
APPS Blogs

Deploying OAM in high availability across data centres in an Active-Active cluster: New Feature in OAM 11gR2 PS2

Online Apps DBA - Tue, 2014-02-04 17:17
I discussed IAM (OAM, OIM, OES, OAAM) 11gR2 PS2 (11.1.2.2) availability here and the changes introduced in the installation of 11gR2 PS2 (11.1.2.2) here. In this post I am going to cover a new feature introduced in Oracle Access Manager, i.e. deploying OAM in high availability (Active-Active) across data centres. For a list of all the new features introduced [...]

This is a content summary only. Visit my website http://onlineAppsDBA.com for full links, other content, and more!
Categories: APPS Blogs

Oracle E-Business Suite PCI Compliance

The next few blog postings will focus on PCI and the Oracle E-Business Suite. All Oracle E-Business Suite implementations that "store, process, or transmit cardholder data" must comply with the Payment Card Industry (PCI) Data Security Standard (DSS), regardless of size or transaction volume. PCI DSS is a set of stringent security requirements for networks, network devices, servers, and applications; it spells out specific configuration and policy requirements, and all of them are mandatory. Although PCI DSS is focused on securely handling credit card data, it also places significant emphasis on general IT security controls.

To meet PCI DSS requirements, even where credit card processing is only a minor feature of the application, the entire application installation and the entire supporting environment must be fully compliant. In a large global implementation that also includes financials, manufacturing, projects, sales/CRM or human resources, PCI compliance can be a daunting endeavour, and it will affect the operation and management of the non-card-processing modules as well as the underlying environment.

Basic Guidelines for PCI DSS
  • Do not store sensitive authentication data
  • Do not store cardholder data unless it is absolutely necessary
  • Use strong cryptography to render any cardholder data you do store unreadable
  • Do not permit unauthorized people to access stored cardholder data
  • Understand the data flow for the entire transaction process

How do you know if PCI is enabled?

The Oracle E-Business Suite’s standard functionality for meeting PCI requirements is disabled by default and must be enabled manually. The following quick check confirms whether one of the basic configurations, credit card encryption in Oracle Payments, is turned on. If the select statement below returns ‘None’, credit card encryption is not enabled. If it returns ‘SCHEDULED’ or ‘IMMEDIATE’, encryption, and therefore at least part of the PCI configuration, is enabled. For further information please refer to our whitepaper in the link below.

select cc_encryption_mode
from iby.iby_sys_security_options;

In the next blog posting we will review a common question with regard to Corporate Cards, PCI compliance and the E-Business Suite.

If you have questions, please contact us at info@integrigy.com

 -Michael Miller, CISSP-ISSMP

Tags: Compliance, PCI, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Adding Temp File in Temporary tablespace ORA-01652: unable to extend temp segment by 128 in tablespace

Online Apps DBA - Sat, 2014-02-01 16:04
I recently encountered the issue ORA-01652: unable to extend temp segment by 128 in tablespace DEV_IAS_TEMP during an application upgrade, which is self-explanatory. If you hit the above error then check v$sort_segment: SQL> SELECT TABLESPACE_NAME, TOTAL_BLOCKS, USED_BLOCKS, FREE_BLOCKS FROM V$SORT_SEGMENT; Output in my case: TABLESPACE_NAME TOTAL_BLOCKS USED_BLOCKS FREE_BLOCKS...

Categories: APPS Blogs

Oracle E-Business Suite PCI DSS Credit Card Encryption

PCI requirement 3.4 mandates that the Primary Account Number (PAN) be rendered unreadable anywhere it is stored, for example with one-way hashes, truncation or strong encryption. Oracle E-Business Suite Release 12 meets this requirement first by centralizing cardholder data in the Secure Payments Repository and then applying strong encryption to it.

Oracle Payments offers two independent choices: full or partial encryption, and immediate or scheduled encryption. Which options are selected should be the outcome of discussions with legal counsel, compliance and risk management.

Partial encryption encrypts only the PAN. Full encryption encrypts the PAN together with the cardholder name and card expiration date, which the documentation refers to as supplemental data.

Immediate encryption encrypts cardholder data as it is written to the database. Scheduled encryption leaves cardholder data in the clear until a concurrent request is run, manually or on a schedule, to encrypt it; in the meantime the cleartext PAN is in the database and in any backup or export taken from it. Integrigy Corporation strongly recommends using only immediate encryption.

Specifically, to meet requirement 3.4, Oracle Payments uses a chained encryption key approach with the Triple Data Encryption Algorithm (TDEA, Triple DEA, TDES or 3DES) symmetric-key block cipher. A system master key is used to encrypt sub-keys. This master key is stored in the Oracle Payments wallet (cwallet.sso).

The sub-keys are system generated, 156 bits long according to the Oracle documentation, and are encrypted with 3DES using the master key. The encrypted sub-keys are stored in the table IBY.IBY_SYS_SECURITY_SUBKEYS.

Cardholder data collected by the Secure Payments Repository is stored in the table IBY.IBY_CREDITCARD. When encryption is enabled, the records in IBY.IBY_CREDITCARD are flagged as encrypted and the PCI cardholder data itself is moved to the table IBY.IBY_SECURITY_SEGMENTS.

Cardholder data in IBY.IBY_SECURITY_SEGMENTS is encrypted under the 156-bit sub-keys with 3DES, performed by the standard Oracle package DBMS_OBFUSCATION_TOOLKIT. A 156-bit key is longer than the double-length (two-key, 112-bit effective) 3DES key that PCI DSS sets as the minimum; note, though, that 156 bits matches neither standard 3DES key size (two-key or three-key), so confirm the exact figure against the Oracle Payments documentation for your release. It is also worth noting that the E-Business Suite still uses the DBMS_OBFUSCATION_TOOLKIT package, which Oracle deprecated in favour of DBMS_CRYPTO as of Oracle Database 10g Release 1.
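As an added example, not code from this post, the earlier PCI post, Integrigy or Oracle, here is the one-line encryption-mode check from the earlier post extended into a short audit script over the Oracle Payments tables just described. The table names IBY_SYS_SECURITY_OPTIONS, IBY_SYS_SECURITY_SUBKEYS, IBY_CREDITCARD and IBY_SECURITY_SEGMENTS come from the posts; the ENCRYPTED column on IBY_CREDITCARD and the spelling of the mode values are assumptions to verify against the Oracle Payments data model for your release.

```sql
-- Added audit script, not Integrigy's or Oracle's code. Run as APPS, or as a
-- read-only account granted SELECT on the IBY tables. Table names are the
-- ones the posts describe; items marked ASSUMED must be verified against
-- the Oracle Payments data model for your release before you rely on them.

-- 1. Encryption mode. Anything other than IMMEDIATE means PAN can sit in the
--    clear: NONE permanently, SCHEDULED until the encryption request runs.
--    (Spelling/casing of the mode values is ASSUMED.)
SELECT cc_encryption_mode
FROM   iby.iby_sys_security_options;

-- 2. Key chain. With encryption on, at least one 3DES-wrapped sub-key must
--    exist here; zero rows together with a non-NONE mode is a broken setup.
SELECT COUNT(*) AS subkey_count
FROM   iby.iby_sys_security_subkeys;

-- 3. Card rows grouped by their encrypted flag (ENCRYPTED column ASSUMED,
--    'Y' = data moved to IBY_SECURITY_SEGMENTS). Rows not flagged 'Y' still
--    hold cardholder data in IBY_CREDITCARD itself.
SELECT NVL(encrypted, 'N') AS encrypted_flag,
       COUNT(*)            AS card_rows
FROM   iby.iby_creditcard
GROUP  BY NVL(encrypted, 'N');

-- 4. Cross-check: segment rows must exist whenever any card is flagged
--    encrypted; an encrypted_cards count with zero segment_rows means the
--    flag and the data have drifted apart and needs investigation.
SELECT (SELECT COUNT(*) FROM iby.iby_security_segments)                AS segment_rows,
       (SELECT COUNT(*) FROM iby.iby_creditcard WHERE encrypted = 'Y') AS encrypted_cards
FROM   dual;
```

Run the script after every change of encryption mode and after a wallet rotation. Under IMMEDIATE mode, any rows in step 3 not flagged 'Y' are the population to investigate, typically data written before encryption was enabled, which still needs the encryption concurrent request to process it.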

Remember to Rotate Wallet Keys Annually

PCI requirement 3.6 requires that encryption keys be rotated on a regular basis, at a minimum annually. This means that the Oracle Payments wallet key needs to be rotated. Changing the wallet password does not change the key. Rotating the wallet key for Oracle Payments requires that an entirely new wallet be created and the old wallet destroyed (both the *.p12 and the *.sso files) through a secure wipe – not just deleted from the file system.

Further Information

For further information on PCI compliance, Corporate Cards and the E-Business Suite please refer to our whitepaper in the link below.

If you have questions, please contact us at info@integrigy.com

- Michael Miller, CISSP-ISSMP

Tags: Encryption, PCI, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Risk of Information Leakage from the Oracle E-Business Suite - Validation Levels

Through parameter and URL tampering an attacker, or a nefarious insider, can manipulate or construct URLs to expose information or to circumvent Oracle E-Business Suite functionality, including parts of application security. Several profile options provide defense in depth against cross-site scripting (XSS), HTML injection, and parameter and URL tampering. Setting these profile options to the recommended values below will help reduce your information leakage risk.

If you have questions, please contact us.

Profile Option                  Default Value                 Recommended Value
FND: Validation Level           Error (as of R12)             Error (cannot be changed in R12.2)
FND: Function Validation Level  Error (as of 11.5.10 CU10)    Error (cannot be changed in R12.2)
Framework Validation Level      Error (as of 11.5.10 CU10)    Error (cannot be changed in R12.2)
Restricted Text Input           Yes                           Yes
FND: Fixed Key Enabled          Null                          Yes
FND: Fixed Key                  None                          Yes, only at User level

References
  • Secure Configuration of Oracle E-Business Suite Profiles (MOS Doc ID 946372.1)
  • Oracle Application Framework Profile Options (MOS Doc ID 1107970.1)
Tags: Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Oracle IAM installation changes in 11gR2 PS2 (11.1.2.2)

Online Apps DBA - Thu, 2014-01-30 14:52
I mentioned the availability of Oracle Identity & Access Management version 11gR2 PS2 (11.1.2.2). This post covers changes in installation from previous versions of these components (OIM, OAM, OAAM, OES, OPAM), i.e. a) 11gR1 – 11.1.1.3, 11.1.1.5, 11.1.1.7 b) 11gR2 – 11.1.2.0, 11.1.2.1. Installation steps are more or less the same as for 11gR1 or 11gR2 (including [...]

Categories: APPS Blogs

Risk of Information Leakage from the Oracle E-Business Suite – Attached Files

Attached files are an information leakage risk for the Oracle E-Business Suite. There are two sources, and the second is not commonly recognized.

The first source is straightforward. Users of the E-Business Suite are free to upload and attach files with whatever content they choose. Nothing prevents a user from attaching a file containing confidential information such as credit card or social security numbers, other than business policy backed by security awareness training. For this reason, the leakage risk from attached files is best mitigated by purging attached files on a regular basis.

The second source is less obvious: besides attachments, the Oracle E-Business Suite also retains file exports in the same table as attachments, and those exports carry the same leakage risk. For example, if your Human Resources department regularly exports to Excel from Forms, you will likely have a large number of export files, and given the nature of HR data, they almost certainly contain sensitive information.

By design, attached files in the Oracle E-Business Suite have to be purged, and it is the attachment purge process that also removes the export files. Many organizations, however, do not purge attachments regularly. Integrigy’s security assessment services can assist with scanning your attached files for sensitive data.
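As an added example (not Integrigy’s code and not part of the original post), two queries that size up what the Generic File Manager table FND_LOBS currently holds, so you can see how much attachment and export data is waiting for a purge. FND_LOBS is the table that the "Purge Obsolete Generic File Manager Data" program covered by MOS note 1165208.1 cleans out; the column names used here follow the R12 data model as commonly documented, and the PROGRAM_NAME value 'export' used to single out Forms exports is an assumption to confirm on your own instance.

```sql
-- Added example, not Integrigy's or Oracle's code. Profiles what sits in
-- FND_LOBS, the Generic File Manager table that holds both user attachments
-- and Forms export files. Column names are taken from the R12 data model as
-- commonly documented; the PROGRAM_NAME values that distinguish exports from
-- attachments are ASSUMED and should be checked first with:
--   SELECT DISTINCT program_name FROM applsys.fnd_lobs;

-- 1. Volume per originating program: how many files, how big, how old, and
--    how many are already past their expiration date but still present
--    (i.e. the purge program has not been run).
SELECT program_name,
       COUNT(*)                                                   AS files,
       ROUND(SUM(DBMS_LOB.GETLENGTH(file_data)) / 1024 / 1024, 1) AS total_mb,
       MIN(upload_date)                                           AS oldest_upload,
       SUM(CASE WHEN expiration_date < SYSDATE THEN 1 ELSE 0 END) AS expired,
       SUM(CASE WHEN expiration_date IS NULL  THEN 1 ELSE 0 END) AS never_expire
FROM   applsys.fnd_lobs
GROUP  BY program_name
ORDER  BY files DESC;

-- 2. Old Forms export files: the leakage candidates the post describes. They
--    are cut straight from Forms queries (HR data included) and only leave
--    when the purge program removes them.
SELECT file_id, file_name, file_content_type, upload_date, expiration_date
FROM   applsys.fnd_lobs
WHERE  program_name = 'export'          -- ASSUMED marker for Forms exports
AND    upload_date  < SYSDATE - 30
ORDER  BY upload_date;
```

A large never_expire count for the attachment program, or any sizeable 'export' population in the second query, is the concrete evidence to bring to the discussion about scheduling the purge program regularly.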

If you have any questions about this or Oracle E-Business Security, please contact us at info@integrigy.com

 -Michael Miller, CISSP-ISSMP

References
  • Questions on Purge Obsolete Generic File Manager Data (MOS Doc ID 1165208.1)
  • Purging Strategy for eBusiness Suite 11i (MOS Doc ID 732713.1)
Tags: Sensitive Data, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

Risk of Information Leakage from the Oracle E-Business Suite - Diagnostics

It is rare to find customers who are not using Diagnostics to support their Oracle E-Business Suite. However, Diagnostics is commonly overlooked as a source of information leakage. By design, Diagnostics should not be enabled in production, or if it is, it should be enabled only at the user level and for a limited period of time. If your non-production instances have DMZ nodes, then the same advice applies.

Setting the profile option ‘FND: Diagnostics’ from its default of ‘No’ to ‘Yes’ causes a Diagnostics global button to be rendered on every page and the ‘About This Page’ link to appear at the bottom of every OA Framework page. With Diagnostics enabled, configuration data, diagnostic messages and other log output are displayed to anyone who clicks the button or link. This information should only be shown to appropriately privileged and trusted personnel. Making Diagnostics globally available to all users, including external DMZ users such as those of iStore and iRecruitment, is not a best practice.

What is not commonly understood is that the Diagnostics profile option setting changes the behavior of several purpose-built diagnostic and monitoring pages shipped with the E-Business Suite. These pages provide large amounts of information on critical configurations and system performance and are intended only to be used by system and database administrators. While arguably these monitoring and diagnostics pages should be protected by the Oracle EBS URL Firewall (if enabled and properly configured), and may be obscure, they may be known to somebody attempting to attack you from the outside or an insider with nefarious purposes. These pages should not be accessible by general users and certainly not by anonymous Internet users. Turning Diagnostics off greatly reduces, if not completely disables, access to these diagnostics pages. This is another reason that best practice is to set Diagnostics off and only enable at the user level as needed.

How do you know if Diagnostics is enabled?
  • Check your system profile option ‘FND: Diagnostics’. It should be set to ‘No’ at the Site level.
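As an added example, not code from this post, from the validation-levels post earlier on this page, or from Integrigy, here is one query that reports the ‘FND: Diagnostics’ setting together with the validation-level profile options listed in that earlier post, at every level at which each option has a value. It uses the standard FND profile tables (FND_PROFILE_OPTIONS, FND_PROFILE_OPTIONS_TL, FND_PROFILE_OPTION_VALUES and FND_USER); the profile option names in the IN list are taken from the two posts as written, so trim or extend the list to suit.

```sql
-- Added example, not Integrigy's or Oracle's code. Shows, for each profile
-- option named in the two posts, the value set at every level, including
-- the user-level overrides that the Diagnostics post says should be the
-- only place 'FND: Diagnostics' is ever 'Yes' in production.
-- Level IDs: 10001 Site, 10002 Application, 10003 Responsibility,
-- 10004 User, 10005 Server, 10006 Organization, 10007 Server+Responsibility.
-- The outer join keeps options that have no value at any level (they show
-- as "(not set at any level)"), which is how a Null default looks.
SELECT tl.user_profile_option_name                               AS profile_option,
       DECODE(v.level_id, 10001, 'Site',
                          10002, 'Application',
                          10003, 'Responsibility',
                          10004, 'User',
                          10005, 'Server',
                          10006, 'Organization',
                          10007, 'Server+Resp',
                          NVL(TO_CHAR(v.level_id), '(not set at any level)')) AS level_name,
       CASE v.level_id
         WHEN 10004 THEN (SELECT u.user_name           -- resolve user-level
                          FROM   applsys.fnd_user u    -- overrides to a name
                          WHERE  u.user_id = v.level_value)
         ELSE TO_CHAR(v.level_value)
       END                                                       AS level_value,
       v.profile_option_value                                    AS current_value,
       v.last_update_date
FROM   applsys.fnd_profile_options       o,
       applsys.fnd_profile_options_tl    tl,
       applsys.fnd_profile_option_values v
WHERE  tl.profile_option_id     = o.profile_option_id
AND    tl.language              = 'US'
AND    v.profile_option_id (+)  = o.profile_option_id
AND    tl.user_profile_option_name IN (
         'FND: Diagnostics',               -- expect 'No' at Site
         'FND: Validation Level',          -- expect 'Error'
         'FND: Function Validation Level', -- expect 'Error'
         'Framework Validation Level',     -- expect 'Error'
         'Restricted Text Input',          -- expect 'Yes'
         'FND: Fixed Key Enabled',         -- expect 'Yes'
         'FND: Fixed Key')
ORDER  BY tl.user_profile_option_name, v.level_id, v.level_value;
```

Read the output top down per option: the Site row is the baseline, and every User row under ‘FND: Diagnostics’ is an override that should correspond to a current, time-boxed support need rather than a setting someone left behind.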

If you have questions, please contact us.

Categories: APPS Blogs, Security Blogs

How to debug OID : LDAP Error code 50 – Insufficient Access Rights

Online Apps DBA - Fri, 2014-01-24 06:23
I recently configured access control in OID to grant READ/WRITE access on one of the OUs in OID to a group. This post covers steps to debug access control issues (READ/DELETE/MODIFY) in OID. If you encounter “Insufficient Access Rights” in OID then enable debug in OID (set orcldebugflag to 8192 and orcldebugop to 8 on the OID [...]

Categories: APPS Blogs

Risk of Information Leakage from the Oracle E-Business Suite

The Oracle E-Business Suite provides a large number of diagnostic and monitoring solutions. While these solutions offer comprehensive and in-depth information about your implementation, they can also be the source of serious information leakage. Especially if you have Internet-facing applications such as iStore, iSupplier or iRecruitment, you need to secure your implementation against accidental information leakage and give anyone who might want to attack you as little information as possible.

URL Firewall

If you are running the E-Business Suite with a DMZ, such as for iStore or iSupplier, you must use the URL firewall. If you don’t, you will be exposing your implementation to serious security risks and leaking large amounts of information.

The Oracle E-Business Suite automatically installs all 250+ modules and all related web pages.  Even though many of these modules are not selected to be installed, licensed, or configured, the web pages are nevertheless installed and accessible.  In order to block these 15,000+ web pages when deploying Oracle E-Business Suite in a DMZ, Oracle developed the URL firewall.  The URL firewall is a whitelist of permitted web pages and is enabled through autoconfig.

How to know if your URL Firewall is running
  • Review your AutoConfig context for the variable s_enable_urlfirewall: if its value is ‘#’, the URL firewall is off. Integrigy also recommends reviewing the Apache httpd.conf files on each server in your DMZ to ensure that the URL firewall configuration is actually being included.

Integrigy's AppDefend, our Web Application Firewall optimized for Oracle E-Business Suite, provides another layer of security to block unused modules like the URL Firewall, but also provides real-time protection from web application vulnerabilities like SQL injection and cross-site scripting (XSS) and blocks Oracle Critical Patch Update vulnerabilities.

If you have questions, please contact us.

Tags: DMZ/External, Oracle E-Business Suite
Categories: APPS Blogs, Security Blogs

OAM 10g integration with Cisco Prime Service Catalog

Online Apps DBA - Wed, 2014-01-22 15:05
I got an opportunity to integrate the Cisco Prime Service Catalog 10.1 application with Oracle Access Manager 10g. FYI: OAM 10g is not certified with the Cisco Prime Service Catalog product for SSO integration. Here is the requirement: there are a lot of applications in the organization which are integrated with OAM 10g for SSO. Cisco Prime Service [...]

Categories: APPS Blogs

OIA cluster deployment for High Availability in Active-Active Cluster

Online Apps DBA - Tue, 2014-01-21 19:45
I discussed Oracle Identity Analytics (OIA) installation here. In this post I am going to cover key points when deploying OIA in a cluster for High Availability (Active-Active). Note: this post assumes that you are familiar with deploying OIA on a single node, and the steps here are only specific to cluster configuration. 1. OIA is a [...]

Categories: APPS Blogs

Oracle IAM 11gR2 PS2 (11.1.2.2) is now available : Software download & Documentation

Online Apps DBA - Fri, 2014-01-17 05:21
Oracle Identity & Access Management (IAM) 11gR2 PS2 (11.1.2.2) is now available to download here   Following IAM products are available as part of 11gR2 PS2 Oracle Identity Manager (OIM) Oracle Access Manager (OAM), OAM SDK, WebGates Oracle Entitlement Server (OES) & Security Modules (OES SM) Oracle Adaptive Access Manager (OAAM) Oracle Privileged Account Manager (OPAM) Oracle [...]

Categories: APPS Blogs

WebLogic Admin Server Start Up hangs at ‘Log Management’ BEA-170019 IIOP subsystem enabled

Online Apps DBA - Wed, 2014-01-15 16:19
I earlier discussed WebLogic Server startup hanging at “Initializing self-tuning thread pool”; in today’s post I cover the fix for a WebLogic Server hang, this time while writing ‘Log File‘ and ‘IIOP subsystem enabled‘ in the server logs. I verified disk space (not 100%), enough space in /tmp, and that the O.S. user was able to write to [...]

Categories: APPS Blogs

Working with Access Server SDK 10.1.4.3 and OAM 10g

Online Apps DBA - Tue, 2014-01-14 18:27
Hi All, I wrote a post earlier about working with 10g Access Gates using Oracle Access Manager 11g. Today I would like to give insights into the implementation of 10g Access Gates using Oracle Access Manager 10g. Access Server SDK 10g is used for Access Gates where out-of-the-box WebGates are not available for [...]

Categories: APPS Blogs

Auditing in Oracle Entitlement Server (OES) 11g

Online Apps DBA - Tue, 2014-01-14 18:06
This post covers everything you must know about auditing in Oracle Entitlement Server (OES). With auditing enabled in OES, you can get information like who did what, when, and how (policy modification, GRANT/DENY of a resource, etc.). 1. Auditing in OES is based on the Fusion Middleware Audit Framework and is DISABLED by default. 2. OES consists of OES Administration [...]

Categories: APPS Blogs

Error in OWSM after setting subject precedence (Context Switching): Exception oracle.security.jps.service.credstore.Credential Access

Online Apps DBA - Mon, 2014-01-13 18:54
I recently configured SAML Identity Switching by setting subject.precedence=false in the OWSM policy protecting a Web Service. This post covers the error encountered after configuring Context Switching (subject.precedence) in an OWSM policy. For Identity Switching to work you must set permission for the class oracle.wsm.security.WSIdentityPermission as described here. If you don’t set the permission you will see an error like: access denied...

Categories: APPS Blogs

11.5.10 Sustaining Support - Security Patches Through October 2015

As of December 1, 2013, Oracle E-Business Suite 11.5.10 moved into Sustaining Support. Normally, Oracle Sustaining Support does not include security fixes in the form of Critical Patch Updates. For 11.5.10, however, there is an exception until December 2015: Severity 1 fixes, payroll/1099 updates, and Critical Patch Updates will remain available.

Oracle E-Business Suite Critical Patch Updates (CPU) will be available for 11.5.10 up to and including the October 2015 CPU.  No Oracle E-Business Suite CPUs or security fixes will be released after the October 2015 CPU.  In order to continue applying security patches after October 2015, you will need to upgrade to at least Oracle E-Business Suite 12.1.  CPU support for 12.0 will end January 2015 with the end of Extended Support.

CPUs for the Oracle E-Business Suite database depend on the database version in use; currently CPUs are only available for 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1. The 11.5.10 application server, which is very old and basically on life support, was last patched in the October 2012 CPU.

Tags: Oracle E-Business Suite, Oracle Critical Patch Updates
Categories: APPS Blogs, Security Blogs

weblogic.store.PersistentStoreFatalException: The persistent file store "WLS_DIAGNOSTICS" cannot open file WLS_DIAGNOSTICS000000.DAT

Vikram Das - Tue, 2014-01-07 20:47
After bouncing an EBS R12.2 VM, weblogic adminserver wouldn't start up.

I examined $EBS_DOMAIN_HOME/servers/AdminServer/logs/AdminServer.log and found this error:

BEA-280060 - The persistent store "WLS_DIAGNOSTICS" encountered a fatal error, and it must be shut down: weblogic.store.PersistentStoreFatalException: [Store:280105]The persistent file store "WLS_DIAGNOSTICS" cannot open file WLS_DIAGNOSTICS000000.DAT.
weblogic.store.PersistentStoreFatalException: [Store:280105]The persistent file store "WLS_DIAGNOSTICS" cannot open file WLS_DIAGNOSTICS000000.DAT.
        at weblogic.store.io.file.FileStoreIO.open(FileStoreIO.java:128)
        at weblogic.store.internal.PersistentStoreImpl.recoverStoreConnections(PersistentStoreImpl.java:435)
        at weblogic.store.internal.PersistentStoreImpl.open(PersistentStoreImpl.java:423)
        at weblogic.store.xa.PersistentStoreManagerXA.createFileStore(PersistentStoreManagerXA.java:117)
        at weblogic.diagnostics.archive.DiagnosticStoreRepository.getStore(DiagnosticStoreRepository.java:91)
        at weblogic.diagnostics.lifecycle.ArchiveLifecycleImpl.initialize(ArchiveLifecycleImpl.java:94)
        at weblogic.diagnostics.lifecycle.DiagnosticFoundationService.start(DiagnosticFoundationService.java:108)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: java.io.IOException: Error from fcntl() for file locking, Resource temporarily unavailable, errno=11
        at weblogic.store.io.file.direct.DirectIONative.openConsiderLock(Native Method)
        at weblogic.store.io.file.direct.DirectFileChannel.<init>(DirectFileChannel.java:54)
        at weblogic.store.io.file.direct.DirectIOManager.open(DirectIOManager.java:179)
        at weblogic.store.io.file.StoreFile.openInternal(StoreFile.java:138)
        at weblogic.store.io.file.StoreFile.open(StoreFile.java:161)
        at weblogic.store.io.file.Heap.openStoreFile(Heap.java:401)
        at weblogic.store.io.file.Heap.open(Heap.java:325)
        at weblogic.store.io.file.FileStoreIO.open(FileStoreIO.java:117)
        at weblogic.store.internal.PersistentStoreImpl.recoverStoreConnections(PersistentStoreImpl.java:435)
        at weblogic.store.internal.PersistentStoreImpl.open(PersistentStoreImpl.java:423)
        at weblogic.store.xa.PersistentStoreManagerXA.createFileStore(PersistentStoreManagerXA.java:117)
        at weblogic.diagnostics.archive.DiagnosticStoreRepository.getStore(DiagnosticStoreRepository.java:91)
        at weblogic.diagnostics.lifecycle.ArchiveLifecycleImpl.initialize(ArchiveLifecycleImpl.java:94)
        at weblogic.diagnostics.lifecycle.DiagnosticFoundationService.start(DiagnosticFoundationService.java:108)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

A search on support.oracle.com for these keywords resulted in this hit:

E-WL: WebLogic Fails to Start with Error: “The persistent store "WLS_DIAGNOSTICS" encountered a fatal error, and it must be shut down: weblogic.store.PersistentStoreFatalException" (Doc ID 859622.1)

WORKAROUNDS:
1. This is a recurrent workaround. This workaround has to be applied every time the server(s) will be restarted.

Delete the *.dat file under
$PS_HOME\webserv\domain\servers\PIA (or WebLogicAdmin)\data\store\default\ and $PS_HOME\webserv\domain\servers\PIA (or WebLogicAdmin)\data\store\diagnostics\
  
Specifically for EBS R12.2 I did this:

cd $EBS_DOMAIN_HOME/servers/AdminServer/data/store/default
rm *.DAT
cd $EBS_DOMAIN_HOME/servers/AdminServer/data/store/diagnostics
rm *.DAT

adadminsrvctl.sh start

After keying in apps, system and weblogic passwords, it finally started up.

Have to see if this is a recurrent workaround or fixes the issue for good.

Categories: APPS Blogs

OIM Administrators : Is your OIM database Growing ? Do you purge enough ?

Online Apps DBA - Mon, 2014-01-06 11:39
If you manage Oracle Identity Manager (OIM is identity management and account provisioning software and is part of the Oracle Identity Management Suite) and you see the OIM database growing, then this post is for you. This post covers the types of data in the OIM database (OIM purge in detail to follow soon). In Oracle Identity [...]

Categories: APPS Blogs