This chapter describes security fundamentals for Oracle Communications Offline Mediation Controller.
Offline Mediation Controller security includes the following aspects:
Secure communication
User and password management
Secure centralized storage for users and user's role information
Secure Sockets Layer (SSL) provides authentication, data integrity, and encryption for the connections between Offline Mediation Controller components, so that data in transit cannot be read or altered without detection.
By default, Administration Client communicates with Administration Server through SSL, and Administration Server communicates with Node Manager through SSL. During the handshake, the server side of each connection authenticates itself by presenting its certificate; the data exchanged afterwards is protected by an integrity check value computed over each record.
Offline Mediation Controller uses one-way SSL: the client verifies the server's identity before any data is shared, but the server does not request a client certificate. To use one-way SSL from a client to a server, configure an identity (key pair and certificate) for the server and a trust store for the client. The client's trusted certificate authority (CA) certificates must include the CA certificate that issued the server's identity certificate. This need not be the root CA certificate; the issuing intermediate CA certificate is sufficient.
In the communication between Administration Client and Administration Server, Administration Server holds its own certificate and the matching private key in a secure keystore. Administration Server distributes the certificate, which contains only the public key, to all of its known Administration Clients. Each Administration Client adds the server's certificate to its trust store, which places Administration Server on that client's trusted list.
In the communication between Administration Server and Node Manager, Node Manager acts as the server. Node Manager creates the key pair and stores it in a secure keystore. Node Manager shares its certificate (public key) with the known Administration Server so that a secure connection can be established, and Administration Server adds Node Manager's certificate to its trust store.
To acquire a digital certificate for your server, generate a public key, a private key, and a Certificate Signing Request (CSR), which contains your public key. Send the CSR to a certificate authority and follow its procedures for obtaining a signed digital certificate.
After you have your private keys, digital certificates, and any additional trusted CA certificates that you may need, store the private keys and certificates in keystores.
See the discussion on creating certificates in Offline Mediation Controller Installation Guide.
By default, Offline Mediation Controller runs in SSL mode. SSL communication can be enabled or disabled with a single parameter in the common environment script.
Note:
If one of the Offline Mediation Controller components is running in SSL mode, the other components must also be in SSL mode.
To enable or disable SSL mode for Offline Mediation Controller:
Open the OMC_home/bin/UDCEnvironment script in a text editor, where OMC_home is the directory in which Offline Mediation Controller is installed.
Add or modify the following entry:
SSL_ENABLED = value
where value is:
TRUE to enable SSL mode.
FALSE to disable SSL mode.
Save and close the file.
Restart Offline Mediation Controller.
You can securely connect Administration Server to other Node Manager instances or node hosts to collect data from Node Manager instances.
To securely connect Administration Server to other Node Manager instances:
Log on to the system on which Administration Server is installed.
Securely copy Node Manager's nodeManager.cer file from the machine on which Node Manager is installed to a temporary directory.
Run the following command:
OMC_home/jre/bin/keytool -import -v -trustcacerts -alias alias_name -file File_path -keystore OMC_home/config/adminserver/adminServerTruststore.jks
where:
alias_name is the name of the new keystore entry. You must specify a different alias for each Node Manager.
File_path is the path to the temporary directory and nodeManager.cer file that you securely copied.
Administration Server's truststore password prompt appears.
Enter Administration Server's truststore password.
The Trust this certificate prompt appears.
Confirm to trust the certificate.
The certificate is successfully imported into Administration Server's truststore.
Restart Administration Server and Administration Client.
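The step "Confirm to trust the certificate" is where the one-way SSL trust described earlier is actually decided, so a practitioner should compare the file's fingerprint with one read on the Node Manager host (for example with keytool -printcert) before answering yes. The following script, an added example that is not part of Offline Mediation Controller, does that comparison and then runs the keytool command from the procedure above. It assumes OMC_home is /opt/OMC, an alias of nodemgr-host2, that the expected fingerprint arrived over a separate channel, and that keytool's -noprompt option may replace the interactive trust prompt once the fingerprint has been verified (keytool still asks for the truststore password on the terminal). The certificate used in demo() is a constructed 16-byte placeholder, not a real X.509 structure; the checks work on any DER or PEM file.

```python
"""Check a Node Manager certificate's fingerprint out of band, then run the
keytool import.  Added example; not code from Offline Mediation Controller.
Assumed: OMC_home=/opt/OMC, alias nodemgr-host2, expected fingerprint read on
the Node Manager host; the PEM in demo() is a constructed placeholder."""
import base64
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(raw: bytes) -> bytes:
    """Return DER bytes whether the .cer file is PEM or binary DER
    (keytool -export writes DER unless -rfc is given, so accept both)."""
    match = PEM_BLOCK.search(raw)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()))
    if not raw:
        raise ValueError("empty certificate file")
    return raw


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 digest, the form keytool prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare ignoring colons, spaces and case."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").upper()
    return hmac.compare_digest(norm(seen), norm(expected))


def keytool_import_cmd(omc_home: str, alias: str, cert_file: str) -> list:
    """The import command from the procedure; -noprompt is added because the
    trust decision has already been made on the fingerprint."""
    return [
        f"{omc_home}/jre/bin/keytool", "-import", "-v", "-trustcacerts",
        "-noprompt", "-alias", alias, "-file", cert_file,
        "-keystore", f"{omc_home}/config/adminserver/adminServerTruststore.jks",
    ]


def import_node_manager_cert(omc_home, alias, cert_file, expected_fp,
                             run=subprocess.run):
    """Import only if the file's fingerprint equals the one obtained out of
    band; return the fingerprint that was imported."""
    seen = sha256_fingerprint(certificate_der(Path(cert_file).read_bytes()))
    if not fingerprints_match(seen, expected_fp):
        raise RuntimeError(f"refusing to trust {cert_file}: fingerprint "
                           f"{seen} does not match expected {expected_fp}")
    run(keytool_import_cmd(omc_home, alias, cert_file), check=True)
    return seen


# Constructed placeholder: decodes to the bytes 0x00..0x0f, not a real cert.
PLACEHOLDER_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                   b"AAECAwQFBgcICQoLDA0ODw==\n"
                   b"-----END CERTIFICATE-----\n")


def demo(tamper: bool = False) -> dict:
    """Run the check on the placeholder with a stub standing in for keytool.
    tamper=True supplies a wrong expected fingerprint, as if the file had
    been altered in transit; the import must then be refused."""
    calls = []
    with tempfile.NamedTemporaryFile(suffix=".cer", delete=False) as tmp:
        tmp.write(PLACEHOLDER_PEM)
    expected = sha256_fingerprint(bytes(range(16)))  # value "read" on NM host
    if tamper:
        expected = ("FF" if expected[:2] != "FF" else "00") + expected[2:]
    try:
        fp = import_node_manager_cert("/opt/OMC", "nodemgr-host2", tmp.name,
                                      expected,
                                      run=lambda cmd, **kw: calls.append(cmd))
        return {"imported": True, "fingerprint": fp, "cmd": calls[0]}
    except RuntimeError as exc:
        return {"imported": False, "error": str(exc), "cmd": None}
    finally:
        Path(tmp.name).unlink()
```

Run demo() to see the accepted case and demo(tamper=True) to see the refusal; on a real host, call import_node_manager_cert with the default runner so keytool is executed. Because each Node Manager needs a distinct alias, reuse the function once per Node Manager with its own alias and fingerprint.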
Whether a session times out depends on which components the connection joins. Only the session between Administration Client and Administration Server times out after a preconfigured idle period, because a user is expected to be present at the client. The session between Administration Server and Node Manager never expires, because no user intervention is expected there.
To set the session timeout:
Open the OMC_home/web/htdocs/AdminServerImpl.properties file in a text editor.
Add or modify the following entry:
com.nt.udc.admin.server.AdminServerImpl.timeoutVal value
where value specifies a timeout value in minutes. The default is 30.
Save and close the file.
Restart Administration Server and Administration Client.
You can create, modify, and delete user login accounts through the Offline Mediation Controller administration client. The Offline Mediation Controller software authenticates all users prior to allowing them access to system configuration views.
When a login attempt fails, the system prompts again for the user name and password for authentication. The Administration Server logs all user authentication events.
Offline Mediation Controller provides the following user roles:
Administrator: Can create or delete login accounts and reset user names and passwords. The administrator can also create, modify, and delete all functional components of the system (administration servers, node managers, nodes, node chains, and so on).
Designer: Can perform all of the tasks that an Administrator can, except user-management tasks.
Operator: Can start and stop nodes, view logs and alarms, and edit NARs.
Guest: Can view logs and alarms.
All users can change their own passwords.
Table 2-1 lists the Offline Mediation Controller functions and user access based on the role.
Table 2-1 Role-Based Access to Functions
| Functions | Administrator | Designer | Operator | Guest |
|---|---|---|---|---|
| Change the node/node host configuration | Yes | Yes | No | No |
| Start or stop any node | Yes | Yes | Yes | No |
| Create or delete any node host, node chain, or individual node | Yes | Yes | No | No |
| Add, change, and delete an SNMP host | Yes | Yes | No | No |
| Add, change, and delete users | Yes | No | No | No |
| Change own details | Yes | Yes | Yes | Yes |
| View alarms and alarm level for both Node Manager and individual node | Yes | Yes | Yes | Yes |
| View the log details for messages, exceptions, etc. | Yes | Yes | Yes | Yes |
| Export configurations | Yes | Yes | No | No |
| Import configurations | Yes | Yes | No | No |
| Import customizations | Yes | Yes | No | No |
| Launch Record Editor | Yes | Yes | Yes | No |
| Manage poll list | Yes | Yes | No | No |
| Manage statistics reporting | Yes | Yes | No | No |
| View Administration Server log | Yes | Yes | Yes | Yes |
| Create, delete, or edit routing between the nodes | Yes | Yes | No | No |
| Clear alarms | Yes | Yes | No | No |
Caution:
When you start Administration Server with the -x parameter, user authentication is disabled and you cannot perform the user management operations in Administration Client.
You manage Offline Mediation Controller users by using Administration Client. Every user is authenticated before being allowed access to system configuration views, and Administration Server logs all user authentication events.
To log in to a newly installed or upgraded Offline Mediation Controller system for the first time, use the default user ID (Admin) and password (admin). Change this default password immediately, customize your own login profile, and then create user login profiles. Each profile requires a user name and a password.
Passwords are central to the security of the system. Choose strong passwords, and do not leave privileged accounts such as Administrator on a default or hard-coded password.
By default, the password management policy is applied to all users in Offline Mediation Controller. User authentication can be disabled altogether by starting Administration Server with the -x parameter; because Administration Client logins are then not checked, do not run a production system this way.
Offline Mediation Controller, including its installer, stores account passwords (for the administrator and general users) in Oracle Unified Directory in hashed form rather than as cleartext.
By default, the passwords in Oracle Unified Directory are stored as salted SHA-256 hashes.
When you create a user account in Offline Mediation Controller, it assigns the default password policy to that account. The default password policy includes the following rules:
Passwords expire automatically after 90 days.
The last three passwords cannot be reused during a password change.
The password must comply with the following standards:
Contain at least six characters
Contain at least one lowercase letter
Contain at least one uppercase letter
Contain at least one special character (for example, $)
Contain at least one number
The user is locked out for 10 minutes after three consecutive failed login attempts.
The user must change the password after the first successful authentication after a password is set or reset by the administrator.
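To make the interaction of these rules concrete (a reset by the administrator forcing a change at the next login, the lockout clearing after ten minutes, expiry after 90 days), here is an added example that walks one account through each rule. It is not Offline Mediation Controller or Oracle Unified Directory code: in the product, OUD evaluates these rules when a user binds or changes a password. The Account record, the clock values and the sample passwords in demo() are constructed, and the stored form, SHA-256(password || salt) with the salt kept beside the digest, is an assumed layout that is not claimed to match OUD's salted SHA-256 encoding byte for byte.

```python
"""Illustrative enforcement of the default password policy above.  Added
example; not Offline Mediation Controller or OUD code.  Assumed: the salted
hash layout, and all account data and timestamps in demo() are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import os
import string

MIN_LENGTH = 6
HISTORY_COUNT = 3                    # previous passwords that may not be reused
MAX_AGE = timedelta(days=90)
LOCKOUT_FAILURES = 3
LOCKOUT_DURATION = timedelta(minutes=10)
SPECIALS = set(string.punctuation)


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # (digest, salt), newest first
    password_set_at: datetime = None
    must_change: bool = False
    failures: int = 0
    locked_until: datetime = None


def complexity_errors(password: str) -> list:
    """Every rule the candidate violates; an empty list means acceptable."""
    rules = [
        (len(password) >= MIN_LENGTH, "at least six characters"),
        (any(c.islower() for c in password), "at least one lowercase letter"),
        (any(c.isupper() for c in password), "at least one uppercase letter"),
        (any(c in SPECIALS for c in password), "at least one special character"),
        (any(c.isdigit() for c in password), "at least one number"),
    ]
    return [msg for ok, msg in rules if not ok]


def digest(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def set_password(acct: Account, new: str, now: datetime, by_admin=False):
    """Apply complexity and history rules, then store a fresh salted digest.
    A password set or reset by the administrator must be changed at the
    user's next successful login."""
    errors = complexity_errors(new)
    if any(hmac.compare_digest(digest(new, s), d) for d, s in acct.history):
        errors.append("matches one of the last three passwords")
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    acct.history.insert(0, (digest(new, salt), salt))
    del acct.history[HISTORY_COUNT + 1:]      # current plus three previous
    acct.password_set_at = now
    acct.must_change = by_admin
    acct.failures = 0
    acct.locked_until = None


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'bad-password', 'expired', 'must-change' or 'ok'."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if not acct.history or not hmac.compare_digest(
            digest(password, acct.history[0][1]), acct.history[0][0]):
        acct.failures += 1
        if acct.failures >= LOCKOUT_FAILURES:     # third consecutive failure
            acct.locked_until = now + LOCKOUT_DURATION
            acct.failures = 0
        return "bad-password"
    acct.failures = 0                             # success breaks the streak
    if now - acct.password_set_at > MAX_AGE:
        return "expired"
    if acct.must_change:
        return "must-change"
    return "ok"


def demo() -> dict:
    """Walk one constructed account through each rule of the policy."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct, out = Account("operator1"), {}
    try:
        set_password(acct, "weakpass", t0, by_admin=True)
    except ValueError as exc:
        out["weak"] = str(exc)                    # no upper/special/digit
    set_password(acct, "Tr0ub4d0r!", t0, by_admin=True)
    out["first_login"] = authenticate(acct, "Tr0ub4d0r!", t0 + timedelta(minutes=1))
    try:
        set_password(acct, "Tr0ub4d0r!", t0 + timedelta(minutes=2))
    except ValueError as exc:
        out["reuse"] = str(exc)
    set_password(acct, "N3w-Secret", t0 + timedelta(minutes=2))
    t1 = t0 + timedelta(minutes=5)
    for _ in range(LOCKOUT_FAILURES):
        authenticate(acct, "wrong!", t1)
    out["after_three_failures"] = authenticate(acct, "N3w-Secret", t1)
    out["after_lockout"] = authenticate(acct, "N3w-Secret", t1 + LOCKOUT_DURATION)
    out["after_91_days"] = authenticate(acct, "N3w-Secret", t0 + timedelta(days=91))
    return out
```

Note that the lockout counter is reset both when the lock is applied and on a successful login, so three failures spread across separate sessions still lock the account only if nothing succeeds in between, which is what "consecutive" means in the policy.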
The default password policy is assigned to user accounts during Offline Mediation Controller installation. You can modify the default password policy by changing the parameters in the OMC_home/bin/createPasswordPolicy file.
To modify the default password policy:
Ensure that the Oracle Unified Directory server instance is running.
Open the OMC_home/bin/createPasswordPolicy file in a text editor.
Enter or modify the values in the parameters. See the Oracle Unified Directory documentation for information about the parameters and values in the createPasswordPolicy file.
Save and close the file.
Go to the OMC_home/bin directory.
Run the following command:
./createPasswordPolicy -p OUD_password
where OUD_password is the Oracle Unified Directory server instance administrator password.
Restart Administration Server and Administration Client.