3 Performing a Secure Pricing Design Center Installation

Learn about the recommended deployment configurations for your Oracle Communications Pricing Design Center (PDC) installation that enhance security.

Recommended Installation Mode

There are two types of installation modes: silent and secured.

The silent installation is not meant for production environments; use it only in test environments, for setting up quickly or for backing up the properties for later use in another test environment.

The secured installation is the only recommended option for production environments.

Operating System Security

PDC is supported on Linux (both Oracle Enterprise Linux and Red Hat Enterprise Linux) and Windows Client. For the supported versions, see "PDC Software Compatibility" in BRM Compatibility Matrix. See the following documents for more information about operating system security:

  • Guide to the Secure Configuration of Red Hat Enterprise Linux

  • Hardening Tips for the Red Hat Enterprise Linux

Preinstallation Tasks

Perform the following preinstallation tasks:

  • Enable SSL for the target WebLogic Server domain, configure the server KeyStore certificate, and then get the client KeyStore trusted certificate. This client KeyStore file should be used by the installer to make a secured connection during installation.

  • If SSL is enabled, ensure that the KeyStore file is created in a secure drive and access is strictly limited to the user account.

  • Configure Oracle Database advanced security encryption and integrity algorithms for a secure connection from the installer. This is required for the PDC installer to make a secured (encrypted) database connection over the network. For the advanced security configuration parameters, see the Oracle Database Advanced Security Administrator's Guide.

  • Verify that you have the latest supported version of Oracle JDK installed.

Installation Tasks

Perform the following installation tasks:

  • During PDC installation, select SSL mode and provide the client KeyStore certificate for connecting to a WebLogic server over SSL.

  • The following logs are generated after the PDC installation.

    Location: Oracle Inventory/logs/

    -rw-r-----  1 user1 eng  480058 Aug 15 09:25 installActions2018-08-15_08-06-57AM.log 
    -rw-r-----  1 user1 eng    2384 Aug 15 10:33 dbScripts2018-08-15_10-32-00AM.log
    -rw-r-----  1 user1 eng  124268 Aug 15 10:33 oraInstall2018-08-15_10-27-07AM.err

    The installActionsxxxxx.log and oraInstallxxxx.err files contain, in clear text, the details that were entered in the PDC installation wizard. Passwords entered in the installation wizard are not logged in any of the PDC installation log files. Delete these installation log files if you do not need them for future reference; if you do require them, protect them appropriately. These log files are created with file permission 640 (owner can read and write, group members can read, others have no access) by default.

Postinstallation Configuration

  • PDC user permissions depend on the group the user belongs to. The following three groups are created in the WebLogic server during PDC installation:

    • Pricing Design Admin

    • Pricing Reviewer

    • Pricing Analyst

    The users belonging to the Pricing Design Admin group have read and write access and can perform any kind of operation from the PDC user interface.

    The users belonging to the Pricing Analyst group have read and write access to all pricing components and read-only access to setup components.

    The users belonging to the Pricing Reviewer group have read-only access to the pricing and setup components.

    By default, no user is authorized to access PDC. The WebLogic Server administrator must create an account for each intended user by creating the user in the WebLogic Server Administration Console and adding the user to one of the above groups according to the user's role.

  • Do not use your browser's remember password feature for the WebLogic Server Administrator Console URL. Always enter the WebLogic server user name and password manually in the login page, as a precaution.

Managing Cookies

Oracle recommends deploying PDC only on SSL, which encrypts sensitive data, thus eliminating problems like session stealing.

Using Secure Cookies

A common Web security problem is session stealing. This happens when an attacker manages to get a copy of your session cookie, generally while the cookie is being transmitted over the network. This can only happen when the data is being sent in clear-text; that is, the cookie is not encrypted.

WebLogic Server allows a user to securely access HTTPS resources in a session that was initiated using HTTP, without loss of session data.

To use secure cookies:

  1. Open the config.xml file.

  2. Add AuthCookieEnabled="true" to the WebServer element.

    <WebServer Name="myserver" AuthCookieEnabled="true"/>

You can also set this entry using the WebLogic Server Administration Console:

  1. Log in to the Oracle WebLogic Server Administration Console.

    The Home page appears.

  2. In the Domain Configurations section, under Domain, click Domain.

    The Settings for Domain_Name page appears.

  3. Click the Web Applications tab.

  4. Verify that the Auth Cookie Enabled check box is selected.

  5. Click Save.

By default, the Auth Cookie Enabled check box is selected, but it is not present in the config.xml file. If you deselect it, the <AuthCookieEnabled> element is added to the config.xml file.

Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating via an HTTPS connection. After the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.
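The setting above can be verified from the file rather than the console. The following script is an added example, not part of this guide or of WebLogic; it reads a config.xml and reports whether AuthCookieEnabled is effectively on, treating an absent setting as enabled (the default described above). It is assumed that the setting appears either as the AuthCookieEnabled attribute shown above or as an element of that name; element and attribute names are matched ignoring case, namespaces and hyphens so that a hyphenated spelling in a later domain config.xml is also caught.

```python
"""Check whether a WebLogic config.xml leaves secure auth cookies enabled."""
import sys
import xml.etree.ElementTree as ET

SETTING = "authcookieenabled"


def _norm(name: str) -> str:
    """Drop any XML namespace, then compare case-insensitively and without hyphens."""
    return name.rsplit("}", 1)[-1].replace("-", "").lower()


def auth_cookie_enabled(config_xml: str) -> bool:
    """Return True if AuthCookieEnabled is effectively on.

    A missing setting counts as enabled (the WebLogic default described in the
    guide). Both the attribute form (WebServer AuthCookieEnabled="...") and an
    element form are read; an explicit "false" in either form disables it.
    """
    root = ET.fromstring(config_xml)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if _norm(attr) == SETTING:
                return value.strip().lower() == "true"
        if _norm(elem.tag) == SETTING:
            return (elem.text or "").strip().lower() == "true"
    return True


# Constructed sample documents (not taken from a real domain).
ATTR_FORM_ON = '<Domain><WebServer Name="myserver" AuthCookieEnabled="true"/></Domain>'
ATTR_FORM_OFF = '<Domain><WebServer Name="myserver" AuthCookieEnabled="false"/></Domain>'
ELEMENT_FORM_OFF = "<Domain><AuthCookieEnabled>false</AuthCookieEnabled></Domain>"
NO_SETTING = '<Domain><WebServer Name="myserver"/></Domain>'


def main(path: str) -> int:
    """Exit 1 if the file disables secure cookies, so the check can gate a deployment."""
    with open(path, encoding="utf-8") as fh:
        enabled = auth_cookie_enabled(fh.read())
    print(f"{path}: AuthCookieEnabled is {'on' if enabled else 'OFF'}")
    return 0 if enabled else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it as `python check_authcookie.py DOMAIN_HOME/config/config.xml` after any change to the Web Applications settings.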

Oracle recommends keeping cookies settings enabled in the browser. Disabling cookies in the browser disables several features, such as Help.

Configuring the Session Timeout

The default session timeout in PDC is 10 minutes. Your WebLogic Server administrator can change this value after deployment by doing the following:

  1. Log in to WebLogic Server Administration Console.

  2. In the Domain Structure section, click Deployments.

  3. Click on the application PricingDesignCenter deployed as type Enterprise Application.

    The deployment settings for PricingDesignCenter appear.

  4. Click the Configuration tab.

  5. Set Session Timeout (in seconds) to the new timeout value, in seconds.

  6. Click the Overview tab.

  7. In the Modules and Components table, click PricingDesignCenter.

  8. Click the Configuration tab.

  9. Set Session Timeout (in seconds) to the same timeout value, in seconds, set in step 5.

  10. Click Save.

    If no deployment plan exists, WebLogic Server creates one with the above changes and prompts you to save the deployment plan. Provide the name and path for the deployment plan and click OK.

  11. In the Domain Structure section, click Deployments.

  12. Select the application PricingDesignCenter deployed as Enterprise Application.

    The Update button is enabled.

  13. Click Update.

  14. Select Update this application in place with new deployment plan changes.

  15. Set Deployment plan path to the deployment plan created in step 10. Use the Change Path button to browse to the file.

  16. Click Next.

  17. Click Finish.

  18. Restart WebLogic Server.

  19. Verify your changes by doing the following:

    1. Log in to WebLogic Server Administration Console.

    2. In the Domain Structure section, click Deployments.

    3. Click on the application PricingDesignCenter deployed as type Enterprise Application.

      The deployment settings for PricingDesignCenter appear.

    4. Click the Configuration tab.

    5. Verify that Session Timeout (in seconds) is set to the value you have provided.

For more information about deployment plans, including an example of using one while updating session timeout, see "Configuring Applications for Production Deployment" in Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.

Managing File Permissions

  • The following are the default permissions set for the installed files:

    • rw------- 600 (for all non executable files)

    • rwx------ 700 (for all executable files)

    Permissions are set to the lowest possible level, and the WebLogic Server administrator can add or revoke permissions. Oracle recommends keeping the permissions as restrictive as your business needs allow.

  • The WebLogic Server configuration file, config.xml (which holds the JMS, JDBC, and other configuration), in the domain's configuration directory should be protected with proper permissions.

  • Output files generated by the export utility should be stored in a protected directory because they may contain sensitive pricing information.
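The defaults above (600 for non-executable files, 700 for executables) and the 640 default for the installer logs described under "Installation Tasks" can be audited with the following script. It is an added example, not part of this guide or of the PDC installer; it classifies installer logs by the file-name prefixes shown in the log listings and other files by their owner-execute bit (an assumption), and reports every permission bit beyond the baseline for that class. The sample paths are constructed for the demonstration; the script name example-script.sh is made up.

```python
"""Report files whose modes exceed the PDC defaults quoted in this guide."""
import os
import stat
import sys

# Most permissive mode allowed per file class (from the guide):
# installer logs 640, installed executables 700, other installed files 600.
BASELINE = {"log": 0o640, "exec": 0o700, "data": 0o600}
LOG_PREFIXES = ("installActions", "oraInstall", "dbScripts")

def classify(path: str, mode: int) -> str:
    """Installer logs are recognised by name; other files by the owner-execute bit."""
    if os.path.basename(path).startswith(LOG_PREFIXES):
        return "log"
    return "exec" if mode & stat.S_IXUSR else "data"

def excess_bits(mode: int, file_class: str) -> int:
    """Permission bits in `mode` that the baseline for `file_class` does not allow."""
    return stat.S_IMODE(mode) & ~BASELINE[file_class] & 0o777

def audit(paths_and_modes):
    """Return (path, mode, excess) for each (path, st_mode) pair over its baseline."""
    findings = []
    for path, mode in paths_and_modes:
        extra = excess_bits(mode, classify(path, mode))
        if extra:
            findings.append((path, stat.S_IMODE(mode), extra))
    return findings

def walk_modes(root: str):
    """Yield (path, st_mode) for regular files under root, not following symlinks."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode):
                yield os.path.join(dirpath, name), st.st_mode

# Constructed sample: two paths from the guide plus one made-up script name.
SAMPLE = [
    ("Oracle Inventory/logs/installActions2018-08-15_08-06-57AM.log", 0o100640),
    ("Oracle Inventory/logs/oraInstall2018-08-15_10-27-07AM.err", 0o100644),
    ("PDC_home/oui/data.properties", 0o100600),
    ("PDC_home/example-script.sh", 0o100755),
]

if __name__ == "__main__":
    source = walk_modes(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for path, mode, extra in audit(source):
        print(f"{path}: mode {mode:o} exceeds baseline by {extra:o}")
```

With a directory argument it walks that tree; without one it audits the constructed sample and flags the 644 log and the 755 script.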

Uninstalling Pricing Design Center

The following files remain in the system after uninstalling PDC:

  • Install logs:

    Location: Oracle Inventory/logs/

    -rw-r-----  1 user1 eng  480058 Aug 15 09:25 installActions2018-08-15_08-06-57AM.log 
    -rw-r-----  1 user1 eng       0 Aug 15 10:27 oraInstall2018-08-15_10-27-07AM.out
    -rw-r-----  1 user1 eng    2384 Aug 15 10:33 dbScripts2018-08-15_10-32-00AM.log
    -rw-r-----  1 user1 eng  124268 Aug 15 10:33 oraInstall2018-08-15_10-27-07AM.err

  • PDC_home/oui/data.properties: This file is used to auto-populate the data during re-installs.

Delete these files manually if you do not need them, or protect them appropriately if they are required for future reference.

These files are created with file permission 640 (owner can read and write, group members can read, others have no access) by default.

About Changing Passwords in the Wallets

PDC stores the passwords for the WebLogic Server domain, PDC user, cross-reference database, and Oracle Communications Billing and Revenue Management (BRM) database in PDC and BRM Integration Pack wallets.

To change the password in the wallets, you must encrypt the new password manually and update the entry in the appropriate wallet. See "Changing Passwords in the Wallet" in BRM System Administrator's Guide for more information.

Implementing Pricing Design Center Security

This section describes how to implement the security capabilities in PDC by using Oracle Identity Management (IDM).

PDC uses IDM for authenticating and authorizing PDC users. Each instance of PDC requires an appropriately configured instance of IDM to enable these functions.

For information about installing PDC, see PDC Installation Guide.

Note:

If you have configured IDM, you must authorize PDC users by using IDM only.

About Authentication

Within IDM, Oracle Identity Manager (OIM) provides a mechanism for managing user password policies. You must configure OIM to authenticate and authorize PDC users. See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

About Authorization

Authorization refers to granting appropriate privileges to users and denying access to other functionality based on their job functions. The users with the following roles can access PDC by using IDM:

  • Pricing Design Admin: Can import and export all pricing and setup components in PDC.

  • Pricing Analyst: Can import only pricing components. However, the user with this role can export pricing and setup components.

  • Pricing Reviewer: Can only export all pricing and setup components.

  • Migration Admin: Can migrate pricing data from the BRM database to the PDC database.

  • JDGroup: Can manually trigger the job dispatcher to put transformation jobs in the work item queue.

Configuring Authentication and Authorization by Using OIM

OIM enables enterprises to manage the entire user life cycle across all enterprise resources within and beyond a firewall.

To configure OIM to authenticate and authorize users in PDC:

  1. Configure OAM in WebLogic Server. See "Configuring OAM in WebLogic Server".

  2. Add users and assign roles in OIM. See "Adding Users and Assigning Roles in OIM".

Configuring OAM in WebLogic Server

To configure Oracle Access Manager (OAM) in WebLogic server:

  1. Log in to the Oracle WebLogic Server Administration Console.

    The Home page appears.

  2. On the left panel, under the Change Center, click Lock and Edit.

  3. On the left panel, under the Domain Structure, click the Security Realms link.

    The Summary of Security Realms page appears.

  4. Under Name, click myrealm.

    The Settings for myrealm page appears.

  5. Click Providers and, under Authentication Providers, click New.

    The Create a New Authentication Provider page appears.

  6. Enter the name as OAM Identity Asserter.

  7. Select the type as OAMIdentityAsserter.

  8. Click OK.

    The Settings page appears.

  9. Repeat steps 3 and 4 to navigate to the Settings for myrealm page.

  10. Click the OAMIdentityAsserter link.

  11. In the Control Flag row, select REQUIRED.

  12. Click Save.

    The Settings updated successfully message appears.

  13. Click New.

    The Create a New Authentication Provider page appears.

  14. In the Name field, enter OUD Authenticator.

  15. In the Type field, enter IPlanetAuthenticator.

  16. Click OK.

    The Settings for OUD Authenticator page appears.

  17. In the Control Flag row, select SUFFICIENT.

  18. Click Provider Specific and provide Oracle Unified Directory (OUD) connection details.

  19. Click Save.

  20. Click Reorder.

    The Reorder Authentication Providers page appears.

    Reorder the authentication provider names in the following order:

    • OAMIdentityAsserter

    • OUD Authenticator

    • DefaultAuthenticator

    • DefaultIdentityAsserter

  21. Click OK.

  22. Click the default authenticator, change the Control Flag of DefaultAuthenticator to SUFFICIENT, and click Save.

  23. In the Change Center, click Activate Changes.

  24. Restart the WebLogic server.

Adding Users and Assigning Roles in OIM

To add users and assign roles in OIM to access PDC:

  1. Log in to Oracle Identity Self Service.

    The Oracle Identity Self Service home page appears.

  2. Create new users (if required) by performing the following steps:

    1. Click Manage.

    2. Click Users.

      The Users page appears.

    3. Click + Create.

      The Create Users page appears.

    4. Enter the required information.

      For more information on creating users, see the discussion about creating and managing users in the Oracle Identity Manager Administrative and User Console Guide.

  3. Select a user.

  4. Click + Request Roles.

  5. In the Search field, enter the name of the role and click Search.

    See "About Authorization" for the supported roles.

    The search results appear.

  6. Select a role from the list under Categories.

  7. Click + Add to Cart.

  8. Click Next and click Submit.

    Now, the users can access PDC.

Verifying OIM Configuration in WebLogic Server

To verify the OIM configuration in the WebLogic server:

  1. Log in to the Oracle WebLogic Server Administration Console.

    The Home page appears.

  2. On the left panel, under the Domain Structure, click the Security Realms link.

    The Summary of Security Realms page appears.

  3. Under Name, click myrealm.

    The Settings for myrealm page appears.

  4. Click the Users and Groups tab.

    The list of users created in OIM appears.