Wednesday, June 13, 2012

Oracle Apps Security

Purpose: The purpose of this blog article is to cover the security aspects of Oracle Apps and how to handle them. We need to look at all the layers, from top to bottom: Applications, DB, OS etc.

Changing database passwords (like APPS, SYSTEM, SYS etc)
Important Note: Please do not use special characters like @ / # / $ / % etc in any database passwords.

Changing password of SYS, SYSTEM, DBSNMP

Login to the database server and issue the following commands:

sqlplus "/ as sysdba"
alter user system identified by <new_password>;
alter user sys identified by <new_password>;
alter user dbsnmp identified by <new_password>;

Once the passwords are changed, they also need to be changed in EM (if it is installed and used). For this, login to EM using the sysman account, then navigate to Preferences > Preferred Credentials > Database Instances > click on Set Credentials, and change the passwords against the appropriate database. Also change the password of the dbsnmp user in the DB config form.

Document all the steps to perform the password change of DB users.
General guidelines regarding schema passwords:
1)    The APPS password should be different from those of the other Applications base schemas like AP, GL, AR etc.
2)    A user called ROAPPS (Read Only APPS) should be created for those who need read-only access to the APPS schema.
3)    The base schemas (like AP, AR, GL) can either follow the same pattern, like AP/AP2008, GL/GL2008, or have different passwords. This depends on whether some schema passwords are shared with others.
4)    The password change procedure should be tested in the TEST instance first and documented, and only then executed on PROD.
5)    Please do not keep the same password in TEST and PROD.
6)    Use the relevant tools to change passwords, like FNDCPASS for APPS, GL etc.

Important: It is also recommended to implement the Oracle Applications Auditing feature, to track changes in important tables.

Changing OS (Operating System) passwords

Document all the steps to be followed for changing OS passwords.
For those who need access to check log files and similar things, a user called "viewer" in group "viewer" with password "viewer" should be created and given to the required user. Also we need to change the vncserver password if it is started from root or a normal unix user. And lastly, it is recommended to have a separate username for each DBA, so that he first has to login to the server using his own username and then su - <application / database owner user>. In this case direct access to root and to the application / database user should be restricted.

Procedure to change Applications User Passwords (Like SYSADMIN)

Document the steps to change the Applications password of the SYSADMIN user.
The SYSADMIN password should not be shared with any other user. This password should be held only by the DBAs.

There are quite a few profile options available in Applications which can be used to tighten front-end security, such as:
a.    Signon Password Hard to Guess => Yes
The password contains at least one letter and at least one number.
The password does not contain the username.
The password does not contain repeating characters.

b.    Signon Password Length => 8 to 10
Signon Password Length sets the minimum length of an Applications signon password. If no value is entered the minimum length defaults to 5.

c.    Signon Password No Reuse => 10000
This profile option specifies the number of days that a user must wait before being allowed to reuse a password.

d.    Signon Password Failure Limit => 3
The maximum number of login attempts before the user's account is disabled.

e.    ICX:Session Timeout => 20 Min / 60 min
This prevents the misuse of an unlocked desktop.
This profile option determines the length of time (in minutes) of inactivity in a user's session before the session is disabled. If the user does not perform any operation in Oracle Applications for longer than this value, the session is disabled. The user is given the opportunity to re-authenticate and re-enable a timed-out session. If re-authentication is successful, the session is re-enabled and no work is lost. Otherwise, Oracle Applications exits without saving pending work.

f.     Sign-On:Notification => Yes
Displays a message at login that indicates:
If any concurrent requests failed since your last session,
How many times someone tried to log on to Oracle Applications with your username but an incorrect password, and
When the default printer identified in your user profile is unregistered or not specified.
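As an added example (my own code, not from the original post), here is a small Python checker and generator for database and Applications passwords. It applies the "Signon Password Hard to Guess" and "Signon Password Length" rules listed above and also avoids the @ / # / $ / % characters warned about in the database password note; the names `policy_violations` and `generate_password` are my own, and "repeating characters" is assumed to mean the same character twice in a row.

```python
import re
import secrets
import string

# Characters the post warns against in database passwords (@ / # / $ / %),
# plus quotes, which tend to break sqlplus command lines.
BANNED_CHARS = set("@/#$%'\"")
# "Signon Password Length => 8 to 10" from the profile options above.
MIN_LEN, MAX_LEN = 8, 10


def policy_violations(password, username):
    """Return the rules a candidate password breaks (empty list means it passes).

    The rules are the "Signon Password Hard to Guess" checks quoted in the post,
    the 8-10 length setting and the banned-character note. "Repeating characters"
    is assumed here to mean the same character twice in a row.
    """
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("length must be %d-%d" % (MIN_LEN, MAX_LEN))
    if not any(c.isalpha() for c in password):
        violations.append("needs at least one letter")
    if not any(c.isdigit() for c in password):
        violations.append("needs at least one number")
    if username and username.lower() in password.lower():
        violations.append("must not contain the username")
    if re.search(r"(.)\1", password):
        violations.append("must not contain repeating characters")
    if BANNED_CHARS & set(password):
        violations.append("contains a character that breaks Oracle tooling")
    return violations


def generate_password(username, length=10):
    """Draw candidates from the OS CSPRNG until one satisfies the policy."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be %d-%d" % (MIN_LEN, MAX_LEN))
    # Letters and digits only, so the value never needs quoting in ALTER USER.
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate, username):
            return candidate


if __name__ == "__main__":
    # Constructed sample candidates: the first three each break one rule.
    for pw in ("Gl2008aa", "Ap2019xy", "Ab12@xyz", "Gl2019xy"):
        print(pw, policy_violations(pw, "ap") or "OK")
    print("generated for APPS:", generate_password("apps"))
```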

Apart from this, the customer should monitor the list of users who have powerful responsibilities like GL Super User, System Administrator etc and reduce the number of such users as far as possible.
Lastly, inactive users who have not logged in during the last 3-6 months should be locked in the system.
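An added example (mine, not part of the original post) of the review described above: given account rows of the kind one would pull from FND_USER together with each user's responsibilities, it lists the active accounts that have not logged in within the chosen window and the accounts holding powerful responsibilities. The sample rows, the `POWERFUL_RESPS` set, `REVIEW_DATE` and the `review_users` function are constructed for illustration.

```python
from datetime import date, timedelta

# Responsibilities the post singles out as powerful (extend for your site).
POWERFUL_RESPS = {"System Administrator", "General Ledger Super User"}

# Review date used for the sample run (constructed: the post's own date).
REVIEW_DATE = date(2012, 6, 13)

# Constructed sample rows standing in for FND_USER joined to the user's
# responsibilities; in a real review they would come from a SQL query.
SAMPLE_USERS = [
    {"user_name": "SYSADMIN", "last_logon": date(2012, 6, 1), "end_date": None,
     "resps": ["System Administrator"]},
    {"user_name": "JSMITH", "last_logon": date(2012, 2, 1), "end_date": None,
     "resps": ["General Ledger Super User", "Payables Manager"]},
    {"user_name": "TEMP01", "last_logon": None, "end_date": None,
     "resps": ["Payables Manager"]},
    {"user_name": "OLDUSER", "last_logon": date(2010, 1, 5),
     "end_date": date(2011, 1, 1), "resps": []},
]


def review_users(users, today, inactive_days=90):
    """Return (accounts to lock, accounts with powerful responsibilities).

    An account is a lock candidate when it is not already end-dated and has
    never logged in or last logged in more than inactive_days ago.
    """
    cutoff = today - timedelta(days=inactive_days)
    to_lock, privileged = [], []
    for u in users:
        if u["end_date"] is not None and u["end_date"] <= today:
            continue  # already end-dated, nothing to do
        if u["last_logon"] is None or u["last_logon"] < cutoff:
            to_lock.append(u["user_name"])
        if POWERFUL_RESPS & set(u["resps"]):
            privileged.append(u["user_name"])
    return sorted(to_lock), sorted(privileged)


if __name__ == "__main__":
    for window in (90, 180):  # the 3-month and 6-month bands from the post
        print(window, "days:", review_users(SAMPLE_USERS, REVIEW_DATE, window))
```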

Other guidelines for DBAs:

  • Do Not Allow Shared Accounts
  • Do Not Use Generic Passwords
  • Treat All Non-Production Instances With The Same Security As Production
  • Restrict Network Access - Set Password on Database Listener
  • Minimize Passwords Contained In OS Files
  • Secure Default Database Accounts
  • Be Proactive!
  • Apply all prior, and plan in advance to apply any new Oracle Security Patches
  • Limit Access To Forms Allowing SQL Entry
  • Stop isqlplus process on server side (if started)
  • Restrict Network Access - Limit Direct Access To The Database
  • Change the passwords at least once every 3 months
