Thursday, May 28, 2009

Password Policies in Oracle E-Business Suite

One of my customers is questioning whether it is possible to enforce strong passwords in E-Business Suite (Release 12). Using the generic User Define Form you can define when a password expires, but that is more or less all you can do from that screen. In order to enforce an advanced Password Policy, you should go to the Profile Options:



Signon Password Failure Limit
The Signon Password Failure Limit profile option defines the maximum number of login attempts before the user’s account is disabled.



Signon Password Hard to Guess
Set this Profile Option to Yes to ensure that passwords will be "hard to guess."
A password is considered hard-to-guess if it meets these requirements:
• The password contains at least one letter and at least one number.
• The password does not contain the username.
• The password does not contain repeating characters.



Signon Password Length
Signon Password Length defines the minimum length of the password. The default is 5 characters.



Signon Password No Reuse
This profile option specifies the number of days before any previously given password can be reused.



Signon Password Case
Set this profile option to 'Sensitive' to make the password case sensitive (it defaults to 'Insensitive' in 11i; apparently, it defaults to 'Sensitive' in R12.1.1).

In this example, users will have to enter a case-sensitive password, they are not allowed to enter more than 3 wrong passwords, the password must be hard to guess (see above), the length is set to at least 8 characters, and a password cannot be used again for at least a year after it has expired.

In the Define User screen we can set the Password Expiration to either
• Days (see example),
• Accesses (the number of logins) or
• None.

Combining the profile options with the Password Expiration will give you a robust password policy for Oracle E-Business Suite.
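
The policy above can also be checked outside the forms. The following is an added example, not code from the original post or from Oracle: it compares a set of profile values with the example baseline described above and applies the "hard to guess" rules to a candidate password. The function names, the sample values and the reading of "repeating characters" as the same character twice in a row are assumptions of this example.

```python
# Baseline from the post's example: case sensitive, at most 3 failed logins,
# hard to guess, at least 8 characters, no reuse for a year (365 days).
# Keys are the profile option display names used in the post.
BASELINE = {
    "Signon Password Case": lambda v: v == "Sensitive",
    "Signon Password Failure Limit": lambda v: v.isdigit() and 1 <= int(v) <= 3,
    "Signon Password Hard to Guess": lambda v: v == "Yes",
    "Signon Password Length": lambda v: v.isdigit() and int(v) >= 8,
    "Signon Password No Reuse": lambda v: v.isdigit() and int(v) >= 365,
}


def audit_profile(values):
    """Return (name, value) for every option that is unset or weaker than BASELINE."""
    findings = []
    for name, meets_baseline in BASELINE.items():
        value = values.get(name)
        if value is None or not meets_baseline(str(value).strip()):
            findings.append((name, value))
    return findings


def password_violations(username, password, min_length=8):
    """Check a candidate against the length and 'hard to guess' rules in the post.

    Assumptions of this example: 'repeating characters' means the same character
    twice in a row, and the username comparison ignores case.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than minimum length")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs at least one letter and one number")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("repeating characters")
    return problems


# Constructed sample: values as they might be read from the Profile Options form.
SAMPLE_PROFILE = {
    "Signon Password Case": "Insensitive",
    "Signon Password Hard to Guess": "Yes",
    "Signon Password Length": "5",
}
```

For SAMPLE_PROFILE, audit_profile reports the case and length settings as too weak and the failure limit and no-reuse options as unset.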

Tuesday, May 26, 2009

R12.1.1 - New Technology Features at a Glance

Here is a quick list of the new technology features for E-Business Suite Release 12.1.1:

Versions


Database
Version 11.1.0.7 comes pre-packaged with E-Business Suite Release 12.1.1.
Version 10gR2 is still supported, for upgrades


Application Server
10.1.2.3 for Forms And Reports
10.1.3.4 for Java code and OAF, HTTP Server and OJSP


Third Party Technology
Java JDK version 6.0
Native Java Plugin (for client-side browser) version 6.0 (5.0 still supported for upgrading customers).


Technology Components in APPL_TOP
JDeveloper runtime libraries version 10.1.3.4
Oracle BI Beans version 3.1.1.7
Oracle Thin JDBC Drivers version 11.1.0.7


Externally Installed Technology Certified with 12.1.1
Oracle AS 10g Portal 10.1.4.2
Oracle AS 10g Single Sign-on 10.1.4.3
Oracle AS 10g Discoverer 10.1.2.3
Oracle Collaboration Suite 10.1.2
Oracle Enterprise Manager 10.2.0.2

* The above require separate installation, the products mentioned don't come packaged with the distro.



Technology Configuration Management

Autoconfig has been improved greatly in this new release of Oracle E-Business Suite:


Profiler Mode
This mode has been added to the 12.1.1 AutoConfig. When you run AutoConfig in this mode, it can generate a performance report containing timing details about each script that is run by AutoConfig.


Parallelization
Autoconfig can be run in parallel on multiple nodes, reducing downtime.


Control Dependency Management
Redesigned service and service group definitions in the context file, enabling a service to be in different service groups and easing the addition of new services. Additional support for dependencies between service groups. Introduces the possibility to enable and disable specific OC4J instances on the Application Tier Servers.


adchkcfg
Enhanced to report on file system and database changes prior to running autoconfig. The report has a R12 L&F.


adbldxml on the Database Tier
This utility can now be used to create new context files on the database tier to facilitate database upgrades and cross-platform migration. This feature was available in 11i and removed in R12.0, but luckily it has been reintroduced in R12.1.1.


AutoConfig Search Utility
Run from the command line, this utility can be used to get detailed information on context variables and the templates where these are used. Nice detail: If you don't know the entire variable name, it also accepts part of the variable name.


Technology Stack Inventory Validation Report
This utility validates the TechStack Inventory, similar to the TechStack Validation utility. The resulting report shows component versions, installed patches and patch sets.


Application Tier File System sharing
There is now support for sharing the Application Tier File System amongst multiple Oracle E-Business Suite instances. In Release 12.0 the APPL_TOP could be shared, because the Instance Home was introduced. Now there is support to share the entire Application Tier File System (including the Application Server Tech Stacks). Refer to Metalink Note 384248.1.


Enhanced Support for DMZ deployments
New demilitarized zone (DMZ) deployment options added, like support for forward proxies, reverse proxies without external web tiers, and the option to use hardware load-balancers without an external web tier.
More information in Metalink Note 380490.1

Application Tier Load Balancing
Enhancements in support for major load balancing methods: DNS, HTTP Layer and Native OC4J. Refer to Metalink Note 380489.1


Network Traffic Encryption
There is now Autoconfig support for securing the main communication with SSL: Desktop To WebServer (HTTPS), WebServer to JVM (AJPS), JVM (and other technology processes) to database (Advanced Security or Encrypted SQL*Net). See Metalink Note 376700.1


Oracle Connection Manager
AutoConfig now supports Oracle Connection Manager with R12.1.1. Oracle Connection Manager is a security tool acting as a proxy server that forwards connection requests to database servers. For more information, see Metalink Note 558959.1.

One option that I cannot leave unnoticed (taken from Steven Chan's weblog):
The R12.1.1 Rapid Install allows you to upgrade to 12.1.1 from EBS 11.5.9, 11.5.10, 11.5.10.CU1, and 11.5.10.CU2. That is one cool feature to explore. Will do that soon, hopefully.

Come back soon!

E-Business Suite Release 12.1.1 - It is working!

Yesterday morning I started my installation of Oracle E-Business Suite Release 12.1.1. I was very impressed by the installation, even though I performed the installation on a VMware guest Oracle Enterprise Linux 5.3, running with only 1.5GB of memory, from my external USB disk. Installation started around 8:15am and finished around 12:45pm: 4.5 hours. Not bad for an installation on an external USB drive...

I simultaneously discovered the solution to an issue with the R12 Webserver in combination with OCFS2 I reported upon about two years ago in one of my articles on the AMIS Technology Blog. I didn't realize it until I found out that, against my expectations, after the installation, surprisingly the webtier started without problems. I thought of two possible causes for this:

1. OCFS2 has improved, or
2. The new version of the Oracle Internet Application Server (10.1.3.4) has improved.

Neither of the two turned out to be the case:

During the Rapid Install I (to be honest, accidentally) configured the Instance Home ($INST_TOP) on one of my local file systems. The Instance Home contains the E-Business Suite instance-specific configuration files, log files and other files that are specific to its particular instance. Therefore, this Instance Home doesn't need to be shared. There is nothing wrong with putting it on a local file system.
Now, defining the Instance Home on a local file system also brings the location where the Apache Web Server wants to create this particular file ($INST_TOP/logs/ora/10.1.3/Apache/mm.XXXX) to the local file system. No need for symbolic links or anything of the sort.

In my next article I will be discussing some of the new technological features of R12.1.1.

E-Business Suite R12.1.1 installation impression

Two weeks ago I was at Collaborate09 where Charles Phillips announced the release of E-Business Suite 12.1.1. Exciting news, since 12.1.1 comes with a number of enhancements screaming for attention.

First of all, the most eye-catching enhancement is the pre-packaged 11gR1 (11.1.0.7) database. Second is the inclusion of all the Critical Patch Updates.
There is also a number of updates on the Application Servers for Forms (version is now 10.1.3.4)

As soon as I came back home, I downloaded the 12.1.1 software and created a VM to test the installation. I installed Oracle Enterprise Linux 5.3 with a bunch of storage... You definitely need some storage for 12.1.1! The Vision Demo Database alone is over 200GB!
Starting with the Oracle Applications Installation Guide: Using Rapid Install, you will be guided through the installation process. Since I am on OEL5.3 32-bit, I was pointed to Metalink Note 761564.1 - Oracle Applications Installation and Upgrade Notes Release 12 (12.1.1) for Linux x86.
In this document you can find all the details about installing EBS 12.1.1 on Linux x86:

RPMS required to install 12.1.1:

openmotif21-2.1.30-11.EL5.i386
xorg-x11-libs-compat-6.8.2-1.EL.33.0.1.i386
binutils-2.17.50.0.6-6.0.1.i386


The above RPMs can be downloaded from oss.oracle.com.
The RPMs listed below can all be found on your distribution media of OEL5.3:

compat-glibc-2.3.4-2.26
gcc-4.1.2-14.el5
gcc-c++-4.1.2-14.el5
glibc-2.5-12
glibc-common-2.5-12
glibc-devel-2.5-12
libgcc-4.1.2-14.el5
libstdc++-devel-4.1.2-14.el5
libstdc++-4.1.2-14.el5
make-3.81-1.1
gdbm-1.8.0-26.2.1
libXp-1.0.0-8.1.el5
libaio-0.3.106-3.2
libgomp-4.1.2-14.el5
sysstat-7.0.0-3.el5
compat-libstdc++-296-2.96-138
compat-libstdc++-33-3.2.3-61


If you are performing a fresh install of 12.1.1, like I did, you will also need some RPMs for 11g database:

elfutils-libelf-devel-0.125
elfutils-libelf-devel-static-0.125
libaio-devel-0.3.106
unixODBC-2.2.11
unixODBC-devel-2.2.11
kernel-headers-2.6


Now all required RPMs have been installed, take a look at the kernel settings:

Add or adjust the following parameters in /etc/sysctl.conf:

kernel.sem = 256 32000 100 142
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.msgmax = 8192
kernel.msgmnb = 65535
kernel.msgmni = 2878
fs.file-max = 131072
net.ipv4.ip_local_port_range = 10000 65000
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 262144

kernel.shmmax: least value. Half the memory if that is more.
net.ipv4.ip_local_port_range: I had 1024 65000 and it worked too.

Apply these settings by saving the /etc/sysctl.conf and typing the command:
sysctl -p

Next, adjust the DNS resolver parameters in /etc/resolv.conf:
options attempts:5
options timeout:15


Next, make sure your host's fully qualified domain name is mentioned as the first alias to the host's IP address in /etc/hosts:
192.168.1.10 hostname.domain.name.com hostname

Make sure that /etc/sysconfig/network contains the fully qualified domain name as your hostname.

In /etc/security/limits.conf you should set some limits for the user you are installing EBS under:
oracle hard nofile 65535
oracle soft nofile 4096
oracle hard nproc 16384
oracle soft nproc 2047

Next, apply patch 6078836 for Oracle or RedHat Enterprise Linux 5. This is an important prerequisite patch in order to prevent compilation errors during installation.
After you have applied this patch, perform the following as root:
# unlink /usr/lib/libXtst.so.6
# ln -s /usr/X11R6/lib/libXtst.so.6.1 /usr/lib/libXtst.so.6
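
The kernel parameters listed above can be verified before starting Rapid Install. The following is an added example, not part of the original post or of Oracle's installer: it parses the text of a sysctl.conf file and reports parameters that are missing, malformed or lower than the values listed above. Treating every listed value as a minimum is an assumption of this example, net.ipv4.ip_local_port_range is left out because the post notes that a different range also worked, and the function names and sample text are constructed.

```python
# Values from the post's /etc/sysctl.conf list. Treating every one as a
# minimum is an assumption of this example; the post says so only for shmmax.
REQUIRED = {
    "kernel.sem": (256, 32000, 100, 142),
    "kernel.shmall": (2097152,),
    "kernel.shmmax": (2147483648,),
    "kernel.shmmni": (4096,),
    "kernel.msgmax": (8192,),
    "kernel.msgmnb": (65535,),
    "kernel.msgmni": (2878,),
    "fs.file-max": (131072,),
    "net.core.rmem_default": (262144,),
    "net.core.rmem_max": (4194304,),
    "net.core.wmem_default": (262144,),
    "net.core.wmem_max": (262144,),
}


def parse_sysctl(text):
    """Map 'key = v1 v2 ...' lines to int tuples; a later line overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if not sep or key.startswith(("#", ";")):
            continue
        try:
            settings[key.strip()] = tuple(int(v) for v in raw.split())
        except ValueError:  # e.g. a footnote marker pasted along with the value
            settings[key.strip()] = None
    return settings


def check_sysctl(text):
    """Return {parameter: reason} for entries that are missing, malformed or too low."""
    found, problems = parse_sysctl(text), {}
    for key, minimum in REQUIRED.items():
        have = found.get(key)
        if key not in found:
            problems[key] = "missing"
        elif have is None or len(have) != len(minimum):
            problems[key] = "malformed"
        elif any(h < m for h, m in zip(have, minimum)):
            problems[key] = "below required value"
    return problems


# Constructed sample, not a real host's file.
SAMPLE = "kernel.sem = 250 32000 100 128\nkernel.shmmax = 2147483648(*)\nfs.file-max = 131072\n"
```

On a real host, pass the contents of /etc/sysctl.conf to check_sysctl; an empty result means every listed parameter is present and at least as large as the value above.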

Now we're ready to install.
Installation is currently underway.
I'll be back soon to update on my findings.