3 Implementing UIM Security

This chapter explains the security features of Oracle Communications Unified Inventory Management (UIM).

Configuring and Using Authentication

Authentication is the mechanism by which users present specific information as proof of their identity before being given access to a system. Authentication answers the question "Who are you?" using credentials such as a user name and password.

In Oracle WebLogic Server, authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system when needed. During the authentication process, a principal validation provider provides additional security protection for the principals (users and groups) contained within the subject by signing and verifying the authenticity of those principals.

Upon installation, UIM uses the WebLogic-embedded Lightweight Directory Access Protocol (LDAP) as the authentication provider. However, you can use any WebLogic-supported authentication provider, such as Oracle Internet Directory (OID), Relational Database Management System (RDBMS), or Security Assertion Markup Language (SAML).

Note:

If your UIM environment requires high-grade security and your user base is large (over 10,000 users), Oracle recommends that you use an external LDAP such as OID rather than the embedded LDAP.

UIM uses user name and password authentication. See UIM System Administrator's Guide for more information.

Whether UIM is configured to communicate with WebLogic Server over HTTP or HTTPS, login authentication is always sent over a secured HTTPS channel.

If you are using a Web services interface, the credentials are supplied with each request in a WS-Security UsernameToken header; there is no separate login session. See UIM Web Services Developer's Guide for more information.
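The following is an added example, not code from the UIM Web Services Developer's Guide, of what such a request looks like, built with the SAAJ API that ships with Java SE 8 (on Java 11 and later, add the jakarta.xml.soap-api and saaj-impl libraries). The wsse namespace URI and the PasswordText type value are the OASIS WS-Security 1.0 constants; the user name, password, and the getEntity body element with its urn:example:uim namespace are placeholders, since the real operation and namespace come from the UIM WSDL.

```java
import javax.xml.namespace.QName;
import javax.xml.soap.MessageFactory;
import javax.xml.soap.SOAPElement;
import javax.xml.soap.SOAPHeaderElement;
import javax.xml.soap.SOAPMessage;

/** Builds a SOAP request that carries a WS-Security UsernameToken header (added example). */
public class UsernameTokenRequest {

    // OASIS WS-Security 1.0 namespace and the plain-text password Type value.
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    public static SOAPMessage build(String user, char[] password) throws Exception {
        SOAPMessage msg = MessageFactory.newInstance().createMessage();

        // <wsse:Security soap:mustUnderstand="1"> ... </wsse:Security>
        SOAPHeaderElement security =
            msg.getSOAPHeader().addHeaderElement(new QName(WSSE, "Security", "wsse"));
        security.setMustUnderstand(true);

        SOAPElement token = security.addChildElement("UsernameToken", "wsse");
        token.addChildElement("Username", "wsse").addTextNode(user);
        SOAPElement pw = token.addChildElement("Password", "wsse");
        pw.addAttribute(new QName("Type"), PASSWORD_TEXT);
        // PasswordText carries the password as-is: the request must only ever travel over HTTPS.
        // The String copy held by the message cannot be wiped, so keep the message short-lived.
        pw.addTextNode(new String(password));

        // Placeholder body element; the real operation and namespace come from the UIM WSDL.
        msg.getSOAPBody().addChildElement(new QName("urn:example:uim", "getEntity", "ex"));
        msg.saveChanges();
        return msg;
    }

    public static void main(String[] args) throws Exception {
        char[] secret = "s3cret".toCharArray();   // constructed sample credential
        SOAPMessage request = build("alice", secret);
        java.util.Arrays.fill(secret, '\0');      // clear the char[] once it has been copied
        request.writeTo(System.out);              // prints the envelope, header included
        System.out.println();
    }
}
```

Because the token is sent with every call rather than once per session, a Web services client that logs or retries requests handles the password on each of those paths; that is the reason the page's requirement for HTTPS applies to the API as much as to the login page.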

Java Authentication and Authorization Service

WebLogic Server uses the Java Authentication and Authorization Service (JAAS) classes to authenticate the client, whether the client is an application, applet, Enterprise JavaBean, or servlet that requires authentication.

JAAS implements a Java version of the Pluggable Authentication Module (PAM) framework, which keeps applications independent of the underlying authentication technologies. New or updated authentication technologies can therefore be introduced without modifying the application.

About Callback Handlers

A callback handler is the standard JAAS mechanism (the javax.security.auth.callback.CallbackHandler interface) through which a login module asks the application for authentication data. The login module passes an array of Callback objects, each a typed request for one piece of information, and the handler fills them in.

Three callback types are relevant here: NameCallback, PasswordCallback, and TextInputCallback, all of which are part of the javax.security.auth.callback package. NameCallback and PasswordCallback return the user name and password, respectively. You can use TextInputCallback to access the data users enter into any additional fields on a login form (that is, fields other than those for the user name and password). Use one TextInputCallback per additional form field; the prompt string of each TextInputCallback must match the field name in the form. WebLogic Server uses TextInputCallback only for form-based Web application login.

An application implements a callback handler and passes it to underlying security services so that they may interact with the application to retrieve specific authentication data, such as user names and passwords, or to display certain information, such as error and warning messages.

Callback handlers are implemented in an application-dependent fashion. For example, implementations for an application with a UI may prompt users for requested information, or display error messages. An implementation may also choose to obtain requested information from an alternative source without asking the user.

Underlying security services request different types of information by passing individual callbacks to the callback handler. The callback handler implementation decides how to retrieve and display information depending on the callbacks passed to it.
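The following callback handler is an added example, not WebLogic Server's own implementation, showing how the three callback types above are answered from a submitted login form. The form is modelled as a Map of field names to values (constructed sample data in main); the field names j_username and j_password follow the Java EE form-login convention and the extra tenant field is hypothetical. The main method plays the part of the login module, which in a real deployment is WebLogic's authentication provider.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.TextInputCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
 * Answers a login module's callbacks from the fields of a submitted login form.
 * A real web application would take the same values from the HTTP request.
 */
public class FormCallbackHandler implements CallbackHandler {

    private final Map<String, String> formFields;

    public FormCallbackHandler(Map<String, String> formFields) {
        this.formFields = formFields;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(formFields.get("j_username"));
            } else if (cb instanceof PasswordCallback) {
                String pw = formFields.get("j_password");
                // PasswordCallback takes a char[] so the consumer can wipe it after use.
                ((PasswordCallback) cb).setPassword(pw == null ? null : pw.toCharArray());
            } else if (cb instanceof TextInputCallback) {
                // One TextInputCallback per extra form field; its prompt is the field name.
                TextInputCallback tic = (TextInputCallback) cb;
                String value = formFields.get(tic.getPrompt());
                if (value == null) {
                    throw new UnsupportedCallbackException(cb, "no form field named " + tic.getPrompt());
                }
                tic.setText(value);
            } else {
                // Refuse anything we do not understand rather than silently returning nothing.
                throw new UnsupportedCallbackException(cb, "unrecognized callback type");
            }
        }
    }

    /** Stand-in for the login module: requests credentials the way a JAAS LoginModule would. */
    public static void main(String[] args) throws Exception {
        Map<String, String> submitted = new HashMap<>();   // constructed sample form submission
        submitted.put("j_username", "alice");
        submitted.put("j_password", "s3cret");
        submitted.put("tenant", "mypartition");            // hypothetical extra field

        CallbackHandler handler = new FormCallbackHandler(submitted);

        NameCallback name = new NameCallback("username");
        PasswordCallback pass = new PasswordCallback("password", false);
        TextInputCallback tenant = new TextInputCallback("tenant");  // prompt == form field name
        handler.handle(new Callback[] { name, pass, tenant });

        System.out.println("user=" + name.getName() + " tenant=" + tenant.getText());
        char[] pw = pass.getPassword();
        // ... verify pw against the configured authentication provider here ...
        Arrays.fill(pw, '\0');   // wipe the secret once it has been used
        pass.clearPassword();
    }
}
```

The prompt-equals-field-name rule is what lets the same handler serve any number of extra fields without a per-field branch: the login module names the field it wants and the handler looks it up.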

Configuring and Using Access Control

Authorization is used to control access by:

  • Permitting only certain users to access a resource or action

  • Applying varying limitations on user access or actions

Upon installation, UIM defines the uimuser role. This is a super role that grants access to all UIM resources, so the role should not be granted to everyone. Rather, Oracle recommends that you define your own application roles to restrict access to UIM resources.

The uimuser role is part of the uim-users WebLogic Server group. To access UIM, a user must be assigned a role that is part of the uim-users group. A user who is not assigned such a role encounters the following error after successful authentication:

Error 403 - Access Forbidden

For details on group management, see the WebLogic Server Administration Console Help.

Enabling Access for Specifications

To restrict a specification to a set of users, you create the corresponding user group in the WebLogic Server Administration Console and then reference that group from the specification's record in the UIM database.

To enable access for a specification:

  1. Open WebLogic Server Administration console.

  2. Create the user groups and assign users to the groups.

    Note:

    UIM recognizes the user group only if the group name begins with ora_uim_partition#.

  3. In the SPECIFICATION table, update the PARTITION column of the corresponding specification record with the user group name.

    For example, if the user group name is mypartition, update the PARTITION column with /mypartition. After the update, only users who belong to the mypartition group can see this specification.

  4. Update the PARTITION column for all specifications to which the users need access.

  5. Clear the tmp and cache directories and restart the application servers, because the preceding steps modify data in the database.

  6. Set the following property in system-config.properties file:

    uim.security.filter.enabled=true

Configuring and Using Security Audit Logs

For information about configuring and using security audit logs in Oracle WebLogic Server, see:

http://docs.oracle.com/middleware/1221/wls/SECMG/toc.htm

Secure Access to UIM Web Services

The Web services API is standards based, using JAX-RPC over HTTPS. It uses the same security access level as the UIM UI, so any user who can log in to UIM can also use the Web services API; assign roles with both interfaces in mind.

Managing UIM Security

UIM System Administrator's Guide contains information on the following security management topics:

  • Authentication

    • Password management

    • Authenticating Web services

  • Authorization

    • Security roles and policies

    • Taskflow and resource permissions

    • Application role management

    • Application policy management

    • Enabling Web service authentication at runtime

    • Partitioning the database