Securing the Internet Facing
E-Business Suite
(revision 2)
John Peters
JRPJR, Inc.
john.peters@jrpjr.com
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
1
• There have been changes to this presentation
since the copy was provided to OAUG.
• The most recent revision to both the presentation
and white paper are on my web site:
http://www.jrpjr.com/
• This information will be repeated at the end of the
presentation
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
2
• How many of you have an Internet Facing Oracle
Application Module?
• Or Considered Buying one?
iSupplier Portal
iSupport
iStore
iRecruitment
Oracle Sourcing
Oracle Marketing
iLearning
iReceivables
iSurvey
Transportation
Partner Relationship Management
Service Contracts
Oracle Learning Management
Others???
• How many of you have thought about security?
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
3
What you should learn from this presentation:
• General Oracle Applications Security
(and why this is not enough)
• Various Systems Configuration Options
• An Optimal Solution at This Time
• Oracle’s Recent Developments in This Area
• External Facing eBusiness Suite Functionality
Issues
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
4
General Oracle Applications Security
• Note 189367.1, 17-APR-2006, Version 3.0.3
Best Practices for Securing the E-Business Suite
~ 72 pages in length
*** An excellent starting point ***
• Covers each applications component:
–
–
–
–
–
–
SQL*Net Listener
Database
Applications Tier
eBusiness Suite
Desktop
OS
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
5
General Oracle Applications Security
• Note 189367.1
• But leaves many holes
– Does not provide a configuration overview
– Does not adequately address external
eBusiness Suite modules
– Just barely touches on OS Issues
– Does not address user registration issues
– Does not address functional issues
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
6
Typical OraApps Configuration
Internal Users Only
Router
Applications
Tier
Database
Tier
SAN Device
DB
User
Computers
• One or more physical servers for each Tier
• Typically a router between the servers and the user
• Connection between users and servers is typically
non-SSL HTTP:// ( not HTTPS:// )
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
7
Non-SSL vs SSL
For Internal Users Only
• SSL encrypts communications between users
and the Applications Tier
• Sometimes SOX pushes this as a requirement
• Possibly a 10-15% performance hit
• Hardware Accelerators are available
• Probably not required and overkill for internal
users running on a switched network
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
8
SSL Implementation
For Internal Users Only
• ‘A Guide to Understanding and Implementing SSL
with Oracle Applications 11i’,
Note:123718.1, 02-APR-2006
• This document changes so keep up to date with it
• There are issues associated with some modules
which call servlets:
– Configurator (even if you are not using it OM calls it for PTO
Kits)
– iPayment
– Fix requires running a non-SSL web listener
• Expect to spend some dedicated time to get this
working, and test, test, test, ….
• Again SSL is probably not required for most sites
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
9
OraApps Internet Facing Configurations
Arranged worst to best in terms of security
• Example 1
No DMZ, Open Up Firewall
• Example 2
DMZ Application Server
• Example 3
DMZ Web Cache Server
• Example 4
DMZ Web Cache Server
Dedicated External Applications Server
• Example 5
Oracle’s Deployment Option 1
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
10
Example 1: Non-DMZ Configuration
(!!! do not do this !!!)
Internet
Corporate Network
Corporate
Firewall
Router
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
Drawbacks
• With same ports open that internal users use, internal
functionality is exposed to the internet
• Without SSL between the Internet User’s Computer
and Applications Tier, the Internet User’s
communications can be eave’s dropped on
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
11
Example 2: DMZ Application Server Configuration
Internet
DMZ
Corporate Network
DMZ
Firewall
Corporate
Firewall
Router
DMZ
Applications
Tier
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Benefits
• Internet Communication is done through SSL
• SSL End Point is not on Internal Applications Tier
• Communication between DMZ Applications Tier and
DB Tier are done through SQL*net
• DMZ must be compromised for a hacker to get in
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
12
Example 2: DMZ Application Server Configuration
Internet
DMZ
Corporate Network
DMZ
Firewall
Corporate
Firewall
Router
DMZ
Applications
Tier
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Drawbacks
• DMZ Applications Tier exposes too much to a possible
hacker
• DMZ Applications Tier must be patched and monitored
• Not currently autoconfig and ad tools supported
(see reverse proxy server later for more info)
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
13
Example 3: DMZ Web Cache Server
Internet
DMZ
Corporate
Firewall
DMZ
Web Cache
Corporate Network
DMZ
Firewall
Router
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Benefits
• All the benefits of Example 2
• Ports are filtered, only http traffic between Internet and
Applications Tier
• Minimize software components in DMZ
• Only one Applications Tier to patch (no patching on web cache)
• Can change URL, masking the Oracle Application
URLs were  https://mysite.com/OA_HTML/
URLs can be  https://mysite.com/external/
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
14
Example 3: DMZ Web Cache Server
Internet
DMZ
Corporate
Firewall
DMZ
Web Cache
Corporate Network
DMZ
Firewall
Router
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Drawbacks
• Applications Tier still exposes too much to a possible
hacker.
• You can deep link to JSP pages if you know their
names.
• The JSP pages are suppose to throw errors if deep
linked to without applications login, yeah right.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
15
What is Web Cache
• Web Cache is a component of Oracle iAS 10G
(and prior versions)
• Web Cache in my example is installed without
Oracle iAS 10G (standalone installation)
• Minimal set of software
–
–
–
–
No Infrastructure DB
None of the other components of iAS
Perfect for a DMZ deployment
No Applications Patching
• Please refer to the product documentation on OTN
Oracle Application Server 10g Release 2 (10.1.2)
• Please talk to your Oracle Sales Rep for licensing
information.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
16
What does Web Cache do?
• Web Cache sits between the users and the origin
servers (Applications Middle Tier)
• Web Cache stores or caches data into memory
based on rules you specify
• The primary purpose is to improve performance of
web sites
• Our purpose is to:
– Provide an SSL termination point
– Change the URL’s served up
– Filter the URL’s (not available yet)
• Web Cache can also provide an error page should
the Application Tier be down for maintenance
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
17
Example 4: DMZ Web Cache & Dedicated Apps Tier
Internet
DMZ
Corporate
Firewall
DMZ
Web Cache
Corporate Network
DMZ
Firewall
Router
External
Applications
Tier
Internal
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Benefits
• All the benefits of Example 3.
• External Applications Tier with all of the components
not required by the Internet Users removed. Thus
preventing deep linking issues.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
18
Example 4: DMZ Web Cache & Dedicated Apps Tier
Internet
DMZ
Corporate
Firewall
DMZ
Web Cache
Corporate Network
DMZ
Firewall
Router
External
Applications
Tier
Internal
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Drawbacks
• External Applications Tier not supported by Oracle
Support tools. You have to manually maintain this tier.
(see reverse proxy server later for more info)
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
19
‘DMZ Reverse Proxy Server’
• Eliminates the need for Example 4’s Tweaked External
Application Server. (Oracle Supported)
• External Applications Web Server in DMZ will restrict JSPs
which are allowed to run
• External Product Teams will supply JSP lists
• Mitigating the “unnecessary code” problem
• Described in Oracle OpenWorld Paper
‘Oracle E-Business Suite Security Management’ by George
Buzsaki, VP Applications Technology Products at Oracle
• ‘Oracle E-Business Suite 11i Configuration in a DMZ’ use to
be called ‘DMZ Configuration with Oracle E-Business Suite
11i’, Metalink Document 287176.1, Aug 29, 2005
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
20
Example 5: Reverse Proxy & External Apps Middle Tier
Oracle’s Deployment Option 1
Note: 287176.1
Internet
DMZ 1
Firewall
DMZ
Reverse Proxy
DMZ
DMZ 2
Firewall
Corporate Network
DMZ 3
Firewall
Router
External
Applications
Tier
Internal
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
OAUG Collaborate 2006
User
Computers
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
non-SSL
SSL
21
Reverse Proxy and Second Apps Middle Tier
Internet
DMZ 1
Firewall
DMZ
Reverse Proxy
DMZ
DMZ 2
Firewall
Corporate Network
DMZ 3
Firewall
Router
External
Applications
Tier
Internal
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
Benefits
• Restrict access to a limited set of
responsibilities depending upon the Application
Tier the user log’s on to.
