Additional Security Options for Key Technology Components

Oracle Relational Database Management System

The vast majority of Oracle Network Management System static and dynamic model data is stored in an Oracle Relational Database Management System (RDBMS). All updates to a single NMS RDBMS instance are managed through at least one pair of Oracle RDBMS username/schema. This Oracle RDBMS access user name is used by NMS C++ services, WebLogic JDBC connections, the Oracle SQL Plus utility along with Perl and Python scripts to update/maintain the NMS instance. Actual NMS end users are generally authenticated outside of the Oracle RDBMS (via LDAP accessible Directory Services). For security purposes - it is recommended that access to the production NMS RDBMS be managed appropriately.

For a typical installation NMS updates the RDBMS using the following access mechanisms:

• Required: NMS C++ Service daemons - via Oracle Call Interface.

• Required: WebLogic - via Java Database Connectivity (JDBC) connections.

• Required: Oracle SQL Plus - used for Oracle NMS schema creation/configuration updates.

• Required: Perl (from the Oracle RDBMS installation) - used by NMS scripts to update/access RDBMS.

• Required: Python - used by NMS scripts to update/access RDBMS.

• Optional: BI Publisher via JDBC - used by Oracle NMS Switching to print switch plans.

• Optional: Project specific Oracle RDBMS query/update/monitor tools. SQL access/update tools like Oracle SQL Developer, OEM Grid/Cloud Control and/or similar may also be used to help monitor the NMS RDBMS but are not required to install or run NMS.

The NMS C++ Service daemons manage the vast majority of updates to the NMS RDBMS schema. NMS services perform RDBMS updates via calls to the various NMS *DBService daemon processes. The *DBService daemon processes use the Oracle Call Interface (OCI) to update/query the Oracle RDBMS. The Oracle Call Interface is an Application Programming Interface (API) that uses the Oracle Net8 (SQL*Net V2) protocol to communicate to the Oracle RDBMS "listener" process. The Oracle listener runs on the same node as the Oracle RDBMS and allows remote network nodes to access the Oracle RDBMS.

General RDBMS Security Options:

1. Ports: The Oracle RDBMS listener process uses port 1521 by default for Net8 (SQL*Net V2) communication. The Oracle RDBMS listener port can be configured via the $ORACLE_HOME/network/admin/listener.ora configuration file. Any change to the Oracle RDBMS listener port must be matched by the relevant $TNS_ADMIN/tnsnames.ora configuration file - which is used for Oracle RDBMS client access by Oracle NMS services.

2. Standard: Use independent Oracle RDBMS instances to manage production NMS data versus non-production NMS data.

• Depending on RDBMS capability/capacity a single RDBMS instance can often support multiple production (or non-production) Oracle NMS instances concurrently.

3. Standard: Secure NMS Oracle username credentials.

• Use Oracle Wallet to secure credentials for NMS daemon processes.

• NMS *DBService processes are "daemon" components that generally operate 24x7. As such these processes must be able to stop/start without human intervention. NMS uses Oracle Wallet technology to store and better secure user credentials needed to access/update the Oracle NMS RDBMS. This allows the NMS Unix admin account to stop/start the NMS *DBService processes without direct access to actual Oracle RDBMS schema/username credentials.

• The NMS Unix admin account uses the Oracle SQL Plus utility to help create and manage the Oracle NMS RDBMS schema. The Oracle SQL Plus utility uses the same Oracle Wallet as NMS services to more securely access the Oracle NMS RDBMS.

• The NMS nms-env-config script is generally used to setup the Oracle Wallet to hold Oracle NMS RDBMS username and password credentials for a given Oracle NMS admin (Unix) user account. In this manner access to the NMS admin Unix user account provides access to the Oracle NMS RDBMS username. These credentials are used to allow NMS OCI based processes to access the appropriate Oracle RDBMS instance and schema.

• NMS *DBService processes, Perl, Python, and SQL Plus scripts that run under the NMS admin account can all leverage the same Oracle wallet username/password credentials for access to the Oracle NMS RDBMS user/schema.

4. Standard: Minimize the Oracle RDBMS privileges granted to the Oracle username used to support the Oracle RDBMS instance (table read/write privilege but not schema change privileges). An Oracle NMS instance requires at least two Oracle RDBMS schemas.

• The Oracle NMS RDBMS admin schema/user has Data Definition Language (DDL) and Data Control Language (DCL) access and can update the schema as required. The Oracle NMS RDBMS admin user owns the schema (all NMS specific tables and views). It is used for initial NMS installs and for applying routine NMS patches (so NMS schema can be modified).

