Oracle® Communications Network Integrity Security Guide
Release 7.1

E25444-01
2 Performing a Secure Network Integrity Installation

This chapter presents planning information for your Oracle Communications Network Integrity system and describes recommended deployment topologies that enhance security.

For more information about installing Network Integrity, see Network Integrity Installation Guide.

Installing Network Integrity Securely

You can perform a custom installation or a typical installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, however, you can always remove or disable features you do not need after the installation is complete.

When installing Network Integrity, do the following:

Secure File System Access

Consider the following when planning your Network Integrity installation:

  • Access to files created during the installation is limited. To have access to the created files, the installer must have root or admin access.

  • Data Source passwords are encrypted using the Oracle AES algorithm. The encrypted passwords are stored in WebLogic Server configuration files.

Configure the following directories with the following permission settings:

  • WL_Home and all its subdirectories: 750 permissions. Set all files you create to 644.

  • Domain_Home and all its subdirectories: 750 permissions. Set all files you create to 644.

  • NI_Home and all its subdirectories (a temporary directory used during installation): 750 permissions. Set all files you create to 644.
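
One way to check the 750/644 settings listed above, as an added example that is not part of the Oracle guide or the product: a POSIX shell audit that reports every directory not at mode 750 and every regular file not at mode 644. The function names, script name and output format are assumptions of this example; files that carry an execute bit are reported as well and need individual review.

```shell
#!/bin/sh
# Added example (not Oracle code): audit directory trees against the
# 750 (directories) / 644 (files) modes given in this section.
# Function names and output format are assumptions of this example.

# audit_tree ROOT
#   Prints one line per deviation.
#   Returns 0 = tree matches, 1 = deviations found, 2 = ROOT is not a directory.
audit_tree() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "ERROR not a directory: $root" >&2
        return 2
    fi
    # A plain octal -perm is an exact match on all mode bits, so setuid,
    # setgid and sticky bits count as deviations too. Symbolic links are
    # neither followed nor reported.
    findings=$(
        find "$root" -type d ! -perm 750 -exec printf 'DIR  %s\n' {} +
        find "$root" -type f ! -perm 644 -exec printf 'FILE %s\n' {} +
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# audit_install_dirs DIR...
#   Audits each directory; returns 1 if any is missing or deviates.
audit_install_dirs() {
    status=0
    for dir in "$@"; do
        audit_tree "$dir" || status=1
    done
    return "$status"
}

# When run with arguments, audit them, for example (placeholder paths):
#   sh audit_perms.sh /path/to/WL_Home /path/to/Domain_Home /path/to/NI_Home
if [ "$#" -gt 0 ]; then
    audit_install_dirs "$@"
fi
```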

Set secure file system access permissions for the Oracle database and Oracle Internet Directory.

Note:

The Network Integrity Installer never writes or records its schema or base user account information to any file.

About Password Policies

Oracle recommends having strong password policies for Network Integrity and database schema users. Consider enforcing the following password policies:

  • Password length between 8 and 12 characters.

  • Password must contain at least one digit, one capital letter, and one special character. For example: WebLogic@123.

  • The user name must not be part of the password.

Stricter rules can be set for the authentication provider using the WebLogic Administration console. For details on authentication providers and their configuration, refer to the WebLogic administrator documentation.

See Network Integrity System Administrator's Guide for information about changing and setting Network Integrity passwords.

Securely Installing Cartridges

Oracle recommends installing Network Integrity cartridges over SSL. For details on installing or deploying the cartridges over SSL, see the Oracle Cartridge Deployer documentation.

For the File Transfer and Parsing cartridge, enable secure file transfer. See File Transfer and Parsing Cartridge Guide for more information.

Securely Integrating BI Publisher with Network Integrity

Oracle Business Intelligence Publisher (BI Publisher) is installed into a WebLogic Server domain. When installing BI Publisher, configure it to communicate with the Oracle Database over an SSL-enabled channel, and disable all unused ports, especially unsecured ports. See the BI Publisher documentation for more information.

Post-Installation Configuration

This section explains security configurations to complete after Network Integrity is installed.

Setting Up User Accounts to Lock and Expire

Set up Network Integrity user accounts to lock after a certain number of failed login attempts, and to expire after a certain amount of idle time.

See Network Integrity System Administrator's Guide for information about changing and setting Network Integrity passwords.

Enabling SSL for Network Integrity Data Sources

When the Oracle Database communicates with Network Integrity through an SSL-enabled port, the following data source connections must also be configured to enable SSL communication:

  • CMWSPersistentDS

  • ESSDS

  • EssXADS

  • JobDispatcherDS

  • JobDispatcherPersistentDS

  • mds-commsRepository

  • mds-ESS_MDS_DS

  • NIDataSource

  • NIPersistentDS

  • PomsPersistentDS

For information about configuring data sources, see Oracle Database Security Guide.

Enabling SSL for LDAP Authentication Provider

For secure communication between WebLogic Server and an external LDAP, enable SSL on both the external LDAP and the corresponding WebLogic Security Provider. SSL on the WebLogic Security Provider is enabled from the WebLogic Administration console.

For secure communication between WebLogic Server and Oracle Internet Directory, see Oracle Fusion Middleware Securing Oracle WebLogic Server.