TLS 1.2 Configuration for Oracle E-Business Suite 12.2 and 12.1
Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Confidential – Oracle Internal/Restricted/Highly Restricted
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
A SSL vs TLS
B TLS Connections in Oracle E-Business Suite
TLS Addresses Recent Security Vulnerabilities
• POODLE
– Padding Oracle On Downgraded Legacy Encryption
– Migration to TLS (SSLv3 is turned off)
• FREAK, Logjam, RC4-NO-MORE
– Factoring Attack on RSA-EXPORT Keys
– Weak DH parameters (<2048 bits), RC4
– Disable weak cipher suites
– Strong cipher suites by default
• For example, EBS R12.2 (FMW 11.1.1.9):
[000a] RSA_DES_192_CBC3_SHA
[002f] RSA_WITH_AES_128_SHA
[0035] RSA_WITH_AES_256_SHA
[003c] RSA_WITH_AES_128_CBC_SHA256 (available with TLS 1.2)
[003d] RSA_WITH_AES_256_CBC_SHA256 (available with TLS 1.2)
[009c] RSA_WITH_AES_128_GCM_SHA256 (available with TLS 1.2)
[009d] RSA_WITH_AES_256_GCM_SHA384 (available with TLS 1.2)
TLS Connections in Oracle E-Business Suite
(Topology diagram with these elements: Internet user, External Site, DMZ containing the External Application Node, Internal Application Node, EBS Database, Intranet user.)
What’s New with the Certification of EBS and TLS 1.2?
• New structure and content for TLS 1.2
• Content for SSLv3 and TLS 1.0 is retained for reference only, for existing SSL/TLS 1.0 customers
Special Considerations - Inbound Connections
• Option 1 (diagram; the only recoverable label is "Web Node 2")
• Option 2 (diagram)
Special Considerations – Outbound & Loopback Connections
• Trust stores need the root certificate of every server they communicate with
• Loopback connections need the root certificate associated with the web entry point
– Database tier (UTL_HTTP uses an Oracle Wallet)
– WLS administrative interfaces
• Outbound connections need the root certificate of the external site
– For products communicating with external servers, such as Punchout and XML Gateway
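The following is an added example, not part of the Oracle deck, that makes the trust-store point above concrete: chain validation of a server certificate succeeds only when the trust store holds the root that issued it, and a store for outbound connections to several sites simply holds all of their roots. It assumes the openssl command-line tool is on PATH; every key and certificate is generated locally as constructed test data, and "ebs.example.com" is a placeholder for the web entry point.

```shell
#!/bin/sh
# Added example (not from the Oracle deck). Demonstrates why the loopback and
# outbound trust stores (database-tier wallet, JDK trust store, WLS) must hold
# the ROOT certificate of the server they call. Assumes openssl is on PATH.
# All material below is constructed test data; ebs.example.com is a placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the roots carry basicConstraints CA:TRUE regardless of
# what the host's default openssl.cnf says.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# make_root NAME CN: self-signed root CA written to NAME.key / NAME.pem
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config ca.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}
make_root root  "Example Issuing Root CA"   # the CA that signed the entry point
make_root other "Unrelated Root CA"         # what an incorrectly built store holds

# Server certificate for the web entry point, issued by the first root.
cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:ebs.example.com
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
  -subj "/CN=ebs.example.com" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile server.ext -out server.pem >/dev/null 2>&1

# verify_against TRUSTSTORE_PEM: builds the server's chain against the given
# trust store, as a TLS client does before it will talk to the server.
# Prints "ok" when the chain ends at a trusted root, "fail" otherwise.
verify_against() {
  if openssl verify -CAfile "$1" server.pem >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Outbound case: one store that trusts several sites' roots is just their
# concatenation (order does not matter).
cat other.pem root.pem > store.pem

echo "store holds the wrong root   : $(verify_against other.pem)"   # fail
echo "store holds the issuing root : $(verify_against root.pem)"    # ok
echo "store holds both roots       : $(verify_against store.pem)"   # ok
```

On a live system the chain to check is what the entry point actually serves (openssl s_client -connect host:4443 -showcerts); the root it ends at is what goes into the database wallet with orapki wallet add -wallet <dir> -trusted_cert -cert root.pem -pwd <password>, and into a JDK trust store with keytool -importcert -trustcacerts.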
How EBS Works After Enabling/Migrating to TLS 1.2 w/BC (with backward compatibility)
• EBS 12.2 and 12.1 are configured to use TLS 1.2, 1.1 or 1.0
• Connection will use the highest version of TLS enabled by the two parties
(Diagram: an Internet user whose browser supports TLS 1.2 gets a connection established using TLS 1.2; an Intranet user whose browser supports TLS 1.1 gets a connection established using TLS 1.1; an External Site that supports TLS 1.0 gets a connection established using TLS 1.0. Nodes shown: External Application Node in the DMZ, Internal Application Node, EBS Database.)
EBS 12.2: Enabling TLS w/BC
Customers implementing encryption for the first time should follow Section 5 (MOS Note 1367293.1)
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create a wallet and request a server certificate
• Make configuration changes in the middle tier for inbound/loopback/outbound connections
• Set up a wallet in the database tier
MOS Note 1367293.1
EBS 12.1: Enabling TLS 1.2 w/BC
Customers implementing encryption for the first time should follow Section 5
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Apply required patches
• Create an OpenSSL configuration file and request a server certificate
• Make configuration changes in the middle tier for inbound/loopback/outbound connections
• Set up a wallet in the database tier
EBS 12.1: Key Requirements for TLS 1.2 and OpenSSL
• FMW 10.1.3.5 one-off patches
– OHS patch 22447165 and OPMN patch 22458773 contain new FMW code as well as the OpenSSL (version 1.0.2) binary
....
22447165/files/Apache/Apache/libexec/mod_ssl.so
22447165/files/Apache/Apache/libexec/mod_oc4j.so
22447165/files/Apache/open_ssl/bin/openssl
....
EBS 12.1: Switching To OpenSSL
All EBS 12.1 customers must get a new certificate or ask their CA to rekey their existing certificate
• SSL/TLS 1.0: 10g NZ library
• TLS 1.2 (new): OpenSSL 1.0.2
EBS 12.1 Outbound/Loopback Connections
TLS 1.2 Key Configuration – AutoConfig Customizations
• Copy the following files from <FND_TOP>/admin/template to the custom directory, <FND_TOP>/admin/template/custom:
– oc4j_properties_1013.tmp
– oafm_oc4j_properties_1013.tmp
– forms_oc4j_properties_1013.tmp
• Known Issues
– Same AutoConfig known issue as with the inbound connection configuration
How EBS Works When Configured with TLS 1.2 Only
• EBS 12.2 and 12.1 are configured to connect only with TLS 1.2
• Connection will use TLS 1.2
(Diagram: an Internet user whose browser supports TLS 1.2 gets a connection established using TLS 1.2; a browser that supports only TLS 1.1 gets an ERROR; an External Site without TLS 1.2 support gets no connection (not established). Nodes shown: External Application Node in the DMZ, Internal Application Node, EBS Database, Intranet user.)
Additional Considerations When Configuring TLS 1.2 Only
• Product certifications with TLS 1.2
– Mobile Applications V6 (minimum)
– Oracle E-Business Suite Information Discovery V7 (minimum)
• JRE versions
– JRE 8: TLS 1.2 enabled by default
– JRE 7: TLS 1.2 must be enabled manually (Java Control Panel > Advanced tab > Advanced Security Settings section > Use TLS 1.2)
• Browsers with TLS 1.2 enabled by default
– IE 11 / Firefox ESR 45.x / Chrome v49
EBS 12.2: Migrating from SSL/TLS 1.0 to TLS 1.2 Only
• Upgrade Technology Stack
– FMW 11.1.1.9
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Database 12.1.0.2
– Apply required patches
• Make configuration changes in the middle tier
– Inbound: same as in Section 5.2 for TLS 1.2 w/BC except for the following:
• Step 7: set SSLProtocol nzos_Version_1_0 nzos_Version_1_1 nzos_Version_1_2 in admin.conf, and set ssl-versions="TLSv1.0" in opmn.xml
• Step 9: set SSLProtocol TLSv1.2 in ssl.conf
– Known Issues: Bug 23630525
• Workaround for inbound connections per Step 7 above: set SSLProtocol for TLS 1.2, 1.1 and 1.0
• Note that the workaround leaves the OHS admin listener (admin.conf) and OPMN (opmn.xml) accepting TLS 1.0; only the end-user virtual host in ssl.conf is restricted to TLS 1.2
MOS Note 1367293.1
EBS 12.1: Migrating from SSL/TLS 1.0 to TLS 1.2 Only
• Upgrade Technology Stack
– FMW 10.1.3.5
– JDK 7 or JDK 6u121 (July 2016 CPU)
– Database 12.1.0.2
– Apply required patches
• Make configuration changes in the middle tier
– Inbound: same as in Section 5.2 for TLS 1.2 w/BC except for the following:
• Section 5.2.1, Step 6: use the value listed in Section 6.1.2, Step 1 instead
– Loopback and outbound: same as in Section 5.3 except for the following:
• Section 5.3.1, Step 1: set https.protocols=TLSv1.2 in a few custom template files
• EBS 12.2 and 12.1 are now certified with only the HTTPS port accessible.
• After HTTPS (e.g. port 4443) is enabled, the HTTP port (e.g. port 8000) is still accessible, so the application remains reachable over unencrypted HTTP until you disable it. You may now manually disable the HTTP port.
EBS 12.2: Disabling HTTP Port
• TXK and FMW minimum requirements
– Requirements from Section 5.1 and Section 6.2 "Required Patches"
• TXK Delta 7 bundle patch 21846184 (enables JSSE)
• OPMN patch 20493440
• FMW 11.1.1.9 patch 22288381
– Recommended: apply the latest FMW CPU patch
• Update httpd.conf through the FMW Control Console
– Comment out the "Listen ####" line (the HTTP port)
– Switch the order of the include statements so that ssl.conf is included before admin.conf
• Known Issues
– iHELP search failure (Bug 20472035)
MOS Note 1367293.1
EBS 12.1: Disabling HTTP Port
• TXK and FMW minimum requirements
– Requirements from Section 5.1
• Copy the template file, httpd_conf_1013.tmp, to the <FND_TOP>/admin/template/custom directory
• Comment out "Listen %s_http_listen_parameter%"
• Known Issues
– iHELP search failure (Bug 20472035)
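The following is an added example, not from the Oracle deck: a read-only check to run against httpd.conf (12.2) or the custom httpd_conf_1013.tmp (12.1) after the two slides above have been applied. It lists the Listen directives that are still active and reports whether the ssl.conf include now precedes the admin.conf include. The two configuration files it inspects are constructed samples, not copies of a real OHS configuration.

```shell
#!/bin/sh
# Added example (not from the Oracle deck). Read-only review of an OHS
# httpd.conf / httpd_conf_1013.tmp after the HTTP port has been disabled.
# The before/after files are constructed samples.
set -eu

# active_listens FILE -> the argument of every Listen line that is not commented out
active_listens() {
  grep -Ei '^[[:space:]]*Listen[[:space:]]+' "$1" | awk '{print $2}'
}

# include_line FILE PATTERN -> line number of the first uncommented include
# whose argument matches PATTERN, or empty if there is none
include_line() {
  grep -Ein "^[[:space:]]*include[[:space:]].*$2" "$1" | head -n 1 | cut -d: -f1
}

# ssl_before_admin FILE -> yes | no | unknown (unknown: an include is missing)
ssl_before_admin() {
  ssl=$(include_line "$1" 'ssl\.conf')
  adm=$(include_line "$1" 'admin\.conf')
  if [ -z "$ssl" ] || [ -z "$adm" ]; then
    echo unknown
  elif [ "$ssl" -lt "$adm" ]; then
    echo yes
  else
    echo no
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: before the change, HTTP port 8000 is still open and
# admin.conf is included ahead of ssl.conf.
cat > "$WORK/before.conf" <<'EOF'
ServerRoot "/u01/oracle/ohs"
Listen 8000
include "admin.conf"
include "ssl.conf"
EOF
# Constructed sample: after the edits the slide describes. The HTTPS Listen
# lives inside ssl.conf, so httpd.conf itself should have no active Listen.
cat > "$WORK/after.conf" <<'EOF'
ServerRoot "/u01/oracle/ohs"
#Listen 8000
include "ssl.conf"
include "admin.conf"
EOF

for f in before after; do
  echo "$f.conf: active Listen -> [$(active_listens "$WORK/$f.conf" | tr '\n' ' ')]" \
       "ssl.conf before admin.conf -> $(ssl_before_admin "$WORK/$f.conf")"
done
```

On a 12.1 custom template the uncommented line reads Listen %s_http_listen_parameter%, so active_listens prints the placeholder rather than a port; an empty result after the edit is what you want in both releases. Remember that AutoConfig regenerates the real file from the template, so check the generated httpd.conf too, not only the template.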
Note:
• JDK 1.6.0_121 (July 2016 update) or 1.7.0_xx can be used with TLS 1.2.
• Follow the steps in MOS Note 455492.1 to upgrade to JDK 6, or MOS Note 1530033.1 to upgrade to JDK 1.7.
TLS Configuration Checklist
What to Do: For EBS 12.2, execute the following in the FMW 11g WebTier Oracle Home:
$ opatch lsinventory -detail
What to Review: Under 'Installed Top-level Products', look for 'Oracle WebTier and Utilities CD'. The version should show '11.1.1.9.0'.
What to Do: For EBS 12.1, execute the following in the FMW 10g WebTier Oracle Home:
$ opatch lsinventory -detail
What to Review: Check the FMW inventory for the required patches:
– TLS 1.2: FMW 10.1.3.5 patches 20080288, 22447165 and 22458773
– SHA-2: FMW 10.1.3.5 Oct 2015 CPU patch 20080288, and for AIX/HP: 21948197; for Windows: 22251660
TLS Configuration Checklist
What to Do: To research errors with inbound connections (see Section 4.1 for the definition), check the following file: ssl.conf, located in <s_ohs_instance_loc>/config/OHS/<s_ohs_component>
What to Review: Review the configuration in the ssl.conf file.
If you are enabling "TLS 1.2 w/BC", the following lines are required:
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
If you are enabling "TLS 1.2 Only", the following lines are required:
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
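The following is an added example, not from the Oracle deck, that automates the ssl.conf review in this checklist and also ties back to the cipher-suite list on the "TLS Addresses Recent Security Vulnerabilities" slide: it classifies the SSLProtocol line as "TLS 1.2 w/BC", "TLS 1.2 Only" or still weak, and expands the SSLCipherSuite string with the openssl tool so the suites it actually selects are visible. It assumes openssl is on PATH, and the ssl.conf snippets it reads are constructed sample text.

```shell
#!/bin/sh
# Added example (not from the Oracle deck). Reviews the two ssl.conf lines the
# checklist calls out. Assumes the openssl CLI is on PATH; the ssl.conf files
# below are constructed samples.
set -eu

# protocol_mode FILE -> tls12-only | tls12-bc | weak | other | missing
# Only the explicit version-list syntax used in the deck is recognised;
# Apache's "all -SSLv3" style is reported as "other" rather than guessed at.
protocol_mode() {
  line=" $(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 | tr -s '[:space:]' ' ') "
  case "$line" in
    "  ")                    echo missing ;;
    *" SSLv2 "*|*" SSLv3 "*) echo weak ;;          # POODLE-era protocol still on
    *" TLSv1.2 "*)
      case "$line" in
        *" TLSv1 "*|*" TLSv1.1 "*) echo tls12-bc ;; # "TLS 1.2 w/BC"
        *)                         echo tls12-only ;;
      esac ;;
    *)                       echo other ;;
  esac
}

# enabled_ciphers FILE -> the suites the SSLCipherSuite string selects, one per
# line, as THIS host's OpenSSL expands the aliases. OHS's own SSL stack (nzos on
# 12.2) may map HIGH/MEDIUM slightly differently, so treat this as a review aid.
enabled_ciphers() {
  spec=$(grep -Ei '^[[:space:]]*SSLCipherSuite[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
  [ -n "$spec" ] || return 0
  command -v openssl >/dev/null 2>&1 || return 0
  openssl ciphers "$spec" | tr ':' '\n'
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the "TLS 1.2 w/BC" settings from the checklist.
cat > "$WORK/bc.conf" <<'EOF'
SSLEngine on
SSLProtocol TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!RC4:+HIGH:+MEDIUM
EOF
# Constructed sample 2: "TLS 1.2 Only".
sed 's/^SSLProtocol .*/SSLProtocol TLSv1.2/' "$WORK/bc.conf" > "$WORK/only.conf"
# Constructed sample 3: a pre-migration file that still lists SSLv3.
cat > "$WORK/legacy.conf" <<'EOF'
SSLEngine on
SSLProtocol SSLv3 TLSv1
SSLCipherSuite ALL:!aNULL
EOF

for f in bc only legacy; do
  echo "$f.conf: $(protocol_mode "$WORK/$f.conf")"
done
echo "suites selected by bc.conf (RC4 must be absent; 3DES may still appear):"
enabled_ciphers "$WORK/bc.conf"
```

The expansion is worth reading once: HIGH:MEDIUM keeps the 3DES suite (the [000a] RSA_DES_192_CBC3_SHA entry on the cipher-suite slide) alongside the AES ones. If your policy excludes 3DES, remove it explicitly (OpenSSL syntax: !3DES) and re-run the expansion to confirm.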
TLS Configuration Checklist
What to Do: To research errors with inbound connections (see Section 4.1 for the definition), check the following file:
What to Review: The following lines should be in the httpd_conf_1013.tmp file:
References
Documentation (Title – Doc ID)
FAQ: Oracle E-Business Suite Security – 2063486.1
Oracle E-Business Suite Security Guide, Release 12.2 – Secure Configuration Chapter – N/A
Secure Configuration for Oracle E-Business Suite Release 12 – 403537.1
Enabling TLS in Oracle E-Business Suite Release 12.2 – 1367293.1
Enabling SSL or TLS in Oracle E-Business Suite Release 12.2 – 2143101.1
Enabling TLS in Oracle E-Business Suite Release 12.1 – 376700.1
Enabling SSL or TLS in Oracle E-Business Suite Release 12 – 2143099.1
CVE-2014-3566 - Instructions to Mitigate the SSLv3 Vulnerability ("POODLE Attack") in Oracle E-Business Suite – 1937646.1
Where to Find More Information
Oracle E-Business Suite Release 12.2
• EBS Documentation and Training
– EBS 12.2 Information Center: MOS Note 1581299.1 (includes a link to the EBS Documentation Web Library)
Oracle E-Business Suite Learning Subscription
Stay Up-to-Date on Everything Oracle E-Business Suite
education.oracle.com/subscriptions/ebs
Oracle E-Business Suite and Oracle Cloud
• Channel dedicated to "EBS and Oracle Cloud" with focus on:
– EBS on Oracle Cloud (IaaS + PaaS)
– EBS coexistence with Cloud HCM/ERP/CX
– SaaS on PaaS Cloud Applications
• Available today:
– Running EBS on Oracle Cloud: Why, What and How?
– Deploying EBS on Oracle Cloud: Getting Started
– Deploying EBS on Oracle Cloud: Multi-Node Topologies
– Oracle E-Business Suite Coexistence with Oracle HCM Cloud
– ...and more related sessions
• Coming soon:
– Secure Configuration for Oracle E-Business Suite in Oracle Cloud
– ...and more
education.oracle.com/subscriptions/ebs
blogs.oracle.com/stevenchan (subscribe by email)
facebook.com/groups/EBS.SysAdmin (join us on Facebook)