• The Oracle NMS RDBMS operational schema/user contains only synonyms with restricted Data Manipulation Language (DML) access to the Oracle RDBMS admin schema - no tables or views. This (restricted) Oracle RDBMS schema/user is for normal/daily NMS operations.

• Note in a dual NMS environment there will be two separate Oracle NMS RDBMS user/schemas for production use. Support for dual NMS environments is an NMS option that supports two separate (blue/green type) NMS admin accounts to support reduced downtime for incremental NMS patching.

• See the $NMS_BASE/templates/nms_role.sql.template for example Oracle Data Control Language (DCL) statements to create the required Oracle RDBMS roles and privileges necessary to support an NMS installation.

• See the $NMS_BASE/templates/nms.sql.template for example Oracle Data Definition Language (DDL) statements to create required Oracle RDBMS tablespaces and user names - based on the roles and privileges defined in the nms_role.sql.template file.

5. Relaxed: For a test/train RDBMS environment you might grant the ability for a given Oracle user to import/export RDBMS data. With Oracle 11gR2 or higher, you must use the Oracle datapump utility to export/import RDBMS data. The older imp/exp mechanism is not adequate and will not work. Example statements to grant an Oracle user named nms_admin datapump export/import privileges (from the nms.sql.template file noted above).

• grant DATAPUMP_EXP_FULL_DATABASE TO nms_admin;

• grant DATAPUMP_IMP_FULL_DATABASE TO nms_admin;

6. Enhanced: If a given NMS customer/installation wants or needs to encrypt Oracle NMS RDBMS data "on-the-wire" the Oracle EE RDBMS Native Network Encryption (NNE) option can be configured. Some high-level information on how to setup NNE for NMS is noted below. Reference Oracle RDBMS documentation on Native Network Encryption for more details.

Native Network Encryption(NNE)

The NNE option is built into the database itself and does not require SSL or a separate listener port and has relatively low overhead. The data is encrypted, but transported over regular tcp instead of SSL.

In the NMS RDBMS server-side sqlnet.ora file, set the options below:

# SQLNET.ENCRYPTION_SERVER = required|requested|accepted|rejected

SQLNET.ENCRYPTION_SERVER = requested

SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)

In the NMS services RDBMS client side sqlnet.ora file, set the options below:

# SQLNET.ENCRYPTION_CLIENT = required|requested|accepted|rejected

SQLNET.ENCRYPTION_CLIENT = required

You can verify connections are encrypted via the Oracle NMS ISQL utility (a wrapper around sqlplus) as follows:

$ ISQL

SQL> select network_service_banner from v$session_connect_info where sid in (select distinct sid from v$mystat);

NETWORK_SERVICE_BANNER

------------------------------------------------------------

TCP/IP NT Protocol Adapter for Linux: Version 19.0.0.0.0 - Production

Encryption service for Linux: Version 19.0.0.0.0 - Production

AES256 Encryption service adapter for Linux: Version 19.0.0.0.0 - Production

Crypto-checksumming service for Linux: Version 19.0.0.0.0 - Production

In WebLogic data source, in the properties box:

oracle.net.encryption_client=REQUIRED

oracle.net.encryption_types_client=(AES256)

7. Enhanced: If a given NMS customer/installation wants or needs more security for Oracle RDBMS "data-at-rest" encryption they can consider the Oracle "Advanced Security" option to the Oracle Enterprise Edition RDBMS. The Oracle Advanced Security option allows virtually all RDBMS data to be encrypted both on-disk and/or on-the-wire as it moves between the required technology components - such as between the Oracle RDBMS and WebLogic.

• The Oracle "Advanced Security" option is a separately licensed Oracle EE RDBMS option. Configuration for the Oracle "Advanced Security" option should be generally transparent to the Oracle Network Management System application. Configuration for Oracle Advanced Security is not covered in this document.

8. Enhanced: Run the production Oracle NMS RDBMS instance on a dedicated server - not on the same server as might be used for a non-production NMS (or other) RDBMS dependent applications. This approach reduces potential attack vectors for the critical RDBMS component.

9. Relaxed: Support more than one NMS instance on a single RDBMS instance.

• Note it is generally acceptable (and common) to host multiple NMS instances on a single RDBMS instance - for production and non-production. It is generally recommended to keep all production NMS instances on separate RDBMS instances from non-production NMS-instances.

• Each NMS instance must have its own set of dedicated Oracle RDBMS schema/user names.

Network Management System Services

Oracle NMS services are a set of C++ daemon processes that manage the majority of the processing and coordination required to manage the operational NMS Electrical Network model. These NMS C++ service processes coordinate with each other using the ISIS message bus.

