Skip Headers
Oracle® Communications Network Integrity Security Guide
Release 7.1

E25444-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

3 Implementing Network Integrity Security

This chapter explains the security features of Oracle Communications Network Integrity.

Configuring and Using Authentication

Authentication is the mechanism by which users provide specific information as a proof of having access to a system. Authentication answers the question “Who are you?” using credentials such as username and password.

In Oracle WebLogic Server, authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system when needed. During the authentication process, a principal validation provider provides additional security protection for the principals (users and groups) contained within the subject by signing and verifying the authenticity of those principals.

Network Integrity supports the following authentication providers:

Other security providers are supported using WebLogic Server Application server.

Oracle recommends Oracle Internet Directory as your authentication provider.

Network Integrity uses username and password authentication. See Network Integrity System Administrator's Guide for more information.

Whether Network Integrity is configured to communicate with WebLogic Server over HTTP or HTTPS, login authentication is always sent over a secured HTTPS channel.

If you are using a Web services interface, authentication details are supplied with each request using the Username token header. See Network Integrity Developer's Guide for more information.

Java Authentication and Authorization Service

WebLogic Server uses the Java Authentication and Authorization Service (JAAS) classes to authenticate to the client, whether the client is an application, applet, Enterprise JavaBean, or servlet that requires authentication.

JAAS implements a Java version of the Pluggable Authentication Module (PAM) framework, which permits applications to remain independent from underlying authentication technologies. Therefore, the PAM framework allows the use of new or updated authentication technologies without requiring modifications to the application.

About Callback Handlers

A callback handler is a flexible JAAS standard that allows a variable number of arguments to be passed as complex objects to a method.

There are three types of callback handlers: NameCallback, PasswordCallback, and TextInputCallback, all of which are part of the javax.security.auth.callback package. NameCallback and PasswordCallback return the username and password, respectively. You can use TextInputCallback to access the data users enter into any additional fields on a login form (that is, fields other than those for obtaining the username and password). When used, there should be one TextInputCallback per additional form field, and the prompt string of each TextInputCallback must match the field name in the form. WebLogic Server uses only the TextInputCallback for form-based Web application login.

An application implements a callback handler and passes it to underlying security services so that they may interact with the application to retrieve specific authentication data, such as user names and passwords, or to display certain information, such as error and warning messages.

Callback handlers are implemented in an application-dependent fashion. For example, implementations for an application with a UI may pop up windows to prompt for requested information or to display error messages. An implementation may also choose to obtain requested information from an alternative source without asking the user.

Underlying security services make requests for different types of information by passing individual call backs to the callback handler. The callback handler implementation decides how to retrieve and display information depending on the call backs passed to it.

Configuring and Using Access Control

Authorization is used to control access by:

Network Integrity has a single user role: NetworkIntegrityRole. Every user must have this role to access and perform any action in Network Integrity.

Users without the NetworkIntegrityRole role are prevented from logging in and are shown the following message:

You do not have any permission.

Configuring and Using Security Audit

Network Integrity, Oracle database, and Oracle Internet Directory allow you to record logs of every action to the WebLogic Server logs. Audit logs can be viewed using the Enterprise Manager or with a text editor.

Auditing provides an electronic trail of computer activity. In the WebLogic Server security architecture, an auditing provider is used to provide auditing services.

If WebLogic Security Framework configured, it calls through to an auditing provider before and after security operations (such as authentication or authorization) have been performed, when changes to the domain configuration are made, or when management operations on any resources in the domain are run. The decision to audit a particular event is made by the Auditing provider itself and can be based on specific audit criteria or severity levels. The records containing the audit information may be written to output repositories such as an LDAP server, database, and a file.

See the WebLogic Server documentation and the Oracle Database documentation for information about enabling audit logs.

The following examples show sample audit logs.

Example 3-1 Sample Audit Log for Logging Onto Network Integrity

[2011-09-14T10:41:47.684+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bXnYZ17iJLMmCCye1ES8Co000016,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Login

Example 3-2 Sample Audit Log for Creating a Scan in Network Integrity

[2011-09-14T10:49:53.311+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZe5617iJLMmCCye1ES8Co00002U,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Create Scan 'UIM CISCO' starts
...
[2011-09-14T10:49:53.400+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZe5617iJLMmCCye1ES8Co00002U,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Create Scan 'UIM CISCO' ends

Example 3-3 Sample Audit Log for Running a Scan in Network Integrity

[2011-09-14T10:50:35.804+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZneR17iJLMmCCye1ES8Co00002a,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Scan for 'UIM CISCO'  with scanrun ID '627023' Starts
...
[2011-09-14T10:50:40.588+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZpbz17iJLMmCCye1ES8Co00002e,0] [APP: NetworkIntegrity] NI-Action: Scan for 'UIM CISCO' with scanrun ID '627023' Completed

Example 3-4 Sample Audit Log for Logging Off of Network Integrity

[2011-09-14T10:41:37.970+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bXlAk17iJLMmCCye1ES8Co000012,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Logout

Scan Parameter Security

All scan parameters are encrypted with the advanced encryption standard (AES) algorithm and are stored in the Oracle database.

Secure Access to Network Integrity Web Services

The Web services API is standards based using JAX-WS over HTTPS. The Network Integrity Web services API uses the same security access level as the Network Integrity UI. So any user able to log in to Network Integrity can also use the Web Service API. This is assigned using the NetworkIntegrityRole.

Managing Network Integrity Security

Network Integrity System Administrator's Guide contains information on the following security management topics: