Monday, March 16, 2020

EBS R12.2 | OAInfo.jsp returns HTTP 403 Forbidden | Security: Allowed Resources


Issue:

OAInfo.jsp is commonly used to set up a health check on a BIG-IP load balancer to monitor E-Business Suite JVMs. Be aware that OAInfo.jsp has been deprecated in R12.1, although the JSP is still functional for health-check purposes.

But after we upgraded EBS to 12.2.8, we are getting a 403 message in the access log.

"GET /OA_HTML/OAInfo.jsp HTTP/1.1" 403 54

Cause:
The security features changed significantly from 12.2.6+, including the Allowed Resources feature, which is part of 12.2.7+. This enhancement disables all the deprecated JSPs, which affects OAInfo.jsp as well.

Solution:

Action Plan 1:

This action plan will allow all the deprecated resources. It is the broader of the two options: every deprecated JSP becomes reachable again, not only OAInfo.jsp.

a.       Access the page http://ebs.jay.com/OA_HTML/OAInfo.jsp. It should return a 403 error message or "Requested resource or page is not allowed in this site".
b.       Set the profile option Security: Allowed Resources to ALL, which will whitelist all the JSPs.
c.       Bounce the Apache and oacore services. (Bounce the services on all application tiers.)
d.       Access http://ebs.jay.com/OA_HTML/OAInfo.jsp again. It should display the page with the text below and return status code 200 in the access log:

“This JSP is no longer supported. To view the information that this JSP provided, please log in to Oracle E-Business Suite, and select the About this Page link.”

Action Plan 2:

This action plan will allow only the OAInfo.jsp page.

a.       Access the page http://ebs.jay.com/OA_HTML/OAInfo.jsp. It should return a 403 error message or "Requested resource or page is not allowed in this site".
b.       cd $FND_TOP/secure, then vi allowed_extensions_custom.conf
c.       Add the /OA_HTML/OAInfo.jsp entry to allowed_extensions_custom.conf.
d.       Run: java oracle.apps.fnd.security.resource.WLDataMigration MODE=custom INPUT_FILE=$FND_TOP/secure/allowed_extensions_custom.conf DBC=$FND_SECURE/{SID}.dbc
e.       Bounce the Apache and oacore services. (Bounce the services on all application tiers.)
f.       Access http://ebs.jay.com/OA_HTML/OAInfo.jsp again. It should display the page with the text below and return status code 200 in the access log:
 
“This JSP is no longer supported. To view the information that this JSP provided, please log in to Oracle E-Business Suite, and select the About this Page link."”
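
Before choosing between the two action plans, it helps to see which /OA_HTML/ resources are actually being answered with 403 after the upgrade. The shell function below is an added example, not part of the original post: it counts 403 responses per resource in an Apache access log. It assumes common/combined log format; the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example: summarise /OA_HTML/ requests answered with 403 so each
# blocked resource can be reviewed before it is added to
# allowed_extensions_custom.conf.
# Assumption: common/combined log format (request is the first quoted
# field, status code follows it).

denied_resources() {
    # $1 = access log path. Prints "<count> <path>", highest count first.
    awk -F'"' '
        {
            split($2, req, " ")       # req[1]=method req[2]=URI req[3]=protocol
            split($3, rest, " ")      # rest[1]=status rest[2]=bytes
            uri = req[2]
            sub(/[?;].*$/, "", uri)   # drop query string / session suffix
            if (rest[1] == "403" && index(uri, "/OA_HTML/") == 1)
                hits[uri]++
        }
        END { for (u in hits) print hits[u], u }
    ' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log lines (not real traffic); example_*.jsp are
# hypothetical page names.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [16/Mar/2020:10:00:01 +0000] "GET /OA_HTML/OAInfo.jsp HTTP/1.1" 403 54
10.0.0.5 - - [16/Mar/2020:10:00:06 +0000] "GET /OA_HTML/OAInfo.jsp HTTP/1.1" 403 54
10.0.0.9 - - [16/Mar/2020:10:00:07 +0000] "GET /OA_HTML/example_ok.jsp HTTP/1.1" 200 1432
10.0.0.7 - - [16/Mar/2020:10:00:09 +0000] "GET /OA_HTML/example_custom.jsp?x=1 HTTP/1.1" 403 54
EOF
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
sample_log > "$tmp"
denied_resources "$tmp"
rm -f "$tmp"
```

If OAInfo.jsp is the only denied resource you need, Action Plan 2 covers it without setting the profile option to ALL.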
