1. System Administrator's Guide
  2. Implementing Security
  3. Managing Login Names and Passwords

19 Managing Login Names and Passwords

Learn how to manage login names and passwords in Oracle Communications Billing and Revenue Management (BRM).

Topics in this document:

See also "Logging Customer Service Representative Activity Events" and "Setting Up Permissions in BRM Applications".

Managing Login Names and Passwords for BRM Access

To access the BRM database, a client application must provide the following:

  • An account name

  • The password for that account

  • The service

  • The database number of the BRM database

There are two services created to manage client connections: admin_client and pcm_client.

  • BRM client applications log in to the admin_client service.

  • Other BRM utilities and programs, such as optional service integration components, log in to the pcm_client service.

For more information about the BRM users, see the following:

Default Users

Prior to BRM 15.0, when you installed BRM, the system created a single user account with general permission to the BRM system. This login name was root.0.0.0.n (where n is your database number), and you provide its password during the BRM installation process. This account is still created in BRM 15.0, but it is no longer the only user created.

The default users that are created in addition to the root account are listed in Table 19-1. In the table, db_num represents the database number, for example, 0.0.0.1.

Table 19-1 Default Users Created During Installation

User Name Role Names Description
acct_recv.db_num AccountsReceivableRole This user runs A/R utilities.
bc_client.db_num BillingCareRole This is the user for the Billing Care client.
bill_inv_pymt_sub.db_num BillInvPymtSubscrnRole This user runs billing, invoicing, payments and subscriptions.
billing.db_num BillingRole This user runs billing utilities.
boc_client.db_num

BOCAdminClientRole

BOCPcmClientRole

 This is the user for the Business Operations Center (BOC) client. It also runs the pin_generate_analytics utility for BOC.
collections.db_num CollectionsutilsRole This user runs Collections utilities.
crypt_utils.db_num CryptutilsRole This user runs crypt utilities.
cust_center.db_num CustomerCenterRole This is the user for Customer Center.
cust_mgnt.db_num CustomermanagerRole This user runs subscription tools.
ece.db_num ECERole This is the user for Elastic Charging Engine (ECE).
invoicing.db_num InvoicingRole This user runs invoicing utilities.
java_client.db_num

JavaAppPcmClientRole

JavaAppAdminClientRole

 This user runs Java utilities.
load_utils.db_num LoadutilsRole This user runs load utilities.
payments.db_num PaymentsRole This user runs payments utilities.
pcc_client.db_num PipelineConfigCenterRole This is the user for Pipeline Configuration Center.
rerating.db_num ReratingRole This user runs rerating utilities.
rsm.db_num RestServicesManagerRole This is the user for Rest Services Managers.
super_user.db_num SuperUserRole Creates, updates, and deletes roles.
ui_client.db_num ThickClientsRole This is the user for thick clients.

Users are created to run all of the admin clients. See Table 19-2 for the users associated with each client. In the table, db_num represents the database number, for example, 0.0.0.1.

Table 19-2 Admin Client Default Users

User Name Associated Clients
bc_client.db_num Billing Care
boc_client.db_num Business Operations Center
cust_center.db_num Customer Center
pcc_client.db_num Pipeline Configuration Center (PCC)
root.db_num Developer Center
rsm.db_num Rest Services Manager
ui_client.db_num

BusinessConfigurationCenter

CollectionsConfigurator

CustomerCareSDK

GSMMgrCustCtrExt

IPAddressAdministrationCenter

NumberAdministrationCenter

PaymentCenter

PermissioningCenter

PricingCenter

RevenueAssuranceCenter

SelfCareManager

SIMAdministrationCenter

SuspenseManagementCenter

VoucherAdministrationCenter

The default users can run specific pcm_client applications. These applications must be run from the directories listed in Table 19-3 to avoid authorization failure errors. These directories also contain the pin.conf or Infranet.properties files, which contain the user names listed below. In the table, db_num represents the database number, for example, 0.0.0.1.

