
How to Fix HTTPS Security Messages in Oracle E-Business Suite

In the evolving landscape of cybersecurity, the recent push for HTTPS enforcement in browsers like Edge and Chrome is a significant step towards a more secure web. Oracle E-Business Suite (EBS) users, however, are experiencing firsthand the impact of these industry changes, particularly when using Java Web Start (JWS). As browsers are upgraded automatically, users have been presented with an additional pop-up warning message when attempting to launch forms, depending on their corporate settings.

The browser’s transition to requiring HTTPS is not just about compliance; it is about safeguarding data integrity and user privacy. While some may question the need to encrypt internal network traffic and not just external traffic, the reality is that threats can arise from any vector, even internally. For example, a compromised device on your network could be reading any data it can see. Securing internal applications can be as crucial as protecting external ones.

This push to HTTPS has recently resulted in a new warning message seen by end users even when an environment is configured correctly as described by Oracle support note (at the time of this post): Using Java Web Start with Oracle E-Business Suite (Doc ID 2188898.1).

Recent default configuration changes pushed through regular updates in Edge and Chrome have resulted in users experiencing the following messages:

Edge: “frmservlet.jnlp can’t be downloaded securely”

Chrome: “frmservlet.jnlp Insecure download blocked”

Prior to the recent browser changes, users would see something like the following message if the GPO policies were not set correctly:

Of course, the main purpose of a web browser is to navigate the internet. In an enterprise setting, this can mean external sites (internet), internal sites (intranet), or a combination of both, as in the case of a Software as a Service (SaaS) or cloud model.

The introduction of browser restrictions that force users onto secure connections when downloading items is intended to protect data such as bank statements, personal data, or other confidential data, preventing it from being intercepted or tampered with in transit. Users can encounter these restrictions while using an application like EBS internally over HTTP.

How to remove browser security messages

These warning messages can be stopped by adjusting browsers to allow insecure content to be downloaded from HTTP-based servers, through explicit definition of domains or specific servers, via end-user configuration or a GPO push, as in the example below.

Semi-technical end users may be tempted to change these settings at a global level (say http://*.yourdomain.com), but restricting the exception to the specific servers or endpoints associated with the application is a more secure approach.
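The following check is an added example, not part of the original post or Oracle's documentation: it reviews a list of browser exception entries before they are pushed and flags any that are broader than a single EBS server. The hostnames, the port and the function names are assumptions made for illustration.

```python
# Constructed sample data: hostnames and port are placeholders, not real servers.
APPROVED_HOSTS = {"ebsapp01.yourdomain.com", "ebsapp02.yourdomain.com"}

SAMPLE_ALLOWLIST = [
    "http://ebsapp01.yourdomain.com:8000",  # one EBS server: acceptable
    "http://*.yourdomain.com",              # the global form the post warns about
    "[*.]yourdomain.com",                   # same breadth, no scheme given
    "http://fileshare.yourdomain.com",      # specific host, but not an EBS server
]


def audit_entry(pattern, approved_hosts=APPROVED_HOSTS):
    """Return the findings for one exception entry (empty list = acceptable)."""
    findings = []
    scheme, sep, rest = pattern.strip().lower().partition("://")
    if not sep:                      # entry written without a scheme
        scheme, rest = "", scheme
    authority = rest.split("/", 1)[0]
    host, _, port = authority.partition(":")   # IPv6 literals are not handled

    if scheme in ("", "*"):
        findings.append("scheme not pinned")
    if "*" in host:
        findings.append("wildcard host")
    elif host not in approved_hosts:
        findings.append("host not an approved EBS server")
    if port == "*":
        findings.append("wildcard port")
    return findings


def audit(allowlist, approved_hosts=APPROVED_HOSTS):
    """Map each problematic entry to its findings; clean entries are omitted."""
    report = {}
    for entry in allowlist:
        findings = audit_entry(entry, approved_hosts)
        if findings:
            report[entry] = findings
    return report


if __name__ == "__main__":
    for entry, findings in audit(SAMPLE_ALLOWLIST).items():
        print(f"{entry}: {', '.join(findings)}")
```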

Ensuring security within Oracle EBS

An even more secure route is to configure Oracle E-Business Suite to deliver content via secure HTTPS-based connections instead of HTTP. This can be carried out by various methods, including securing the application server itself with a certificate or securing an external termination point for EBS.

Using this approach not only eliminates the warning message, but it also secures traffic to the server. While not directly related to this warning message, securing traffic between the application tier(s) and the database tier(s) can further secure transactions within your EBS environment.

Contact us for more information, or to help secure your EBS environment.