• Limited JSPs can be accessed on External
Applications Tier, (in development now)
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
22
Reverse Proxy and Second Apps Middle Tier
Internet
DMZ 1
Firewall
DMZ
Reverse Proxy
DMZ
DMZ 2
Firewall
Corporate Network
DMZ 3
Firewall
Router
External
Applications
Tier
Internal
Applications
Tier
Database
Tier
SAN Device
DB
User
Computers
Internet User
Computers
non-SSL
SSL
Drawbacks
• Separate External Apps Tier to patch
(can not share APPL_TOP through firewall)
•
•
•
•
Additional firewall and Server
Still allows deep linking (until JSP filtering released)
Reverse Proxy Server URL filtering not yet implemented
It’s New, support only for 11.5.10
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
23
Other Oracle Configuration Options
• There are two other less secure options listed
in document 287176.1
• They basically drop Firewalls and Applications
Middle Tiers.
• I am not reviewing them because they are
less secure, please refer to the document for
more information.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
24
Other Changes in Document 287176.1
• Hierarchy Type
– Profile Options used to construct various URL’s for
an E-Business Suite environment.
– Profile Options can be set at the Server Level
• So at the server level you can generate
different URL’s for internal and external users.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
25
Other Changes in Document 287176.1
• Node Trust Level
– Profile Option used to set trust level for each
middle tier servers
– Three levels supported:
• Administrative
• Normal
• External
• So at the server level you can set a Trust
Level to be restrict user responsibility access
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
26
Other Changes in Document 287176.1
• Responsibility Trust Level
– Profile Option to set the Trust Level for each
Responsibility
– Same Three Trust Levels supported:
• Administrative
• Normal
• External
• Result: at the server level you can restrict
which responsibilities are accessible to the
internal and external users
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
27
Other Changes (in development)
• JSP Filtering
– External Applications Teams provide a list of
externally required JSP files
– Users can customize this file on the external
application server
• Result: Deep linking issue are eliminated
• Plan to spend time testing and verifying JSP’s
which are really required externally
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
28
Document 287176.1
• This document has finally settled down in
terms of changes. The last revision was
August 29, 2005. 9 months have gone by
without changes.
• Always keep an eye on this document for
further enhancements and roll out of
additional internet security.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
29
My Recommendation
• If cost, setup and patching time are not
issues go with Example 5, Oracle’s Option 1,
Reverse Proxy & External Apps Middle Tier.
• Consider web cache for the Reverse Proxy
Server
• If not on 11.5.10 or you can not afford the
extra hardware consider my Example 3
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
30
My Recommendation
Internet
DMZ 1
Firewall
DMZ
Reverse Proxy
DMZ
DMZ 2
Firewall
Corporate Network
DMZ 3
Firewall
Router
External
Applications
Tier
Internal
Applications
Tier
Database
Tier
SAN Device
DB
Internet User
Computers
User
Computers
non-SSL
SSL
• Go with Oracle’s Deployment Option 1, Reverse Proxy &
External Apps Middle Tier
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
31
How does it work (step 1)
• Internet users go to SSL URL:
https://mysite.com/external/login.jsp
• Connects using SSL to port 443 of the DMZ Web Cache
Server on NIC 1
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
32
How does it work (step 2)
• Web Cache reviews URL request to see if page/data is
cached in memory
• If so it serves up page/data
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
33
How does it work (step 3)
• Web Cache sends request out to the Application Tier (Origin Server)
https://myserver.com:8000/OA_HTML/login.jsp
• Communication is through NIC 2 using SSL
• The External Applications Tier is the SSL termination point
• Application Tier responds, Web Cache relays page/data to the Internet
User
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
34
Reverse Proxy & External Apps Tier
• What is the configuration for these new
DMZ servers in the Oracle Applications
environment?
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
35
DMZ Server Hardware
• My recommendation is a small server like:
– Dell PowerEdge 2850 or 1850
– 2 CPU server
– 4GB of RAM
– Dual NICs
• Run Linux on this Server
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
36
DMZ Server NIC Configuration
• Dual NIC’s allow us to configure them
– One NIC Internet Facing
– One NIC Application Tier Facing
• We are effectively using this server to
route traffic from one network to the
other
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
37
Hardening the Linux OS
• Reinstall the factory installed OS
• Install only the essential components
– Compilers
– Kernal Source
– X Windows/GNOME
• Install an intrusion detection product
like TripWire
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
38
TripWire
• Creates a database of files on your server storing information like:
Inode number, Multiple Checksums, File Size, File Permission, File
Ownership, etc.
