3 Performing a Secure Pricing Design Center Installation
Learn about the recommended deployment configurations for your Oracle Communications Pricing Design Center (PDC) installation that enhance security.
Recommended Installation Mode
There are two types of installation modes: silent and secured.
Silent installation is not meant for production environments and should be used only in test environments for quick setup or for backing up properties for use in another test environment.
Secured installation is the only recommended option for production environments.
Operating System Security
PDC is supported on Linux (both Oracle Enterprise Linux and Red Hat Enterprise Linux) and Windows. For the supported versions, see "PDC Software Compatibility" in BRM Compatibility Matrix. See the following documents for more information about operating system security:
- Guide to the Secure Configuration of Red Hat Enterprise Linux
- Hardening Tips for the Red Hat Enterprise Linux
Preinstallation Tasks
Perform the following preinstallation tasks:
- Enable SSL for the target WebLogic Server domain, configure the server KeyStore certificate, and then obtain the client KeyStore trusted certificate. This client KeyStore file is supplied to the installer so that it can establish a secure connection during installation.
- If SSL is enabled, ensure that the KeyStore file is created on a secure drive and that access to it is strictly limited to the installing user account.
- Configure Oracle Database advanced security encryption and integrity algorithms so that the PDC installer can establish a secure (encrypted) database connection over the network. For the advanced security configuration parameters, see the Oracle Database Advanced Security Administrator's Guide.
- Verify that you have the latest supported version of Oracle JDK installed.
Installation Tasks
Perform the following installation tasks:
- During PDC installation, select SSL mode and provide the client KeyStore certificate for connecting to the WebLogic Server over SSL.
- The following logs are generated after the PDC installation:
  Location: Oracle Inventory/logs/
  -rw-r----- 1 user1 eng 480058 Aug 15 09:25 installActions2018-08-15_08-06-57AM.log
  -rw-r----- 1 user1 eng   2384 Aug 15 10:33 dbScripts2018-08-15_10-32-00AM.log
  -rw-r----- 1 user1 eng 124268 Aug 15 10:33 oraInstall2018-08-15_10-27-07AM.err
  The installActionsxxxxx.log and oraInstallxxxx.err files contain, in clear text, the details that were entered in the PDC installation wizard. Passwords entered in the wizard are not written to any of the PDC installation log files. Delete these installation log files if they are not needed for future reference; if they are required, protect them appropriately. By default, these log files are created with file permission 640 (owner can read and write, group can read, others have no permission).
Postinstallation Configuration
- PDC user permissions depend on the group the user belongs to. The following three groups are created in the WebLogic server during PDC installation:
  - Pricing Design Admin
  - Pricing Reviewer
  - Pricing Analyst
  Users belonging to the Pricing Design Admin group have read and write access and can perform any kind of operation using the PDC User Interface.
  Users belonging to the Pricing Analyst group have read and write access to all pricing components and read-only access to setup components.
  Users belonging to the Pricing Reviewer group have read-only access to the pricing and setup components.
  By default, none of the users is authorized to access PDC. The WebLogic server administrator must create an account for each intended user by creating the user in the Oracle WebLogic Remote Console and adding the user to one of the above groups depending on the user role.
- Do not use your browser's remember password feature for the WebLogic Remote Console URL. Always enter the WebLogic server user name and password manually on the login page as a precaution.
Using Secure Cookies
Note:
Oracle recommends deploying PDC only on SSL, which encrypts sensitive data, thus eliminating problems like session stealing.
A common web security issue is session stealing, which occurs when an attacker obtains a copy of your session cookie, usually while it is being transmitted over the network. This can only happen when the data is being sent in clear-text; that is, the cookie is not encrypted.
WebLogic Server allows users to securely access HTTPS resources in a session that was initiated using HTTP, without loss of session data.
To use secure cookies:
- Enable cookie authentication in WebLogic Server. See "Enabling Authentication Cookies".
- Update your PDC deployment plan to use secure cookies. See "Updating Your PDC Deployment Plan".
Enabling Authentication Cookies
You can enable cookie authentication in two different ways: by editing the config.xml file or using the WebLogic Remote Console.
To enable cookie authentication through the config.xml file:
- Open the config.xml file.
- Add AuthCookieEnabled="true" to the WebServer element:
  <WebServer Name="myserver" AuthCookieEnabled="true"/>
To enable cookie authentication using the WebLogic Remote Console:
- Log in to the WebLogic Remote Console.
- Click Edit Tree, then Environment, and then Domain.
- Click the Web Application tab.
- Verify that Auth Cookie Enabled is turned on.
- Click Save.
By default, Auth Cookie Enabled is turned on, but it is not present in the config.xml file. If you turn it off, the <AuthCookieEnabled> element is added to the config.xml file.
Setting AuthCookieEnabled to true, which is the default setting, causes the WebLogic Server instance to send a new secure cookie, _WL_AUTHCOOKIE_JSESSIONID, to the browser when authenticating through an HTTPS connection. After the secure cookie is set, the session is allowed to access other security-constrained HTTPS resources only if the cookie is sent from the browser.
Oracle recommends keeping cookie settings enabled in the browser. Disabling cookies in the browser also disables several features, such as Help.
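The configuration above is only effective if the cookies the server actually issues carry the expected attributes. The following added example (written for this page; it is not Oracle's code) parses the Set-Cookie headers captured from a login response, for instance from browser developer tools or a proxy, and reports any session cookie that lacks the Secure flag, uses an unexpected Path, or, for JSESSIONID, is not marked SameSite=strict. The sample headers are constructed with placeholder cookie values; the expected path /pdc comes from this page, and requiring SameSite only on JSESSIONID is an assumption of the example.

```python
"""Audit WebLogic session cookies in captured HTTP response headers.

Added example for this page, not Oracle's code. Expected values follow the
secure-cookie configuration described above; cookie values are placeholders.
"""

# Constructed sample: headers a hardened PDC login over HTTPS should produce.
HARDENED = [
    "Set-Cookie: JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/pdc; SameSite=strict; Secure",
    "Set-Cookie: _WL_AUTHCOOKIE_JSESSIONID=PLACEHOLDER_AUTH_VALUE; Path=/pdc; Secure",
]

# Constructed sample: the same login before the deployment plan was updated
# (no Secure flag, default path, no SameSite, no authentication cookie).
BEFORE_HARDENING = [
    "Set-Cookie: JSESSIONID=PLACEHOLDER_SESSION_ID; Path=/",
]

SESSION_COOKIES = ("JSESSIONID", "_WL_AUTHCOOKIE_JSESSIONID")


def parse_set_cookie(value):
    """Return (cookie_name, attributes) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes such as Secure map to
    True, valued attributes such as Path and SameSite map to their value.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_session_cookies(headers, expected_path="/pdc"):
    """Return a list of findings for the WebLogic session cookies in `headers`.

    An empty list means both session cookies were issued with the attributes
    this page's configuration is meant to produce.
    """
    findings = []
    seen = set()
    for line in headers:
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name not in SESSION_COOKIES:
            continue
        seen.add(name)
        if attrs.get("secure") is not True:
            findings.append(f"{name}: missing Secure flag (cookie would be sent over plain HTTP)")
        if attrs.get("path") != expected_path:
            findings.append(f"{name}: Path is {attrs.get('path')!r}, expected {expected_path!r}")
        # Assumption of this example: SameSite is checked on the session id only.
        if name == "JSESSIONID" and str(attrs.get("samesite", "")).lower() != "strict":
            findings.append("JSESSIONID: SameSite is not 'strict'")
    for required in SESSION_COOKIES:
        if required not in seen:
            findings.append(f"{required}: not issued (login over HTTPS with AuthCookieEnabled?)")
    return findings


if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("before hardening", BEFORE_HARDENING)):
        print(f"{label}: {audit_session_cookies(headers) or 'OK'}")
```

Run it against the headers of a real login response after redeploying; a clean result on the hardened sample and four findings on the pre-hardening sample show what the check distinguishes.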
Updating Your PDC Deployment Plan
To update your PDC deployment plan to use secure cookies:
- Open the PDC_home/setup/plan.xml file in a text editor.
- Add the following configuration under the <module-override> tag:
  <module-override>
    <module-name>BPA.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>secure-cookie</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>url-rewriting-enabled-enable</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
        <operation>add</operation>
      </variable-assignment>
      <variable-assignment>
        <name>pdc-application-path</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
        <operation>add</operation>
      </variable-assignment>
    </module-descriptor>
  </module-override>
- Add the following configuration under the <variable-definition> tag:
  <variable>
    <name>secure-cookie</name>
    <value>true</value>
  </variable>
  <variable>
    <name>pdc-application-path</name>
    <value>/pdc;SameSite=strict</value>
  </variable>
  <variable>
    <name>url-rewriting-enabled-enable</name>
    <value>false</value>
  </variable>
  <variable>
    <name>pdc-samesite</name>
    <value>strict</value>
  </variable>
- Save and close the file.
- Redeploy the PDC application with your new plan.xml file.
For more information about updating and deploying your deployment plan, see the "Create and Use a Deployment Plan in Oracle WebLogic Server" tutorial.
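Because a deployment plan binds variables to XPath targets in two separate places, a typo in either half silently leaves the cookie settings at their defaults. The following added example (not Oracle's code or part of the PDC distribution) reads a plan.xml, resolves each session-descriptor assignment to its variable value, and reports anything that does not match the hardened settings described above. The embedded plan is a constructed sample in the shape of the snippets on this page; the namespace URI is the standard WebLogic deployment-plan namespace, and the checks are tolerant of a plan with or without it.

```python
"""Verify the secure-cookie settings in a WebLogic deployment plan.

Added example for this page, not Oracle's code. Element names follow the
plan.xml snippets above; the sample plan is constructed, not a real PDC file.
"""
import xml.etree.ElementTree as ET

SAMPLE_PLAN = """<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <application-name>PricingDesignCenter</application-name>
  <variable-definition>
    <variable><name>secure-cookie</name><value>true</value></variable>
    <variable><name>pdc-application-path</name><value>/pdc;SameSite=strict</value></variable>
    <variable><name>url-rewriting-enabled-enable</name><value>false</value></variable>
  </variable-definition>
  <module-override>
    <module-name>BPA.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>secure-cookie</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>url-rewriting-enabled-enable</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
        <operation>add</operation>
      </variable-assignment>
      <variable-assignment>
        <name>pdc-application-path</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-path</xpath>
        <operation>add</operation>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""

SESSION_XPATH = "/weblogic-web-app/session-descriptor/"


def _local(tag):
    """Strip an XML namespace prefix so checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_plan(xml_text):
    """Return (variables, assignments): variable name -> value, and
    xpath -> name of the variable bound to that descriptor element."""
    root = ET.fromstring(xml_text)
    variables, assignments = {}, {}
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "variable":
            variables[_child_text(elem, "name")] = _child_text(elem, "value")
        elif tag == "variable-assignment":
            assignments[_child_text(elem, "xpath")] = _child_text(elem, "name")
    return variables, assignments


def check_secure_cookies(xml_text):
    """Return a list of findings; an empty list means the plan sets
    cookie-secure=true, url-rewriting-enabled=false and a /…;SameSite=strict path."""
    variables, assignments = parse_plan(xml_text)
    findings = []

    def bound_value(setting):
        # Follow the assignment to its variable; report a broken link instead of a value.
        var = assignments.get(SESSION_XPATH + setting)
        if var is None:
            findings.append(f"{setting}: no variable-assignment in the plan")
            return None
        if var not in variables:
            findings.append(f"{setting}: bound to undefined variable '{var}'")
            return None
        return variables[var]

    secure = bound_value("cookie-secure")
    if secure is not None and secure.lower() != "true":
        findings.append(f"cookie-secure is '{secure}', expected 'true'")
    rewriting = bound_value("url-rewriting-enabled")
    if rewriting is not None and rewriting.lower() != "false":
        findings.append(f"url-rewriting-enabled is '{rewriting}', expected 'false'")
    path = bound_value("cookie-path")
    if path is not None:
        if not path.startswith("/"):
            findings.append(f"cookie-path '{path}' is not an absolute path")
        if "samesite=strict" not in path.lower():
            findings.append(f"cookie-path '{path}' does not append SameSite=strict")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    print("\n".join(check_secure_cookies(text)) or "OK: plan enforces secure cookies")
```

Run it as `python check_plan.py PDC_home/setup/plan.xml` before redeploying; a non-empty report means the redeployed application would still issue cookies with the default attributes.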
Configuring the Session Timeout
The default session timeout in PDC is 10 minutes. Your WebLogic Server administrator can change this value after deployment by doing the following:
- Log in to WebLogic Remote Console.
- Click Monitoring Tree, then Deployments, and then Application Management.
  A page with a list of installed Java EE applications and standalone application modules appears.
- In the table, click PricingDesignCenter.
  Information about PricingDesignCenter appears.
- Click Configuration in the tree in the left pane.
- Click Session Descriptor in the tree in the left pane.
- In the Session Timeout (in seconds) field, enter a new timeout value in seconds.
- Click Save.
- If you do not already have a deployment plan, or if the deployment plan is unavailable, WebLogic Server creates one with these changes and prompts you to save it. Provide a name and path for the new deployment plan and click OK.
- Click Application Management in the tree in the left pane.
- In the table, select the PricingDesignCenter application.
- Click Update/Redeploy.
- Select Update - Deployment Plan on Server and set the Plan Path field to the deployment plan.
- Click Done.
- Restart WebLogic Server.
- Verify your changes by doing the following:
  - Log in to WebLogic Remote Console.
  - Click Monitoring Tree, then Deployments, and then Application Management.
    A page with a list of installed Java EE applications and standalone application modules appears.
  - In the table, select PricingDesignCenter.
    The PricingDesignCenter information page appears.
  - Click Configuration in the tree in the left pane.
  - Click Session Descriptor in the tree in the left pane.
  - Verify that Session Timeout (in seconds) is set to the value you specified.
For more information about deployment plans, including an example of using one while updating session timeout, see "Configuring Applications for Production Deployment" in Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Managing File Permissions
- Following are the default permissions set for the installed files:
  - rw------- 600 (for all non-executable files)
  - rwx------ 700 (for all executable files)
  Permissions are set to the lowest possible level, and the WebLogic Server administrator can add or revoke permissions. Oracle recommends keeping the permissions as restrictive as possible, according to your business needs.
- The WebLogic configuration file config.xml (JMS, JDBC, and so on), in the domain's configuration directory, should be protected with proper permissions.
- Output files generated by the export utility should be stored in a protected directory because they may contain sensitive pricing information.
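The defaults above (600 for non-executable files, 700 for executables) and the 640 applied to the installer logs under Oracle Inventory/logs are easy to widen accidentally during later administration. The following added example (not Oracle's code) walks a directory tree and lists every regular file whose mode grants more than those defaults, so an administrator can periodically confirm that PDC_home, the domain configuration directory and the export output directory have not drifted. It builds a constructed demonstration tree in a temporary directory with made-up file names when run without an argument; the file names and modes in that tree are sample data, not PDC's real layout.

```python
"""Report files under a PDC directory whose permissions exceed 600/700.

Added example for this page, not Oracle's code. The demo tree is constructed
sample data; point the script at PDC_home or the domain directory instead.
"""
import os
import stat
import tempfile


def find_loose_files(root, max_regular=0o600, max_exec=0o700):
    """Return sorted (path, octal_mode) pairs for regular files under `root`
    whose permission bits exceed the installation defaults on this page:
    600 for non-executable files and 700 for executable ones."""
    loose = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            st = os.lstat(path)          # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            allowed = max_exec if mode & 0o111 else max_regular
            if mode & ~allowed:          # any bit set beyond the allowed mask
                loose.append((path, oct(mode)))
    return sorted(loose)


def audit(root):
    """Human-readable findings, paths relative to `root`."""
    return [f"{os.path.relpath(path, root)} {mode}" for path, mode in find_loose_files(root)]


def make_demo_tree():
    """Build a constructed PDC_home-like tree in a temp dir for a dry run.
    File names and modes are sample data chosen to exercise each branch."""
    base = tempfile.mkdtemp(prefix="pdc_perm_demo_")
    samples = {
        "bin/runPDC.sh": 0o700,                  # executable at the default: fine
        "bin/old_tool.sh": 0o755,                # executable readable by everyone: flagged
        "logs/installActions-demo.log": 0o640,   # installer default 640: flagged for review
        "oui/data.properties": 0o600,            # non-executable at the default: fine
    }
    for rel, mode in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for line in audit(target) or ["no files wider than 600/700"]:
        print(line)
```

Files the report lists are candidates for `chmod 600` or `chmod 700`, or for deletion where the page says the file is no longer needed (the installer logs and data.properties after a completed install); review the group-readable installer logs rather than widening the policy to accept 640.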
Uninstalling Pricing Design Center
The following files remain in the system after uninstalling PDC:
- Install logs:
  Location: Oracle Inventory/logs/
  -rw-r----- 1 user1 eng 480058 Aug 15 09:25 installActions2018-08-15_08-06-57AM.log
  -rw-r----- 1 user1 eng      0 Aug 15 10:27 oraInstall2018-08-15_10-27-07AM.out
  -rw-r----- 1 user1 eng   2384 Aug 15 10:33 dbScripts2018-08-15_10-32-00AM.log
  -rw-r----- 1 user1 eng 124268 Aug 15 10:33 oraInstall2018-08-15_10-27-07AM.err
- PDC_home/oui/data.properties: This file is used to auto-populate the data during re-installs.
Delete these files manually if you do not need them, or protect them appropriately if they are required for future reference.
By default, these files are created with file permission 640 (owner can read/write, group members can read, others have no permission).
About Changing Passwords in the Wallets
PDC stores the passwords for the WebLogic Server domain, the PDC user, the cross-reference database, and the Oracle Communications Billing and Revenue Management (BRM) database in PDC and BRM Integration Pack wallets.
To change the password in the wallets, you must encrypt the new password manually and update the entry in the appropriate wallet. See "Changing Passwords in the Wallet" in BRM System Administrator's Guide for more information.
Implementing Pricing Design Center Security
This section describes how to implement the security capabilities in PDC by using Oracle Identity Management (IDM).
PDC uses IDM for authenticating and authorizing PDC users. Each instance of PDC requires an appropriately configured instance of IDM to enable these functions.
For information about installing PDC, see PDC Installation Guide.
Note:
If you have configured IDM, you must authorize PDC users by using IDM only.
About Authentication
Within IDM, Oracle Identity Manager (OIM) provides a mechanism for managing user password policies. You must configure OIM to authenticate and authorize PDC users. See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
About Authorization
Authorization refers to granting appropriate privileges to users and denying access to other functionality based on their job functions. Users with the following roles can access PDC using IDM:
- Pricing Design Admin: Can import and export all pricing and setup components in PDC.
- Pricing Analyst: Can import only pricing components; however, users with this role can export pricing and setup components.
- Pricing Reviewer: Can only export all pricing and setup components.
- Migration Admin: Can migrate pricing data from the BRM database to the PDC database.
- JDGroup: Can manually trigger the job dispatcher to put transformation jobs in the work item queue.
Configuring Authentication and Authorization by Using OIM
OIM enables enterprises to manage the entire user life cycle across all enterprise resources within and beyond a firewall.
To configure OIM to authenticate and authorize users in PDC:
- Configure OAM in WebLogic Server. See "Configuring OAM in WebLogic Server".
- Add users and assign roles in OIM. See "Adding Users and Assigning Roles in OIM".
Configuring OAM in WebLogic Server
To configure Oracle Access Manager (OAM) in WebLogic server:
- Log in to the WebLogic Remote Console.
- Click Edit Tree, then Security, and then Realms.
  The Summary of Security Realms page appears.
- Click the myrealm link.
  The myrealm configuration page appears.
- Click Authentication Providers in the tree in the left pane.
  A page with an Authentication Providers table appears.
- Click New.
- In the Name field, enter OAM Identity Asserter.
- From the Type list, select Oracle Access Manager Identity Asserter.
- From the Control Flag list, select REQUIRED.
- Click Create.
- Click New.
- In the Name field, enter OUD Authenticator.
- From the Type list, select Oracle Unified Directory Authenticator.
- From the Control Flag list, select SUFFICIENT.
- Click Create.
- Click the Oracle Unified Directory Authenticator Parameters tab and provide the Oracle Unified Directory (OUD) connection details.
- Click Save.
- In the Authentication Provider table, arrange the providers in the following order using the Move Down and Move Up buttons:
  - OAMIdentityAsserter
  - OUD Authenticator
  - DefaultAuthenticator
  - DefaultIdentityAsserter
- Click DefaultAuthenticator in the tree in the left pane and modify the Control Flag to SUFFICIENT.
- Click Save.
- Click the shopping cart at the top right, and then click Commit Changes to commit your changes.
- Restart WebLogic Server.
Adding Users and Assigning Roles in OIM
To add users and assign roles in OIM to access PDC:
- Log in to Oracle Identity Self Service.
  The Oracle Identity Self Service home page appears.
- Create new users (if required) by performing the following steps:
  - Click Manage.
  - Click Users.
    The Users page appears.
  - Click + Create.
    The Create Users page appears.
  - Enter the required information.
    For more information on creating users, see the discussion about creating and managing users in the Oracle Identity Manager Administrative and User Console Guide.
- Select a user.
- Click + Request Roles.
- In the Search field, enter the name of the role and click Search.
  See "About Authentication" for the supported roles.
  The search results appear.
- Select a role from the list under Categories.
- Click + Add to Cart.
- Click Next and click Submit.
Now, the users can access PDC.
Verifying OIM Configuration in WebLogic Server
To verify the OIM configuration in the WebLogic server:
- Log in to the WebLogic Remote Console.
- Click Security Data Tree and then Realms.
  The Summary of Security Realms page appears.
- Click myrealm.
  The myrealm configuration page appears.
- Click Authentication Providers in the tree in the left pane.
  A page with an Authentication Provider table appears.
- In the Authentication Provider table, click DefaultAuthenticator.
- Click Users in the tree in the left pane.
  The list of users created in OIM appears.