2 Performing a Secure Network Integrity Installation

This chapter presents planning information for your Oracle Communications Network Integrity system and describes recommended deployment topologies that enhance security.

For more information about installing Network Integrity, see Network Integrity Installation Guide.

Installing Network Integrity Securely

You can perform a custom installation or a typical installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, however, you can always remove or disable features you do not need after the installation is complete.

When installing Network Integrity, do the following:

  • When creating the WebLogic Server domain for Network Integrity:

    • Make sure that SSL ports are used on the Administration Server and on all Managed servers.

    • If installing Network Integrity on a cluster of servers, configure the cluster addresses to use SSL ports.

    • After you have created the WebLogic Server domain for Network Integrity, start the Administration Server. Then, use t3s to start the Managed servers:

      startManagedWebLogic.sh ManagedServer_1 t3s://host_name

      where ManagedServer_1 is the name of the first Managed server, and host_name is the host name of the Administration server.

  • Using the WebLogic Administration Console, configure the certificate identity and trust keystores used for SSL. Do not use the default demonstration certificate that comes with WebLogic Server. See the WebLogic administrator's documentation for more information.

  • During the installation of Network Integrity, on the Disable unsecured Listen Port screen of the Oracle Universal Installer, select the Disable all the non-SSL ports check box so that all communication between components, including JCA and JMS collection, uses SSL ports.

Secure File System Access

Consider the following when planning your Network Integrity installation:

  • Access to the files created during installation is restricted: only the installing user, who must have root or administrator access, can read them.

  • Data Source passwords are encrypted using the Oracle AES algorithm. The encrypted passwords are stored in WebLogic Server configuration files.

Configure the following directories with the following permission settings:

  • WL_Home and all its subdirectories: 750 permissions on directories; all files you create there should be set to 640.

  • Domain_Home and all its subdirectories: 750 permissions on directories; all files you create there should be set to 640.

  • NI_Home and all its subdirectories (a temporary directory used during installation): 750 permissions on directories; all files you create there should be set to 640.
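The following POSIX shell helper applies and audits the directory and file modes listed above for one home directory. It is an added example, not part of the Network Integrity installer; the function names and the use of GNU find are assumptions.

```shell
#!/bin/sh
# Added example: enforce the chapter's recommendation of 750 on directories
# and 640 on files under a WebLogic, domain or NI home. Hypothetical helper,
# not shipped with Network Integrity or WebLogic Server.

# apply_home_perms DIR : set 750 on every directory and 640 on every file.
apply_home_perms() {
  home=$1
  [ -d "$home" ] || { echo "apply_home_perms: no such directory: $home" >&2; return 2; }
  find "$home" -type d -exec chmod 750 {} +
  find "$home" -type f -exec chmod 640 {} +
}

# audit_home_perms DIR : list every path whose mode is not exactly the expected
# value (so a later chmod 644 or a stray setuid bit is reported).
# Returns 0 when the tree is clean, 1 when at least one deviation was found.
audit_home_perms() {
  home=$1
  [ -d "$home" ] || { echo "audit_home_perms: no such directory: $home" >&2; return 2; }
  # -perm MODE without a leading - or / is an exact match in POSIX find.
  violations=$( {
    find "$home" -type d ! -perm 750 -exec printf 'dir  %s\n' {} \;
    find "$home" -type f ! -perm 640 -exec printf 'file %s\n' {} \;
  } )
  if [ -n "$violations" ]; then
    printf '%s\n' "$violations"
    return 1
  fi
  return 0
}

# Stand-alone use: ./check_home_perms.sh apply|audit DIR
if [ $# -ge 2 ]; then
  case $1 in
    apply) apply_home_perms "$2" ;;
    audit) audit_home_perms "$2" ;;
    *) echo "usage: $0 apply|audit DIR" >&2; exit 2 ;;
  esac
fi
```

Files that administrators create later inherit the same modes automatically if the creating shell runs with umask 027, which yields 750 for new directories and 640 for new files.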

Set secure file system access permissions for the Oracle database and Oracle Internet Directory.

Note:

The Network Integrity Installer never writes or records its schema or base user account information to any file.

About Password Policies

Oracle recommends having strong password policies for Network Integrity and database schema users. Consider enforcing the following password policies:

  • Minimum length of password is eight characters.

  • Password must contain at least one digit, one capital letter, and one special character. For example: WebLogic@123.

  • The user name must not be part of the password.

At a minimum, passwords must be at least eight characters long and contain at least one non-alphabetic character.

Stricter rules can be set for the authentication provider using the WebLogic Administration console. For details on authentication providers and their configuration, refer to WebLogic administrator documentation.

See Network Integrity System Administrator's Guide for information about changing and setting Network Integrity passwords.

Securely Installing Cartridges

Oracle recommends installing Network Integrity cartridges over SSL. For details on installing or deploying the cartridges over SSL, see the Oracle Cartridge Deployer documentation.

For the File Transfer and Parsing cartridge, enable secure file transfer. See Network Integrity File Transfer and Parsing Cartridge Guide for more information.

Securely Integrating BI Publisher with Network Integrity

Oracle Business Intelligence Publisher (BI Publisher) is installed into a WebLogic Server domain. When installing BI Publisher, configure it to communicate with the Oracle Database over an SSL-enabled channel, and disable all unused ports, especially unsecured ports. See the BI Publisher documentation for more information.

Post-Installation Configuration

This section explains security configurations to complete after Network Integrity is installed.

Setting Up User Accounts to Lock and Expire

Create Network Integrity user accounts so that they lock after a set number of failed login attempts and expire after a set period of inactivity.

See Network Integrity System Administrator's Guide for information about changing and setting Network Integrity passwords.

Enabling SSL for Network Integrity Data Sources

When the Oracle Database communicates with Network Integrity through an SSL-enabled port, the following data source connections must also be configured to enable SSL communication:

  • CMWSPersistentDS

  • JobDispatcherDS

  • JobDispatcherPersistentDS

  • mds-commsNIRepository

  • NIDataSource

  • NIPersistentDS

  • NIPomsPersistentDS

For information about configuring data sources, see Oracle Database Security Guide.

Enabling SSL for LDAP Authentication Provider

For secure communication between WebLogic Server and an external LDAP server, enable SSL on both the external LDAP server and the corresponding WebLogic Security Provider. SSL on the WebLogic Security Provider is enabled from the WebLogic Administration Console.

For secure communication between WebLogic Server and Oracle Internet Directory, see Oracle Fusion Middleware Securing Oracle WebLogic Server.