Oracle E-Business Suite 12.2 Web Services Security for Oracle Supplier Network

This is the ninth posting in a blog series summarizing the new Oracle E-Business Suite 12.2 Mobile and web services functionality and recommendations for securing them.

The most common use of web services with the Oracle E-Business Suite is the Oracle Suppler Network (OSN). Do not confuse OSN with the Oracle Social Network (also referred to as OSN) or when configuring OSN, do not confuse the Oracle Transport Agent (OXTA) web services with Oracle Training Administration (OTA) web services.

To use OSN, you must configure the both the url_fw.conf and url_fw_ws.conf file to open traffic for the XML Gateway to consume OXTA web services. The OSN documentation in places confuses OTXA and OTA.  The risk is that in the url_fw_ws.conf there are services for both the Oracle Training Administration (OTA) module as well as for the OXTA. Unless both are being used, be careful to open only the correct services.

It should also be noted that while OSN uses web services, as of 12.2.5, OSN’s web services are NOT shown as deployed in the ISG repository.  This is because OSN’s functionality is built into the Oracle E-Business Suite’s core functionality.

It is very important to note that while using OSN with trading partners over the Internet requires opening the E-Business Suite to the Internet. Unfortunately, it is not clearly stated that a WAF, ideally the API Gateway, should be used to protect OSN. Even if OSN is the only web service being used, a WAF is still required to guard the attack surface.

Lastly, the passwords used for the various OSN accounts (defined within the OSN GUI forms) need to be complex and regularly rotated. Many clients forget about these accounts.

If you have any questions, please contact us at

-Michael Miller, CISSP-ISSMP, CCSP, CCSK



 Share this post