ORACLE E-BUSINESS SUITE 11i/R12 SECURITY QUICK REFERENCE
VERSION 5.2 – APRIL 2018

1. DEFAULT ORACLE EBS USERS

Default passwords for all standard, seeded Oracle EBS application user accounts should be changed, and all unused accounts should be disabled by end-dating.

DEFAULT ORACLE E-BUSINESS SUITE USERS

USER NAME | MODULE | END-DATE (1)
AME_INVALID_APPROVER | AME | yes
APPSMGR | AOL/FND | yes
ASADMIN (R12) | AOL/FND | yes
ASGADM | ASG | see module
ASGUEST | AS | see module
AUTOINSTALL | AOL/FND | yes
CONCURRENT MANAGER | AOL/FND | yes
FEEDER SYSTEM | AOL/FND | yes
GUEST (2) | AOL/FND | no
IBE_ADMIN | IBE, ONT | see module
IBE_GUEST | IBE | see module
IBEGUEST | IBE, IBU | see module
IEXADMIN | IEX | yes
INDUSTRY DATA (R12) | AOL/FND | yes
INITIAL SETUP | AOL/FND | yes
IRC_EMP_GUEST | IRC | see module
IRC_EXT_GUEST | IRC | see module
MOBADM | ASG | yes
MOBDEV | ASG | yes
MOBILEADM | ASG | see module
OP_CUST_CARE_ADMIN | XDP | see module
OP_SYSADMIN | XDP | see module
ORACLE12.0.0 – ORACLE12.9.0 | AOL/FND | no (3)
PORTAL30 | AOL/FND | yes
PORTAL30_SSO | AOL/FND | yes
STANDALONE BATCH PROCESS | AOL/FND | yes
SYSADMIN | AOL/FND | no
WIZARD | AOL/FND | yes
XML_USER | AOL/FND | yes

(1) If the module is not being used, the account should be end-dated. Otherwise, see the module documentation for more information.
(2) Change the GUEST password using the AutoConfig variable “s_guest_pass” and run AutoConfig. See MOS Note ID 443353.1.
(3) Should not be end-dated, but check that the FND_USER table column ENCRYPTED_USER_PASSWORD = “INTERNAL USER-NOLOGIN”.

2. DEFAULT ORACLE DATABASE ACCOUNTS

All database passwords should be changed, including both the default Oracle Database accounts and all Oracle EBS schema database accounts. Use FNDCPASS (11.5/12.0) or AFPASSWD (12.1/12.2) to change the passwords in both the application and the database. Other standard Oracle, third-party, and custom database accounts may exist, and their default passwords should be changed.

ACCOUNT NAME | CHANGE PASSWORD METHOD
SYS, SYSTEM | manual
CTXSYS, DBSNMP, OUTLN, … | manual
APPS, APPLSYS (1, 2) | FNDCPASS SYSTEM or AFPASSWD –s
APPLSYSPUB | See note 4 (see MOS Note ID 362663.1)
EDWREP, ODM | manual
AD_MONITOR, EM_MONITOR | manual
OWAPUB | manual
PORTAL30, PORTAL30_* | manual
SSOSDK | manual
ALL ORACLE SCHEMAS (ABM … ZX) (3) | FNDCPASS ALLORACLE or AFPASSWD –a

(1) APPS and APPLSYS passwords must be identical.
(2) After changing the APPS password, AutoConfig must be run.
(3) Change all schema passwords (over 250 schemas) – use “FNDCPASS ALLORACLE” or “AFPASSWD –a” to change all.
(4) Changing the APPLSYSPUB password is recommended for R12. Refer to MOS Note ID 11i/189367.1 or R12/403537.1 for instructions. The APPLSYSPUB password must always be uppercase, even if the database has case-sensitive passwords enabled.

3. FND CHANGE PASSWORD UTILITY

See MOS Note ID 307149.1.

Change APPS/APPLSYS Passwords
    FNDCPASS apps/apps 0 Y system/manager \
      SYSTEM APPLSYS <new password>
Note: AutoConfig must be run and the application tier restarted.

Change Oracle EBS Schema Password (e.g., GL, FA, AR, etc.)
    FNDCPASS apps/apps 0 Y system/manager \
      ORACLE <schemaname> <new password>

Change All Oracle EBS Schema Passwords (e.g., GL, AR)
    FNDCPASS apps/apps 0 Y system/manager \
      ALLORACLE <new password>

Lock All Oracle EBS Schema Accounts (12.1 – 12.2)
    AFPASSWD apps/apps@<twotask> -L TRUE

4. SYSTEM PROFILE OPTIONS – SECURITY RELATED

PROFILE OPTION | DEFAULT | SUGGEST
AUDITING
Sign-On:Audit Level | (null) | Form
Sign-On:Notification | No | Yes
AuditTrail:Activate | No | Yes
PASSWORDS
Signon Password Failure Limit | (null) | 6
Signon Password Hard To Guess (1 letter, 1 number, no repeating characters, not username) | No | Yes
Signon Password Length | 5 | 8
Signon Password No Reuse | (null) | 720
Signon Password Case | insensitive | sensitive
Signon Password Custom | (null) | Java Class
DIAGNOSTICS
Utilities:Diagnostics | No | No
FND: Diagnostics | Yes | No
Hide Diagnostics menu entry | No | Yes
OTHER SECURITY
Concurrent:Report Access Level (1) | User | User
FND Validation Level | Error | Error
FND Function Validation Level | Error | Error
Framework Validation Level | Error | Error
Restrict text input | Yes | Yes
FND: Developer Mode | (null) | No

(1) Not used in R12. See MOS Note IDs 736547.1, 804296.1, 976613.1, and 736547.1 for more information.

5. AUTOCONFIG VARIABLES – SECURITY RELATED

AUTOCONFIG VARIABLE NAME | DEFAULT | SUGGEST
TIMEOUT
Applications Session Timeout (s_sesstimeout) | 1800000 (30 min) | 1800000 (30 min)
OC4J Session Timeout (s_oc4j_sesstimeout) | 30 min | 30 min
SECURITY
Application Server Security Authentication (s_appserverid_authentication) | OFF | SECURE
Applications 'GUEST' User (s_guest_pass) | ORACLE | strong password
Applications 'GWYUID' Password (APPLSYSPUB) (s_gwyuid_pass) | PUB | strong password
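The following script turns the section 1 user table and its three footnotes into an automated check. It is an added example, not Integrigy's code and not part of the quick reference: the SEEDED_USERS mapping is transcribed from the table above, the FND_USER rows in demo_rows() are constructed sample data with placeholder hashes, and `unused_modules` is an assumed input the reviewer supplies from their own module inventory.

```python
"""Audit FND_USER rows against the end-dating guidance in section 1.

Added example, not Integrigy's code.  The rows in demo_rows() are
constructed sample data; hash values are placeholders."""
from datetime import date

# (module, policy) per seeded user, transcribed from the section 1 table.
# policy: "yes" = always end-date, "no" = never end-date,
# "module" = end-date only when the owning module is not in use (footnote 1).
SEEDED_USERS = {
    "AME_INVALID_APPROVER": ("AME", "yes"),      "APPSMGR": ("AOL/FND", "yes"),
    "ASADMIN": ("AOL/FND", "yes"),               "ASGADM": ("ASG", "module"),
    "ASGUEST": ("AS", "module"),                 "AUTOINSTALL": ("AOL/FND", "yes"),
    "CONCURRENT MANAGER": ("AOL/FND", "yes"),    "FEEDER SYSTEM": ("AOL/FND", "yes"),
    "GUEST": ("AOL/FND", "no"),                  "IBE_ADMIN": ("IBE", "module"),
    "IBE_GUEST": ("IBE", "module"),              "IBEGUEST": ("IBE", "module"),
    "IEXADMIN": ("IEX", "yes"),                  "INDUSTRY DATA": ("AOL/FND", "yes"),
    "INITIAL SETUP": ("AOL/FND", "yes"),         "IRC_EMP_GUEST": ("IRC", "module"),
    "IRC_EXT_GUEST": ("IRC", "module"),          "MOBADM": ("ASG", "yes"),
    "MOBDEV": ("ASG", "yes"),                    "MOBILEADM": ("ASG", "module"),
    "OP_CUST_CARE_ADMIN": ("XDP", "module"),     "OP_SYSADMIN": ("XDP", "module"),
    "PORTAL30": ("AOL/FND", "yes"),              "PORTAL30_SSO": ("AOL/FND", "yes"),
    "STANDALONE BATCH PROCESS": ("AOL/FND", "yes"), "SYSADMIN": ("AOL/FND", "no"),
    "WIZARD": ("AOL/FND", "yes"),                "XML_USER": ("AOL/FND", "yes"),
}
NOLOGIN = "INTERNAL USER-NOLOGIN"   # footnote 3: required value for ORACLE12.x.x
DEMO_TODAY = date(2018, 4, 1)       # constructed "current date" for the demo


def is_active(end_date, today):
    """An account is active when END_DATE is null or still in the future."""
    return end_date is None or end_date > today


def audit_fnd_users(rows, today, unused_modules=frozenset()):
    """rows: (USER_NAME, END_DATE or None, ENCRYPTED_USER_PASSWORD) tuples as
    read from applsys.fnd_user.  Returns sorted (user, finding) pairs."""
    findings = []
    for user, end_date, encrypted_pwd in rows:
        user = user.upper()
        if user.startswith("ORACLE12."):
            # Footnote 3: keep the account open, but it must be non-login.
            if encrypted_pwd != NOLOGIN:
                findings.append((user, "ENCRYPTED_USER_PASSWORD is not " + NOLOGIN))
            continue
        if user not in SEEDED_USERS or not is_active(end_date, today):
            continue  # custom user (out of scope here) or already end-dated
        module, policy = SEEDED_USERS[user]
        if policy == "yes":
            findings.append((user, "seeded account should be end-dated"))
        elif policy == "module" and module in unused_modules:
            findings.append((user, f"module {module} not in use; end-date the account"))
    return sorted(findings)


def demo_rows():
    """Constructed FND_USER sample; <hash> is a placeholder, not a real value."""
    return [
        ("SYSADMIN", None, "<hash>"),
        ("GUEST", None, "<hash>"),
        ("APPSMGR", None, "<hash>"),              # still open: should be end-dated
        ("WIZARD", date(2016, 1, 1), "<hash>"),   # already end-dated: compliant
        ("ORACLE12.0.0", None, NOLOGIN),          # compliant per footnote 3
        ("ORACLE12.1.0", None, "<hash>"),         # not NOLOGIN: finding
        ("IBE_ADMIN", None, "<hash>"),            # IBE unused in the demo: finding
        ("ASGADM", None, "<hash>"),               # ASG in use: no finding
        ("JSMITH", None, "<hash>"),               # custom user: ignored
    ]


def demo_findings():
    """Run the audit over the constructed rows, treating module IBE as unused."""
    return audit_fnd_users(demo_rows(), DEMO_TODAY, {"IBE"})


if __name__ == "__main__":
    for user, finding in demo_findings():
        print(f"{user:<14} {finding}")
```

On a live system the rows would come from a query over applsys.fnd_user (USER_NAME, END_DATE, ENCRYPTED_USER_PASSWORD); the script deliberately ignores accounts that are not in the seeded list, so custom users need a separate review.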
6. APPLSYSPUB PERMISSIONS

The APPLSYSPUB account should have only these grants, which are set in <FND_TOP>/admin/sql/afpub.sql –

INSERT ON FND_UNSUCCESSFUL_LOGINS
INSERT ON FND_SESSIONS
EXECUTE ON FND_DISCONNECTED
EXECUTE ON FND_MESSAGE
EXECUTE ON FND_PUB_MESSAGE
EXECUTE ON FND_SECURITY_PKG
EXECUTE ON FND_WEBFILEPUB
SELECT ON FND_APPLICATION
SELECT ON FND_APPLICATION_TL
SELECT ON FND_APPLICATION_VL
SELECT ON FND_LANGUAGES_TL
SELECT ON FND_LANGUAGES_VL
SELECT ON FND_LOOKUPS
SELECT ON FND_PRODUCT_GROUPS
SELECT ON FND_PRODUCT_INSTALLATIONS
SELECT ON FND_NEW_MESSAGES

To check permissions –
    SELECT * FROM sys.dba_tab_privs where grantee = 'APPLSYSPUB'

Verify that EXECUTE on FND_SIGNON and SELECT on FND_USER_VIEW are not granted to APPLSYSPUB.

7. APPLICATIONS AUDITING (WHO COLUMNS)

Most Oracle EBS tables have information on the creation and last update of a row in the following columns –

▪ CREATION_DATE
▪ CREATED_BY → FND_USERS table
▪ LAST_UPDATE_LOGIN → FND_LOGINS tables
▪ LAST_UPDATE_DATE
▪ LAST_UPDATED_BY → FND_USERS table

8. END-USER APPLICATION ACCESS AUDITING

Enable simple logging of user, responsibility, and forms accesses by setting the system profile option “Sign-On: Audit Level” to “FORM” at the site level.

END-USER AUDIT TABLES
applsys.fnd_logins
applsys.fnd_login_responsibilities
applsys.fnd_login_resp_forms
fnd_concurrent_requests
icx.icx_failures
applsys.fnd_unsuccessful_logins

END-USER AUDIT REPORTS
Signon Audit Users
Signon Audit Responsibilities
Signon Audit Forms
Signon Audit Concurrent Requests
Signon Audit Unsuccessful Logins

9. DEFAULT ORACLE E-BUSINESS SUITE PORTS

COMPONENT | AUTOCONFIG VARIABLE | PORT # + X
Database | s_dbport | 1521
RPC/FNDFS | s_rpcport | 1626
Reports Server | s_repsport | 7000
Web Server (Apache) | s_webport | 8000
Web Server (Apache) | s_webssl_port | 4443
Web Server (Apache) | s_active_webport | 8000
Web Proxy | s_proxyport | 80
JServ oprocmgr (11i) | s_oprocmgr_port | 8699
Forms Servlet (jserv) (11i) | s_forms_servlet_portrange | 8701-8710
Discoverer Servlet (jserv) (11i) | s_disco_servlet_portrange | 8711-8720
OA Core Servlet (jserv) (11i) | s_oacore_servlet_portrange | 8721-8740
XML Servlet (jserv) (11i) | s_xmlsvcs_servlet_portrange | 8741-8750
Servlet (jserv) – old (11i) | s_servletport | 8800
Web Server (modplsql) (11i) | s_web_port_pls | 8888
Forms Server | s_formsport | 9000
Metrics Server Data | s_metdataport | 9100
Metrics Server Requests | s_metreqport | 9200
VisiBroker Server Agent | s_osagent_port | 10000
MSCA Mobile Server | s_mwaportno | 10200-10299
MSCA Mobile Dispatcher | s_mwadispatcher_port | 10300-10399, 10800-10899
MSCA Telnet Server (R12) | s_mwatelnetportno | 10200-10299
JTF Fulfilment Server | s_jtfuf_port | 9300 or 11000
TCF Server | s_tcfport | 15000
ONS Local Port (R12) | s_ons_localport | 6100
ONS Remote Port (R12) | s_ons_remoteport | 6200
ONS Request Port (R12) | s_ons_requestport | 6500
Java Object Cache Port (R12) | s_java_object_cache_port | 12345
OC4J JMS Ports Oacore (R12) | s_oacore_jms_portrange | ~23000-23099
OC4J JMS Ports for Forms (R12) | s_forms_jms_portrange | ~23500-23599
OC4J JMS Ports for Home (R12) | s_home_jms_portrange | ~24000-24099
OC4J JMS Ports for Oafm (R12) | s_oafm_jms_portrange | ~24500-24599
Oracle Connection Manager Port | s_cmanport | 1532

Port numbers may be modified during installation or may be automatically incremented by x during installation, where x is a number from 1 to 100 (typically less than 10). Port number ranges are often a grouping of 3, 4, 5, or 6 contiguous ports in the specified range.

10. RECOMMENDED FILE PERMISSIONS

PATH | FILES | UNIX PERM
$ORACLE_HOME | All | 0750
$ORACLE_HOME/bin | All | 0751
$ORACLE_HOME/network/admin/<sid> | listener.ora, sqlnet.ora | 0600
$ORACLE_HOME/appsutil/install/<sid> | *.sql | 0600
$ORACLE_HOME/appsutil/install/<sid> | *.sh | 0700
$IAS_TOP/Apache/modplsql/cfg | wdbsvr.app | 0600
$806_HOME/reports60/server | CGIcmd.dat | 0600
$APPL_TOP/admin/<sid> | defaults.txt, adalldefaults.txt | 0600
$FND_TOP/secure | All | 0750

11. MY ORACLE SUPPORT (MOS) SECURITY NOTES

Secure Configuration Guide for Oracle E-Business Suite Release (11i/R12): 189367.1 (11i), 403537.1 (12.1)
DMZ Configuration with Oracle E-Business Suite (11i/R12): 287176.1 (11i), 380490.1 (12.1), 1375670.1 (12.2)
Enabling SSL/TLS in Oracle E-Business Suite (11i/R12): 123718.1 (11i), 376700.1 (12.1), 1367293.1 (12.2)
FAQ: Oracle E-Business Suite Security: 2063486.1
Security Configuration and Auditing Scripts for Oracle E-Business Suite: 2069190.1
Using Transparent Data Encryption (TDE) with the E-Business Suite: 403294.1 (11i), 828229.1 (12.1), 1585296.1 (12.2)
Using Oracle Database Vault with Oracle E-Business Suite Releases 11i and 12: 950018.1
Configuring Oracle Connection Manager with Oracle E-Business Suite Release 12: 558959.1

http://www.integrigy.com
Version 5.2 – April 2018
Oracle E-Business Suite 11.5.10 – 12.0.6 – 12.1.3 – 12.2

Copyright © 2018 Integrigy Corporation. Information in this document is subject to change without notice and does not represent a commitment on the part of Integrigy Corporation. Integrigy does not guarantee or warrant the accuracy or completeness of the information in this document. AppSentry and AppDefend are trademarks of Integrigy Corporation. Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
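Section 6 lists the afpub.sql baseline for APPLSYSPUB and the two grants that must be absent. The script below compares the rows returned by the dba_tab_privs query from that section against the baseline and reports anything extra, missing, or explicitly forbidden. It is an added example, not Integrigy's or Oracle's code; the privilege rows in demo_privs() are constructed, and the OWNER values in them are illustrative only.

```python
"""Compare APPLSYSPUB grants with the afpub.sql baseline from section 6.

Added example, not Integrigy's or Oracle's code.  demo_privs() returns
constructed rows in the column order (GRANTEE, OWNER, TABLE_NAME, PRIVILEGE)."""

# Baseline transcribed from section 6: (privilege, object).
EXPECTED_GRANTS = {
    ("INSERT", "FND_UNSUCCESSFUL_LOGINS"), ("INSERT", "FND_SESSIONS"),
    ("EXECUTE", "FND_DISCONNECTED"), ("EXECUTE", "FND_MESSAGE"),
    ("EXECUTE", "FND_PUB_MESSAGE"), ("EXECUTE", "FND_SECURITY_PKG"),
    ("EXECUTE", "FND_WEBFILEPUB"), ("SELECT", "FND_APPLICATION"),
    ("SELECT", "FND_APPLICATION_TL"), ("SELECT", "FND_APPLICATION_VL"),
    ("SELECT", "FND_LANGUAGES_TL"), ("SELECT", "FND_LANGUAGES_VL"),
    ("SELECT", "FND_LOOKUPS"), ("SELECT", "FND_PRODUCT_GROUPS"),
    ("SELECT", "FND_PRODUCT_INSTALLATIONS"), ("SELECT", "FND_NEW_MESSAGES"),
}
# Section 6 names these two explicitly as grants APPLSYSPUB must not hold.
FORBIDDEN_GRANTS = {("EXECUTE", "FND_SIGNON"), ("SELECT", "FND_USER_VIEW")}


def audit_applsyspub(privs):
    """privs: iterable of (GRANTEE, OWNER, TABLE_NAME, PRIVILEGE) tuples, i.e.
    the columns of sys.dba_tab_privs this check needs.  Rows for other
    grantees are ignored.  Returns a dict of sorted (privilege, object) lists."""
    held = {(priv.upper(), obj.upper())
            for grantee, _owner, obj, priv in privs
            if grantee.upper() == "APPLSYSPUB"}
    return {
        "extra": sorted(held - EXPECTED_GRANTS),       # beyond the afpub.sql baseline
        "missing": sorted(EXPECTED_GRANTS - held),     # baseline grant not present
        "forbidden": sorted(held & FORBIDDEN_GRANTS),  # the two named dangerous grants
    }


def is_baseline(privs):
    """True only when APPLSYSPUB holds exactly the afpub.sql grants."""
    result = audit_applsyspub(privs)
    return not result["extra"] and not result["missing"]


def demo_privs():
    """Constructed query output: baseline minus one grant, plus both forbidden
    grants and one row for a different grantee that must be ignored."""
    rows = [("APPLSYSPUB", "APPLSYS", obj, priv)
            for priv, obj in EXPECTED_GRANTS if obj != "FND_NEW_MESSAGES"]
    rows.append(("APPLSYSPUB", "APPS", "FND_SIGNON", "EXECUTE"))
    rows.append(("APPLSYSPUB", "APPS", "FND_USER_VIEW", "SELECT"))
    rows.append(("APPS", "APPLSYS", "FND_USER", "SELECT"))
    return rows


if __name__ == "__main__":
    for kind, grants in audit_applsyspub(demo_privs()).items():
        print(kind, grants)
```

Anything reported under "extra" widens what the pre-login gateway account can reach and should be justified or revoked; "missing" usually means afpub.sql was never re-run after a change and the sign-on page may misbehave.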
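Section 9 gives the default ports together with the rule that single ports may be shifted by x (1 to 100) at install time while ranges are used as given. The script below applies that rule in reverse, mapping a listening port back to the EBS component(s) that could explain it, which is the question a firewall or exposure review has to answer. It is an added example, not Integrigy's code; the port table is transcribed from section 9 and the listening ports in DEMO_LISTENING_PORTS are constructed sample input.

```python
"""Map listening TCP ports back to Oracle EBS components using the default
port table in section 9 and its "+ x" increment rule.

Added example, not Integrigy's code.  DEMO_LISTENING_PORTS is constructed."""

# (component, AutoConfig variable, base port or (low, high) range), from section 9.
DEFAULT_PORTS = [
    ("Database", "s_dbport", 1521),
    ("RPC/FNDFS", "s_rpcport", 1626),
    ("Reports Server", "s_repsport", 7000),
    ("Web Server (Apache)", "s_webport", 8000),
    ("Web Server (Apache)", "s_webssl_port", 4443),
    ("Web Server (Apache)", "s_active_webport", 8000),
    ("Web Proxy", "s_proxyport", 80),
    ("JServ oprocmgr (11i)", "s_oprocmgr_port", 8699),
    ("Forms Servlet (jserv) (11i)", "s_forms_servlet_portrange", (8701, 8710)),
    ("Discoverer Servlet (jserv) (11i)", "s_disco_servlet_portrange", (8711, 8720)),
    ("OA Core Servlet (jserv) (11i)", "s_oacore_servlet_portrange", (8721, 8740)),
    ("XML Servlet (jserv) (11i)", "s_xmlsvcs_servlet_portrange", (8741, 8750)),
    ("Servlet (jserv) - old (11i)", "s_servletport", 8800),
    ("Web Server (modplsql) (11i)", "s_web_port_pls", 8888),
    ("Forms Server", "s_formsport", 9000),
    ("Metrics Server Data", "s_metdataport", 9100),
    ("Metrics Server Requests", "s_metreqport", 9200),
    ("JTF Fulfilment Server", "s_jtfuf_port", 9300),
    ("JTF Fulfilment Server", "s_jtfuf_port", 11000),
    ("VisiBroker Server Agent", "s_osagent_port", 10000),
    ("MSCA Mobile Server", "s_mwaportno", (10200, 10299)),
    ("MSCA Telnet Server (R12)", "s_mwatelnetportno", (10200, 10299)),
    ("MSCA Mobile Dispatcher", "s_mwadispatcher_port", (10300, 10399)),
    ("MSCA Mobile Dispatcher", "s_mwadispatcher_port", (10800, 10899)),
    ("TCF Server", "s_tcfport", 15000),
    ("ONS Local Port (R12)", "s_ons_localport", 6100),
    ("ONS Remote Port (R12)", "s_ons_remoteport", 6200),
    ("ONS Request Port (R12)", "s_ons_requestport", 6500),
    ("Java Object Cache Port (R12)", "s_java_object_cache_port", 12345),
    ("OC4J JMS Ports Oacore (R12)", "s_oacore_jms_portrange", (23000, 23099)),
    ("OC4J JMS Ports for Forms (R12)", "s_forms_jms_portrange", (23500, 23599)),
    ("OC4J JMS Ports for Home (R12)", "s_home_jms_portrange", (24000, 24099)),
    ("OC4J JMS Ports for Oafm (R12)", "s_oafm_jms_portrange", (24500, 24599)),
    ("Oracle Connection Manager Port", "s_cmanport", 1532),
]
MAX_INCREMENT = 100  # "incremented by x ... where x is a number 1 to 100"

# Constructed listening ports, as a review might collect them from the host.
DEMO_LISTENING_PORTS = [22, 1521, 4443, 8001, 10250, 23050]


def identify_port(port, max_increment=MAX_INCREMENT):
    """Return [(component, variable, offset)] for every default that could
    explain `port`: offset is x for a single port, 0 when inside a range."""
    matches = []
    for component, variable, default in DEFAULT_PORTS:
        if isinstance(default, tuple):
            low, high = default
            if low <= port <= high:
                matches.append((component, variable, 0))
        elif 0 <= port - default <= max_increment:
            matches.append((component, variable, port - default))
    return matches


def classify_listeners(ports):
    """Split listening ports into those an EBS default can explain (with the
    candidate list) and those that need a separate justification."""
    explained, unexplained = {}, []
    for port in sorted(set(ports)):
        candidates = identify_port(port)
        if candidates:
            explained[port] = candidates
        else:
            unexplained.append(port)
    return explained, unexplained


if __name__ == "__main__":
    explained, unexplained = classify_listeners(DEMO_LISTENING_PORTS)
    for port, candidates in explained.items():
        print(port, [f"{c} ({v}+{x})" for c, v, x in candidates])
    print("unexplained:", unexplained)
```

Because several defaults sit within 100 of each other, a port can have more than one candidate; the output is a shortlist to confirm against the context file rather than a verdict.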
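Section 10 gives recommended modes per path, and the useful check is not "mode equals 0600" but "no permission bit is set that the recommendation does not allow", so 0640 on sqlnet.ora is a finding while 0600 under a 0750 rule is not. The script below encodes the section 10 table and runs that mask check. It is an added example, not Integrigy's code; it only reads the real tree, and build_demo_tree() creates a constructed ORACLE_HOME in a temporary directory so the check can run offline. The "later rule wins" precedence between $ORACLE_HOME (0750) and $ORACLE_HOME/bin (0751) is an assumption made here.

```python
"""Check file modes against the recommended permissions in section 10.

Added example, not Integrigy's code.  The real tree is only read; the sample
tree from build_demo_tree() is constructed in a temp directory."""
import fnmatch
import os
import re
import stat
import tempfile

# (directory template, file pattern, most permissive acceptable mode), from
# section 10.  "*" covers the directory itself and every entry directly in it.
RULES = [
    ("$ORACLE_HOME", "*", 0o750),
    ("$ORACLE_HOME/bin", "*", 0o751),
    ("$ORACLE_HOME/network/admin/<sid>", "listener.ora", 0o600),
    ("$ORACLE_HOME/network/admin/<sid>", "sqlnet.ora", 0o600),
    ("$ORACLE_HOME/appsutil/install/<sid>", "*.sql", 0o600),
    ("$ORACLE_HOME/appsutil/install/<sid>", "*.sh", 0o700),
    ("$IAS_TOP/Apache/modplsql/cfg", "wdbsvr.app", 0o600),
    ("$806_HOME/reports60/server", "CGIcmd.dat", 0o600),
    ("$APPL_TOP/admin/<sid>", "defaults.txt", 0o600),
    ("$APPL_TOP/admin/<sid>", "adalldefaults.txt", 0o600),
    ("$FND_TOP/secure", "*", 0o750),
]


def expand_path(template, env, sid):
    """Substitute $VAR from env and <sid>; None if any variable is unset."""
    missing = []

    def sub(match):
        value = env.get(match.group(1))
        if value is None:
            missing.append(match.group(1))
        return value or ""

    path = re.sub(r"\$(\w+)", sub, template).replace("<sid>", sid)
    return None if missing else path


def too_permissive(mode, max_mode):
    """True if any permission bit is set that the recommendation does not allow."""
    return bool(mode & ~max_mode)


def audit_permissions(env, sid, rules=RULES):
    """Return [(path, actual_mode, max_mode)] for every violation.  A later,
    more specific rule overrides an earlier one for the same path (assumption)."""
    targets = {}
    for template, pattern, max_mode in rules:
        directory = expand_path(template, env, sid)
        if directory is None or not os.path.isdir(directory):
            continue  # variable unset or path absent on this tier
        if pattern == "*":
            targets[directory] = max_mode
        for name in sorted(os.listdir(directory)):
            if fnmatch.fnmatch(name, pattern):
                targets[os.path.join(directory, name)] = max_mode
    findings = []
    for path, max_mode in targets.items():
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if too_permissive(mode, max_mode):
            findings.append((path, mode, max_mode))
    return findings


def build_demo_tree():
    """Constructed ORACLE_HOME: compliant entries plus three violations."""
    home = os.path.join(tempfile.mkdtemp(prefix="ebs_perm_demo_"), "oracle_home")
    layout = {  # relative path -> mode; a trailing "/" marks a directory
        "": 0o750, "bin/": 0o751,
        "bin/sqlplus": 0o755,                                # 0755 exceeds 0751
        "network/": 0o750, "network/admin/": 0o750, "network/admin/PROD/": 0o750,
        "network/admin/PROD/listener.ora": 0o600,
        "network/admin/PROD/sqlnet.ora": 0o644,              # 0644 exceeds 0600
        "appsutil/": 0o750, "appsutil/install/": 0o750, "appsutil/install/PROD/": 0o750,
        "appsutil/install/PROD/adconfig.sh": 0o700,
        "appsutil/install/PROD/txkDemo.sql": 0o640,          # 0640 exceeds 0600
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        if rel == "" or rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
        os.chmod(path, mode)
    return home


def demo():
    """Audit the constructed tree; returns the violating paths relative to it."""
    home = build_demo_tree()
    findings = audit_permissions({"ORACLE_HOME": home}, "PROD")
    return sorted(os.path.relpath(path, home) for path, _, _ in findings)


if __name__ == "__main__":
    for rel in demo():
        print("too permissive:", rel)
```

Against a real tier, pass the actual environment (os.environ has ORACLE_HOME, APPL_TOP, FND_TOP and so on once the EBS env file is sourced) and the SID; rules whose variables are unset on that tier are skipped rather than reported.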