Oracle® Communications Network Integrity System Administrator's Guide Release 7.1 Part Number E23699-01
This chapter describes security fundamentals for Oracle Communications Network Integrity, and also provides procedures to configure user passwords and manage users.
Network Integrity security includes the following aspects:
User Management
Secure centralized storage for users and roles that also enables secure and fast retrieval of that information.
Note: You cannot configure password policies in the current version of Network Integrity.
Guidelines regarding password policies for Network Integrity, and also for those of the application's integration with external applications, servers, and databases.
An audit mechanism to perform audits on security related aspects and provide an audit trail of user activities (such as login attempts).
Oracle Platform Security Services (OPSS) provides a security framework for Java Standard Edition (Java SE) and Java Enterprise Edition (Java EE) applications. OPSS is both a security framework exposing security services and APIs, and a platform offering concrete implementation of security services. It includes these five elements:
Common Security Services (CSS): The internal security framework on which Oracle WebLogic Server is based
Oracle Platform Services: This framework provides security to Oracle applications, for example, Oracle Application Development Framework (ADF), Oracle WebCenter, Oracle SOA Suite, Oracle Web Services Manager (OWSM)
User and Role APIs
Oracle Fusion Middleware Audit Framework
Oracle Security Developer Tools
A security realm comprises mechanisms for protecting WebLogic resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. A user must be defined in a security realm to access any WebLogic resources belonging to that realm. When a user attempts to access a particular WebLogic resource, WebLogic Server tries to authenticate and authorize the user by checking the security role assigned to the user in the relevant security realm and the security policy of the particular WebLogic resource.
Security providers are modules that “plug into” a WebLogic Server security realm to provide security services to applications. They call into the WebLogic Security Framework on behalf of applications. You can use the security providers that are provided as part of the WebLogic Server product, purchase custom security providers from third-party security vendors, or develop your own custom security providers.
During installation, you can choose one of the following three security providers for Network Integrity:
The default WebLogic security provider (Embedded LDAP)
Any external security provider
Any other security provider, if using only the Authentication provider
See Network Integrity Installation Guide for more information on setting up security providers for Network Integrity.
WebLogic Server uses its embedded LDAP server as the database that stores user, group, security roles, and security policies for the WebLogic security providers. The embedded LDAP server supports the following access and storage functions:
Access and modification of entries in the LDAP server
Use of an LDAP browser to import and export security data into and from the LDAP server
Read and write access by the WebLogic security providers
Note:
Note: WebLogic Server does not support adding attributes to the embedded LDAP server.
Table 2-1 WebLogic Server Embedded LDAP Server Usage Information
| WebLogic Security Provider | Embedded LDAP Server Usage |
|---|---|
| Authentication | Stores user and group information |
| Identity Assertion | Stores user and group information |
| Authorization | Stores security roles and security policies |
| Adjudication | None |
| Role Mapping | Supports dynamic role associations by obtaining a computed set of roles granted to a requester for a given WebLogic resource |
| Auditing | None |
| Credential Mapping | Stores Username-Password credential mapping information |
| Certificate Registry | Stores registered end certificates |

Oracle Internet Directory is a general purpose directory service that combines Lightweight Directory Access Protocol (LDAP) Version 3 with an Oracle Database. It is a component of Oracle Identity Management which is an integrated infrastructure that provides distributed security services for Oracle products and other enterprise applications. Oracle Internet Directory runs as an application on an Oracle Database. It communicates with the database by using Oracle Net Services, Oracle's operating system-independent database connectivity solution. The database may or may not be on the same host.
Oracle Internet Directory includes:
Oracle directory server, which responds to client requests for information about people and resources, and to updates of that information, by using a multitiered architecture directly over TCP/IP.
Oracle directory replication server, which replicates LDAP data between Oracle directory servers.
Directory administration tools, which include:
Oracle Directory Manager, which has a Java-based graphical user interface
A number of command-line administration and data management tools invoked from LDAP clients.
Directory server management tools within Oracle Enterprise Manager 10g Application Server Control Console. These tools enable you to:
Monitor real-time events and statistics from a normal browser
Start the process of collecting such data into a new repository
Oracle Internet Directory Software Developer's Kit

For more information on Oracle Internet Directory, see the Oracle Internet Directory documentation at the following link:
http://www.oracle.com/technology
Note:
Note: For information on any other external security providers, see the respective product documentation.
A security provider database contains the users, groups, security roles, security policies, and credentials used by some types of security providers to provide security services. For example, an authentication provider requires information about users and groups; an authorization provider requires information about security policies; a role mapping provider requires information about security roles, and a credential mapping provider requires information about credentials to be used to remote applications. These security providers need this information to be available in a database to function.
The security provider database can be the embedded LDAP server (as used by the WebLogic security providers), a properties file (as used by the sample custom security providers, available on the Web), or a production-quality, customer-supplied database that you may already be using.
Note:
The sample custom security providers are available on the Oracle Technology Network website at the following location:
http://www.oracle.com/technology/community/welcome-bea/index.html
Initialize the security provider database the first time you use security providers. That is, before the security realm containing the security providers is set as the default (or, active) security realm. This initialization can be done:
When a WebLogic Server instance boots
When a call is made to a security provider's MBeans
At minimum, the security provider database is initialized with the default groups, security roles, security policies provided by WebLogic Server.
See Security Providers and WebLogic Resources for more information.
If you have multiple security providers of the same type configured in the same security realm, these security providers may use the same security provider database. This behavior holds true for all of the WebLogic security providers.
For example, if you configure two WebLogic Authentication providers in the default security realm (called myrealm), both WebLogic Authentication providers use the same location in the embedded LDAP server as their security provider database, and thus use the same users and groups. Furthermore, if you add a user or group to one WebLogic Authentication provider, the user or group appears in the other WebLogic Authentication provider as well.
Note:
If you have two WebLogic security providers of the same type configured in two different security realms, each uses its own security provider database. Only one security realm can be active at a time.
Third-party security providers can be designed so that each instance of the security provider uses its own database, or so that all instances of the security provider in a security realm share the same database.
You create a password for the Network Integrity user during Network Integrity installation when you are creating the user and the associated user credentials. In case you do not create a Network Integrity user during installation, you can do so using the Oracle WebLogic Administration Console.
You can change a Network Integrity user's password using the Network Integrity user interface and also using the Oracle WebLogic Administration Server.
Note:
A Network Integrity user password can be changed using the Network Integrity user interface only if you are using the Embedded LDAP (the default WebLogic security provider).
For information on changing application user passwords when you are using an external security provider, see the respective product documentation.
To change the Network Integrity user password using the Network Integrity UI:
Note:
This procedure changes the password for the user account with which you log in to Network Integrity.
Log in to the Network Integrity application.
The Manage Scans screen appears by default.
In the Links section in the left pane, select Change Password.
The Change Password screen appears.
You can see the user name for the account for which you are changing the password.
Do the following:
In the Current Password field, enter the current password for this user account.
In the New Password field, enter the new password for this user account.
In the Verify New Password field, enter the new password again.
Click Save and Close.
The password for this user is changed.
To change the Network Integrity user's password using the Administration Console:
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Users and Groups tab to display it.
The Users tab is displayed by default. If not, then select the Users tab to display it.
In the Users table, click the user for which you want to change the password.
The Settings for User screen appears.
Select the Passwords tab to display it.
In the New Password field, enter the new password for the user.
In the Confirm New Password field, enter the new password for the user again.
Click Save.
The password for this user is changed.
To change the WebLogic administrator password:
Log in to the Oracle WebLogic Server Administration Console, using the Administrator's credentials.
The WebLogic Administration Console Home appears.
Select Security Realms under Your Application's Security Settings.
The Summary of Security Realms screen appears.
In the Realms table, select YourRealm.
The Settings for YourRealm screen appears.
Select the Users and Groups tab to display it.
Within this tab, the Users tab is displayed by default.
You can view all users in this tab.
In the Users table, click the WebLogic Admin user, AdminUser, for which you want to change the password.
The Settings for the AdminUser screen appears.
The General tab is displayed by default.
Select the Password tab to display it.
In the New Password field, enter the new password.
In the Confirm New Password field, enter the new password again.
Click Save.
The password for the WebLogic Administrator is changed.
You set the user lockout attributes using the Oracle WebLogic Administration Console.
To set the user lockout attributes:
Log in to the Oracle WebLogic Server Administration Console, using the Administrator's credentials.
The WebLogic Administration Console Home appears.
In the Change Center on the left, click Lock & Edit.
Select Security Realms under Your Application's Security Settings.
The Summary of Security Realms screen appears.
In the Realms table, select YourRealm.
The Settings for YourRealm screen appears.
In the Configuration tab, select the User Lockout tab to display it.
Do the following:
Select Lockout Enabled to enable user lockout.
In the Lockout Threshold, enter a value for the maximum number of consecutive invalid login attempts that can occur before a user's account is locked out.
In the Lockout Duration field, enter the value for the user lockout duration, which is the number of minutes that a user's account is locked out.
In the Lockout Reset Duration field, enter the value, in minutes, for the duration within which consecutive invalid login attempts cause a user's account to be locked out. The user is not locked out if the lockout threshold is not reached in this duration.
In the Lockout Cache Size field, enter a value for the number of invalid login records (between 0 and 99999) that the server places in a cache.
In the Lockout GC Threshold field, enter the value for the maximum number of invalid login records that the server keeps in memory.
Click Save.
In the Change Center of the Administration Console, click Activate Changes.
Restart WebLogic Server.
User lockout attributes are set.
To unlock a user account:
Log in to the Oracle WebLogic Server Administration Console, using the Administrator's credentials.
The WebLogic Administration Console Home appears.
In the Change Center on the left, click Lock & Edit.
In the left pane, select YourDomain.
The Settings for YourDomain screen appears.
Select the Security tab to display it, then select and display the Unlock User tab.
In the Unlock User field, enter the name of the user to be unlocked.
Click Save.
In the Change Center of the Administration Console, click Activate Changes.
The specified user is unlocked.
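As an added illustration (not part of this guide or of WebLogic's own code), the following Python model shows how the Lockout Threshold, Lockout Duration and Lockout Reset Duration attributes set above interact over a run of invalid logins, and what the Unlock User tab clears. It assumes a simulated clock in minutes and measures the reset window from the first invalid attempt of the current run; WebLogic's internal bookkeeping may differ in detail.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutSettings:
    """The User Lockout tab attributes (cache size and GC threshold omitted)."""
    lockout_enabled: bool = True
    lockout_threshold: int = 5        # consecutive invalid logins before lockout
    lockout_duration: int = 30        # minutes the account stays locked
    lockout_reset_duration: int = 5   # minutes within which those logins must occur


@dataclass
class _UserState:
    failures: int = 0
    first_failure_at: Optional[float] = None   # simulated clock, in minutes
    locked_until: Optional[float] = None


class LockoutTracker:
    """Simplified lockout bookkeeping; assumption: the reset window is measured
    from the first invalid attempt of the current run of failures."""

    def __init__(self, settings: LockoutSettings) -> None:
        self.settings = settings
        self._users: Dict[str, _UserState] = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self._users.get(user)
        return bool(st and st.locked_until is not None and now < st.locked_until)

    def record_attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Outcome of a login attempt at minute `now`: 'ok', 'failed' or 'locked'."""
        st = self._users.setdefault(user, _UserState())
        if self.is_locked(user, now):
            return "locked"                    # rejected even with the correct password
        if password_ok:
            self._users[user] = _UserState()   # a good login ends the failure run
            return "ok"
        s = self.settings
        if (st.first_failure_at is None
                or now - st.first_failure_at > s.lockout_reset_duration):
            # threshold not reached within the reset duration: the count starts over
            st.failures, st.first_failure_at = 1, now
        else:
            st.failures += 1
        if s.lockout_enabled and st.failures >= s.lockout_threshold:
            st.locked_until = now + s.lockout_duration
            return "locked"
        return "failed"

    def unlock(self, user: str) -> None:
        """What the Security > Unlock User tab does: clear the lock and the counter."""
        self._users.pop(user, None)


if __name__ == "__main__":
    # constructed attempt log: (user, password correct?, minute)
    attempts = [("alice", False, 0), ("alice", False, 1), ("alice", False, 2),
                ("alice", True, 10)]
    tracker = LockoutTracker(LockoutSettings(lockout_threshold=3))
    for user, ok, minute in attempts:
        print(minute, user, tracker.record_attempt(user, ok, minute))
```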
You manage Network Integrity users using the WebLogic Administration Console.
Network Integrity provides two user groups: one for accessing the Network Integrity functionality, and the other, the JD Group, for accessing the Job Dispatcher.
Currently, Network Integrity provides only one role, NetworkIntegrityRole. All users are assigned to this role and hence, by default, all users are also members of the JD Group.
To create a user:
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Users and Groups tab to display it.
The Users tab is displayed by default. If not, then select the Users tab to display it.
In the Users tab, click New.
The Create a New User screen appears.
Do the following:
In the Name field, enter the name for the new user.
In the Description field, enter a description for the new user. This field is not mandatory.
From the Provider list, select the security provider where the user credentials are saved.
In the Password, and Confirm Password fields, enter a password for the new user.
Click OK.
The new user appears in the Users table.
To delete a user:
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Users and Groups tab to display it.
The Users tab is displayed by default. If not, then select the Users tab to display it.
In the Users table, select the user you want to delete.
Caution:
WebLogic Administration console does not ask for confirmation. Ensure that the user you have selected is the user you want to delete.
Click Delete.
The selected user is deleted and is not visible in the Users table.
Note:
It is assumed that this Network Integrity user belongs to the JDGroup, which is the group of users accessing the Job Dispatcher.
To add a user to a group and assign that user a role:
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Users and Groups tab to display it.
The Users tab is displayed by default. If not, then select the Users tab to display it.
Select the User whose properties you want to modify.
The Settings for User screen appears.
The General tab is displayed by default.
Select the Groups tab to display it.
In the Parent Groups section, in the Available list, select the role that you want to assign to the user.
Click the right arrow to move the selected item to the Chosen box.
In the same way, select the group you want to assign to the user.
Click Save.
The user is assigned the new role and group.
To create a group in the WebLogic Administration Console:
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Users and Groups tab to display it.
The Users tab is displayed by default.
Select the Groups tab to display it.
Click New.
The Create a New Group screen appears.
In the Name field, enter a name for the new group.
(Optional) In the Description field, enter a brief description of the new group that you are creating.
Leave the Provider as Default Provider and click OK.
The new group is created.
When you use an external authentication provider, you must configure Network Integrity to use it.
To configure the authentication provider:
Note:
The use of Oracle Internet Directory and Oracle Identity Manager (OIM) requires a separate license from Network Integrity. Please contact your Oracle representative for information on acquiring a license.
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Providers tab to display it.
The Authentication tab is displayed by default. If not, then select it to display it.
Click Lock & Edit in the Change Center in the left pane, to activate all buttons in this tab.
Click New.
The Create a New Authentication Provider screen appears.
In the Name field, enter the name NewAuthProvider of the authentication provider.
From the Type list, select OracleInternetDirectoryAuthenticator.
Click OK.
The Settings for YourRealm screen appears.
The Authentication tab is displayed by default.
You can see the newly created authentication provider, NewAuthProvider, in the Authentication Providers table.
Click NewAuthProvider.
The Settings for NewAuthProvider screen appears.
In the Configuration tab, the Common tab is displayed by default.
If the Common tab is not displayed, select it to display it.
In the Control Flag list, select SUFFICIENT.
Click Save.
Select the Provider Specific tab to display it.
In the Connection section, do the following:
In the Host field, enter the IP address of the host.
In the Port field, enter the relevant port number.
In the Principal field, enter the value for the principal.
In the Credentials field, enter the relevant credentials.
In the Confirm Credentials field, enter the credentials again.
In the Users section, do the following:
In the User Base DN field, provide a value, like the one shown here:
cn=Users,dc=idc,dc=oracle,dc=com
In the All User Filter field, provide the relevant value.
In the User From Name Filter field, provide the relevant value.
In the User Search Scope field, provide the relevant value.
In the User Name Attribute field, provide the relevant value.
In the User Object Class field, provide the relevant value.
In the Groups section, do the following:
In the Group Base DN field, provide a value, like the one shown here:
cn=Groups,dc=idc,dc=oracle,dc=com
In the All Groups Filter field, provide the relevant value.
In the Group From Name Filter field, provide the relevant value.
In the Group Search Scope field, provide the relevant value.
In the Group Membership Searching field, provide the relevant value.
In the Max Group Membership Search Level field, provide the relevant value.
Click Save.
Restart the WebLogic server.
To re-order the authentication providers:
Log in to the WebLogic Administration console.
In the Home page, select Security Realms.
The Summary of Security Realms screen appears.
Select YourRealm.
The Settings for YourRealm screen appears.
Select the Providers tab to display it.
The Authentication tab is displayed by default. If not, then select it to display it.
Click Reorder.
The Reorder Authentication Providers screen appears.
Use the Up and Down arrows to the right of the Authentication Providers table to reorder them.
Click OK.
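The Control Flag set to SUFFICIENT in the previous procedure and the provider order set here together decide whether a login succeeds; the following Python model of the JAAS control-flag rules is an added example, not code from this guide or from WebLogic. It assumes a constructed pair of providers, with the existing DefaultAuthenticator left at its default flag of REQUIRED, and the user names AdminUser and jdoe as sample data.

```python
from dataclasses import dataclass
from typing import List, Set

FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


@dataclass
class AuthProvider:
    name: str
    control_flag: str      # one of FLAGS, as set on the provider's Common tab
    known_users: Set[str]  # constructed stand-in for "this provider accepts the user"


def evaluate(providers: List[AuthProvider], user: str) -> bool:
    """Apply the JAAS control-flag rules to the providers in their configured order.

    REQUIRED   must succeed; evaluation continues either way.
    REQUISITE  must succeed; failure stops evaluation immediately.
    SUFFICIENT success stops evaluation with an overall success, unless an earlier
               REQUIRED/REQUISITE provider already failed; failure just continues.
    OPTIONAL   counts only when no REQUIRED/REQUISITE provider is configured.
    """
    has_required = any(p.control_flag in ("REQUIRED", "REQUISITE") for p in providers)
    required_failed = False
    any_other_succeeded = False
    for p in providers:
        if p.control_flag not in FLAGS:
            raise ValueError(f"{p.name}: unknown control flag {p.control_flag}")
        ok = user in p.known_users
        if p.control_flag == "REQUIRED" and not ok:
            required_failed = True
        elif p.control_flag == "REQUISITE" and not ok:
            return False
        elif p.control_flag in ("SUFFICIENT", "OPTIONAL") and ok:
            if p.control_flag == "SUFFICIENT" and not required_failed:
                return True
            any_other_succeeded = True
    if required_failed:
        return False
    return True if has_required else any_other_succeeded


if __name__ == "__main__":
    # constructed realm: the embedded-LDAP default authenticator plus the OID one
    default_auth = AuthProvider("DefaultAuthenticator", "REQUIRED", {"AdminUser"})
    oid_auth = AuthProvider("NewAuthProvider", "SUFFICIENT", {"jdoe"})
    for order in ([default_auth, oid_auth], [oid_auth, default_auth]):
        names = " -> ".join(p.name for p in order)
        for u in ("AdminUser", "jdoe"):
            print(f"{names}: {u} -> {evaluate(order, u)}")
```

With NewAuthProvider listed first, both AdminUser and jdoe log in; with the REQUIRED DefaultAuthenticator first, jdoe is rejected even though NewAuthProvider accepts the user, which is why the order and the control flags must be checked together.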
Properties can be encrypted so that they can be configured as Secret properties in a property group on a processor. Properties can be configured to have secret values to pass sensitive information in Network Integrity. See Network Integrity Developer's Guide for more information.
Before running the encryptor, create the property. See Network Integrity Developer's Guide for more information.
To encrypt a property:
On the system where Network Integrity is installed, go to NI_Home/integrity, where NI_Home is the directory in which Network Integrity is installed.
Run the property encryption tool by running the following command:
./runPropertyEncryptor.sh
At the prompt, enter the name of the property.
At the prompt, enter the property value.
At the prompt, confirm the property value.
The encrypted property value is displayed.
Enter the encrypted value as the property value using the MBean interface at deployment time.