• You create the Policy file describing what directories/files to track
• Reports can be run periodically to tell you if something changed and
are sent via email
• TripWire DB and Policy Files are stored on another centralized server
• This takes a while to setup and change the policy file to keep the
noise to a minimum
• Was an Open Source product, included on older Linux distributions.
Now is commercial, www.tripwire.com
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
39
Keep Linux Patched
• OS Security issues don’t just exist for
Microsoft products
• Subscribe to your Linux vendor’s
patching/support service
• Emails will alert you when fixes are
available and are tailored to your install
• The automated tools for patching the
OS are fairly easy to use
• Patch TEST first, then patch PROD
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
40
Don’t forget the TEST instance
PROD
TEST
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
41
Functionality Issues
• We have discussed configuration issue,
now lets cover some of the functionality
issues.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
42
Support Issues
• Down time for patching is now a bigger deal
with External Users
• Web Cache can serve up “System Down For
Maintenance” messages to External Users,
rather than no server found browser errors
• What was 6am to 6pm support, now turns
into 24x7
• Who do external users contact for support?
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
43
User Registration Issues
• All External Facing eBusiness Suite
Applications utilize FND_USER
• All of these non-company resources
have user accounts on your system
– iStore Users
– iReceivables Users
– iSupplier Users
– iRecruitment Users
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
44
Internal vs External Users
• They are different
• Internal and External differences
–
–
–
–
–
Password aging
Handling of Password reset requests
Responsibility requests
Responsibility verifications
End date
• Also eBusiness Suite Record History is
instantly visible and identifiable.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
45
How to know who is who
• Come up with a Userid Standard for both
classes of users:
– Internal Users
– External Users
• Internal Users
<first name initial><last name>
<windows login>
jsmith
• External Users
<email address>
joe.smith@mycustomer.com
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
46
User Registration Page Issues
Example:
• iStore’s user registration page inserts
FND_USER records
– User records can not be purged
– Internal and External Users are mixed together
(use a convention of email address for external users)
– They are routed for approval but if denied they
are unusable forever
– Approval process is really insufficient for most
business cases
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
47
User Registration Page Issues (cont.)
• iStore’s user registration page requests the
Party Number from the customer registering.
– How many customers know they are 123456
– If they enter 123465 they are linked to a
completely different customer
– Once incorrectly linked it is almost impossible to
correct in CRM, FND_USER, TCA
– FND_USER record is lost for further use
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
48
User Registration Page Issues
(cont.)
• Soution:
– Create a custom form and table
– External userids request are stored in the custom
table for review
– Data is reviewed and if okay entered by internal
resources into the Oracle Applications registration
processes to ensure it’s accuracy
• Denial of Service attacks will fill this custom
table which we can delete records from. This
object can be created with no redo log
actions to minimize impact on archive logs if
required.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
49
External User Data Changes
• Keep an eye on what your external
users can do to your Oracle Applications
data.
• Extensively review all forms for hidden
functionality, a simple link can open up
a whole world of functionality you did
not know about.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
50
External User Data Changes
Example:
• iStore allows external users (customers) to
modify addresses and contacts
• How many companies have customer master
issues around addresses and contacts with
just Internal Users making changes?
• Now your customers can do what ever they
want, to your customer master.
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
51
Summary
• External Facing eBusiness Suite modules
bring Security issues to light
• You might ask, Why do this to yourself?
• There are legitimate business reasons to use
External Facing eBusiness Suite modules
• Just go into them with your eyes wide open
and an understanding of what you are getting
into
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
52
Additional References
• Note:189367.1, 17-APR-2006, Version 3.0.3
Best Practices for Securing the E-Business
Suite
• Note:287176.1, Aug 29, 2005
Oracle E-Business Suite 11i Configuration in a
DMZ
• Note:243324.1, 08-JUL-2003
Securing Oracle E-Business Suite for Internet
Access by Suppliers
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
53
Additional Book References
• Linux Security Cookbook
– by Daniel J. Barrett, Richard E. Silverman, Robert G. Byrnes
O'Reilly
• Real World Linux Security: Intrusion
Prevention, Detection and Recovery
– by Bob Toxen
Prentice Hall PTR
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
54
• My contact information:
John Peters
john.peters@jrpjr.com
http://www.jrpjr.com
• Additional reference papers can be found
at:
http://www.norcaloaug.org
http://www.jrpjr.com
OAUG Collaborate 2006
Copyright ©2005-2006 by John Peters, JRPJR, Inc.
55