Best Practices for Securing Oracle e-Business Suite - Metalink Note 189367.1

Ok we have reviewed our financials setup against the title metalink document. But we want to focus on security and configuration specific to the Accounts Payable module of Oracle Financials. Can you point me in the direction of any useful documents for this or give me some pointers??

Similar Messages

  • Best Practice for Securing Web Services in the BPEL Workflow

    What is the best practice for securing web services which are part of a larger service (a business process) and are defined through BPEL?
    They are all deployed on the same oracle application server.
    Defining agent for each?
    Gateway for all?
    BPEL security extension?
    The top level service that is defined as business process is secure itself through OWSM and username and passwords, but what is the best practice for security establishment for each low level services?
    Regards
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not, if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that it can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment lot easier by securing them using the Gateway.
    Typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of Security extensions
    Centralizing Security enforcement will make your development and security operations as loosely coupled and addresses scalability.
    Thanks
    Ram

  • Best practice for integrating oracle atg with external web service

    Hi All
    What is the best practice for integrating oracle atg with external web service? Is it using integration repository or calling the web service directly from the java class using a WS client?
    With Thanks & Regards
    Abhishek

    Using Integration Repository might cause performance overhead based on the operation you are doing, I have never used Integration Repository for 3rd Party integration therefore I am not able to make any comment on this.
    Calling directly as a Java Client is an easy approach and you can use ATG component framework to support that by making the endpoint, security credentials etc as configurable properties.
    Cheers
    R
    Edited by: Rajeev_R on Apr 29, 2013 3:49 AM

  • Best practice for install oracle 11g r2 on Windows Server 2008 r2

    Dear all,
    May I know what is the best practice for install oracle 11g r2 on windows server 2008 r2. Should I create a special account for windows for the oracle database installation? What permission should I grant to the folders where Oracle installed and the database related files located (datafiles, controlfiles, etc.)
    Just grant Full for Administrators and System and remove permissions for all others accounts?
    Also how should I configure windows firewall to allow client connect to the database.
    Thanks for your help.

    Hi Christian,
    Check this on MOS
    *RAC Assurance Support Team: RAC Starter Kit and Best Practices (Windows) [ID 811271.1]*
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=811271.1
    DOC Modified: 14-DEC-2010
    Regards,
    Levi Pereira

  • Best Practice for Security Point-Multipoint 802.11a Bridge Connection

    I am trying to get the best practice for securing a point to multi-point wireless bridge link. Link point A to B, C, & D; and B, C, & D back to A. What authentication is the best and configuration is best that is included in the Aironet 1410 IOS. Thanks for your assistance.
    Greg

    The following document on the types of authentication available on 1400 should help you
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/aero1400/br1410/brscg/p11auth.htm

  • Steps for integrating oracle E-business suite R12.1.3 with 11g OID.

    Hi All,
    Can anyone please let me know the Metalink document ID/Steps for integrating oracle E-business suite R12.1.3 with 11g OID.
    Thanks,
    Dinesh.

    Dineshkumar wrote:
    Hi All,
    Can anyone please let me know the Metalink document ID/Steps for integrating oracle E-business suite R12.1.3 with 11g OID.
    Thanks,
    Dinesh.

    Please refer to the following docs/links.
    Using Oracle Internet Directory 11gR1 Patchset 4 (11.1.1.5.0) and Single Sign-on with Oracle E-Business Suite [ID 1286596.1]
    Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5) using Oracle E-Business Suite AccessGate [ID 1309013.1]
    https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_11
    https://blogs.oracle.com/stevenChan/entry/why_does_ebs_integration_with
    Thanks,
    Hussein

  • Best practice for installation oracle 11g rac on windows 2008 server x64

    hello!
    can somebody tell me a good book or an other kind of literature regarding "best practice for installation oracle 11g rac on windows 2008 server x64"? thx in advance!
    best regards,
    christian

    Hi Christian,
    Check this on MOS
    *RAC Assurance Support Team: RAC Starter Kit and Best Practices (Windows) [ID 811271.1]*
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=811271.1
    DOC Modified: 14-DEC-2010
    Regards,
    Levi Pereira

  • Implementing Single Sign-On support for the Oracle E-Business suite

    Implement Single Sign-On support for the Oracle E-Business suite
    I want implement Single Sign-On support for the Oracle E-Business suite.
    Operating System : linux/Solaris
    Oracle E-Business suite : 11.5.10
    Oracle Application Server : 10gAS(latest available)
    Type of integration : SSO and OID with 11i
    No third party SSO or LDAP
    Questions
    1. If my SSO Server is down can I login to applications (11i) using normal mode (default login http://servername.xxxx.com:8000/).
    2. Is it possible to have applications (11i) in Linux/Solaris and 10gAS in windows.
    Please answer...
    NOTE:
    I am following Oracle METALINK Doc.Id 233436.1 and 261914.1.
    Thank you.
    MARK

    You couldn't log in to the server, but you can use the following login:
    http://servername.xxxx.com:8000/AppsLocalLogin.jsp
    For this you need to enable the Appslocallogin Profile option

  • Best Practices for user ORACLE

    Hello,
    I have few linux servers with user ORACLE.
    All the DBAs in the team are connecting and working on the servers as the ORACLE user and they don't have separate accounts.
    I created for each DBA its own account and would like them to use it.
    The problem is that I don't want to lock the ORACLE account since I need it for installation/upgrade etc., but yet I don't want
    the DBA Team to connect and work with the ORACLE user.
    What is the Best Practice for such a case?
    Thanks

    To install databases you don't need access to Oracle.
    Also installing 'few databases every month' is fundamentally wrong as your server will run out of resources, and Oracle can host multiple schemas in one database.
    "One reason for example is that we have many shell scripts that user ORACLE is the owner of them and only user ORACLE have a privilege to execute them."
    Database control in 10g and higher makes 'scripts' obsolete. Also as long as you don't provide w access to the dba group there is nothing wrong in providing x access.
    You now have a hybrid situation: they are allowed interactively to screw 'your' databases, yet they aren't allowed to run 'your' script.
    Your security 'model' is in urgent need of revision!
    Sybrand Bakker
    Senior Oracle DBA

  • Best practice for securing confidential legal documents in DMS?

    We have a requirement to store confidential legal documents in DMS and are looking at options to secure access to those documents.  We are curious to know.  What is the best practice?  And how are other companies doing it?
    TIA,
    Margie
    Perrigo Co.

    Hi,
    The standard practice for such scenarios is to use 'authorization' concept. You can give every user to use authorization to create, change or display these confidential documents. In this way, you can control access authorization. SAP DMS system monitors how you work, and prevents you from displaying or changing originals if you do not have the required authorization.
    The below link will provide you with an improved understanding of authorization concept and its application in DMS
    http://help.sap.com/erp2005_ehp_04/helpdata/en/c1/1c24ac43c711d1893e0000e8323c4f/frameset.htm
    Regards,
    Pradeepkumar Haragoldavar

  • Best Practice for thinning Oracle Forms

    We are considering upgrading from 10g (10.1.2.3) to (probably) 11g forms initially whilst long term migrating to ADF.
    Our system is 15 years old and has many issues that go along with a system this old i.e. database keys/indexes missing, forms with lots of code etc.
    We have very few resources so thought the best way to go about this would be to thin out all our Oracle forms in 10g prior to upgrade (as this is mainly just a recompile in 11g) but was looking at if there were any best practices as to what level this should be done.
    For example we heavily use PLLs. Should the majority of this code be moved into packages or are PLLs ok to use. I take it the majority of program units should be moved to db.
    How thin should we aim to make the form. i.e if we are using post queries for something as simple as select customername into :nondbitem from customer where customerid =:customerid. Should we be making this a function in the db and reusing the code in the necessary places?
    Just wondering what people would deem best practice before we start.
    Thanks

    Thanks for all your input.
    Although the current database design is not correct we are going to correct the existing database rather than rewriting it.
    So we're hoping to correct this also!
    But what I'm doing now to get rid of some of these post queries for nondbnames is I'm creating a view of all information I need to display on one pertaining record.
    Then I used this view like block basic procedure like relationship to the transactional block. So if you make queries or insert (need to run query the block view) it will give all the necessary record display"
    This sounds sensible but we have hundreds of tables with lots of columns. How are you managing the views/deciding how many tables/columns to include on the forms?

  • Best practices for administering Oracle Big Data Appliance

    -        Best practices as part of administration of Oracle Big Data Infrastructure
    -        How do we lock down max space usage per project
    Eg: Project team A can have a max limit of 10 TB space allocated
    -        Restricting roles, access ( Read, Write), place holder for common shared artifacts
    -        Template/procedure for code migration across dev,qa and prod environments etc

    Your data is bigger than I run, but what I have done in the past is to restrict their accounts to a separate datafile and limit its size to the max that I want for them to use: create objects restricted to accommodate the location.

  • Best practices for an oracle application upgrade

    Hello,
    We have an enterprise application deployed on Oracle Weblogic and connecting to an Oracle database (11g).
    The archive is versioned and we are using Weblogic's feature to upgrade to new versions and retire old versions.
    In a case of emergency when we need to rollback an upgrade, the job is really easy on Weblogic but not the same on Oracle DB.
    For most of our releases, the release package is an ear plus some database scripts.
    Releases are deployed with minimum downtime, so while we are releasing our clients are still writing to the DB.
    In case of a rollback is needed, we need to make sure the changes we made to the DB structure (Views, SP, Tables...) are reverted but data inserted by clients stayed intact.
    Correct me if I am wrong, but Flashback and RMAN TSPITR are not the good options here.
    What other people usually do in similar cases? What are best practices and deployment plans for our case?
    Guides and direction are welcomed.
    Thanks!

    Hi Magnus
    I guess you have to install again to ensure no problems. BP installation also involves ensuring correct SP levels (cannot be higher) for all software components.
    Best regards
    Ramki

  • Best Practice for stopping unsolicited e-mails that are not detected as SPAM or Marketing?

    I have roughly 40,000 mailboxes behind some IronPort appliances.   My question for all of you veteran SMTP admins is how do you handle situations where you have an individual sending multiple e-mails to one of your mailboxes?  It's not really a big enough of an issue to set up a content filter for the sending e-mail address, we don't have Blocklists rolled out to everyone yet, so that's not a good fit, although I really like the IronPort quarantine with its SafeList and Blocklist features.
    What I'm looking for is do you even take the time to try to work with the sender and get them to stop sending the e-mails?
    Do you bounce the e-mails back to the sender?
    Setup a client side (Outlook) rule to just automatically delete the e-mails?
    Just looking for some "best practice" or good advice on how to handle these minor issues.  The major ones are easy but it's these little ones that turn into administrative issues.
    Thanks all, look forward to your input...
    Jason Meyer

    If the sender is mailbombing you (sending a large number of mails just to flood your mailbox) then that's clear network abuse; you ignore him and complain to his system administrator or to his upstream provider. As that's likely to take some time if it works at all, you also want a block in place as soon as you've recorded enough evidence to document the abuse.
    There used to be a vulnerability in MS Small Business Server whereby some chump would send out a mail to over 500(?) recipients including at least two SBS boxes with the bug. Each box would then send a further copy of the mail, thereby creating a loop. Swift coding was necessary to protect one's own recipients from the deluge. (And that's a sales argument in favour of appliances versus outsourcing to the Cloud, by the way.) Strictly speaking, the abuse was the fault of the SBS systems administrators rather than the original chump, so careful header parsing can sometimes be necessary.
    A more likely scenario is that you have someone who just keeps on sending the odd spam, week after week. Let's take the worst case; that it's addressed just to you, the sender's domain is reasonably fragrant (or at least impractical to block) and there's no headers or body phrases that you can add to a filter to create a general solution. You have to block the specific sender.
    At the moment I'm doing this with a simple dictionary-driven rule. If I get a complaint from any of my mailbox owners and am satisfied that nothing else will work then I simply add the sender's address to the dictionary. The rule is already in place and only requires a dictionary update. One hallmark of this type of case is that I have no qualms about simply dropping the mail, rather than sending some sort of NDR.
    Sender-blacklist: if (mail-from-dictionary-match("blocked-senders", 1)) { drop(); }
    Now at the scale you are discussing, this solution may not work. Is there time to properly examine each case, or will your colleagues simply start slamming addresses into such a dictionary? How quickly will the list grow to the point where it starts to consume an unreasonable slice of your CPU time? Indeed, I'm not sure how far such a solution will scale even if processing capacity is not an issue.
    I need a review process to remove addresses from my dictionary, but then the same principle applies to any filter that uses specific static data. I try to keep records of every case where I include such data, and if I cannot find justification for a specific listing then I remove it at once.
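
The review process described in the reply above, sketched as an added example that is not part of the original post: it checks a blocked-senders dictionary against a case log and separates listings that have a recorded justification from those that should be removed. The CSV case-log layout, the one-year re-check window and all sample addresses are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample: case log kept beside the dictionary (layout is an assumption).
CASE_LOG = """address,added,complainant,reason
pest@example.net,2024-01-10,alice@corp.example,weekly unsolicited mail; opt-out ignored
old@example.org,2022-03-02,bob@corp.example,repeated sales mails
blank@example.com,2024-02-01,carol@corp.example,
"""

# Constructed sample: current dictionary contents, one sender address per line.
DICTIONARY = """pest@example.net
old@example.org
mystery@example.com
Pest@Example.NET
blank@example.com
"""


def load_cases(case_text):
    """Index case-log rows by lower-cased address (case folding is an assumption)."""
    reader = csv.DictReader(io.StringIO(case_text))
    return {row["address"].strip().lower(): row for row in reader}


def review(dictionary_text, case_text, today_iso, max_age_days=365):
    """Return (keep, recheck, remove) lists of (address, note) for the dictionary."""
    cases = load_cases(case_text)
    today = date.fromisoformat(today_iso)
    keep, recheck, remove = [], [], []
    seen = set()
    for line in dictionary_text.splitlines():
        addr = line.strip().lower()
        if not addr or addr in seen:
            continue  # skip blanks and duplicate listings
        seen.add(addr)
        case = cases.get(addr)
        if case is None or not (case.get("reason") or "").strip():
            # No justification on record: remove at once, as the reply describes.
            remove.append((addr, "no recorded justification"))
        elif today - date.fromisoformat(case["added"]) > timedelta(days=max_age_days):
            # Justified but old: flag for a human to re-check (window is an assumption).
            recheck.append((addr, "listed since " + case["added"]))
        else:
            keep.append((addr, case["reason"].strip()))
    return keep, recheck, remove


def render_dictionary(*groups):
    """Build the new dictionary text from the groups that stay listed."""
    return "\n".join(sorted(addr for group in groups for addr, _ in group)) + "\n"


if __name__ == "__main__":
    keep, recheck, remove = review(DICTIONARY, CASE_LOG, "2024-06-01")
    for addr, why in remove:
        print("REMOVE ", addr, "-", why)
    for addr, why in recheck:
        print("RECHECK", addr, "-", why)
    print(render_dictionary(keep, recheck), end="")
```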

  • Best Practice For Secure File Sharing?

    I'm a newbie to both OS X Server and File Sharing protocols, so please excuse my ignorance...
    My client would like to share folders in the most secure way possible; I was considering that what might be the best way would be for them to VPN into the server and then view the files through the VPN tunnel; my only issue with this is that I have no idea how to open up File Sharing to ONLY allow users who are connecting from the VPN (i.e. from inside of the internal network)... I don't see any options in Server Admin to restrict users in that way....
    I'm not afraid of the command line, FYI, I just don't know if this is:
    1. Possible!
    And 2. The best way to ensure secure AND encrypted file sharing via the server...
    Thanks for any suggestions!

    my only issue with this is that I have no idea how to open up File Sharing to ONLY allow users who are connecting from the VPN
    Simple - don't expose your server to the outside world.
    As long as you're running on a NAT network behind some firewall or router that's filtering traffic, no external traffic can get to your server unless you setup port forwarding - this is the method used to run, say, a public web server where you tell the router/firewall to allow incoming traffic on port 80 to get to your server.
    If you don't setup any port forwarding, no external traffic can get in.
    There are additional steps you can take - such as running the software firewall built into Mac OS X to tell it to only accept network connections from the local network, but that's not necessary in most cases.
    And 2. The best way to ensure secure AND encrypted file sharing via the server...
    VPN should take care of most of your concerns - at least as far as the file server is concerned. I'd be more worried about what happens to the files once they leave the network - for example have you ensured that the remote user's local system is sufficiently secured so that no one can get the documents off his machine once they're downloaded?
