3 Implementing Delegated Administrator Security

This section outlines the specific security mechanisms offered by Oracle Communications Delegated Administrator.

The Security Model

Security requirements arise from the need to protect data: first, from accidental loss and corruption, and second, from deliberate unauthorized attempts to access or alter that data. Secondary concerns include protecting against undue delays in accessing or using data, or even against interference to the point of denial of service. The global costs of such security breaches run up to billions of dollars annually, and the cost to individual companies can be severe, sometimes catastrophic.

The critical security features that provide these protections are:

  • Authentication

  • Access Control

Authentication is the way in which an entity (a user, an application, or a component) determines that another entity is who it claims to be. An entity uses security credentials to authenticate itself. The credentials might be a user name and password, a digital certificate, or something else. Usually, servers or applications require clients to authenticate themselves. Additionally, clients might require servers to authenticate themselves. When authentication is bidirectional, it is called mutual authentication.

Delegated Administrator supports LDAP authentication in that you are able to create administrative and end-user authentication. For more information on Directory Server security requirements, see the discussion about identifying security requirements in Directory Server Enterprise Edition Deployment Planning Guide.

Access Control, also known as authorization, is the means by which users are granted permission to access data or perform operations. After a user is authenticated, the user's level of authorization determines what operations the user can perform.

Configuring and Using Authentication

Delegated Administrator uses Oracle Directory Server for authentication. For more information, refer to the following Directory Server documentation:

  • Creating a Directory Server Password Policy in Directory Server Enterprise Edition Deployment Planning Guide. This guide includes information on setting up password lengths, setting up password complexity, and preventing brute forcing.

  • Setting Time Limits for Repeated Failed Logins in Directory Server Enterprise Edition Deployment Planning Guide.

To perform LDAP Authentication with Delegated Administrator, see:

  • Provisioning Calendar Server Users in Delegated Administrator System Administrator's Guide.

  • Provisioning Messaging Server Users in Delegated Administrator System Administrator's Guide.

  • Provisioning Instant Messaging Server Users in Delegated Administrator System Administrator's Guide.

  • Provisioning Contacts Server Users in Delegated Administrator System Administrator's Guide.

Configuring and Using Access Control

To configure access control in Delegated Administrator, see the following sections:

  • Administrator Roles and the Directory Hierarchy in Delegated Administrator System Administrator's Guide.

  • Configuring Administrator Access to Messaging Server in Messaging Server Administration Guide.

  • Setting Calendar Server Advanced Rights with Delegated Administrator in Delegated Administrator System Administrator's Guide.

  • Consolidating ACIs for Directory Server Performance in Delegated Administrator System Administrator's Guide.

For information on LDAP Access Control, see:

http://docs.oracle.com/cd/E20295_01/html/821-1220/bcalc.html#scrolltoc

Detecting Security Attacks or Insecure Use

Repeated login failures could be indicative of an external party trying to gain access to an account. For example, you see such activity in LDAP server logs. For more information, see Directory Server Logging in Directory Server Enterprise Edition Administration Guide.

In addition, you can use the following log files to look for similar security problems:

  • Delegated Administrator Console Log

  • Delegated Administrator Server Log

  • Web Container Server Logs

  • Directory Server and Access Manager Logs

For more information on Delegated Administrator log files, see Debugging Delegated Administrator in Delegated Administrator System Administrator's Guide.

Configuring GlassFish Server to Run Delegated Administrator in SSL Mode

If you have deployed the Delegated Administrator console to GlassFish Server, you can run the Delegated Administrator console in SSL mode, over a secure port.

To Enable the Delegated Administrator Console and Utility to Use SSL Access

  1. Edit the daconfig.properties file, located in the DelegatedAdmin_home/data/da/WEB-INF/classes/com/sun/comm/da/resources directory.

  2. Change the property values as follows:

    commadminserver.port=port
    commadminserver.usessl=true
    

    where port is the HTTPS port, for example 8181.

  3. Deploy the Delegated Administration Console web application to GlassFish by running the deploy script.

    For example:

    DelegatedAdmin_home/sbin/config-appsvr8x-da deploy
    

Configuring Application Server to Run Delegated Administrator in SSL Mode

If you have deployed the Delegated Administrator console to Application Server 8.x, you can run the Delegated Administrator console in SSL mode, over a secure port.

To Enable the Delegated Administrator Console and Utility to use SSL Access

  1. Edit the daconfig.properties file, located in the DelegatedAdmin_home/data/da/WEB-INF/classes/com/sun/comm/da/resources directory.

  2. Change the property values as follows:

    commadminserver.port=port
    commadminserver.usessl=true
    

    where port is the HTTPS port, for example 8181.

  3. Deploy the Delegated Administration Console web application to Application Server by running the deploy script.

    For example:

    DelegatedAdmin_home/sbin/config-appsvr8x-da deploy
    

Configuring Web Server to Run Delegated Administrator in SSL Mode

If you have deployed the Delegated Administrator console to Web Server 6 or Web Server 7.x, you can run the Delegated Administrator console in SSL mode, over a secure port.

If the Delegated Administrator server is deployed to Web Server 6 or Web Server 7.x, you can run the Delegated Administrator utility (commadmin) in SSL mode.

To Enable the Delegated Administrator Console and Utility to Use SSL Access

For Web Server 6, follow this procedure:

For Web Server 7.x, follow this procedure:

To Configure Web Server 6 to Enable Delegated Administrator to Run in SSL Mode

In this procedure, the certificate truststore is created in the Delegated Administrator configuration directory. For example: /var/DelegatedAdmin_home/config

  1. Request and install a certificate.

    In a production environment, you must request a certificate from a Certificate Authority (CA), which issues the certificate to you. Next, you install the certificate.

