Monday, November 12, 2007

Oracle Application security

Just tips,

what ever i learnt putted into a repository and pasting it here.

1. When you are applying any patches use $adpatch flags=hidepw { avilable from 11.5.10 and above }

2. Apache usually use the directory indexing to search the html/jsp pages, so recommand method from Oracle is to comment the following lines from httpd.conf and httpd_pls.conf
# IndexOptions FancyIndexing

3. Set SEND_ACCESS_KEY=Y, the worklow notification email bypasses the e-buss suite sing-on process, email notificatoins contain an acess key. The key allows the user to access the Notification Details web page directly without authenticating.

Also we can do same for forms and reports
FORMS60_RESTRICT_ENTER_QUERY=TRUE
REPORTS60_CGINODIAG=YES

4. Active server security:
This i was not aware till yesterday, if i we want to make my Application authendication to forms ON/OFF/SECURE i.e using my DBC file ,

we can use the following command:
jre oracle.apps.fnd.security.AdminAppsServer apps/ AUTHENTICATION OFF/ON/SECURE DBA=

Note id: 145646.1 contrains more deatils about APPL_SERVER_ID authendication of dbc

5. Using following tables we can get the end-user access details:

APPLSYS.FND_LOGINS
APPLSYS.FND_LOGIN_RESPONSIBILITY
APPLSYS.FND_LOGIN_RESP_FORMS
APPLSYS.FND_UNSUCCESSFUL_LOGINS
FND_CONCURRENT_REQUESTS
ICX.ICX_FAILURES

6. Clients requires to restrict duplicate user sessions usually, so in previous project we setted ICX_SESSIONS of DISABLED_FALG=Y to restrict the duplicate session of E-buss suite user. { This can obtain by patch 21228669 }

Still lot more to come, check daily

No comments: