Oracle® Communications Order and Service Management System Administrator's Guide
Release 7.2.2

E35414-02

3 Setting Up OSM Security

This chapter describes how to set up security on your Oracle Communications Order and Service Management (OSM) system.

About OSM Security

You use the Oracle WebLogic Server Console to manage OSM security.

When you manage OSM security, you can perform the following tasks:

For more information about WebLogic security realms, refer to the WebLogic Server Console documentation.

Note:

OSM supports LDAP Version 2.

Adding Users to OSM

To add a user to OSM:

Adding Users to Groups in the WebLogic Server Console

All security for OSM users and groups is managed through the WebLogic Server Console. See the Oracle WebLogic Server documentation for more information about creating and deleting users and groups.

To add users to groups:

  1. Log in to the WebLogic Server Administration Console.

    You must be a WebLogic administrator.

  2. In the Domain Structure tree, click Security Realms.

    The Summary of Security Realms page is displayed.

  3. Click myrealm.

    The settings for the security realm are displayed.

  4. Click the Users and Groups tab.

    A list of users that have been configured is displayed.

  5. Click on a user.

    The user's description, password, and group membership are displayed. Users are assigned to one or more parent groups that have different levels of access to WebLogic resources, depending on the users' roles and the tasks they can perform. Groups in the WebLogic security realm represent the roles.

  6. On the page that displays the settings for the selected user, click the Groups tab.

  7. Select one or more groups from the Available list and click the right arrow to move them to the Chosen list. Grant only the groups the user actually needs; see "Required Groups and Users" for what each group allows.

  8. Click Save.

Creating Workgroups as Roles in Design Studio

In Design Studio, you create roles and assign permissions to give users in that role access to related functions in the Task and Order Management Web Clients.

Note:

You assign individual users to roles using the Administrator application. See OSM Administrator Application User's Guide for more information.

Table 3-1 describes the Web client functions to which you provide access. Most of these are applicable only to the Task Web Client. Only the Reference Number Modification permission is also applicable to the Order Management Web Client.

Table 3-1 Web Client Permissions

Function Description

Create Versioned Orders

Enables users to create orders for different versions of cartridges. If not granted this permission, users can only create orders for the default version of the cartridge.

Exception Processing

Enables users to alter the flow of a process by applying exception statuses at any time throughout the process.

Online Reports

Enables users to view summarized reports on all orders and tasks on the system.

Order Priority Modification

Enables users to modify the priority of a task in an order.

Reference Number Modification

Enables users to modify the reference number of an order.

Search View

Enables users to access the order Query function.

Task Assignment

Enables users to assign tasks to others.

Worklist Viewer

Enables users to access the Worklist function.


In addition to granting Web client permissions, you can also grant permissions at the order level (by associating a role to an order type) and the task level.

See the discussion about creating new roles in the Design Studio Modeling OSM Processes Help for more information. After you create a role, you must assign permissions to the role entities. See the description of the Role Editor Role tab in the Design Studio Modeling OSM Processes Help for more information about permissions for role entities.

Assigning Users to Workgroups in OSM Administrator

See the discussion about assigning users to a workgroup in OSM Administrator Application User's Guide for more information.

Required Groups and Users

When you install OSM, the required groups and users are created automatically. If you use another security implementation such as LDAP, they are not created for you: you must create groups with the names listed in Table 3-2 in that security implementation and add users to them manually.

Table 3-2 lists the groups and the members of each group.

Table 3-2 Groups and Access Members

Group Name Access

OMS_client

All users of the OSM Web Client or OSM HTTP XML API must belong to this group.

OMS_workgroup_manager

Gives members the ability to create and modify workgroups using the OSM Administrator. They cannot add users to workgroups.

OMS_user_assigner

Gives members the ability to add users to workgroups from the OSM Administrator.

OMS_log_manager

Gives access to the log4jAdmin web page for reading log messages.

OMS_designer

Members can do all process modeling, order modeling, and system maintenance. They cannot create or modify workgroups, or assign users to workgroups.

Administrators

Gives access to:

  • the WebLogic Server administrative user; that is, the alias that starts the WebLogic Server

  • WebLogic Server instances

  • WebLogic Server clusters

  • security parameters, including managing users, groups, and roles

  • deploying your applications

  • monitoring server and application performance

  • viewing server and domain log files

  • viewing application deployment descriptors

  • editing selected run-time application deployment descriptor elements

Membership of Administrators is full control of the WebLogic domain, including the security realm itself, so keep it to the accounts that administer the server; OSM operators and designers belong in the OMS_* groups instead.


Using Secure Sockets Layer

OSM supports three levels of security for interactive users:

Changing Secure Sockets Layer Configuration in OSM

You configure SSL for OSM using the XML parameter file web.xml which is stored in the oms.war file inside the oms.ear file. To edit the web.xml file, you must unpack the oms.ear file, edit the web.xml file, and then repack the oms.ear file and re-deploy it to the OSM server.

To change SSL configuration on the OSM server:

  1. Locate and extract the web.xml file from the oms.ear/oms.war file.

  2. Add or modify the parameter secure_login in the web.xml file.

  3. Edit the parameter value as follows:

    • For no SSL support, enter 0. Credentials are then submitted over plain HTTP, so use this only on isolated test systems.

    • For SSL support, enter 1.

  4. Save the file.

  5. Repack the oms.war and oms.ear files with the edited web.xml and redeploy oms.ear to the OSM server.
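The unpack, edit, repack cycle above is easy to get wrong by hand (a re-zipped oms.war with the wrong compression, or a web.xml where the parameter was added twice). The following script is an added example, not an Oracle tool, that performs the edit in place on a copy of oms.ear. It assumes secure_login is a context-param in WEB-INF/web.xml (the page only says "the parameter secure_login in the web.xml file"), and the sample web.xml it builds for the self-test is constructed here, not taken from an OSM installation.

```python
import io
import os
import sys
import tempfile
import zipfile
import xml.etree.ElementTree as ET

WAR_NAME = "oms.war"          # member of oms.ear, as described on this page
WEB_XML = "WEB-INF/web.xml"   # standard location of web.xml inside a .war
PARAM = "secure_login"        # assumed to be a <context-param> (see lead-in)


def _q(root, local):
    """Qualify a local element name with the namespace of the document root, if any."""
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    return f"{{{ns}}}{local}" if ns else local


def _find_param(root):
    for cp in root.findall(_q(root, "context-param")):
        if (cp.findtext(_q(root, "param-name")) or "").strip() == PARAM:
            return cp
    return None


def get_secure_login(web_xml: bytes):
    """Current value of secure_login, or None when the parameter is absent."""
    root = ET.fromstring(web_xml)
    cp = _find_param(root)
    if cp is None:
        return None
    return (cp.findtext(_q(root, "param-value")) or "").strip()


def set_secure_login(web_xml: bytes, value: str) -> bytes:
    """Return web.xml with secure_login set to value, adding the parameter if missing."""
    if value not in ("0", "1"):
        raise ValueError("secure_login must be '0' (no SSL) or '1' (SSL)")
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):
        # keep the default namespace unprefixed when serialising
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    cp = _find_param(root)
    if cp is None:
        cp = ET.SubElement(root, _q(root, "context-param"))
        ET.SubElement(cp, _q(root, "param-name")).text = PARAM
    pv = cp.find(_q(root, "param-value"))
    if pv is None:
        pv = ET.SubElement(cp, _q(root, "param-value"))
    pv.text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def _replace_member(zip_bytes: bytes, member: str, new_data: bytes) -> bytes:
    """Copy a zip archive, replacing one member; compression and attributes are kept."""
    src = zipfile.ZipFile(io.BytesIO(zip_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == member else src.read(info.filename)
            dst.writestr(info, data)
    return out.getvalue()


def set_secure_login_in_ear(ear_in: str, ear_out: str, value: str) -> None:
    """Write a copy of ear_in to ear_out with secure_login in oms.war/WEB-INF/web.xml set."""
    with open(ear_in, "rb") as f:
        ear = f.read()
    war = zipfile.ZipFile(io.BytesIO(ear)).read(WAR_NAME)
    web_xml = zipfile.ZipFile(io.BytesIO(war)).read(WEB_XML)
    new_war = _replace_member(war, WEB_XML, set_secure_login(web_xml, value))
    with open(ear_out, "wb") as f:
        f.write(_replace_member(ear, WAR_NAME, new_war))


# Constructed sample web.xml for the self-test; not from an OSM installation.
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <display-name>oms</display-name>
  <context-param>
    <param-name>secure_login</param-name>
    <param-value>0</param-value>
  </context-param>
</web-app>
"""


def demo() -> str:
    """Build a throwaway oms.ear, switch secure_login to 1, and read the value back."""
    with tempfile.TemporaryDirectory() as d:
        war = io.BytesIO()
        with zipfile.ZipFile(war, "w") as z:
            z.writestr(WEB_XML, SAMPLE_WEB_XML)
        ear_path = os.path.join(d, "oms.ear")
        with zipfile.ZipFile(ear_path, "w") as z:
            z.writestr(WAR_NAME, war.getvalue())
        out_path = os.path.join(d, "oms-ssl.ear")
        set_secure_login_in_ear(ear_path, out_path, "1")
        new_war = zipfile.ZipFile(out_path).read(WAR_NAME)
        return get_secure_login(zipfile.ZipFile(io.BytesIO(new_war)).read(WEB_XML))


if __name__ == "__main__":
    # usage: python secure_login.py oms.ear oms-ssl.ear 1
    set_secure_login_in_ear(sys.argv[1], sys.argv[2], sys.argv[3])
```

Run it against a copy of the deployed oms.ear, check the output with get_secure_login before redeploying, and keep the original archive so you can roll back. The script rejects any value other than 0 or 1, which catches the common mistake of writing "true".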

Setting Up a Caching Realm

If you use an external security implementation such as LDAP, you should also use a caching realm to improve performance. A caching realm holds the results of security checks in memory so that subsequent checks do not have to go back to the external security server. The default cache settings are sized for a small number of users in the external realm; if your external security implementation has a large number of users, the defaults do not help and you must adjust them.

To set up a caching realm:

  1. Log in to the WebLogic Administration Console.

  2. In the Domain Structure tree, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select the realm from the table.

    The Settings for myrealm window is displayed.

    From this window, you can change the settings for your realm.

Using the XML Import/Export Application to Administer Users and Workgroups

The userAdmin command lets you add users to WebLogic groups and OSM workgroups using an XML document. The XML document contains the user information you want to add or configure based on the UserAdmin.xsd schema, which can be found in the \SDK\XMLImportExport\models directory.

Administering users in this way allows you to manage users in volume instead of assigning them individually, and it permits the integration of OSM users into a larger, enterprise system administration application.

You must encrypt the passwords in the source XML document prior to running the userAdmin command. Otherwise, when you run userAdmin, you will trigger an error indicating that the EncryptPasswords utility should be run. See "Using the EncryptPasswords Utility" for more information.

To run the userAdmin command, you should first modify the classpath in the config.bat file (if you are using the command-line script) or the xml.project.class.path in the build.xml file (if you are using Ant), to ensure the following:

To set up your environment and run the command:

  1. Define an XML file with the user information to add, similar to the sample shown below. See UserAdmin.xsd for more details on the XML schema.

    <userConfig xmlns="http://www.metasolv.com/Provisioning/UserConfig" 
    xmlns:oms="http://www.metasolv.com/OMS/OrderModel/2002/06/25" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.metasolv.com/Provisioning/UserConfig
    C:\Provisioning\SDK\XMLImportExport\models\UserAdmin.xsd">
       <user name="demo">
          <description>A test user</description>
       </user>
       <clientGroup>
          <user>demo</user>
       </clientGroup>
       <designerGroup>
          <user>demo</user>
       </designerGroup>
       <logManagerGroup>
          <user>demo</user>
       </logManagerGroup>
       <userAssignerGroup>
          <user>demo</user>
       </userAssignerGroup>
       <workgroupManagerGroup>
          <user>demo</user>
       </workgroupManagerGroup>
       <workgroup name="demo">
          <user>demo</user>
       </workgroup>
       <workgroup name="everyone">
          <user>demo</user>
       </workgroup>
    </userConfig>
    
  2. Encrypt the passwords in your source XML file. See "Using the EncryptPasswords Utility".

  3. If required, edit the config.xml file to modify your connection information to WebLogic. You must have the authority to administer users in WebLogic.

    <j2eeAdminConnection>
       <user>weblogic</user>
       <password>password</password>
       <hostname>localhost</hostname>
       <port>7001</port>
    </j2eeAdminConnection>
    

    Note:

    The <password> element in the config.xml file is optional. If you do not specify the password in the <password> element, you can supply it on the command line as follows:

    -j2eeAdminPassword <password>

    A password given on the command line is visible to other users of the host in the process list and may be recorded in the shell history, so prefer the encrypted <password> element on shared systems.

  4. Run the following command at the system prompt:

    userAdmin [XML_MODEL] [XML_CONFIG]
    

    Where:

    • XML_MODEL is the name of the XML model document containing the user information.

    • XML_CONFIG is the name of the configuration file.

    For example:

    userAdmin data/users.xml config/config.xml
    

    or

    ant userAdmin
    
  5. In the OSM Administrator, use the refresh buttons to refresh the Users and Workgroups lists, or use ant Refresh in the CDK to refresh the metadata.

  6. After the users have been created, you can assign functions and tasks to them using Design Studio.
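The point of userAdmin is to manage users in volume, which means the model document is usually generated rather than typed. The script below is an added example, not part of the OSM SDK, that builds a UserAdmin model from a list of users and refuses to emit one that would leave a user outside OMS_client (Table 3-2 requires that group for every Web Client and XML API user). The element names follow the sample model on this page; the mapping from those elements to the WebLogic group names in Table 3-2 is an assumption inferred from the names, the schema path is the one from the sample, and the user list is constructed for the example. It does not add password elements, which the sample above also omits.

```python
import xml.etree.ElementTree as ET

NS = "http://www.metasolv.com/Provisioning/UserConfig"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SCHEMA_PATH = r"C:\Provisioning\SDK\XMLImportExport\models\UserAdmin.xsd"

# WebLogic group -> element in the model. Elements are taken from the sample on
# this page; which Table 3-2 group each one stands for is an assumption. Insertion
# order is kept because it matches the sample, in case the schema is order-sensitive.
GROUP_ELEMENTS = {
    "OMS_client": "clientGroup",
    "OMS_designer": "designerGroup",
    "OMS_log_manager": "logManagerGroup",
    "OMS_user_assigner": "userAssignerGroup",
    "OMS_workgroup_manager": "workgroupManagerGroup",
}
# Groups that can change the model or workgroup membership (Table 3-2).
PRIVILEGED = {"OMS_designer", "OMS_workgroup_manager", "OMS_user_assigner"}

# Constructed sample input: (user name, description, WebLogic groups, OSM workgroups)
SAMPLE_USERS = [
    ("alice", "Order entry operator", ["OMS_client"], ["everyone", "provisioning"]),
    ("bob", "Workgroup administrator",
     ["OMS_client", "OMS_workgroup_manager", "OMS_user_assigner"], ["everyone"]),
    ("carol", "Cartridge designer", ["OMS_client", "OMS_designer"], ["everyone"]),
    ("dave", "Missing OMS_client on purpose", ["OMS_log_manager"], ["everyone"]),
]


def check_users(users):
    """Policy checks to run before the model is handed to userAdmin; returns problems."""
    problems, seen = [], set()
    for name, _, groups, _ in users:
        if name in seen:
            problems.append(f"{name}: duplicate user entry")
        seen.add(name)
        unknown = sorted(set(groups) - set(GROUP_ELEMENTS))
        if unknown:
            problems.append(f"{name}: unknown WebLogic group(s) {unknown}")
        if "OMS_client" not in groups:
            problems.append(f"{name}: not in OMS_client, cannot use the Web Client or XML API")
    return problems


def privileged_members(users):
    """Users who will be able to change the model or workgroup membership: review by hand."""
    return sorted(name for name, _, groups, _ in users if PRIVILEGED & set(groups))


def build_user_config(users) -> bytes:
    """Serialise the users as a UserAdmin model; raises ValueError if checks fail."""
    problems = check_users(users)
    if problems:
        raise ValueError("; ".join(problems))
    ET.register_namespace("", NS)
    ET.register_namespace("xsi", XSI_NS)
    root = ET.Element(f"{{{NS}}}userConfig")
    root.set(f"{{{XSI_NS}}}schemaLocation", f"{NS} {SCHEMA_PATH}")
    for name, desc, _, _ in users:
        u = ET.SubElement(root, f"{{{NS}}}user", name=name)
        ET.SubElement(u, f"{{{NS}}}description").text = desc
    for wl_group, element in GROUP_ELEMENTS.items():
        members_of = [name for name, _, groups, _ in users if wl_group in groups]
        if members_of:
            g = ET.SubElement(root, f"{{{NS}}}{element}")
            for m in members_of:
                ET.SubElement(g, f"{{{NS}}}user").text = m
    workgroups = {}
    for name, _, _, wgs in users:
        for wg in wgs:
            workgroups.setdefault(wg, []).append(name)
    for wg, members_of in sorted(workgroups.items()):
        w = ET.SubElement(root, f"{{{NS}}}workgroup", name=wg)
        for m in members_of:
            ET.SubElement(w, f"{{{NS}}}user").text = m
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def members(model: bytes, element: str, name=None):
    """Read back the <user> children of one group or workgroup element of a model."""
    root = ET.fromstring(model)
    for el in root.findall(f"{{{NS}}}{element}"):
        if name is None or el.get("name") == name:
            return [u.text for u in el.findall(f"{{{NS}}}user")]
    return []


if __name__ == "__main__":
    # Typical use: generate data/users.xml, then run EncryptPasswords and userAdmin.
    for p in check_users(SAMPLE_USERS):
        print("problem:", p)
    print("privileged:", privileged_members(SAMPLE_USERS))
    good = [u for u in SAMPLE_USERS if u[0] != "dave"]
    print(build_user_config(good).decode())
```

Feed the output to userAdmin only after EncryptPasswords has been run against the model and config.xml as described above; the privileged_members list is worth a second look before every bulk load, since those users can change what everyone else is allowed to do.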

Using the EncryptPasswords Utility

You use the EncryptPasswords utility to encrypt the user name and password credentials of XML Import/Export application users.

For information on the EncryptPasswords utility, see the following:

About the EncryptPasswords Utility

The EncryptPasswords utility (located in the OSM_home\SDK\XMLImportExport directory) is a password management utility that secures the credentials that the XML Import/Export application uses to access the OSM database, the XML API interface, and the WebLogic domain Administration Server. The EncryptPasswords utility encrypts the credentials, preventing their accidental exposure.

Running the EncryptPasswords utility script stores the user names and passwords of all XML Import/Export application users in encrypted format in the configuration file which the XML Import/Export application uses to provide these credentials (for example, OSM_home\SDK\XMLImportExport\config\config.xml). When the XML Import/Export application runs, it decrypts the passwords as part of loading its configuration file. Because the application can decrypt them, the encryption protects against accidental exposure of the file (for example, a copy pasted into a ticket or checked into a repository), not against someone who can both read the file and run the application, so restrict read access to the configuration file to the accounts that run the tool.

The EncryptPasswords utility can be run only by a user who has write access to the XML files in which the credentials are stored.

When you install the XML Import/Export application, you can optionally provide passwords for the OSM database, the XML API interface, and the WebLogic domain Administration Server. To set and reset those passwords, you run the EncryptPasswords utility. See "Running the EncryptPasswords Utility" for information on running the utility.

The EncryptPasswords utility prompts you to enter the user name and password credentials of each XML Import/Export application user that requires access to the OSM database, the XML API interface, and the WebLogic domain Administration Server. The utility then encrypts the credentials and stores their encrypted form in the configuration file specified when the utility is run.

Ant build files for the EncryptPasswords utility are located in the following directories:

  • OSM_home\SDK\CartridgeManagement\production

  • OSM_home\SDK\CartridgeManagement\development

The Ant build files have targets corresponding to each of the batch files in the OSM_home\SDK\XMLImportExport directory that include the EncryptPasswords functionality.

Running the EncryptPasswords Utility

Run the EncryptPasswords utility script:

  • As part of the initial setup of the XML Import/Export application

  • Each time the user name or password credentials of an XML Import/Export application user changes

See "About the EncryptPasswords Utility" for information on how the EncryptPasswords utility works.

Note:

To run the EncryptPasswords utility, you must have write access to the XML files in which the XML Import/Export application user credentials are stored.

To run the EncryptPasswords utility, use these arguments and syntax:

EncryptPasswords [XML_CONFIG] OPTIONAL{-dbUser} OPTIONAL{-xmlapiUser} OPTIONAL{-wlsUser}

where the optional flags select the systems for which the XML Import/Export application password is set or reset:

  • -dbUser: the OSM database

  • -xmlapiUser: the XML API interface

  • -wlsUser: the WebLogic domain Administration Server

and [XML_CONFIG] is the example XML Import/Export application configuration XML file (config_sample.xml) that you copied to a new file and renamed (for example, config.xml).

When you set a user's credentials, you specify only the systems that they use for the XML Import/Export application operations they perform. For example, if the user only imports or exports cartridges, you only need to specify the -dbUser flag.

Removing an Encrypted Password

To remove a user name and password for a user that no longer requires credentials, open the XML file where the credentials are stored and remove them manually. If you do not remove them manually, the user name and password combination continues to exist in the XML file.