This presentation is about how System Administrators and/or Oracle Apps DBAs can improve and meet user authentication security standards in Oracle E-Business Suite by using Oracle Access Manager integration and it's password policy management. We will talk about: - Current Oracle E-Business Suite password security limitations. - Implementation of password policy management in Oracle Access Manager releases. Comparing the capabilities and why you should upgrade your OAM to the latest 11gR2. - A use case example of most common configuration. - Demo.

1. Password Policies in
Oracle Access Manager
How to improve user authentication security
for your Oracle E-Business Suite.
ANDREJS PROKOPJEVS
Lead Applications Database Consultant

2. About me
© 2016 Pythian 2
Apps DBA from Riga, Latvia.
Speaking SQL since 2001.
In Oracle world since 2004.
“In love” with Oracle EBS since 2006.
Andrejs Prokopjevs
Lead Applications Database Consultant
At Pythian since 2011
@aprokopjevs
prokopjevs@pythian.com
https://www.pythian.com/blog/author/prokopjevs/

3. ABOUT PYTHIAN
Pythian’s 400+ IT professionals
help companies adopt and
manage disruptive technologies
to better compete
© 2016 Pythian 3

4. TECHNICAL EXPERTISE
© 2016 Pythian 4
Infrastructure: Transforming and
managing the IT infrastructure
that supports the business
DevOps: Providing critical velocity
in software deployment by adopting
DevOps practices
Cloud: Using the disruptive
nature of cloud for accelerated,
cost-effective growth
Databases: Ensuring databases
are reliable, secure, available and
continuously optimized
Big Data: Harnessing the transformative
power of data on a massive scale
Advanced Analytics: Mining data for
insights & business transformation
using data science

5. Systems currently
managed by Pythian
EXPERIENCED
Pythian experts
in 35 countries
GLOBAL
Millennia of experience
gathered and shared over
19 years
EXPERTS
11,800 2400
© 2016 Pythian 5

6. Agenda
• Why this is important?
• Password policy limitations in Oracle E-Business Suite.
• Implementation of password policy management in OAM. Why 11gR2.
• An example of most common configuration.
• Demo.
© 2016 Pythian 6

7. Why this is important?
© 2016 Pythian 7

8. Why this is important?
• #1 - We now live in the “cloud” era.
• Less people / organizations are storing their sensitive data in the isolated local segment.
• Cloud services (SaaS / PaaS)
• And the shift is still only at the beginning point.
© 2016 Pythian 8

9. Why this is important?
• #2 – Today’s Hardware capacity.
• With modern CPU chip power it takes “seconds” to break your weak password.
• Standard dictionary word password: hours / days / weeks online, seconds offline.
• At least 10 characters with special characters: centuries online, years offline.
• Any idea how these statistics will change in next 5-10 years?
© 2016 Pythian 9

10. Why this is important?
• #3 – Social Engineering.
• One of the most dreadful security concerns today.
© 2016 Pythian 10

11. Why this is important?
• Few examples:
• August 2014 – iCloud famous 10+ celebrity photo leak.
• May 2016 - 100 million LinkedIn member emails and password hashes leaked in 2012.
• August 2016 - 68 million Dropbox logins and password hashes leaked in 2012.
• September 2016 - at least 500 million Yahoo accounts, leak dates back to late 2014.
• October 2016 - AdultFriendFinder - 339 million names, addresses and phone numbers. Stolen
data stretched back over the last 20 years.
© 2016 Pythian 11

12. Few guidelines… as a starter
• #1 – Your password is the first line of defense. It is in your power to make it
stronger.
• #2 – Today’s must-have – Two-Factor Authentication. New trend – Multi-Factor
Authentication.
• #3 – Master rule – everything that is shared online must be considered as “public”,
disregards of the “privacy rules” set.
© 2016 Pythian 12

