When upgrading the Oracle E-Business Suite database to Oracle Database 12c (12.1), there are a number of security considerations and steps that should be included in the upgrade procedure. Oracle Support Note ID 1524398.1 Interoperability Notes EBS 12.0 or 12.1 with RDBMS 12cR1 details the upgrade steps. Here, we will document steps that should be included or modified to improve database security. All references to steps are the steps in Note ID 1524398.1.
"While not mandatory for the interoperability of Oracle E-Business Suite with the Oracle Database, customers may choose to apply Database Patch Set Updates (PSU) on their Oracle E-Business Suite Database ...".
After any database upgrade, the latest CPU patch (either PSU or SPU) should always be applied. The database upgrade only has the latest CPU patch available at the time of release of the database upgrade patch. In the case of 18.104.22.168, the database upgrade will be current as of July 2013 and be missing the latest five CPU patches. Database upgrade patches reset the CPU level - so even if you had applied the latest CPU patch prior to the upgrade, the upgrade will revert the CPU patch level to July 2013.
From a security perspective, the latest PSU patch should be considered mandatory.
It is important to note from a security perspective that Database Vault must be disable during the upgrade process. Any protections enabled in Database Vault intended for DBAs will be disabled during the upgrade.
The DMSYS schema is no longer used with Oracle E-Business Suite and can be safely dropped. We recommended you drop the schema as part of this step to reduce the attack surface of the database and remove unused components. Use the following SQL to remove the DMSYS user --
DROP USER DMSYS CASCADE;
As part of the upgrade, it is a good time to review security related initialization parameters are set correctly. Verify the following parameters are set -
o7_dictionary_accessibility = FALSE audit_trail = <set to a value other than none> sec_case_sensitive_logon = TRUE (patch 12964564 may have to be applied)
For Oracle E-Business Suite 12.1, the sqlnet_ifile.ora should contain the following parameter to correspond with the initialization parameter sec_case_sensitive_login = true -
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 10