Oracle has updated the Oracle Applications 11i DMZ Configuration document (Metalink Note ID 287176.1). "Oracle E-Business Suite 11i Configuration in a DMZ" is the definitive reference for implementing Oracle Applications in a DMZ that is externally accessible. All the recommendations in this document should be closely followed and appropriately penetration tested prior to implementation. We often find significant security issues in implementations due to minor configuration changes or skipped steps.
The updates primarily relate to the recent support for SSO in a DMZ configuration. Oracle has released configuration build 4.0 for the integration of Oracle Application Server 10g (10.1.2.0.2) and Oracle Applications 11i (Metalink Note ID 233436.1). The major change from 3.2 to 4.0 is the new support for SSO in the DMZ and the support of SSL with Oracle Internet Directory. Appendix G contains the information for implementing SSO in the DMZ. This support requires that 11.5.10 ATG Rollup Patch 4 be installed.
It is important to note that Oracle supports only 11.5.9 and 11.5.10 for external access from the Internet, and only with significant patches and configuration changes. All other releases are highly vulnerable and should never be directly accessible from the Internet.
The entire SSO configuration with Oracle Applications 11i has greatly improved, but is still a work in progress. If you are planning on implementing advanced or complex configurations (DMZ, integration with third-party LDAP servers, etc.), be prepared for a lengthy and time-consuming implementation. Also, carefully examine the true benefits vs. costs (time and additional licenses), since the external directory integration with Oracle Applications is very limited at this time.