Protect administrative web pages
Within Oracle Application Server, a number of web pages provide administrative
and testing functionality. These pages offer information about various services, the
server's state, and its configuration. While useful for debugging, these pages must be
restricted or disabled in a production system.
Use the configuration files httpd.conf and httpd_pls.conf to limit web page
access to a list of trusted hosts. In order to do this, create a file trusted.conf
and include it in the httpd.conf and httpd_pls.conf files.
The new file contains entries such as the following example snippet:
<Location ~ "/dev60html/run(form|rep).htm">
Order deny,allow
Deny from all
Allow from localhost <list of TRUSTED IPs>
</Location>
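There are many such Location tags in the file, each one pointing to a particular
service. The preceding snippet restricts the Forms and Reports service pages to
the authorized IP addresses.
The Order deny,allow directive tells the system how to judge the precedence when
combining Allow and Deny rules to determine whether the IP address is authorized:
Deny directives are evaluated first and Allow directives second, so a host listed
in Allow is admitted even though Deny from all also matches it.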
Replace <list of TRUSTED IPs> with host machines from which administrators
may connect.
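One way to check the result, as an added example that is not part of the original text or of any Oracle tooling: the script below parses a trusted.conf and reports every Location block that lacks the Order deny,allow / Deny from all pair or re-opens access with Allow from all, and confirms that an httpd.conf really includes the file. The sample configuration, the /example-admin location, the address 192.0.2.10 and the conf/trusted.conf path are constructed assumptions.

```python
import re

# Constructed sample of a trusted.conf; the second block is deliberately weak.
SAMPLE_TRUSTED = '''
<Location ~ "/dev60html/run(form|rep).htm">
    Order deny,allow
    Deny from all
    Allow from localhost 192.0.2.10
</Location>
<Location "/example-admin">
    Order allow,deny
    Allow from all
</Location>
'''

# Constructed httpd.conf fragment; the Include line is commented out.
SAMPLE_HTTPD = 'ServerName app.example.test\n# Include conf/trusted.conf\n'

BLOCK = re.compile(r'<Location\s+(.*?)>(.*?)</Location>', re.S | re.I)

def directives(body):
    """Return non-comment directive lines, lowercased, whitespace-normalized."""
    lines = (re.sub(r'\s+', ' ', ln.strip()).lower() for ln in body.splitlines())
    return [ln for ln in lines if ln and not ln.startswith('#')]

def audit_trusted_conf(text):
    """Map each Location target to a list of problems (empty list = OK)."""
    report = {}
    for target, body in BLOCK.findall(text):
        d = directives(body)
        problems = []
        if 'order deny,allow' not in d:
            problems.append('Order is not deny,allow')
        if 'deny from all' not in d:
            problems.append('missing Deny from all')
        if any(ln.startswith('allow from') and 'all' in ln.split()[2:] for ln in d):
            problems.append('Allow from all defeats the restriction')
        report[target.strip()] = problems
    return report

def includes_file(httpd_text, name='trusted.conf'):
    """True if an uncommented Include directive references the file."""
    return any(ln.startswith('include ') and ln.endswith(name)
               for ln in directives(httpd_text))

if __name__ == '__main__':
    print(audit_trusted_conf(SAMPLE_TRUSTED), includes_file(SAMPLE_HTTPD))
```

Run it against both httpd.conf and httpd_pls.conf, since a trusted.conf that is correct but never included protects nothing.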
E-Business Suite security
Change passwords for seeded application user accounts. Oracle comes with
seeded user accounts having default passwords. You should change the default
passwords immediately.
Note that Oracle DB provides a script that checks accounts for all default
passwords that are shipped with Oracle products, including the E-Business
Suite. E-Business Suite also ships a script that checks for default passwords of
E-Business Suite users (FND_USERS). Both scripts should be run after a major
upgrade to ensure there are no database or E-Business Suite user accounts with
default passwords.