Oracle® Communications IP Service Activator Security Guide
Release 7.2

E35657-01

3 Implementing IP Service Activator Security

This chapter explains the security features of Oracle Communications IP Service Activator.

Configuring and Using Access Control

This section explains the authorization system used to control access to data, resources, and processes. Authorization is used to control access by:

  • Permitting only certain users access or actions

  • Applying varying limitations on user access or actions

IP Service Activator uses groups and roles to control access to network topology objects. To change these settings, start the IP Service Activator client and follow the steps in "About Users and Security" in IP Service Activator System Administrator's Guide. The IP Service Activator user password policies are also defined in the IP Service Activator client. For more information, see "Passwords" in IP Service Activator System Administrator's Guide.

Configuration Management Access Levels

A Configuration Management user with Read/Write access can be restricted to do any or all of the following:

  • Restore an archive

  • Activate a configlet

  • Unlock an archive

By default, the user with this access level is allowed to:

  • Change permissions

  • Start the Configuration GUI and click the Configuration Management Server tab

  • Select the operations that you want to restrict, or unselect the operations that you want to allow, and click Commit to implement the changes

Users with SuperUser permissions can do all of the above, and users with Read permissions can only view; Read permissions operate like read-only mode.

IP Service Activator User Accounts

Oracle recommends that you use a separate router user account to log in and provision the devices. This is the user account that is defined and used under the IP Service Activator Device Security panel. If there is a security threat, this user can be locked out by the Administrator.

Configuration Management Security

Oracle recommends that you create a custom IP Service Activator user for the Configuration Management server so that you can monitor and audit Configuration Management activities. You must also ensure that each user has a separate account/user to log in to Configuration Management so that you can monitor and audit operations described in "Configuring and Using Security Audit".

If you are using the restore functionality, Oracle recommends that you clean the router configuration out of the directory after the restore. If the router configuration is left in the directory, it could be downloaded by other users.

Configuring and Using Security Audit

Each application (IP Service Activator, Oracle Database, and WebLogic) has separate logs and audit logs that you can use to monitor activities. You can view WebLogic audit logs and IP Service Activator Web service logs using the Enterprise Manager (if enabled) or in a text editor.

The IP Service Activator application audit and system logs are stored in the application installation directory. You can open these files in a text editor.

For information about the WebLogic logs, see the WebLogic Server documentation.

For information about the Oracle logs, see the Oracle Database documentation.

IP Service Activator Logs

IP Service Activator logs all the commands and configuration sent to the routers. The logs are located in the Audit Trails directory under the IP Service Activator installation directory, and you can view them in a text editor. For example:

/opt/OracleCommunications/ServiceActivator/AuditTrails

IP Service Activator stores and records all transactions, their operations, and their statuses, which you can view using the client. For more information about logs, see IP Service Activator System Administrator's Guide.

You can open these logs in a text editor.

The following examples show sample IP Service Activator Device configuration logs.

2012-05-17 21:10:55|10.156.68.43|#Applying Configuration
2012-05-17 21:10:56|10.156.68.43|terminal length 0
2012-05-17 21:10:56|10.156.68.43|conf t
2012-05-17 21:10:56|10.156.68.43|interface Tunnel899
2012-05-17 21:10:56|10.156.68.43|description test
2012-05-17 21:10:57|10.156.68.43|alias exec IpsaConfigVersion 2012-05-17T21:10:55.653Z
2012-05-17 21:10:57|10.156.68.43|end
2012-05-17 21:10:57|10.156.68.43|copy running-config startup-config
2012-05-17 21:10:57|10.156.68.43|startup-config
2012-05-17 21:10:59|10.156.68.43|logout
2012-05-17 21:11:00|10.156.68.43|#End Configuration
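
The following added example (not part of the Oracle guide or product) shows one way to review an audit trail in the timestamp|device|command layout above: it groups commands into per-device sessions between the "#Applying Configuration" and "#End Configuration" markers and reports sessions that never closed. The sample text is constructed, and the names parse_sessions and unfinished are hypothetical; it assumes that sessions for different devices can interleave in one file.

```python
from datetime import datetime

# Constructed sample in the timestamp|device|command layout shown above.
SAMPLE = """\
2012-05-17 21:10:55|10.156.68.43|#Applying Configuration
2012-05-17 21:10:56|10.156.68.43|conf t
2012-05-17 21:10:56|10.156.68.43|interface Tunnel899
2012-05-17 21:10:57|10.156.68.43|end
2012-05-17 21:11:00|10.156.68.43|#End Configuration
2012-05-17 21:12:01|192.0.2.7|#Applying Configuration
2012-05-17 21:12:02|192.0.2.7|conf t
2012-05-17 21:12:03|192.0.2.7|interface Loopback0
this line is damaged
"""

START, END = "#Applying Configuration", "#End Configuration"

def parse_sessions(text):
    """Return (sessions, rejects). A session holds the device, start time,
    end time (None if never closed) and the commands sent in between."""
    open_by, sessions, rejects = {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("|", 2)  # a command may itself contain '|'
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            device, cmd = parts[1], parts[2]
        except (ValueError, IndexError):
            rejects.append((n, line))  # not in the expected layout
            continue
        if cmd == START:
            if device in open_by:  # earlier session never closed
                sessions.append(open_by.pop(device))
            open_by[device] = {"device": device, "start": ts, "end": None, "commands": []}
        elif device not in open_by:
            rejects.append((n, line))  # command outside any session
        elif cmd == END:
            done = open_by.pop(device)
            done["end"] = ts
            sessions.append(done)
        else:
            open_by[device]["commands"].append(cmd)
    sessions.extend(open_by.values())  # still open at end of file
    return sessions, rejects

def unfinished(sessions):
    """Devices whose configuration session has no end marker."""
    return [s["device"] for s in sessions if s["end"] is None]
```

Rejected lines and unfinished sessions are the entries worth a manual look, since they fall outside the layout the sample logs show.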

Configuration Management Audit Logs

Configuration Management has audit logs that show the user and the operation performed. The logs are located in the WebLogic domain logs. For example:

/opt/Oracle/Middleware/user_projects/domains/DomainName/cmuser.audit.log

You can open these logs in a text editor.

Table 3-1 shows sample Configuration Management audit logs.

Table 3-1 Sample Audit Logs

| Operation | Sample Audit Log Text |
|---|---|
| Logging in to Configuration Management | 2012-05-17 11:55:55 The user admin has successfully logged in. |
| Logging out of Configuration Management | 2012-05-17 11:57:56 The user admin has logged out. |
| Unsuccessful login to Configuration Management | 2012-05-17 11:57:56 The user admin was not successful logging in. |
| A schedule is being created in Configuration Management | 2012-05-17 17:07:59 Schedule Order operation invoked by user admin. |
| An archive is being created in Configuration Management | 2012-05-17 17:08:33 Archive Order operation invoked by user admin. |
| An archive is being deleted from Configuration Management | 2012-05-17 17:09:33 Delete Archive operation invoked by user admin. |
| A configlet is being activated in Configuration Management | 2012-05-17 17:10:16 Configlet Order operation invoked by user admin. |
| A configlet is being deleted from Configuration Management | 2012-05-17 17:10:18 Delete Configlet operation invoked by user admin. |
| A restore is being sent to Configuration Management | 2012-05-17 17:10:26 Restore Order operation invoked by user admin. |
| A change tracking policy is being sent to Configuration Management | 2012-05-17 17:10:36 Change Tracking Order operation invoked by user admin. |
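
The following added example (not part of the Oracle guide or product) parses audit lines worded as in Table 3-1 and produces a short review: users with repeated unsuccessful logins, and restore or delete operations with the invoking user. The sample lines, the user name opsuser, the failure threshold and the choice of watched operations are assumptions; it also assumes user names contain no spaces.

```python
import re
from collections import Counter

# Constructed sample using the message wording from Table 3-1;
# "opsuser" is a placeholder user name.
SAMPLE = """\
2012-05-17 11:55:10 The user opsuser was not successful logging in.
2012-05-17 11:55:21 The user opsuser was not successful logging in.
2012-05-17 11:55:40 The user opsuser was not successful logging in.
2012-05-17 11:55:55 The user admin has successfully logged in.
2012-05-17 17:08:33 Archive Order operation invoked by user admin.
2012-05-17 17:09:33 Delete Archive operation invoked by user admin.
2012-05-17 17:10:26 Restore Order operation invoked by user admin.
2012-05-17 17:30:00 The user admin has logged out.
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
PATTERNS = [
    ("login_ok", re.compile(TS + r"The user (?P<user>\S+) has successfully logged in\.$")),
    ("login_failed", re.compile(TS + r"The user (?P<user>\S+) was not successful logging in\.$")),
    ("logout", re.compile(TS + r"The user (?P<user>\S+) has logged out\.$")),
    ("operation", re.compile(TS + r"(?P<op>.+) operation invoked by user (?P<user>\S+)\.$")),
]
# Operations surfaced for review; this selection is an assumption.
WATCHED = {"Restore Order", "Delete Archive", "Delete Configlet"}

def parse(text):
    """Turn audit lines into event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events

def review(events, max_failures=3):
    """Summarise repeated login failures and watched operations."""
    fails = Counter(e["user"] for e in events if e["kind"] == "login_failed")
    return {
        "repeated_failures": sorted(u for u, n in fails.items() if n >= max_failures),
        "watched_ops": [(e["ts"], e["user"], e["op"]) for e in events
                        if e["kind"] == "operation" and e["op"] in WATCHED],
    }
```

Because the log records the user name for every operation, the review is only meaningful when each person logs in with a separate account, as recommended under "Configuration Management Security".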


Security Considerations for Developers

To create new components for IP Service Activator without compromising security, do not under any circumstance log credentials or store them in clear text when you pass them. If the component or program resides on a different computer than the integration manager, Oracle recommends setting up an SSH tunnel to ensure that the traffic is encrypted.