Tuesday Jun 14, 2016

Frequently Asked Questions about EBS Security

We often receive questions about Oracle E-Business Suite security.  To help answer the most frequently asked ones, covering secure configuration, auditing, encryption, and other topics, the following new document is now available:

The questions in the FAQ are organized in the following sections:

  • Section 1: Secure Configuration and Architecture
  • Section 2: Auditing
  • Section 3: Access and Authentication
  • Section 4: Encryption and Masking
  • Section 5: Connection Encryption

Examples of questions answered in the new FAQ include:

  • What features are available for auditing Oracle E-Business Suite?
  • Do all DBAs require the APPS password?
  • Why should you migrate from SSL to TLS?
  • What versions of TLS are currently certified with Oracle E-Business Suite?
  • How do you configure HTTPS for Oracle E-Business Suite?
  • Can you use SHA-2 signed PKI certificates with Oracle E-Business Suite?

We plan to update this document on a regular basis.  As you read through the new document, please let us know if there are additional questions that we should consider adding.

Where can I learn more?

There are several guides and documents that cover Oracle E-Business Suite secure configuration and encryption for Release 12.1 and 12.2. You can learn more by reading the following:

Wednesday Aug 03, 2011

Why Does EBS Integration with Oracle Access Manager Require Oracle Internet Directory?

The E-Business Suite has its own security and user-management capabilities.  You can use the E-Business Suite's native features to authenticate users, authorize users (i.e. assign responsibilities to them), and manage your EBS user repository.  The majority of E-Business Suite system administrators simply use these built-in capabilities for enabling access to the E-Business Suite.

When EBS built-in capabilities aren't enough

Some organisations have third-party user authentication systems in place.  These include CA Netegrity SiteMinder, Windows Kerberos, and others.  These organisations frequently use third-party LDAP directory solutions such as Microsoft Active Directory, OpenLDAP, and others. 

We don't certify the E-Business Suite with those third-party products directly, and we don't have any plans to do so.  This article is intended to explain why Oracle Internet Directory (OID) is required when integrating with Oracle Access Manager (OAM), but you can safely infer that the same requirements prevent the use of third-party authentication products directly with the E-Business Suite.

It's possible to integrate the E-Business Suite with those third-party solutions via Oracle Access Manager and Oracle Internet Directory.  See these articles:

Before going on, I'd recommend reading one of those two third-party integration articles.  If you don't have those concepts under your belt, the rest of this article isn't going to make much sense.

Architecture diagram showing Oracle Access Manager Oracle Internet Directory E-Business Suite AccessGate WebGate

Why does EBS require OID with OAM?

Oracle Access Manager itself doesn't require Oracle Internet Directory.  However, Oracle Internet Directory is a mandatory requirement when Oracle Access Manager is integrated with the E-Business Suite.

Why?  The short answer is that the E-Business Suite has hardcoded dependencies on Oracle Internet Directory for this configuration. These dependencies mean that you cannot replace Oracle Internet Directory with any third-party LDAP directory for this particular configuration. 

There are two cases of hardcoded dependencies on Oracle Internet Directory:

1. Reliance on Oracle GUIDs

From the articles linked above, you know that user authentication is handled by Oracle Access Manager, and user authorization is handled by the E-Business Suite itself.  This means that there are two different user namespaces. 

These namespaces must be linked and coordinated somehow, to ensure that a particular user logging in via Oracle Access Manager is the same user represented within the E-Business Suite's own internal FND_USER repository.

We associate externally-managed Oracle Access Manager users with internally-managed E-Business Suite users via a Global Unique Identifier (GUID).  These Global Unique Identifiers are generated exclusively by Oracle Internet Directory. 

The E-Business Suite has hardcoded functions to handle the mapping of these Global Unique Identifiers between Oracle Access Manager and the E-Business Suite.  These mapping functions are specific to Oracle Internet Directory; it isn't possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.

2. Synchronous user account creation

The E-Business Suite is predominantly used internally within an organisation.  Certain E-Business Suite application modules can be made visible to users outside of an organisation.  These include iStore, iRecruitment, iSupplier, and other application modules where the users aren't necessarily restricted to an organisation's own employees.

Users of some of those application modules expect to be able to register for a new account and use it immediately.  This makes sense.  If you're posting job openings via iRecruitment, potential applicants shouldn't need to hold off on submitting their resumes while your E-Business Suite sysadmin creates an account manually, assigns EBS responsibilities, and emails them the account login details. They'll be long gone before that happens.

This means that EBS application modules that support self-registration must create user accounts synchronously.  A new account must be created within the E-Business Suite and the externalized directory at the same time, on demand.

The E-Business Suite has hardcoded dependencies upon Oracle Internet Directory function calls that handle these synchronous account creation tasks.  These function calls are specific to Oracle Internet Directory; it isn't possible to replace Oracle Internet Directory with a generic third-party LDAP directory and still preserve this functionality.

Sun is setting for Oracle Single Sign-On

The older articles linked above refer to Oracle Single Sign-On.  All conceptual references to Oracle Single Sign-On apply equally to Oracle Access Manager.  Oracle Access Manager offers the same capabilities as Oracle Single Sign-On when integrated with the E-Business Suite.

You may have noticed that I have specifically been referring to Oracle Access Manager rather than Oracle Single Sign-On in this article.  There's a very good reason for this.

The Fusion Middleware Lifetime Support Policy shows that Premier Support for Oracle Single Sign-On 10gR2 ends in December 2011.  If you're using Portal 11gR1, Forms & Reports 11gR1, or Discoverer 11gR1, Premier Support for Oracle Single Sign-On 10gR2 is extended to December 2012.

