3 Implementing Network Integrity Security

This chapter explains the security features of Oracle Communications Network Integrity.

Configuring and Using Authentication

Authentication is the mechanism by which users provide specific information as proof of having access to a system. Authentication answers the question "Who are you?" using credentials such as a user name and password.

In Oracle WebLogic Server, authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system when needed. During the authentication process, a principal validation provider provides additional security protection for the principals (users and groups) contained within the subject by signing and verifying the authenticity of those principals.

Network Integrity supports the following authentication providers:

  • WebLogic-embedded lightweight directory access protocol (LDAP)

  • External LDAP, such as Oracle Internet Directory

  • Relational database management system (RDBMS)

  • Security Assertion Markup Language (SAML)

Other security providers are supported through the WebLogic Server application server.

Oracle recommends Oracle Internet Directory as your authentication provider.

Network Integrity uses user name and password authentication. See Network Integrity System Administrator's Guide for more information.

Whether Network Integrity is configured to communicate with WebLogic Server over HTTP or HTTPS, login authentication is always sent over a secured HTTPS channel.

If you are using a web services interface, authentication details are supplied with each request using the User name token header. See Network Integrity Developer's Guide for more information.

Java Authentication and Authorization Service

WebLogic Server uses the Java Authentication and Authorization Service (JAAS) classes to authenticate to the client, whether the client is an application, applet, Enterprise JavaBean, or servlet that requires authentication.

JAAS implements a Java version of the Pluggable Authentication Module (PAM) framework, which permits applications to remain independent from underlying authentication technologies. Therefore, the PAM framework allows the use of new or updated authentication technologies without requiring modifications to the application.

About Callback Handlers

A callback handler is a flexible JAAS standard that allows a variable number of arguments to be passed as complex objects to a method.

There are three types of callback handlers: NameCallback, PasswordCallback, and TextInputCallback, all of which are part of the javax.security.auth.callback package. NameCallback and PasswordCallback return the user name and password, respectively. You can use TextInputCallback to access the data users enter into any additional fields on a login form (that is, fields other than those for obtaining the user name and password). When used, there should be one TextInputCallback per additional form field, and the prompt string of each TextInputCallback must match the field name in the form. WebLogic Server uses only the TextInputCallback for form-based web application login.

An application implements a callback handler and passes it to underlying security services so that they may interact with the application to retrieve specific authentication data, such as user names and passwords, or to display certain information, such as error and warning messages.

Callback handlers are implemented in an application-dependent fashion. For example, implementations for an application with a UI may pop up windows to prompt for requested information or to display error messages. An implementation may also choose to obtain requested information from an alternative source without asking the user.

Underlying security services request different types of information by passing individual callbacks to the callback handler. The callback handler implementation decides how to retrieve and display information depending on the callbacks passed to it.
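The following is an added example, not code from the Network Integrity product or the WebLogic Server documentation: a hypothetical JAAS CallbackHandler that answers NameCallback, PasswordCallback and TextInputCallback from values already captured from a login form, with one TextInputCallback per extra form field keyed by its prompt, as described above. The class name, the "domain" form field and the credential values are constructed for illustration.

```java
import java.io.IOException;
import java.util.*;
import javax.security.auth.callback.*;

/** Hypothetical handler that answers JAAS callbacks from values already captured from a login form. */
public class FormCallbackHandler implements CallbackHandler {
    private final String userName;
    private final char[] password;
    private final Map<String, String> extraFields; // form field name -> value the user entered
    public FormCallbackHandler(String userName, char[] password, Map<String, String> extraFields) {
        this.userName = userName;
        this.password = password;
        this.extraFields = extraFields;
    }
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(userName);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // the callback keeps its own copy
            } else if (cb instanceof TextInputCallback) {
                // One TextInputCallback per extra form field; its prompt must equal the field name.
                TextInputCallback tic = (TextInputCallback) cb;
                String value = extraFields.get(tic.getPrompt());
                if (value == null) {
                    throw new UnsupportedCallbackException(cb, "No form field named " + tic.getPrompt());
                }
                tic.setText(value);
            } else {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> fields = new HashMap<>();
        fields.put("domain", "ops");                      // constructed extra login-form field
        char[] pw = "example-only".toCharArray();         // constructed value
        CallbackHandler handler = new FormCallbackHandler("alice", pw, fields);
        NameCallback nc = new NameCallback("user name: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        TextInputCallback tc = new TextInputCallback("domain");
        handler.handle(new Callback[] { nc, pc, tc });
        System.out.println(nc.getName() + " / " + tc.getText() + " / " + pc.getPassword().length + " chars");
        pc.clearPassword();   // zero the callback's copy once the login module has consumed it
        Arrays.fill(pw, '\0'); // and the application's own copy
    }
}
```

A handler that does not recognise a callback must throw UnsupportedCallbackException rather than silently skip it, otherwise the login module proceeds with an unanswered prompt.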

Configuring and Using Access Control

Authorization is used to control access by:

  • Permitting only certain users to access a resource or action.

  • Applying varying limitations on user access or actions.

Network Integrity has a single user role: NetworkIntegrityRole. Every user must have this role to access and perform any action in Network Integrity.

The NetworkIntegrityRole role grants full access to the Network Integrity UI, allowing users to manage all scans, view results, and correct discrepancies.

Users without the NetworkIntegrityRole role are prevented from logging in and are shown the following message:

You do not have any permission.

Configuring and Using Security Audit

Network Integrity, Oracle database, and Oracle Internet Directory allow you to record logs of key user actions to the WebLogic Server logs. Audit logs can be viewed using the Enterprise Manager or with a text editor.

Auditing provides an electronic trail of computer activity. In the WebLogic Server security architecture, an auditing provider is used to provide auditing services.

When it is configured to do so, the WebLogic Security Framework calls through to an auditing provider before and after security operations (such as authentication or authorization) are performed, when changes to the domain configuration are made, or when management operations on any resources in the domain are run. The decision to audit a particular event is made by the auditing provider itself and can be based on specific audit criteria or severity levels. The records containing the audit information may be written to output repositories such as an LDAP server, a database, or a file.

See the WebLogic Server documentation and the Oracle Database documentation for information about enabling audit logs.

The following examples show sample audit logs.

Example 3-1 Sample Audit Log for Logging Onto Network Integrity

[2011-09-14T10:41:47.684+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bXnYZ17iJLMmCCye1ES8Co000016,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Login

Example 3-2 Sample Audit Log for Creating a Scan in Network Integrity

[2011-09-14T10:49:53.311+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZe5617iJLMmCCye1ES8Co00002U,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Create Scan 'UIM CISCO' starts
...
[2011-09-14T10:49:53.400+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '19' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZe5617iJLMmCCye1ES8Co00002U,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Create Scan 'UIM CISCO' ends

Example 3-3 Sample Audit Log for Running a Scan in Network Integrity

[2011-09-14T10:50:35.804+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZneR17iJLMmCCye1ES8Co00002a,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Scan for 'UIM CISCO'  with scanrun ID '627023' Starts
...
[2011-09-14T10:50:40.588+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '10' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bZpbz17iJLMmCCye1ES8Co00002e,0] [APP: NetworkIntegrity] NI-Action: Scan for 'UIM CISCO' with scanrun ID '627023' Completed

Example 3-4 Sample Audit Log for Logging Off of Network Integrity

[2011-09-14T10:41:37.970+00:00] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] [tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: user_ID] [ecid: 0000J9bXlAk17iJLMmCCye1ES8Co000012,0] [APP: NetworkIntegrity] User Name: user_name NI-Action: Logout
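The following is an added example, not code from the Network Integrity product: it parses audit lines in the format shown in Examples 3-1 through 3-4 (the logger name, userId, ecid and NI-Action fields) and reports scan runs that logged a Starts entry without a matching Completed entry, which is the kind of check an operator reviewing these logs would want. The sample lines, user ID and ecid values are constructed; the regular expression matches lazily up to the userId field because the tid field contains nested brackets.

```java
import java.util.*;
import java.util.regex.*;

/** Parses Network Integrity audit lines of the format shown above and flags scan runs with no Completed entry. */
public class AuditLogCheck {
    // The tid field nests brackets, so match lazily up to the userId field instead of splitting on "] [".
    private static final Pattern LINE = Pattern.compile(
        "^\\[([^\\]]+)\\] .*?\\[oracle\\.communications\\.integrity\\.auditlog\\] .*?"
      + "\\[userId: ([^\\]]+)\\] \\[ecid: ([^\\]]+)\\] \\[APP: NetworkIntegrity\\] "
      + "(?:User Name: (\\S+) )?NI-Action: (.*)$");
    private static final Pattern SCAN_RUN = Pattern.compile("scanrun ID '(\\d+)' (Starts|Completed)$");

    /** Returns scan-run ID -> "userId@timestamp" for runs that logged Starts but never Completed. */
    public static Map<String, String> unfinishedScanRuns(List<String> lines) {
        Map<String, String> open = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;                 // not an audit line (or a different logger)
            Matcher s = SCAN_RUN.matcher(m.group(5));
            if (!s.find()) continue;                    // e.g. Login, Logout, Create Scan
            if (s.group(2).equals("Starts")) open.put(s.group(1), m.group(2) + "@" + m.group(1));
            else open.remove(s.group(1));
        }
        return open;
    }

    // Constructed sample lines in the documented format (the user ID and ecid values are made up).
    private static final String TID = "[tid: [ACTIVE].ExecuteThread: '20' for queue: 'weblogic.kernel.Default (self-tuning)']";
    private static String line(String ts, String user, String ecid, String rest) {
        return "[" + ts + "] [AdminServer] [NOTIFICATION] [] [oracle.communications.integrity.auditlog] "
             + TID + " [userId: " + user + "] [ecid: " + ecid + ",0] [APP: NetworkIntegrity] " + rest;
    }

    public static void main(String[] args) {
        List<String> sample = Arrays.asList(
            line("2011-09-14T10:50:35.804+00:00", "opsuser", "ecid-1", "User Name: opsuser NI-Action: Scan for 'UIM CISCO'  with scanrun ID '627023' Starts"),
            line("2011-09-14T10:50:40.588+00:00", "opsuser", "ecid-2", "NI-Action: Scan for 'UIM CISCO' with scanrun ID '627023' Completed"),
            line("2011-09-14T10:52:01.000+00:00", "opsuser", "ecid-3", "User Name: opsuser NI-Action: Scan for 'UIM CISCO'  with scanrun ID '627099' Starts"),
            "2011-09-14T10:52:02.000+00:00 unrelated server line that must be ignored");
        System.out.println(unfinishedScanRuns(sample)); // {627099=opsuser@2011-09-14T10:52:01.000+00:00}
    }
}
```

The Completed line carries no User Name field, as in Example 3-3, so the parser treats that field as optional and relies on userId for attribution.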

Scan Parameter Security

All scan parameters are encrypted with the advanced encryption standard (AES) algorithm and are stored in the Oracle database.

Secure Access to Network Integrity Web Services

The web services API is standards-based, using JAX-WS over HTTPS. The Network Integrity web services API uses the same security access level as the Network Integrity UI, so any user who can log in to Network Integrity can also use the web services API. This access is granted through the NetworkIntegrityRole.

Managing Network Integrity Security

Network Integrity System Administrator's Guide contains information on the following security management topics:

  • Oracle Platform Security Services

  • Security Realms

  • Network Integrity User passwords

  • Managing Users

  • Encrypting Properties