OOW16 - Ready or Not: Applying Secure Configuration to Oracle E-Business Suite [CON6712]
1. Ready or Not: Applying Secure Configuration to Oracle E‐Business Suite
Eric Bing, Senior Director, Applications Product Security
Elke Phelps, Senior Principal Product Manager
Applications Technology
Oracle E‐Business Suite Development
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted
4. Oracle E‐Business Suite Secure Configuration Timeline
Releases marked on the timeline: 11i, 12.0, 12.1, 12.2, 12.2.4, 12.2.5, 12.2.6
• 5/2002 – 11i Secure Configuration Guide
• 6/2004 – 11i DMZ Configuration
• 1/2007 – 12 DMZ Configuration
• 2/2007 – 12 Secure Configuration Guide
• 9/2011 – 12.1 Secure Configuration Guide
• 9/2012 – 12.2 Secure Configuration Chapter
• 9/2012 – 12.2 Secure Configuration Check Scripts
• 5/2013 – EM Compliance Checks for EBS
• 9/2013 – 12.2 Allowed JSPs
• 9/2014 – 12.2 Secure Configuration Chapter (update)
• 9/2014 – 12.2 Allowed Redirects
• 9/2015 – Auditing Guidelines and Scripts
• 9/2016 – 12.2 Secure Configuration Console
• 9/2016 – 12.2 Secure Configuration Chapter (update)
• 9/2016 – 12.2 “Allowed” Features on in installs and upgrade
5. An analysis of researcher reported attacks against Oracle E‐Business Suite 12.2 showed that if you deployed your environment per our Secure Configuration Guidelines you would have reduced your vulnerability exposure by 77%.
Turning off products that are not used will reduce your exposure even further.
6. What’s Available Now to Assist You?
Documentation
• New content throughout the Security Administration Guide
– Secure Configuration Chapter updated
– Auditing and Logging chapter updated
– New Secure Configuration Console chapter
• Enabling TLS 1.2 MOS notes updated
• Security FAQ
Secure Configuration Console (New)
• New tool to assist with secure configuration
• Easy to see where you are out of compliance
• Enable features via the console
• Guidance is provided for features that cannot be turned on via the console
On By Default (12.2.6)
• Allowed JSPs
– Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
– Prevents access to JSPs which are not used
• Allowed Redirects
– Defines whitelist of allowed redirect destinations for Oracle E‐Business Suite 12.2
– Prevents redirects that are not listed as allowed
7. Follow Secure Deployment Recommendations
A. Stay current with patching
B. Follow secure deployment recommendations
8. How to Deploy Oracle E‐Business Suite Securely
Stay Current with Patching
• Apply Critical Patch Updates (CPUs) + Security Alerts
– Critical Patch Advisory Page: http://www.oracle.com/technetwork/topics/security/alerts‐086861.htm
– Product Security Updates (PSUs) are an option for the database
• PSUs include CPUs + other database recommended patches
• EBS customers may apply either CPUs or PSUs for the DB
• As of 12c only PSUs will be released
• Apply latest maintenance pack or release update pack
– Yes, Oracle E‐Business Suite maintenance packs and release update packs improve security as well
9. How to Deploy Oracle E‐Business Suite Securely
Follow Secure Deployment Recommendations
• Secure Configuration Guide for Oracle E‐Business Suite
– Previously known as “Best Practice” documents
– Release 12.1, MOS Doc ID 403537.1
– Release 12.2, Security Administration Guide, Secure Configuration Chapter
• Oracle E‐Business Suite Configuration in a DMZ
– Follow this guide if your Oracle E‐Business environment is internet accessible
– Release 12.1, MOS Note 380490.1
– Release 12.2, MOS Note 1375670.1
10. Secure Configuration Scripts
• Scripts are packaged as SQL and Shell scripts
– Check for updated scripts on a periodic basis
– EBSSecConfigChecks.sql – runs all (12) other SQL scripts
• Results are compiled into a single report
• Comments in the scripts often contain hints for resolution
– EBSCheckModSecurity.sh
– EBSCheckFormsBlockChar.sh
• You should perform routine configuration “Health Checks”
– Create a baseline for your environment
– Run scripts often and compare against your baseline; check for differences
MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E‐Business Suite
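The baseline-and-compare routine described on this slide, as an added Python example that is not one of Oracle's scripts. The report format it parses (one "check name: PASS|FAIL|WARN" line per check, "#" comments) and the two sample reports are constructed for the example; the real output of EBSSecConfigChecks.sql differs, so parse_report() has to be adapted to it before use.

```python
"""Baseline comparison for secure-configuration health-check results.

Added example, not one of Oracle's scripts. The report format is constructed
for illustration: one check per line, "<check name>: <PASS|FAIL|WARN>", with
"#" comments and blank lines ignored. Adapt parse_report() to the real output
of EBSSecConfigChecks.sql before pointing it at a live report.
"""
import re
from typing import Dict, List

# Constructed sample: the baseline captured right after the environment was hardened.
BASELINE_REPORT = """\
# secure configuration health check - baseline (constructed sample)
Unrestricted JSP access profile: PASS
Allowed redirects configured: PASS
Default application passwords changed: PASS
Server security enabled: PASS
Unused products disabled: WARN
"""

# Constructed sample: a later run, after an upgrade changed some settings.
CURRENT_REPORT = """\
# secure configuration health check - current run (constructed sample)
Unrestricted JSP access profile: FAIL
Allowed redirects configured: PASS
Default application passwords changed: PASS
Server security enabled: PASS
Unused products disabled: PASS
Database listener password set: FAIL
"""

_RESULT_LINE = re.compile(r"^(?P<name>[^:#]+?)\s*:\s*(?P<status>PASS|FAIL|WARN)\s*$")


def parse_report(text: str) -> Dict[str, str]:
    """Map check name -> status; reject lines that do not fit the expected format."""
    results: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _RESULT_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised report line: {raw!r}")
        results[match.group("name")] = match.group("status")
    return results


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every check by how it moved relative to the baseline."""
    common = set(baseline) & set(current)
    return {
        # passed at baseline, no longer passes: configuration drift to act on first
        "regressed": sorted(n for n in common if baseline[n] == "PASS" and current[n] != "PASS"),
        # did not pass at baseline, passes now: confirm, then refresh the baseline
        "improved": sorted(n for n in common if baseline[n] != "PASS" and current[n] == "PASS"),
        # checks that updated scripts added since the baseline was taken
        "new_checks": sorted(n for n in current if n not in baseline),
        # checks the baseline had but the current run lacks (script or parsing problem)
        "missing_checks": sorted(n for n in baseline if n not in current),
    }


def has_drift(diff: Dict[str, List[str]], current: Dict[str, str]) -> bool:
    """True when something regressed, a check disappeared, or a newly added check fails."""
    new_failing = [n for n in diff["new_checks"] if current[n] != "PASS"]
    return bool(diff["regressed"] or new_failing or diff["missing_checks"])


if __name__ == "__main__":
    base = parse_report(BASELINE_REPORT)
    now = parse_report(CURRENT_REPORT)
    diff = compare_to_baseline(base, now)
    for category, names in diff.items():
        print(f"{category}: {names}")
    print("drift detected:", has_drift(diff, now))
```

Keeping the baseline under version control and running the comparison on a schedule turns the "check for differences" step into an alert: a regressed check after an upgrade or patch is the case this slide warns about, and a newly added check that fails means the updated scripts found something the old baseline never covered.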
11. Secure Configuration Console
New
• Check – Run the checks
• Configure – Fix a configuration which is out of compliance
• Suppress – Mute checks that are not relevant to your system
• Unsuppress – Unmute previously suppressed checks
14. Oracle Enterprise Manager: Oracle E‐Business Suite Plug‐In
Compliance Rules
• Out‐of‐box security compliance checks for Oracle E‐Business Suite
• Integration with Enterprise Manager compliance framework
• Security compliance violations and trends are generated
• Real‐time observations of security compliance in your environment
15. Oracle E‐Business Suite 12.2 Data Masking Template
New
• Enterprise Manager 13c Data Masking Pack
What is data masking?
• The act of anonymizing customer, financial, or company‐confidential data to create new, legible data that retains the data's properties, such as its width, type, and format
Why mask your data?
• To protect confidential data in non‐production environments when the data is shared with non‐production users without revealing sensitive information
Production
LAST_NAME   SSN           SALARY
AGUILAR     203‐33‐3234   40,000
BENSON      323‐22‐2943   60,000
Non‐Production
LAST_NAME   SSN           SALARY
ANSKEKSL    111‐23‐1111   75,000
BKJHHEIEDK  222‐34‐1345   45,000
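What "retains the data's properties such as its width, type, and format" looks like in code, as an added Python example; this is not Oracle's Data Masking Pack or the EBS masking template. MASK_KEY is a constructed placeholder, the two production rows are the values from the slide, and the keyed-hash substitution is this example's own design choice.

```python
"""Format-preserving masking for the kind of records shown on the slide.

Added example, not Oracle's Data Masking Pack or the EBS masking template. It
demonstrates the property the slide describes: a masked value keeps the width,
type and format of the original (letters stay letters, digits stay digits,
separators such as "-" and "," stay where they were). MASK_KEY and the sample
rows are constructed for this example.
"""
import hashlib
import hmac
import string
from typing import Dict, Iterable, Iterator, List

MASK_KEY = b"constructed-demo-key"  # constructed; a real key must never travel with the masked copy

# Constructed production rows (the values shown on the slide).
PRODUCTION_ROWS: List[Dict[str, str]] = [
    {"LAST_NAME": "AGUILAR", "SSN": "203-33-3234", "SALARY": "40,000"},
    {"LAST_NAME": "BENSON", "SSN": "323-22-2943", "SALARY": "60,000"},
]


def _byte_stream(key: bytes, value: str) -> Iterator[int]:
    """Keyed, deterministic stream: equal inputs mask equally (so joins across
    tables still work), but without the key the mapping cannot be reversed."""
    block = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    while True:
        yield from block
        block = hashlib.sha256(block).digest()


def mask_value(value: str, key: bytes = MASK_KEY) -> str:
    """Replace each letter or digit with one of the same class; keep everything else.
    The modulo bias of byte % 10 / byte % 26 is acceptable for masking (it is not
    key material), so no rejection sampling is done."""
    out: List[str] = []
    rnd = _byte_stream(key, value)
    previous_was_digit = False
    for ch in value:
        if ch.isdigit():
            digit = next(rnd) % 10
            if not previous_was_digit and digit == 0:
                digit = 1 + next(rnd) % 9      # no leading zero at the start of a digit group
            out.append(string.digits[digit])
        elif ch in string.ascii_uppercase:
            out.append(string.ascii_uppercase[next(rnd) % 26])
        elif ch in string.ascii_lowercase:
            out.append(string.ascii_lowercase[next(rnd) % 26])
        else:
            out.append(ch)                      # separators and spaces define the format
        previous_was_digit = ch.isdigit()
    return "".join(out)


def mask_rows(rows: Iterable[Dict[str, str]], columns: Iterable[str],
              key: bytes = MASK_KEY) -> List[Dict[str, str]]:
    """Return copies of the rows with the named sensitive columns masked."""
    cols = set(columns)
    return [{c: (mask_value(v, key) if c in cols else v) for c, v in row.items()}
            for row in rows]


if __name__ == "__main__":
    for row in mask_rows(PRODUCTION_ROWS, ("LAST_NAME", "SSN", "SALARY")):
        print(row)
```

The masked SSN still matches the ddd-dd-dddd shape and the salary still has its thousands separator, so application code and test scripts that validate those formats keep working in the non-production copy. Because the substitution is keyed, the key has to stay in production: anyone holding it could rebuild the mapping by masking candidate values and comparing.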
17. Reduce Your Attack Surface
• Allowed JSPs
– Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
– Prevents access to JSPs which are not used
– Enables configuration of allowed JSPs to avoid unnecessary exposure
• Cookie Domain Scoping
– Provide additional protection for communication between the browser and the Oracle E‐Business Suite web tier
– Define the scope for cookie sharing to avoid unnecessary exposure
• Allowed Redirects
– Defines whitelist of allowed redirects for Oracle E‐Business Suite 12.2
– Prevents redirects that are not listed as allowed
– Enables configuration of allowed redirects to avoid unnecessary exposure
• DMZ Configuration
– Limited number of Oracle E‐Business Suite products certified for internet access
– Responsibilities available for external use only upon configuration
– URL Firewall exposes only the pages that are required
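The "allowed redirects" principle from this slide, worked through as an added Python example; this is not Oracle's implementation (E‐Business Suite ships its own redirect whitelist and configuration). The host set, the default landing path and the sample targets are constructed. The point of the example is the edge cases a whitelist of redirect destinations has to survive: protocol-relative targets, credentials in the authority part, look-alike subdomains, non-HTTP schemes, backslashes and header-injection characters.

```python
"""Validate a redirect destination against a whitelist of hosts.

Added example of the "allowed redirects" idea, not Oracle's implementation.
ALLOWED_REDIRECT_HOSTS and the sample targets are constructed.
"""
from typing import FrozenSet
from urllib.parse import urlsplit

ALLOWED_REDIRECT_HOSTS: FrozenSet[str] = frozenset({"ebs.example.com", "sso.example.com"})  # constructed


def is_allowed_redirect(target: str, allowed_hosts: FrozenSet[str] = ALLOWED_REDIRECT_HOSTS) -> bool:
    """True only for a site-relative path or an http(s) URL whose host is whitelisted."""
    if not isinstance(target, str) or not target:
        return False
    if "\r" in target or "\n" in target:
        return False                       # CR/LF in a Location value would inject response headers
    target = target.strip()
    if "\\" in target:
        return False                       # browsers may treat "\" as "/", turning "/\evil" into "//evil"
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: stays on this server. A protocol-relative "//host/.."
        # never lands here, because urlsplit puts "host" into netloc.
        return target.startswith("/")
    if parts.scheme.lower() not in ("http", "https"):
        return False                       # javascript:, data:, ftp: and friends are never redirect targets
    host = parts.hostname                  # lower-cased; userinfo ("user@") and port already stripped
    return host is not None and host in allowed_hosts


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Return the requested target when allowed, otherwise a fixed landing path (constructed default)."""
    return requested if is_allowed_redirect(requested) else default


if __name__ == "__main__":
    for candidate in ("/OA_HTML/OA.jsp?page=demo",
                      "HTTPS://EBS.EXAMPLE.COM:443/OA_HTML/OA.jsp",
                      "//evil.example.net/phish",
                      "https://ebs.example.com@evil.example.net/",
                      "https://ebs.example.com.evil.example.net/",
                      "javascript:alert(1)"):
        print(f"{candidate!r:55} -> {is_allowed_redirect(candidate)}")
```

Exact host matching is deliberate: a suffix check such as endswith("example.com") would accept ebs.example.com.evil.example.net, and a prefix check would accept the userinfo trick. Whatever the redirect is ultimately used for, logging the rejected targets gives the same kind of visibility as the access_log cross-check for JSPs.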
18. Reduce Your Attack Surface
(Same four items as slide 17: Allowed JSPs, Cookie Domain Scoping, Allowed Redirects, DMZ Configuration)
*On by default with EBS 12.2.6
19. Feature Overview of Allowed JSPs
Principles
• Reduces the attack surface of Oracle E‐Business Suite
• Defines whitelist of allowed JSPs for Oracle E‐Business Suite Release 12.2
– A whitelist is an explicit list of items that are allowed for access
• Prevents access to JSPs which are not used
• Enables configuration of actively allowed JSPs to avoid unnecessary exposure
• Allows custom JSPs to be defined in the list of allowed JSPs
20. Allowed JSPs
Configuration Overview
• Configuration Files
$OA_HTML/WEB-INF/web.xml
$FND_SECURE/allowed_jsps.conf – master configuration file
$FND_SECURE/allowed_jsps_<Family>.conf
$FND_SECURE/allowed_jsps_<Family>_<Product>.conf
– Custom configuration files may also be defined
• Profile Option
– Allow Unrestricted JSP Access
21. Overview of Configuring Allowed JSPs
On By Default in E‐Business Suite 12.2.6
1. Evaluate product family usage
2. Cross‐check restricted JSPs against access_log
3. Add custom JSPs
4. Continue to refine the list (comment out JSPs not used)
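Steps 2 to 4 above as an added Python example: it is not the txkCfgJSPWhitelist.pl tool and does not parse the real allowed_jsps*.conf syntax. The whitelist format it reads (one JSP path per line, "#" for comments and commented-out entries) is an assumption made for the example, and both the whitelist and the Common Log Format access_log lines are constructed samples. The JSP names in them are illustrative.

```python
"""Cross-check a JSP whitelist against Apache access_log entries.

Added example for steps 2-4 of the slide; it is not the txkCfgJSPWhitelist.pl
tool. The whitelist syntax used here is an assumption (one JSP path per line,
"#" comments) and does not claim to match the real allowed_jsps*.conf format.
The whitelist and the Common Log Format lines are constructed samples.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

ALLOWED_JSPS_CONF = """\
# constructed sample whitelist
/OA_HTML/RF.jsp
/OA_HTML/AppsLogin.jsp
/OA_HTML/OA.jsp
# /OA_HTML/oldLogin.jsp     commented out: no longer in use
/OA_HTML/xxCustomReport.jsp
"""

ACCESS_LOG = """\
10.0.0.5 - - [01/Sep/2016:10:00:01 +0000] "GET /OA_HTML/RF.jsp?function_id=123 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Sep/2016:10:00:02 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xx/demo/webui/DemoPG HTTP/1.1" 200 8192
10.0.0.9 - - [01/Sep/2016:10:01:07 +0000] "POST /OA_HTML/AppsLogin.jsp HTTP/1.1" 302 0
10.0.0.9 - - [01/Sep/2016:10:02:15 +0000] "GET /OA_HTML/oldLogin.jsp HTTP/1.1" 403 0
10.0.0.12 - - [01/Sep/2016:10:03:44 +0000] "GET /OA_HTML/xxCustomPage.jsp?id=7 HTTP/1.1" 200 2048
10.0.0.12 - - [01/Sep/2016:10:03:50 +0000] "GET /OA_HTML/cabo/images/t.gif HTTP/1.1" 200 43
"""

_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_allowlist(text: str) -> Set[str]:
    """Active entries only: blank lines and '#' lines (comments or disabled JSPs) are skipped."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def jsp_requests(log_text: str) -> List[Tuple[str, int]]:
    """(path, status) for every .jsp request; the query string is dropped so that
    OA.jsp?page=A and OA.jsp?page=B count as the same JSP."""
    found: List[Tuple[str, int]] = []
    for line in log_text.splitlines():
        m = _REQUEST.search(line)
        if m is None:
            continue
        path = urlsplit(m.group("target")).path
        if path.lower().endswith(".jsp"):
            found.append((path, int(m.group("status"))))
    return found


def cross_check(allowed: Set[str], requests: List[Tuple[str, int]]) -> Dict[str, object]:
    """Relate what was requested to what the whitelist permits."""
    unlisted = Counter(path for path, _ in requests if path not in allowed)
    served = sorted({path for path, status in requests if path not in allowed and status < 400})
    seen = {path for path, _ in requests}
    return {
        "unlisted_requests": dict(unlisted),      # step 3: custom JSPs to add, or probing to investigate
        "unlisted_served": served,                # unlisted yet served (status < 400): the whitelist is not enforced there
        "unused_allowed": sorted(allowed - seen), # step 4: candidates to comment out
    }


if __name__ == "__main__":
    report = cross_check(parse_allowlist(ALLOWED_JSPS_CONF), jsp_requests(ACCESS_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a representative window of access_log (long enough to cover month-end and other periodic jobs) before commenting entries out; an entry that never appears over a full business cycle is the safe candidate for step 4, while an unlisted JSP that was served with a 2xx status shows the whitelist is not yet in effect on that node.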
22. Allowed JSPs
New
Automatic configuration
• Automatically configure products in your allowed JSP configuration for you
– txkCfgJSPWhitelist.pl
– Currently only available in 12.2.6
• Configuration based on
– Whether we detect transactional data
– How commonly the product is used
23. Allowed JSPs
New
Automatic configuration
• Two modes –
– REPORT – reports on current status, product usage and what the script will do
– UPDATE – modifies the configuration files
• Usage:
$ perl txkCfgJSPWhitelist.pl -contextfile=$CONTEXT_FILE -mode=report
Configuration file            Current Status   Transactional Data   Updated Status
allowed_jsps_CRM_ASL.conf     ACTIVE           ABSENT               INACTIVE
…
allowed_jsps_CRM_AMV.conf     ACTIVE           AVAILABLE            ACTIVE
…
24. Whitelisted Resources
Roadmap
• Expanding out Allowed JSP feature to additional Allowed Resources
– Allowed Servlets
– Explicit list of servlets that are exposed
– Rebranding ‐ New Profile
• Security: Whitelisted Resources
– Values: All, JSPs, None
• Replaces Allow Unrestricted JSP Access
26. Auditing and Logging
• Documentation
– Oracle E‐Business Suite 12.2 Security Guide, Auditing and Logging Chapter
– MOS Note 2069190.1, Security Configuration and Auditing Scripts for Oracle E‐Business Suite
• Scripts
– Download EBSAuditScripts.zip (contains multiple SQL scripts)
• Validate audit configuration
• Query audit tables
• Configure database auditing
– Check periodically for updates to EBSAuditScripts.zip
27. Auditing and Logging
Categories
• Recent and current activity (monitoring)
– Information about what is happening currently in the system
– Information about the last activity performed on a specific record or by a specific session
• Historical activity
– Information is similar to recent and current activity that is captured
– Information is retained (historical records of activity)
• Unexpected events
– Unexpected errors reported by the application or technology stack
– Unexpected errors can include security related activity
28. Auditing and Logging
Recent or Current Activity
• Data Changes Tracked with Row Who Columns
• Sign‐On Audit
• Session Auditing
• Page Access Tracking
• Oracle E‐Business Suite AuditTrail
• Database connection tagging
• Proxy User Auditing
Historical Activity
• Apache Access Logs
• Session Auditing
• Oracle E‐Business Suite AuditTrail
• OHS Apache error logs
• Database listener log
• Database alert log
• Database auditing
• Fine‐grained auditing
Unexpected Events
• Unsuccessful logon attempts
• Debug logging
• OHS Apache error logs
• Database listener log
• Database alert log
30. Transport Layer Security (TLS) vs Secure Socket Layer (SSL)
Review
• TLS is the successor to SSL; HTTPS is HTTP working on top of TLS
• TLS 1.2 is what we will talk about for Oracle E‐Business Suite going forward
• SSL 3.0 is no longer recommended (dead)
• TLS creates an encrypted connection between two machines allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery
• Industry standards mandating the move to TLS 1.2
– OMB NIST mandate (800‐52 rev1) to move to TLS 1.2
– PCI council (PCI DSS v3.1) requires new implementations to be on at least TLS 1.1
• Migrate to a minimum of TLS 1.1, preferably TLS 1.2 by June 2018
31. TLS Addresses Recent Security Vulnerabilities
• POODLE
– Padding Oracle On Downgraded Legacy Encryption
– Migration to TLS (SSLv3 is turned off)
• FREAK, Logjam, RC4‐NO‐MORE
– Factoring Attack on RSA‐EXPORT Keys
– Weak DH parameters (<2048), RC4
– Disable weak cipher suites
– Strong cipher suites by default
• For example, EBS R12.2 (FMW 11.1.1.9):
[000a] RSA_DES_192_CBC3_SHA
[002f] RSA_WITH_AES_128_SHA
[0035] RSA_WITH_AES_256_SHA
[003c] RSA_WITH_AES_128_CBC_SHA256 (available with TLS 1.2)
[003d] RSA_WITH_AES_256_CBC_SHA256 (available with TLS 1.2)
[009c] RSA_WITH_AES_128_GCM_SHA256 (available with TLS 1.2)
[009d] RSA_WITH_AES_256_GCM_SHA384 (available with TLS 1.2)
33. TLS Connections in Oracle E‐Business Suite
• Inbound Connections – from a client to the Oracle HTTP Server
• Loopback connections – from Oracle E‐Business Suite to itself
• Outbound connections – from Oracle E‐Business Suite to External Site(s)
Diagram: Intranet User and Internet User connect to the External Application Node (in the DMZ) and the Internal Application Node; both application nodes connect to the EBS Database; outbound connections go to an External Site.
34. Examples of TLS Connections in Oracle E‐Business Suite
Inbound Connections
• Browser access
• Forms access
• Incoming XML Gateway message
• Mobile access via a REST service
Loopback Connections
• Workflow notification emails from Concurrent Manager tier
• Payment call back from database tier
• OAM log viewer
Outbound Connections
• Punchout in iProcurement
• XML Gateway connection to a partner application
• Payments credit card processing
35. What’s New with the Certification of EBS and TLS 1.2?
New
• Oracle E‐Business Suite Release 12.2 and 12.1 Certified with TLS 1.2
– “TLS 1.2 with Backward Compatibility” aka “TLS 1.2 w/BC”
– Mandatory prerequisites and configuration
• Oracle E‐Business Suite Release 12.1 Uses OpenSSL
• Optional Configurations
– Configuring “TLS 1.2 Only”
– Disabling HTTP Port
– Enabling TLS from Oracle HTTP Server (OHS) to Application Server (OC4J / WLS)
• Certified for EBS 12.1: OHS to OC4J
• Pending certification for EBS 12.2: OHS to WebLogic Server (WLS)
36. What’s New with the Certification of EBS and TLS 1.2?
Content for SSLv3 and TLS 1.0 (for reference only, for existing SSL/TLS 1.0 customers)
• EBS 12.2 – MOS Note 1367293.1
• EBS 12.1 – MOS Note 376700.1
Structure and Content for TLS 1.2 (New Note IDs)
• EBS 12.2 – MOS Note 2143101.1
• EBS 12.1 – MOS Note 2143099.1
38. Oracle E‐Business Suite on Oracle Cloud
Security Lists and Security Rules
Security List – Allows you to control network access to or from Oracle Compute Cloud Service instances.
Diagram: SecList1, SecList3, SecList4, SecList5
39. Oracle E‐Business Suite on Oracle Cloud
Security Lists and Security Rules
Security List – Allows you to control network access to or from Oracle Compute Cloud Service instances.
Security Rule – Like a firewall rule, allows you to define what traffic is permitted between security lists, instances and external hosts.
Diagram: SecList1, SecList2, SecList3, SecList4; rule “Allow DB Port”
40. Oracle E‐Business Suite on Oracle Cloud
Additional Security with Security Lists and Security Rules
Diagram: security lists env_app (EBS App Node 1, EBS App Node 2), env_otd (OTD), env_db (EBS DB Node) and [host]_provm (Provisioning Tools VM) in Oracle Cloud; on‐premises VPN/Security IP List.
41. Oracle E‐Business Suite on Oracle Cloud
Additional Security with Security Lists and Security Rules
Diagram: same layout; security rules “Allow ssh” from the on‐premises side into each of the security lists.
42. Oracle E‐Business Suite on Oracle Cloud
Additional Security with Security Lists and Security Rules
Diagram: same layout; security rules “Allow http/https” from the on‐premises VPN/Security IP List to the app tier and OTD in Oracle Cloud.
43. Oracle E‐Business Suite on Oracle Cloud
Additional Security with Security Lists and Security Rules
Diagram: same layout; security rules “Allow required ports” between the security lists (app nodes, OTD, DB node, Provisioning Tools VM) within Oracle Cloud.
45. Oracle E‐Business Suite Security
Roadmap
Oracle Cloud & On‐Premises
• Turn additional security features on by default
• Whitelisted Resources
• Add additional checks to the Secure Configuration Console
• Certify EBS 12.1 Data Masking Templates with EM13cR1
Oracle Cloud
• Certify Database 12c Database Vault (DBCS) with EBS 12.2
• Provide an improved process for enabling TDE with EBS 12.1.3 and EBS 12.2 on DBCS
On‐Premises
• Certify Database Vault for EBS 12.2 with Database 12c and 11gR2
• Certify Database Vault for EBS 12.1.3 and Database 12c