
Technical White Paper

Sep-2009

Oracle Applications 11.5.10


Customisation of Oracle E-Business Suite User Management - For Corporate Security Rules

A Practical Example

Shasikkumar Veeramani
Oracle Applications Techno-Functional Consultant
Key Equipment Finance Limited, United Kingdom

Shasikkumar Veeramani Page 1 28/09/2009


Contents

Introduction
About the Document
Corporate Security Rules
Implementation
  Rule 1 – Corporate Security disclaimer
  Rule 2 – Rule 7 – All password validation rules
  Rule 8 – Password re-use policy
  Rule 9 – Password expiry
  Error Messages Setup
  Rule 10 and Rule 11 – Username and password examples in the login page
Additional Notes to incorporate the rules for existing Application users
Scope for improvement and drawbacks
Developer Reference – Code for the Java validation class



Introduction:
Corporate security rules are set by the information security team of a company; they are
the standard that the authentication and security model of every IT system must follow.

Oracle E-Business Suite ships a User Management framework that is flexible and
customisable, so a company implementing the suite can adapt the framework to its own
corporate security guidelines.

About the Document:

This document lists the corporate security rules that had to be implemented in our company
as per the Corporate Security guidelines, and describes how the customisation was
implemented in Oracle Applications 11.5.10.

It also provides the code and the screenshots needed, so that the approach can be extended
to any other corporate security implementation.

Corporate Security Rules:

The following password security rules are taken from our Corporate Security guidelines
document.

1. The login page of Oracle Applications must display the corporate security disclaimer
   below:

   "This is a private and proprietary system. Unauthorized access is unlawful and may
   result in disciplinary action and/or legal proceedings. Any access to this
   system/network may be monitored"

2. All passwords must be exactly 8 characters in length
3. Passwords must be a mix of alphabetic and numeric characters, with a minimum of 2
   numeric characters
4. There must be at least 1 non-alphanumeric special character from $ # @ (the validation
   class and the error messages below accept exactly these three characters; any other
   symbol, & for instance, is rejected)
5. The password cannot be the same as the user name
6. The password cannot contain spaces
7. Identical characters cannot be adjacent
8. The same password cannot be reused within a 12 month period
9. Passwords must expire automatically after 180 days
10. Display a username hint underneath the username field in the login page, adhering to
    the corporate security rules
11. Display a password hint underneath the password field in the login page, adhering to
    the corporate security rules

Note: the validation class in the Developer Reference additionally enforces that user
names (other than SYSADMIN) are exactly 7 characters long. This is a local naming
convention rather than one of the rules above.

Implementation:
Rule 1 – Corporate Security disclaimer

To implement the corporate security disclaimer in Oracle Applications 11.5.10 follow the
steps below.

- Log in to Oracle Applications as a user having the "Application Developer" responsibility
- Navigate to Application Developer -> Application -> Messages
- Enter query mode (F11), enter the Name "FND_SSO_SARBANES_OXLEY_TEXT" and the Language
  "US", then execute the query (Ctrl + F11)
- In the bottom section "Current Message Text", change the message text to the text below

  "This is a private and proprietary system. Unauthorized access is unlawful and may
  result in disciplinary action and/or legal proceedings. Any access to this
  system/network may be monitored"

- Save the changes (Ctrl + S)

Note: If the message text must also appear in other languages, run the concurrent program
"Generate Messages" from the Application Developer responsibility for each such language.
We do not do this here because our UI is English only.

- Log in to Oracle Applications 11.5.10 as a user having the "System Administrator"
  responsibility
- Navigate to System Administrator -> Profile -> System
- Query for the profile "Local Login Mask"
- Change the value of the profile option at the site level to 103

Note:
The value of "Local Login Mask" is a bit mask selecting the elements the login page shows:
1 username hint, 2 password hint, 4 Cancel button, 8 Forgot Password link, 16 Register
link, 32 language images, 64 corporate policy (Sarbanes-Oxley) message. We use 103
(= 64 + 32 + 4 + 2 + 1), which shows the policy message, the language images, the Cancel
button and both hints but leaves out the Forgot Password and Register links, because we do
not use those features of the user management framework. Setting the value to 127 would
enable all seven. Refer to Metalink note 468971.1 for the exact details of the options.

Rule 2 – Rule 7 – All password validation rules

Rules 2 to 7 are validated whenever a password is set, both for new users and for password
changes of existing users. Oracle E-Business Suite provides a customisable Java validation
class (a sample ships with the standard product) which can be extended to implement the
corporate security rules.

The customised version of this Java file, implementing all the validations above, is given
in the Developer Reference section at the end; save it as AppsPasswordValidationCUS.java.

Note: this file would normally be written by a technical developer in Java. The SYSADMIN
user is excluded from the username length validation; the exclusion can be extended to
other accounts by changing that part of the code. Validate the class against a set of
known-good and known-bad passwords before loading it: a bug here either locks every user
out of changing their password or silently weakens the policy.

- Copy the file (AppsPasswordValidationCUS.java) to the DB tier of Oracle Applications,
  under any temporary directory, as the applications administration OS user; this is
  normally done by the DBA
- Log in to the DB tier server as the DBA user and run the following loadjava command from
  the directory where the Java file is placed, to load the class into the APPS schema

  loadjava -user apps/<password>@<sid> -verbose -resolve -force AppsPasswordValidationCUS.java

  Putting the APPS password on the command line leaves it in the shell history and shows
  it to other OS users in the process list while the command runs; clear the history
  afterwards and follow your DBA standards for supplying credentials.

- The command must complete without errors; the output should include "Sources Loaded: 1"
  and "Errors: 0"



Note: This command loads the Java source and compiles it into the APPS schema, so during
password validation the class is executed inside the database through the DBMS_JAVA
package and applies all the rules coded in it.

- Also run the following query in SQL*Plus as the APPS user to verify that the Java class
  is loaded and valid

  SELECT dbms_java.longname(object_name) class_name, status
    FROM user_objects
   WHERE object_type = 'JAVA CLASS'
     AND dbms_java.longname(object_name) LIKE '%AppsPasswordValidationCUS';

  This must return the following result:

  CLASS_NAME                                         STATUS
  -------------------------------------------------- -------
  oracle/apps/fnd/security/AppsPasswordValidationCUS VALID

  No row, or a status other than VALID, means the class did not compile or resolve; go back
  to the loadjava output and fix the reported errors before going further.

- Log in to Oracle Applications as a user having the "System Administrator" responsibility
- Navigate to System Administrator -> Profile -> System
- Set the profile "Signon Password Custom" (internal name SIGNON_PASSWORD_CUSTOM) to
  "oracle.apps.fnd.security.AppsPasswordValidationCUS" at Site level; this tells the user
  management framework to use the customised validation class.

Note: Restart Apache at the very end so that the OA Framework pages pick up the new
profile value



- Set the profile option "Signon Password Hard to Guess" to blank at Site level: all the
  password validations are now implemented in the custom class, which replaces the
  built-in checks that this profile option controls.

Rule 8 - Password re-use policy

To implement the password re-use policy (users may not reuse a password for 12 months)
perform the following steps:

- Log in to Oracle Applications as a user with the "System Administrator" responsibility
- Navigate to System Administrator -> Profile -> System
- Set the profile "Signon Password No Reuse" to 365 at Site level (the value is the number
  of days during which a previous password cannot be reused)



Rule 9 – Password expiry

To make passwords expire after 180 days perform the following steps:

- Log in to Oracle Applications as a user with the "System Administrator" responsibility
- Navigate to System Administrator -> Security -> User
- Query for the user in the Users form
- In the Password Expiration section select Days and enter 180

Note: this setting is held per user, so it must be set for every new user at creation
time; the SQL in the Additional Notes section applies it to all existing users.



Error Messages Setup:
The following error messages must be created or updated; they are displayed when a
password validation fails.

- Log in to the application as a user having the "Application Developer" responsibility
- Navigate to Application Developer -> Application -> Messages
- Create the messages listed in the table below
- For the message marked Update in the table, query the existing message and change its
  text

The message names and the application must match exactly what the Java class returns from
getErrorStackMessageName() and getErrorStackApplicationName() ("FND", i.e. Application
Object Library); if they do not match, the message lookup fails and the user does not see
the intended explanation.

Note: every message ends with the full list of rules, so the message doubles as a display
guideline when setting up new users and during password changes

S.No  Message Name                    Language  Application                 Current Message Text (first paragraph)
----  ------------------------------  --------  --------------------------  ---------------------------------------------------
1     PASSWORD-KEF-NOSPACES           US        Application Object Library  Password cannot contain any spaces
2     PASSWORD-KEF-ALPHANUMERIC       US        Application Object Library  Password must contain at least one letter and at
                                                                            least two numbers.
3     PASSWORD-KEF-NOT-SOXCOMPLIANT   US        Application Object Library  Password must contain at least one of the special
                                                                            characters $ # @
4     USERNAME-KEF-7-CHRS             US        Application Object Library  Username must be seven (7) characters in length.
5     PASSWORD-KEF-INVALID-LENGTH     US        Application Object Library  Password must be exactly 8 characters in length
6     PASSWORD-KEF-INVALID-USERNAME   US        Application Object Library  Password cannot contain the user name
7     PASSWORD-KEF-INVALID-REPEATS    US        Application Object Library  Password must not contain two identical adjacent
                                                                            characters.
8     PASSWORD-INVALID-NO-REUSE       US        Application Object Library  Must not reuse a recently used password. Please
      (Update: this is a standard                                           supply a different password.
      Oracle message; query it and
      update the message text)

In every one of the eight messages the text above is followed by the same second paragraph:

Please check other password rules:
1. Password cannot contain any spaces
2. All passwords must be exactly 8 characters in length
3. Passwords must be a mix of alphabetic and numeric characters with a minimum of 2
   numeric characters
4. There must be at least 1 non-alphanumeric special character from $ # @
5. Password cannot be the same as the user name
6. Password cannot contain spaces
7. Identical characters cannot be adjacent
8. The same password cannot be used within a 12 month period

Note: Finally, regenerate the message file by running the concurrent program "Generate
Messages" from the Application Developer responsibility, so that the new and updated
messages are available at runtime.

Rule 10 and Rule 11 – Username and password examples in the login page

The following steps implement a custom username hint and password hint in the login page
that reflect the corporate rules.

- Log in to the application as a user having the "Application Developer" responsibility
- Navigate to Application Developer -> Application -> Messages
- Query for the message name "FND_SSO_HINT_USERNAME" and language "US" in the Messages form
- Update the "Current Message Text" to something meaningful for the company
  (e.g. "(example: veerash)")
- This ensures a meaningful hint is displayed for the username on the login screen
- Query for the message name "FND_SSO_HINT_PASSWORD" and language "US" in the same form
- Update the "Current Message Text" to something meaningful for the company
  (e.g. "(example: mvs#ek3)")

Note: the password example shown in the hint must itself satisfy rules 2 to 7, otherwise
users who copy its pattern are rejected by the validation class. "mvs#ek3" as written is
only 7 characters long and contains a single digit, so replace it with an 8 character
example containing at least two digits. Bear in mind that the hint is visible to anyone
who can reach the login page, so keep it to the format and never use a real password.



Additional Notes to incorporate the rules for existing Application users

All existing users now need their passwords expired and their expiration period set
according to the new standard. The SQL below does so: setting PASSWORD_DATE to NULL
expires the password, so the user is forced to choose a new one (and therefore to meet the
new validation rules) at the next login, and PASSWORD_LIFESPAN_DAYS = 180 implements rule 9.

Caveat: this is a direct update of the FND_USER table, and Oracle does not support direct
DML on the FND tables; the supported route is the FND_USER_PKG API (its UpdateUser
procedure accepts the password date and the lifespan in days), which the concurrent
program suggested below should use. Whichever route is taken, run it in a test instance
first, back up FND_USER, and review the exclusion list: every seeded, integration and
service account that is not excluded will have its password expired, which breaks the
interface that logs in with it.

/*
Purpose:
- Set the password lifespan to 180 days for all existing business users
- Expire every business user's password so that it must be changed at the next login

Enhancement notes:
- This could become a concurrent program that takes a username as input and expires the
  password of that user (and, if no username is passed, of all business users)
- If that is done, consider a separate update statement for changing the password lifespan
*/

UPDATE FND_USER
SET PASSWORD_DATE = NULL,
PASSWORD_LIFESPAN_DAYS = 180
WHERE USER_NAME NOT IN ('AME_INVALID_APPROVER',
'ANONYMOUS',
'APPSMGR',
'ASGADM',
'ASGUEST',
'AUTOINSTALL',
'CONCURRENT MANAGER',
'FEEDER SYSTEM',
'GUEST',
'IBEGUEST',
'IBE_ADMIN',
'IBE_GUEST',
'IEXADMIN',
'INITIAL SETUP',
'IRC_EMP_GUEST',
'IRC_EXT_GUEST',
'MOBILEADM',
'MULTIORGUSER',
'OLM1BATCH',
'OP_CUST_CARE_ADMIN',
'OP_SYSADMIN',
'PORTAL30',
'PORTAL30_SSO',
'SYSADMIN',
'WIZARD',
'XML_USER'
);

COMMIT;



Scope for improvement and drawbacks:

The following drawback was found while customising the user management framework.

- The automatic password reset functionality of the Oracle User Management framework
  cannot be used together with a customised password validation class: the password
  generated by Oracle does not comply with the corporate rules coded in the Java class, so
  the password reset workflow fails with a validation error.

Note: As per research done on Metalink, the Release 12 User Management framework addresses
this issue, so there the customisation can be used together with all the default user
management functionality.

Developer Reference – Code for the Java validation class

// Disclaimer:
// This sample is provided for educational purposes only. It is NOT supported
// by Oracle World Wide Technical Support. The sample has been tested and
// appears to work as intended. However, you should always test in YOUR
// environment before relying on it.
//
// Source File Name: AppsPasswordValidationCUS.java
//

package oracle.apps.fnd.security;

// Referenced classes of package oracle.apps.fnd.security:
// PasswordValidation (the interface every custom validator must implement)

public class AppsPasswordValidationCUS implements PasswordValidation
{
    // Name of the FND message put on the error stack when validate() fails.
    // Each name must exist as a message of Application Object Library (FND).
    private String m_errorStackMessageName;

    public String getErrorStackApplicationName()
    {
        return "FND";
    }

    public String getErrorStackMessageName()
    {
        return m_errorStackMessageName;
    }

    public boolean validate(String username, String password)
    {
        // Null/empty check first: every rule below dereferences both strings,
        // so testing the length before the null check would throw a
        // NullPointerException instead of returning a message.
        if (username == null || username.length() == 0
            || password == null || password.length() == 0)
        {
            m_errorStackMessageName = "PASSWORD-INVALID";
            return false;
        }
        // Username rule: user names must be exactly seven (7) characters.
        // SYSADMIN is exempt; add further seeded accounts here if they must be too.
        if (username.length() != 7 && !username.equals("SYSADMIN"))
        {
            m_errorStackMessageName = "USERNAME-KEF-7-CHRS";
            return false;
        }
        // Corporate rule 2: the password must be exactly 8 characters long
        if (password.length() != 8)
        {
            m_errorStackMessageName = "PASSWORD-KEF-INVALID-LENGTH";
            return false;
        }
        // Corporate rule 5: the password must not contain the user name
        if (!validateNoUsername(username, password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-INVALID-USERNAME";
            return false;
        }
        // Corporate rule 6: the password must not contain spaces
        if (!validateSpaces(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-NOSPACES";
            return false;
        }
        // Corporate rule 7: identical characters must not be adjacent
        if (!validateNoRepeats(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-INVALID-REPEATS";
            return false;
        }
        // Corporate rule 3: letters plus at least 2 digits
        if (!validateLettersAndDigits(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-ALPHANUMERIC";
            return false;
        }
        // Corporate rule 4: at least one of the permitted specials @ # $
        if (!validateSOXPassword(password))
        {
            m_errorStackMessageName = "PASSWORD-KEF-NOT-SOXCOMPLIANT";
            return false;
        }
        return true;
    }

    // Rule 5: the user name must not appear anywhere in the password,
    // compared case-insensitively (stricter than "not equal to").
    private boolean validateNoUsername(String p_username, String p_password)
    {
        return p_password.toUpperCase().indexOf(p_username.toUpperCase()) == -1;
    }

    // Rule 6: reject any whitespace character, not only the space itself
    private boolean validateSpaces(String p_password)
    {
        for (int i = 0; i < p_password.length(); i++)
            if (Character.isWhitespace(p_password.charAt(i)))
                return false;
        return true;
    }

    // Rule 7: no two consecutive characters may be identical
    private boolean validateNoRepeats(String p_password)
    {
        for (int i = 1; i < p_password.length(); i++)
            if (p_password.charAt(i) == p_password.charAt(i - 1))
                return false;
        return true;
    }

    // Rule 3: at least one letter and at least two digits
    private boolean validateLettersAndDigits(String p_password)
    {
        boolean hasLetter = false;
        int digitCount = 0;
        for (int i = 0; i < p_password.length(); i++)
        {
            char c = p_password.charAt(i);
            if (Character.isLetter(c))
                hasLetter = true;
            if (Character.isDigit(c))
                digitCount++;
        }
        return hasLetter && digitCount >= 2;
    }

    // Rule 4: at least one of the three permitted special characters.
    // Any other symbol does not count, so a password whose only
    // special character is, say, & or * is rejected.
    private boolean validateSOXPassword(String p_password)
    {
        for (int i = 0; i < p_password.length(); i++)
        {
            char c = p_password.charAt(i);
            if (c == '@' || c == '#' || c == '$')
                return true;
        }
        return false;
    }
}
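As an added example (this is not code from the white paper and not Oracle's shipped PasswordValidation sample), the Python harness below mirrors the rule order and the FND message names of AppsPasswordValidationCUS so the rule set can be exercised offline with test vectors before the class is loaded with loadjava. It checks for null before checking the length (the order the Java class must use to avoid a NullPointerException), treats rule 5 as "must not contain the user name" exactly as the class does, and includes vectors for the cases that catch people out: the login-page hint text "mvs#ek3", a tab instead of a space, and & as the only special character. All user names and passwords in it are constructed for the example.

```python
"""Offline test harness for the corporate password rules.

Added example, not part of the white paper or of Oracle's sample. It mirrors
the rule order and the FND message names used by AppsPasswordValidationCUS so
the rule set can be exercised with test vectors before the Java class is
loaded with loadjava. Every vector below is constructed for this example.
"""

EXEMPT_FROM_USERNAME_RULE = ("SYSADMIN",)   # mirrors the exclusion in the Java class
PERMITTED_SPECIALS = frozenset("@#$")       # the only specials the class accepts


def validate(username, password):
    """Return None when the pair passes every rule, otherwise the FND message
    name the Java class would put on the error stack for the first failing rule."""
    # Null/empty check first: every later rule dereferences both strings, so
    # testing the length before the null check would raise instead of returning.
    if not username or not password:
        return "PASSWORD-INVALID"
    # Local convention: user names are exactly 7 characters, SYSADMIN excepted
    if len(username) != 7 and username not in EXEMPT_FROM_USERNAME_RULE:
        return "USERNAME-KEF-7-CHRS"
    # Rule 2: exactly 8 characters
    if len(password) != 8:
        return "PASSWORD-KEF-INVALID-LENGTH"
    # Rule 5 as the class implements it: the password must not *contain* the
    # user name, compared case-insensitively
    if username.upper() in password.upper():
        return "PASSWORD-KEF-INVALID-USERNAME"
    # Rule 6: no whitespace of any kind (tabs included, like Character.isWhitespace)
    if any(c.isspace() for c in password):
        return "PASSWORD-KEF-NOSPACES"
    # Rule 7: no two identical adjacent characters
    if any(a == b for a, b in zip(password, password[1:])):
        return "PASSWORD-KEF-INVALID-REPEATS"
    # Rule 3: at least one letter and at least two digits
    if not (any(c.isalpha() for c in password)
            and sum(c.isdigit() for c in password) >= 2):
        return "PASSWORD-KEF-ALPHANUMERIC"
    # Rule 4: at least one of @ # $ ('&' and every other symbol are rejected)
    if not any(c in PERMITTED_SPECIALS for c in password):
        return "PASSWORD-KEF-NOT-SOXCOMPLIANT"
    return None


# Constructed test vectors: (username, password, expected message or None)
VECTORS = [
    ("veerash", "ab#12cde", None),                               # compliant
    ("SYSADMIN", "ab#12cde", None),                              # 8-char name, but exempt
    ("bob", "ab#12cde", "USERNAME-KEF-7-CHRS"),
    ("veerash", "mvs#ek3", "PASSWORD-KEF-INVALID-LENGTH"),       # the login-page hint text
    ("veerash", "Veerash1", "PASSWORD-KEF-INVALID-USERNAME"),
    ("veerash", "ab\t12cde", "PASSWORD-KEF-NOSPACES"),           # tab counts as whitespace
    ("veerash", "ab#12cdd", "PASSWORD-KEF-INVALID-REPEATS"),
    ("veerash", "ab#1cdef", "PASSWORD-KEF-ALPHANUMERIC"),        # only one digit
    ("veerash", "ab&12cde", "PASSWORD-KEF-NOT-SOXCOMPLIANT"),    # '&' is not permitted
    ("veerash", "", "PASSWORD-INVALID"),
]


def run_vectors(vectors=VECTORS):
    """Run every vector and return the (username, password, expected, actual)
    tuples whose actual result differs from the expectation; empty means pass."""
    mismatches = []
    for user, pwd, want in vectors:
        got = validate(user, pwd)
        if got != want:
            mismatches.append((user, pwd, want, got))
    return mismatches


if __name__ == "__main__":
    for user, pwd, _want in VECTORS:
        print("%-9s %-12r -> %s" % (user, pwd, validate(user, pwd)))
    print("mismatches: %d" % len(run_vectors()))
```

Keep the vector list next to the Java source and re-run it whenever a rule changes; if the corporate rule set is later amended (for example to accept & as rule 4 originally read), both PERMITTED_SPECIALS here and validateSOXPassword() in the class have to change together, and the vector for "ab&12cde" will flag the one that was forgotten.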