Extended Support is not available for Oracle Single Sign-On 10gR2.  This is true regardless of whether you're using those other Fusion Middleware 11gR1 products or not.  These support policy timelines for Oracle Single Sign-On are not affected by the E-Business Suite's own support timelines.  There are no special exceptions from these Fusion Middleware support timelines for E-Business Suite customers. 

Given that Oracle Single Sign-On is nearing its end-of-life, anyone considering a new external authentication solution for the E-Business Suite should use Oracle Access Manager at this point.  If you're currently using Oracle Single Sign-On, I would recommend evaluating your plans for migrating to Oracle Access Manager as soon as possible.

Saturday Jul 16, 2011

E-Business Suite Technology Frequently Asked Questions (FAQ)

Last updated: February 21, 2013

Given changes to our blogging platform this year, it's gotten much harder to browse and locate previously-published articles on certain topics.  As a workaround, here's a FAQ to act as an index to our most-commonly referenced articles.

1. EBS Technology Stack Basics

Q: I'm completely new to Oracle E-Business Suite.  Where do I start?

A: There's a lot to learn, but don't get intimidated.  This article is a good starting point to understand key terms.  The latest EBS 12.1 documentation is here.  This article has pointers to good resources for beginners, including formal training from Oracle University.

Three tier architecture for EBS 12.0 and 12.1

Q: How can I keep current on EBS technology stack news?

A: We announce over 120 new certifications a year.  Stay current by monitoring or subscribing to this blog.  We publish roadmaps for upcoming certifications a few times a year.  The latest is available here.

Q: Where can I find documentation for EBS technology stack components?

A:  Documentation for EBS 12.1 is here; documentation for older releases is here.  Technology stack components that must be updated regularly are cross-referenced in these Note roadmaps:

Q: What are the latest E-Business Suite releases?

A: There are two types of EBS releases:  Rapid Installs and Release Update Packs.  Rapid Installs can be used to create a brand-new E-Business Suite environment.  Release Update Packs can only be applied on top of an existing environment.  The releases are:

Q:  What technology stack versions were included in the latest EBS releases?

A:  Here's a summary of the bundled technology stack components in the three EBS 12 Rapid Install releases that you can (and should) upgrade yourself as new versions become available.

2. Support Policies

Q: I'm having a problem.  How can I get help?

A: Sadly, this blog isn't the best place to get technical support.  For technical support resources and tips on logging Service Requests with Oracle Support, see this article.

Q: Is my third-party product supported with Oracle E-Business Suite?

A: We test specific Oracle products with the Oracle E-Business Suite.  This is called certification. We don't certify the E-Business Suite with third-party products, but you can certainly use them.  We distinguish between certification and support.  For details, see this article.

Q: What do I need to know about support for EBS 11i?

A: Premier Support ended on Nov. 30, 2010.  Extended Support began on Dec. 1, 2010.  New EBS 11i patches will be created for a minimum baseline environment.

Q: What do I need to know about EBS 12 Support dates and patching baselines?

A:  They're governed by two interlocking policy documents.  If you're running EBS 12, you must ensure that you're on these minimum patching baselines.

EBS Premier and Extended Support timelines

Q: How do Server Technologies (Database) support policies affect EBS environments?

A: Database support dates for Premier, Extended, and Sustaining support apply to E-Business Suite, too.  EBS users do not get any special exemptions from Oracle Database support dates.

Q: How do Fusion Middleware support policies affect EBS environments?

A:  Support policies for Fusion Middleware components used by EBS are a bit more complicated.  See this article for details.

3. Upgrades and Migrations

Q: I want to upgrade from EBS 11i to 12.  Where do I start?

Q: I need to migrate my server to a different platform.  Where do I start?

A: Verify that your target platforms are certified.  Plan your migration carefully.  Evaluate available tools for the job, including the Transportable Database process or Transportable Tablespaces.

Q: I plan to upgrade EBS and migrate my server platforms.  Which do I do first, and what tools can I use?

A: In general, migrating your database server to faster hardware will make your EBS upgrades faster.  There are more considerations for different endian platforms.  For more details, see this whitepaper on best practices.

4. EBS System Maintenance

Q: My E-Business Suite environment has slowed down.  What can I do?

A: Start here.  Power users will love the additional tweaks and tips referenced in this article.

Q: How can I reduce my maintenance downtimes?

A: There are seven ways to reduce your patching downtimes.  EBS 12 users can also optimize AutoConfig execution and run AutoConfig in parallel.

Q: What resources are available to help me test my environment?

A: Testing is vital; your EBS environment is unique.  You can use testing tools like the Oracle Application Testing Suite.  We provide Test Starter Kits for older tools such as WinRunner and QuickTest Professional, too.

Q: What's the best strategy for maintaining my environment?

A: Apply EBS and technology stack updates to your environment in this order of priority.

5. General Certifications

Q: Is <version X> of <component Y> certified with the E-Business Suite?

A: Check this one-page summary.  If what you're looking for isn't listed, check the official certification database on My Oracle Support.

Q: When will the next version of <something> be released or certified with EBS?

A:  Oracle's Revenue Recognition rules prohibit us from discussing certification and release dates.  And, besides, it's just unwise for us to speculate about dates.  This is why.

Q: Is my third-party product supported with Oracle E-Business Suite?

A: We test specific Oracle products with the Oracle E-Business Suite.  This is called certification. We don't certify the E-Business Suite with third-party products, but you can certainly use them