    In a test environment, you can create and install a self-signed certificate.

    For information about requesting and installing certificates for Web Server 6, see ”Using Certificates and Keys” in the Oracle iPlanet Web Server 6.1 SP6 Administrator's Guide.

    After you complete this step, you can run the Delegated Administrator utility in SSL mode.

  2. Export the specific certificate in ASCII encoding.

    For example:

    /opt/SUNWwbsvr/bin/https/admin/bin/certutil -L -n Server-Cert -d \
    -P https-host.domain-host-
    /opt/SUNWwbsvr/alias -a > /tmp/host.cert
    

    where

    • Server-Cert is the default name created by the Administration interface

    • host is the host name of the machine where Web Server 6 is running. For example: myhost.

    • domain-host is the host and domain name of the machine where Web Server 6 is running. For example: myhost.siroe.com.

  3. Use the Java keytool utility to import the certificate into a truststore.

    This step assumes that you are creating a new truststore in the Delegated Administrator configuration directory.

    Import the certificate.

    For example:

    cd /var/DelegatedAdmin_home/configkeytool -import -alias Server-Cert -file /tmp/host.cert-keystore truststore
    

    Enter a password when the keytool prompts you for one.

  4. Define the ssl.truststore property in the JVM Setting for the Web Server 6 instance configuration.

    For example

    -Djavax.net.ssl.trustStore=/var/DelegatedAdmin_home/config/truststoreDjavax.net.ssl.trustStorePassword=password
    

    where password is the password you entered at the keytool prompt.

  5. Modify the following property in the JVM Setting for the Web Server 6 instance configuration. Change:

    -Djava.protocol.handler.pkgs=com.iplanet.services.comm
    

    to the following value:

    -Djava.protocol.handler.pkgs=com.sun.identity.protocol
    
  6. Change the following properties in the daconfig.properties file:

    Open the daconfig.properties file in a text editor.

    The daconfig.properties file is located by default in the Delegated Administrator configuration directory:

    DelegatedAdmin_home/data/da/WEB-INF/classes/com/sun/comm/da/resources
    

    (In a later step, you will deploy the daconfig.properties file to the Web Server 6 configuration directory.)

    Change the property values as follows

    commadminserver.host=host.domaincommadminserver.port=portcommadminserver.usessl=true
    

    where host.domain is the host and domain name of the machine where Web Server 6 is running. For example: myhost.siroe.com.

    And where port is the SSL port. For example: 443.

  7. Deploy the Web Server 6 configuration and restart the instance:

    Run the Web Server 6 deploy script:

    DelegatedAdmin_home/sbin/config-wbsvr-da
    

    Restart the Web Server 6 instance.

To Configure Web Server 7.x to Enable Delegated Administrator to Run in SSL Mode

In this procedure, the certificate truststore is created in the Delegated Administrator configuration directory. For example: /var/DelegatedAdmin_home/config

  1. Request and install a certificate.

    In a production environment, you must request a certificate from a Certificate Authority (CA), which issues the certificate to you. Next, you install the certificate.

    In a test environment, you can create and install a self-signed certificate.

    For information about requesting and installing certificates for Web Server 7.x, see Managing Certificates in Sun Java System Web Server Administrator's Guide.

    After you complete this step, you can run the Delegated Administrator utility in SSL mode.

  2. Run the certutil command to list all certificates in the certificate database.

    For example:

    cd /var/DelegatedAdmin_home/config/usr/sfw/bin/certutil -L -d /var/opt/SUNWwbsvr7/https-host.domain/config
    

    where host.domain is the host and domain name of the machine where Web Server 7.x is running. For example: myhost.siroe.com

  3. Export the specific certificate in ASCII encoding.

    For example:

    /usr/sfw/bin/certutil -L -n cert-host.domain -d/var/opt/SUNWwbsvr7/https-host.domain/config-a > host.cert
    

    where host and host.domain are the host name or host and domain name of the machine where Web Server 7.x is running.

  4. Use the java keytool utility to import the certificate into a truststore.

    This step assumes that you are creating a new truststore in the Delegated Administrator configuration directory.

    Import the certificate.

    For example:

    keytool -import -alias cert-host.domain -file host.cert-keystore truststore
    

    Enter a password when the keytool prompts you for one.

  5. Define the ssl.truststore property in the JVM Setting for the Web Server 7.x instance configuration.

    For example:

    -Djavax.net.ssl.trustStore=/var/DelegatedAdmin_home/config/truststore -Djavax.net.ssl.trustStorePassword=password
    

    where password is the password you entered at the keytool prompt.

  6. Modify the following property in the JVM Setting for the Web Server 7.x instance configuration.

    Change

    -Djava.protocol.handler.pkgs=com.iplanet.services.comm
    

    to the following value:

    -Djava.protocol.handler.pkgs=com.sun.identity.protocol
    
  7. Change the following properties in the daconfig.properties file:

    Open the daconfig.properties file in a text editor.

    The daconfig.properties file is located by default in the Delegated Administrator configuration directory:

    DelegatedAdmin_home/data/da/WEB-INF/classes/com/sun/comm/da/resources
    

    (In a later step, you will deploy the daconfig.properties file to the Web Server 7.x configuration directory.)

    Change the property values as follows:

    commadminserver.port=portcommadminserver.usessl=true
    

    where port is the SSL port. For example: 443.

  8. Deploy the Web Server 7.x configuration and restart the instance:

    Run the Web Server 7.x deploy script:

    DelegatedAdmin_home/sbin/config-wbsvr7x-da
    

    Restart the Web Server 7.x instance.