To avoid potential security threats, customers operating DIVA Enterprise Connect must be concerned about authentication and authorization of the system.
These security threats can be minimized by proper configuration and by following the postinstallation checklist in Appendix A.
The critical security features that provide protections against security threats are:
Authentication - Ensures that only authorized individuals are granted access to the system and data.
Authorization - Access control to system privileges and data. This feature builds on authentication to ensure that individuals get only appropriate access.
Caution: DIVA Enterprise Connect uses passwords as part of the configuration. Passwords must be changed immediately after installation, and at least every 180 days thereafter. After the change has been made, you must store the passwords in a safe location, offline, where they can be made available to Oracle Support if needed.

The following sections describe authentication security features for WebLogic and DIVAnet.
DIVA Enterprise Connect can perform authentication in a few different ways:
API clients are authenticated by looking up credentials in a directory configured in WebLogic. Oracle recommends using the DIVA Enterprise Connect Key Generator to generate a client ID (user name) and API Key (password), and automatically store the user in the WebLogic directory. For more information on the Key Generator, see the Oracle DIVA Enterprise Connect 1.0 Installation, Configuration, and Operations Guide, Chapter 4: Administering the Platform in the Oracle DIVA Enterprise Connect 1.0 documentation library. Oracle WebLogic has many features for storing users and passwords, changing passwords, unlocking users, deleting accounts, and adding users to groups. For more information on using the standard WebLogic directory features, see https://docs.oracle.com/middleware/12212/wls/SECMG/ldap.htm#SECMG327.
WebLogic has features that allow it to validate certificates that are stored in its truststore, both inbound and outbound. DIVA Enterprise Connect generates a new self-signed SSL certificate upon installation. You can then add this certificate to the DIVAnet ManagerAdapter truststore so that DIVAnet can authenticate DIVA Enterprise Connect. An overview of this process is presented in the Oracle DIVA Enterprise Connect 1.0 Installation, Configuration, and Operations Guide in the Oracle DIVA Enterprise Connect 1.0 documentation library. For more information on configuring SSL, keystores, and truststores in WebLogic, refer to https://docs.oracle.com/middleware/12212/wls/SECMG/identity_trust.htm#SECMG365.
DIVA Enterprise Connect can connect to the DIVAnet ManagerAdapter. DIVAnet has security features that may be helpful in this scenario as follows:
DIVAnet consults a certificate truststore when DIVAnet creates an outbound connection to a remote DIVAnet service. This helps to ensure that DIVAnet is connecting to genuine DIVAnet services. You must connect through the ManagerAdapter using a ConnectionType identified as WebServices to create a secure connection from the DIVAnet ClientAdapter to a DIVArchive instance.
Access rules can filter inbound connections based on the inbound IP address, user name (Access Group), and other criteria. This feature is necessary to help ensure that only approved systems have appropriate access to DIVAnet services.
You can find more DIVAnet configuration details in the DIVAnet 2.2 Installation, Configuration, and Operations Guide, Chapter 4: Configuring DIVAnet Services in the Oracle DIVAnet 2.2 documentation library.
DIVA Enterprise Connect employs the following access controls:
DIVA Enterprise Connect indicates, on a per request basis, which access rules should be applied in the DIVAnet ManagerAdapter. This is accomplished using group assignment in WebLogic. For more information, see the DIVA Enterprise Connect 1.0 Installation, Configuration, and Operations Guide, Chapter 3: Configuring DIVA Enterprise Connect in the Oracle DIVA Enterprise Connect 1.0 documentation library.
You can define Access Rules in the DIVAnet ManagerAdapter for each group of API users after Access Groups are set up in WebLogic. For more information, see the DIVAnet 2.2 Installation, Configuration, and Operations Guide in the Oracle DIVAnet 2.2 documentation library.
WebLogic has too many security features to list in this guide. Instead, refer to the WebLogic documentation.
For a general overview of customizing WebLogic security, see https://docs.oracle.com/middleware/12212/wls/SECMG/realm.htm#SECMG127.
For information on how to configure policies in WebLogic, see https://docs.oracle.com/middleware/1221/wls/WLDFC/config_watches.htm#WLDFC194.