2 Managing Offline Mediation Controller Security

Learn how to manage security in Oracle Communications Offline Mediation Controller.

About Offline Mediation Controller Security

Offline Mediation Controller security includes the following aspects:

  • Secure communication

  • User and password management

  • Secure centralized storage for user and user-role information

About Secure Communication Using Secure Sockets Layer

Secure Sockets Layer (SSL) enables secure communication between applications. SSL provides authentication, data integrity, and data encryption, so that transmitted data is protected while in transit.

By default, Administration Client communicates with Administration Server through SSL, and Administration Server communicates with Node Manager through SSL. During authentication, Administration Server identifies itself with a certificate. It also provides data integrity through an integrity check value.

Creating Secure Connections

In Offline Mediation Controller, one-way SSL is used to create secure connections before any data is shared between the components. To use one-way SSL from a client to a server, configure an identity for the server and a trust store for the client. The client's trusted certificate authority (CA) certificates must include the CA certificate that issued the peer's identity certificate; this does not have to be the root CA certificate.

In the communication between Administration Client and Administration Server, Administration Server has its own certificate in a secure KeyStore. This certificate will have a private and public key pair. Administration Server will share the certificate containing only the public key with all its known Administration Clients. Administration Client adds the server's certificate to its trust store, indicating that Administration Server is added to the trusted list.

In the communication between Administration Server and Node Manager, Node Manager acts as the server. Node Manager creates the key pair and stores it in a secure KeyStore. Node Manager shares its public key with the known Administration Server so that communication is secured, and Administration Server adds Node Manager's certificate to its trust store.

To acquire a digital certificate for your server, generate a public key, a private key, and a Certificate Signing Request (CSR), which contains your public key. Send the CSR to a certificate authority and follow its procedures for obtaining a signed digital certificate.

After you have your private keys, digital certificates, and any additional trusted CA certificates that you may need, store the private keys and certificates in KeyStores.

See "Enabling Secure Communication Using Certificates" in Offline Mediation Controller Installation Guide.

Enabling and Disabling SSL Mode

By default, Offline Mediation Controller runs in SSL mode; SSL communication is enabled or disabled through a common configuration parameter.

Note:

If one of the Offline Mediation Controller components is running in SSL mode, the other components must be in SSL mode.

To enable or disable SSL mode for Offline Mediation Controller:

  1. Open the OMC_home/bin/UDCEnvironment script in a text editor, where OMC_home is the directory in which Offline Mediation Controller is installed.

  2. Add or modify the following entry:

    SSL_ENABLED = value

    where value is:

    • TRUE to enable SSL mode.

    • FALSE to disable SSL mode.

  3. Save and close the file.

  4. Restart Offline Mediation Controller.
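The note above requires every component to run in the same SSL mode, and a deployment with several Node Manager hosts has several UDCEnvironment scripts to keep in step. The following check is an added example written for this page, not Oracle's code: it parses the SSL_ENABLED entry from copies of each component's UDCEnvironment script and reports any component that has SSL disabled while another has it enabled. The component names, the sample script contents, and the helper names (ssl_mode, check_consistency, check_files) are assumptions of the example; the script accepts both the page's "SSL_ENABLED = value" spelling and a shell-style "export SSL_ENABLED=TRUE".

```python
"""Check that all Offline Mediation Controller components run in the same SSL mode.

Added example, not part of Oracle's documentation or product code. It parses the
SSL_ENABLED entry of each component's OMC_home/bin/UDCEnvironment script (copied
to this host, or read over whatever channel you already use) and reports any
component that is out of step. Component names, file contents and the helper
names are assumptions of this example.
"""
import re
from pathlib import Path

# Accepts the page's "SSL_ENABLED = value" form as well as the shell-style
# "export SSL_ENABLED=TRUE"; the value may be quoted and is case-insensitive.
SSL_RE = re.compile(r'^\s*(?:export\s+)?SSL_ENABLED\s*=\s*"?([A-Za-z]+)"?\s*$',
                    re.MULTILINE)


def ssl_mode(script_text):
    """True/False for the last SSL_ENABLED assignment in the script, None if it
    is absent or not TRUE/FALSE. The last assignment wins, as in a shell script."""
    values = SSL_RE.findall(script_text)
    if not values:
        return None
    return {"TRUE": True, "FALSE": False}.get(values[-1].upper())


def check_consistency(scripts):
    """scripts maps a component name to its UDCEnvironment text.

    Returns {"modes": {name: mode}, "mismatched": [...], "unknown": [...]}.
    A component is mismatched when it has SSL disabled while any other has it
    enabled (the page requires all components to be in SSL mode in that case).
    Components with no usable entry are listed separately so an operator can
    confirm which mode they actually run in rather than assuming the default."""
    modes = {name: ssl_mode(text) for name, text in scripts.items()}
    known = {name: mode for name, mode in modes.items() if mode is not None}
    any_ssl = any(known.values())
    mismatched = sorted(name for name, mode in known.items() if any_ssl and not mode)
    unknown = sorted(name for name, mode in modes.items() if mode is None)
    return {"modes": modes, "mismatched": mismatched, "unknown": unknown}


def check_files(paths):
    """paths maps a component name to a local copy of its UDCEnvironment file."""
    return check_consistency({name: Path(p).read_text() for name, p in paths.items()})


# Constructed sample scripts (not real files) for a three-host deployment.
SAMPLE_SCRIPTS = {
    "adminserver": "# UDCEnvironment\nSSL_ENABLED = TRUE\n",
    "adminclient": 'export SSL_ENABLED="true"\n',
    "nodemgr-host2": "SSL_ENABLED = TRUE\nSSL_ENABLED = FALSE\n",   # later line wins
    "nodemgr-host3": "# SSL_ENABLED entry missing\n",
}

if __name__ == "__main__":
    result = check_consistency(SAMPLE_SCRIPTS)
    for name, mode in sorted(result["modes"].items()):
        print(f"{name:15} SSL_ENABLED={mode}")
    if result["mismatched"]:
        print("components that must be switched to SSL mode:", ", ".join(result["mismatched"]))
    if result["unknown"]:
        print("components with no usable SSL_ENABLED entry:", ", ".join(result["unknown"]))
```

Run it against real copies with check_files({"adminserver": "/path/to/UDCEnvironment", ...}); a component listed under "unknown" should be inspected by hand, because a missing entry is indistinguishable from a misspelled one.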

Securely Connecting Administration Server to Other Node Manager Instances

You can securely connect Administration Server to other Node Manager instances or node hosts to collect data from Node Manager instances.

To securely connect Administration Server to other Node Manager instances:

  1. Log on to the system on which Administration Server is installed.

  2. Securely copy Node Manager's nodeManager.cer file from the machine on which Node Manager is installed to a temporary directory.

  3. Run the following command:

    OMC_home/jre/bin/keytool -import -v -trustcacerts -alias alias_name -file File_path -keystore OMC_home/config/adminserver/adminServerTruststore.jks

    where:

    • alias_name is the name of the new keystore entry. You must specify a different alias for each Node Manager.

    • File_path is the path to the temporary directory and nodeManager.cer file that you securely copied.

    Administration Server's truststore password prompt appears.

  4. Enter Administration Server's truststore password.

    The Trust this certificate prompt appears.

  5. Confirm to trust the certificate.

    The certificate is successfully imported into Administration Server's truststore.

  6. Restart Administration Server and Administration Client.
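When Administration Server collects from many Node Manager hosts, step 3 is repeated once per host and the rule in the alias_name description (a different alias for each Node Manager) is easy to break by hand. The following planner is an added example, not Oracle's code or a tool shipped with the product: it builds the page's keytool command for each Node Manager with a derived alias, rejects duplicate aliases before anything touches the truststore, and can then run the commands. The alias scheme (nodemgr-<host>), the temp-directory layout (one nodeManager.cer per host subdirectory), the sample host names, and the function names are assumptions of the example; -noprompt is keytool's own option for skipping the "Trust this certificate" prompt.

```python
"""Plan the keytool imports that add each Node Manager's certificate to the
Administration Server truststore, one distinct alias per Node Manager.

Added example, not part of Oracle's documentation or product. It reproduces the
keytool command from the page's procedure; the Node Manager list, the alias
scheme (nodemgr-<host>), the temp-directory layout and the helper names are
assumptions of this example.
"""
import subprocess
from pathlib import Path


def import_command(omc_home, alias, cer_path, noprompt=False):
    """argv for the page's keytool -import. The truststore password is entered at
    keytool's prompt on purpose: passing it with -storepass would expose it in
    shell history and process listings. -noprompt skips the trust confirmation
    and is only appropriate when the .cer was verified out of band."""
    omc = Path(omc_home)
    cmd = [str(omc / "jre" / "bin" / "keytool"), "-import", "-v", "-trustcacerts",
           "-alias", alias, "-file", str(cer_path),
           "-keystore", str(omc / "config" / "adminserver" / "adminServerTruststore.jks")]
    if noprompt:
        cmd.append("-noprompt")
    return cmd


def plan_imports(omc_home, node_managers, temp_dir, noprompt=False):
    """node_managers: iterable of Node Manager host names. Each gets the alias
    nodemgr-<host> (assumed scheme; keytool aliases are case-insensitive, so the
    host name is lowercased) and is expected to have had its nodeManager.cer
    securely copied to temp_dir/<host>/nodeManager.cer.
    Raises ValueError on a duplicate alias, which keytool would otherwise reject
    part-way through the batch."""
    seen = set()
    plan = []
    for host in node_managers:
        alias = f"nodemgr-{host.lower()}"
        if alias in seen:
            raise ValueError(f"duplicate alias {alias!r}: each Node Manager needs its own alias")
        seen.add(alias)
        cer = Path(temp_dir) / host / "nodeManager.cer"
        plan.append(import_command(omc_home, alias, cer, noprompt))
    return plan


def run_imports(plan):
    """Execute the planned commands one by one; keytool prompts for the
    truststore password (and trust confirmation unless -noprompt was planned)."""
    for cmd in plan:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Constructed sample values; print the plan instead of running it.
    for cmd in plan_imports("/opt/OMC", ["nm-host-a", "nm-host-b"], "/tmp/nm-certs"):
        print(" ".join(cmd))
```

After the imports, restart Administration Server and Administration Client as step 6 says; keytool -list -keystore adminServerTruststore.jks shows one entry per alias, which is a quick way to confirm that no Node Manager was skipped.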

Configuring Session Timeout Between Administration Server and Administration Client

Whether a session times out depends on which components it connects. Only the session between Administration Client and Administration Server times out after a preconfigured idle period. The session between Administration Server and Node Manager never expires, because no user intervention is expected there.

To set the session timeout:

  1. Open the OMC_home/web/htdocs/AdminServerImpl.properties file in a text editor.

  2. Add or modify the following entry:

    com.nt.udc.admin.server.AdminServerImpl.timeoutVal  value

    where value specifies a timeout value in minutes. The default is 30.

  3. Save and close the file.

  4. Restart Administration Server and Administration Client.

About Users in Offline Mediation Controller

You can create, modify, and delete user login accounts through the Offline Mediation Controller administration client. The Offline Mediation Controller software authenticates all users prior to allowing them access to system configuration views.

When a login attempt fails, the system prompts again for the user name and password for authentication. The Administration Server logs all user authentication events.

Offline Mediation Controller provides the following user roles:

  • Administrator: Can create or delete login accounts and reset user names and passwords. The administrator can also create, modify, and delete all functional components of the system (administration servers, node managers, nodes, node chains, and so on).

  • Designer: Can perform all of the tasks that an Administrator can, except user-management tasks.

  • Operator: Can start and stop nodes, view logs and alarms, and edit NARs.

  • Guest: Can view logs and alarms.

All users can change their own passwords.

Table 2-1 lists the Offline Mediation Controller functions and user access based on the role.

Table 2-1  Role-Based Access to Functions

Function                                                                 Administrator  Designer  Operator  Guest
Change the node/node host configuration                                  Yes            Yes       No        No
Start or stop any node                                                   Yes            Yes       Yes       No
Create or delete any node host, node chain, or individual node           Yes            Yes       No        No
Add, change, and delete an SNMP host                                     Yes            Yes       No        No
Add, change, and delete users                                            Yes            No        No        No
Change own details                                                       Yes            Yes       Yes       Yes
View alarms and alarm's level for both Node Manager and individual node  Yes            Yes       Yes       Yes
View the log details for messages, exceptions, etc.                      Yes            Yes       Yes       Yes
Export configurations                                                    Yes            Yes       No        No
Import configurations                                                    Yes            Yes       No        No
Import customizations                                                    Yes            Yes       No        No
Launch Record Editor                                                     Yes            Yes       Yes       No
Manage poll list                                                         Yes            Yes       No        No
Manage statistics reporting                                              Yes            Yes       No        No
View Administration Server log                                           Yes            Yes       Yes       Yes
Create or delete or edit routing between the nodes                       Yes            Yes       No        No
Clear alarms                                                             Yes            Yes       No        No

Caution:

When you start Administration Server with the -x parameter, user authentication is disabled and you cannot perform the user management operations in Administration Client.

About Managing Users in Offline Mediation Controller

You manage Offline Mediation Controller users by using Administration Client. The Offline Mediation Controller software authenticates all users prior to allowing them access to system configuration views. The Administration Server logs all user authentication events.

To log in to a newly installed or upgraded Offline Mediation Controller system for the first time, use the default User ID (Admin) and password (admin). Customize your own login profile, and then create user login profiles. Each profile requires a user name and a password.

About Managing the Administrator User Password in Oracle Unified Directory

You can modify the administrator user password by accessing the Oracle Unified Directory server. For information regarding managing users in Oracle Unified Directory, see "Managing Users and Groups" in Oracle Fusion Middleware Administering Oracle Unified Directory.

About Managing Passwords

Passwords are central to the security of the system, so every password should be strong and must not be hard-coded, especially for privileged users such as Administrator.

By default, the password management policy is applied to all users in Offline Mediation Controller. User authentication can be disabled by starting Administration Server with the -x parameter.

Storing Passwords

The Offline Mediation Controller installer stores account passwords (for the Administrator and general users) in encrypted format in Oracle Unified Directory. By default, the passwords in Oracle Unified Directory are encrypted in the salted SHA-256 format.

About the Default Password Policy

When you create a user account in Offline Mediation Controller, it assigns a default password policy to that user account. The default password policy includes the following rules:

  • Passwords expire automatically after 90 days.

  • The last three passwords cannot be reused during a password change.

  • The password must comply with the following standards:

    • Contain at least six characters

    • Contain at least one lowercase letter

    • Contain at least one uppercase letter

    • Contain at least one special character (for example, $)

    • Contain at least one number

  • The user is locked out for 10 minutes after three consecutive failed login attempts.

  • The user must change the password after the first successful authentication after a password is set or reset by the administrator.
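The policy rules above are enforced by Oracle Unified Directory; the following is an added example written for this page, not Oracle's or OUD's code, that states the same rules as checks so that an administrator can test a candidate password or reason about the lockout behaviour before changing the policy. Assumptions of the example: "special character" means any ASCII punctuation (the page gives only $ as an example), password history is kept as salted SHA-256 digests in the format the Storing Passwords section describes, times are epoch seconds, and attempts made while an account is locked are not counted as further failures. The function and class names are the example's own.

```python
"""Apply the default password policy to a candidate password and model the
three-failure lockout, the 90-day expiry and the forced change after a reset.

Added example, not Oracle Unified Directory's policy engine and not Oracle's
code. Assumptions: "special character" means any ASCII punctuation (the page
only gives $ as an example), password history is a list of salted SHA-256
(salt, digest) pairs, newest first, and times are epoch seconds.
"""
import hashlib
import hmac
import os
import re
import string

PASSWORD_MIN_LENGTH = 6
PASSWORD_HISTORY = 3               # last three passwords cannot be reused
PASSWORD_MAX_AGE = 90 * 24 * 3600  # seconds; passwords expire after 90 days
LOCKOUT_FAILURES = 3               # consecutive failures before lockout
LOCKOUT_SECONDS = 10 * 60          # locked out for 10 minutes


def salted_sha256(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn if none is given."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode("utf-8")).digest()


def password_violations(candidate, history):
    """List every rule the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < PASSWORD_MIN_LENGTH:
        problems.append("shorter than 6 characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no uppercase letter")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    if not re.search(r"[0-9]", candidate):
        problems.append("no number")
    for salt, digest in history[:PASSWORD_HISTORY]:
        # Re-hash with the stored salt; constant-time compare avoids timing leaks.
        if hmac.compare_digest(salted_sha256(candidate, salt)[1], digest):
            problems.append("matches one of the last three passwords")
            break
    return problems


class AccountState:
    """Per-user state: consecutive failures, lock expiry, password age, forced change."""
    def __init__(self, password_set_at, reset_by_admin=False):
        self.failures = 0
        self.locked_until = None
        self.password_set_at = password_set_at
        self.must_change = reset_by_admin   # password was set or reset by the administrator


def attempt_login(state, password_ok, now):
    """Outcome of one login attempt: 'locked', 'denied', 'change-required' or 'ok'."""
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"              # attempts during the lockout are not counted
        state.locked_until = None        # lockout expired; start counting afresh
        state.failures = 0
    if not password_ok:
        state.failures += 1
        if state.failures >= LOCKOUT_FAILURES:
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
    state.failures = 0                   # a success resets the consecutive-failure count
    if state.must_change or now - state.password_set_at >= PASSWORD_MAX_AGE:
        return "change-required"
    return "ok"


def change_password(state, new_password, history, now):
    """Apply the policy; on success record the new hash at the head of history
    and return [], otherwise return the list of violations."""
    problems = password_violations(new_password, history)
    if problems:
        return problems
    history.insert(0, salted_sha256(new_password))
    del history[PASSWORD_HISTORY:]       # keep only what the reuse rule needs
    state.password_set_at = now
    state.must_change = False
    return []


if __name__ == "__main__":
    t0 = 1_700_000_000                                       # constructed timestamp
    state = AccountState(password_set_at=t0, reset_by_admin=True)
    history = []
    print(attempt_login(state, True, t0))                    # change-required
    print(change_password(state, "weak", history, t0))       # list of violations
    print(change_password(state, "Str0ng$pw", history, t0))  # []
    print(change_password(state, "Str0ng$pw", history, t0))  # reuse rejected
```

If you later change max-password-age or the other parameters in createPasswordPolicy (see the next section), adjust the constants at the top of this example to keep it in step with the policy actually loaded into Oracle Unified Directory.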

Modifying the Default Password Policies

The default password policy is assigned to user accounts during Offline Mediation Controller installation. You can modify the default password policy by editing the parameters in the OMC_home/bin/createPasswordPolicy script.

To modify the default password policy:

  1. Ensure that the Oracle Unified Directory server instance is running.

  2. Open the OMC_home/bin/createPasswordPolicy file in a text editor.

  3. Enter or modify the parameter values. For example:

    • To have passwords expire every 120 days, you would set max-password-age to 120.

    • To require users to enter their current password when setting a new password, you would set password-change-requires-current-password to true.

    For information about each password policy parameter, see "Managing Password Policies" in Oracle Fusion Middleware Administering Oracle Unified Directory.

  4. Save and close the file.

  5. Go to the OMC_home/bin directory.

  6. Run the following command:

    ./createPasswordPolicy -p OUD_password

    where OUD_password is the Oracle Unified Directory server instance administrator password.

  7. Restart Administration Server and Administration Client.