11 Business Operations Center Security

Learn how to install and implement Oracle Communications Business Operations Center and its components in a secure configuration.

About Installing Business Operations Center

Before installing Business Operations Center, you must properly install and configure several Oracle products, including Java, Oracle WebLogic Server, Oracle Identity and Access Management components, and Oracle Communications Billing and Revenue Management.

For installation instructions, including all the required products and related tasks, such as setting up KeyStores and SSL for WebLogic Server, see "Installing Business Operations Center" in Business Operations Center Installation Guide.

About Implementing Business Operations Center Security

Business Operations Center supports stringent authorization and authentication requirements. This section describes how to implement the security capabilities supported by Business Operations Center.

About Identity and Access Management

To authenticate users when they log in and to control user access to functionality, Business Operations Center uses the following Oracle Identity and Access Management components in a production environment:

  • Oracle Identity Cloud Service (IDCS)

  • Oracle Identity Manager for authentication

  • Oracle Platform Security Services (OPSS) for authorization

These components are required in a Business Operations Center implementation.

For more information, see the following documentation:

  • Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager

  • Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services

About Authentication

Authentication is the process of verifying the identity of a user. The Business Operations Center authentication scheme is designed for deployments in which a central user identity repository, storing all enterprise users, authenticates Business Operations Center sign-in requests.

Business Operations Center supports the following security for authentication:

  • Authenticating users against an LDAP-based user ID repository

  • Enabling single-sign-on capabilities

  • Supporting user password policies

Oracle Identity Manager manages user password policies. For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

About Authorization

Authorization is the process of granting users those access privileges (entitlements) appropriate for their job functions while denying access to other functionality. Oracle Platform Security Services handles all authorization tasks for Business Operations Center.

A user who has not been granted any entitlements in Oracle Platform Security Services is denied access to Business Operations Center.

To grant entitlements, you use authorization policies, which contain a collection of the following components combined to form a logical entitlement:

  • Resource type: Specifies the full scope of traits for a resource, such as job execution history, and defines all actions that can be performed on the resource.

  • Resource: Represents the aspect of an application's functionality being secured, such as billing, payment collection, and invoicing. Each resource must belong to a resource type.

  • Action: Represents an operation that can be performed on a resource, such as view, create, modify, delete, history, and timeline.

You map authorization policies to enterprise (external) roles, which represent job functions for the users in your company. If you do not map enterprise roles to authorization policies, you must map each user to an authorization policy.

For more information about authorization policies and enterprise roles, see Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services.

Business Operations Center includes an authorization policy component file (system-jazn-data.xml), which defines all the resource types, resources, and actions available for Business Operations Center authorization policies (see Table 11-1).

Table 11-1 Business Operations Center Authorization Policy Components

Resource Type: Metrics
Resource: Subscribers
Action: View
Description: Permits users to view subscriber metrics.

Resource Type: Metrics
Resource: Subscriptions
Action: View
Description: Permits users to view subscription metrics.

Resource Type: Metrics
Resource: Billed Revenue
Action: View
Description: Permits users to view billed-revenue metrics.

Resource Type: Metrics
Resource: Payments Received
Action: View
Description: Permits users to view payments-received metrics.

Resource Type: Metrics
Resource: AR
Action: View
Description: Permits users to view accounts receivable in the dashboard.

Resource Type: Job
Resources: Billing, GL, Invoicing, PaymentCollection, PricingSync, Refund, Workflow
Actions: Create, View, Modify, Delete, Timeline, History
Description:
  • Create: You can create a new job.
  • View: You can view job categories and the jobs in each category.
  • Modify: You can edit a job and deactivate or reactivate jobs.
  • Delete: You can delete jobs.
  • Timeline: You can view the timeline.
  • History: You can view jobs in the history.

Resource Type: PaymentFailures
Resource: PaymentFailures
Actions: View, Resolve
Description:
  • View: You can view real-time checkpoints, unresolved batches, unresolved payments, and the failure report for Payment Collections jobs.
  • Resolve: You can resolve unresolved payments.

Resource Type: BlackoutPeriod
Resource: BlackoutPeriod
Actions: View, Create, Delete
Description:
  • View: You can view blackout periods in the timeline.
  • Create: You can create a blackout period in the timeline.
  • Delete: You can remove a blackout period from the timeline.

Resource Type: Job
Resource: Custom
Actions: Create, View, Modify, Delete
Description:
  • Create: You can create custom categories in Business Operations Center.
  • View: You can only view custom categories in Business Operations Center.

Resource Type: Job
Resource: VirtualTime
Actions: View, Modify
Description:
  • View: You can view the modified pin virtual time in the Manage Virtual Time banner.
  • Modify: You can change the pin virtual time and date from the job actions menu or from the Manage Virtual Time banner.

Resource Type: Any
Resource: Any
Action: Any
Description: Permits users to perform all operations.

Resource Type: Job
Resource: category_customcategory1_resource, where:
  • category is the prefix that you add to each custom category resource name.
  • customcategory1 is the name that you entered for the custom category when you created it.
  • resource is the suffix that you add to the resource name.
  For example: category_custom_billing_resource. For information about creating a resource name, see "Defining a Custom Category" in Business Operations Center Online Help.
Actions: Create, View, Modify, Delete, Timeline, History
Description:
  • Create: You can create a new job.
  • View: You can view job categories and the jobs in each category.
  • Modify: You can edit a job and deactivate or reactivate jobs.
  • Delete: You can delete jobs.
  • Timeline: You can view the timeline.
  • History: You can view jobs in the history.

The system-jazn-data.xml file also includes the following sample authorization policies:

  • OperationsAdminPolicy

  • FinancialsAdminPolicy

  • FullAdminPolicy

The file is located in the Domain_home/lib/oes_config directory, where Domain_home is the WebLogic Server domain home directory location of the Oracle Platform Security Services client domain in which Business Operations Center is deployed.

Note:

Do not change the system-jazn-data.xml file.
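As an added illustration that is not Oracle's code and not the OPSS API, the following Python models the entitlement semantics this section describes: a policy is a set of (resource type, resource, action) triples from Table 11-1, users receive policies through enterprise roles or by direct mapping, the Any/Any/Any row matches everything, and a user with no entitlements is denied. The sample policy names are the page's; their grants, the roles and the users are constructed for the example.

```python
from dataclasses import dataclass, field

ANY = "Any"  # the Any/Any/Any row of Table 11-1 matches every type, resource and action

@dataclass(frozen=True)
class Entitlement:
    resource_type: str
    resource: str
    action: str
    def covers(self, rtype, resource, action):
        granted = (self.resource_type, self.resource, self.action)
        return all(g in (ANY, r) for g, r in zip(granted, (rtype, resource, action)))

@dataclass
class PolicyStore:
    policies: dict = field(default_factory=dict)       # policy name -> set[Entitlement]
    role_policies: dict = field(default_factory=dict)  # enterprise role -> set[policy name]
    user_policies: dict = field(default_factory=dict)  # user -> set[policy name] (direct mapping)
    user_roles: dict = field(default_factory=dict)     # user -> set[enterprise role]

    def grant(self, policy, rtype, resource, *actions):
        self.policies.setdefault(policy, set()).update(Entitlement(rtype, resource, a) for a in actions)

    def policies_for(self, user):
        found = set(self.user_policies.get(user, ()))
        for role in self.user_roles.get(user, ()):
            found |= self.role_policies.get(role, set())
        return found

    def is_permitted(self, user, rtype, resource, action):
        # Deny by default: a user with no entitlements, directly or through a role, is refused.
        return any(e.covers(rtype, resource, action)
                   for p in self.policies_for(user) for e in self.policies.get(p, ()))

def custom_category_resource(category_name):
    # Resource name for a custom job category: category_<name>_resource
    return f"category_{category_name}_resource"

def demo_store():  # policy names are the page's samples; grants, roles and users are constructed
    s = PolicyStore()
    s.grant("OperationsAdminPolicy", "Job", "Billing", "Create", "View", "Modify", "Delete", "Timeline", "History")
    s.grant("OperationsAdminPolicy", "Job", custom_category_resource("custom_billing"), "Create", "View")
    s.grant("FinancialsAdminPolicy", "Metrics", "Billed Revenue", "View")
    s.grant("FinancialsAdminPolicy", "PaymentFailures", "PaymentFailures", "View", "Resolve")
    s.grant("FullAdminPolicy", ANY, ANY, ANY)
    s.role_policies.update({"ops-admins": {"OperationsAdminPolicy"}, "full-admins": {"FullAdminPolicy"}})
    s.user_roles.update({"alice": {"ops-admins"}, "root-ops": {"full-admins"}})
    s.user_policies["bob"] = {"FinancialsAdminPolicy"}  # mapped directly, without an enterprise role
    return s
```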

Creating Authorization Policies for Business Operations Center

To create authorization policies for Business Operations Center:

  1. Import the Business Operations Center authorization policy component file:

    Domain_home/lib/oes_config/system-jazn-data.xml

    For detailed instructions, see "Importing the Business Operations Center Operations Security Policies into OPSS" in Business Operations Center Installation Guide.

  2. In Oracle Platform Security Services (OPSS), map an authorization policy to one or more resources, which may have one or more actions.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services.

  3. Associate the authorization policy with a user or an enterprise role.

    For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Platform Security Services.

  4. Redeploy all changes made in OPSS.

Figure 11-1 shows how authorization policies are mapped to resources and enterprise roles or users:

Figure 11-1 Mapping Authorization Policies to Resources and Enterprise Roles or Users

Storing Business Operations Center Passwords in Oracle Wallet

By default, the Business Operations Center Installer stores sensitive information such as passwords in the Oracle wallet, and the Business Operations Center application retrieves the passwords from the wallet. If the passwords are also stored in the configuration files, however, the application retrieves them from the configuration files instead, automatically decrypting the encrypted passwords as it reads them.

By default, the passwords in the configuration files are encrypted in the Oracle ZT PKI format. For more information, see "Encrypting Data" in BRM Developer's Guide.

Note:

To encrypt passwords that are associated with customizations, use the pin_crypt_app utility. For details, see "About Encrypting Passwords" in BRM Developer's Guide.

Storing Configuration Entries in the Business Operations Center Wallet

To store a configuration entry for the Business Operations Center wallet:

  1. Go to the BOC_home/wallet/client directory, where BOC_home is the directory in which Business Operations Center is installed.

  2. Do one of the following:

    • On UNIX, run the following command:

      java -cp '.:oraclepki.jar_location:osdt_cert.jar_location:osdt_core.jar_location:cet.jar_location' com.portal.cet.ConfigEditor -setconf -wallet clientWalletLocation -parameter configEntry -value value

      where:

      • oraclepki.jar_location is the path to the oraclepki.jar file, which contains the APIs that are required for the wallet. The oraclepki.jar file is stored in the BOC_home/lib directory.

      • osdt_cert.jar_location is the path to the osdt_cert.jar file, which the Java PCM library uses to establish a TLS connection to BRM. The osdt_cert.jar file is stored in the BOC_home/lib directory.

      • osdt_core.jar_location is the path to the osdt_core.jar file, which the Java PCM library also uses to establish a TLS connection to BRM. The osdt_core.jar file is stored in the BOC_home/lib directory.

      • cet.jar_location is the path to the cet.jar file, which contains the APIs that are required for the wallet. The cet.jar is stored in the BOC_home/lib directory.

      • clientWalletLocation is the path to the Business Operations Center wallet.

      • configEntry is the configuration entry in the Business Operations Center wallet.

      • value is the appropriate value for the respective entry in the Business Operations Center wallet.

      For example, running the following command with the -value parameter stores the infranet.log.level entry with the value 1 in the Business Operations Center wallet. If the entry already exists in the wallet, its value is overwritten:

      java -cp '.:oraclepki.jar:osdt_cert.jar:osdt_core.jar:cet.jar' com.portal.cet.ConfigEditor -setconf -wallet "/scratch/pin11/wallet" -parameter infranet.log.level -value 1

      If you run the command without the -value parameter, it prompts for the values for the infranet.connection entries and stores them in the Business Operations Center wallet. At the command prompt, enter values listed in Table 11-2.

      Table 11-2 BRM Connection Information

      • User Name: The user name for connecting to BRM.

      • Password: The BRM user's password.

      • Host Name: The IP address or host name of the machine on which the primary BRM Connection Manager (CM) or CM Master Process (CMMP) is running.

      • Port Number: The TCP port number of the CM or CMMP on the host computer.

      • Service Type: The BRM service type.

      • Service POID Id: The POID of the BRM service.

    • On Windows, run the following command:

      java -cp ".;oraclepki.jar_location;osdt_cert.jar_location;osdt_core.jar_location;cet.jar_location" com.portal.cet.ConfigEditor -setconf -wallet clientWalletLocation -parameter configEntry -value value

      On Windows, the classpath entries are separated with semicolons rather than colons. For example, running the following command with the -value parameter stores the infranet.log.level entry with the value 1 in the Business Operations Center wallet:

      java -cp ".;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\oraclepki.jar;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\osdt_cert.jar;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\osdt_core.jar;C:\Program Files (x86)\Portal Software\BOC_HOME\lib\cet.jar" com.portal.cet.ConfigEditor -setconf -wallet "C:\Program Files (x86)\Portal Software\BOC_HOME\wallet\client" -parameter infranet.log.level -value 1

      If you run the command without the -value parameter, it prompts for the values for the infranet.connection entries and stores them in the Business Operations Center wallet. At the command prompt, enter values listed in Table 11-2.

  3. Enter the Business Operations Center client wallet password.

    The value is stored in the Business Operations Center wallet.
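An added helper, not Oracle's code, that assembles the ConfigEditor command from this procedure: it joins the classpath with the platform's separator (':' on UNIX, ';' on Windows), verifies that the four JARs are present in BOC_home/lib before Java is invoked, and omits -value when the caller wants ConfigEditor to prompt for the Table 11-2 fields so that the BRM password is never placed on the command line. The BOC_home path and the script name are assumptions.

```python
import os
import subprocess
import sys

# The four JARs the procedure requires on the classpath, all shipped in BOC_home/lib.
WALLET_JARS = ("oraclepki.jar", "osdt_cert.jar", "osdt_core.jar", "cet.jar")

def build_classpath(boc_home, sep=None, exists=os.path.isfile):
    """'.' plus the wallet JARs, joined with ':' on UNIX or ';' on Windows (os.pathsep)."""
    sep = os.pathsep if sep is None else sep
    jars = [os.path.join(boc_home, "lib", j) for j in WALLET_JARS]
    missing = [j for j in jars if not exists(j)]
    if missing:
        raise FileNotFoundError("missing wallet JARs: " + ", ".join(missing))
    return sep.join(["."] + jars)

def setconf_command(boc_home, parameter, value=None, sep=None, exists=os.path.isfile):
    """argv for ConfigEditor -setconf against BOC_home/wallet/client.
    With value=None the -value option is omitted, so ConfigEditor prompts for
    the connection fields interactively instead of taking secrets from argv."""
    wallet = os.path.join(boc_home, "wallet", "client")
    argv = ["java", "-cp", build_classpath(boc_home, sep, exists), "com.portal.cet.ConfigEditor",
            "-setconf", "-wallet", wallet, "-parameter", parameter]
    if value is not None:
        argv += ["-value", str(value)]
    return argv

if __name__ == "__main__":
    # Usage (assumed script name): python boc_wallet.py BOC_home infranet.log.level [value]
    home, parameter, *rest = sys.argv[1:]
    subprocess.run(setconf_command(home, parameter, rest[0] if rest else None), check=True)
```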

For retrieving stored configuration entries, see "About Oracle Wallet" in BRM System Administrator's Guide.