
Oracle E-Business Customisation Tech White Paper

Shasikkumar Veeramani Page 1 28/09/2009

Technical White Paper Sep-2009

Oracle Applications 11.5.10 Customisation of Oracle E-Business Suite User Management - For Corporate Security Rules

A Practical Example

Shasikkumar Veeramani Oracle Applications Techno-Functional Consultant Key Equipment Finance Limited, United Kingdom


Contents

- Introduction
- About the Document
- Corporate Security Rules
- Implementation
- Rule 1 – Corporate Security disclaimer
- Rule 2 – Rule 7 – All password validation rules
- Rule 8 – Password re-use policy
- Rule 9 – Password expire
- Error Messages Setup
- Rule 10 and Rule 11 – Username and password examples in the login page
- Additional Notes to incorporate the rule for existing Application users
- Scope for improvement and drawbacks
- Developer Reference – Code for java function


Introduction: Corporate security rules are set forth by the information security team in any company; they are the set of rules that the authentication and security model of any IT system must abide by in order to meet the corporate standards.

Oracle E-Business Suite has a very good User Management Framework which is flexible and customisable so that any company implementing Oracle E-Business suite can customise the user management framework to abide by their corporate security guidelines.

About the Document: This document explains the various corporate security rules which must be implemented as per the Corporate Security guidelines in our company, and also the implementation of this customisation in Oracle Applications 11.5.10.

This document also provides the code necessary, along with the screenshots, so that it can be extended for use in any corporate security implementation.

Corporate Security Rules: The following is the list of password security guidelines according to our Corporate Security guidelines document.

1. In the login page of Oracle Applications we must display the Corporate Security disclaimer as under: “This is a private and proprietary system. Unauthorized access is unlawful and may result in disciplinary action and/or legal proceedings. Any access to this system/network may be monitored”
2. All passwords must be exactly 8 characters in length
3. Passwords must be a mix of alpha and numeric characters with a minimum of 2 numeric characters
4. There must be at least 1 non-alphanumeric special character from $ & @
5. Password cannot be the same as the user name
6. Password cannot contain spaces
7. Identical characters cannot be adjacent
8. The same password cannot be used within a 12 month period
9. Passwords should expire automatically after 180 days
10. Have a username hint underneath the username field in the login page, adhering to the Corporate security rules
11. Have a password hint underneath the password field in the login page, adhering to the Corporate security rules

Implementation:

Rule 1 – Corporate Security disclaimer

To implement the corporate security disclaimer rule in Oracle Applications 11.5.10, follow the steps mentioned below:

- Log in to Oracle Applications as a user having the “Application Developer” responsibility


- Navigate to Application Developer -> Application -> Messages
- Query (F11) for Name “FND_SSO_SARBANES_OXLEY_TEXT” and Language “US”
- Execute the query (Ctrl + F11)
- In the bottom section “Current Message Text”, change the message text to the message below:

  “This is a private and proprietary system. Unauthorized access is unlawful and may result in disciplinary action and/or legal proceedings. Any access to this system/network may be monitored”

- Save the changes (Ctrl + S)

Note: If we want the message text to be replicated in different languages, then run the concurrent program “Generate Messages” within the Application Developer responsibility for each such language. We will not be using this, as our UI will only be in English.

- Login to Oracle Applications 11.5.10 using a user having the “System Administrator” responsibility
- Navigate to System Administrator -> Profile -> System
- Query for the profile “Local Login Mask”
- Change the value of the profile option at the site level to 103

Note: We are using 103 as we are not using all of the features of the user management framework. Setting the profile option value to 127 would enable all of the following in the login page: Username Hint, Password Hint, Cancel Button, Forgot Password Link, Register Link, Language images and the corporate policy message. Refer to the Metalink note 468971.1 for exact details about the various options.

Rule 2 – Rule 7 – All password validation rules

Rules 2 to 7 are all about validation of password changes for existing users and validation of any new user. Oracle E-Business Suite provides a customisable Java function (a sample is provided along with the E-Business standard product) which can be extended to implement the corporate security rules. The customised version of this java file for all of the above mentioned validations is given in the developer reference section at the end; it can be saved as AppsPasswordValidationCUS.java.

Note: This file would ideally be coded by a technical developer in Java for implementing the custom password validation rules. Also, the SYSADMIN user is excluded from the username length validation; this can be extended to any other users as well by changing that portion of the code to include additional users.

- Migrate the file (AppsPasswordValidationCUS.java) embedded here to the DB Tier of the Oracle Applications (under any temporary directory) as the admin user. Ideally this is done by the DBA.
- Login to the DB Tier server as the DBA user and execute the following loadjava command from the path where the java file is placed, to load the java class into the apps database:

  loadjava -user apps/<password>@<sid> -verbose -resolve -force AppsPasswordValidationCUS.java

- After executing the above command we must not encounter any errors; the output should say “Sources Loaded: 1” and also “Errors: 0”.


Note: This command loads the java class into the apps database, so during password validation this java class gets executed through the DBMS_JAVA package and validates all of the rules coded.

- Also execute the following query, logging into SQL*Plus as the “apps” user, to verify that the java class has been loaded into the database correctly:

  SELECT dbms_java.longname(object_name) class_name, status
    FROM user_objects
   WHERE object_type = 'JAVA CLASS'
     AND dbms_java.longname(object_name) LIKE '%AppsPasswordValidationCUS';

  This must return the following result:

  CLASS_NAME                                         STATUS
  -------------------------------------------------- -------
  oracle/apps/fnd/security/AppsPasswordValidationCUS VALID

- Login to Oracle Applications as a user having the “System Administrator” responsibility
- Navigate to System Administrator -> Profile -> System
- Set the value of the profile “SIGNON_PASSWORD_CUSTOM” to “oracle.apps.fnd.security.AppsPasswordValidationCUS” at Site level; this directs the user management framework to use the customised validation rules.

Note: Restart Apache at the very end to make this effective for the OA Framework pages.


- Set the value of the profile option “Signon Password Hard to Guess” to blank at Site level, as all of the password validations are implemented through the custom function, which overrides the default capability provided through this profile option.

Rule 8 – Password re-use policy

To implement the password re-use policy, that users should not re-use their password for 12 months, perform the following steps:

- Login to Oracle Applications as a user with the “System Administrator” responsibility
- Navigate to System Administrator -> Profile -> System
- Set the value of the profile “Signon Password No Reuse” to 365 at Site level


Rule 9 – Password expire

To implement password expiration after 180 days, perform the following steps:

- Login to Oracle Applications as a user with the “System Administrator” responsibility
- Navigate to System Administrator -> Security -> User
- Query for the user in the user form
- Change the Days to 180 in the Password expiration section


Error Messages Setup: The following error messages need to be created or updated, as they are the messages shown when a password validation failure occurs.

- Login to the Application using a user having the “Application Developer” responsibility
- Navigate to Application Developer -> Application -> Messages
- Create the messages according to the table below
- Query the message and update it for those messages indicated as Update in the table below

Note: Every error message ends with the list of rules, so the message itself serves as a display guideline while setting up new users and also during password changes.

Language is US and Application is Application Object Library for every message. Each message text is the rule-specific sentence listed in the table followed by the common rule list given after the table.

S.No  Message Name                    Action                                         Current Message Text (first sentence)
1     PASSWORD-KEF-NOSPACES           Create                                         Password cannot contain any spaces
2     PASSWORD-KEF-ALPHANUMERIC       Create                                         Password must contain at least one letter and at least two numbers.
3     PASSWORD-KEF-NOT-SOXCOMPLIANT   Create                                         Password must contains at least one special characters ($ # @ etc..,)
4     USERNAME-KEF-7-CHRS             Create                                         Username must be seven (7) characters in length.
5     PASSWORD-KEF-INVALID-LENGTH     Create                                         Password must be exactly 8 characters in length
6     PASSWORD-KEF-INVALID-USERNAME   Create                                         Password cannot be the same as User name
7     PASSWORD-KEF-INVALID-REPEATS    Create                                         Password must not contain repeating characters.
8     PASSWORD-INVALID-NO-REUSE       Update (query for this message and update       Must not reuse a recently used password. Please supply a different password.
                                      its text, as it is a standard Oracle message)

Common text appended to every message after its first sentence:

Please check other password rules:
1. Password cannot contain any spaces
2. All passwords must exactly be 8 characters in length
3. Passwords must be a mix of alpha and numeric characters with a minimum of 2 numeric characters
4. There must be at least 1 non-alpha numeric special character from $ # @
5. Password cannot be same as the user name
6. Password cannot contain spaces
7. Identical characters cannot be adjacent
8. Same password cannot be used in 12 month period

Note: We now want to regenerate the message text file, so run the concurrent program “Generate Messages” within Application Developer responsibility

Rule 10 and Rule 11 – Username and password examples in the login page

The following steps show the implementation of a custom username hint and password hint in the login page, more in line with the corporate rules.

- Login to the Application using a user having the “Application Developer” responsibility
- Navigate to Application Developer -> Application -> Messages
- Query for the message name “FND_SSO_HINT_USERNAME” and language “US” in the messages form
- Update the “Current Message Text” to something meaningful for the specific corporate (e.g.: “(example: veerash)”). This ensures that a meaningful hint is displayed for the username in the login screen
- Query for the message name “FND_SSO_HINT_PASSWORD” and language “US” in the same messages form
- Update the “Current Message Text” to something meaningful for the specific corporate (e.g.: “(example: mvs#ek3)”)


Additional Notes to incorporate the rule for existing Application users

All existing users now need to have their passwords reset and their expiration dates set according to the new standards. Below is the SQL to do so.

/* Purpose:
   - To make the password lifespan 180 days for all existing business users
   - To make all business users' passwords expire so that they need to change them upon next login

   Enhancement Notes:
   - We could have a concurrent program which takes a username as input and expires the password for that user (and, if no username is passed, expires all business users' passwords)
   - If we use the above feature then we might want to consider having a separate update statement for changing the password lifespan
*/
UPDATE FND_USER
   SET PASSWORD_DATE = NULL,
       PASSWORD_LIFESPAN_DAYS = 180
 WHERE USER_NAME NOT IN ('AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM',
                         'ASGUEST', 'AUTOINSTALL', 'CONCURRENT MANAGER', 'FEEDER SYSTEM',
                         'GUEST', 'IBEGUEST', 'IBE_ADMIN', 'IBE_GUEST', 'IEXADMIN',
                         'INITIAL SETUP', 'IRC_EMP_GUEST', 'IRC_EXT_GUEST', 'MOBILEADM',
                         'MULTIORGUSER', 'OLM1BATCH', 'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN',
                         'PORTAL30', 'PORTAL30_SSO', 'SYSADMIN', 'WIZARD', 'XML_USER');

COMMIT;
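As an added illustration (not part of the white paper), the enhancement noted above is worked through in Python against an in-memory SQLite stand-in for FND_USER: the lifespan change and the expiry are separate statements, the expiry takes an optional username, and the exclusion list from the UPDATE above is always applied so that a named system account is left untouched. The table rows are constructed; Oracle would use :name bind variables rather than the ? placeholders SQLite uses, and in a real concurrent program this logic would sit in PL/SQL.

```python
import sqlite3
from typing import Dict, Optional, Tuple

# Seeded/system accounts excluded by the page's UPDATE (copied from the page).
SYSTEM_ACCOUNTS = (
    'AME_INVALID_APPROVER', 'ANONYMOUS', 'APPSMGR', 'ASGADM', 'ASGUEST',
    'AUTOINSTALL', 'CONCURRENT MANAGER', 'FEEDER SYSTEM', 'GUEST', 'IBEGUEST',
    'IBE_ADMIN', 'IBE_GUEST', 'IEXADMIN', 'INITIAL SETUP', 'IRC_EMP_GUEST',
    'IRC_EXT_GUEST', 'MOBILEADM', 'MULTIORGUSER', 'OLM1BATCH',
    'OP_CUST_CARE_ADMIN', 'OP_SYSADMIN', 'PORTAL30', 'PORTAL30_SSO', 'SYSADMIN',
    'WIZARD', 'XML_USER',
)
# Bound exclusion predicate: one placeholder per system account, never string-concatenated names.
_EXCLUDE = "USER_NAME NOT IN (" + ",".join("?" * len(SYSTEM_ACCOUNTS)) + ")"


def new_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for FND_USER with constructed rows (only the three columns used)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE FND_USER (USER_NAME TEXT PRIMARY KEY, "
        "PASSWORD_DATE TEXT, PASSWORD_LIFESPAN_DAYS INTEGER)"
    )
    conn.executemany("INSERT INTO FND_USER VALUES (?, ?, ?)", [
        ("VEERASH", "2009-01-15", 90),   # constructed business user
        ("JSMITH", "2009-05-01", 90),    # constructed business user
        ("SYSADMIN", "2009-01-01", 90),  # seeded account, must be left alone
        ("GUEST", None, 90),             # seeded account, must be left alone
    ])
    return conn


def set_lifespan(conn: sqlite3.Connection, days: int = 180) -> int:
    """Separate statement for the lifespan, as the page's enhancement note suggests.
    Returns the number of business-user rows updated."""
    cur = conn.execute(
        f"UPDATE FND_USER SET PASSWORD_LIFESPAN_DAYS = ? WHERE {_EXCLUDE}",
        (days, *SYSTEM_ACCOUNTS),
    )
    return cur.rowcount


def expire_passwords(conn: sqlite3.Connection, username: Optional[str] = None) -> int:
    """Force a password change at next login (PASSWORD_DATE = NULL) for one business
    user, or for every business user when no username is given. System accounts are
    never touched, even when named explicitly. Returns the number of rows updated."""
    sql = f"UPDATE FND_USER SET PASSWORD_DATE = NULL WHERE {_EXCLUDE}"
    params = list(SYSTEM_ACCOUNTS)
    if username is not None:
        sql += " AND USER_NAME = ?"
        params.append(username.upper())   # FND_USER names are stored in upper case
    cur = conn.execute(sql, params)
    return cur.rowcount


def snapshot(conn: sqlite3.Connection) -> Dict[str, Tuple[Optional[str], int]]:
    """USER_NAME -> (PASSWORD_DATE, PASSWORD_LIFESPAN_DAYS) for inspection after the updates."""
    rows = conn.execute("SELECT USER_NAME, PASSWORD_DATE, PASSWORD_LIFESPAN_DAYS FROM FND_USER")
    return {name: (pdate, days) for name, pdate, days in rows}


if __name__ == "__main__":
    db = new_demo_db()
    print("lifespan rows:", set_lifespan(db))              # 2
    print("expire SYSADMIN:", expire_passwords(db, "SYSADMIN"))  # 0: excluded
    print("expire jsmith:", expire_passwords(db, "jsmith"))      # 1
    print("expire all:", expire_passwords(db))               # 2
    print(snapshot(db))
```

The row counts are the check a practitioner wants before running the real statement: naming a seeded account returns 0, and the unfiltered run should match the number of business users, not the total row count of FND_USER.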


Scope for improvement and drawbacks: The following are the drawbacks that were found while customising the user management framework.

- The automatic password reset functionality provided by the Oracle User Management framework cannot be used when we have a customised password validation rule (based on the java function), as the password generated by Oracle does not comply with the corporate rules coded in the java function and hence we would get an error in the password reset workflow.

Note: As per the research done in Metalink, the Release 12 User Management Framework addresses this issue and we would be able to fully leverage the customisation with all of the default user management functionality.

Developer Reference – Code for java function

// Disclaimer:
// This sample is provided for educational purposes only. It is NOT supported
// by Oracle World Wide Technical Support. The sample has been tested and
// appears to work as intended. However, you should always test in YOUR
// environment before relying on it.
//
// Source File Name: AppsPasswordValidationCUS.java
//
package oracle.apps.fnd.security;

import oracle.apps.fnd.common.VersionInfo;

// Referenced classes of package oracle.apps.fnd.security:
//     PasswordValidation

public class AppsPasswordValidationCUS implements PasswordValidation
{
    // Message name placed on the error stack for the first rule that fails
    private String m_errorStackMessageName;

    // User exempt from the username length rule; extend this check to
    // include further users if required
    private static final String SADMIN = "SYSADMIN";

    public String getErrorStackApplicationName()
    {
        return "FND";
    }

    public String getErrorStackMessageName()
    {
        return m_errorStackMessageName;
    }

    public boolean validate(String username, String password)
    {
        // Password Rule 2: Username and password cannot be null or empty.
        // Checked first so that a null value reports PASSWORD-INVALID instead
        // of throwing a NullPointerException from length()
        if (password == null || password.length() == 0
            || username == null || username.length() == 0)
        {
            m_errorStackMessageName = "PASSWORD-INVALID";
            return false;
        }
        // Username Rule 1: Username must be seven (7) characters in length
        // (SYSADMIN excluded)
        if (username.length() != 7 && !username.equals(SADMIN))
        {
            m_errorStackMessageName = "USERNAME-KEF-7-CHRS";
            return false;
        }
        // Password Rule 1: Password must be exactly 8 characters in length
        if (password.length() != 8)
        {
            m_errorStackMessageName = "PASSWORD-KEF-INVALID-LENGTH";
            return false;
        }
        // Password Rule 3: Username should not be (contained in) the password
        if (!validateNoUsername(username, password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-INVALID-USERNAME";
            return false;
        }
        // Password Rule 4: Password should not contain spaces
        if (!validateSpaces(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-NOSPACES";
            return false;
        }
        // Password Rule 5: Password cannot contain identical adjacent characters
        if (!validateNoRepeats(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-INVALID-REPEATS";
            return false;
        }
        // Password Rule 6: Password must be alphanumeric and contain at least 2 numerics
        if (!validateLettersAndDigits(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-ALPHANUMERIC";
            return false;
        }
        // Password Rule 7: Password must have at least 1 special character (@, # or $)
        if (!validateSOXPassword(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-NOT-SOXCOMPLIANT";
            return false;
        }
        return true;
    }

    // Password Rule 3: true when the password does not contain the username
    // (case-insensitive)
    private boolean validateNoUsername(String p_username, String p_password)
    {
        return p_password.toUpperCase().indexOf(p_username.toUpperCase()) == -1;
    }

    // Password Rule 4: true when the password contains no whitespace
    private boolean validateSpaces(String p_password)
    {
        for (int i = 0; i < p_password.length(); i++)
        {
            if (Character.isWhitespace(p_password.charAt(i)))
                return false;
        }
        return true;
    }

    // Password Rule 5: true when no two adjacent characters are identical
    private boolean validateNoRepeats(String p_password)
    {
        for (int i = 1; i < p_password.length(); i++)
        {
            if (p_password.charAt(i) == p_password.charAt(i - 1))
                return false;
        }
        return true;
    }

    // Password Rule 6: true when there is at least one letter and at least two digits
    private boolean validateLettersAndDigits(String p_password)
    {
        boolean hasLetter = false;
        int digitCount = 0;
        for (int i = 0; i < p_password.length(); i++)
        {
            char c = p_password.charAt(i);
            if (Character.isLetter(c))
                hasLetter = true;
            if (Character.isDigit(c))
                digitCount++;
        }
        return hasLetter && digitCount >= 2;
    }

    // Password Rule 7: true when at least one of @, # or $ is present
    private boolean validateSOXPassword(String p_password)
    {
        for (int i = 0; i < p_password.length(); i++)
        {
            char c = p_password.charAt(i);
            if (c == '@' || c == '#' || c == '$')
                return true;
        }
        return false;
    }
}
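The rules in the Corporate Security Rules list and the Java class above are exercised here by an added Python re-implementation with a small test driver. This is not code from the white paper and is not what gets loaded into the database; it is a stand-alone oracle for checking which message name a given username and password pair should produce before the Java class is deployed. The message names are those from the Error Messages Setup table, the special-character set is the one the Java actually checks (@, # and $), and the sample usernames and passwords are constructed. As in the Java, the null/empty check runs first and the username rule treats "contains" the same as "equals".

```python
from typing import List, Optional, Tuple

# Message names from the page's Error Messages Setup table (PASSWORD-INVALID is
# the standard Oracle message the Java uses for a null or empty value).
MSG_NULL    = "PASSWORD-INVALID"
MSG_USER_LEN = "USERNAME-KEF-7-CHRS"
MSG_PWD_LEN = "PASSWORD-KEF-INVALID-LENGTH"
MSG_USER_IN = "PASSWORD-KEF-INVALID-USERNAME"
MSG_SPACES  = "PASSWORD-KEF-NOSPACES"
MSG_REPEATS = "PASSWORD-KEF-INVALID-REPEATS"
MSG_ALNUM   = "PASSWORD-KEF-ALPHANUMERIC"
MSG_SPECIAL = "PASSWORD-KEF-NOT-SOXCOMPLIANT"

# Special characters accepted by the page's validateSOXPassword()
SPECIALS = "@#$"
# Accounts exempt from the 7-character username rule (the page exempts SYSADMIN;
# extend this set to exempt further accounts).
USERNAME_LENGTH_EXEMPT = {"SYSADMIN"}


def validate(username: Optional[str], password: Optional[str]) -> Optional[str]:
    """Return None when the pair satisfies every rule, otherwise the FND message
    name the Java validate() would put on the error stack for the first failing
    rule, checked in the same order as the Java class."""
    # Null/empty is checked before anything reads a length, so a missing value
    # yields PASSWORD-INVALID rather than an exception.
    if not username or not password:
        return MSG_NULL
    if username not in USERNAME_LENGTH_EXEMPT and len(username) != 7:
        return MSG_USER_LEN
    if len(password) != 8:
        return MSG_PWD_LEN
    # The Java uses indexOf(), so a password that merely contains the username fails too.
    if username.upper() in password.upper():
        return MSG_USER_IN
    if any(c.isspace() for c in password):
        return MSG_SPACES
    if any(a == b for a, b in zip(password, password[1:])):
        return MSG_REPEATS
    if not (any(c.isalpha() for c in password) and sum(c.isdigit() for c in password) >= 2):
        return MSG_ALNUM
    if not any(c in SPECIALS for c in password):
        return MSG_SPECIAL
    return None


# Constructed test cases: (username, password, expected message name or None).
CASES: List[Tuple[Optional[str], Optional[str], Optional[str]]] = [
    ("veerash", "mvs#ek3", MSG_PWD_LEN),   # the page's hint example is 7 characters, not 8
    ("veerash", "mvs#ek31", None),         # compliant
    ("veerash", None, MSG_NULL),
    ("bob", "mvs#ek31", MSG_USER_LEN),
    ("SYSADMIN", "mvs#ek31", None),        # exempt from the username rule
    ("veerash", "veerash1", MSG_USER_IN),
    ("veerash", "ab#ek 31", MSG_SPACES),
    ("veerash", "aa#ek312", MSG_REPEATS),
    ("veerash", "ab#cdef1", MSG_ALNUM),    # only one digit
    ("veerash", "abcdef12", MSG_SPECIAL),  # no @, # or $
]


def run_cases(cases=CASES) -> List[Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]]:
    """Return (username, password, expected, actual) for every case whose result differs."""
    failures = []
    for user, pwd, expected in cases:
        actual = validate(user, pwd)
        if actual != expected:
            failures.append((user, pwd, expected, actual))
    return failures


if __name__ == "__main__":
    bad = run_cases()
    print("all cases passed" if not bad else bad)
```

Running the cases shows one thing the paper does not point out: the password hint "mvs#ek3" configured under Rule 11 is seven characters long, so a user who copies its shape will fail Rule 2; a hint of eight characters would be consistent with the rules the messages list.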