13. Oracle E-Business Suite
© 2016 Pythian 13

14. So what’s about Oracle E-Business Suite?
• Is it somehow different?
• No, Username / Password is the same first line of defense.
• Non-vulnerable product?
• ~10-20 quarterly released security fixes via CPU patch release.
• “Isolated in my local network” doesn’t mean you are not vulnerable.
• VPN / Work From Home / Bring Your Own Device is a risk.
• Internal threat.
• We are doing bi-yearly security awareness training.
• That’s great. But it’s not a 100% guarantee, is it?
• Enforcing password policies in your organization is something that could make that guarantee
much stronger.
© 2016 Pythian 14

15. Standard password policy in Oracle E-Business Suite
• SIGNON_PASSWORD_% profile options.
© 2016 Pythian 15

16. Standard password policy in Oracle E-Business Suite
• SIGNON_PASSWORD_% profile options.
• Signon Password Case (SIGNON_PASSWORD_CASE).
▪ Case sensitivity for passwords.
• Signon Password Custom (SIGNON_PASSWORD_CUSTOM).
▪ Custom java class which enables the use of custom, client specific, password policy.
• Signon Password Failure Limit (SIGNON_PASSWORD_FAILURE_LIMIT).
▪ Max number of unsuccessful login attempts before the lockout.
• Signon Password Hard To Guess (SIGNON_PASSWORD_HARD_TO_GUESS).
▪ Enables password requirements: 1) at least one letter and at least one number 2) doesn’t contain username
3) doesn’t contain repeating characters.
• Signon Password Length (SIGNON_PASSWORD_LENGTH).
▪ Minimum length of a password.
• Signon Password No Reuse (SIGNON_PASSWORD_NO_REUSE).
▪ Number of days before reusing an earlier used password.
• With some cosmetical changes this hasn’t changed since 11i (10+ years). © 2016 Pythian 16

17. Standard password policy in Oracle E-Business Suite
• Security User Define form (FNDSCAUS).
• Password expiration.
▪ Days – password lifetime.
▪ Accesses – how many times
▪ None – no expiration.
• Password expiration is handled on a user level. There is no centralized control !!!
© 2016 Pythian 17

18. Does it look like a modern password policy of year 2016?
• Not really. 
• But we have “Signon Password Custom” available.
• Custom Java class.
• Loaded to the database.
▪ loadjava -user apps/apps -verbose -resolve -force MyCustomPasswordValidation.java
• Do I need to learn Java now and support this custom class?
• Do I need to code all these rules myself?
© 2016 Pythian 18
package oracle.apps.fnd.security;
...
if (do_a_triple_flipover_with_your_right_knee_up_shouting_chupakabra(password) == true) {
return true;
} else {
return false;
}

19. Does it look like a modern password policy of year 2016?
© 2016 Pythian 19

20. Standard password policy in Oracle E-Business Suite
• Non-reversable hash support for passwords.
• R12: New Feature: Enhance Security With Non-Reversible Hash Password (Doc ID
457166.1)
▪ Patch 21276707 - R12.1.x / R12.2.3+
▪ SHA-1 is deprecated !
▪ Patch 25430466: FND SECURITY RUP MAR-2017
© 2016 Pythian 20

21. Oracle Access Manager
© 2016 Pythian 21

22. History of the Password Policy implementation
• Oracle Single Sign-On 10g
• Password policy is controlled by Oracle Internet Directory standard password policies.
• SSO and OIDDAS pages support the UI.
• Full password lifecycle is managed, with some limitations.
• Full user management suite.
© 2016 Pythian 22

23. History of the Password Policy implementation
• Oracle Access Manager 10g
• Bound to own Identity Server only with full user management suite.
• Full password lifecycle is managed.
• Based on Oblix schema object classes and attributes.
• LDAP directory own policies should be same or weaker, or even just disabled.
• “validate_password” - only standard authentication plugin that supports the built-in password
policy management.
• 0 successful production implementations seen in the practice. Mostly because of the
customization requirements (multi domain and multi user sub-tree support, non-Oblix schema
attribute requirement, and more).
• Usually replaced with an external User Management system directly managing the LDAP
directory.
© 2016 Pythian 23

