Question

ITAR Customer Security Questions Re. SSL Use With Apps 8 SP1+

  • 20 September 2022
  • 1 reply
  • 63 views


Problem: an ITAR customer has a few questions related to the use of SSL with Apps 8 SP1+ which they must answer for their internal auditors to demonstrate compliance with government regulations.

Recreated in core:  not applicable (not reporting a problem - instead asking some questions)

Recreated in customer environment:  same as previous

Business impact: must satisfy the auditors' security concerns and comply with governmental regulations before IFS installations will be allowed to proceed.

Importance:  customer follows up with IFS Consulting Services daily to check on our response

Request from R&D: Please respond to the statements below by confirming whether the customer's own answers or proposed steps are correct. If they are incorrect, please respond by providing direction on how to make the customer's proposed steps correct. They are trying to secure their Apps 8 SP1+ middleware to comply with governmental security recommendations. NOTE: the "customer / author" appears not to be a native English speaker and therefore some grammar errors are present. The customer's statements begin here:

1. WLSSLWallet

If we apply this change, would it break the system? Or is this change not needed since it's all embedded?

Change recommendation: Set the "WLSSLWallet" directive to the location (i.e., a folder within $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/<componentName>/keystores) of the Oracle wallet created via orapki with AES encryption (-compat_v12 parameter) that contains the certificate chain served by the WebLogic host/port combination; add the directive if it does not exist.

2. How to verify the patch level?

Oracle HTTP Server 12.1.3

3. What is the operational impact if this change is made to the Oracle HTTP Server? Will it prevent IFS from writing files to certain directories, i.e. shipping documents, logs,

   1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
   2. Search for the "<Directory />" directive within the OHS server configuration scope.
   3. Set the "Deny" directive within the "<Directory />" directive to "from all"; add the directive if it does not exist.

4. Does the IFS Oracle HTTP Server use FileETag or ETag?

   1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
   2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scopes.
   3a. Set the "Header" directive to "unset ETag"; add the directive if it does not exist.
   3b. Set the "FileETag" directive to "none"; add the directive if it does not exist.

Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request to the server with the ETag. The server will then determine if the client can use the client-cached version of the web page or if a new version is required.

As part of the ETag information, the server sends to the client the index node (inode) information for the file being requested. The inode information gives an attacker sensitive information like the inode number and multipart MIME boundaries, and makes certain NFS attacks much simpler to execute.

5. Does IFS use server tokens? If changes are applied to the name of the authentication tokens, will it impact the system?

   1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf with an editor.
   2. Search for the "ServerTokens" directive at the OHS server configuration scope.
   3. Set the "ServerTokens" directive to a value of "Custom DoD-Web-Server"; add the directive if it does not exist.
END OF CUSTOMER’S STATEMENTS

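To give the support team and the customer's auditors a repeatable check for the httpd.conf items in the post above, here is an added shell script (not IFS or Oracle code, and not part of the original post) that statically audits one or more OHS .conf files for the directives the customer lists: WLSSLWallet, "Deny from all" inside "<Directory />", "Header unset ETag", "FileETag None" and a custom ServerTokens string. The instance name ohs1, the paths and the two sample configs are constructed for the demonstration; the script only checks that the directive text is present and scoped correctly, it does not validate the values against the OHS directive grammar or confirm what the running server actually sends.

```shell
#!/bin/sh
# audit_ohs_conf FILE [FILE ...]
# Static audit of OHS httpd.conf/ssl.conf text for the five hardening items.
# Prints PASS/FAIL per check; the return value is the number of failed checks.
# It inspects configuration text only: it does not prove the running server
# behaves accordingly (e.g. that mod_headers is loaded so "Header unset" applies).
audit_ohs_conf() {
    fails=0

    # 1. WLSSLWallet present and pointing into a .../keystores directory.
    if grep -Eiq '^[[:space:]]*WLSSLWallet[[:space:]]+"?[^"]*keystores' "$@"; then
        echo "PASS WLSSLWallet points into a keystores directory"
    else
        echo "FAIL WLSSLWallet missing or not under .../keystores"
        fails=$((fails + 1))
    fi

    # 3. "Deny from all" must sit inside the root <Directory /> block; a
    #    Deny in some other <Directory> block does not count, so this is
    #    scoped with awk rather than a plain grep.
    if awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+\/>/                { inroot = 1 }
        inroot && tolower($0) ~ /^[ \t]*deny[ \t]+from[ \t]+all/  { found = 1 }
        tolower($0) ~ /^[ \t]*<\/directory>/                      { inroot = 0 }
        END { if (found) exit 0; exit 1 }' "$@"; then
        echo "PASS <Directory /> contains Deny from all"
    else
        echo "FAIL <Directory /> does not deny access by default"
        fails=$((fails + 1))
    fi

    # 4a. Header unset ETag (mod_headers)
    if grep -Eiq '^[[:space:]]*Header[[:space:]]+unset[[:space:]]+ETag' "$@"; then
        echo "PASS Header unset ETag"
    else
        echo "FAIL no 'Header unset ETag'"
        fails=$((fails + 1))
    fi

    # 4b. FileETag None (no inode/mtime/size components at all)
    if grep -Eiq '^[[:space:]]*FileETag[[:space:]]+None[[:space:]]*$' "$@"; then
        echo "PASS FileETag None"
    else
        echo "FAIL FileETag is not None"
        fails=$((fails + 1))
    fi

    # 5. ServerTokens Custom <string>
    if grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Custom[[:space:]]+[^[:space:]]' "$@"; then
        echo "PASS ServerTokens uses a custom string"
    else
        echo "FAIL ServerTokens is not 'Custom <string>'"
        fails=$((fails + 1))
    fi

    return "$fails"
}

# Constructed sample configs (not from a real IFS/OHS install) so the audit
# can be exercised offline. $1 is the directory to write them into.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
ServerTokens Full
FileETag INode MTime Size
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/u01/ohs/htdocs">
    Order deny,allow
    Deny from all
</Directory>
EOF
    cat > "$1/hardened.conf" <<'EOF'
ServerTokens Custom DoD-Web-Server
FileETag None
Header unset ETag
WLSSLWallet "${DOMAIN_HOME}/config/fmwconfig/components/OHS/instances/ohs1/keystores/default"
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
EOF
}

# Demo: audit both constructed samples.
tmp=$(mktemp -d)
write_sample_confs "$tmp"
for f in weak hardened; do
    echo "== $f.conf"
    audit_ohs_conf "$tmp/$f.conf" || echo "   $? failing check(s)"
done
rm -rf "$tmp"
```

Run it as-is to see both samples, or source it and call audit_ohs_conf on $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf together with ssl.conf and any other .conf file it includes. The weak sample is deliberately built with a "Deny from all" in a non-root <Directory> block, which a plain grep would accept and this script does not. After the change and a restart, the evidence handed to the auditors should come from the server itself, for example a HEAD request whose response carries no ETag header and whose Server header shows the custom string.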

1 reply


@Markus Sandin - here is a similar question, or series of questions, to the one I sent to you a couple of weeks earlier.  It’s from an NA-based ITAR customer which has numerous security constraints and regulations with which it must comply.  They’re prompting us here in IFS Support and Consulting Services daily for updates on these questions.

Thanks - Eugene W.
