This chapter describes security fundamentals for Oracle Communications Offline Mediation Controller.
Offline Mediation Controller security includes the following aspects:
Secure communication
User and password management
Secure centralized storage for user accounts and user-role information
Secure Sockets Layer (SSL) enables secure communication between applications: it provides authentication, data integrity, and encryption of the transmitted data.
By default, Administration Client communicates with Administration Server through SSL, and Administration Server communicates with Node Manager through SSL. During authentication, Administration Server identifies itself with a certificate. Data integrity is provided through an integrity check value.
In Offline Mediation Controller, one-way SSL is used to create secure connections before any data is shared between the components. One-way SSL authenticates only the server side of a connection; the client is not authenticated at the SSL layer, which is why users still log on to Administration Client with credentials. To use one-way SSL from a client to a server, configure an identity (certificate and private key) for the server and a trust store for the client. The client's trusted certificate authority (CA) certificates must include the CA certificate that issued the peer's identity certificate; this does not necessarily have to be the root CA certificate.
In the communication between Administration Client and Administration Server, Administration Server holds its own certificate, together with the corresponding private key, in a secure keystore. Administration Server distributes only the certificate (which contains the public key, never the private key) to its known Administration Clients. Each Administration Client adds the server's certificate to its trust store, which marks Administration Server as trusted.
In the communication between Administration Server and Node Manager, Node Manager acts as the server. Node Manager creates the key pair and stores it in a secure keystore, then shares its certificate (public key) with the known Administration Server. Administration Server adds Node Manager's certificate to its trust store.
To acquire a digital certificate for your server, generate a public key, a private key, and a Certificate Signing Request (CSR), which contains your public key. You send the CSR to a certificate authority and follow its procedures for obtaining a signed digital certificate.
After you have your private keys, digital certificates, and any additional trusted CA certificates that you may need, store the private keys and certificates in keystores.
See the discussion on creating certificates in Offline Mediation Controller Installation Guide.
By default, Offline Mediation Controller runs in SSL mode, but you can enable or disable SSL communication through a common configuration parameter.
Note:
If one of the Offline Mediation Controller components is running in SSL mode, the other components must also be in SSL mode.
To enable or disable SSL mode for Offline Mediation Controller:
Open the OMC_home/bin/UDCEnvironment script in a text editor, where OMC_home is the directory in which Offline Mediation Controller is installed.
Add or modify the following entry:
SSL_ENABLED = value
where value is:
TRUE to enable SSL mode.
FALSE to disable SSL mode.
Save and close the file.
Restart Offline Mediation Controller.
You can securely connect Administration Server to other Node Manager instances or node hosts to collect data from Node Manager instances.
To securely connect Administration Server to other Node Manager instances:
Log on to the system on which Administration Server is installed.
Securely copy Node Manager's nodeManager.cer file from the machine on which Node Manager is installed to a temporary directory.
Run the following command:
OMC_home/jre/bin/keytool -import -v -trustcacerts -alias alias_name -file File_path -keystore OMC_home/config/adminserver/adminServerTruststore.jks
where:
alias_name is the name of the new keystore entry. You must specify a different alias for each Node Manager.
File_path is the path to the temporary directory and nodeManager.cer file that you securely copied.
Administration Server's truststore password prompt appears.
Enter Administration Server's truststore password.
The Trust this certificate prompt appears, showing the certificate's owner, issuer, and fingerprints.
Compare the displayed fingerprint with the one obtained directly on the Node Manager host, then confirm that you trust the certificate. This prompt is the only check between the copied file and Administration Server's truststore.
The certificate is successfully imported into Administration Server's truststore.
Restart Administration Server and Administration Client.
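The fingerprint comparison in the procedure above can be scripted so that the copied nodeManager.cer is checked before keytool is ever run. The following is an added example, not part of Offline Mediation Controller: it reads the certificate in PEM or DER form, prints the SHA-256 fingerprint in the colon-separated form keytool uses, and compares it with a value obtained out of band on the Node Manager host. The sample bytes at the bottom are a constructed stand-in for a certificate, not a real one; the function names are this example's own.

```python
"""Fingerprint check for a copied nodeManager.cer before keytool -import.

Added example; it is not part of Offline Mediation Controller. keytool's
"Trust this certificate?" prompt is the only gate between a copied file and
Administration Server's truststore, so compare the file's fingerprint with
the value read on the Node Manager host (keytool -list -v prints it there)
before answering yes. Only the standard library is used.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def load_der(data: bytes) -> bytes:
    """Return the DER encoding of the first certificate in PEM or DER input."""
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] != b"\x30":          # an X.509 certificate is a DER SEQUENCE
        raise ValueError("input is neither a PEM block nor DER")
    return data


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """keytool-style fingerprint: upper-case hex octets joined by colons."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def matches(der: bytes, expected: str, algo: str = "sha256") -> bool:
    """Compare against an out-of-band value, ignoring case and separators."""
    wanted = re.sub(r"[^0-9A-F]", "", expected.upper())
    return hashlib.new(algo, der).hexdigest().upper() == wanted


def check_file(path: str, expected_sha256: str) -> bool:
    """True if the certificate file's SHA-256 fingerprint equals the expected one."""
    with open(path, "rb") as fh:
        return matches(load_der(fh.read()), expected_sha256)


# Constructed stand-in for nodeManager.cer: a syntactically minimal DER SEQUENCE,
# not a real certificate. Only its bytes matter for a fingerprint comparison.
SAMPLE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # usage: python check_cert.py nodeManager.cer <SHA-256 fingerprint from the Node Manager host>
    if len(sys.argv) == 3:
        ok = check_file(sys.argv[1], sys.argv[2])
        print("fingerprint matches" if ok else "MISMATCH: do not import")
        sys.exit(0 if ok else 1)
    print("sample SHA256:", fingerprint(SAMPLE_DER))
```

Run it with the copied file and the fingerprint you read on the Node Manager host; a non-zero exit means the file should not be imported. The comparison ignores case and separators so a value pasted from keytool or openssl output works unchanged.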
Session timeout depends on which components are connected. Only the session between Administration Client and Administration Server times out after a preconfigured idle period. The session between Administration Server and Node Manager never expires, because no user intervention is expected on that connection.
To set the session timeout:
Open the OMC_home/web/htdocs/AdminServerImpl.properties file in a text editor.
Add or modify the following entry:
com.nt.udc.admin.server.AdminServerImpl.timeoutVal value
where value specifies a timeout value in minutes. The default is 30.
Save and close the file.
Restart Administration Server and Administration Client.
Offline Mediation Controller provides the following user roles:
Administrator
Designer
Operator
Guest
Table 3-1 lists the Offline Mediation Controller functions and user access based on the role.
Table 3-1 Role-Based Access to Functions
Functions | Administrator | Designer | Operator | Guest |
---|---|---|---|---|
Change the node/node host configuration | Yes | Yes | No | No |
Start or stop any node | Yes | Yes | Yes | No |
Create or delete any node host, node chain, or individual node | Yes | Yes | No | No |
Add, change, and delete an SNMP host | Yes | Yes | No | No |
Add, change, and delete users | Yes | No | No | No |
Change own details | Yes | Yes | Yes | Yes |
View alarms and alarm levels for both Node Manager and individual nodes | Yes | Yes | Yes | Yes |
View the log details for messages, exceptions, etc. | Yes | Yes | Yes | Yes |
Export configurations | Yes | Yes | No | No |
Import configurations | Yes | Yes | No | No |
Import customizations | Yes | Yes | No | No |
Launch Record Editor | Yes | Yes | Yes | No |
Manage poll list | Yes | Yes | No | No |
Manage statistics reporting | Yes | Yes | No | No |
View Administration Server log | Yes | Yes | Yes | Yes |
Create, delete, or edit routing between the nodes | Yes | Yes | No | No |
Clear alarms | Yes | Yes | No | No |
Caution:
When you start Administration Server with the -x parameter, user authentication is disabled and you cannot perform user management operations in Administration Client.
You manage Offline Mediation Controller users by using Administration Client.
To create a new user:
Ensure that the Oracle Unified Directory server instance is running.
Go to the OMC_home/bin directory.
Run the following command:
./adminsvr
Note:
Do not start Administration Server using the -x parameter. The -x parameter disables authentication and you will not be able to perform user management operations in Administration Client.
Administration Server is started.
Run the following command:
./gui
Administration Client is started.
Log on to Administration Client as a user with administrator privileges.
Note:
You can create, modify, or delete users only as the administrator user.
The Node Hosts & Nodes (logical view) screen appears.
Do one of the following:
From the Administrative Function list, select User Administration.
Click the User Administration icon.
The User Administration screen appears.
Click New.
The Add New User dialog box appears.
Do the following:
In the Name field, enter the name for the user.
In the User ID field, enter the user ID.
From the Select Role list, select the user role.
In the Password field, enter the new password. See "About the Default Password Policy" for more information about the password policies.
In the Re-type Password field, enter the password again.
Click Save.
The new user is created.
To change the user details:
Ensure that the Oracle Unified Directory server instance is running.
Go to the OMC_home/bin directory.
Run the following command:
./adminsvr
Note:
Do not start Administration Server using the -x parameter. The -x parameter disables authentication and you will not be able to perform user management operations in Administration Client.
Administration Server is started.
Run the following command:
./gui
Administration Client is started.
Log on to Administration Client as a user with administrator privileges.
Note:
You can create, modify, or delete users only as the administrator user.
The Node Hosts & Nodes (logical view) screen appears.
Do one of the following:
From the Administrative Function list, select User Administration.
Click the User Administration icon.
The User Administration screen appears.
From the User List section, select a user, and click Change.
The Modify User dialog box appears.
Do any of the following:
To change the name of the user, in the Name field, enter the new name.
Note:
You cannot change the user ID of the user.
To change the role of the user, from the Select Role list, select the new user role.
To change the password of the user, select the Change Password check box.
In the Password field, enter the new password. See "About the Default Password Policy" for more information about the password policies.
In the Re-type Password field, enter the new password again.
Click Save.
The user details are changed.
To delete a user:
Ensure that the Oracle Unified Directory server instance is running.
Go to the OMC_home/bin directory.
Run the following command:
./adminsvr
Note:
Do not start Administration Server using the -x parameter. The -x parameter disables authentication and you will not be able to perform user management operations in Administration Client.
Administration Server is started.
Run the following command:
./gui
Administration Client is started.
Log on to Administration Client as a user with administrator privileges.
Note:
You can create, modify, or delete users only as the administrator user.
The Node Hosts & Nodes (logical view) screen appears.
Do one of the following:
From the Administrative Function list, select User Administration.
Click the User Administration icon.
The User Administration screen appears.
From the User List section, select a user, and click Delete.
The Delete User dialog box appears.
Click Yes.
The user is deleted.
Passwords are central to the security of the system. Every password, including the Administrator password, should be strong and must not be hard-coded anywhere.
By default, the password management policy is applied to all Offline Mediation Controller users. User authentication can be disabled by starting Administration Server with the -x parameter; this also disables user management in Administration Client and should not be done on a production system.
Offline Mediation Controller stores account passwords (for the administrator and general users) in Oracle Unified Directory, and the Offline Mediation Controller installer stores the passwords it creates there in the same way.
By default, passwords in Oracle Unified Directory are stored as salted SHA-256 hashes, not in a reversible encrypted form.
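To see what "salted SHA-256" means for an exported userPassword value, and to confirm that every account is actually stored that way, the following added example (not Offline Mediation Controller or Oracle Unified Directory code) models the {SSHA256} scheme. It assumes the layout used by OpenDS-derived directories such as Oracle Unified Directory, namely "{SSHA256}" followed by the base64 encoding of SHA-256(password || salt) concatenated with an 8-byte salt; confirm this against your instance before relying on it. The sample export and all function names are constructed for the example.

```python
"""Check how userPassword values are stored, offline.

Added example, not OMC or OUD code. Assumed layout: the SSHA256 scheme of
OpenDS-derived directories such as OUD,
    "{SSHA256}" + base64( SHA-256(password || salt) || salt )
with an 8-byte salt. Confirm against your instance before relying on it.
"""
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

PREFIX = "{SSHA256}"
SALT_LEN = 8
DIGEST_LEN = 32          # SHA-256 output length in bytes


def encode_ssha256(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a userPassword value; uses a fresh random salt unless one is supplied."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha256(password: str, stored: str) -> bool:
    """True if password matches a {SSHA256} value; False for any other scheme or bad input."""
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return False
    if len(raw) <= DIGEST_LEN:       # must carry a digest plus a non-empty salt
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def not_salted_sha256(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the uids whose exported userPassword is not in the {SSHA256} scheme."""
    return [uid for uid, value in entries if not value.startswith(PREFIX)]


# Constructed sample export of (uid, userPassword) pairs, as ldapsearch would show
# them after base64 decoding. Generated here; not taken from a real directory.
SAMPLE_EXPORT = [
    ("admin", encode_ssha256("Adm1n$Pass", salt=bytes(range(8)))),
    ("ops", encode_ssha256("Op3r@tor!")),
    ("legacy", "{CLEAR}Gu3st#pw"),
]

if __name__ == "__main__":
    for uid, value in SAMPLE_EXPORT:
        print(uid, value)
    print("not salted SHA-256:", not_salted_sha256(SAMPLE_EXPORT))
```

Feed not_salted_sha256 the uid and userPassword attributes from an ldapsearch export to find accounts created outside the default policy; verify_ssha256 lets you confirm a known password against its stored value without a live bind.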
When you create a user account in Offline Mediation Controller, it assigns a default password policy to that user account. The default password policy includes the following rules:
Passwords expire automatically after 90 days.
The last three passwords cannot be reused during a password change.
The password must comply with the following standards:
Contain at least six characters
Contain at least one lowercase letter
Contain at least one uppercase letter
Contain at least one special character (for example, $)
Contain at least one number
The user is locked out for 10 minutes after three consecutive failed login attempts.
The user must change the password after the first successful authentication after a password is set or reset by the administrator.
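The rules above can be modelled locally to pre-check a password before entering it in Administration Client and to see how the expiry, reuse, lockout and must-change rules interact. The following is an added example, not Offline Mediation Controller or Oracle Unified Directory code: the constants mirror the default policy listed above, while the Account class and the set_password and login functions are this example's own. It keeps plaintext passwords in memory only to make the history check visible; the directory itself stores hashes.

```python
"""Local model of the default Offline Mediation Controller password policy.

Added example, not OMC or OUD code. The rule values are the ones in the
default policy; the data structures and function names are this example's own.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 6
HISTORY_DEPTH = 3                      # last three passwords cannot be reused
MAX_AGE = timedelta(days=90)           # passwords expire after 90 days
LOCKOUT_AFTER = 3                      # consecutive failed logins
LOCKOUT_FOR = timedelta(minutes=10)

COMPLEXITY = [
    ("length", lambda p: len(p) >= MIN_LENGTH),
    ("lowercase", lambda p: re.search(r"[a-z]", p) is not None),
    ("uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
    ("special", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def complexity_failures(password: str) -> List[str]:
    """Names of the complexity rules the password violates; empty means compliant."""
    return [name for name, ok in COMPLEXITY if not ok(password)]


@dataclass
class Account:
    user_id: str
    history: List[str] = field(default_factory=list)   # oldest first (plaintext here only)
    password_set_at: Optional[datetime] = None
    must_change: bool = False
    failures: int = 0
    locked_until: Optional[datetime] = None


def set_password(acct: Account, new_pw: str, now: datetime, by_admin: bool = False) -> List[str]:
    """Apply the policy to a password change; returns the violations (empty on success)."""
    problems = complexity_failures(new_pw)
    if new_pw in acct.history[-HISTORY_DEPTH:]:
        problems.append("reuse")
    if problems:
        return problems
    acct.history.append(new_pw)
    acct.password_set_at = now
    acct.must_change = by_admin        # set or reset by the administrator: change at next login
    return []


def login(acct: Account, pw: str, now: datetime) -> str:
    """Outcome of an authentication attempt: ok, must_change, expired, denied or locked."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not acct.history or pw != acct.history[-1]:
        acct.failures += 1
        if acct.failures >= LOCKOUT_AFTER:
            acct.locked_until = now + LOCKOUT_FOR
            acct.failures = 0
            return "locked"
        return "denied"
    acct.failures = 0
    if acct.must_change:
        return "must_change"
    if now - acct.password_set_at > MAX_AGE:
        return "expired"
    return "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("ops")
    print(set_password(acct, "Adm1n$pw", t0, by_admin=True))   # [] : admin sets it
    print(login(acct, "Adm1n$pw", t0))                           # must_change
    print(set_password(acct, "short", t0))                       # complexity failures
    print(set_password(acct, "N3w$pass", t0), login(acct, "N3w$pass", t0))
```

Running the block walks one account through an administrator-set password, the forced change at first login, a rejected weak password, and a compliant change.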
The default password policy is assigned to user accounts during Offline Mediation Controller installation. You can modify the default password policies for the user accounts by modifying the parameters in the OMC_home/bin/createPasswordPolicy file.
To modify the default password policy:
Ensure that the Oracle Unified Directory server instance is running.
Open the OMC_home/bin/createPasswordPolicy file in a text editor.
Enter or modify the values in the parameters. See the Oracle Unified Directory documentation for information about the parameters and values in the createPasswordPolicy file.
Save and close the file.
Go to the OMC_home/bin directory.
Run the following command:
./createPasswordPolicy -p OUD_password
where OUD_password is the Oracle Unified Directory server instance administrator password. Because the password is passed on the command line, it can appear in the process list and in the shell history; clear the history entry after running the command.
Restart Administration Server and Administration Client.