24. History of the Password Policy implementation
• Oracle Access Manager 11g Release 1
• Independed Oracle Access Manager is finally here.
• You can use most of the LDAP v3 compliant directories. No dependency on schema and
attributes.
• But... Password policy support is removed. 
• You can use LDAP directory own policies, but for OAM it is an LDAP error, which just ends with
a system error.
• Only Oracle Identity Manager (OIM) integration with OAM provides the full user management
suite, desired password policy implementation and UI support for full password lifecycle.
• $$$ 
© 2016 Pythian 24

25. History of the Password Policy implementation
• Oracle Access Manager 11g Release 2
• Same old independed OAM 11g, overall.
• But on steroids (integrated federation, mobile and social, and many more).
• Basic password policy support is back and free. 
• LDAP directory own policies should be same or weaker, or disabled.
• Oracle Identity Manager (OIM) integration with OAM is still there and provides the same “more
advanced” policy implementation with UI support for full password lifecycle, self services, and
full user management suite.
• $$$ … nothing changed
© 2016 Pythian 25

26. OAM 11gR2 native password policy – what it is?
• Most of the current modern rules are
there.
• Expiration and Lockout support.
• Provides the
“UserPasswordPolicyPlugin”
authentication plugin that can be used
with various combinations of
authentication workflow.
© 2016 Pythian 26

27. OAM 11gR2 native password policy – what it is?
• It is still based on OAM 10g Oblix schema object classes and attributes.
• But mandatory are only related to password management.
▪ obPasswordCreationDate
▪ obPasswordHistory
▪ obPasswordChangeFlag
▪ obuseraccountcontrol
▪ obpasswordexpirydate
▪ obLockoutTime
▪ obLoginTrvCount
▪ oblastsuccessfullogin
▪ oblastfailedlogin
• For user data reference – you have a choice. Usable for OAM 10g upgrade scenarios.
• It is not mandatory to pre-assign Oblix object classes to your existing user entries.
• IMPORTANT: User Identity Store configured Bind DN user must have required ACI
permissions to adjust these attributes !!! © 2016 Pythian 27

28. OAM 11gR2 native password policy – what it is NOT?
• It is NOT a complete password lifecycle management tool.
• Self service is missing: password change on-demand, forgot your password.
• Standard UI pages requires valid OAM authentication request id.
• Direct access just ends with a system error.
• Customizations is a solution.
• Login page customization is supported by both ECC and DCC.
• Password Policy page customization is supported only by DCC.
▪ ER Bug 17800099 - OAM 11G R2 : PASSWORD POLICY: NEED STEPS TO CUSTOMIZE PASWORD
SERVICE PAGES
▪ Was targeted for release 11.1.2.3.0, but it’s not there yet.
• Or implement OIM. $$$ 
© 2016 Pythian 28

29. More advantages of Oracle Access Manager
• Windows Native Authentication
• Kerberos / RADIUS
• Certificates
• Social (Google, Facebook, more)
• Multi-Factor authentication support.
• RSA (same RADIUS)
• OTP – Oracle Mobile Authenticator.
• Update: Officially Google Authenticator compliant.
© 2016 Pythian 29
Sorry Windows Mobile users…

30. Licensing
• Oracle Access Manager is separately licensed.
• Oracle E-Business Suite implementation requires an Oracle Internet Directory
(Oracle Unified Directory supported from R12.2.5 only) – again licensed separately.
• Standard pack:
▪ Oracle Directory Services Plus.
▪ Oracle Access Manager.
▪ Both are covered with Oracle Identity and Access Management Suite Plus license pack.
• Also includes Oracle Identity Manager.
▪ Database separate license is not required if used only for Metadata Repository data.
• “Extra” features of OAM requires an additional licensing.
▪ Like Mobile and Social for OTP.
© 2016 Pythian 30

31. Example of most
common configuration
© 2016 Pythian 31

32. Configuring the password policy
• OAM Console
• Application Security – Password Policy
• Full reference:
• Administrator's Guide for Oracle Access
Management
▪ 24.3.1 Password Policy Configuration Page
▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-
7850A074-9EE3-45EE-9150-5DD96B9D13CD.htm#GUID-
200E3E90-21CC-439C-BF4E-
0468CA455148__BABDBBHE
© 2016 Pythian 32

