Oracle® Communications Network Integrity System Administrator's Guide
Release 7.2.2

Part Number E36030-01

2 Managing Network Integrity Security

This chapter describes security fundamentals for Oracle Communications Network Integrity, and also provides procedures to configure user passwords and manage users.

About Network Integrity Security

Network Integrity security includes the following aspects:

Oracle Platform Security Services (OPSS)

Oracle Platform Security Services (OPSS) provides a security framework for Java Standard Edition (Java SE) and Java Enterprise Edition (Java EE) applications. OPSS is both a security framework exposing security services and APIs, and a platform offering concrete implementation of security services. It includes these five elements:

Security Realms

A security realm comprises mechanisms for protecting WebLogic resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. A user must be defined in a security realm to access any WebLogic resources belonging to that realm. When a user attempts to access a particular WebLogic resource, WebLogic Server tries to authenticate and authorize the user by checking the security role assigned to the user in the relevant security realm and the security policy of the particular WebLogic resource.

Security Providers

Security providers are modules that “plug into” a WebLogic Server security realm to provide security services to applications. They call into the WebLogic Security Framework on behalf of applications. You can use the security providers that are provided as part of the WebLogic Server product, purchase custom security providers from third-party security vendors, or develop your own custom security providers.

During installation, you choose one of the following security providers for Network Integrity:

  • The default WebLogic security provider (Embedded LDAP)

  • Any external security provider

  • Any other security provider, if only its Authentication provider is used

See Network Integrity Installation Guide for more information on setting up security providers for Network Integrity.

About the Embedded LDAP Server

WebLogic Server uses its embedded LDAP server as the database that stores user, group, security roles, and security policies for the WebLogic security providers. The embedded LDAP server supports the following access and storage functions:

  • Access and modification of entries in the LDAP server

  • Use of an LDAP browser to import and export security data into and from the LDAP server

  • Read and write access by the WebLogic security providers

Note:

WebLogic Server does not support adding attributes to the embedded LDAP server.

Table 2-1 provides the usage information for the WebLogic Server's embedded LDAP server.

Table 2-1 Usage Information for WebLogic Server's Embedded LDAP Server

WebLogic Security Provider   Embedded LDAP Server Usage
--------------------------   ------------------------------------------------------------
Authentication               Stores user and group information
Identity Assertion           Stores user and group information
Authorization                Stores security roles and security policies
Adjudication                 None
Role Mapping                 Supports dynamic role associations by obtaining a computed set
                             of roles granted to a requester for a given WebLogic resource
Auditing                     None
Credential Mapping           Stores username-password credential mapping information
Certificate Registry         Stores registered end certificates


Figure 2-1 provides an illustration of the embedded LDAP server.

Figure 2-1 Embedded LDAP Server Illustration


About External Security Provider - Oracle Internet Directory

Oracle Internet Directory is a general purpose directory service that combines Lightweight Directory Access Protocol (LDAP) Version 3 with an Oracle Database. It is a component of Oracle Identity Management which is an integrated infrastructure that provides distributed security services for Oracle products and other enterprise applications. Oracle Internet Directory runs as an application on an Oracle Database. It communicates with the database by using Oracle Net Services, Oracle's operating system-independent database connectivity solution. The database may or may not be on the same host.

Oracle Internet Directory includes:

  • Oracle directory server, which responds to client requests for information about people and resources, and to updates of that information, by using a multi-tiered architecture directly over TCP/IP.

  • Oracle directory replication server, which replicates LDAP data between Oracle directory servers.

  • Directory administration tools, which include:

    • Oracle Directory Manager, which has a Java-based graphical user interface

    • A number of command-line administration and data management tools invoked from LDAP clients.

    • Directory server management tools within Oracle Enterprise Manager. These tools enable you to:

      • Monitor real-time events and statistics from a normal browser

      • Start the process of collecting such data into a new repository

  • Oracle Internet Directory Software Developer's Kit.

Figure 2-2 provides an illustration of the Oracle Internet Directory.

Figure 2-2 Oracle Internet Directory Illustration


For more information on Oracle Internet Directory, see the Oracle Internet Directory documentation at the following link:

http://www.oracle.com/technology

Note:

For information on any other external security providers, see the respective product documentation.

Security Provider Databases

A security provider database contains the users, groups, security roles, security policies, and credentials used by some types of security providers to provide security services. For example, an authentication provider requires information about users and groups; an authorization provider requires information about security policies; a role mapping provider requires information about security roles, and a credential mapping provider requires information about credentials to be used to remote applications. These security providers need this information to be available in a database to function.

The security provider database can be the embedded LDAP server (as used by the WebLogic security providers), a properties file (as used by the sample custom security providers, available on the Web), or a production-quality, customer-supplied database that you may already be using.

Note:

The sample custom security providers are available on the Oracle Technology Network web site at the following location:

http://www.oracle.com/technology/community/welcome-bea/index.html

The security provider database must be initialized the first time you use the security providers, that is, before the security realm that contains them is set as the default (active) security realm. This initialization can happen:

  • When a WebLogic Server instance boots

  • When a call is made to a security provider's MBeans

At minimum, the security provider database is initialized with the default groups, security roles, and security policies provided by WebLogic Server.

See Security Providers and WebLogic Resources for more information.

If you have multiple security providers of the same type configured in the same security realm, these security providers may use the same security provider database. This behavior holds true for all of the WebLogic security providers.

For example, if you configure two WebLogic Authentication providers in the default security realm (called myrealm), both use the same location in the embedded LDAP server as their security provider database and therefore see the same users and groups. If you add a user or group through one WebLogic Authentication provider, it appears in the other as well.

Note:

If you have two WebLogic security providers of the same type configured in two different security realms, each uses its own security provider database. Only one security realm can be active at a time.

Third-party security providers can be designed so that each instance of the provider uses its own database, or so that all instances of the provider in a security realm share the same database.

About Network Integrity User Password

You create a password for the Network Integrity user during Network Integrity installation when you are creating the user and the associated user credentials. In case you do not create a Network Integrity user during installation, you can do so using the Oracle WebLogic Administration Console.

Changing the Network Integrity User Password

You can change a Network Integrity user's password using the Network Integrity user interface or the Oracle WebLogic Administration Console.

Note:

A Network Integrity user password can be changed using the Network Integrity user interface only if you are using the Embedded LDAP (the default WebLogic security provider).

For information on changing application user passwords when you are using an external security provider, see the respective product documentation.

Changing the Network Integrity User Password Using the UI

To change the Network Integrity user password using the Network Integrity UI:

Note:

This procedure changes the password of the account you are currently logged in to Network Integrity with.

  1. Log in to the Network Integrity application.

    The Manage Scans screen appears by default.

  2. In the Links section in the left pane, select Change Password.

    The Change Password screen appears.

    You can see the user name for the account for which you are changing the password.

  3. Do the following:

    1. In the Current Password field, enter the current password for this user account.

    2. In the New Password field, enter the new password.

    3. In the Verify New Password field, enter the new password again.

    4. Click Save and Close.

      The password for this user is changed.

Changing the Network Integrity User Password Using the Administration Console

To change the Network Integrity user's password using the Administration Console:

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Users and Groups tab to display it.

    The Users tab is displayed by default. If not, then select the Users tab to display it.

  5. In the Users table, click the user for which you want to change the password.

    The Settings for User screen appears.

  6. Select the Passwords tab to display it.

  7. In the New Password field, enter the new password for the user.

  8. In the Confirm New Password field, enter the new password for the user again.

  9. Click Save.

    The password for this user is changed.

Changing the WebLogic Administrator Password

To change the WebLogic administrator password:

  1. Log in to the Oracle WebLogic Server Administration Console, using the Administrator's credentials.

    The WebLogic Administration Console Home appears.

  2. Select Security Realms under Your Application's Security Settings.

    The Summary of Security Realms screen appears.

  3. In the Realms table, select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Users and Groups tab to display it.

    Within this tab, the Users tab is displayed by default.

    You can view all users in this tab.

  5. In the Users table, click the WebLogic administrator user (AdminUser in this procedure) whose password you want to change.

    The Settings for the AdminUser screen appears.

    The General tab is displayed by default.

  6. Select the Passwords tab to display it.

  7. In the New Password field, enter the new password.

  8. In the Confirm New Password field, enter the new password again.

  9. Click Save.

    The password for the WebLogic Administrator is changed.

Setting User Lockout Attributes

You set the user lockout attributes using the Oracle WebLogic Administration Console.

To set the user lockout attributes:

  1. Log in to the Oracle WebLogic Server Administration Console, using the Administrator's credentials.

    The WebLogic Administration Console Home appears.

  2. In the Change Center on the left, click Lock & Edit.

  3. Select Security Realms under Your Application's Security Settings.

    The Summary of Security Realms screen appears.

  4. In the Realms table, select YourRealm.

    The Settings for YourRealm screen appears.

  5. In the Configuration tab, select the User Lockout tab to display it.

  6. Do the following:

    1. Select Lockout Enabled to enable user lockout.

    2. In the Lockout Threshold field, enter the maximum number of consecutive invalid login attempts that can occur before a user's account is locked out.

    3. In the Lockout Duration field, enter the value for the user lockout duration, which is the number of minutes that a user's account is locked out.

    4. In the Lockout Reset Duration field, enter the value, in minutes, of the window within which consecutive invalid login attempts cause a user's account to be locked out. The user is not locked out if the lockout threshold is not reached within this window.

    5. In the Lockout Cache Size field, enter a value for the number of invalid login records (between 0 and 99999) that the server places in a cache.

    6. In the Lockout GC Threshold field, enter the value for the maximum number of invalid login records that the server keeps in memory.

  7. Click Save.

  8. In the Change Center of the Administration Console, click Activate Changes.

  9. Restart WebLogic Server.

    User lockout attributes are set.

Unlocking User Accounts

To unlock a user account:

  1. Log in to the Oracle WebLogic Server Administration Console, using the Administrator's credentials.

    The WebLogic Administration Console Home appears.

  2. In the Change Center on the left, click Lock & Edit.

  3. In the left pane, select YourDomain.

    The Settings for YourDomain screen appears.

  4. Select the Security tab to display it, then select and display the Unlock User tab.

  5. In the Unlock User field, enter the name of the user to be unlocked.

  6. Click Save.

  7. In the Change Center of the Administration Console, click Activate Changes.

    The specified user is unlocked.
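The lockout settings and the unlock action in the two procedures above can also be applied with WLST (the WebLogic Scripting Tool, run as java weblogic.WLST after sourcing WL_HOME/server/bin/setWLSEnv.sh). The following script is an added example and is not part of this guide or of the Network Integrity product; the t3 URL, administrator user name, the WLS_ADMIN_PASSWORD environment variable, the lockout values and the user name niuser are assumptions to replace with your own. It sets the six User Lockout attributes in an edit session (the server restart noted above is still required), then walks the runtime tree of every running server to report whether the user is locked out and to clear the lockout, which is what the Unlock User tab does.

```jython
# Added example (WLST / Jython), not from the original guide.
# Assumed values: replace with those of your domain.
ADMIN_URL   = 't3://adminhost.example.com:7001'
ADMIN_USER  = 'weblogic'
LOCKED_USER = 'niuser'                 # account to inspect and unlock

from java.lang import System
# Read the administrator password from the environment rather than hard-coding it.
connect(ADMIN_USER, System.getenv('WLS_ADMIN_PASSWORD'), ADMIN_URL)

# Part 1: User Lockout attributes (Security Realms > YourRealm > Configuration > User Lockout).
# The numbers below are an assumed policy for illustration, not a recommendation.
edit()
startEdit()
realm = cmo.getSecurityConfiguration().getDefaultRealm()
ulm = realm.getUserLockoutManager()
ulm.setLockoutEnabled(true)
ulm.setLockoutThreshold(5)        # consecutive invalid attempts before lockout
ulm.setLockoutDuration(30)        # minutes the account stays locked
ulm.setLockoutResetDuration(5)    # minutes within which attempts count as consecutive
ulm.setLockoutCacheSize(5)        # invalid login records kept in the cache
ulm.setLockoutGCThreshold(400)    # maximum invalid login records kept in memory
save()
activate(block='true')
print 'Lockout attributes saved; restart WebLogic Server for them to take effect.'

# Part 2: inspect and clear a lockout (YourDomain > Security > Unlock User).
# Lockout state is tracked per running server, so each server runtime is visited.
domainRuntime()
for srt in cmo.getServerRuntimes():
    ulrt = srt.getServerSecurityRuntime().getDefaultRealmRuntime().getUserLockoutManagerRuntime()
    name = srt.getName()
    if ulrt.isLockedOut(LOCKED_USER):
        print name + ': ' + LOCKED_USER + ' is locked out, clearing'
        ulrt.clearLockout(LOCKED_USER)
    else:
        print name + ': ' + LOCKED_USER + ' is not locked out'
    print name + ': invalid login attempts so far: ' + str(ulrt.getInvalidLoginAttemptsTotalCount())

disconnect()
```

Part 1 changes domain configuration and therefore needs the edit session (the scripted form of Lock & Edit and Activate Changes); Part 2 acts on runtime MBeans and takes effect immediately. Keep the script out of world-readable locations if you ever place a password in it instead of the environment variable.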

Managing Users

You manage Network Integrity users using the WebLogic Administration Console.

Network Integrity provides two user groups: one for accessing Network Integrity functionality, and the JD Group, whose members access the Job Dispatcher.

Network Integrity currently provides one role, NetworkIntegrityRole. All Network Integrity users are assigned this role and, by default, are also members of the JD Group.

The NetworkIntegrityRole role grants full access to the Network Integrity UI, allowing users to manage all scans, view results, and correct discrepancies.

Creating Users Using the WebLogic Administration Server Console

To create a user:

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Users and Groups tab to display it.

    The Users tab is displayed by default. If not, then select the Users tab to display it.

  5. In the Users tab, click New.

    The Create a New User screen appears.

  6. Do the following:

    1. In the Name field, enter the name for the new user.

    2. In the Description field, enter a description for the new user. This field is not mandatory.

    3. From the Provider list, select the security provider where the user credentials are saved.

    4. In the Password, and Confirm Password fields, enter a password for the new user.

    5. Click OK.

      The new user appears in the Users table.

About Managing Users in the External LDAP

For information regarding managing users in the external LDAP, see the relevant Administrator's Guide for the particular external LDAP that you are using.

Deleting Users Using the WebLogic Administration Server Console

To delete a user:

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Users and Groups tab to display it.

    The Users tab is displayed by default. If not, then select the Users tab to display it.

  5. In the Users table, select the user you want to delete.

    Caution:

    The WebLogic Administration Console does not ask for confirmation. Ensure that the selected user is the one you want to delete.

  6. Click Delete.

    The selected user is deleted and is not visible in the Users table.

Adding a User to a Group and Assigning a Role to the User

Note:

It is assumed that this Network Integrity user belongs to the JDGroup, which is the group of users accessing the Job Dispatcher.

To add a user to a group and assign that user a role:

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Users and Groups tab to display it.

    The Users tab is displayed by default. If not, then select the Users tab to display it.

  5. Select the User whose properties you want to modify.

    The Settings for User screen appears.

    The General tab is displayed by default.

  6. Select the Groups tab to display it.

  7. In the Parent Groups section, in the Available list, select the group you want to add the user to.

  8. Click the right arrow to move the selected group to the Chosen list.

  9. In the same way, select any other group the user needs. Roles in WebLogic Server are granted through group membership, so the user receives the roles mapped to the chosen groups.

  10. Click Save.

    The user is added to the chosen groups and receives the roles mapped to them.

Creating a Group in the WebLogic Administration Server Console

To create a group in the WebLogic Administration Console:

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Users and Groups tab to display it.

    The Users tab is displayed by default.

  5. Select the Groups tab to display it.

  6. Click New.

    The Create a New Group screen appears.

  7. In the Name field, enter a name for the new group.

  8. (Optional) In the Description field, enter a brief description of the group you are creating.

  9. Leave the Provider as Default Provider and click OK.

    The new group is created.
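The console procedures in this section for changing a user's password, creating and deleting users, adding a user to a group and creating a group all act on the embedded LDAP through the DefaultAuthenticator, and the same operations are available from WLST. The following script is an added example, not code from this guide or from the Network Integrity product; the t3 URL, administrator name, the environment variables holding passwords, the user name niuser and the group name NetworkIntegrityUsers are assumptions to replace with the names used in your realm.

```jython
# Added example (WLST / Jython), not from the original guide.
# Assumed values: replace with those of your domain and realm.
ADMIN_URL  = 't3://adminhost.example.com:7001'
ADMIN_USER = 'weblogic'
NEW_USER   = 'niuser'
NEW_GROUP  = 'NetworkIntegrityUsers'   # assumed name; use the group your realm maps to NetworkIntegrityRole

from java.lang import System
connect(ADMIN_USER, System.getenv('WLS_ADMIN_PASSWORD'), ADMIN_URL)

# User and group changes are live operations on the authentication provider, not domain
# configuration, so no edit session (Lock & Edit) is needed, exactly as in the console's
# Users and Groups tab.
serverConfig()
atn = cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider('DefaultAuthenticator')

# Create the group (Groups tab > New), then the user (Users tab > New), then the membership
# (Settings for User > Groups). Each step is skipped if it has already been done.
if not atn.groupExists(NEW_GROUP):
    atn.createGroup(NEW_GROUP, 'Network Integrity application users')

if not atn.userExists(NEW_USER):
    # The embedded LDAP rejects passwords shorter than 8 characters by default.
    atn.createUser(NEW_USER, System.getenv('NI_USER_INITIAL_PASSWORD'), 'Network Integrity user')

if not atn.isMember(NEW_GROUP, NEW_USER, true):
    atn.addMemberToGroup(NEW_GROUP, NEW_USER)

# Administrator password reset (Settings for User > Passwords): no current password needed.
# The self-service path used by the Network Integrity UI corresponds to
# atn.changeUserPassword(user, oldPassword, newPassword), which does require it.
newPassword = System.getenv('NI_USER_NEW_PASSWORD')
if newPassword:
    atn.resetUserPassword(NEW_USER, newPassword)

# List the user's groups; the reader MBeans return a cursor that must be walked and closed.
cursor = atn.listMemberGroups(NEW_USER)
groups = []
while atn.haveCurrent(cursor):
    groups.append(atn.getCurrentName(cursor))
    atn.advance(cursor)
atn.close(cursor)
print NEW_USER + ' is a member of: ' + ', '.join(groups)

def deleteUser(name):
    # Mirrors the console's Delete button: there is no confirmation prompt, so the
    # existence check is the only safeguard. Not called here.
    if atn.userExists(name):
        atn.removeUser(name)

disconnect()
```

Because these calls bypass the console, they also bypass its audit trail of who clicked what; keep the script and its output with your change records, and never commit the passwords it reads from the environment.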

About Creating Groups In the External LDAP

For information regarding creating groups in the external LDAP, see the relevant Administrator's Guide for the particular external LDAP that you are using.

Configuring the Authentication Provider

When you use an external authentication provider, you must configure Network Integrity to use it.

To configure the authentication provider:

Note:

The use of Oracle Internet Directory and Oracle Identity Manager (OIM) requires a separate license from Network Integrity.

Please contact your Oracle representative for information on acquiring a license.

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Providers tab to display it.

    The Authentication tab is displayed by default. If not, select it to display it.

  5. Click Lock & Edit in the Change Center in the left pane, to activate all buttons in this tab.

  6. Click New.

    The Create a New Authentication Provider screen appears.

  7. In the Name field, enter a name for the authentication provider. This procedure uses NewAuthProvider.

  8. From the Type list, select OracleInternetDirectoryAuthenticator.

  9. Click OK.

    The Settings for YourRealm screen appears.

    The Authentication tab is displayed by default.

    You can see the newly created authentication provider, NewAuthProvider, in the Authentication Providers table.

  10. Click NewAuthProvider.

    The Settings for NewAuthProvider screen appears.

    In the Configuration tab, the Common tab is displayed by default.

    If the Common tab is not displayed, select it to display it.

  11. In the Control Flag list, select SUFFICIENT. With SUFFICIENT, a user that this provider authenticates is accepted without consulting the providers after it, and a user it rejects is passed on to the next provider. When more than one authentication provider is configured, also set the Control Flag of the DefaultAuthenticator to SUFFICIENT so that accounts in the embedded LDAP, including the WebLogic administrator, continue to authenticate.

  12. Click Save.

  13. Select the Provider Specific tab to display it.

  14. In the Connection section, do the following:

    1. In the Host field, enter the host name or IP address of the Oracle Internet Directory server.

    2. In the Port field, enter the relevant port number.

    3. In the Principal field, enter the value for the principal.

    4. In the Credentials field, enter the relevant credentials.

    5. In the Confirm Credentials field, enter the credentials again.

  15. In the Users section, do the following:

    1. In the User Base DN field, provide a value, like the one shown here:

      cn=Users,dc=idc,dc=oracle,dc=com
      
    2. In the All User Filter field, provide the relevant value.

    3. In the User From Name Filter field, provide the relevant value.

    4. In the User Search Scope field, provide the relevant value.

    5. In the User Name Attribute field, provide the relevant value.

    6. In the User Object Class field, provide the relevant value.

  16. In the Groups section, do the following:

    1. In the Group Base DN field, provide a value, like the one shown here:

      cn=Groups,dc=idc,dc=oracle,dc=com
      
    2. In the All Groups Filter field, provide the relevant value.

    3. In the Group From Name Filter field, provide the relevant value.

    4. In the Group Search Scope field, provide the relevant value.

    5. In the Group Membership Searching field, provide the relevant value.

    6. In the Max Group Membership Search Level field, provide the relevant value.

  17. Click Save.

  18. Restart the WebLogic server.

To re-order the authentication providers:

  1. Log in to the WebLogic Administration console.

  2. In the Home page, select Security Realms.

    The Summary of Security Realms screen appears.

  3. Select YourRealm.

    The Settings for YourRealm screen appears.

  4. Select the Providers tab to display it.

    The Authentication tab is displayed by default. If not, select it to display it.

  5. Click Reorder.

    The Reorder Authentication Providers screen appears.

  6. Use the Up and Down arrows to the right of the Authentication Providers table to reorder the providers.

  7. Click OK.
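The provider configuration and the reordering above can be done in one WLST edit session, which is easier to review and repeat than the console steps. The following script is an added example and is not code from this guide or from the Network Integrity product; the t3 URL, administrator name, the OID host, port and bind principal, the two environment variables holding passwords and the provider name NewAuthProvider are assumptions to replace with your own values. The two base DNs are the ones shown in the procedure above. The script creates the OracleInternetDirectoryAuthenticator, sets both providers to SUFFICIENT, and places the new provider first.

```jython
# Added example (WLST / Jython), not from the original guide.
import jarray
from java.lang import System
from weblogic.management.security.authentication import AuthenticationProviderMBean

# Assumed values: replace with those of your environment.
ADMIN_URL     = 't3://adminhost.example.com:7001'
ADMIN_USER    = 'weblogic'
PROVIDER      = 'NewAuthProvider'
OID_HOST      = 'oid.example.com'
OID_PORT      = 636                 # 636 with SSL; 389 sends bind credentials and user passwords in clear
OID_PRINCIPAL = 'cn=orcladmin'      # assumed bind DN; prefer a least-privileged, read-only account
USER_BASE_DN  = 'cn=Users,dc=idc,dc=oracle,dc=com'
GROUP_BASE_DN = 'cn=Groups,dc=idc,dc=oracle,dc=com'

connect(ADMIN_USER, System.getenv('WLS_ADMIN_PASSWORD'), ADMIN_URL)
edit()
startEdit()
realm = cmo.getSecurityConfiguration().getDefaultRealm()

# Create the provider once; re-running the script only updates it.
oid = realm.lookupAuthenticationProvider(PROVIDER)
if oid is None:
    oid = realm.createAuthenticationProvider(PROVIDER,
        'weblogic.security.providers.authentication.OracleInternetDirectoryAuthenticator')

# Common tab
oid.setControlFlag('SUFFICIENT')

# Provider Specific tab: Connection section
oid.setHost(OID_HOST)
oid.setPort(OID_PORT)
if OID_PORT == 636:
    # The OID server certificate must be present in the WebLogic Server trust store.
    oid.setSSLEnabled(true)
oid.setPrincipal(OID_PRINCIPAL)
oid.setCredential(System.getenv('OID_BIND_PASSWORD'))

# Provider Specific tab: Users and Groups sections. The filters, scopes, name attribute and
# object class keep the provider type's defaults here; use setAllUsersFilter,
# setUserFromNameFilter, setUserNameAttribute, setAllGroupsFilter and so on if your
# directory schema differs.
oid.setUserBaseDN(USER_BASE_DN)
oid.setGroupBaseDN(GROUP_BASE_DN)

# Oracle recommends SUFFICIENT on every authenticator when more than one is configured:
# a login succeeds as soon as one provider accepts it, and a rejecting provider hands
# control to the next, so embedded-LDAP accounts such as the administrator keep working.
default = realm.lookupAuthenticationProvider('DefaultAuthenticator')
default.setControlFlag('SUFFICIENT')

# Equivalent of the Reorder screen: OID is consulted first, the embedded LDAP second.
realm.setAuthenticationProviders(jarray.array([oid, default], AuthenticationProviderMBean))

save()
activate(block='true')
disconnect()
print 'Restart WebLogic Server for the new authentication provider to take effect.'
```

After the restart, verify the configuration by logging in to the Administration Console with the WebLogic administrator account (an embedded-LDAP account) and then to Network Integrity with a directory account; a failure of the first login shows that the DefaultAuthenticator has been left REQUIRED or has been removed from the provider list.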

Encrypting Properties

Processor properties that carry sensitive information, such as passwords, can be configured as Secret properties in a property group on a processor. The value of a Secret property is stored in encrypted form, so you must encrypt the value before you configure it. See Network Integrity Developer's Guide for more information about property groups and Secret properties.

Before running the encryption tool, create the property. See Network Integrity Developer's Guide for more information.

To encrypt a property:

  1. On the system where Network Integrity is installed, go to NI_Home/integrity.

    Where NI_Home is the directory where Network Integrity is installed.

  2. Run the property encryption tool by running the following command:

    ./runPropertyEncryptor.sh
    
  3. At the prompt, enter the name of the property.

  4. At the prompt, enter the property value.

  5. At the prompt, confirm the property value.

    The encrypted property value is displayed.

  6. Enter the encrypted value as the property value using the MBean interface at deployment time.