Explore security guidelines, best practices, and secure architectures for Oracle E-Business Suite. Learn about user management, authentication, authorization, auditing, and more to enhance your security policies. Keep your system secure with Oracle's critical patch updates and trusted host registration.
Brent Mosher, Senior Sales Consultant, Applications Technology, Oracle Corporation
Oracle E-Business Suite Security Management
Agenda
• Security Guidelines
• Secure Architectures
• 11i.10 User Management
• Questions and Answers
Security Policy: Not just for the paranoid any more!
• Authentication
• Authorization
• Auditing
Patching
• Security Alerts
• Oracle Quarterly Critical Patch Update (CPU)
  • Middle of January, April, July, October
  • Covers all Oracle products
  • http://www.oracle.com/technology/deploy/security
• Also monitor alerts for your hardware platform:
  • Operating System
  • Java
  • Management tools, …
11i Security Best Practices
• MetaLink article 189367.1
  • Maintained continuously; check periodically for updated advice (see change log)
  • Major document update released 12/06/2004
• Assumes current patch level
  • 11.5.9 + Recommended Patch Level, or 11.5.10
• Most advice is now automated via the latest AutoConfig and OAM
Oracle Database
• Get to the recommended database release: 9.2.0.5+
• Harden the database and the server machine
• Check privileges on APPLSYSPUB/PUB
  • $FND_TOP/patch/115/sql/afpub.sql
• Change default passwords for Apps accounts
  • Listed in FND_ORACLE_USERID
  • Use FNDCPASS
Oracle Database
• Do not expose the APPS password
• Create alternate accounts
  • Named accounts per human/system
  • Limited grants to APPS objects, according to role
• Audit changes to database security and setup
  • Heavy auditing on human accounts, less on APPS
  • Restrict access to audit information
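The two database slides above, worked through as Oracle SQL to be run by a DBA. This is an added example, not code from the deck or from Oracle: it lists the accounts whose default passwords must be reset with FNDCPASS, creates a named, limited-privilege account in place of a shared APPS login, and turns on the auditing the slides ask for. The role name, the account name, the password placeholder and the object list are assumptions; FND_ORACLE_USERID, FND_USER and FND_RESPONSIBILITY are the APPLSYS objects the deck refers to.

```sql
-- Step 1: accounts registered with E-Business Suite. Each ships with a
-- well-known default password and must be reset with FNDCPASS (the deck's
-- tool), not ALTER USER, which would leave FND_ORACLE_USERID stale.
SELECT oracle_username, description
  FROM applsys.fnd_oracle_userid
 ORDER BY oracle_username;

-- Step 2: a named account for one person instead of a shared APPS login.
-- Role name, account name and object list are assumed; the grants stay
-- limited to what this role needs (read-only on a few security tables),
-- never GRANT ALL and never the APPS password itself.
CREATE ROLE ebs_secaudit_ro;
GRANT CREATE SESSION                       TO ebs_secaudit_ro;
GRANT SELECT ON applsys.fnd_user           TO ebs_secaudit_ro;
GRANT SELECT ON applsys.fnd_responsibility TO ebs_secaudit_ro;
GRANT SELECT ON applsys.fnd_oracle_userid  TO ebs_secaudit_ro;

CREATE USER jdoe IDENTIFIED BY "Placeholder_Str0ngPass"  -- constructed value
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  PASSWORD EXPIRE;              -- forces a private password at first login
GRANT ebs_secaudit_ro TO jdoe;

-- Step 3: heavy auditing on the human account, lighter on APPS.
AUDIT ALL            BY jdoe BY ACCESS;   -- every auditable statement type
AUDIT ALL PRIVILEGES BY jdoe BY ACCESS;   -- every system-privilege use

-- Changes to database security and setup, whoever makes them.
AUDIT USER, ROLE, PROFILE, SYSTEM GRANT, SYSTEM AUDIT BY ACCESS;
AUDIT GRANT ON applsys.fnd_user BY ACCESS;  -- object-level grant changes

-- Step 4: the role above deliberately gets no SELECT on SYS.AUD$ or
-- DBA_AUDIT_TRAIL, so the audit trail stays readable by DBAs only.
```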
Application Server
• Use SSL (HTTPS) for the Web Listener
  • Recommended for internal use as well
• New SSL Setup wizard in OAM 11.5.10
• Manual setup: MetaLink 123718.1, 277574.1
• Performance considerations
  • mod_ssl: about 15% increase in CPU load
  • Hardware accelerators now supported
External Server Security
[Diagram: External PC → External Server; Internal PC → Internal Server]
Control which responsibilities are externally available. Users accessing from outside your firewall will see a restricted set of Responsibilities in the Navigator.
External Server Security
• Mark external servers
  • Node Trust Level (server profile option)
  • Set to "External" for externally facing servers
  • Set to "Normal" at Site level
• Mark externally available Responsibilities
  • Responsibility Trust Level (profile option)
  • Set to "External" for externally available responsibilities
  • Set to "Normal" at Site level
• External access is restricted by the security system
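A read-only check for the setup on this slide, added here and not part of the deck: it reports the site-level default of both trust-level profile options and every server and responsibility that overrides it. It assumes the standard profile level ids (10001 = Site, 10003 = Responsibility, 10005 = Server) and that FND_NODES is keyed by the same node_id stored in level_value; the stored value may be a code rather than the words "Normal"/"External", so compare overrides against the site row rather than filtering on a literal.

```sql
-- Site-level defaults (the deck says both should be "Normal").
SELECT p.user_profile_option_name, v.profile_option_value
  FROM apps.fnd_profile_option_values v
  JOIN apps.fnd_profile_options_vl  p ON p.profile_option_id = v.profile_option_id
 WHERE p.user_profile_option_name IN ('Node Trust Level', 'Responsibility Trust Level')
   AND v.level_id = 10001;                         -- Site (assumed id)

-- Servers that override Node Trust Level: expect only the externally
-- facing nodes here, each marked External.
SELECT n.node_name, v.profile_option_value AS node_trust_level
  FROM apps.fnd_profile_option_values v
  JOIN apps.fnd_profile_options_vl  p ON p.profile_option_id = v.profile_option_id
  JOIN apps.fnd_nodes               n ON n.node_id = v.level_value  -- assumed join
 WHERE p.user_profile_option_name = 'Node Trust Level'
   AND v.level_id = 10005                          -- Server (assumed id)
 ORDER BY n.node_name;

-- Responsibilities that override Responsibility Trust Level: this is the
-- list a user outside the firewall can reach, so review it periodically.
SELECT r.responsibility_name, v.profile_option_value AS resp_trust_level
  FROM apps.fnd_profile_option_values v
  JOIN apps.fnd_profile_options_vl  p ON p.profile_option_id = v.profile_option_id
  JOIN apps.fnd_responsibility_vl   r ON r.responsibility_id = v.level_value
 WHERE p.user_profile_option_name = 'Responsibility Trust Level'
   AND v.level_id = 10003                          -- Responsibility (assumed id)
 ORDER BY r.responsibility_name;
```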
DMZ Reverse Proxy (future)
• Relays valid requests to the Application Server
  • Apache or WebCache
  • No Applications code on this tier
• URL filtering limits access to specific pages
  • External product teams will supply URL patterns
  • Mitigates the "unnecessary code" problem
• Certification in progress
  • Look for the white paper (in progress) in note 287176.1
E-Business Suite Configuration
• Harden EBS security setup
  • Check GUEST user privileges
  • Review access to powerful forms (Security, SQL)
  • Check settings of critical profile options
• Enable auditing
  • Sign-on Audit at the "Form" level
  • Audit Trail for key security tables
11i Basic Security
[Diagram: User → Responsibility → Menu(s) → Function(s); a user may hold several Responsibilities]
New Model: User Management
• Optional 11i.10 permission repository
  • Full registry of what is available
• Administration at the business level
  • Roles simplify administration
  • Grants to Roles represent policy and rarely change
  • Hierarchical Roles reuse common setup
• Allows for delegated administration
  • Security Administrator defines Role Permissions
  • Role Administrators manage Role Membership
Role Based Access Control
• A Role is the actions and activities assigned to a person or group.
• A role can be modeled using:
  • Responsibilities
  • Permissions
  • Function Security Policies
  • Data Security Policies
• A user can be assigned several roles.
• A role can be assigned to several users.
Role Based Access Control
[Diagram labels: Roles, Responsibilities, Permissions, Function Security Rules, Data Security Rules]
User Management Key Features
• Role Based Management
• Role Inheritance
• Self Service Registration
• Delegated User Management
Registration Process
Types of Registration Processes:
• Self Service Account Requests
• Requests for Additional Access
• Account Creation and Access Role Assignment by Administrators
Registration Process
Link generated using User Management's registration link generator.
Delegated Administration
• Create a role that represents a set of local administrators
• Identify the subset of users the admin can manage and the administrative functions that can be performed on this user set
• Identify the organizational relationships the admin can manage
• Choose the roles that the administrator can administer
• Grant any other permissions if necessary
Delegated Administration
[Screenshot: Create Role]
[Diagram labels: Org A, Org B, Admin of Org A, Reseller of, Partner]
User Management Strategic Implementation Program
• Ensure smooth implementations for new products
• Requires willingness and commitment
• Discuss with your local applications sales team
Oracle MetaLink Notes
• Note 258281.1 – About User Management
• Note 189367.1 – Security Best Practices
• Note 287176.1 – DMZ Configuration
• RBAC: http://csrc.nist.gov/rbac/rbac-std-ncits.pdf
Questions & Answers