Appsdba: October 2007

Oracle Applications, Middleware, Database, DB RAC & HA

This is a place where anyone can pick up more knowledge about Oracle Applications, middleware and related topics.

    10 ways to protect the APPS password
    Monday, October 22, 2007
    E-Business Suite security is a huge topic with many facets. This article covers one small but essential part of the security model: protecting the password of the APPS database user.

    The APPS schema owns the E-Business Suite application code and holds grants on every product schema, so whoever has its password effectively controls the whole system. I have gathered together some thoughts on steps you can take, and things to consider, to help protect the APPS password from being compromised:


    1. Stay current with the latest Security Best Practices

    Regularly review the latest version of Best Practices for Securing Oracle E-Business Suite (Note 189367.1). This note is updated regularly and gives security advice covering many different aspects of Applications 11i. For Release 12, see Best Practices for Securing Oracle E-Business Suite Release 12 (Note 403537.1).


    2. Regularly change the APPS password

    This is an essential activity from a security perspective and needs to be part of your routine operating procedures. The same applies to the other schema passwords and to the SYSADMIN application user. Remember that changing the password in the database is only half the job: any configuration file, script or integration (such as the OID provisioning profile in point 8) that holds the old password must be updated as well, or the old value lives on. As an aside, don't use predictable passwords, or a scheme for generating them such as "0ct0ber" for the password in October, as this makes them easy to guess.


    3. Always change passwords as part of a clone process from PROD

    It is recommended to change ALL schema passwords and ALL E-Business Suite user passwords in a cloned instance. You can use Removing Credentials from a Cloned EBS Production Database (Note 419475.1) to achieve this. Similarly, the passwords used for PROD should bear no relation to those used on any other instance. Data masking and obfuscation is a large topic in its own right, but it is also something you may need to consider for the cloned instance to protect sensitive data generally. With Release 12, the Enterprise Manager plug-in for E-Business Suite provides some data scrambling facilities.


    4. Perform data masking on any files sent to outside parties from the PROD system

    When you need to send log files or configuration files, scan them for sensitive data before packing them up. This article is concerned with the APPS password, but the same applies equally to other data. A crude but effective mechanism is to run "ed" or "sed" over every file to replace all occurrences of the APPS password before creating the tar archive to e-mail or upload. Note that a literal search only catches clear-text copies; a password that a script has base64-encoded or otherwise trivially encoded (see point 7) will slip through, so search for those forms too. You may be uploading files to Oracle Support, or just e-mailing them within your organisation: whenever the files go to someone who cannot already access them directly, check them before sending.
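    The "sed over every file" step above, written out as a small reusable function. This is an added example and not code from the original post; it assumes a POSIX shell with grep and sed, that the calling script (which must not itself be world-readable) passes the secret as the first argument, and that the file names are your own log and configuration files. The point the one-liner in the text glosses over is that a password can contain characters that sed treats as regular-expression metacharacters, so the secret has to be escaped before it is used as a pattern; the function also verifies afterwards that nothing it is about to ship still contains the secret.

```shell
#!/bin/sh
# Added example, not part of the original post: redact a known secret (here
# the APPS password) from log and configuration files before they are tarred
# up and sent to Oracle Support or anyone else.
# Assumptions: POSIX sh with grep and sed; the secret is passed as the first
# argument by the calling script, which must itself not be world-readable.

# Escape every character that is special in a sed basic regular expression
# or that is the s/// delimiter, so the secret is matched literally.
sed_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's|[][/.*^$]|\\&|g'
}

# scrub_files SECRET FILE...
# Replaces every occurrence of SECRET in each file with <REDACTED>, in place,
# and prints the name of each file it changed. Returns non-zero if the
# secret is still found afterwards, so a caller can abort before packing.
scrub_files() {
    secret=$1
    shift
    if [ -z "$secret" ]; then
        echo "scrub_files: empty secret" >&2
        return 2
    fi
    pat=$(sed_escape "$secret")
    for f in "$@"; do
        if grep -q -F -- "$secret" "$f"; then
            tmp=$(mktemp) || return 1
            # Write to a temp file and copy back, so the original file's
            # ownership and mode are preserved.
            sed -e "s/$pat/<REDACTED>/g" "$f" > "$tmp" && cat "$tmp" > "$f"
            rm -f "$tmp"
            echo "$f"
        fi
    done
    # Final check: no file we are about to ship still contains the secret.
    ! grep -l -F -- "$secret" "$@" >/dev/null 2>&1
}

# Typical use before packaging logs for a service request (APPS_PWD is an
# assumed variable holding the password, set by a mode-600 profile script):
#   scrub_files "$APPS_PWD" /path/to/logs/*.log && tar cf sr_logs.tar /path/to/logs/*.log
```

    Because the replacement is literal, a password that happens to be an ordinary word will also be masked wherever that word appears in the logs; that is the safe direction to err in.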

    5. Create separate schemas with the minimal access required for direct database access

    If anyone requires direct access to the E-Business Suite database, create a new, unique schema with the specific permissions required for that person's job role. Except for a very few Apps DBAs, nobody needs the APPS password. Pressure of work can make it easier to just hand out APPS access, but this should be resisted and the time taken to provide only the minimum access absolutely required. Every person should also have their own unique login (but that is digressing into a separate area that I'll address in a later article). When deciding which permissions to allocate, don't be tempted to grant read-only access to everything: being able to read sensitive information, such as payroll or bank account data, may be just as damaging as being able to change it.

    6. Protect Apps 11i middle-tier file system files

    These days there is little need to give anyone UNIX-level access to the servers, but it is still important to protect the "applmgr" operating system user's password. Also check whether any of your own startup or monitoring scripts have the APPS password hard-coded in them: protect such scripts with chmod 700 permissions, or remove them if no longer needed. Bear in mind that mode 700 still leaves the password readable by root and by anyone who obtains the applmgr password, so taking the password out of the script altogether (see point 7) is the better fix.

    7. Ensure no processes are running with the APPS username/password on the command line

    The standard Applications processes do not expose the APPS password in "ps" output, but manual scripts or other ad hoc processes may run intermittently with the password in clear text (for example "sqlplus apps/<password>@PROD") or trivially encoded; a command line like that is visible to every operating system user on the box, not just applmgr. Change such scripts so the password is not passed as an argument (for instance, start "sqlplus /nolog" and issue CONNECT from a mode-600 script or from standard input). In addition, restrict operating system access to only those who really need it.
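    Two small audits that turn points 6 and 7 into something you can run on a schedule, as an added example and not code from the original post. It assumes a POSIX shell with grep -r/-E, find and sed -E (present on Linux and current UNIX releases), and that the credential you are hunting for takes the "apps/<password>" connect-string form that sqlplus and similar tools accept. The first function lists files under a directory that embed such a string and whether group or world can read them; the second filters a process listing down to the offending command lines and masks the password so the audit report does not itself become a leak.

```shell
#!/bin/sh
# Added example, not from the original post: two small audits for points
# 6 and 7. Assumptions: POSIX sh, grep -r/-E, find and sed -E; the
# credential pattern looked for is the "apps/<password>" connect string
# that sqlplus and similar tools accept.

# Regex for a user/password connect string for APPS that is not merely a
# path component such as /u01/apps/bin (the character before "apps/" must
# not be a slash, letter, digit or underscore).
CRED_RE='(^|[^/[:alnum:]_])[Aa][Pp][Pp][Ss]/[^[:space:]/@]+'

# find_hardcoded_creds DIR
# Lists every file under DIR whose contents carry the connect string, and
# whether its mode lets group or world read it (point 6: chmod 700 or
# remove). Output lines: "<file> owner-only" or "<file> group/world-readable".
find_hardcoded_creds() {
    grep -r -l -E "$CRED_RE" "$1" 2>/dev/null | while IFS= read -r f; do
        # find prints the name only if the group-read or other-read bit is set
        if [ -n "$(find "$f" -perm -004 -o -perm -040 2>/dev/null)" ]; then
            printf '%s group/world-readable\n' "$f"
        else
            printf '%s owner-only\n' "$f"
        fi
    done
}

# creds_in_cmdline
# Reads process-listing lines on stdin (e.g. from "ps -eo user,pid,args")
# and prints only those whose command line carries the connect string, with
# the password masked so the audit output does not leak it (point 7).
creds_in_cmdline() {
    grep -E "$CRED_RE" |
        sed -E 's#(^|[^/[:alnum:]_])([Aa][Pp][Pp][Ss]/)[^[:space:]/@]+#\1\2********#g'
}

# Usage on a live box (directory is an assumed example path; not run here):
#   find_hardcoded_creds /u01/applmgr/scripts
#   ps -eo user,pid,args | creds_in_cmdline
```

    The pattern is deliberately narrow: it catches the sqlplus-style connect string, not a password that a script has base64-encoded or split across variables, so treat a clean report as a starting point rather than a clean bill of health.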

    8. Protect OID access

    If you have integrated the E-Business Suite with Oracle Application Server 10g Single Sign-On and Oracle Internet Directory, the APPS password is stored in OID, as it is required for provisioning to function. The OID administrator, and anyone with ldapsearch rights to the provisioning profiles, will be able to extract the APPS password from OID. This in turn means that the "AppsDN" OID password must be protected in the same way as the APPS password itself. For help with security-hardening OID, refer to the Oracle Internet Directory Administrator's Guide 10g (10.1.4.0.1), Part III, Directory Security.

    9. Encrypt SQL*Net traffic from the middle tier to the RDBMS

    In a previous article, Steven highlighted that ANO (the Advanced Networking Option, now part of Oracle Advanced Security) is certified with the E-Business Suite. Use its network encryption to protect the APPS password from anyone sniffing SQL*Net packets on the wire. The Oracle Net logon handshake itself does not send the password in the clear, but without encryption everything after logon travels in plaintext: SQL text, result sets and, in particular, any ALTER USER ... IDENTIFIED BY or other password-change statement, so a sniffer on the middle-tier-to-database segment can still recover credentials.

    10. Allow only specific IP addresses to access the RDBMS via SQL*Net

    Slightly off topic, but if someone has acquired the APPS password they still need a client that can connect with it. Restricting the IP addresses that can reach the Apps database (the application and concurrent-processing tiers, the DBAs' administration hosts) shrinks that exposure. If you are still using "fat" clients (Discoverer or ADI, for example), you will have to weigh the risk against the administrative overhead of maintaining the list. Oracle recommends upgrading to the server-based equivalents of these tools, or to shared-desktop technologies such as Citrix, so that desktop clients no longer need direct database access. This topic is discussed further in E-Business Suite Recommended Set Up for Client/Server Products (Note 277535.1). Note that an address list is a filter at the listener, not authentication: it will not stop an attacker who already has a foothold on a permitted host.
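    The sqlnet.ora settings that implement points 9 and 10 on the database tier, shown as an added example rather than configuration from the original post, with the weak default beside each hardened value. The host addresses are placeholders for your own application-tier and administration hosts. On an E-Business Suite database tier the sqlnet.ora file is generated by AutoConfig, so put these lines in sqlnet_ifile.ora (which the generated file includes) rather than editing sqlnet.ora directly, or the next AutoConfig run will overwrite them; the listener must be restarted for the node-checking parameters to take effect.

```ini
# sqlnet.ora / sqlnet_ifile.ora on the database tier.
# Added example, not from the original post; addresses are placeholders.

# ---- Point 9: Oracle Advanced Security network encryption and integrity ----
# Weak: the out-of-the-box value. ACCEPTED means "encrypt only if the other
# side asks", so an unconfigured client silently gets a plaintext session.
#   SQLNET.ENCRYPTION_SERVER = ACCEPTED
#   SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED
# Hardened: refuse any client that cannot encrypt and checksum the session.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# Put the matching client-side pair in sqlnet.ora on every middle tier, so a
# database that has lost its encryption settings fails loudly instead of
# quietly falling back to plaintext:
#   SQLNET.ENCRYPTION_CLIENT = REQUIRED
#   SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED

# ---- Point 10: only listed hosts may connect through the listener ----
# Weak: no node checking (the default); any host that can reach the port
# may attempt a logon with a stolen password.
#   TCP.VALIDNODE_CHECKING = NO
# Hardened: list every application tier, concurrent-processing node and
# DBA administration host, plus the database host itself if local tools
# connect over TCP rather than BEQ; anything else is rejected before
# authentication.
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.1.10, 10.0.1.11, 10.0.1.20)
```

    After the change, confirm from a middle tier that a session is actually protected: without encryption the SQL text of a test query is readable in a packet capture of port 1521; with it, only the Oracle Net headers remain legible. Forgetting the database host in TCP.INVITED_NODES is the classic way to lock yourself out of your own TCP-based tools while BEQ connections keep working.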

    Conclusions

    Defence in depth is generally considered the best approach, so hopefully these recommendations give you some food for thought when you review how well your own system is protected.

    Sound password policies are critical to enforcing access policies and individual accountability. Guard your passwords jealously, particularly the APPS user's.
    posted by Jaswinder Singh @ 12:21 AM
    OCP Track - Applications Database Administrator
    Thursday, October 4, 2007
    Good news for all our Application DBA friends: there is now a certification track introduced just for you.
    During the beta exam testing phase, one of the certification tracks launched was the 11i Applications Technology Certified Professional Administrator track. This certification has now been renamed Oracle 11i Applications Database Administrator Certified Professional.

    The Oracle 11i Applications Database Administrator Certified Professional track consists of the following exams:
    1Z0-235 Applications DBA Fundamentals I
    1Z0-236 Applications DBA Fundamentals II
    1Z0-233 Oracle 11i Install Patch and Maintain Applications

    The exams 1Z0-235 Applications DBA Fundamentals I and 1Z0-236 Applications DBA Fundamentals II are based on the hands-on courses Oracle9i Database Administration Fundamentals I, Oracle9i Database Administration Fundamentals II and Oracle9i Database Performance Tuning. Thus, anyone who is already an Oracle 9i DBA OCP or Oracle 10g DBA OCP only needs to take 1Z0-233 Oracle 11i Install Patch and Maintain Applications to be certified on this new track.

    Separately, passing 1Z0-232 Oracle 11i System Administration leads to the Oracle Certified Expert credential.
    posted by Jaswinder Singh @ 12:10 AM
    Release 12 File System
    Wednesday, October 3, 2007
    Release 12 File System Layout (paths are relative to the installation base directory)
    • Database node
      /db/tech_st/10.2.0
      /db/apps_st/data
    • Applications node
      /apps/tech_st/10.1.2
      /apps/tech_st/10.1.3
      /apps/apps_st/appl
      /apps/apps_st/comn
    • Instance home
      /inst/apps/
    --------------------------------------
    R12 File System

    1) iAS 10.1.3 ORACLE_HOME
    - RSF (Required Support Files) 10.1
    - Apache 1.3
    - OC4J
    2) Developer 10.1.2 ORACLE_HOME
    - RSF 10.1
    - Reports 10
    - Forms 10
    3) Database ORACLE_HOME
    - RDBMS components
    - RSF 10.2
    4) APPL_TOP
    5) COMMON_TOP
    6) INSTANCE_TOP (INST_TOP)

    Major Components:
    • Java Home: 10.1-based iAS 10.1.3 (new)
    • C Home: 10.1-based Developer 10 standalone install of AS 10.1.2 phase 2 (new)
    • Database Home: 10.2
    • APPL_TOP: Applications code staging area
    • COMMON_TOP: runtime location for Java and HTML
    • INST_TOP: configuration and runtime-generated files (new)
    posted by Jaswinder Singh @ 5:50 AM
    R12 technology stack?

    • Highlights of the new R12 techstack components
    • New Application Server 10g (10.1.2 and 10.1.3) ORACLE_HOMEs replacing the 9iAS 1.0.2.2.2 ORACLE_HOMEs from 11i
    • Switch from JServ to Oracle Containers for J2EE (OC4J) for running servlets, JavaServer Pages (JSP) and Enterprise JavaBeans (EJB)
    • OC4J deployment details, including the replacements for the jserv.conf and jserv.properties configuration files
    • New R12 file system layout, including the introduction of an Instance Home (INST_TOP)
    • New use of Oracle Process Manager and Notification Server (OPMN)
    • New Forms 10g deployment
    • Comparison of 11i and R12 environment variables
    • Discussion of the relative benefits of Forms servlet vs. server (socket) mode deployments
    • mod_plsql disabled in R12 (more about this in a later article)
    • Things you can do today to prepare for R12
    posted by Jaswinder Singh @ 5:45 AM
    About Me

    Name: Jaswinder Singh
    Home: Bangalore, Karnataka, India
    Certifications: RAC Certified Expert, OCP 9i, 10g & 11i
    About Me: I am working as an Apps DBA and have hands-on experience with DB RAC, HA on OAS 10g and Oracle Applications.
    © 2006 Appsdba.