Protecting Oracle E-Business Suite: Password Policy
For a third week in a row, we’re providing you with best practices for securing your Oracle E-Business Suite implementation. Today, we are going to talk about a common topic: password security. When it comes to password policy, the first thing that probably comes to mind is having a secure password. That is why in addition to all network security layers, it is very important to have a proper password policy, along with a users list and groups so to follow a guideline of how passwords are formed. To help with this, Oracle E-Business Suite has several requirements that force the user to add complexity to the passwords. In this blogpost, we will talk about these profiles, configurations and other features that E-Business Suite has to help ensure that your password are strong and complex enough.
What is a strong password?
Despite the fact that there is not a specific standard for what’s considered a ‘strong’ password, there are some general rules that lead to a strong password. So, the common practices for creating strong complex passwords are as follows:
- Do not create a password that is shorter than 8 characters in length.
- Do not create a password that contains the user name, employee name, or family member names.
- Do not select passwords that are easy to guess.
- Do not create passwords that contain a consecutive string of numbers, such as 12345.
- Do not create passwords that contain a word or string that is easily discoverable by a simple Internet search.
- Do not allow users to reuse the same password across multiple systems.
- Do not allow users to reuse older passwords.
Oracle E-business Suite offers various profile options in different policies. This profile should only be set at Site level, and can also be set at other levels such as User or Responsibility. Here’s a list of any option and its description.
- Sign-on Password Failure Limit: determines the maximum number of log in attempts before the user's account is disabled. Users cannot see or update this profile option.
- Sign-on Password Hard to Guess: sets rules for choosing passwords to ensure that they will be "hard to guess." A password is considered hard-to-guess if it follows these rules: contains at least one letter and at least one number, does not contain the user name and does not contain repeating characters.
- Sign-on Password Length: sets the minimum length of an Applications signon password. If no value is entered the minimum length defaults to 5.
- Sign-on Password No Reuse: specifies the number of days that a user must wait before being allowed to reuse a password.
- Sign-on Password Case: when available (since 11i.ATG_PF.H RUP3) it allows to make password case sensitive.
- Session Timeout: limits for Self Service Framework Applications and is specified in minutes.
Profile Options Recommendations by Oracle
As previously mentioned, every company should define its own policy. Regardless, Oracle recommends the following configurations that could be useful if you don't have a policy yet:
- SIGNON_PASSWORD_LENGTH: 8
- SIGNON_PASSWORD_HARD_TO_GUESS: YES
- SIGNON_PASSWORD_NO_REUSE: 180
- SIGNON_PASSWORD_CASE: Sensitive
- SIGNON_PASSWORD_FAILURE_LIMIT: 5
- ICX_SESSION_TIMEOUT: 30
- SIGNON_PASSWORD_CUSTOM: implement
In regards to the last item, this is available in case your corporate password policy cannot be expressed using the above parameters. If so, it is possible to implement a custom password validation function and register it with Oracle E-Business Suite. Here's an example of a Password Policy Configuration:
Customize Password Validation
As previously mentioned, if your password policy cannot be expressed using the "Sign-On" parameters, you can implement a custom function for validating new passwords. Let's see how it works. To customize password validation, create a Java class that implements the oracle.apps.fnd.security.PasswordValidation Java interface.
The interface requires three methods:
- 1. public boolean validate(String user, String password)
This method takes a user name and password, and returns True or False, indicating whether the user's password is valid or invalid, respectively.
- 2. public String getErrorStackMessageName()
- 3. public String getErrorStackApplicationName()
This method returns the application short name for the aforementioned error message.
After writing the customized password validator, set profile option SIGNON_PASSWORD_CUSTOM to the full name of the class.
So, now we know about the definitions for our password policy. The next step is to find all default password that have users in Oracle EBS. Lucky for us, EBS have scripts for these checks.
Change Default User Passwords in Applications & Database
It is well know that E-Business Suite has product users in the Database, and by default user accounts for each product have a default password. Any Apps DBA should reset those passwords after installation. The application database instance contains default, open schemas with default passwords. These accounts and corresponding passwords are well-known so keeping passwords unchanged could be risky for your security.
There are six default schemes (that can be identified by querying the table FND_ORACLE_USERID) from different sources that should be taken into account for default password changes:
- 1. Default database administration schemas
- 2. Schemas belonging to optional database features neither used nor patched by E-Business Suite
- 3. Schemas belonging to optional database features used but not patched by E-Business Suite
- 4. Schemas belonging to optional database features used and patched by E-Business Suite
- 5. Schemas common to all E-Business Suite products
- 6. Schemas associated with specific E-Business Suite products
To change passwords, you can use the following commands:
- For the schemas in categories 1, 2 and 3:
- For the schemas in categories 4, 5 and 6, use the application password change tool FNDCPASS or AFPASSWD:
How to Check Default User Passwords in Database
In 2005, Oracle released patch 4926128 that contains a SQL script that will list all open accounts with default password in your database. The SQL script was created for database versions 9i. Newer databases (10g, 11g & 12c) have a view - DBA_USERS_WITH_DEFPWD - that provides the same information. By now the value of patch 4926128 is included in the PDF document that documents how to change some old accounts that may be present in an old database.
Passwords are one of the most common targets for cybercriminals and should be properly protected. In this context, this simple tools and best practices are relevant for E-Business Suite Security. Defining a corporate password policy should be the first step to move forward, remember Oracle has suggested values for help. It is also important to teach your employees not to share passwords and your administrators to avoid default passwords.
Stay tuned, there's still more blogpost on the way about EBS Security!