ISIS runs on the node where NMS services run. By default, ISIS runs on the loopback (localhost) network. In this mode ISIS is only used to coordinate messages between NMS service processes and no ISIS ports are accessible from any external nodes. NMS ISIS messages are not encrypted. ISIS uses the configuration file pointed to by the $ISIS_PARAMETERS environment variable. In general, $ISIS_PARAMETERS should not be changed unless specifically instructed by Oracle NMS support.

The NMS SwService (Switching Service) uses Simple Object Access Protocol (SOAP) over HTTPS to send synchronous request messages to WebLogic that require a distinct response. These messages are authenticated and can also be encrypted via SSL. Oracle Wallet functionality is used to hold authentication credentials for the NMS services that send these SOAP messages to WebLogic. In order to use a secure connection, SwService needs to connect to the SSL port of the WebLogic server and provide an SSL certificate file, which is used to confirm identity of the WebLogic server. See Creating the Certificate for SwService for information on creating an appropriate certificate file to use with the commands below.

SwService Command-line Options for Secure Connection to WebLogic Server

-outgoingURL https://${NMS_APPSERVER_HOST}:${NMS_APPSERVER_PORT}${NMS_SWSERVICE_EJB_STRING}/ExternalSwmanServiceImpl -sslCert ${NMS_SSL_CERT}

Oracle WebLogic Server

Oracle WebLogic provides NMS with a Java Enterprise Edition (EE) Application Server and general purpose integration platform. Oracle NMS utilizes a collection of Enterprise Java Beans (EJBs) that execute within WebLogic to:

• Authenticate and authorize NMS end users and adapters.

• Efficiently cache and provide updates for NMS Java end user client applications.

• Integrate to internal NMS applications (Switching)

• Integrate to external systems (AMI, SCADA, Mobile, etc).

A given WebLogic Managed Server communicates via a Java Database Connectivity (JDBC) pool to the Oracle listener process on the Oracle RDBMS host. WebLogic must be configured to use the JDBC Thin Drivers (not the OCI based JDBC drivers) for connection to a non-RAC RDBMS and Active GridLink drivers for a RAC RDBMS. WebLogic manages Oracle RDBMS user name and password credentials inside WebLogic. The user and password credentials must be specified when you configure the JDBC Data Source for given WebLogic Managed Server instance.

WebLogic can be configured to open up both a standard and secure port to support in-bound communication for each WebLogic Managed Server. The specific ports are configured within WebLogic. The WebLogic standard port supports HTTP, SOAP, EJB RMI calls and anything else that uses JNDI. In general WebLogic supports:

Standard: T3, HTTP, SOAP over HTTP, RMI-IIOP.

Secure: T3S, HTTPS, SOAP over HTTPS, RMI-IIOP over HTTPS

For a more secure implementation WebLogic should be placed behind an additional internal firewall (in addition to the corporate firewall - see Figure 1). In this case the only port that would need to be opened to NMS end users is the SSL (secure) port, and optionally the standard port. Specifically, the database and the NMS services including the corba gateway and publisher do not need to be directly accessible to the NMS Java client.

Note it is highly recommended that NMS Java clients be configured to run on the latest supported Java Runtime Environment (JRE). To help ensure the latest JRE versions is being used older JREs should also normally be uninstalled. In a similar fashion it is also generally recommended that the latest Java Development Kit (JDK) - which includes a JRE - be installed on the WebLogic host. Note WebLogic must also be properly configured to ensure the WebLogic JVM is actually using the latest JDK.

Common Object Request Broker Architecture - Object Request Broker

CORBA is used to allow back end NMS C++ services to support front end NMS clients. The NMS corbagateway (service process) speaks ISIS on the NMS service side and CORBA IIOP on the WebLogic side. The NMS corbagateway uses "The Ace Orb" (TAO) ORB and WebLogic uses the WebLogic ORB to coordinate communication via the TAO Naming Service (tao_cosnaming) process.

The port and host that WebLogic uses to find the tao_cosnaming process are defined in the NMS RDBMS, in the nms_parameters_view table column where nms_parameters_view.attrib='WEB_corbaInitRef'.

