Protecting Oracle E-Business Suite: Activate Server Security

As most of our regular readers may know, the Onapsis Research Labs have been working on Oracle security research for several months. We have done this by publishing analyses of each quarterly Critical Patch Update, and to date we have released over one hundred advisories for this platform. In our continuous effort to give the industry better resources for securing business-critical applications, starting today we will be publishing a weekly series of blog posts, each focusing on a different area of protecting Oracle E-Business Suite.

Oracle E-Business Suite is deployed in a multi-tier configuration with one database server and any number of middle-tier application servers. The application servers may host Apache JSP/Servlet, Forms, Discoverer and other components. Any program that opens a SQL*Net connection to the Oracle Applications database has to be trusted at some level. The Server Security feature ensures that login (FNDLogin) connections originate only from trusted machines. Below we take a closer look at how it works and what it buys you.

Server Security Feature

The Application Server Security feature is activated by default, so the first thing to do is verify that the setting is SECURE: in that mode only registered application servers presenting trusted code modules may connect.

The other two possible values are OFF and ON. OFF means the feature is disabled: no server IDs or code IDs are checked at all, which is acceptable only for development systems that hold no production data. ON is an intermediate setting that is easy to misread as "secured": connections are accepted from application servers registered with the database or from code modules carrying a trusted code ID, so a connection is not required to satisfy both checks. Oracle does not recommend ON for production systems; only SECURE requires both a registered server and a trusted module.

The Server Security feature of the Application Object Library authenticates application server machines and code modules before they are allowed to access the database. When Server Security is activated, application servers must supply server IDs (which work like passwords) and/or code IDs in order to reach a database server. Server IDs identify the machine from which the connection originates. Code IDs identify the module and patch level from which the connection originates; they are embedded in the application code by Oracle development.

The database server can therefore be configured to accept connections only from specific machines, and/or only from code at a required patch level.

Examples & Step-by-Step

So, let us see an example of how this works. Oracle EBS allows a client to connect directly to Forms through the URL: http://hostname.domain:port/forms/frmservlet

[Image oracle3] Example: Forms login attempt with the security configuration set to SECURE

In this case the error message confirms that the database cannot be used from an unauthorized node, and the same error is raised whichever application is used. When Server Security is OFF, every form can be opened directly (see the image of the insecure configuration on the same system):

[Image oracle4] Example: direct Forms access with Server Security set to OFF

How to check & modify config

You can check the Server Security status with the STATUS command of the AdminAppServer utility. Run it before activating server security to make sure every application server you need has been registered; the APPS password follows apps/ on the command line:

$ java oracle.apps.fnd.security.AdminAppServer apps/ STATUS DBC=$FND_SECURE/$TWO_TASK.dbc

Database Server
—————
DATABASE_ID: EBS1224
AUTHENTICATION: OFF
Application Server
——————
APPL_SERVER_STATUS: VALID
APPL_SERVER_ID: 4FBCDB3F320276DAE05367E1A4C0B0C782575937229267617094091991671493

A faster way to verify that server security is set to SECURE is to run the following SQL query while connected as APPS:

[Image oracle5] SQL query run as APPS and its result

How do you modify this configuration?

To configure Server Security properly, follow these steps:

[Image oracle7] Steps for configuring Server Security with AdminAppServer
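The check and the change described in the two sections above can be scripted so that the status is audited before anything is tightened. The following is an added example written for this post, not code from Onapsis or from Oracle: it parses the text that AdminAppServer STATUS prints, maps the AUTHENTICATION level to a verdict, and refuses to declare the system healthy if the node running the check is not itself registered VALID (switching to SECURE in that state produces the Forms error shown earlier). The sample STATUS text is constructed to mirror the listing above; the variable names APPS_PWD, FND_SECURE and TWO_TASK, and the helper names, are this script's own assumptions. The STATUS, ADD and AUTHENTICATION subcommands are the AdminAppServer syntax described in Doc ID 443978.1.

```shell
#!/bin/sh
# Added example (not from the Onapsis post or from Oracle): audit the Server Security level
# reported by "AdminAppServer STATUS" and only pass when it is SECURE and this node is VALID.
# Assumptions (this script's own): APPS_PWD holds the APPS password; FND_SECURE and TWO_TASK
# are set by the EBS environment file.

# Constructed sample of STATUS output, mirroring the listing in the post (security OFF).
SAMPLE_STATUS='Database Server
---------------
DATABASE_ID: EBS1224
AUTHENTICATION: OFF
Application Server
------------------
APPL_SERVER_STATUS: VALID
APPL_SERVER_ID: 4FBCDB3F320276DAE05367E1A4C0B0C782575937229267617094091991671493'

# Print the AUTHENTICATION value (OFF / ON / SECURE) from STATUS text on stdin; empty if absent.
auth_level() {
    awk -F': *' '$1 == "AUTHENTICATION" { print $2; exit }' | tr -d '[:space:]'
}

# Print the APPL_SERVER_STATUS value (e.g. VALID) from STATUS text on stdin; empty if absent.
server_status() {
    awk -F': *' '$1 == "APPL_SERVER_STATUS" { print $2; exit }' | tr -d '[:space:]'
}

# Map the level and this node's registration status to a verdict:
#   PASS     SECURE and this node is VALID
#   LOCKOUT  SECURE but this node is not VALID: its own connections will be refused
#   PARTIAL  ON: a registered server ID *or* a trusted code ID is enough to connect
#   FAIL     OFF: nothing is checked
verdict() {
    case "$1" in
        SECURE) if [ "$2" = VALID ]; then echo PASS; else echo LOCKOUT; fi ;;
        ON)     echo PARTIAL ;;
        OFF)    echo FAIL ;;
        *)      echo UNKNOWN ;;
    esac
}

# Read STATUS text on stdin and print "<verdict> auth=<level> server=<status>".
audit() {
    text=$(cat)
    level=$(printf '%s\n' "$text" | auth_level)
    status=$(printf '%s\n' "$text" | server_status)
    printf '%s auth=%s server=%s\n' "$(verdict "$level" "$status")" \
        "${level:-missing}" "${status:-missing}"
}

# Live calls against the real system (AdminAppServer syntax per Doc ID 443978.1).
status_live() {
    java oracle.apps.fnd.security.AdminAppServer "apps/$APPS_PWD" STATUS "DBC=$FND_SECURE/$TWO_TASK.dbc"
}
set_secure_live() {
    java oracle.apps.fnd.security.AdminAppServer "apps/$APPS_PWD" AUTHENTICATION SECURE "DBC=$FND_SECURE/$TWO_TASK.dbc"
}

# Audit the live system; exit 0 only for PASS, and never tighten blindly.
main() {
    result=$(status_live | audit)
    echo "$result"
    case "$result" in
        PASS*)    return 0 ;;
        LOCKOUT*) echo "this node is not registered VALID: register it with AdminAppServer ADD before relying on SECURE" >&2
                  return 2 ;;
        *)        echo "raise the level with set_secure_live once every node reports VALID, then restart the services" >&2
                  return 1 ;;
    esac
}

# Set EBS_AUDIT_RUN=1 to run main against the live system; otherwise only the functions are defined.
if [ "${EBS_AUDIT_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as `EBS_AUDIT_RUN=1 sh audit_server_security.sh` from an environment where the EBS environment file has been sourced; a non-zero exit code makes it usable as a compliance check in a scheduler. The LOCKOUT verdict is the one to act on first: it is the state that turns a hardening change into an outage.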

Conclusion

In conclusion, this is a useful feature that some companies disable to speed up development, but it is strongly recommended to keep it enabled in order to keep your information and your business-critical application secure. Oracle itself strongly recommends not disabling it in production environments. The following reference notes provide more information:

  • How To Access Forms Directly In Oracle Applications R12 (Doc ID 552301.1)
  • How to Administer Server Security in Release 12 (Doc ID 443978.1)

In the following weeks we will be sharing more information about Oracle E-Business Suite security, so stay tuned to our blog!