Purpose: The purpose of this blog article is to cover the security aspects of Oracle Apps and how to handle them. We need to look at all the layers, from top to bottom: Applications, DB, OS etc.
Changing database passwords (like APPS, SYSTEM, SYS etc)
Important Note: Please do not use special characters like @ / # / $ / % etc in any database passwords.
Changing password of SYS, SYSTEM, DBSNMP
Log in to the database server and issue the following commands:
sqlplus "/ as sysdba"
alter user system identified by <new_password>;
alter user sys identified by <new_password>;
alter user dbsnmp identified by <new_password>;
Once the passwords are changed, they need to be changed in EM as well (if it is installed and used). For this, log in to EM using the sysman account. Then navigate to Preferences > Preferred Credentials > Database Instances > click on Set Credentials, then change the passwords against the appropriate database. Also change the password of the dbsnmp user in the DB config form.
Document all the steps to perform the password change of DB users.
General guidelines regarding schema passwords:
1) The APPS password should be different from those of the other Applications base schemas like AP, GL, AR etc.
2) A user called ROAPPS (Read Only APPS) should be created for those who need read access to the APPS schema.
3) Regarding base schemas (like AP, AR, GL), they can follow the same pattern, like AP/AP2008, GL/GL2008, or they can have different passwords. This depends on whether some schema passwords are shared with others.
4) The password change procedure should be tested in a TEST instance first, documented, and only then executed on PROD.
5) Please don’t keep the same password in TEST and PROD.
6) Use the relevant tools to change passwords, like FNDCPASS for APPS, GL etc.
Important: It is also recommended to implement the Oracle Applications Auditing feature to track changes in important tables.
Changing OS (operating system) passwords
Document all the steps to be followed for changing OS passwords.
For those who need access to check log files and the like, a user called “viewer” in group “viewer” with password “viewer” should be created and given to the required user. We also need to change the vncserver password if it is started from root or a normal unix user. And lastly, it is recommended to have a separate username for each DBA, so that he first has to log in to the server using his own username and then su - <application / database owner user>. In this case, direct access to root and the application / database user should be restricted.
Procedure to change Applications User Passwords (Like SYSADMIN)
Document the steps to change the Applications password of the SYSADMIN user.
The SYSADMIN password should not be shared with any other user. This password should be with only the DBAs.
There are quite a few profile options available in Applications which can be used to tighten front-end security, such as:
a. Signon Password Hard to Guess => Yes
- The password contains at least one letter and at least one number.
- The password does not contain the username.
- The password does not contain repeating characters.
b. Signon Password Length => 8 to 10
Signon Password Length sets the minimum length of an Applications signon password. If no value is entered, the minimum length defaults to 5.
c. Signon Password No Reuse => 10000
This profile option specifies the number of days that a user must wait before being allowed to reuse a password.
d. Signon Password Failure Limit => 3
The maximum number of login attempts before the user's account is disabled.
e. ICX:Session Timeout => 20 min / 60 min
Will prevent the misuse of an unlocked desktop.
This profile option determines the length of time (in minutes) of inactivity in a user's session before the session is disabled. If the user does not perform any operation in Oracle Applications for longer than this value, the session is disabled. The user is provided the opportunity to re-authenticate and re-enable a timed-out session. If re-authentication is successful, the session is re-enabled and no work is lost. Otherwise, Oracle Applications exits without saving pending work.
f. Sign-On:Notification => Yes
Displays a message at login that indicates:
- If any concurrent requests failed since your last session,
- How many times someone tried to log on to Oracle Applications with your username but an incorrect password, and
- When the default printer identified in your user profile is unregistered or not specified.
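To check what these profile options are actually set to, the following read-only query lists each one with the level and value it is set at. It is an added example, not part of the original article, and it assumes the standard FND profile tables, a 'US' language installation and user-visible option names matching those listed above.

```sql
-- Added example: where is each sign-on profile option set, and to what?
-- Read-only. Assumes the standard FND tables and a 'US' base language.
-- A value set at User or Responsibility level can differ from the
-- Site value, so review every row, not only the Site one.
SELECT t.user_profile_option_name   AS profile_option,
       DECODE(v.level_id,
              10001, 'Site',
              10002, 'Application',
              10003, 'Responsibility',
              10004, 'User',
              NULL,  'NOT SET (default applies)',
              TO_CHAR(v.level_id))  AS set_at_level,
       v.level_value,               -- id of the application/responsibility/user
       v.profile_option_value       AS current_value
FROM   fnd_profile_options_tl t
JOIN   fnd_profile_options o
       ON  o.profile_option_name = t.profile_option_name
LEFT JOIN fnd_profile_option_values v
       ON  v.profile_option_id = o.profile_option_id
       AND v.application_id    = o.application_id
WHERE  t.language = 'US'
-- LIKE patterns tolerate spacing differences in the displayed names;
-- 'Signon Password%' also returns any other sign-on password options.
AND   (   t.user_profile_option_name LIKE 'Signon Password%'
       OR t.user_profile_option_name LIKE 'ICX%Session Timeout'
       OR t.user_profile_option_name LIKE 'Sign-On%Notification')
ORDER  BY t.user_profile_option_name, v.level_id;
```

A row reported as NOT SET means the option falls back to its default, for example the minimum length of 5 mentioned under Signon Password Length.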
Apart from this, the customer should monitor the list of users who have powerful responsibilities like GL super user, System Administrator etc and reduce such users as far as possible.
Lastly, inactive users should be locked in the system if they have not logged in during the last 3-6 months.
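Both reviews described above can be run as read-only queries against the FND tables. This is an added example, not part of the original article; the two responsibility names and the 'US' language code are assumptions to adjust for your instance, and the 3-month cutoff is the lower bound of the range given above.

```sql
-- Added example (read-only). Assumes the standard FND tables.

-- 1) Active users who currently hold a powerful responsibility.
--    The responsibility names below are assumed; replace them with
--    the names used on your instance.
SELECT rt.responsibility_name,
       u.user_name,
       u.last_logon_date
FROM   fnd_user_resp_groups  g
JOIN   fnd_user              u
       ON  u.user_id = g.user_id
JOIN   fnd_responsibility_tl rt
       ON  rt.responsibility_id = g.responsibility_id
       AND rt.application_id    = g.responsibility_application_id
WHERE  rt.language = 'US'
AND    rt.responsibility_name IN ('System Administrator',
                                  'General Ledger Super User')
AND    NVL(g.end_date, SYSDATE + 1) > SYSDATE   -- assignment still active
AND    NVL(u.end_date, SYSDATE + 1) > SYSDATE   -- user still active
ORDER  BY rt.responsibility_name, u.user_name;

-- 2) Active users with no logon in the last 3 months.
--    Users who have never logged on are judged by their creation date.
--    Review seeded and service accounts in the result before locking.
SELECT u.user_name,
       u.last_logon_date,
       u.creation_date
FROM   fnd_user u
WHERE  NVL(u.end_date, SYSDATE + 1) > SYSDATE
AND    NVL(u.last_logon_date, u.creation_date) < ADD_MONTHS(SYSDATE, -3)
ORDER  BY u.last_logon_date NULLS FIRST, u.user_name;
```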
Other guidelines for DBAs:
- Do Not Allow Shared Accounts
- Do Not Use Generic Passwords
- Treat All Non-Production Instances With The Same Security As Production
- Restrict Network Access - Set Password on Database Listener
- Minimize Passwords Contained In OS Files
- Secure Default Database Accounts
- Be Proactive!
- Apply all prior, and plan in advance to apply any new Oracle Security Patches
- Limit Access To Forms Allowing SQL Entry
- Stop isqlplus process on server side (if started)
- Restrict Network Access - Limit Direct Access To The Database
- Change the passwords at least once in 3 months