Secure Configuration Guide for Oracle E-Business Suite Release 12 (covers Oracle E-Business Suite Release 12.0, 12.1, and 12.2)
Oracle E-Business Suite Security Configuration Check Scripts (ZIP)
Oracle Support: Secure Configuration Guide for E-Business 12
Overview
Keep software up to date
Restrict network access to critical services
Follow the principle of least privilege
Monitor system activity
Keep up to date on latest security information
Oracle TNS Listener Security
Harden operating environment
Add IP restrictions or enable Valid Node Checking
Specify connection timeout
Enable encryption of network traffic
Enable TNS Listener password (only if required)
Enable admin restrictions
Enable TNS Listener logging
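As an added example (not code from the OAUG deck or from Oracle's 403537.1 check scripts), a small Python audit that parses a sqlnet.ora and listener.ora and reports which of the TNS Listener checklist items above are not met. The parameter names are Oracle Net parameters; the file contents, host names and address range are constructed, and the listener is assumed to be named LISTENER.

```python
# Audit Oracle Net files against the TNS Listener hardening checklist (added example).
import re

# Constructed "as installed" configuration: every checklist item is missing or weak.
SQLNET_ORA = """
SQLNET.EXPIRE_TIME = 10
TCP.VALIDNODE_CHECKING = no
SQLNET.ENCRYPTION_SERVER = accepted
"""
LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ebsdb.example.com)(PORT = 1521))))
LOGGING_LISTENER = OFF
"""
# Constructed hardened configuration for the same listener.
HARDENED_SQLNET = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (ebsapp01.example.com, 10.0.5.0/24)
SQLNET.INBOUND_CONNECT_TIMEOUT = 10
SQLNET.ENCRYPTION_SERVER = REQUIRED
"""
HARDENED_LISTENER = LISTENER_ORA.replace("LOGGING_LISTENER = OFF", """
ADMIN_RESTRICTIONS_LISTENER = ON
LOGGING_LISTENER = ON
INBOUND_CONNECT_TIMEOUT_LISTENER = 10""")

def parse_params(text):
    """Top-level NAME = VALUE lines, upper-cased; nested (DESCRIPTION ...) lines are skipped."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.+?)\s*$", line)
        if m:
            params[m.group(1).upper()] = m.group(2).upper()
    return params

def audit(sqlnet, listener, name="LISTENER"):
    """(check, passed) per checklist item; listener parameters carry the listener name as suffix."""
    s, l = parse_params(sqlnet), parse_params(listener)
    return [
        ("valid node checking", s.get("TCP.VALIDNODE_CHECKING") == "YES" and "TCP.INVITED_NODES" in s),
        ("connection timeout", "SQLNET.INBOUND_CONNECT_TIMEOUT" in s and f"INBOUND_CONNECT_TIMEOUT_{name}" in l),
        ("network encryption", s.get("SQLNET.ENCRYPTION_SERVER") == "REQUIRED"),
        ("admin restrictions", l.get(f"ADMIN_RESTRICTIONS_{name}") == "ON"),
        ("listener logging", l.get(f"LOGGING_{name}", "ON") == "ON"),  # Oracle's default is ON
    ]

def failed_checks(sqlnet, listener, name="LISTENER"):
    """Names of the checklist items the given configuration does not satisfy."""
    return [check for check, ok in audit(sqlnet, listener, name) if not ok]
```

Run it against the real files by reading them into the two strings; the "Enable TNS Listener password" item is deliberately not checked, since the deck marks it "only if required".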
Oracle Database Security
Harden operating environment
Disable XDB
Review database links
Remove operating system trusted remote logon
Implement two profiles for password management
Change default installation passwords
Restrict access to SQL trace files
Remove operating system trusted remote roles
Limit file system access within PL/SQL
Limit dictionary access
Revoke unnecessary grants given to APPLSYSPUB
Configure the database for auditing
Audit database connections
Audit database schema changes
Audit administrators and their actions
Oracle Application Tier Security
Harden operating environment
Harden Apache configuration
Protect administrative web pages
Configure logging
Oracle E-Business Suite Security (01 of 03)
Harden operating environment
Strike passwords from adpatch logs
Set Workflow notification mailer SEND_ACCESS_KEY to N
Set Tools environment variables
Restrict filetypes that may be uploaded
Enable AntiSamy HTML filter
Use SSL (HTTPS) between browser and web server
Avoid Weak Ciphers and Protocols for SSL (HTTPS)
Use External Webtier if exposing any part of EBS to the internet
Use Terminal Services for client-server programs
Change passwords for seeded application user accounts
Switch to Hashed Passwords
Tighten logon and session profile options
Consider using Single-Sign-On
Create new user accounts safely
Oracle E-Business Suite Security (02 of 03)
Create shared responsibilities instead of shared accounts
Configure Concurrent Manager for safe authentication
Configure Concurrent Manager for Start and Stop without the APPS password
Activate Server Security
Create DBC files securely
Review and limit Responsibilities and Permissions
Set other security related profile options
Restrict responsibilities by web server trust level
Set Sign-On audit level
Monitor system activity with OAM
Retrieve audit records using Reports
Retrieve audit records using SQL
Purge audit records
Oracle E-Business Suite Security (03 of 03)
Review data tracked (no Reports available)
Configuring audit trail
Generate and identify audit trail objects
Choose tables to audit
Retrieve audit records using SQL
Purge audit records
References on Oracle E-Business Suite auditing
Desktop Security
Configure browser
Update browser
Turn off AutoComplete
Set policy for unattended PC sessions
Operating Environment Security
Clean up file ownership and access
Clean up file permissions
Lock down operating system libraries and programs
Filter IP packets
Prevent spoofing
Eliminate telnet, rsh and ftp daemons
Verify network configuration
Monitor for attacks
Configure accounts securely
Limit root access
Manage user accounts
Secure NFS
Secure operating system devices
Secure executables
Secure file access
Extras for Experts
Detect and Prevent Duplicate User Sessions
Customize Password Validation
Encrypt Credit Cards
Advanced Security/Networking Option (ASO/ANO)
Advanced Security/Transparent Data Encryption (ASO/TDE)
Practice Safe Cloning
Hardening External Procedure (EXTPROC) Services
EXTPROC Listener Configuration
EXTPROC Testing Procedure
Appendixes:
Appendix A: Running Web-Scanning Tools
Appendix B: Sensitive Administrative Pages
Appendix C: Database Schemas found in Oracle E-Business Suite
Appendix D: Processes used by Oracle E-Business Suite
Appendix E: Ports used by Oracle E-Business Suite
Appendix F: Sample Linux Hardening of the Application Tier
Appendix G: Security Check Scripts
Appendix H: References & More Resources
Oracle Support: Security Scripts 403537.1 (slide body not in the transcript)
Additional E-Business Suite Security Areas (slide body not in the transcript)
Panel Members
• Steven Chan – Oracle
• Elke Phelps – Oracle
• Srini Chavali – Oracle
• Michael Barone – OATC, Inc.
• Marvin Sanchez – Pharmavite
• Sandra Vucinic – VLAD Group, Inc.

Collaborate 2015, Mandalay Bay, Las Vegas, April 12-16, 2014
Please visit collaborate.oaug.org for further details