For example:

nms_parameters_view.attrib='NameService=corbaloc:iiop:1:2@myhost:17820/NameService'

The port and host that the NMS corbagateway process uses to find the tao_cosnaming (ORB) process is defined in the project specific NMS system.dat configuration file. A typical entry for a given corbagateway process might start something like the following:

program corbagateway corbagateway -ORBInitRef NameService=iioploc://myhost:17820/NameService /n

If more than one WebLogic Managed Server is in play (for whatever reason), each must be configured to communicate to NMS Services via a specific "pair" of corbagateway processes. One corbagateway process handles WebLogic (client) initiated requests and another "corbagateway -publisher" process that sends NMS Service "published updates" to that WebLogic Managed Server. On the WebLogic Admin Server - on the "Server Start" tab for the Managed Server in question - ensure the "‑DintersysName=InterSys_xxx_n" value matches a set of corbagateway processes with a matching "‑implname InterSys_xxx_n" value - where "n" is typically the only value differentiating different WebLogic Managed Servers.

The port used to communicate to the naming service can be modified but must be coordinated. CORBA message traffic between NMS C++ services and WebLogic is not encrypted.

HTTP Server

The HTTP server, lighttpd, is a lightweight third party HTTP server shipped with Oracle NMS. It is used by Oracle NMS to serve NMS map files to WebLogic. The lighttpd daemon is auto-configured and started using the nms-lighttpd script:

Usage: nms-lighttpd [start [port] [host] | stop | status]

host - host the httpd server will serve files on.

If not specified, will use value from

nms_parameters_view where attrib=WEB_mapHttpdHost

Default if not specified or in RDBMS: 0.0.0.0

port - port the httpd server will serve files on.

If not specified, will use value from

nms_parameters_view where attrib=WEB_mapHttpdPort

Default if not specified or in RDBMS: 8888

start - will start the httpd server on the given port

stop - will stop the httpd server

status - will echo 0 if not running, 1 if running

exit value is 0 if running, 1 if not running.

Notes: nms_parameters_view attib=WEB_mapHttpdAllowedIPs

restricts access by IP

The lighttpd HTTP server is configured and monitored by SMService by default in the template system.dat files.

The HTTP server is generally configured to serve a single directory of unencrypted NMS model map files to specific IP addresses (where the WebLogic instances that support this NMS instance run). The HTTP server is typically not configured to serve encrypted NMS map files to WebLogic, however HTTPS is supported if desired. More information on configuration options for the nms-lighttpd script can also be found under [project]_parameters.sql in the Oracle Utilities Network Management System Installation Guide.

The lighttpd HTTP server is also used to serve up log files to the Oracle Utilities Network Management System Application Management Pack (AMP) for Oracle Enterprise Manager (OEM). The server logs can be downloaded from the NMS AMP plug-in and/or viewed without having to log into the server where the NMS services are running.

The nms-lighttpd-oem script is used to start this auto-configured instance of lighttpd.

Usage: nms-lighttpd-oem [start [port] [host] | stop | status]

host - host the httpd server will serve files on.

If not specified, will use value from

nms_parameters_view where attrib=WEB_oemHttpdHost

Default if not specified or in RDBMS: 0.0.0.0

port - port the httpd server will serve files on.

If not specified, will use value from

nms_parameters_view where attrib=WEB_oemHttpdPort

Default if not specified or in RDBMS: 8888

start - will start the httpd server on the given port

stop - will stop the httpd server

status - will echo 0 if not running, 1 if running

exit value is 0 if running, 1 if not running.

Notes: nms_parameters_view attib=WEB_oemHttpdAllowedIPs restricts access by IP

This nms-lighttpd-oem instance has the same monitoring and configurable options as what was described for the nms-lighttpd instance.

LDAP Server

Oracle NMS generally uses LDAP accessible enterprise Directory Services to authenticate NMS end users. This is accomplished by routing authentication requests from NMS Java clients through WebLogic - which must in turn be configured to connect to the appropriate LDAP accessible Directory Service. In practice (especially production) LDAPS (LDAP over TLS) should be used to encrypt LDAP traffic. See the Oracle Utilities Network Management System Installation Guide for details on configuring LDAP within WebLogic.

Network Management System Java Client Applications

Oracle NMS uses Java (Swing) clients to allow NMS end users access to the operational NMS Electrical Network data model. Once initiated these clients are in near-constant communication with WebLogic in an effort to remain synchronized with the real-time operational model.

The NMS Java clients generally use two forms of digital signing certificates:

1. SSL certificate: This is used to authenticate the WebLogic server to the client, as well as to encrypt communication to and from WebLogic.

2. Signing certificate: This is used to sign the NMS Java client jar files so that the client machine recognizes the application is from a trusted source and will allow the application to run on the client.

For both of these certificates, Oracle recommends using a certificate generated by a trusted Certificate Authority (CA). However for testing purposes, self-signed certificates are supported. Please see Security Certificates in Oracle Utilities Network Management System for details on using security certificates.