1
Best Practices for Securing Oracle EBS R12
Oracle EBS R12 - Security Best Practices for Securing Oracle EBS R12
2
Agenda
- Overview
- Oracle TNS Listener Security
- Oracle Database Security
- Oracle Application Tier Security
- E-Business Suite Security
- Desktop Security
- Operating Environment Security
- Q&A
3
Overview
In today’s environment, a properly secured computing infrastructure is critical. When securing the infrastructure, a balance must be struck between risk of exposure, cost of security and value of the information protected. Each organization determines its own correct balance. To that end, this presentation describes security measures that will be put in place for securing Oracle E-Business Suite R12.
4
Overview - Continued
5
Oracle TNS Listener Security
- Enable “Validate Node Checking”
    tcp.validnode_checking = YES
    tcp.invited_nodes = ( X.X.X.X, hostname, ... )
    tcp.excluded_nodes = ( hostname, X.X.X.X, ... )
- Specify Connection Timeout
    CONNECT_TIMEOUT_$ORACLE_SID = 10
- Enable TNS Listener Password
    $ lsnrctl
    LSNRCTL> set current_listener $ORACLE_SID
    LSNRCTL> change_password
    LSNRCTL> set password
    LSNRCTL> save_config
    $ echo "ADMIN_RESTRICTIONS_DBLSNR = ON" >> listener.ora
    LSNRCTL> reload
- Enable Admin Restrictions
    ADMIN_RESTRICTIONS_$ORACLE_SID=ON
- Enable TNS Listener Logging
    LOG_STATUS = ON
    LOG_DIRECTORY_$ORACLE_SID = $TNS_ADMIN
    LOG_FILE_$ORACLE_SID = $ORACLE_SID
6
Oracle Database Security
- Disable XDB
    dispatchers='(PROTOCOL=TCP) (SERVICE=sidXDB)'
- Remove OS trusted login
    REMOTE_OS_AUTHENT=FALSE
- Implement two or more profiles for password management

    Password Parameters        Application Profile   Administrator Profile
    FAILED_LOGIN_ATTEMPTS      Unlimited             5
    PASSWORD_LIFE_TIME         90
    PASSWORD_REUSE_TIME        180
    PASSWORD_REUSE_MAX
    PASSWORD_LOCK_TIME         7
    PASSWORD_GRACE_TIME        14
    PASSWORD_VERIFY_FUNCTION   Recommended
7
Oracle Database Security - Continued
- Change default installation passwords
    - Default database administration schemas
    - Schemas belonging to optional database features neither used nor patched by E-Business Suite
    - Schemas belonging to optional database features used but not patched by E-Business Suite
    - Schemas belonging to optional database features used and patched by E-Business Suite
    - Schemas common to all E-Business Suite products
    - Schemas associated with specific E-Business Suite products
- Restrict access to SQL trace files
    _TRACE_FILES_PUBLIC=FALSE
- Remove OS trusted roles
    REMOTE_OS_ROLES=FALSE
- Limit file system access within PL/SQL
    Avoid: UTL_FILE_DIR = *
- Limit dictionary access
    O7_DICTIONARY_ACCESSIBILITY = FALSE
- Configure DB for auditing
    AUDIT_TRAIL = OS
    AUDIT_FILE_DEST = /u01/logs/db/audit
- Audit DB connections
    SQL> audit session;
- Audit DB schema changes
    SQL> audit user;
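An added example, not part of the original slides: a small Python check that reads an init.ora file and reports where it departs from the database parameters listed on the two Oracle Database Security slides. The function names and the sample file are constructed for illustration; treating a remaining XDB dispatchers line as "XDB still enabled" and taking the last occurrence of a repeated parameter as the effective one are assumptions.

```python
import re

# Values the slides recommend; keys are lower-cased init.ora parameter names.
RECOMMENDED = {
    "remote_os_authent": "FALSE",
    "remote_os_roles": "FALSE",
    "_trace_files_public": "FALSE",
    "o7_dictionary_accessibility": "FALSE",
    "audit_trail": "OS",
}
# Optional "*." or "<sid>." prefix, then name = value.
LINE = re.compile(r"^(?:(?:\*|\w+)\.)?(\w+)\s*=\s*(.*)$")

def parse_init_ora(text):
    """Return {parameter: [values...]}; a parameter may appear on several lines."""
    params = {}
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments first
        if m:
            value = m.group(2).strip().strip("'\"")
            params.setdefault(m.group(1).lower(), []).append(value)
    return params

def audit_init_ora(text):
    """Return a list of findings where the file departs from the slides."""
    params = parse_init_ora(text)
    findings = []
    for name, want in RECOMMENDED.items():
        values = params.get(name)
        if not values:
            findings.append(f"{name}: not set explicitly, slides recommend {want}")
        elif values[-1].upper() != want:  # assumption: last occurrence is effective
            findings.append(f"{name}: is {values[-1]}, slides recommend {want}")
    if "*" in params.get("utl_file_dir", []):
        findings.append("utl_file_dir: '*' removes the directory restriction on PL/SQL file access")
    # Assumption: "Disable XDB" means the XDB dispatchers line should be absent.
    if any("XDB" in v.upper() for v in params.get("dispatchers", [])):
        findings.append("dispatchers: XDB dispatcher is still configured")
    if not params.get("audit_file_dest"):
        findings.append("audit_file_dest: not set")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = """\
*.remote_os_authent=FALSE
*.remote_os_roles=TRUE
*.dispatchers='(PROTOCOL=TCP) (SERVICE=VISXDB)'
utl_file_dir = /usr/tmp
utl_file_dir = *
audit_trail = os          # value is compared case-insensitively
audit_file_dest = /u01/logs/db/audit
_trace_files_public = false
"""

if __name__ == "__main__":
    print("\n".join(audit_init_ora(SAMPLE)))
```

A parameter reported as "not set explicitly" is running on the database default, which depends on the database version.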
8
Oracle Application Tier Security
- Remove Application Server Banner
    Set ServerSignature off
    Set ServerTokens Prod
- Protect Administrative Web Pages
    <Location "uri-to-protect">
        Order deny,allow
        Deny from all
        Allow from localhost <list of TRUSTED IPs>
    </Location>
- Disable Test Pages
    <Location ~ "^/fcgi-bin/echo.*$">
- Configure Logging
9
E-Business Suite Security - Continued
Change Passwords for Seeded Application User Accounts

    Account (columns: Product/Purpose, Change, Disable)
    ANONYMOUS            FND/AOL – Anonymous for non-logged users       Y
    APPSMGR              Routine maintenance via concurrent requests
    ASGADM               Mobile gateway related products                N
    ASGUEST              Sales Application guest user
    AUTOINSTALL          AD
    CONCURRENT MANAGER   FND/AOL: Concurrent Manager
    FEEDER SYSTEM        AD – Supports data from feeder system
    GUEST                Guest application user
10
E-Business Suite Security - Continued
- Consider Using Single Sign-On (SSO)
    Refer to ML Doc ID
- Create New User Accounts Safely
- Create Shared Responsibilities Instead of Shared Accounts
- Configure Concurrent Manager for Safe Authentication
- Activate Server Security
- Tighten Logon and Session Profile Options

    Profile Option Name              Recommendation
    SIGNON_PASSWORD_LENGTH           8
    SIGNON_PASSWORD_HARD_TO_GUESS    Yes
    SIGNON_PASSWORD_NO_REUSE         180
    ICX_SESSION_TIMEOUT              30
11
Desktop Security
- Configure Browser
    Refer to ML Doc ID
- Update Browser
- Turn off Browser Auto Complete
- Set Policy for Unattended PC Sessions
12
Operating Environment Security
- Clean up file ownership and access
- Clean up file permissions
- Eliminate Telnet connections
- Eliminate FTP connections
- Verify network configuration
13
QA
14
Copyright Information
Neither TUSC nor the authors guarantee this document to be error-free. Please provide comments/questions to: TUSC © This document cannot be reproduced without express written consent from an officer of TUSC
15
References
- Best Practices for Securing Oracle E-Business Suite, Oracle Corporation, Version 3.0.2
- Oracle Metalink
- Oracle Technology Network (OTN)