Thursday, May 28, 2009

Password Policies in Oracle E-Business Suite

One of my customers asked whether it is possible to enforce strong passwords in E-Business Suite (Release 12). Using the generic Define User form you can define when a password expires, but that is more or less all you can do from that screen. In order to enforce an advanced password policy, you should go to the Profile Options:



Signon Password Failure Limit
The Signon Password Failure Limit profile option defines the maximum number of login attempts before the user’s account is disabled.



Signon Password Hard to Guess
Set this profile option to Yes to ensure that passwords are "hard to guess."
A password is considered hard to guess if it meets these requirements:
• The password contains at least one letter and at least one number.
• The password does not contain the username.
• The password does not contain repeating characters.



Signon Password Length
Signon Password Length defines the minimum length of the password. The default is 5 characters.



Signon Password No Reuse
This profile option specifies the number of days before any previously given password can be reused.



Signon Password Case
Set this profile option to 'Sensitive' to make the password case sensitive (it defaults to 'Insensitive' in 11i; apparently, it defaults to 'Sensitive' in R12.1.1).

In this example, users will have to enter a case sensitive password, they are not allowed to enter more than 3 wrong passwords, the password must be hard to guess (see above), the length is set to at least 8 characters and a password cannot be used again for at least a year after it has expired.
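As an added illustration (not Oracle code, and not part of the original post), the following Python models the profile options above with the example settings, so you can see which rules a candidate password breaks before it reaches the application; the exact reading of "repeating characters", the case folding for 'Insensitive' and the lockout boundary are assumptions, noted in the comments.

```python
from dataclasses import dataclass
from datetime import date
import hashlib
import re


@dataclass
class SignonPolicy:
    """One field per profile option, preset to the example settings above."""
    failure_limit: int = 3        # Signon Password Failure Limit
    hard_to_guess: bool = True    # Signon Password Hard to Guess = Yes
    min_length: int = 8           # Signon Password Length
    no_reuse_days: int = 365      # Signon Password No Reuse
    case_sensitive: bool = True   # Signon Password Case = Sensitive


def hard_to_guess_violations(password, username):
    """The three 'hard to guess' rules; returns the rules that are broken."""
    problems = []
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain at least one letter and one number")
    # Compared case-insensitively: the rule is about the name appearing at
    # all, and EBS user names are stored in upper case (assumption).
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    # 'Repeating characters' is read as the same character twice in a row,
    # e.g. 'aa' or '11' (assumption about the exact rule).
    if re.search(r"(.)\1", password):
        problems.append("must not contain repeating characters")
    return problems


def fingerprint(password, case_sensitive):
    """Value kept in the password history. Insensitive mode folds case first
    so that 'Welcome1' and 'WELCOME1' count as the same password (assumption).
    Plain SHA-256 is for the demo only; a real store needs a salted slow hash."""
    text = password if case_sensitive else password.upper()
    return hashlib.sha256(text.encode()).hexdigest()


def validate_new_password(policy, username, password, history, today):
    """history: (fingerprint, expired_on) pairs for the user's old passwords.
    Returns the violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"must be at least {policy.min_length} characters")
    if policy.hard_to_guess:
        problems.extend(hard_to_guess_violations(password, username))
    new_fp = fingerprint(password, policy.case_sensitive)
    for old_fp, expired_on in history:
        if old_fp == new_fp and (today - expired_on).days < policy.no_reuse_days:
            problems.append(f"reused within {policy.no_reuse_days} days of expiry")
            break
    return problems


def record_failed_login(failures, username, policy):
    """Count one wrong password for the user; True once the account is to be
    disabled. Read as 'not more than failure_limit wrong passwords', so the
    account is disabled on the attempt after the limit (assumption)."""
    failures[username] = failures.get(username, 0) + 1
    return failures[username] > policy.failure_limit


if __name__ == "__main__":
    # Constructed walk-through: a user replacing a password that expired in
    # January 2009 and then mistyping the new one four times.
    policy = SignonPolicy()
    old = [(fingerprint("Welcome1", True), date(2009, 1, 15))]
    print(validate_new_password(policy, "JSMITH", "Welcome1", old, date(2009, 5, 28)))
    print(validate_new_password(policy, "JSMITH", "Jsmith2009", old, date(2009, 5, 28)))
    print(validate_new_password(policy, "JSMITH", "Orlando09", old, date(2009, 5, 28)))
    failures = {}
    print([record_failed_login(failures, "JSMITH", policy) for _ in range(4)])
```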

In the Define User screen we can set the Password Expiration to either
• Days (see example),
• Accesses (the number of logins) or
• None.

Combining the profile options with the Password Expiration will give you a robust password policy for Oracle E-Business Suite.

Tuesday, May 26, 2009

R12.1.1 - New Technology Features at a Glance

Here is a quick list of the new technology features for E-Business Suite Release 12.1.1:

Versions


Database
Version 11.1.0.7 comes pre-packaged with E-Business Suite Release 12.1.1.
Version 10gR2 is still supported for upgrades.


Application Server
10.1.2.3 for Forms And Reports
10.1.3.4 for Java code and OAF, HTTP Server and OJSP


Third Party Technology
Java JDK version 6.0
Native Java Plugin (for the client-side browser) version 6.0 (5.0 still supported for upgrading customers).


Technology Components in APPL_TOP
JDeveloper runtime libraries version 10.1.3.4
Oracle BI Beans version 3.1.1.7
Oracle Thin JDBC Drivers version 11.1.0.7


Externally Installed Technology Certified with 12.1.1
Oracle AS 10g Portal 10.1.4.2
Oracle AS 10g Single Sign-on 10.1.4.3
Oracle AS 10g Discoverer 10.1.2.3
Oracle Collaboration Suite 10.1.2
Oracle Enterprise Manager 10.2.0.2

* The above require separate installation; these products are not packaged with the distribution.



Technology Configuration Management

Autoconfig has been improved greatly in this new release of Oracle E-Business Suite:


Profiler Mode
This mode has been added to the 12.1.1 AutoConfig. When you run AutoConfig in this mode, it can generate a performance report containing timing details about each script that is run by AutoConfig.


Parallelization
Autoconfig can be run in parallel on multiple nodes, reducing downtime.


Control Dependency Management
Service and service group definitions in the context file have been redesigned, enabling a service to be in different service groups and easing the addition of new services. There is additional support for dependencies between service groups, and specific OC4J instances on the Application Tier servers can now be enabled and disabled.


adchkcfg
Enhanced to report on file system and database changes prior to running AutoConfig. The report has the R12 look and feel.


adbldxml on the Database Tier
This utility can now be used to create new context files on the database tier to facilitate database upgrades and cross-platform migration. This feature was available in 11i and removed in R12.0, but luckily it has been reintroduced in R12.1.1.


AutoConfig Search Utility
Run from the command line, this utility can be used to get detailed information on context variables and the templates where these are used. Nice detail: If you don't know the entire variable name, it also accepts part of the variable name.


Technology Stack Inventory Validation Report
This utility validates the TechStack Inventory, similar to the TechStack Validation utility. The resulting report shows component versions, installed patches and patch sets.


Application Tier File System sharing
There is now support for sharing the Application Tier File System amongst multiple Oracle E-Business Suite instances. In Release 12.0 the APPL_TOP could be shared, because the Instance Home was introduced. Now there is support to share the entire Application Tier File System (including the Application Server Tech Stacks). Refer to Metalink Note 384248.1.


Enhanced Support for DMZ deployments
New demilitarized zone (DMZ) deployment options added, like support for forward proxies, reverse proxies without external web tiers, and the option to use hardware load-balancers without an external web tier.
More information in Metalink Note 380490.1.

Application Tier Load Balancing
Enhancements in support for major load balancing methods: DNS, HTTP layer and native OC4J. Refer to Metalink Note 380489.1.


Network Traffic Encryption
There is now Autoconfig support for securing the main communication with SSL: Desktop To WebServer (HTTPS), WebServer to JVM (AJPS), JVM (and other technology processes) to database (Advanced Security or Encrypted SQL*Net). See Metalink Note 376700.1


Oracle Connection Manager
AutoConfig now supports Oracle Connection Manager with R12.1.1. Oracle Connection Manager is a security tool acting as a proxy server that forwards connection requests to database servers. For more information, see Metalink Note 558959.1.

One option that I cannot leave unnoticed (taken from Steven Chan's weblog):
The R12.1.1 Rapid Install allows you to upgrade to 12.1.1 from EBS 11.5.9, 11.5.10, 11.5.10.CU1, and 11.5.10.CU2. That is one cool feature to explore. Will do that soon, hopefully.

Come back soon!

E-Business Suite Release 12.1.1 - It is working!

Yesterday morning I started my installation of Oracle E-Business Suite Release 12.1.1. I was very impressed by the installation, even though I performed the installation on a VMware guest Oracle Enterprise Linux 5.3, running with only 1.5GB of memory, from my external USB disk. Installation started around 8:15am and finished around 12:45pm: 4.5 hours. Not bad for an installation on an external USB drive...

At the same time I discovered the solution to an issue with the R12 web server in combination with OCFS2 that I reported on about two years ago in one of my articles on the AMIS Technology Blog. I didn't realize it until, against my expectations, the web tier started without problems after the installation. I thought of two possible causes for this:

1. OCFS2 has improved, or
2. The new version of the Oracle Internet Application Server (10.1.3.4) has improved.

Neither of the two turned out to be the case:

During the Rapid Install I (to be honest, accidentally) configured the Instance Home ($INST_TOP) on one of my local file systems. The Instance Home contains the E-Business Suite instance-specific configuration files, log files and other files that are specific to that particular instance. Therefore, the Instance Home does not need to be shared, and there is nothing wrong with putting it on a local file system.
Defining the Instance Home on a local file system also moves the location where the Apache web server wants to create this particular file ($INST_TOP/logs/ora/10.1.3/Apache/mm.XXXX) to the local file system. No need for symbolic links or anything of the kind.

In my next article I will be discussing some of the new technological features of R12.1.1.

E-Business Suite R12.1.1 installation impression

Two weeks ago I was at Collaborate09 where Charles Phillips announced the release of E-Business Suite 12.1.1. Exciting news, since 12.1.1 comes with a number of enhancements screaming for attention.

First of all, the most eye-catching enhancement is the pre-packaged 11gR1 (11.1.0.7) database. Second is the inclusion of all the Critical Patch Updates.
There are also a number of updates on the Application Servers for Forms (the version is now 10.1.3.4).

As soon as I came back home, I downloaded the 12.1.1 software and created a VM to test the installation. I installed Oracle Enterprise Linux 5.3 with a bunch of storage... You definitely need some storage for 12.1.1! The Vision Demo database alone is over 200GB!
Starting with the Oracle Applications Installation Guide: Using Rapid Install, you will be guided through the installation process. Since I am on OEL5.3 32-bit, I was pointed to Metalink Note 761564.1 - Oracle Applications Installation and Upgrade Notes Release 12 (12.1.1) for Linux x86.
In this document you can find all the details about installing EBS 12.1.1 on Linux x86:

RPMS required to install 12.1.1:

openmotif21-2.1.30-11.EL5.i386
xorg-x11-libs-compat-6.8.2-1.EL.33.0.1.i386
binutils-2.17.50.0.6-6.0.1.i386


The above RPMs can be downloaded from oss.oracle.com.
The RPMs listed below can all be found on your OEL5.3 distribution media:

compat-glibc-2.3.4-2.26
gcc-4.1.2-14.el5
gcc-c++-4.1.2-14.el5
glibc-2.5-12
glibc-common-2.5-12
glibc-devel-2.5-12
libgcc-4.1.2-14.el5
libstdc++-devel-4.1.2-14.el5
libstdc++-4.1.2-14.el5
make-3.81-1.1
gdbm-1.8.0-26.2.1
libXp-1.0.0-8.1.el5
libaio-0.3.106-3.2
libgomp-4.1.2-14.el5
sysstat-7.0.0-3.el5
compat-libstdc++-296-2.96-138
compat-libstdc++-33-3.2.3-61


If you are performing a fresh install of 12.1.1, like I did, you will also need some RPMs for 11g database:

elfutils-libelf-devel-0.125
elfutils-libelf-devel-static-0.125
libaio-devel-0.3.106
unixODBC-2.2.11
unixODBC-devel-2.2.11
kernel-headers-2.6


Now that all required RPMs have been installed, take a look at the kernel settings:

Add or adjust the following parameters in /etc/sysctl.conf:

kernel.sem = 256 32000 100 142
kernel.shmall = 2097152
kernel.shmmax = 2147483648(*)

kernel.shmmni = 4096
kernel.msgmax = 8192
kernel.msgmnb = 65535
kernel.msgmni = 2878
fs.file-max = 131072
net.ipv4.ip_local_port_range = 10000 65000(**)
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 262144


(*) minimum value; use half of the physical memory if that is more
(**) I had 1024 65000 and it worked too

Apply these settings by saving the /etc/sysctl.conf and typing the command:
sysctl -p

Next, adjust the DNS resolver parameters in /etc/resolv.conf:
options attempts:5
options timeout:15


Next, make sure your host's fully qualified domain name is listed as the first alias for the host's IP address in /etc/hosts:
192.168.1.10 hostname.domain.name.com hostname

Make sure that /etc/sysconfig/network contains the fully qualified domain name as your hostname.

In /etc/security/limits.conf you should set some limits for the user you are installing EBS under:
oracle hard nofile 65535
oracle soft nofile 4096
oracle hard nproc 16384
oracle soft nproc 2047

Next, apply patch 6078836 for Oracle or RedHat Enterprise Linux 5. This is an important prerequisite patch in order to prevent compilation errors during installation.
After you have applied this patch, perform the following as root:
# unlink /usr/lib/libXtst.so.6
# ln -s /usr/X11R6/lib/libXtst.so.6.1 /usr/lib/libXtst.so.6
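An added check, not part of the post or of Rapid Install, that compares a box's sysctl output and /etc/hosts against the values listed above before you start the installer; the sample inputs are constructed, and treating every kernel value as a minimum is an assumption.

```python
# Values exactly as listed above; kernel.shmmax is the stated floor, raised to
# half of physical memory when that is larger (the post's (*) footnote).
REQUIRED_SYSCTL = {
    "kernel.sem": "256 32000 100 142",
    "kernel.shmall": "2097152",
    "kernel.shmmax": "2147483648",
    "kernel.shmmni": "4096",
    "kernel.msgmax": "8192",
    "kernel.msgmnb": "65535",
    "kernel.msgmni": "2878",
    "fs.file-max": "131072",
    "net.ipv4.ip_local_port_range": "10000 65000",
    "net.core.rmem_default": "262144",
    "net.core.rmem_max": "4194304",
    "net.core.wmem_default": "262144",
    "net.core.wmem_max": "262144",
}


def parse_sysctl(text):
    """'key = v1 v2' lines (sysctl -a output or sysctl.conf) -> {key: [ints]};
    non-numeric parameters are skipped."""
    values = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, val = line.partition("=")
            nums = val.split()
            if nums and all(v.lstrip("-").isdigit() for v in nums):
                values[key.strip()] = [int(v) for v in nums]
    return values


def check_sysctl(text, ram_bytes=None):
    """Parameters that are missing or below the required value. Each field is
    treated as a minimum (assumption), except ip_local_port_range, whose lower
    bound may be smaller: the post notes 1024 worked as well."""
    current, problems = parse_sysctl(text), []
    for key, wanted in REQUIRED_SYSCTL.items():
        need = [int(v) for v in wanted.split()]
        if key == "kernel.shmmax" and ram_bytes:
            need = [max(need[0], ram_bytes // 2)]
        have = current.get(key)
        if have is None:
            problems.append(f"{key}: not set")
        elif key == "net.ipv4.ip_local_port_range":
            if not (len(have) == 2 and have[0] <= need[0] and have[1] >= need[1]):
                problems.append(f"{key}: have {have}, want {wanted}")
        elif len(have) != len(need) or any(h < n for h, n in zip(have, need)):
            problems.append(f"{key}: have {have}, want {need}")
    return problems


def check_hosts(text, fqdn):
    """True if the FQDN is the first name after the address on its hosts line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fqdn in fields[1:]:
            return fields[1] == fqdn
    return False


# Constructed sample of a box that still has distribution defaults for a few
# parameters, lacks wmem_max, and lists the short hostname before the FQDN.
SAMPLE_SYSCTL = """kernel.sem = 250 32000 32 128
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.msgmax = 8192
kernel.msgmnb = 65535
kernel.msgmni = 2878
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
"""
SAMPLE_HOSTS = "127.0.0.1 localhost\n192.168.1.10 ebs ebs.example.com\n"

if __name__ == "__main__":
    for p in check_sysctl(SAMPLE_SYSCTL, ram_bytes=6 * 1024 ** 3):
        print("sysctl:", p)
    print("hosts ok:", check_hosts(SAMPLE_HOSTS, "ebs.example.com"))
```

On a live system, feed it `sysctl -a` output and the contents of /etc/hosts instead of the samples.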

Now we're ready to install.
Installation is currently underway.
I'll be back soon to update on my findings.

Sunday, April 26, 2009

Collaborate 2009: Mixing E-Business Suite and Pleasure

So, this is the last week before I leave for Orlando, FL. Next Saturday (May 2) I will be taking off to join Collaborate09. I am excited and a little nervous too. It will be the first time I present at a large-scale conference like this.
If you are interested: Look out for session #1037, Mixing E-Business and Pleasure on Tuesday, May 5, 3:15PM - 4:15PM in room W105A.
In this presentation I will share my experience with a large-scale E-Business Suite implementation with SOA integration (mainly BPEL). The business case will be discussed, what the customer wanted to achieve, and what issues and challenges the actual implementation brought.

I am really looking forward to meeting you there.

Tuesday, March 10, 2009

Outsourcing your E-Business Suite environment - Part V

In my previous articles in this series I explained what the key areas of focus would have to be when you consider outsourcing your Oracle E-Business Suite environment(s). This last article in the series covers some of the questions you could or should ask your potential partners.

Now that you have a rough idea about the issues to bear in mind when outsourcing your E-Business Suite environment(s), it is time to look for a partner that you can do business with. In order to make a proper judgement, it is essential to know which details are important to your business. Ask questions on those details. They are important to you, so you must find the answers with your partner, and weigh them on the scale of importance.

Criteria

Here you can find a list of criteria you might find useful:

  • Every customer should be logically separated from other customers
  • Possibility to filter traffic between systems of the same customer
  • In case of an attack/intrusion it should be possible to quickly block traffic
  • Detection by means of a network intrusion detection system should lead to action in less than 3 minutes
  • Possibility to guarantee bandwidth
  • Possibility to regulate bandwidth
  • Possibility to deliver connections, by fixed lines as well as VPN via Internet
  • Data Center has more than 1 public exchange utilizing multiple carriers
  • Multiple access paths to the public exchange are possible, physically as well as logically, so in case of interruption of service alternate paths can provide the required service
  • Termination is separated from the server room, so physical access is not required for assembly
  • Separated LANs for different purposes (backup/recovery, management, public, cluster heartbeat)
  • Failover datacenter at least 5 miles away
  • Support for QoS (Quality of Service)
  • Trunking Technology should be supported
  • Local LAN is redundant, including switches, SAN switches, cables, power supplies
  • Redundant Airconditioning with sufficient capacity
  • ISO27001 compliancy/certification
  • Availability of No-Break
  • External Power Generators are available, are tested monthly and meet capacity requirements
  • Growth of XXX% can be facilitated
  • Hardware defects can be solved within SLA times
  • Near Real-Time information about systems, load and amount of traffic available online or can be made available online, included in regular pricing
  • Monitoring is taking place for intrusion, fire, power failure, high/low voltage, external power generator failure, UPS/No-Break failure, temperature, humidity, breaker trips and leakage
  • 24x7 security available on the premises
  • 24x7 access for authorized personnel of customer
  • Backup facilities available and optionally availability to take backups to multiple tape units
  • E-mail facilities are available for outbound mail from specified servers
  • Physical access to hardware is separated from possible other customers to prevent other customers having access to our hardware
  • Capacity planning should be in place, for at least 12 months
  • Operations Staff should be adequately trained
  • Credentials should not be stored human readable, i.e. no hard coded credentials in scripts etc.
  • Cleaning and Archiving procedures in place for log files etc.
  • All access to systems must be logged and should be traceable to a personal account
  • Availability of centralized authentication system with LDAP or NIS
  • Servers should be addressed through a servername using Fully Qualified Domain Names
  • OS Storage needs to be mirrored
  • Remote Console Access should be possible
  • A representation of current configuration and hardware as well as Operating System should be delivered when asked (CMDB report)
  • Following Operating Systems and distributions should be supported: (fill in your required Operating Systems)
  • All machines are configured with swap space according to best practices
  • All File Systems are configured with either RAID5, RAID1 or RAID1+0
  • All provided slices of storage can be resized dynamically
  • Availability of a supported platform for backups
  • Every Unix machine is provided with ping, traceroute, lsof, top, truss, strace, sar or applicable equivalences for the OS in place
  • Telnet services are disabled, ssh access should be possible
  • A Network Time Protocol Server is available for every system and is redundant
  • An authorization and maintenance process is in place for all privileges
  • Security audits are taking place on a regular basis, conform ISO27001
  • Gigabit Ethernet is standard
  • Relevant information on all layers is stored onto which trend-analysis can be performed
  • On at least a monthly basis, investigation is done regarding patches to be applied and proposed as change to customer
  • Weekly SLA Meetings
  • Weekly Service Level Reports
  • NIS and FTP services are disabled
  • UIDs and GIDs of non-system OS users and groups should always be identical across systems
  • Possibility to perform routine maintenance by means of sudo
  • Availability and Performance Management should be in place
  • Architecture needs to be provided with a flexible storage solution for allocation, deallocation and copying of data and efficient backups
  • Backup data should be kept online on a remote location, at least 5 miles away from the primary data center
  • It should be possible to put backups on tape, to deliver at customer site
  • Internet connected machines should be placed in a DMZ
  • The meeting structure used for communication and consultation at the strategic, tactical and operational level is defined by a governance model
  • Support needs to be provided in the … language
  • A situation is designated as a crisis at the initiative of the customer; in such a situation supervision by the crisis manager assigned by the customer will be accepted
  • At least 1 FTE with knowledge of the environment is available at all times to support and investigate upon request
  • Customer can take backups to disk and optionally to tape at a later time, facilitated by hosting provider
  • It should be possible to house or host optional “external” hardware, like customer owned systems

Key Performance Indicators

Next, you should have a set of Key Performance Indicators (KPIs), that will have to be mapped to the criteria. You should have at least the following areas:

  • General
    Availability
  • Incident Management
    Reaction Time, Resolution Time, Down Time, etc.
  • Change Management
    Maintenance Windows, Change Qualification Time, etc.
  • Configuration Management
    CMDB, Monitoring, etc.
  • Operations Management
    Backup, Maintenance, etc.
  • Service Management
    Reports, meetings, etc.

Questions

Based on the above, you could ask your potential partner:

  • what their vision is on separation of responsibilities and how they would realize this vision,
  • which risks they identify and how they would minimize these,
  • their ability to meet the criteria as stated,
  • their ability to meet service levels mentioned in the key performance indicators outlined by you,
  • to share a transition plan and approach for application management takeover and / or migration of current to new infrastructure,
  • to identify cost drivers for accounting services and products, based on the separation of responsibilities and conform the given criteria,
  • identify the monthly cost per cost driver,
  • how they detect intrusions,
  • how they guarantee bandwidth,
  • how they guarantee connection availability,
  • what time they need to establish a system,
  • what possibilities there are to customize environments in terms of:
    kernel parameters,
    operating system limits,
    startup scripts,
    disks and partitions,
    mountpoints
  • which security certifications they have,
  • whether they have multiple datacenters,
  • what their vision is on capacity, availability and performance management and how that translates to practice,
  • if they can provide an example of an incident report, if possible for multiple priorities/severities,
  • if they can provide an example of a change report,
  • what their definition is of a problem,
  • whether they have experience managing/hosting
    Oracle Database environments and for which versions,
    Oracle E-Business Suite environments and for which versions,
    Oracle Application Server environments and for which versions,
  • If they can provide any references for any of the above with information about:
    Version Size
    Number of users
    Number of transactions
    Availability.

This list is not complete, but it can give you a start to identify the kind of questions you might want to be answered, in order to make a proper judgement.

I hope this series has given you a clearer view on the topic of outsourcing your environment. If you have any questions left, you can always drop me a comment.


Thursday, February 26, 2009

Outsourcing your Oracle E-Business Suite environment - Part IV

In the previous articles in this series about outsourcing E-Business Suite environments I discussed the question of why, the more technical aspects and the supporting services. This article covers availability, disaster recovery and security.

Availability

Load Balancing - Load Balancing techniques are used for two reasons: To increase availability and to increase capacity.

Application Server
On the application server level of E-Business Suite, one can choose to implement two kinds of load balancing: Forms based (11i) and HTTP based (11i and R12).
For Forms based load balancing, one server needs to be designated as Forms Metrics Server; the remaining servers will be Forms Metrics Clients. On each of the servers the Forms Server needs to be running. All clients connect to the Forms Metrics Server, which diverts the connection to one of the forms servers in the application tier. This is a basic form of load balancing, because it is based on a round-robin principle.
The alternative is HTTP load balancing, which requires Forms Servlet Mode to be in use. In this configuration the forms server runs through a servlet under the HTTP server, so there is no need to use other ports than the one the HTTP server is using; a side effect is increased security. Another requirement is a separate load balancer. This load balancer is configured with a central IP address (resolvable by a DNS name) and spreads the connections over the available application servers. This can be done on a round-robin principle, but can also be based on actual system load, like with Cisco ACE technology. One thing of great importance when implementing load balancing is to ensure that session stickiness/persistence (IP or cookie based) is implemented.
It is also possible to implement DNS based load balancing. In this configuration, the DNS server has multiple IP addresses for the same hostname and replies with one of them at random to any DNS request for an application server. This requires some additional configuration on the Application Tier, like JServ load balancing and defining OProcMgr nodes (web nodes) in your environment (using the context editor).
Refer to Metalink Note 217368.1 for implementing load balancing for E-Business Suite.

Database Server
Increasing availability on the database server can be established using Real Application Clusters (RAC) technology. Implementing RAC requires Oracle Clusterware, and takes some of the system resources for cluster node intercommunication. However, the increase in availability will more than compensate for this. I do need to say that no matter how much I appreciate RAC, it adds to the complexity of your infrastructure and you will definitely need resources in your team or at your hosting provider (depending on who is going to manage/maintain the E-Business Suite) capable of managing and maintaining RAC environments. Otherwise you may end up with a system with lower uptime compared to a single instance database environment.

Disaster Recovery
Dataguard – This topic builds on the previous one, availability. If your hosting provider can provide multiple data centers, it might be worthwhile investigating the possibilities of implementing DataGuard. With E-Business Suite you can establish a physical standby database on a remote location that can be switched over to when the primary database fails for whatever reason. For more information on implementing DataGuard see Metalink Notes 216212.1 and 403347.1 for Release 11i and Metalink Note 452056.1 for Release 12.

Data Replication – If Dataguard is not feasible, you should at least be given the possibilities for data replication. Make sure your hosting partner is able to replicate your business-critical data to a remote data center, so you, or your hosting partner can rebuild the entire environment on another location in case of a site failure.

For any DR solution, you should be able to quantify the maximum downtime you find acceptable. In order to be able to do this, it may be required to estimate the cost of downtime per time-unit. Take into consideration that your company should have the resources to sustain the damage of this downtime. Make sure your hosting partner can live up to the required level of service. After all, it is your business-critical data.

Security
Talking about business-critical data, you don’t want anyone that is not supposed to be there strolling around in your environment. Therefore it is of greatest importance that your hosting partner can guarantee the highest level of security. The International Standards Organization (ISO) has a certification for this: ISO-27001:2005. Ask for this certification at your partner of choice. This ensures that your partner has been audited on a number of controls dealing with information security.
Various security issues need to be covered when you want to outsource your environment. These can be issues that you as a customer require, but also issues that are required by your hosting partner. It is essential to work these out before starting your contract, or you may be surprised that your partner doesn't provide a solution you want implemented because of their tight security, or you will become personally responsible for security measures your partner cannot or will not provide.

Hardening – your systems need to be secure enough by themselves. This means, for example, that you don't want to allow direct root access from a remote location; that you use sudo user lists to limit the number of users that may become root, and sudo command lists to limit the commands that can be run with root privileges; and that you limit the running services to those necessary for the environment.
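As an added example (not the post's own material), a small Python audit of the three hardening points just named, run over constructed sshd_config, sudoers and chkconfig output; the service allowlist and the treatment of a missing PermitRootLogin as 'yes' are assumptions.

```python
ALLOWED_SERVICES = {"sshd", "ntpd", "sysstat", "network"}  # assumed allowlist


def root_login_permitted(sshd_config):
    """True unless the effective PermitRootLogin is 'no'. sshd honours the first
    occurrence of a keyword; a missing keyword is treated as 'yes', the default
    on the OpenSSH releases of that era (assumption)."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() != "no"
    return True


def unrestricted_sudo_entries(sudoers):
    """Users or groups whose sudoers command list is ALL, i.e. who may run any
    command as root; root's own entry is ignored. Aliases and Defaults lines
    are skipped, and a command alias on the right-hand side counts as a list."""
    hits = []
    skip = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line or line.startswith(skip):
            continue
        who, _, spec = line.partition("=")
        # spec looks like '(ALL) NOPASSWD: ALL' or '(root) EBS_SERVICES'
        commands = spec.split(")", 1)[-1].split(":", 1)[-1].strip()
        if commands.upper() == "ALL" and who.split()[0] != "root":
            hits.append(who.split()[0])
    return hits


def unexpected_services(chkconfig_output, allowed=ALLOWED_SERVICES):
    """Services enabled at run level 3 that are not on the allowlist, read from
    'chkconfig --list' style lines ('sendmail 0:off 1:off 2:on 3:on ...')."""
    extra = []
    for line in chkconfig_output.splitlines():
        parts = line.split()
        if len(parts) >= 7 and "3:on" in parts[1:] and parts[0] not in allowed:
            extra.append(parts[0])
    return extra


# Constructed samples: a second PermitRootLogin line that never takes effect,
# a dba group with a blanket grant, and sendmail still enabled.
SAMPLE_SSHD = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n"
SAMPLE_SUDOERS = """Defaults requiretty
Cmnd_Alias EBS_SERVICES = /sbin/service httpd restart, /sbin/service oracle restart
root ALL=(ALL) ALL
%dba ALL=(ALL) ALL
appmgr ALL=(root) NOPASSWD: EBS_SERVICES
"""
SAMPLE_CHKCONFIG = """sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off
"""

if __name__ == "__main__":
    print("remote root login permitted:", root_login_permitted(SAMPLE_SSHD))
    print("unrestricted sudo for:", unrestricted_sudo_entries(SAMPLE_SUDOERS))
    print("services outside allowlist:", unexpected_services(SAMPLE_CHKCONFIG))
```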

External Access – Remote OS access should be regulated by an external authentication system like an Active Directory system. If this is not possible, you should require VLANs that separate your environment(s) from others. It can also be arranged with Access Control Lists, but they should be combined with an AD solution.

Intrusion Detection – No matter how securely your environment is hosted, it will always be possible for someone to try and attack it. For this, it is important to have an Intrusion Detection system in place. This system raises an alarm when it detects uncommon activity in the environment, indicating that someone or some program is trying to attack the system.

E-Business Suite Security - Ask your outsourcing partner what they would do to secure your E-Business Suite. It is of great importance. You might have a secure Operating System, but your application that runs on it must be secure as well, because it might be located at a remote site, in a hosting center, along with various other applications from who knows where. Security may very well be the top priority on your list. Refer to Metalink Note 189367.1 - Best practices for securing Oracle E-Business Suite for directions.

I hope to publish a questionnaire to ask a potential outsourcing partner as a conclusion to this series.