3 Security Features

To avoid potential security threats, customers operating DIVArchive must be concerned about authentication and authorization of the system.

These security threats can be minimized by proper configuration and by following the post-installation checklist in Appendix A.

The Security Model

The critical security features that provide protections against security threats are:

  • Authentication - Ensures that only authorized individuals are granted access to the system and data.

  • Authorization - Access control to system privileges and data. This feature builds on authentication to ensure that individuals get only appropriate access.

  • Tape Group Encryption - Tape drive encryption securely supports bulk tape migration between DIVArchive systems.

  • SSL Authentication and Secure Communications - DIVArchive 7.6 introduces SSL (Secure Sockets Layer) Authentication for services, and to secure DIVArchive internal and API communications. Certificate authentication provides unique identification and secure communication for each DIVArchive Service in a network.

Authentication

The DIVArchive Control GUI provides three fixed user profiles (Administrator, Operator and User). The Administrator and Operator accounts require a password to obtain access. You must assign an Administrator and (or) Operator password in the Configuration Utility before using these profiles.

Both the Administrator and Operator account passwords must be changed every 180 days (or before). Passwords must be made available for Oracle Support if needed.

Access Control

Access control in DIVArchive is divided into three profiles. The Administrator and Operator accounts require a password to obtain access. You must assign an Administrator and (or) Operator account password in the Configuration Utility before using these profiles.

User - After the connection to the DIVArchive Manager is established, the Control GUI will only allow the user to monitor DIVArchive operations, and retrieve data from the database. This is known as the User Profile. Not all functions that issue commands to DIVArchive are accessible while in the User profile mode, enabling situations where monitoring is required but no commands are permitted to be sent to DIVArchive.

Administrator - To issue requests to DIVArchive, such as archive or restore requests, or to eject a tape from a library, you must change to the Administrator Profile. The Administrator Profile is password protected. The password for this profile must be assigned in the Configuration Utility before using the profile. For more information, refer to the Oracle DIVArchive 7.4 Customer Documentation Library at:

https://docs.oracle.com/en/storage/#csm

Operator and Advanced Operator - In addition to User Profile permissions, the operator profile provides access to the Object Transfer Utility and requires a password configured in the Configuration Utility before using the profile. Both Operator and Advanced Operator profiles in the Control GUI can now optionally enable privileges for canceling and changing the priority of requests. The options are defined in the Manager Configuration panel of the Configuration Utility. By default, this option is disabled.

Tape Group Encryption

Starting with the DIVArchive 7.6 release, tape drive encryption securely supports bulk tape migration between DIVArchive systems.

After enabling encryption on a tape group, all additional tapes added to the group will also be encrypted. However, any existing tapes in the group remain unencrypted if encryption was previously disabled.

Enabling encryption on a tape group generates an encryption key, which is also encrypted. You can change the encryption key at any time. New tapes added to the group after the change will use the new encryption key. The existing tapes that were already encrypted will continue to use the original key. Therefore, tapes in the same tape group can have different encryption keys. You must notify the Manager of the change when updating the encryption key.

Disabling encryption (after it is already enabled) only affects additional tapes added to the group, and the existing tapes remain encrypted.

See the Oracle DIVArchive Installation and Configuration Guide, and the Oracle DIVArchive Export/Import User's Guide in the Oracle DIVArchive Core documentation library for detailed configuration, and export and import information.

SSL (Secure Sockets Layer) and Authentication

DIVArchive 7.6 introduces SSL Certificate Authentication for authentication of services, and securing the internal and API communications in DIVArchive. Certificate authentication provides unique identification and secure communications for each DIVArchive service in a network.

DIVArchive 7.6 includes a Default Root CA (Certificate Authority) called DIVA_CA. The DIVA_CA Certificate Authority is a self-signed authority that signs all SSL certificates for the DIVArchive services. Every DIVArchive service now has its own password protected private key and an SSL certificate signed by the DIVA_CA authority.

Certificate authentication functions similarly to identification cards such as passports and driver's licenses. For example, passports and driver's licenses are issued by recognized government authorities. SSL (Secure Sockets Layer) certificates are signed by a recognized CA (Certificate Authority). An SSL certificate verifies the identity of its owner. When the SSL certificate is presented to others, it helps verify the identity of its owner based on the quality of the contents of the certificate.

You can also use an external third party CA (for example, VeriSign, Comodo, and so on) to generate and sign your certificates.

See the Oracle DIVArchive Installation and Configuration Guide in the Oracle DIVArchive Core documentation library for detailed configuration information.

External Certificate Authorities

You can use external third party CAs (for example, VeriSign, Comodo, and so on) with DIVArchive. A CSR (Certificate Signing Request) must be created for DIVA_CA and signed by the third party CA, and the third party CA's certificate must be added to the Trust Store to complete the certificate chain.

Security Tools

A new Security Tool is included in the DIVArchive 7.6 release as follows:

  • Windows: DivaSecurityTool.bat

  • Linux: DivaSecurityTool.sh

The tool is located in the %DIVA_HOME%/security/bin directory.

See the Oracle DIVArchive Installation and Configuration Guide in the Oracle DIVArchive Core documentation library for detailed information about using these tools.

DIVArchive API Changes

The DIVArchive APIs include changes to establish secure communication with the Oracle DIVArchive Manager. The DIVArchive Manager is backward compatible with earlier Java, C++ and Web Services APIs to establish connections over regular sockets. The DIVArchive 7.6 (and later) Java and C++ API releases can establish Manager communications using secure, or unsecure, sockets.

The Java API includes new parameters added to the SessionParameters class to facilitate secure connections to the Manager Service.

Exporting and importing encrypted tapes is also available using the Java API.

See the Oracle Java API Readme in the Oracle DIVArchive Additional Features documentation library for the location of the Java API documentation.

The C++ API DIVA_SSL_initialize call is added to set the environment for secure communication with the Manager service. See the Oracle DIVArchive C++ API Programmer's Guide in the Oracle DIVArchive Additional Features documentation library for detailed information.

The Java and C++ APIs initiators both use the default keys and certificates under the %DIVA_API_HOME%/lib/security subfolder when connecting to the Manager.

Oracle DIVA Enterprise Connect connects to the Manager Service through the unsecure tcp/9000 port. See the Oracle DIVA Enterprise Connect Installation, Configuration, and Operations Guide in the Oracle DIVA Enterprise Connect documentation library for detailed information.

The Manager Service is backward compatible with earlier releases of DIVAnet, Java API, C++ API, and Web Services API, and establishes the connection over regular sockets.

Dual Ports

The Manager can simultaneously support two communications ports - one secure, and one unsecure. The default secure port number is 8000 and the unsecure default port number is 9000.

All internal DIVArchive services can only connect to secure ports. The control GUI will report an SSL Handshake Timeout if you attempt to connect to the non-secure port.
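The following port probe is an added example, not Oracle code and not part of the DIVArchive tools. It reproduces the failure mode described above: an SSL client that is pointed at the unsecure port connects at the TCP level but never receives a ServerHello, and so reports a handshake timeout. The probe classifies a Manager port as secure (SSL), unsecure, or closed, which is a quick way to confirm that internal services and API clients are configured for the intended port. The default ports 8000 and 9000 are taken from the guide; the localhost listener started by start_fake_listener is a constructed stand-in for an unsecure port so the probe can be exercised offline, and the ca_pem parameter (the DIVA_CA certificate in PEM form) is an assumption about how a site would supply its trust anchor.

```python
"""Probe a Manager port to tell the secure (SSL) listener from the unsecure one.

Added example (not Oracle code).  Assumes the default ports from the guide
(8000 secure, 9000 unsecure); the fake listener below is a constructed stand-in
so the probe can be exercised offline.
"""
import socket
import ssl
import threading


def probe_port(host, port, timeout=2.0, ca_pem=None):
    """Attempt an SSL handshake against host:port and classify the result.

    Returns one of:
      "tls"               handshake completed and the certificate chains to a trusted CA
                          (pass the DIVA_CA certificate as ca_pem to trust it)
      "tls-untrusted"     the listener speaks TLS but its CA is not in this probe's store
      "handshake-timeout" TCP connected, but nothing answered the ClientHello within
                          `timeout` seconds: the symptom the Control GUI reports as
                          "SSL Handshake Timeout" when pointed at the unsecure port
      "not-tls"           the listener replied with something that is not a TLS record
      "closed"            nothing is listening on the port
    """
    context = ssl.create_default_context()
    context.check_hostname = False      # the probe checks the chain, not the host name
    if ca_pem:
        context.load_verify_locations(cadata=ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # wrap_socket performs the handshake immediately on a connected socket
            with context.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLCertVerificationError:   # subclass of SSLError: must come first
        return "tls-untrusted"
    except socket.timeout:
        return "handshake-timeout"
    except ssl.SSLError:
        return "not-tls"
    except ConnectionRefusedError:
        return "closed"


def start_fake_listener(reply=b""):
    """Start a localhost TCP listener that stands in for an unsecure Manager port.

    Constructed for the example: it accepts connections and, if `reply` is non-empty,
    sends it at once; otherwise it keeps the connection open without sending anything,
    like a plaintext protocol server waiting for the client to speak first.
    Returns (port, shutdown_callable).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.1)
    stop = threading.Event()
    held = []

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            held.append(conn)
            if reply:
                conn.sendall(reply)
        for conn in held:
            conn.close()
        listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()

    def shutdown():
        stop.set()
        thread.join()

    return listener.getsockname()[1], shutdown


def unused_port():
    """Reserve and release an ephemeral port so a probe of it finds nothing listening."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    port, stop = start_fake_listener()
    print("silent listener   ->", probe_port("127.0.0.1", port, timeout=0.5))
    stop()
    port, stop = start_fake_listener(reply=b"220 not a TLS listener\r\n")
    print("chatty listener   ->", probe_port("127.0.0.1", port))
    stop()
    print("nothing listening ->", probe_port("127.0.0.1", unused_port()))
```

Against a real installation, probe_port("manager-host", 8000, ca_pem=diva_ca_pem) should return "tls" and probe_port("manager-host", 9000) should return "handshake-timeout"; any other combination indicates the ports or the trust store are not configured as the guide describes. The timeout argument plays the same role as the handshake timeout in SSLSettings.conf.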

See the Oracle DIVArchive Installation and Configuration Guide in the Oracle DIVArchive Core documentation library for detailed information.

SSL (Secure Sockets Layer) and Authentication

DIVArchive consists of services written in Java and C++, and the two represent certificates and keys in different formats. DIVArchive keeps the keys and certificates for the Java services in a Java Keystore file, and in PEM (Privacy Enhanced Mail) format files for the C++ services.

All internal DIVArchive 7.6 services (Control GUI, Configuration Utility, DBBackup, Migration Utility, Actor, SPM, DFM, SNMP, Robot Manager, RDTU, and Migration Services) can only connect to secure ports. The control GUI will report an SSL Handshake Timeout if you attempt to connect to the non-secure port. Clients using the Java or C++ API are allowed to connect to either port.

The following is the relevant snippet from the Manager configuration file:

# Port number on which the DIVA Manager is waiting for incoming connections.
# Note: If you are using a Sony library and plan to execute the DIVA Manager
# on the same machine as the PetaSite Controller (PSC) software, be aware
# that the PSC server uses the 9000 port and that this cannot be modified.
# In that situation, you have to use a different port for the DIVA Manager.
# This same warning applies to FlipFactory which uses ports 9000 and 9001.
# The default value is 9000.
DIVAMANAGER_PORT=9000

# Secure port number on which the DIVA Manager is waiting for incoming connections.
# The default value is 8000.
DIVAMANAGER_SECURE_PORT=8000

A new folder called %DIVA_API_HOME%/security is added to the DIVArchive API installation structure as follows:

%DIVA_API_HOME%
    security
      conf

The conf folder contains the SSLSettings.conf file that is used to configure the SSL handshake timeout.

See the Oracle DIVArchive Java API documentation included with the API, and the Oracle C++ API Programmer's Guide in the Oracle DIVArchive Additional Features documentation library for detailed information.

Secure Communication with Oracle Database

With DIVA 7.6.1, a new DIVAOracle package version 3-1-0 was created:

  • Windows: OracleDivaDB_3-1-0_12_2_0_1_0_SE2_Windows_64-bit

  • Linux: OracleDivaDB_3-1-0_12_2_0_1_0_SE2_OEL7_x86_64

This new package includes the following:

  1. A secure Oracle Database listener on port 1522, in addition to the regular unsecured listener on port 1521.

  2. An Oracle Database wallet for storing the Trust Certificate and DIVADatabaseServer Certificates. During installation, DIVADatabaseServer.jks, holding the default DIVA_CA trust certificate and the default DIVADatabaseServer certificate, is imported into the Oracle Database wallet to enable the secure communication.

  3. A secure TNSNames entry, LIB5SSL, which lets any DIVA service connect to the Oracle database securely over SSL through the new secure Oracle database listener on port 1522 using TNSNames.

New Entry in TNSNames.ora:

LIB5SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = HOSTNAME)(PORT = 1522))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = LIB5.WORLD)
    )
  )

A new Configuration Parameter "DIVAMANAGER_DB_SECURE_CONNECT" was added to the Manager, Migrate, and DBBackup configuration files to enable secure communication to the database using Hostname/IPAddress and port. This parameter has no effect if the DIVAMANAGER_TNSNAME parameter is used in the configuration file.

Valid parameter values are:

  • TRUE - When set to TRUE, the DIVAMANAGER_DBPORT in the Manager, Migrate, and DBBackup configuration files must point to the secure port of the Oracle Database.

  • FALSE (default)

The Configuration Utility and Control GUI also support connecting securely to the database. SPMService can connect securely only using TNS names.
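The following check is an added example, not Oracle code and not one of the DIVArchive Security Tools. It reads the KEY=VALUE Manager configuration file shown earlier and a tnsnames.ora file, then applies the rules stated in this section: DIVAMANAGER_DB_SECURE_CONNECT=TRUE requires DIVAMANAGER_DBPORT to be the secure listener port (1522) and is ignored when DIVAMANAGER_TNSNAME is set; a TNS alias used for the database should be the TCPS entry on port 1522; and the secure and unsecure Manager ports must differ. The parameter names are those the guide uses. The sample configuration texts are constructed, and the tnsnames.ora sample contains the LIB5SSL entry from the guide (with HOSTNAME left as the placeholder) plus a hypothetical plain-TCP alias, LIB5, added so the check has a misconfiguration to detect.

```python
"""Post-installation check for DIVArchive database and Manager port settings.

Added example (not Oracle code): parses the KEY=VALUE Manager configuration file
and tnsnames.ora, then applies the consistency rules stated in the Security Guide.
"""
import re

SECURE_DB_PORT = "1522"    # secure Oracle listener added by package 3-1-0
UNSECURE_DB_PORT = "1521"  # regular unsecured listener


def parse_manager_conf(text):
    """Parse KEY=VALUE lines; '#' comment lines and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_tns_entries(text):
    """Return {alias: {PROTOCOL, HOST, PORT, SERVER, SERVICE_NAME, ...}} from tnsnames.ora.

    Only the flat (KEY = value) leaves are collected; nesting is not preserved, which
    is enough for single-address entries like the one the guide shows."""
    entries = {}
    pattern = re.compile(r"^\s*(\w+)\s*=\s*(\(DESCRIPTION.*?)(?=^\s*\w+\s*=|\Z)", re.S | re.M)
    for match in pattern.finditer(text):
        alias, body = match.group(1), match.group(2)
        leaves = re.findall(r"\((\w+)\s*=\s*([^()]+)\)", body)
        entries[alias] = {key: value.strip() for key, value in leaves}
    return entries


def check_secure_db(conf, tns):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    alias = conf.get("DIVAMANAGER_TNSNAME")
    secure_flag = conf.get("DIVAMANAGER_DB_SECURE_CONNECT", "FALSE").upper() == "TRUE"
    if alias:
        entry = tns.get(alias)
        if entry is None:
            findings.append(f"DIVAMANAGER_TNSNAME={alias} has no entry in tnsnames.ora")
        elif entry.get("PROTOCOL", "").upper() != "TCPS":
            findings.append(f"TNS alias {alias} uses PROTOCOL={entry.get('PROTOCOL')}; "
                            "database traffic is not SSL-protected")
        elif entry.get("PORT") != SECURE_DB_PORT:
            findings.append(f"TNS alias {alias} uses TCPS on port {entry.get('PORT')}, "
                            f"expected the secure listener on {SECURE_DB_PORT}")
        if "DIVAMANAGER_DB_SECURE_CONNECT" in conf:
            findings.append("DIVAMANAGER_DB_SECURE_CONNECT has no effect because "
                            "DIVAMANAGER_TNSNAME is set")
    else:
        port = conf.get("DIVAMANAGER_DBPORT")
        if secure_flag and port != SECURE_DB_PORT:
            findings.append(f"DIVAMANAGER_DB_SECURE_CONNECT=TRUE but DIVAMANAGER_DBPORT={port}; "
                            f"it must point to the secure listener ({SECURE_DB_PORT})")
        elif not secure_flag:
            findings.append("DIVAMANAGER_DB_SECURE_CONNECT is FALSE (default): "
                            "the database connection is unsecured")
    if "DIVAMANAGER_PORT" in conf and conf["DIVAMANAGER_PORT"] == conf.get("DIVAMANAGER_SECURE_PORT"):
        findings.append("DIVAMANAGER_PORT and DIVAMANAGER_SECURE_PORT must be different ports")
    return findings


# Constructed sample: Manager configuration that uses the secure TNS alias.
MANAGER_CONF_OK = """
# Port number on which the DIVA Manager is waiting for incoming connections.
DIVAMANAGER_PORT=9000
# Secure port number on which the DIVA Manager is waiting for incoming connections.
DIVAMANAGER_SECURE_PORT=8000
DIVAMANAGER_TNSNAME=LIB5SSL
"""

# Constructed sample: secure flag set, but the port still points at the unsecured listener.
MANAGER_CONF_BAD = """
DIVAMANAGER_PORT=9000
DIVAMANAGER_SECURE_PORT=8000
DIVAMANAGER_DB_SECURE_CONNECT=TRUE
DIVAMANAGER_DBPORT=1521
"""

# Constructed tnsnames.ora: the LIB5SSL entry from the guide plus a hypothetical TCP alias.
TNSNAMES = """
LIB5SSL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = HOSTNAME)(PORT = 1522))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = LIB5.WORLD)
    )
  )

LIB5 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = HOSTNAME)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = LIB5.WORLD)
    )
  )
"""

if __name__ == "__main__":
    tns = parse_tns_entries(TNSNAMES)
    for name, text in (("ok", MANAGER_CONF_OK), ("bad", MANAGER_CONF_BAD)):
        print(name, check_secure_db(parse_manager_conf(text), tns) or ["consistent"])
```

The same check can be run against the Migrate and DBBackup configuration files, since the guide gives them the same parameters; for SPMService only the TNS-alias branch applies, because it connects securely only through TNS names.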