Tuesday, 27 December 2016

Oracle Application in DMZ (Demilitarized Zone)

DMZs For Civilians

In the IT industry, a demilitarized zone is a single or multi-segment perimeter network that demarks the portion of the corporate network that lies between the intranet and outside networks.  Corporate DMZ borders are enforced by firewalls and other dedicated networking devices.  

DMZs for the E-Business Suite

AutoConfig supports the use of DMZs with the E-Business Suite Release 11i, and an increasing number of our customers have either already implemented them or are planning to do so.  This is a common configuration:

In the configuration above, there are two different E-Business Suite application servers, each with its own unique domain name and setup.  External users access the E-Business Suite via the external "acme.company.com" address, and internal users access it via the "staff.acme.com" address.

Different Responsibilities for Internal and External Servers

It's possible (and recommended) to restrict the general set of Applications Responsibilities based on the application server that you're using.  

For example, there should be no reason to allow external users to modify your company's Chart of Accounts, so that responsibility can't be used if the end-user is logging in from outside the corporate intranet.

Possible Weak Points

There are two possible weaknesses with the first configuration shown above:
  1. If your external firewall is compromised, your external application server is also compromised, exposing an attack on your E-Business Suite database.
  2. There's nothing to prevent your internal users from attacking your internal application server, also exposing an attack on your E-Business Suite database.
Reverse Proxies and DMZs

If you're concerned about your external firewall being hacked, one possible countermeasure is to use layered DMZs and put a reverse proxy in the first DMZ.  

The reverse proxy has restricted capabilities and and the authority only to speak with the external application server.  It's possible to use the following as reverse proxies with the E-Business Suite:
  • Oracle Web Cache
  • Oracle HTTP Server
  • Other third-party reverse proxy servers, including Apache and Microsoft Proxy Server
An Inside Job

I'm a big fan of heist and con artist movies.  According to Hollywood, you can't pull off a big job without someone on the inside.  

It seems a lot of IT security analysts are fans, too, since they regularly publish surveys that suggest that the majority of security breaches are the result of employees with their hand in the till.  If we're to learn anything from movies, it's this:  trust nobody, not even your internal end-users.

That's why the second configuration above shows the E-Business Suite database server protected by its own firewall.  Even if your internal application server is compromised by an industrious but disgruntled fellow employee, your database is still protected.

Scratching the Surface

There are a number of other interesting DMZ-related architectural options for the E-Business Suite.  If you'd like to get more details, the following document is recommended reading:

Wednesday, 7 December 2016

Vendor API - Error creating contact - Contact information you are trying to import is already associated (Doc ID 1616295.1)


Oracle Payables - Version 12.1.3 and later
Information in this document applies to any platform.

On : 12.1.3 version, Supplier SupReports Merge Emp

When attempting to create a new vendor contact via the API
the following error occurs.


-> User receiving error 'ERROR : Contact information you are
-> trying to import is already associated'

The issue can be reproduced at will with the following steps:
import vendor contact details

The issue has the following business impact:
Due to this issue, users cannot import such data


BUg 17619121


apply Patch 17619121