
January 30, 2007

Oracle Applications Security Checklist

The default installation of Oracle Applications is rarely secure enough as it stands, especially for a production system. Since your installation will most likely be subject to audits, it is vital that you secure it as far as is feasible. To give one example, a default installation ships with a number of default passwords, both at the application level and at the database level. This post lists general checks that help in securing an Oracle Applications installation. The list is not exhaustive, and it does not cover the exact technical steps required to implement each check.

  • Change the passwords for the seeded Oracle Applications accounts. A base installation comes with more than 20 seeded application accounts. Change all of their passwords and, preferably, end-date all of them except SYSADMIN and GUEST.
  • Change the passwords for the database accounts, including APPS, APPLSYS and the schemas of every product installed with Oracle Applications. Use FNDCPASS for this: Oracle Applications keeps its own encrypted copies of these passwords, and changing them with ALTER USER alone leaves the application unable to connect. On RUP3 you can also use the ALLORACLE mode of FNDCPASS to change the passwords of all product schemas in one go.
  • Avoid creating an APPS read-only schema. It is common practice to create a read-only schema that is granted SELECT on the objects accessible to APPS. This gives the new user read access to APPLSYS.FND_USER and APPLSYS.FND_ORACLE_USERID, which hold the encrypted application-user and schema passwords. Do not create such an account on production unless you want to explain it to your auditor.
  • Implement Valid Node Checking. This is enabled by default in installations from 11.5.10 onwards; if it is not, configure it in sqlnet.ora (TCP.VALIDNODE_CHECKING together with TCP.INVITED_NODES or TCP.EXCLUDED_NODES). It can be tedious when the database must be reached from a large number of hosts, but on production systems this check is vital.
  • The APPLSYSPUB account ships with a well-known default password. Its sole purpose is to enable login validation in Oracle Applications, so it must remain available; check that no unnecessary objects are owned by or accessible to this schema, and if you change its password, make sure the application tier's GWYUID setting (the s_gwyuid context variable) is updated to match, or logins will fail.
  • Change the password for the GUEST application user from its default of ORACLE or GUEST, following Metalink Note ID 396537.1.
  • Enforce password policies, such as expiry, when creating new Oracle Applications users (the Signon Password Length, Signon Password Hard to Guess, Signon Password Failure Limit and Signon Password No Reuse profile options).
  • Release 11.5.10 introduced the User Management (UMX) module. Users created through UMX are subject to a strong password policy by default, and UMX also streamlines the mapping of responsibilities. Implement it if you are on 11.5.10 or higher.
  • Avoid using generic Oracle Applications user accounts for scheduling concurrent programs or running batch jobs; use dedicated accounts so that each job can be traced to an owner.
  • Enable logging for the database listener. This lets you trace every connection to your database and detect unwarranted ones.
  • The default installation does not set a password on the database listener. Change this, and make sure that your database listener is at least password protected.
  • Upgrade to the latest database release certified with your version of Oracle Applications, for example 10g Release 2 with 11.5.10.2. The latest certified release carries fewer known security issues.
  • Apply the latest Critical Patch Updates, which Oracle releases every quarter. A CPU addresses the priority security threats identified by Oracle, and most CPUs are cumulative.
  • Review and apply the latest Security Alerts released by Oracle for Oracle Applications.
  • Implement AutoConfig. It is enabled by default in all recent releases, but if your installation is not AutoConfig-enabled you should implement it, since the AutoConfig templates also carry the latest security fixes.
  • Enable auditing at the database level, at least for user sessions (AUDIT SESSION) and for the use of database links, even if you do not plan to implement full-fledged database auditing because of the overhead involved.
  • Enable Oracle Applications AuditTrail for at least the critical application tables. Be careful not to overdo it, as auditing can severely impact application performance. Also set the Sign-On:Audit Level profile option to Form.
  • Remove all developer access to production. This might not earn you a lot of friends, but it goes a long way towards securing your Oracle Applications and pleasing the auditor.
  • Review and remove any unused database links in your Oracle Applications database.
  • Disable directory indexing on your Oracle Applications web server. This limits the information available to an outsider and blocks browsing of directories that should not be exposed.
  • If you are implementing an advanced configuration such as a DMZ, also deploy reverse proxies and firewalls so that your web application tier is not exposed directly to the outside world.
  • For instances cloned from production to test or development, change the passwords for all application and database user accounts after cloning. Otherwise anyone with access to the comparatively unsecured development environment can recover the production passwords from it.
  • Your Oracle Applications can only be as secure as the operating system it runs on. Use strong passwords for the root, applmgr and oracle users, make sure file-system permissions are no wider than necessary, and consider enabling OS auditing for the root, applmgr and oracle users.
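Two of the checks above, Valid Node Checking in sqlnet.ora and review of the listener log, can be scripted. The following is an added example, not code from the original post: it audits a sqlnet.ora fragment for TCP.VALIDNODE_CHECKING and compares the source hosts of connections recorded in listener.log against the invited-node list. The sqlnet.ora fragments, the host addresses and the listener.log lines are constructed samples (the weak fragment shows the default state, the hardened one the corrected setting); the function names are this example's own.

```python
"""Added example, not code from the original post: check sqlnet.ora for Valid
Node Checking and review listener.log connections against the invited-node
list.  The sqlnet.ora fragments and listener.log lines below are constructed
samples; real files use the same syntax."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sqlnet.ora fragments: the weak one leaves node checking off.
WEAK_SQLNET = """
SQLNET.EXPIRE_TIME = 10
"""

HARDENED_SQLNET = """
# only the application tier (192.168.1.10) and the DBA host may connect
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (192.168.1.10, 192.168.1.20)
"""

# Constructed listener.log lines in the 10g "establish" layout:
# timestamp * connect_data * address * establish * service * return_code
LISTENER_LOG = """\
30-JAN-2007 09:12:05 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=f60webmx)(HOST=appstier)(USER=applmgr))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.10)(PORT=40213)) * establish * PROD * 0
30-JAN-2007 09:14:41 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=sqlplus)(HOST=laptop)(USER=jdoe))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.99)(PORT=3321)) * establish * PROD * 0
30-JAN-2007 09:15:02 * service_update * PROD * 0
30-JAN-2007 09:16:17 * (CONNECT_DATA=(SERVICE_NAME=PROD)(CID=(PROGRAM=sqlplus)(HOST=devbox)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.77)(PORT=3322)) * establish * PROD * 12505
"""


def parse_sqlnet(text: str) -> Dict[str, str]:
    """Parse NAME = VALUE lines into a dict keyed by upper-cased name; '#' starts a comment."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip().upper()] = value.strip()
    return params


def invited_nodes(params: Dict[str, str]) -> Set[str]:
    """TCP.INVITED_NODES as a set of host strings (IPs here; names would need resolving)."""
    raw = params.get("TCP.INVITED_NODES", "").strip("()")
    return {node.strip() for node in raw.split(",") if node.strip()}


def audit_sqlnet(text: str) -> List[str]:
    """Findings for the Valid Node Checking item; an empty list means it is in place."""
    params = parse_sqlnet(text)
    findings = []
    if params.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES: any host that can reach the listener may connect")
    elif not invited_nodes(params) and "TCP.EXCLUDED_NODES" not in params:
        findings.append("node checking is on but neither TCP.INVITED_NODES nor TCP.EXCLUDED_NODES is set")
    return findings


def parse_listener_log(text: str) -> List[Dict[str, object]]:
    """One record per 'establish' line; service_update and similar lines have fewer fields and are skipped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) != 6 or fields[3] != "establish":
            continue
        stamp, conn, addr, _, service, rc = fields
        host = re.search(r"\(HOST=([^)]*)\)", addr)
        prog = re.search(r"\(PROGRAM=([^)]*)\)", conn)
        user = re.search(r"\(USER=([^)]*)\)", conn)
        records.append({
            "time": stamp, "service": service, "return_code": int(rc),
            "source": host.group(1) if host else "?",
            "program": prog.group(1) if prog else "?",
            "os_user": user.group(1) if user else "?",
        })
    return records


def suspicious_connections(records, allowed_sources: Set[str]) -> List[Tuple[str, str, str]]:
    """Accepted connections from hosts outside the invited list, plus every refused
    attempt (nonzero return code), each as (time, source host, reason)."""
    flagged = []
    for r in records:
        if r["return_code"] != 0:
            flagged.append((r["time"], r["source"], "refused, rc=%d" % r["return_code"]))
        elif r["source"] not in allowed_sources:
            flagged.append((r["time"], r["source"],
                            "accepted from non-invited host, %s via %s" % (r["os_user"], r["program"])))
    return flagged


if __name__ == "__main__":
    for finding in audit_sqlnet(WEAK_SQLNET):
        print("sqlnet.ora:", finding)
    allowed = invited_nodes(parse_sqlnet(HARDENED_SQLNET))
    for when, src, why in suspicious_connections(parse_listener_log(LISTENER_LOG), allowed):
        print(when, src, why)
```

On a real system feed audit_sqlnet the contents of $TNS_ADMIN/sqlnet.ora on the database tier and parse_listener_log the listener.log under the listener's log directory; a host that appears as accepted but is not in TCP.INVITED_NODES means node checking is not actually in effect on that listener, and a run of refused attempts from one host is worth a closer look.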

Additional References
Pete Finnigan's Oracle security weblog
http://www.integrigy.com/oracle-security-blog
Metalink Note ID 189367.1 Best Practices for Securing the E-Business Suite

January 19, 2007

Interesting Release 12 Changes

With Oracle Applications Release 12 due in less than a couple of weeks (31st January as of now), in today's post I write about some of the interesting changes, from a technical point of view, that can be expected in Release 12. Some of these have already been covered in detail in my previous posts. This post is based mainly on the Release Content Documents and the Oracle OpenWorld sessions relating to Release 12.

  • Mixed Case Passwords
    Release 12 supports case-sensitive, mixed-case passwords for user accounts; for backward compatibility, case-insensitive passwords are still accepted.
  • On Demand User Creation
    In SSO environments where a user has an account in OID but not in the E-Business Suite, the account is now created on the fly the first time the user visits the E-Business Suite.
  • Product Schemas Locked
    In Release 12 the product schemas are kept locked and are unlocked only when required, for example during patching, which reduces the number of database accounts that can be logged into directly.
  • Request Set Restarting
    If a request set fails part way through, in Release 12 the user can fix the problem and simply restart the request set, without having to manually complete the remaining requests in it.
  • New Tablespace in OATM
    OATM introduces a new TOOLS tablespace for storing objects related to other tools used with Oracle Applications, such as the End User Layer for Discoverer.
  • Changes To Patch Impact Analysis in OAM
    In Oracle Applications Manager, Patch Impact Analysis now also shows the impact of a patch on customized files. OAM also lets you build a list of patches whose impact can be analysed in one go.
  • Workflow Notification Mailer Enhancements
    The Oracle Workflow Notification Mailer has simplified configuration through simple and advanced setup screens, and now supports SSL for the IMAP and SMTP mail servers. The workflow engine itself now uses a bulk array interface, which offers performance benefits.
  • Grid Control Plug-in
    A Grid Control plug-in is available for Oracle Applications, integrating Oracle Grid Control with Oracle Applications Manager for improved system management.
  • mod_oc4j
    In Release 12 support for the mod_plsql module is withdrawn; mod_oc4j replaces it.
  • File System Changes
    One of the major changes at the file-system level in Release 12 is the introduction of the INSTANCE_TOP, which cleanly separates the file system shared between instances from the files unique to an instance.
  • Read Only Shared Application Tier Filesystem
    Release 12 also allows a shared application-tier file system to be deployed on a read-only file system.
  • Multi-Org Access Control
    Release 12 implements Multi-Org Access Control, which allows a user to submit requests and view data for different operating units without switching responsibilities.
  • Multiple Domain Support
    Release 12 also allows the application-server nodes and the database-server nodes to be in different domains.
  • RAC Cloning
    Rapid Clone for Release 12 can also clone Oracle Applications environments deployed on Real Application Clusters.
  • XML Publisher Enhancements
    Release 12 includes a number of XML Publisher enhancements, such as support for bookmarks in PDF documents, changes to the Template Builder and Template Viewer, and new features in the graphics support.
  • Web ADI Enhancements
    Web ADI also has its set of enhancements in Release 12, covering both the Web ADI product and its Software Development Kit (SDK).
  • Sub-Set User Provisioning
    Release 12 also allows new Single Sign-On deployment scenarios in which a single LDAP server is used and only a subset of its users is synchronized to the E-Business Suite.

January 16, 2007

Working with CONCSUB

Last week I had taken off for a vacation, so I did not find time to blog; now that I am back, it is great to be posting again.

In today's post I will talk about one of the lesser used, but important to understand, Oracle Applications utilities: CONCSUB.

CONCSUB is a utility that lets you submit a concurrent program to the concurrent manager from the operating system, without having to log on to Oracle Applications.
The CONCSUB executable is located at $FND_TOP/bin/CONCSUB.

The functionality of CONCSUB falls into two categories:

  • Submitting Concurrent Requests
  • Controlling Concurrent Managers

Submitting Concurrent Requests
You can use CONCSUB to run both seeded and custom programs in Oracle Applications. Custom programs must first be registered in Oracle Applications before you can run them with CONCSUB.

The following submits the Active Users report from the command line without logging in to the applications:

CONCSUB APPS/APPS SYSADMIN "System Administrator" SYSADMIN WAIT=N CONCURRENT FND FNDSCURS PROGRAM_NAME='"Active Users"'
Submitted request 2866136 for CONCURRENT FND FNDSCURS PROGRAM_NAME="Active Users"

The log and output files for the request are created under $APPLCSF/$APPLLOG and $APPLCSF/$APPLOUT respectively. Note that the APPS password given on the command line is visible to every OS user in the process list for as long as CONCSUB runs, so keep any script that wraps CONCSUB under restrictive permissions and never leave the default APPS password in place (see the security checklist above).

WAIT=Y makes CONCSUB wait until the submitted request has completed before it returns, so that a following request is not submitted until the first has finished; WAIT=N returns immediately after submission.

You can also pass printing parameters to CONCSUB to print the output of your concurrent request directly:

PRINTER=<printer name>
NUMBER_OF_COPIES=<number of reports to be printed>
PRINT_STYLE=<printer style to be used>    
LANGUAGE=<language to be used>

You can also specify the start date and resubmission options with the following parameters:

START=<Requested Start Date>
REPEAT_DAYS=<Repeat Interval>
REPEAT_END=<Request Resubmission End Date>

Controlling Concurrent Managers
Apart from submitting concurrent requests, CONCSUB can also be used to shut down your concurrent managers:

CONCSUB apps/apps_password SYSADMIN 'System Administrator' SYSADMIN WAIT=N CONCURRENT FND SHUTDOWN

Sometimes a shutdown of the concurrent managers via CONCSUB with the SHUTDOWN clause hangs. If you want to terminate the managers regardless, use the ABORT clause with CONCSUB to force a shutdown:

CONCSUB apps/apps SYSADMIN 'System Administrator' SYSADMIN WAIT=N CONCURRENT FND ABORT

In this case the request to terminate the concurrent managers is submitted with a priority of -75. A SHUTDOWN request has priority 0, and the default priority of a concurrent request is 50; by assigning -75, CONCSUB ensures that the abort is executed ahead of a pending shutdown.

Needless to say, the shutdown fails if the SYSADMIN user or the System Administrator responsibility is inactive.

To start the concurrent managers, CONCSUB is normally not used (though it is possible); instead the startmgr executable is used.
This is located at $FND_TOP/bin/startmgr.

$startmgr sysmgr=apps/apps@sam
Starting icm@sam Internal Concurrent Manager
Default printer is

By default, if no manager name is specified, the Internal Concurrent Manager (ICM) is started. You can also start a specific manager with the mgrname clause.

To start the concurrent managers with CONCSUB, the STARTUP clause is used:

$ CONCSUB apps/apps SYSADMIN 'System Administrator' SYSADMIN WAIT=N CONCURRENT FND STARTUP
Submitted request 2849496 for CONCURRENT FND STARTUP
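Because the CONCSUB arguments mix quoted responsibility and program names with a password, wrapping it in a script is where most mistakes happen. The following is an added example, not code from the original post: a small Python wrapper that builds the CONCSUB argument vector directly (no shell, so "System Administrator" and PROGRAM_NAME="Active Users" need no nested quoting), reads the APPS password from a file that must be readable only by its owner, and extracts the request id from the "Submitted request NNN for ..." line that CONCSUB prints. $FND_TOP/bin/CONCSUB, the argument order and the sample output line are taken from this post; the helper names, the ~/.apps_pw password file and the permission check are this example's own conventions.

```python
"""Added example, not code from the original post: a Python wrapper for CONCSUB.
It builds the argument vector directly (no shell, so "System Administrator" and
PROGRAM_NAME="Active Users" need no nested quoting), reads the APPS password
from a file that must be readable only by its owner, and pulls the request id
out of CONCSUB's "Submitted request NNN for ..." line.  $FND_TOP/bin/CONCSUB and
the sample output line are from the post; the helper names and the password
file are this example's own conventions."""
import os
import re
import stat
import subprocess
from typing import List, Optional, Sequence

SUBMITTED_RE = re.compile(r"^Submitted request (\d+) for ", re.MULTILINE)


def password_file_is_private(mode: int) -> bool:
    """True when the st_mode carries no group or other permission bits (e.g. 0600)."""
    return stat.S_IMODE(mode) & 0o077 == 0


def read_apps_password(path: str) -> str:
    """Read the APPS password from a file, refusing one that other users could read.
    The password still shows up in CONCSUB's own argument list while it runs, so
    this keeps it out of scripts and shell history, not out of `ps`."""
    if not password_file_is_private(os.stat(path).st_mode):
        raise PermissionError("%s must be readable by its owner only (chmod 600)" % path)
    with open(path) as fh:
        return fh.readline().strip()


def build_concsub_args(apps_user: str, apps_password: str, resp_app: str, resp_name: str,
                       user_name: str, application: str, program: str, wait: str = "N",
                       options: Sequence[str] = (), params: Sequence[str] = ()) -> List[str]:
    """Argument vector for CONCSUB in the order the post shows: user/password,
    responsibility application, responsibility name, user, WAIT=, CONCURRENT,
    program application, program, then options such as PROGRAM_NAME=...,
    PRINTER=... or START=..., then the program's own parameters.
    Each list item is exactly one argv entry, so no shell quoting is involved."""
    concsub = os.path.join(os.environ.get("FND_TOP", "."), "bin", "CONCSUB")
    argv = [concsub, "%s/%s" % (apps_user, apps_password), resp_app, resp_name, user_name,
            "WAIT=%s" % wait, "CONCURRENT", application, program]
    argv.extend(options)
    argv.extend(params)
    return argv


def parse_request_id(output: str) -> Optional[int]:
    """Request id from CONCSUB's confirmation line, or None if nothing was submitted."""
    match = SUBMITTED_RE.search(output)
    return int(match.group(1)) if match else None


def submit(argv: List[str]) -> Optional[int]:
    """Run CONCSUB (needs a sourced APPS environment; not exercised offline)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_request_id(proc.stdout) if proc.returncode == 0 else None


if __name__ == "__main__":
    # Assumed password file; create it with:  umask 077; echo 'the-apps-password' > ~/.apps_pw
    pw = read_apps_password(os.path.expanduser("~/.apps_pw"))
    # CONCSUB expects the double quotes around the description to reach it intact
    argv = build_concsub_args("APPS", pw, "SYSADMIN", "System Administrator", "SYSADMIN",
                              "FND", "FNDSCURS", options=['PROGRAM_NAME="Active Users"'])
    print("request id:", submit(argv))
    # Manager control uses the same shape, e.g. build_concsub_args(..., "FND", "SHUTDOWN")
```

The double quotes inside PROGRAM_NAME="Active Users" are part of what CONCSUB receives, which is why the post's shell command wraps them in single quotes; passing the value as one argv entry gives CONCSUB exactly the same string without the shell in between.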

January 04, 2007

ADPATCH Options

Having talked about the best practices related to applications patching, in today's post I will cover some frequently used options of adpatch. The options described here are for information only; understand them completely before using them on your system. Any special instructions in a patch's readme file override the information in this post.

Run adpatch as the applications OS user after sourcing the appropriate environment file:

#su - applmgr
$cd SAMAPPL
$. ./APPSORA.env
$adpatch

By default adpatch takes no clauses, but the following can be used with it.

Running a patch in test mode
The apply clause specifies whether to run the patch in test mode. In test mode adpatch makes no changes but generates a log file listing all the actions it would have performed.

$adpatch apply=n|y
The default is apply=y

Pre-install Mode
You can also run a patch in pre-install mode, which is normally done during an upgrade or consolidated update. When a patch is applied in pre-install mode, the AD utilities are updated before the upgrade or update itself.

$adpatch preinstall=y
The default is preinstall=n

Other Options with adpatch
The options clause specifies the other options available with adpatch.

Autoconfig
Use options=noautoconfig to tell adpatch not to run AutoConfig as part of the patch application. This is useful when applying a large number of patches that have not been merged. By default AutoConfig is run as part of adpatch.

$adpatch options=noautoconfig

Checkfile
The checkfile option tells adpatch to check for already executed exec, SQL and exectier commands. options=nocheckfile skips this check; since that adds a performance overhead, use it only when the readme specifies it.

$adpatch options=nocheckfile

Compile Database
By default adpatch compiles invalid objects after the patch is applied; specify options=nocompiledb if you do not want this.

$adpatch options=nocompiledb

Compile JSP
By default adpatch compiles the Java Server Pages (JSPs) after the patch is applied; specify options=nocompilejsp if you do not want this.

$adpatch options=nocompilejsp

Copy Portion
Use options=nocopyportion to stop adpatch from executing the commands in the copy-driver portion of the patch.

$adpatch options=nocopyportion

Database Portion
Use options=nodatabaseportion to stop adpatch from executing the commands in the database-driver portion of the patch.

$adpatch options=nodatabaseportion

Generate Portion
Use options=nogenerateportion to stop adpatch from executing the commands in the generate-driver portion of the patch.

$adpatch options=nogenerateportion

Maintenance Mode
Use options=hotpatch to apply a patch regardless of whether the system is in maintenance mode. Since users may be logged in while files and database objects change, use it only for patches whose readme says they can be applied this way.

$adpatch options=hotpatch

Integrity Check
Use options=integrity to check the integrity of the patch. Because patches downloaded from Metalink are pre-checked, an explicit check is generally not required, and the default is nointegrity.

$adpatch options=integrity

Maintain MRC
The maintainmrc option specifies whether adpatch should run Maintain MRC Schema as part of the patch application. By default it is run for standard patches and disabled for translation and documentation patches.

$adpatch options=nomaintainmrc

Prerequisite Patch Check
Use options=noprereq to skip the check for prerequisite patches before the main patch is applied. By default prerequisite checking is enabled.

$adpatch options=noprereq

Validate Schemas
Use options=validate to have adpatch explicitly validate all registered schemas by connecting to each of them. By default this validation is not performed.

$adpatch options=validate

Java Classes
Use options=nojcopy to stop adpatch from copying new Java classes from the patch. By default Java classes are copied.

$adpatch options=nojcopy

Force Copy
By default (options=noforcecopy) adpatch compares the version of each file in the patch with the file already on the system and only copies newer versions. options=forcecopy overrides this and copies the patch files regardless of version, so an older version in the patch can replace a newer file on the system; use it only when the readme calls for it.

$adpatch options=noforcecopy

Relinking
Use options=nolink to stop adpatch from relinking executables.

$adpatch options=nolink

Generate Forms
Use options=nogenform to stop adpatch from generating the forms files.

$adpatch options=nogenform

Generate Reports
Use options=nogenrep to stop adpatch from generating the report files.

$adpatch options=nogenrep

You can specify multiple options on the command line, separated by commas:

$adpatch options=hotpatch,nojcopy

January 02, 2007

Getting Familiar with RTCCTL

One of the components of Oracle Collaboration Suite is Real-Time Collaboration (RTC). The two main components of Real-Time Collaboration are

  • Oracle Web Conferencing
  • Oracle Messenger

Besides OPMNCTL, described in my previous post, which manages the services of Oracle Collaboration Suite, Oracle also provides the rtcctl utility for managing the components specific to Oracle Web Conferencing and Oracle Messenger. rtcctl is a command-line utility that provides an interface to configure and administer your Real-Time Collaboration components. This configuration and administration is done through a set of properties that control the behaviour of your RTC environment.

The rtcctl utility is located in $ORACLE_HOME/imeeting/bin on your Oracle Collaboration Suite middle-tier servers.

The rtcctl utility allows you to

  • View the status of the processes related to Real-Time Collaboration.
  • Start and stop all or specific components.
  • View the values of Real-Time Collaboration properties.
  • Set the values of Real-Time Collaboration properties.
  • View and modify an RTC user's access.
  • Create and use broadcast groups.

To get the status of RTC
The getstate command within rtcctl shows the status of the Real-Time Collaboration components:

rtcctl> getstate
ID      COMPONENT_NAME TYPE      STATUS         NUM_PROCS
10007   rtc-connmgr    connmgr   UP             2
10000   rtc-confsvr    confsvr   UP             4
10006   rtc-imrtr      imrtr     ACTIVE-OK      1
10008   rtc-voiceproxy voiceproxyUP             1
10004   rtcpm          rtcpm     UP             1
10003   rtc-rdtr       rdtr      UP             1
10002   rtc-mx         mx        UP             1

Setting RTC property values
The getProperties command shows the properties that apply to the current RTC instance:

rtcctl> getProperties
ApacheProtocolSecure="false"
ApacheWebHost="samlnx.appsdbablog.com"
ApacheWebPort="7780"
ApacheWebSecurePort="8250"
DefaultTimeZoneName="America/Los_Angeles"
EmailEnabled="false"
IMDomainNames="["appsdbablog.com"]"
RTCSSLSupportEnabled="false"
SmtpHost="samlnx.appsdbablog.com"
SmtpPort="25"
VoiceDialinPrefix=""

To get the value of a specific property, use the getProperty command with the -pname clause, which names the property:

rtcctl> getproperty -pname IMDomainNames
The effective value for instance of the property "IMDomainNames" is "["appsdbablog.com"]"

The getProperties command with the -maxlevel all clause displays a complete list of all RTC-related properties.

The setProperty command sets the value of a specific property:

rtcctl> setProperty -pname property-name -pvalue property-value

You can use rtcctl to configure and administer multiple RTC instances at your site.
To set properties at the instance level use the -i clause; to set them at the system level use the -system clause. By default properties are set at the system level.

Startup and Shutdown of RTC Services
The stop command shuts down all RTC-managed processes:

rtcctl> stop
rtcctl> getstate
ID      COMPONENT_NAME TYPE      STATUS         NUM_PROCS
10007   rtc-connmgr    connmgr   DOWN           0
10000   rtc-confsvr    confsvr   DOWN           0
10006   rtc-imrtr      imrtr     DOWN           0
10008   rtc-voiceproxy voiceproxyDOWN           0
10004   rtcpm          rtcpm     DOWN           0
10003   rtc-rdtr       rdtr      DOWN           0
10002   rtc-mx         mx        DOWN           0

The start command starts the RTC-managed processes:

rtcctl> start
rtcctl> getstate
ID      COMPONENT_NAME TYPE      STATUS         NUM_PROCS
10007   rtc-connmgr    connmgr   UP             2
10000   rtc-confsvr    confsvr   UP             4
10006   rtc-imrtr      imrtr     ACTIVE-OK      1
10008   rtc-voiceproxy voiceproxyUP             1
10004   rtcpm          rtcpm     UP             1
10003   rtc-rdtr       rdtr      UP             1
10002   rtc-mx         mx        UP             1

Individual components can be started and stopped by passing either the component type (-ctype) or the component name (-cname) with the start or stop command.

rtcctl> stop -cname rtc-confsvr
This stops the rtc-confsvr component.

rtcctl> start -ctype confsvr
This starts the component of type confsvr.

RTC User Management
The modifyRole command modifies the existing role of a user:

rtcctl> modifyRole -username sam -rolename businessadmin

Broadcast Groups
You can also use rtcctl to create broadcast groups:

rtcctl> addGroup -groupname APPS_DBA_SUPPORT -type A -owner sam@appsdbablog.com -subscription S -permission R  -groupdisplayname "DBA Support Team"
Add group 'APPS_DBA_SUPPORT', type = A, owner = sam@appsdbablog.com, subscription = S, permission = R, groupdisplayname = DBA Support Team

Use -permission O to create an open group, which does not require approval to join.

The getGroups command displays the groups available in the system:

rtcctl> getGroups
Groups:
Group IM Address: apps_dba_support@groups.appsdbablog.com
Group Display Name: DBA Support Team
Owner IM Address:
sam@appsdbablog.com
Type: A
Subscription Type: S
Subscription Permission: R
Number of Members: 0

Use addGroupMember to add a member to the group explicitly:

rtcctl> addGroupMember -groupname APPS_DBA_SUPPORT -username samtest
Add Member 'samtest' to group 'APPS_DBA_SUPPORT'

Similarly, the deleteGroupMember command removes a user from the group explicitly.

The deleteGroup command deletes an existing group:

rtcctl> deleteGroup -groupname APPS_DBA_SUPPORT
Delete group 'APPS_DBA_SUPPORT'

Getting Real-Time Statistics
The getMonitorStats command shows real-time statistics for your RTC environment:

rtcctl> getMonitorStats
Instance - OCSMI_home.samlnx.appsdbablog.com:
Component Name: rtc-confsvr, Component Type: confsvr
SERVICE_NAME                                 TMTGS CMTGS CLTS TMEM    UMEM
confsvr:OCSMI_home.samlnx.appsdbablog.com.rtc-confsvr.00     0     0    4,100K  2,620K
confsvr:OCSMI_home.samlnx.appsdbablog.com.rtc-confsvr.10     0     0    4,092K  2,782K
confsvr:OCSMI_home.samlnx.appsdbablog.com.rtc-confsvr.20     0     0    4,092K  2,800K
confsvr:OCSMI_home.samlnx.appsdbablog.com.rtc-confsvr.30     0     0    4,092K  2,588K
Component Name: rtc-imrtr, Component Type: imrtr presence                                    

Testing RTC
The runTests command runs a series of tests against your RTC environment to check its configuration:

rtcctl> runtests
Instance - OCSMI_home.samlnx.appsdbablog.com:
TEST NAME      SUCCESS
mtgtest        true
dbtest         true
apptest        true
proxytest      false
emailtest      false
imtest         true
servletAccessTesttrue
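The getstate and runTests listings above are what an operator checks by eye; a monitoring job needs them parsed. The following is an added example, not code from the original post: it turns both outputs into a health report. The listings are the post's own, except that rtcpm is set to DOWN here to show a failing component. Note that the real output runs the TYPE and STATUS columns together when the type name fills its column (voiceproxyUP), and prints servletAccessTesttrue the same way, so both parsers tolerate a missing separator. The function names are this example's own.

```python
"""Added example, not code from the original post: turn the output of
`rtcctl getstate` and `rtcctl runTests` into a health check a monitoring job
can act on.  The listings are copied from the post, with rtcpm set to DOWN to
show a failing component."""
import re
from typing import Dict, List

GETSTATE_OUTPUT = """\
ID      COMPONENT_NAME TYPE      STATUS         NUM_PROCS
10007   rtc-connmgr    connmgr   UP             2
10000   rtc-confsvr    confsvr   UP             4
10006   rtc-imrtr      imrtr     ACTIVE-OK      1
10008   rtc-voiceproxy voiceproxyUP             1
10004   rtcpm          rtcpm     DOWN           0
10003   rtc-rdtr       rdtr      UP             1
10002   rtc-mx         mx        UP             1
"""

RUNTESTS_OUTPUT = """\
Instance - OCSMI_home.samlnx.appsdbablog.com:
TEST NAME      SUCCESS
mtgtest        true
dbtest         true
apptest        true
proxytest      false
emailtest      false
imtest         true
servletAccessTesttrue
"""

# Type names are lower case and statuses upper case, so the two can be split
# even when rtcctl prints them with no space in between ("voiceproxyUP").
STATE_RE = re.compile(r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<type>[a-z]+)\s*"
                      r"(?P<status>[A-Z][A-Z-]*)\s+(?P<procs>\d+)$")
# Lazy name match handles "servletAccessTesttrue" as well as "mtgtest   true".
TEST_RE = re.compile(r"^(?P<name>\w+?)\s*(?P<result>true|false)$")
HEALTHY = {"UP", "ACTIVE-OK"}


def parse_getstate(text: str) -> List[Dict[str, object]]:
    """One dict per component row; the header line does not match and is skipped."""
    comps = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            comps.append({"id": int(m["id"]), "name": m["name"], "type": m["type"],
                          "status": m["status"], "procs": int(m["procs"])})
    return comps


def unhealthy_components(text: str) -> List[str]:
    """Names of components that are not UP/ACTIVE-OK or that have no processes."""
    return [c["name"] for c in parse_getstate(text)
            if c["status"] not in HEALTHY or c["procs"] == 0]


def failed_tests(text: str) -> List[str]:
    """Names of runTests entries that reported false."""
    failed = []
    for line in text.splitlines():
        m = TEST_RE.match(line.strip())
        if m and m["result"] == "false":
            failed.append(m["name"])
    return failed


def rtc_health_report(state_text: str, tests_text: str) -> Dict[str, object]:
    """Combined verdict: ok only when every component is healthy and every test passed."""
    down = unhealthy_components(state_text)
    failed = failed_tests(tests_text)
    return {"components_down": down, "tests_failed": failed,
            "ok": not down and not failed}


if __name__ == "__main__":
    # In production feed this the real output, e.g. the stdout of
    # subprocess.run(["rtcctl", "getstate"], capture_output=True, text=True)
    print(rtc_health_report(GETSTATE_OUTPUT, RUNTESTS_OUTPUT))
```

Run from cron against the live output, the report gives a single ok flag to alert on, while the two lists say which RTC component or configuration test needs attention.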