OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Ready or Not: Applying Secure Configuration to Oracle E‐Business Suite. Eric Bing, Senior Director, Applications Product Security; Elke Phelps, Senior Principal Product Manager, Applications Technology; Oracle E‐Business Suite Development. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted

Upload: vasuballa

Post on 15-Apr-2017


TRANSCRIPT

Page 1: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Ready or Not: Applying Secure Configuration to Oracle E‐Business Suite

Eric Bing, Senior Director, Applications Product Security
Elke Phelps, Senior Principal Product Manager, Applications Technology
Oracle E‐Business Suite Development

Page 2: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Program Agenda

1. Follow secure deployment recommendations
2. Reduce your attack surface
3. Follow auditing guidelines
4. Migrate to TLS 1.2
5. Learn about EBS on Oracle Cloud security features


Page 4: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite Secure Configuration Timeline

[Timeline figure covering releases 11i, 12.0, 12.1, 12.2, 12.2.4, 12.2.5 and 12.2.6, with dated milestones from 5/2002 to 9/2016. Items shown: the 11i, 12 and 12.1 Secure Configuration Guides; the 12.2 Secure Configuration Chapter and its update; the 11i and 12 DMZ Configuration guides; Secure Configuration Check Scripts; EM Compliance Checks for EBS; Auditing Guidelines and Scripts; 12.2 Allowed JSPs; 12.2 Allowed Redirects; the 12.2 Secure Configuration Console; 12.2 “Allowed” features on in installs and upgrade.]

Page 5: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

An analysis of researcher reported attacks against Oracle E‐Business Suite 12.2 showed that if you deployed your environment per our Secure Configuration Guidelines you would have reduced your vulnerability exposure by 77%.

Turning off products that are not used will reduce your exposure even further.

Page 6: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

What’s Available Now to Assist You? (New)

Documentation
• New content throughout the Security Administration Guide
  – Secure Configuration Chapter updated
  – Auditing and Logging chapter updated
  – New Secure Configuration Console chapter
• Enabling TLS 1.2 MOS notes updated
• Security FAQ

Secure Configuration Console
• New tool to assist with secure configuration
• Easy to see where you are out of compliance
• Enable features via the console
• Guidance is provided for features that cannot be turned on via the console

On By Default (12.2.6)
• Allowed JSPs
  – Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
  – Prevents access to JSPs which are not used
• Allowed Redirects
  – Defines whitelist of allowed redirect destinations for Oracle E‐Business Suite 12.2
  – Prevents redirects that are not listed as allowed

Page 7: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Follow Secure Deployment Recommendations

A. Stay current with patching
B. Follow secure deployment recommendations

Page 8: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

How to Deploy Oracle E‐Business Suite Securely

Stay Current with Patching

• Apply Critical Patch Updates (CPUs) + Security Alerts
  – Critical Patch Advisory Page: http://www.oracle.com/technetwork/topics/security/alerts-086861.htm
  – Product Security Updates (PSUs) are an option for the database
    • PSUs include CPUs + other database recommended patches
    • EBS customers may apply either CPUs or PSUs for the DB
    • As of 12c only PSUs will be released
• Apply latest maintenance pack or release update pack
  – Yes, Oracle E‐Business Suite maintenance packs and release update packs improve security as well

Page 9: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

How to Deploy Oracle E‐Business Suite Securely

Follow Secure Deployment Recommendations

• Secure Configuration Guide for Oracle E‐Business Suite
  – Previously known as “Best Practice” documents
  – Release 12.1, MOS Doc ID 403537.1
  – Release 12.2, Security Administration Guide, Secure Configuration Chapter
• Oracle E‐Business Suite Configuration in a DMZ
  – Follow this guide if your Oracle E‐Business environment is internet accessible
  – Release 12.1, MOS Note 380490.1
  – Release 12.2, MOS Note 1375670.1

Page 10: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Secure Configuration Scripts

• Scripts are packaged as SQL and Shell scripts
  – Check for updated scripts on a periodic basis
  – EBSSecConfigChecks.sql – runs all (12) other SQL scripts
    • Results are compiled into a single report
    • Comments in the scripts often contain hints for resolution
  – EBSCheckModSecurity.sh
  – EBSCheckFormsBlockChar.sh
• You should perform routine configuration “Health Checks”
  – Create a baseline for your environment
  – Run scripts often and compare against your baseline…check for differences

MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E‐Business Suite

Page 11: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Secure Configuration Console (New)

• Check – Run the checks
• Configure – Fix a configuration which is out of compliance
• Suppress – Mute checks that are not relevant to your system
• Unsuppress – Unmute previously suppressed checks

Page 12: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Secure Configuration Console (New)

Failure Details

Page 13: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Secure Configuration Console (New)

Security Guideline Details

Page 14: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle Enterprise Manager: Oracle E‐Business Suite Plug‐In

Compliance Rules

• Out‐of‐box security compliance checks for Oracle E‐Business Suite
• Integration with Enterprise Manager compliance framework
• Security compliance violations and trends are generated
• Real‐time observations of security compliance in your environment

Page 15: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite 12.2 Data Masking Template (New)

• Enterprise Manager 13c Data Masking Pack

What is data masking?
• The act of anonymizing customer, financial, or company‐confidential data to create new, legible data that retains the data's properties, such as its width, type, and format

Why mask your data?
• To protect confidential data in non‐production environments when the data is shared with non‐production users without revealing sensitive information

Production
LAST_NAME    SSN           SALARY
AGUILAR      203‐33‐3234   40,000
BENSON       323‐22‐2943   60,000

Non‐Production
LAST_NAME    SSN           SALARY
ANSKEKSL     111‐23‐1111   75,000
BKJHHEIEDK   222‐34‐1345   45,000


Page 17: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Reduce Your Attack Surface

• Allowed JSPs
  – Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
  – Prevents access to JSPs which are not used
  – Enables configuration of allowed JSPs to avoid unnecessary exposure
• Allowed Redirects
  – Defines whitelist of allowed redirects for Oracle E‐Business Suite 12.2
  – Prevents redirects that are not listed as allowed
  – Enables configuration of allowed redirects to avoid unnecessary exposure
• Cookie Domain Scoping
  – Provide additional protection for communication between the browser and the Oracle E‐Business Suite web tier
  – Define the scope for cookie sharing to avoid unnecessary exposure
• DMZ Configuration
  – Limited number of Oracle E‐Business Suite products certified for internet access
  – Responsibilities available for external use only upon configuration
  – URL Firewall exposes only the pages that are required

Page 18: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Reduce Your Attack Surface

• Allowed JSPs
  – Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
  – Prevents access to JSPs which are not used
  – Enables configuration of allowed JSPs to avoid unnecessary exposure
• Allowed Redirects
  – Defines whitelist of allowed redirects for Oracle E‐Business Suite 12.2
  – Prevents redirects that are not listed as allowed
  – Enables configuration of allowed redirects to avoid unnecessary exposure
• Cookie Domain Scoping
  – Provide additional protection for communication between the browser and the Oracle E‐Business Suite web tier
  – Define the scope for cookie sharing to avoid unnecessary exposure
• DMZ Configuration
  – Limited number of Oracle E‐Business Suite products certified for internet access
  – Responsibilities available for external use only upon configuration
  – URL Firewall exposes only the pages that are required

*On by default with EBS 12.2.6

Page 19: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Feature Overview of Allowed JSPs

Principles

• Reduces the attack surface of Oracle E‐Business Suite
• Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
  – A whitelist is an explicit list of items that are allowed for access
• Prevents access to JSPs which are not used
• Enables configuration of actively allowed JSPs to avoid unnecessary exposure
• Allows custom JSPs to be defined in the list of allowed JSPs

Page 20: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Allowed JSPs

Configuration Overview

• Configuration Files
    $OA_HTML/WEB-INF/web.xml
    $FND_SECURE/allowed_jsps.conf - master configuration file
    $FND_SECURE/allowed_jsps_<Family>.conf
    $FND_SECURE/allowed_jsps_<Family>_<Product>.conf
  – Custom configuration files may also be defined
• Profile Option
  – Allow Unrestricted JSP Access

Page 21: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Overview of Configuring Allowed JSPs

On By Default in E‐Business Suite 12.2.6

1. Evaluate product family usage
2. Cross‐check restricted JSPs against access_log
3. Add custom JSPs
4. Continue to refine the list (comment out JSPs not used)
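The cross-check in steps 2 and 4, sketched as an added example (not Oracle tooling and not code from the presentation): it compares the JSPs requested in an Apache-format access_log against an allow-list. The allow-list format (one JSP path per line, `#` to comment an entry out), the `xx_` JSP names and the log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request line of an Apache common/combined log entry, e.g. "GET /x.jsp HTTP/1.1"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed allow-list text. Assumed format: one JSP path per line,
# a leading '#' comments an entry out. The xx_ names are made up.
SAMPLE_ALLOWED = """\
# constructed sample, not a shipped allowed_jsps file
/OA_HTML/xx_login.jsp
/OA_HTML/xx_home.jsp
/OA_HTML/xx_legacy_report.jsp
#/OA_HTML/xx_retired.jsp
"""

# Constructed access_log lines (Apache common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2016:10:01:22 -0700] "GET /OA_HTML/xx_login.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [12/Sep/2016:10:01:25 -0700] "POST /OA_HTML/xx_home.jsp?page=2 HTTP/1.1" 200 812
10.0.0.7 - - [12/Sep/2016:10:02:10 -0700] "GET /OA_HTML/xx_home.jsp;jsessionid=abc123 HTTP/1.1" 200 812
10.0.0.9 - - [12/Sep/2016:10:03:41 -0700] "GET /OA_HTML/xx_custom_form.jsp HTTP/1.1" 200 199
10.0.0.9 - - [12/Sep/2016:10:03:44 -0700] "GET /OA_HTML/xx%5Fretired.jsp HTTP/1.1" 200 199
10.0.0.5 - - [12/Sep/2016:10:04:00 -0700] "GET /OA_HTML/media/logo.gif HTTP/1.1" 200 1043
"""


def parse_allowed(conf_text):
    """Return (active, commented_out) sets of JSP paths from allow-list text."""
    active, commented = set(), set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Remember commented-out JSP entries so later hits on them stand out.
            candidate = line.lstrip("#").strip()
            if candidate.startswith("/") and candidate.endswith(".jsp"):
                commented.add(candidate)
            continue
        if line.endswith(".jsp"):
            active.add(line)
    return active, commented


def requested_jsps(log_lines):
    """Count requests per JSP path, ignoring query strings and path parameters."""
    hits = Counter()
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # malformed or non-HTTP entry
        path = match.group("target").split("?", 1)[0]  # drop the query string
        path = unquote(path).split(";", 1)[0]          # decode, drop ;jsessionid=...
        if path.endswith(".jsp"):
            hits[path] += 1
    return hits


def cross_check(conf_text, log_lines):
    """Compare observed JSP traffic with the allow-list."""
    active, commented = parse_allowed(conf_text)
    hits = requested_jsps(log_lines)
    return {
        # Step 3 input: in use but not allowed (custom JSP to add, or traffic to review).
        "requested_not_allowed": {p: n for p, n in hits.items() if p not in active},
        # Entries already commented out that still receive requests.
        "requested_but_commented_out": sorted(p for p in hits if p in commented),
        # Step 4 input: allowed but never seen in the log window.
        "allowed_never_requested": sorted(active - set(hits)),
    }


if __name__ == "__main__":
    for name, value in cross_check(SAMPLE_ALLOWED, SAMPLE_LOG.splitlines()).items():
        print(name, value)
```

Run it over a log window long enough to include period-end and other infrequent activity before commenting out entries that show no requests.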

Page 22: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Allowed JSPs (New)

Automatic configuration

• Automatically configure products in your allowed JSP configuration for you
  – txkCfgJSPWhitelist.pl – Currently only available in 12.2.6
• Configuration based on
  – Whether we detect transactional data
  – How commonly the product is used

Page 23: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Allowed JSPs (New)

Automatic configuration

• Two modes
  – REPORT – reports on current status, product usage and what the script will do
  – UPDATE – modifies the configuration files
• Usage:

    $ perl txkCfgJSPWhitelist.pl -contextfile=$CONTEXT_FILE -mode=report
    Configuration file          Current Status   Transactional Data   Updated Status
    allowed_jsps_CRM_ASL.conf   ACTIVE           ABSENT               INACTIVE
    …
    allowed_jsps_CRM_AMV.conf   ACTIVE           AVAILABLE            ACTIVE
    …

Page 24: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Whitelisted Resources (Roadmap)

Allowed Servlets

• Expanding out Allowed JSP feature to additional Allowed Resources
  – Explicit list of servlets that are exposed
  – Rebranding ‐ New Profile
    • Security: Whitelisted Resources
      – Values: All, JSPs, None
    • Replaces Allow Unrestricted JSP Access


Page 26: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Auditing and Logging

• Documentation
  – Oracle E‐Business Suite 12.2 Security Guide, Auditing and Logging Chapter
  – MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E‐Business Suite
• Scripts
  – Download EBSAuditScripts.zip (contains multiple SQL scripts)
    • Validate audit configuration
    • Query audit tables
    • Configure database auditing
  – Check periodically for updates to EBSAuditScripts.zip

Page 27: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Auditing and Logging

Categories

• Recent and current activity (monitoring)
  – Information about what is happening currently in the system
  – Information about the last activity performed on a specific record or by a specific session
• Historical activity
  – Information is similar to recent and current activity that is captured
  – Information is retained (historical records of activity)
• Unexpected events
  – Unexpected errors reported by the application or technology stack
  – Unexpected errors can include security related activity

Page 28: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Auditing and Logging

Recent or Current Activity
• Data Changes Tracked with Row Who Columns
• Sign‐On Audit
• Session Auditing
• Database connection tagging

Historical Activity
• Apache Access Logs
• Page Access Tracking
• Oracle E‐Business Suite AuditTrail
• Proxy User Auditing
• Database listener log
• Database alert log
• Database auditing
• Fine‐grained auditing

Unexpected Events
• Unsuccessful logon attempts
• Debug logging
• OHS Apache error logs
• Database listener log
• Database alert log


Page 30: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Transport Layer Security (TLS) vs Secure Socket Layer (SSL)

Review

• TLS is the successor to SSL; HTTPS is HTTP working on top of TLS
• TLS 1.2 is what we will talk about for Oracle E‐Business Suite going forward
• SSL 3.0 is no longer recommended (dead)
• TLS creates an encrypted connection between two machines allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery
• Industry standards mandating the move to TLS 1.2
  – OMB NIST mandate (800‐52 rev1) to move to TLS 1.2
  – PCI council (PCI DSS v3.1) requires new implementations to be on at least TLS 1.1
    • Migrate to a minimum of TLS 1.1, preferably TLS 1.2 by June 2018

Page 31: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

TLS Addresses Recent Security Vulnerabilities

• POODLE
  – Padding Oracle On Downgraded Legacy Encryption
  – Migration to TLS (SSLv3 is turned off)
• FREAK, Logjam, RC4‐NO‐MORE
  – Factoring Attack on RSA‐EXPORT Keys
  – Weak DH parameters (<2048), RC4
  – Disable weak cipher suites
  – Strong cipher suites by default
    • For example, EBS R12.2 (FMW 11.1.1.9):

      [000a] RSA_DES_192_CBC3_SHA
      [002f] RSA_WITH_AES_128_SHA
      [0035] RSA_WITH_AES_256_SHA
      [003c] RSA_WITH_AES_128_CBC_SHA256   (available with TLS 1.2)
      [003d] RSA_WITH_AES_256_CBC_SHA256   (available with TLS 1.2)
      [009c] RSA_WITH_AES_128_GCM_SHA256   (available with TLS 1.2)
      [009d] RSA_WITH_AES_256_GCM_SHA384   (available with TLS 1.2)

Page 32: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

“everything less than TLS 1.2 … is cryptographically broken”

– Adam Langley, Google Chrome

Page 33: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

TLS Connections in Oracle E‐Business Suite

• Inbound connections from a client to the Oracle HTTP Server
• Loopback connections from Oracle E‐Business Suite to itself
• Outbound connections from Oracle E‐Business Suite to External Site(s)

[Diagram. Labels: Intranet User, Internet User, External Application Node, DMZ, Internal Application Node, EBS Database, External Site]

Page 34: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Examples of TLS Connections in Oracle E‐Business Suite

Inbound Connections
• Browser access
• Forms access
• Incoming XML Gateway message
• Mobile access via a REST service

Loopback Connections
• Workflow notification emails from Concurrent Manager tier
• Payment call back from database tier
• OAM log viewer

Outbound Connections
• Punchout in iProcurement
• XML Gateway connection to a partner application
• Payments credit card processing

Page 35: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

What’s New with the Certification of EBS and TLS 1.2? (New)

• Oracle E‐Business Suite Release 12.2 and 12.1 Certified with TLS 1.2
  – “TLS 1.2 with Backward Compatibility” aka “TLS 1.2 w/BC”
  – Mandatory prerequisites and configuration
• Oracle E‐Business Suite Release 12.1 Uses OpenSSL
• Optional Configurations
  – Configuring “TLS 1.2 Only”
  – Disabling HTTP Port
  – Enabling TLS from Oracle HTTP Server (OHS) to Application Server (OC4J / WLS)
    • Certified for EBS 12.1: OHS to OC4J
    • Pending certification for EBS 12.2: OHS to WebLogic Server (WLS)

Page 36: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

What’s New with the Certification of EBS and TLS 1.2?

For Reference Only for Existing SSL/TLS 1.0 Customers (Content for SSLv3 and TLS 1.0)
• EBS 12.2: MOS Note 1367293.1
• EBS 12.1: MOS Note 376700.1

New Note ID (Structure and Content for TLS 1.2)
• EBS 12.2: MOS Note 2143101.1 (New)
• EBS 12.1: MOS Note 2143099.1 (New)


Page 38: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite on Oracle Cloud

Security Lists and Security Rules

Security List
Allows you to control network access to or from Oracle Compute Cloud Service instances.

[Diagram. Labels: SecList1, SecList3, SecList4, SecList5]

Page 39: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite on Oracle Cloud

Security Lists and Security Rules

Security List
Allows you to control network access to or from Oracle Compute Cloud Service instances.

Security Rule
Like a firewall rule, allows you to define what traffic is permitted between security lists, instances and external hosts.

[Diagram. Labels: SecList1, SecList2, SecList3, SecList4; rule: Allow DB Port]

Page 40: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite on Oracle Cloud

Additional Security with Security Lists and Security Rules

[Diagram. Labels: EBS App Node 1, EBS App Node 2, DB Node, OTD, Provisioning Tools VM; security lists env_app, env_otd, env_db, [host]_provm; VPN/Security IP List; on-premises]

Page 41: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite on Oracle Cloud

Additional Security with Security Lists and Security Rules

[Diagram. Labels: EBS App Node 1, EBS App Node 2, DB Node, OTD, Provisioning Tools VM; security lists env_app, env_otd, env_db, [host]_provm; on-premises; rules shown: Allow ssh]

Page 42: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite on Oracle Cloud

Additional Security with Security Lists and Security Rules

[Diagram. Labels: EBS App Node 1, EBS App Node 2, DB Node, OTD, Provisioning Tools VM; security lists env_app, env_otd, env_db, [host]_provm; VPN/Security IP List; on-premises; Oracle Cloud; rules shown: Allow http/https]

Page 43: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite on Oracle Cloud

Additional Security with Security Lists and Security Rules

[Diagram. Labels: EBS App Node 1, EBS App Node 2, DB Node, OTD, Provisioning Tools VM; security lists env_app, env_otd, env_db, [host]_provm; VPN/Security IP List; Oracle Cloud; rules shown: Allow required ports]

Page 44: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Roadmap

Page 45: OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]

Oracle E‐Business Suite Security (Roadmap)

Oracle Cloud & On‐Premises
• Turn additional security features on by default
• Whitelisted Resources
• Add additional checks to the Secure Configuration Console
• Certify EBS 12.1 Data Masking Templates with EM13cR1

Oracle Cloud
• Certify Database 12c Database Vault (DBCS) with EBS 12.2
• Provide an improved process for enabling TDE with EBS 12.1.3 and EBS 12.2 on DBCS

On‐Premises
• Certify Database Vault for EBS 12.2 with Database 12c and 11gR2
• Certify Database Vault for EBS 12.1.3 and Database 12c