Wednesday, June 11, 2008

Oracle APPS Password Security

Oracle Applications 11i implementations have a security weakness: Oracle Applications 11i passwords are stored in the database. Application passwords are kept in two tables. FND_USER holds the application user accounts, and FND_ORACLE_USERID stores the internal Oracle Applications database accounts. The APPS and APPLSYS database accounts must always have the same password.

The APPS.FND_USER table holds all application accounts and has two password columns that are provided for the encrypted values:

ENCRYPTED_FOUNDATION_PASSWORD

ENCRYPTED_USER_PASSWORD

Either of the above two columns may instead contain one of the following string values:

1. EXTERNAL: user authentication is delegated, so the password is not stored in the FND_USER table.

2. INVALID: access for some default Oracle Apps accounts is blocked by directly updating the FND_USER table.

3. X: same meaning as INVALID.

4. ZG: if the encryption algorithm fails, the error message is stored in the password column.

The passwords in FND_ORACLE_USERID are maintained independently of the database, so any change to an account password made with an ALTER USER statement is not reflected in the table. To change the passwords in FND_ORACLE_USERID, use the FNDCPASS utility or the System Administrator "ORACLE" form.

Oracle Applications passwords can be 1 to 100 characters long; longer passwords are truncated at 100 characters.

Oracle Apps password encryption is done by the APPS.FND_WEB_SEC package or by the following Java classes:

oracle.apps.fnd.security.WebSessionManagerProc
oracle.apps.fnd.security.AolSecurity
oracle.apps.fnd.security.AolSecurityPrivate

You can find these class files under the $JAVA_TOP directory.

You can download the class files and, using a Java class decompiler, see how the code is written. The actual encryption and decryption calls are in the oracle.apps.fnd.security.AolSecurityPrivate Java class. The Guest account password is stored in a system profile option, and you can retrieve it with:

SELECT APPS.FND_PROFILE.VALUE('GUEST_USER_PWD') FROM dual;
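Because the post's point is that these tables hold recoverable password material, the first thing an administrator wants is an inventory of which accounts actually carry a stored password and who else can read the tables. The following audit queries are an added example, not code from the post; they assume FND_USER and FND_ORACLE_USERID are owned by APPLSYS (APPS.FND_USER being a synonym), that the session can read APPS.FND_USER and DBA_TAB_PRIVS, and they classify accounts by the sentinel strings described above.

```sql
-- Added audit example (not from the post). Classify every still-active
-- FND_USER account by what its password column holds, using the sentinel
-- values listed above. Anything not matching a sentinel is a stored,
-- reversibly encrypted password and is the population worth reviewing.
SELECT u.user_name,
       CASE
         WHEN u.encrypted_user_password IS NULL             THEN 'no password set'
         WHEN u.encrypted_user_password = 'EXTERNAL'        THEN 'delegated (not stored in FND_USER)'
         WHEN u.encrypted_user_password IN ('INVALID', 'X') THEN 'login blocked'
         ELSE 'password stored in table'
       END AS password_state,
       u.end_date,
       u.last_logon_date
FROM   apps.fnd_user u
WHERE  u.end_date IS NULL OR u.end_date > SYSDATE   -- skip end-dated accounts
ORDER  BY password_state, u.user_name;

-- Which grantees other than APPS can read the two tables that hold the
-- encrypted passwords? Assumes the tables are owned by APPLSYS.
SELECT p.grantee, p.owner, p.table_name, p.privilege
FROM   dba_tab_privs p
WHERE  p.owner = 'APPLSYS'
AND    p.table_name IN ('FND_USER', 'FND_ORACLE_USERID')
AND    p.grantee <> 'APPS'
ORDER  BY p.table_name, p.grantee;
```

Any unexpected grantee in the second result set, or an INVALID/X account that is still in use, is worth following up with the DBA.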
