patchVantage E-Business Suite Security Patching
Abstract: Understand our engagement model. Ensure your ERP system is secure and compliant.
CONTENTS
Managed Security Upgrades
1.1 Introduction
1.2 Engagement Model
1.3 Additional Costs
1.4 Pricing
1.5 Cloud Mirror
1.6 Deployment Methods
1.7 Documentation
1.8 Components Patched
Appendix
1.9 PatchVantage Platform
1.10 Example E-Business Suite Patch Analysis
1.11 Example of Generated Patch Executions
1.12 Sample 12.2 Security Upgrade Release
1.13 Driver Files and Automated Patching Elements
Managed Security Upgrades E-Business Suite
1.1 Introduction
Oracle E-Business Suite (EBS) is a leading enterprise resource planning (ERP) solution designed to help organizations manage a global business, improve decision making, reduce costs and increase corporate performance. Over 21,000 global organizations use EBS for mission critical applications, including financial management, customer relationship management (CRM), supply chain management (SCM), human capital management (HCM), logistics, retail, procurement and more. According to Onapsis, fewer than half of the 21,000 E-Business Suite customers applied the Jan CPU patches.
However, with more ERP applications directly connected to the web and large fines introduced by new laws like CCPA, it will become a necessity to resolve this. One of the main reasons Cleveland Police are re-platforming is the need to apply security patches. Many organizations are adding modules which interface their E-Business Suite systems with the web. Our solution will reduce both operational and cyber risk, thereby avoiding expensive data breaches.
[Figure: INCIDENT TIMELINE. Phase labels: Incident discovery, Incident triage, Impact management, Business recovery.]
Days or weeks
• Stop compromises in progress
• Remediate security controls
• Communicate with customers, partners, and other external parties
• Address disruption and business continuity issues
Weeks or months
• Create interim infrastructure or operations
• Take or prepare for legal action
• Address regulatory and audit issues
• Manage client, partner, and other relationships
Months or years
• Repair damage to the business
• Re-design processes and assets
• Invest in cyber programs to emerge stronger
Callouts: Incident triage efforts comprise <10% of total impact. Recovery stretches over years.
Our solution is to offer a quarterly patching service which will quickly progress the testing and acceptance of the security patches at minimal cost. Typically, E-Business Suite DBAs cost around 200K USD per annum, but we are offering specific services at a fraction of that cost. We primarily use automation to lower the cost of the service to the customer, but also because it delivers better outcomes. We would completely manage the setup and initial application every 3 months. The customer gets a comprehensive solution that includes all the required CPUs (plus ETCC). In addition, the software generates key documentation to verify and inform the customer of the upgrades. The result is a very short engagement that offers less downtime, more accuracy, less reliance on skilled DBAs, a detailed audit trail and full documentation. Most large companies prefer transparent processes that are proven to work. Military, Police and Defense contractors require fast and accurate patch updates to protect key infrastructure against attacks. Our solution is compatible with both 12.1 and 12.2 versions of E-Business Suite.
1.2 Engagement Model
Based on actual events, the following engagement model will be offered and has proven results. Delivery times are estimates for customers who have up-to-date PSU systems only.
Table 1 How the service will be delivered

| Task | Description | Duration |
| --- | --- | --- |
| Setup and Discovery | This is a free service combining health check and installation of software. | 1 or 2 Days (one off task) |
| Analysis | Each quarter we provide the patches for all versions of EBS. However, some patches may need to be rolled back or other ones included. | 1 Day; 15th Jan, Apr, Jul, Oct |
| Download Patches | Automated script per customer downloads patches. For legal reasons it must use the Oracle CSI. Patch Analysis zips will be provided to customer. | 0.5 Day; Automated |
| ETCC | Oracle provides a script one month after the CPU which indicates the exact patches required for Middleware and Database Interoperability. | 0.5 Day; 15th Feb, May, Aug, Nov |
| Patch Per Environment | Apply Patches (RDBMS, APPS, FMW, Java) | 0.5 Day per system; Automated |
| Documentation | Check Space Requirements, Compatibility with other patches etc. | Automated |
1.3 Additional Costs
Depending on the implementation, additional costs will apply.
▪ RAC – Multiple nodes require dual node patching with significant enhancements to DataPatch
▪ GRID – CPU patching of the GRID is a complex procedure which we can execute.
▪ Multiple EBS Nodes – Additional patching on 12.1.3 (12.2 adop does not require this)
▪ Active Data Guard – Customers such as NATO who are moving to Azure will implement ADG instead of RAC, but this still requires patching of the standby server
▪ Impact Analysis – Most customers have customizations. We provide a list of the patches to analyze. We can also automate this procedure for a small additional cost.
▪ Cloning – We expect recent copies of Production to test the patches. This means the customer is responsible for Cloning. We do however provide our fully automated cloning procedure for a one-off implementation charge. Scripts can compress production cores to smaller development servers.
▪ Production – Normally we would apply the solution on the DBA and UAT environments. The customer would then use the software to finalize on Production. We can operate this procedure at extra cost.
▪ Enterprise Tools – Configuration with OEM and Ansible can be provided at extra cost
1.4 Pricing
Initially we recommend limiting patching to essential environments such as DBA and UAT, which will offer a low price point and encourage faster decisions. This reduces risk for the customers and, once the service is established, they can purchase more time if they want. Our model is pay-as-you-go: customers obtain enhanced DBA services using automation for a fraction of the normal price.
1.5 Rapid Critical Updates Service
For military or police organizations we guarantee emergency and battle-short service. All consultants have security clearance.
1.6 Cloud Mirror
We will maintain a VISION version of E-Business Suite on AWS at no extra cost. This will be used to pre-test deployments and will be specific to the customer's EBS version.
1.7 Deployment Methods
There are multiple ways to deploy the software.
COMMAND LINE (CLI) – Easy to use script (Python)
OEM – Customers with agents installed can deploy using Console or emcli
ANSIBLE – Agentless SSH solution for customers who have already configured this.
PATCHVANTAGE – Agent/Agentless with web service and console interface
1.8 Documentation
Security patching without non-repudiation is practically worthless. It may be scrutinized by auditors and pen testers. In the event of a breach, jobs will depend on it.

| Content | Details | Target Audience | Format |
| --- | --- | --- | --- |
| History | Signed Report Verifying Applied Patch History | Managers – Ensure nothing missing | |
| Instructions | Detailed Patch Executions; Backup Manual Approach | DBAs – Ensure Safe & Compliant | |
| Log Files | All Oracle Patch Log Files Collected from Database & Apps Servers | DBAs – Inspect for errors and non-repudiation | |
| Release | Exact Contents of Security Upgrade | End User / Business Unit | |
| ETCC | Validation; Oracle Security Success | End User / Manager – Proof Quarterly Update Done | |
1.9 Components Patched
Here is a definitive list of the software components patched across all tiers.
*** RAC and GRID Supported
Database Versions Supported: 12c, 18c, 19c
E-Business Suite Versions Supported: 12.1.3, 12.2.x

| Tier | Software | Utility |
| --- | --- | --- |
| Grid | Generic script using opatchauto is applied | opatchauto |
| RDBMS | Full Database Patching (apply & rollback) | opatch |
| RDBMS | Data Patch – Post SQL | datapatch |
| RDBMS | Java Updated: JRE in ORACLE_HOME/appsutil | jre |
| FMW | 10.1.2 Forms in ORACLE_HOME (12.1.3) | opatch |
| FMW | 10.1.3 Forms in IAS_ORACLE_HOME (12.1.3) | opatch |
| FMW | FMW_HOME/webtier | opatch |
| FMW | FMW_HOME/oracle_common | opatch |
| FMW | WebLogic BSU | bsu |
| EBS | APPL_TOP 12.2.3 | adpatch |
| EBS | APPL_TOP 12.2.x | adop |
| EBS | TXK and AD Latest Technology Stack (bi-annually) | adop |
| EBS | Java Updated: JDK 32-bit in ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 32-bit in IAS_ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 32-bit in ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 64-bit in IAS_ORACLE_HOME | jdk |
| EBS | Java Updated: JDK 64-bit in COMMON_TOP/util | jdk |
| EBS | Java Updated: JDK 32-bit in COMMON_TOP/util | jdk |
| EBS | DBA Analyzers: Automatically add new releases of DBA Analyzers | shell |
Appendix
Centralize, Collaborate and Scale
1.10 PatchVantage Platform
The patchVantage platform enables organizations to automate the execution of patching, cloning, backups and other administration functions for Oracle and other databases and target types. In addition to being initiated through the web interface, all functions can also be performed through the command line using a set of APIs. The purpose of this document is to guide the reader through executing some API calls to demonstrate the power of the patchVantage platform. Additionally, sample shell scripts are provided to illustrate how these APIs can be integrated into existing systems. The database / server environments used in this document are provided by patchVantage in the AWS cloud. The reader is not required to install or set up any software on their own infrastructure. The technology stack consists of an ORDS web interface running on top of an Oracle Database. It is designed to manage large numbers of Linux Servers, Databases and Applications. The solution falls into the category of Database as a Service (DBaaS).
1.11 Example E-Business Suite Patch Analysis
Analysis using mature OAM and other reports will be used to minimize impact.
1.12 Example of Generated Patch Executions
Example auto-generated documentation, customized upon request.
1.13 Sample 12.2 Security Upgrade Release
The contents of each release are delivered so that the customer knows what they are getting.

| Component | Patch | Purpose |
| --- | --- | --- |
| GRID | 30920127 | Grid Infrastructure Apr 2020 Release Update 12.2.0.1.200414 |
| RDBMS | 30783885 | April 2020 CPU Database Bundle Patch 12.1.0.2.200414 |
| RDBMS | 30783885 | Oracle JavaVM Component 12.1.0.2.200414 Database PSU |
| RDBMS | JRE | jre1.7.0_261 |
| E-BUSINESS SUITE | JDK | jdk1.7.0_261 |
| E-BUSINESS SUITE | 26834480 | AD R12.AD.C.11 PATCH |
| E-BUSINESS SUITE | 28840822 | R12.TXK.C.DELTA.11 |
| E-BUSINESS SUITE | 30812019 | ORACLE APPLICATIONS RELEASE 12.2: CPU PATCH FOR APR 2020 |
| E-BUSINESS SUITE | 30739126 | Fix for Bug 30739126 |
| E-BUSINESS SUITE | 30980446 | Fix for Bug 30980446 |
| E-BUSINESS SUITE | 28782643 | 'CANNOT RESIZE BUFFER' BECAUSE FILTER RUNNING RUNFUNCTION.INIT() |
| MIDDLEWARE WL | 13845626 | This patch contains Smart Update patch FC8V for WebLogic Server 10.3.6.0.200414 |
| MIDDLEWARE WL | 16684205 | This patch contains Smart Update patch XGXM for WebLogic Server 10.3.6.0.20041 |
| MIDDLEWARE WL | 30857748 | Oracle WebLogic Server Patch Set Update 10.3.6.0.200414 |
| MIDDLEWARE WEBTIER | 31047338 | Interim Patch for Bug: 31047338 |
| MIDDLEWARE WEBTIER | 30332567 | Interim Patch for Bug: 30332467 |
| MIDDLEWARE FORMS | 26825525 | Interim Patch for Base Bugs: 26825525 |
| E-BUSINESS SUITE | 22999977 | REPORT MANAGER CONSOLIDATED FIXES FOR MICROSOFT OFFICE 2016 |
| E-BUSINESS SUITE | 23645622 | GL: Add Java Web Start Support to AHM Java applet |
| E-BUSINESS SUITE | 24498616 | AD: Add Java Web Start support to Oracle E-Business Suite |
| E-BUSINESS SUITE | 25380324 | Oracle E-Business Suite Java Applets launching with Java Web Start |
| E-BUSINESS SUITE | 25449925 | TXK: Add Java Web Start support to Oracle E-Business Suite |
| E-BUSINESS SUITE | 28713780 | 1OFF:12.2.6+:Oracle Workflow Java Applets launching with Java Web Start |
| E-BUSINESS SUITE | 30674081 | RENEW DIGITAL SIGNATURE CERTIFICATE VALID TILL Nov 2021 ON WEB-ADI DOCUMENT |
| EBA DBA ANALYZERS | None | Oracle Support Proactive Services Bundle Perl Menu [200.86] |
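
An added example (not patchVantage code) of the check a patch-history report is meant to support: each opatch-managed patch in the sample release above is looked up in the inventory of its own Oracle home, and anything missing or not part of the release is reported. The inventory text is constructed in the style of `opatch lsinventory` output, and the function names are hypothetical.

```python
import re

# Opatch-managed rows copied from the sample release table: (component, patch).
RELEASE = [
    ("GRID", "30920127"),
    ("RDBMS", "30783885"),
    ("MIDDLEWARE WEBTIER", "31047338"),
    ("MIDDLEWARE WEBTIER", "30332567"),
    ("MIDDLEWARE FORMS", "26825525"),
]

# Constructed inventory text per Oracle home, in the style of
# `opatch lsinventory`; the dates and patch 99999999 are invented.
INVENTORIES = {
    "GRID": "Patch  30920127     : applied on Tue Apr 21 08:40:55 UTC 2020\n",
    "RDBMS": (
        "Patch  30783885     : applied on Tue Apr 21 09:14:02 UTC 2020\n"
        "Patch  99999999     : applied on Mon Mar 02 17:30:00 UTC 2020\n"
    ),
    "MIDDLEWARE WEBTIER":
        "Patch  31047338     : applied on Wed Apr 22 11:02:31 UTC 2020\n",
}

PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+)$", re.M)

def applied_patches(inventory_text):
    """Return {patch_number: applied_on} parsed from one home's inventory."""
    return {n: when.strip() for n, when in PATCH_LINE.findall(inventory_text)}

def audit(release, inventories):
    """Return (missing, unexpected) as lists of (component, patch_number).

    missing: release rows with no record in that component's inventory,
    including components for which no inventory was collected at all.
    unexpected: applied patches that the release does not list.
    """
    applied = {c: applied_patches(t) for c, t in inventories.items()}
    missing = [(c, n) for c, n in release if n not in applied.get(c, {})]
    wanted = set(release)
    unexpected = sorted((c, n) for c, found in applied.items()
                        for n in found if (c, n) not in wanted)
    return missing, unexpected

if __name__ == "__main__":
    missing, unexpected = audit(RELEASE, INVENTORIES)
    for comp, num in missing:
        print(f"MISSING     {comp:20} {num}")
    for comp, num in unexpected:
        print(f"UNEXPECTED  {comp:20} {num}")
```

A component with no collected inventory is reported as missing rather than skipped, so a gap in log collection cannot pass as a clean result.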
1.14 Driver Files and Automated Patching Elements
Configuration management makes use of a human readable driver file that controls the upgrade. The file has a list of elements, each assigned to an infrastructure tier (Database, EBS, FMW). During execution the software transforms the elements into physical patching actions on the servers. Regular TXK and AD upgrades are included.

| Tier | Tool | Comment |
| --- | --- | --- |
| Grid | opatchauto | ACFS Cluster and Kernel Upgrades |
| Database | opatch | Handles apply or rollback. |
| Database | Stop Database + Listener | RAC and non-RAC |
| Database | Start Database + Listener | RAC and non-RAC |
| Database | Run Database auto config | |
| Database | Install latest JRE | Location ORACLE_HOME/appsutil |
| Database | Datapatch | Includes RDBMS upgrade mode and RAC cluster option |
| Database | Clean Nodes | EXEC FND_CONC_CLONE.SETUP_CLEAN |
| Database | utlrp | Compile Objects |
| E-Business Suite | adop | Makes use of internal password files |
| E-Business Suite | adpatch | Generates a new defaults file each run |
| E-Business Suite | adadmin | All adadmin commands (see Options in later section) |
| E-Business Suite | admkappsutil | Generate appsutil.zip + Installs on Database Node(s) |
| E-Business Suite | adstrtall | Start All Services / Start Primary Node First |
| E-Business Suite | Compile JSP | |
| E-Business Suite | adstpall | Stop All Services / Manage Concurrent Manager |
| E-Business Suite | Run Application auto config | |
| E-Business Suite | adgrants | Check version and apply using SYSDBA |
| E-Business Suite | Install latest JDK | Multiple Locations |
| FMW | Fusion Middleware | opatch used to update multiple locations |
| E-Business Suite | Custom Templates | TXK patches require update and merging |
| FMW | Weblogic BSU | Patching / Rollback of previous JARS included |
| E-Business Suite | Support | Automatically add new releases of DBA Analyzers |