33. Configuring the password policy
• OAM Console
• Application Security – Password Policy
• Console is doing it’s own math. If something is inline, there will be a warning.
• Example: If we put value 1 into both Minimum Uppercase and Lowercase Characters fields
then Minimum Alphabetic Characters value is expected to be the sum of above.
© 2016 Pythian 33

34. User Identity Store
• OAM Console
• Configuration – User Identity Stores
• Password Management feature must be enabled.
• “Use Oblix User Schema” - if we use full Oblix schema for everything.
• If disabled, only password lifecycle attributes are in use.
• Other 4 parameters are needed to point the correct attributes to be used with “Can Include X”
policies.
© 2016 Pythian 34

35. User Identity Store
• OAM Console
• Configuration – User Identity Stores
• Do not forget about the mandatory Oblix attributes in use !
• “Bind DN” LDAP user should have WRITE permissions to manage these attributes.
• Also to add the required object classes to the user entry if found missing.
• Do not use a super user account like I do here 
© 2016 Pythian 35

36. User Identity Store
• ACI grant example (Oracle Unified Directory)
© 2016 Pythian 36
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd <<EOF
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com")(version 3.0; acl "OAM app user entry level aci
example"; allow (read,search,compare)
userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
-
add: aci
aci: (targetattr="*")(version 3.0; acl "OAM app user attribute level aci read example"; allow
(read,search,compare) userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
-
add: aci
aci: (targetattr="obPasswordCreationDate || obPasswordHistory || obPasswordChangeFlag ||
obuseraccountcontrol || obpasswordexpirydate || obLockoutTime || obLoginTrvCount ||
oblastsuccessfullogin || oblastfailedlogin || userPassword")(version 3.0; acl "OAM app user
attribute level aci write example"; allow (write)
userdn="ldap:///cn=oam_user,ou=application,dc=example,dc=com";)
EOF

37. User Identity Store
• Reminder about LDAP directory own password policy.
• Policy should be set the same or weaker.
• Or just completely disabled.
© 2016 Pythian 37

38. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Let us create new module with name “LDAP_EBS_with_password_policy”.
© 2016 Pythian 38

39. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• 3 steps to be configured:
• User Identification Step
• User Authentication Step
• User Password Status Step
▪ The one that triggers the policy.
© 2016 Pythian 39

40. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Identification Step
▪ KEY_LDAP_FILTER: default value should be (uid={KEY_USERNAME})
▪ KEY_IDENTITY_STORE_REF: your User Identity Store (OIDIdentityStore)
▪ KEY_SEARCH_BASE_URL: leave empty for plugin to use default Identity store’s User Search Base DN.
© 2016 Pythian 40

41. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Authentication Step
▪ KEY_IDENTITY_STORE_REF: your User Identity Store
(OIDIdentityStore)
▪ KEY_PROP_AUTHN_EXCEPTION: enables the propagation
of LDAP errors. Must be TRUE if password policy plugin is
used in the chain.
▪ KEY_ENABLE_AUTHN_FAILOVER and
KEY_PROP_AUTHN_LEVEL parameters are not yet
documented.
© 2016 Pythian 41

42. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Password Status Step
▪ PLUGIN_EXECUTION_MODE: this plugin can be used as a
replacement for User Authentication Plugin too, but we are
going to set it as PSWDONLY for a separate 3rd step.
▪ OBJECTCLASS_EXTENSION_SUPPORTED: must be set to
TRUE in order to automatically adjust affected user entries with
Oblix object classes.
▪ KEY_IDENTITY_STORE_REF: your User Identity Store
(OIDIdentityStore)
© 2016 Pythian 42

43. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• User Password Status Step
▪ URL_ACTION: redirection behavior between the pages, default REDIRECT_POST.
▪ NEW_USERPSWD_BEHAVIOR: action for new user entry not covered by the policy, and we will enable it
via FORCEPASSWORDCHANGE.
• Actually should be FORCECHANGEPASSWORD. Documentation bug.
• Configuring OAM Password Policy Parameter NEW_USERPSWD_BEHAVIOR To Force Password
Changes for Existing Passwords Not Working (Doc ID 1563172.1)
▪ POLICY_SCHEMA: just OAM10G, as everything is based on Oblix schema standards.
▪ CHALLENGES_SUPPORTED: this parameter is not yet documented, default FALSE.
▪ DISABLED_STATUS_SUPPORT: User Account disabled status support – TRUE.
© 2016 Pythian 43

44. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Full parameter reference
• Administrator's Guide for Oracle Access Management
▪ Table 24-8 User Password Step Details
▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-30780A11-8254-4AE3-9A15-C759C08E872D.htm#GUID-9FE10CF0-A4E7-4F7F-
81A9-859EC85AEA80__CFFEHBFJ
© 2016 Pythian 44

45. Authentication module
• OAM Console
• Application Security – Plug-ins – Authentication Modules
• Workflow
© 2016 Pythian 45

46. Configure EBS to use the new Authentication Module
• OAM Console
• Application Security – Access Manager – Authentication Schemes
• Expecting that EBS is already integrated.
• Integrating Oracle E-Business Suite Release 12.2 with Oracle Access Manager 11gR2
(11.1.2) using Oracle E-Business Suite AccessGate (Doc ID 1576425.1)
• EBSAuthScheme
• Authentication Module:
LDAP_EBS_with_password_policy
• Challenge Parameters:
OverrideRetryLimit=0
© 2016 Pythian 46

47. Testing
• Did I forget something important to mention?
• Hint:
© 2016 Pythian 47
<LIBOVD-40082> <Could not modify entry.javax.naming.directory.SchemaViolationException: [LDAP:
error code 65 - Entry cn=testuser1,ou=people,dc=example,dc=com cannot not be modified because the
resulting entry would have violated the server schema: Entry
cn=testuser1,ou=people,dc=example,dc=com violates the Directory Server schema configuration
because it includes attribute oblastsuccessfullogin which is not allowed by any of the
objectclasses defined in that entry]; remaining name 'cn=testuser1,ou=people,dc=example,dc=com'

48. LDAP directory schema extension
• We forgot Oblix schema extension.
• Reference:
• Administrator's Guide for Oracle Access Management
▪ Table 24-6 Location of Oracle-provided LDIFs for LDAP Providers
▪ https://docs.oracle.com/cd/E52734_01/oam/AIAAG/GUID-E0DF807A-6432-4261-A119-9AECAC56AD53.htm#GUID-48382B33-54CB-407D-
8CAA-2A69CDEA50FB__CFFEJEEE
• OUD example:
▪ Object classes: oblixPersonPwdPolicy and oblixorgperson
▪ Attributes: obPasswordCreationDate, obPasswordHistory, obPasswordChangeFlag, obuseraccountcontrol,
obpasswordexpirydate, obLockoutTime, obLoginTrvCount, oblastsuccessfullogin, oblastfailedlogin
© 2016 Pythian 48
ldapmodify -h localhost -p 1389 -D "cn=directory manager" -j /tmp/oud_pwd --defaultAdd
-f $OAM_HOME/oam/server/pswdservice/ldif/OUD_PWDPersonSchema.ldif

49. Summary
• Even latest R12.2.6 is not meeting today’s modern password policy standards out-
of-the-box. We can code a custom java class, but that requires Java skills, courage,
luck, and good release management process.
• Oracle Access Manager is the only certified SSO solution for EBS. It has the
support of today’s standards, but costs additional resources, is a separate
component, and is separately licensed.
• 11gR2 upgrade is highly recommended. Provides support for other more secure
authentication methods, like Multi-Factor Authentication.
• Password policy setup is well documented and quite straightforward.
• Except few nuances noted. 
© 2016 Pythian 49

50. Demo
© 2016 Pythian 50

51. THANK YOU
Q & A
© 2016 Pythian 51