Solution Beacon
 

Solution Beacon Security Best Practice #7 - Set E-Business Suite Timeout Parameters and Profiles

An unattended PC without the screen locked poses a security risk.  Likewise, an unattended or long running E-Business Suite user session can also pose a risk.  The E-Business Suite provides many configuration parameters and profile settings to control user sessions.  I recommend reviewing these against your existing corporate policies and setting them according to our recommendations after testing their impact.  The following sections describe those items that I recommend setting.

 

  • ICX Timeout Profile Values

The following E-Business Suite profile options control screen timeouts for Forms sessions as well as Self Service sessions.  Again, please note that some of the ICX profiles also control Forms session timeouts.  This can be confusing, since Inter-Cartridge Exchange (ICX) is often associated only with Self Service applications; that association no longer holds, because since the release of the Framework the ICX profiles control the timeout functionality for both.

 

Parameter              Default      Recommendation
ICX:Session Timeout    None         30 (minutes)
ICX: Limit Time        4 (hours)    4 (hours)
ICX: Limit Connect     1000         2000

  • ICX:Session Timeout - This profile option determines the length of time (in minutes) of inactivity in a user's form session before the session is disabled.  Note that disabled does not mean terminated or killed.  The user is provided the opportunity to re-authenticate and re-enable their timed-out session.  If the re-authentication is successful, the disabled session is re-enabled and no work is lost.  Otherwise, the session is terminated without saving pending work.  This functionality is available via Patch 2012308 (included in 11.5.7, FND.E).  Note: Setting the profile value to greater than 30 minutes can drain JVM resources and cause 'out of memory' errors.

  • ICX: Limit Time - This profile option defines the maximum connection time for a connection, regardless of user activity.  If 'ICX:Session Timeout' is set to NULL, then the session will last only as long as 'ICX: Limit Time', regardless of user activity.

  • ICX: Limit Connect - This profile option defines the maximum number of connection requests a user can make in a single session.  Note that other EBS internal checks will generate connection requests during a user session, so it is not just user activity that can increment the count.

  • CRM Application Timeout Profile Values

CRM applications use the aforementioned ICX timeout profiles (ICX:Session Timeout, ICX: Limit Time, and ICX: Limit Connect), but additionally CRM also utilizes the JTF_INACTIVE_SESSION_TIMEOUT profile option.

 

Parameter                       Default      Recommendation
JTF_INACTIVE_SESSION_TIMEOUT    None         30 (minutes)

JTF_INACTIVE_SESSION_TIMEOUT - This profile option affects CRM-based products only, and serves the same purpose as the ICX:Session Timeout profile. This profile option exists for legacy reasons, and its value should be set the same as ICX:Session Timeout.

  • Jserv (Java) Timeout Settings

     

Parameter                                      Recommendation
disco4iviewer.properties:session.timeout       5400000 (milliseconds)
formservlet.ini:FORMS60_TIMEOUT                55 (minutes)
formservlet.properties:session.timeout         5400000 (milliseconds)
jserv.conf:ApJServVMTimeout                    360 (seconds)
mobile.properties:session.timeout              5400000 (milliseconds)
zone.properties:session.timeout                5400000 (milliseconds)
zone.properties:servlet.framework.initArgs     5400000 (milliseconds)

These settings are located at: ../*ora/iAS/Apache/Jserv/etc

The JServ timeout is specified by the value of the property session.timeout in the JServ configuration file zone.properties, and represents the number of milliseconds to wait before ending an idle JServ session (the default is 30 minutes).  This timeout is used by products based on Oracle Applications Framework (OAF).

  • Apache HTTP Timeout Settings

The following parameter settings control timeout behavior within Apache.

Parameter                            Recommendation
httpd.conf:Timeout                   300 (seconds)
httpd.conf:KeepAliveTimeout          15 (seconds)
httpd.conf:SSLSessionCacheTimeout    300 (seconds)

These settings are located at: ../*ora/iAS/Apache/Apache/conf

  • Forms 60 Environment Timeout Variables

The following parameter settings control timeout behavior within Oracle Forms.

Parameter            Recommendation
FORMS60_TIMEOUT      55 (minutes)
FORMS60_CATCHTERM    0

You should modify the APPL_TOP/<SID>.env file to include the following settings (FORMS60_TIMEOUT is expressed in minutes):

FORMS60_CATCHTERM=0
FORMS60_TIMEOUT=55

I recommend using a timeout value of 55 because it is less than the 60-minute value recommended for the Apache web timeout values.  Note that these values may vary depending on your security policies.
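As an added example (not Solution Beacon's or Oracle's code), the following POSIX shell script audits the file-based settings from the Jserv, Apache and Forms sections above against the recommended values, and also confirms the ordering the Forms recommendation relies on: the Forms idle timeout must expire before the JServ session does.  It writes constructed sample fragments of httpd.conf, zone.properties and a <SID>.env to a temporary directory so it runs offline; the file names, the sample values and the "no longer than the recommendation" pass rule are assumptions, and on a real application tier you would point the helper functions at the ../*ora/iAS/Apache paths listed above.

```shell
#!/bin/sh
# Added example, not code from the original article: audit EBS timeout
# settings kept in flat files against the recommended values.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample configuration fragments (assumed layouts) ---------
cat > "$WORK/httpd.conf" <<'EOF'
Timeout 300
KeepAlive On
KeepAliveTimeout 15
SSLSessionCacheTimeout 900
EOF

cat > "$WORK/zone.properties" <<'EOF'
# JServ zone configuration (constructed sample)
session.timeout=5400000
EOF

cat > "$WORK/SAMPLE.env" <<'EOF'
FORMS60_CATCHTERM=0
FORMS60_TIMEOUT=55
EOF

# apache_directive FILE NAME: value of an httpd.conf directive.
# The last occurrence wins, which is how Apache itself resolves duplicates.
apache_directive() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# prop_value FILE KEY: value of a KEY=VALUE line in a .properties or .env file.
prop_value() {
    awk -F= -v k="$2" '{ sub(/^[ \t]+/, "", $1) } $1 == k { v = $2 } END { print v }' "$1"
}

# check LABEL ACTUAL OP EXPECTED: compare with a test(1) integer operator
# (-le, -lt, -eq ...); prints PASS/FAIL and returns 0 only on pass.
check() {
    label=$1; actual=$2; op=$3; expected=$4
    if [ -n "$actual" ] && [ "$actual" "$op" "$expected" ]; then
        echo "PASS  $label = $actual"
        return 0
    fi
    echo "FAIL  $label = ${actual:-<unset>} (want $op $expected)"
    return 1
}

# audit DIR: run every check against the files in DIR; returns 1 if any fails.
# Pass rule (an assumption): a value no longer than the recommendation passes.
audit() {
    dir=$1
    rc=0
    check "httpd.conf:Timeout" "$(apache_directive "$dir/httpd.conf" Timeout)" -le 300 || rc=1
    check "httpd.conf:KeepAliveTimeout" "$(apache_directive "$dir/httpd.conf" KeepAliveTimeout)" -le 15 || rc=1
    check "httpd.conf:SSLSessionCacheTimeout" "$(apache_directive "$dir/httpd.conf" SSLSessionCacheTimeout)" -le 300 || rc=1
    check "zone.properties:session.timeout" "$(prop_value "$dir/zone.properties" session.timeout)" -le 5400000 || rc=1
    check "env:FORMS60_CATCHTERM" "$(prop_value "$dir/SAMPLE.env" FORMS60_CATCHTERM)" -eq 0 || rc=1
    forms_min=$(prop_value "$dir/SAMPLE.env" FORMS60_TIMEOUT)
    check "env:FORMS60_TIMEOUT" "$forms_min" -le 55 || rc=1
    # Ordering check: normalise the JServ value (milliseconds) to minutes and
    # require the Forms idle timeout to be strictly shorter.
    jserv_min=$(( $(prop_value "$dir/zone.properties" session.timeout) / 60000 ))
    check "FORMS60_TIMEOUT shorter than JServ session.timeout ($forms_min vs $jserv_min min)" "$forms_min" -lt "$jserv_min" || rc=1
    return $rc
}

audit "$WORK" || echo "one or more settings deviate from the recommendations"
```

On the sample files every check passes except SSLSessionCacheTimeout, which is 900 seconds against a recommended 300, so the script reports one FAIL and audit returns non-zero; that exit status makes it usable from a scheduled compliance job.  The property reader deliberately takes the last matching line, so a setting that is overridden further down the same file is evaluated the way the server will actually apply it.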

  • Oracle Single Sign-On Server Timeouts

The following parameter setting controls timeout behavior within Oracle Single Sign-On. 

'Single Sign-On Session Duration' represents the number of hours a user can be logged in to the server without being timed out and having to log in again.  This timeout value can be specified from the "Edit SSO Server Configuration" link on the SSO Server Administration page.  When a user logs in to Release 11i via the Single Sign-On Server, an SSO login session is created and remains valid for the duration specified by this setting.
