Administrative Security Feature Set

This section describes implications of adding and removing the Admin Security feature set on an Oracle Communications Session Border Controller (OCSBC).

This feature enables various security enhancements described in this document. In the absence of an Admin Security feature set, these enhancements are not available.

Note:

The Admin Security feature set is not intended for all customer use. Consult your Oracle representative to understand the ramifications of enabling these features.
If the Admin Security feature is removed, protected areas of the system remain unavailable. This ensures that a system cannot be compromised by removing features. Once the Admin Security feature is provisioned, it cannot be removed, and the OCSBC may retain sensitive information. To remove all sensitive data, you must perform a complete factory reset (zeroization). On supported Acme Packet platforms, zeroization is done using the Oracle Rescue Account. To perform zeroization on a virtual OCSBC, you must perform a complete image reinstallation. For more information on performing a factory reset, see "Factory Reset for the Oracle Communications Session Border Controller" in this guide.

Note:

The Government Security Certification SKU is equivalent to the Admin Security feature.
When you enable Admin Security via the setup entitlements command, the OCSBC displays the following warning:
********************************************************************************
CAUTION: Enabling this feature activates enhanced security functions.
Once saved, security cannot be reverted without resetting the system
back to factory default state.
********************************************************************************
Note: The 'factory default' process via the 'oracle rescue account' menu can be used for support to guide the
removal of these features in the field by resetting the system back to the as-shipped state.

When the Admin Security feature set is present and enabled, the following security policies and restrictions are implemented:

  • shell access is denied
  • SSH keys are denied
  • history log access is denied
  • password policy features are enabled, along with additional Admin Security-specific password requirements
  • access to the Session Element Manager (SEM) in the Session Delivery Manager (SDM) is blocked
  • ACP (Acme Control Protocol) is blocked

When the Admin Security feature set is disabled and deleted, the following security policies and restrictions are implemented:

  • shell access is denied
  • SSH keys are denied
  • password policy features are disabled
  • access to the SEM in the SDM is granted
  • ACP is blocked

Enabling the Admin Security Feature

Provision the Admin Security feature by enabling Admin Security via the setup entitlements command. For more information on installing the Admin Security feature set, see the Oracle Enterprise Session Border Controller Release Notes. For instructions on provisioning this feature set, see the Oracle Enterprise Session Border Controller ACLI Configuration Guide.

Supported Platforms

The following platforms support Admin Security:
  • Acme Packet 1100
  • Acme Packet 3900
  • Acme Packet 4600
  • Acme Packet 6300
  • VMware

JITC Support

The Oracle Communications Session Border Controller (OCSBC) supports Joint Interoperability Testing Command (JITC). The Admin Security feature set largely encompasses JITC features, with one main difference: instead of sending ACP over TCP, which potentially exposes sensitive information, JITC allows ACP over TLS.

Note:

The JITC feature set is supported on OESBC releases only.

When both Admin Security and Federal Information Processing Standards (FIPS) feature sets are enabled on the OCSBC, . When both are provisioned and you execute the show licenses and show entitlements commands, the OCSBC displays JITC.

Provision the JITC feature by enabling the Advanced Security Suite via the setup entitlements command. For more information on installing the Admin Security feature set, see the Oracle Enterprise Session Border Controller Release Notes. For instructions on provisioning this feature set, see the Oracle Enterprise Session Border Controller ACLI Configuration Guide.

Note:

As of Release ECZ7.5.0 and later, JITC supersedes all Admin Security features, while behavior for Admin Security features acquired prior to ECZ7.5.0 remains unchanged.

Supported Platforms

The following platforms support JITC mode:

  • Acme Packet 1100
  • Acme Packet 3900
  • Acme Packet 4600
  • Acme Packet 6300
  • VME

Admin Security ACP Feature

The Administrative Security ACP feature adds more password security and opens the ACP port, allowing the OCSBC to connect to the Oracle Communications Session Delivery Manager (OCSM).

The Admin Security ACP feature inherits the rules of the Admin Security feature set and imposes additional rules and restrictions to improve password strength. For information on obtaining an Admin Security with ACP license key, contact your Oracle representative.

For information on the additional password length/strength requirements supported with the Admin Security with ACP feature, see Password Policy.

Set the password-policy, password-policy-strength parameter to enabled to enable the enhanced password strength requirements. To retain only the password requirements defined by the Admin Security feature, leave this parameter set to disabled. For more information on configuring Admin Security with ACP password policies, see Configuring the Admin Security with ACP Password Rules.

Login Banner

Upon successful user authentication/authorization, the Oracle OCSBC displays the login banner.

  • Last login: displays the date and time that the current user (admin in this case) last successfully logged in
  • System last accessed: displays the date and time and user name of the last user who successfully logged in
  • Unsuccessful login attempts: displays the date and time of the last five unsuccessful login attempts by the current user (admin in this case)
  • Confirm reading: requires user acknowledgement of the display banner.

    A positive response (y) successfully completes login, and starts audit-log activity for this user session. A negative response (n) generates an audit-log entry and logs the user out of the OCSBC.

The login banner also provides notification of impending password or SSH public key expiration as described in Password Policy Configuration.