This chapter provides an overview of the DIVAdirector product, explains the general principles of application security, and includes the following information:
Oracle DIVAdirector is a tool for interacting with existing Oracle DIVArchive systems. The UI (User Interface) is delivered graphically through a web browser. DIVAdirector consists of the following major components:
The web module of DIVAdirector provides a web-based UI, enabling you to search for discovered objects in DIVArchive, administer user access rights, add metadata for assets, play proxies of objects, and perform operations such as Restore, Oracle Partial File Restore, and Delete on items added to Work Bins or Shot Lists. It also gives you the ability to browse files locally and to archive content to the DIVArchive system.
DIVAdirector uses PostgreSQL to store all DIVArchive asset information, metadata, proxy info, user information, operation history, and configuration settings.
The DIVAdirector Transcode Service is a separate service called by DIVAdirector to transcode high resolution clips to low resolution proxies, which are then shown within the DIVAdirector Web UI.
The DIVAdirector TaskManager Service is a Windows Service visible in the standard Services Control Manager dialog box. This application is responsible for executing potentially long running tasks in a background process.
This service exposes endpoints for common DIVAdirector functionality. Initially, only a subset of DIVAdirector's logic will be contained in this service. The endpoints exposed through this service will continue to grow as functionality is gradually migrated away from DIVAdirector Web.
The following sections describe the fundamental principles that are required to use any application securely.
Stay current with the DIVAdirector release that you run. You can find current releases of the software for download at the Oracle Software Delivery Cloud:
DIVAdirector uses the following TCP/IP ports:
tcp/8080 for the HTTP server
For DIVAdirector releases later than 5.4, three additional ports are needed as follows:
tcp/9444 for DIVA Enterprise Connect Service integration
tcp/9876 for DIVAtranscode Service integration
tcp/6543 for DIVAdirector API Service integration
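When writing firewall rules for these ports, it helps to know which of them are actually listening on the DIVAdirector host and on which addresses. The following PowerShell audit is an added example, not Oracle's or DIVAdirector's own tooling; the function name `Compare-DivaListener`, the `Binding` labels, and the sample listener rows are assumptions constructed for illustration.

```powershell
# Ports taken from the list above; the last three apply to releases later than 5.4.
$DocumentedPorts = @(
    [pscustomobject]@{ Port = 8080; Role = 'HTTP server' }
    [pscustomobject]@{ Port = 9444; Role = 'DIVA Enterprise Connect Service integration' }
    [pscustomobject]@{ Port = 9876; Role = 'DIVAtranscode Service integration' }
    [pscustomobject]@{ Port = 6543; Role = 'DIVAdirector API Service integration' }
)

function Compare-DivaListener {   # hypothetical helper name, not part of DIVAdirector
    param(
        # Objects exposing LocalAddress, LocalPort and OwningProcess,
        # the shape returned by Get-NetTCPConnection -State Listen.
        [Parameter(Mandatory)] [object[]] $Listener
    )
    foreach ($doc in $DocumentedPorts) {
        $hits = @($Listener | Where-Object { $_.LocalPort -eq $doc.Port })
        if ($hits.Count -eq 0) {
            # Normal for the three newer ports on 5.4 and earlier; otherwise the service is not running.
            [pscustomobject]@{ Port = $doc.Port; Role = $doc.Role; Binding = 'NotListening'; Address = $null; OwnerPid = $null }
            continue
        }
        foreach ($hit in $hits) {
            # A wildcard bind accepts connections on every interface, so only the
            # host or network firewall limits who can reach the port.
            if ($hit.LocalAddress -in '0.0.0.0', '::') { $binding = 'AllInterfaces' }
            elseif ($hit.LocalAddress -in '127.0.0.1', '::1') { $binding = 'LoopbackOnly' }
            else { $binding = 'SingleAddress' }
            [pscustomobject]@{ Port = $doc.Port; Role = $doc.Role; Binding = $binding; Address = $hit.LocalAddress; OwnerPid = $hit.OwningProcess }
        }
    }
}

# Constructed sample standing in for live data. On a real host use:
#   Compare-DivaListener -Listener (Get-NetTCPConnection -State Listen)
$sample = @(
    [pscustomobject]@{ LocalAddress = '0.0.0.0';   LocalPort = 8080; OwningProcess = 4 }
    [pscustomobject]@{ LocalAddress = '127.0.0.1'; LocalPort = 6543; OwningProcess = 2312 }
    [pscustomobject]@{ LocalAddress = '10.0.0.15'; LocalPort = 9876; OwningProcess = 3100 }
)
Compare-DivaListener -Listener $sample | Format-Table -AutoSize
```

Rows reported as `AllInterfaces` are the ones whose exposure depends entirely on firewall rules; `OwnerPid` lets you confirm that the listener belongs to the expected DIVAdirector component.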
Note:
The port numbers listed are current for this release.
admin user and use Principle of Least Privilege where Possible
DIVAdirector provides a default SystemAdmins group with an admin user, whose password will be reset on the first log in. Beyond that, the admin user follows the same password rules as all other users. The admin user can then create other users with different group permissions for access and operations.
All passwords automatically expire every 90 days. Users are prompted for new passwords after successfully logging in after this expiration occurs.
After a password change has been made, the passwords must be stored in a safe location (offline recommended) where they can be made available for Oracle Support if needed.
DIVAdirector uses individual user profiles whose permissions and access rights are based on the group they belong to. These groups have a range of permissions related to different functional areas of the application and specific custom metadata permissions. Similarly, the groups' LDAP and SMTP configuration is governed by their Organization, and metadata permissions are inherited from it. See the Oracle DIVAdirector Administrator's Guide for configuration details.
DIVAdirector uses a centralized logging framework for system events. Log files for individual components can be found in the \logs subdirectory for that component. For example, the TaskManager specific logs can be found in C:\Program Files (x86)\DIVAdirector 5\TaskManager\logs. The API logs are located in the C:\Program Files (x86)\DIVAdirector 5\Api\log folder.
You can also observe a live view of the entire system by configuring an appropriate log4net viewer and the component's log4net.config file.
You can access several sources of security information. See http://www.us-cert.gov for security information and alerts for a large variety of software products.
The primary way to keep up to date on security matters is to run the most current release of the DIVAdirector software.