Table 19-3 PCM Client Applications and Their Base Directories and Default Users

Component Application Directory User
A/R

pin_mass_refund

pin_refund

pin_roll_up_ar_items

 $PIN_HOME/apps/pin_billd bill_inv_pymt_sub.db_num
A/R pin_apply_bulk_adjustment $PIN_HOME/apps/pin_bulk_adjust acct_recv.db_num
Billing

pin_bill_accts

pin_cycle_fees

pin_make_corrective_bills

pin_rollover

pin_update_journal

pin_cycle_forward

 $PIN_HOME/apps/pin_billd bill_inv_pymt_sub.db_num
Billing pin_trial_bill $PIN_HOME/apps/pin_trial_bill billing.db_num
Collections

pin_collections_process

pin_collections_send_dunning

 $PIN_HOME/apps/pin_collections collections.db_num
Crypt Utilities

pin_crypt_upgrade

pin_crypt_upgrade_keys

 $PIN_HOME/apps/pin_crypt crypt_utils.db_num
Customer Management

pin_contracts

pin_deferred_act

pin_gen_notifications

 $PIN_HOME/apps/pin_billd bill_inv_pymt_sub.db_num
Customer Management

pin_deposit_calc_interest

pin_deposit_release_purchased_deposit

pin_deposit_transfer_deposit

 $PIN_HOME/apps/pin_deposits cust_mgnt.db_num
Customer Management pin_monitor_balance $PIN_HOME/apps/pin_monitor cust_mgnt.db_num
Customer Management pin_state_change $PIN_HOME/apps/pin_state_change cust_mgnt.db_num
Customer Management pin_unlock_service $PIN_HOME/apps/pin_unlock_service cust_mgnt.db_num
Invoicing pin_upd_assoc_bus_profile $PIN_HOME/apps/pin_billd bill_inv_pymt_sub.db_num
Invoicing pin_inv_accts $PIN_HOME/apps/pin_inv invoicing.db_num
Invoicing

pin_inv_send

pin_inv_export

 $PIN_HOME/apps/pin_inv invoicing.db_num
Invoicing pin_inv_doc_gen $PIN_HOME/apps/pin_inv_doc_gen invoicing.db_num
Java Applications batch_controller $PIN_HOME/apps/batch_controller java_client.db_num
Java Applications cmt $PIN_HOME/apps/cmt java_client.db_num
Java Applications perflib $PIN_HOME/apps/perflib java_client.db_num
Java Applications pin_job_executor $PIN_HOME/apps/pin_job_executor java_client.db_num
Java Applications pin_rel $PIN_HOME/apps/pin_rel java_client.db_num
Java Applications pin_virtual_gen $PIN_HOME/apps/pin_virtual_columns java_client.db_num
Java Applications sampleHandler $PIN_HOME/apps/sample_handler java_client.db_num
Java Applications uel $PIN_HOME/apps/uel java_client.db_num
Java Applications PortalDevKit $PIN_HOME/PortalDevKit java_client.db_num
Java Applications amt $PIN_HOME/sys/amt java_client.db_num
Java Applications web_services Not applicable java_client.db_num
Load Utilities load_channel_config $PIN_HOME/apps/load_channel_config load_utils.db_num
Load Utilities load_config $PIN_HOME/apps/load_config load_utils.db_num
Load Utilities load_pin_ar_taxes $PIN_HOME/apps/pin_ar_taxes load_utils.db_num
Load Utilities load_ara_config_object $PIN_HOME/setup/scripts load_utils.db_num
Load Utilities

load_brm_pricing

load_config_business_event

load_config_dist

load_config_item_tags

load_config_item_types

load_config_provisioning_tags

load_content_srvc_profiles

load_edr_field_mapping

load_event_map

load_localized_strings

load_pin_ach

load_pin_batch_suspense_override_reason

load_pin_batch_suspense_reason_code

load_pin_beid

load_pin_bill_suppression

load_pin_billing_segment

load_pin_bus_params

load_pin_business_profile

load_pin_calendar

load_pin_config_auth_reauth_info

load_pin_config_batchstat_link

load_pin_config_business_type

load_pin_config_controlpoint_link

load_pin_config_export_gl

load_pin_config_ood_criteria

load_pin_config_ra_alerts

load_pin_config_ra_flows

load_pin_config_ra_thresholds

load_pin_customer_segment

load_pin_dealers

load_pin_device_permit_map

load_pin_device_state

load_pin_event_record_map

load_pin_excluded_logins

load_pin_glchartaccts

load_pin_glid

load_pin_impact_category

load_pin_invoice_data_map

load_pin_network_elements

load_pin_notify

load_pin_num_config

load_pin_order_state

load_pin_payment_term

load_pin_recharge_card_type

load_pin_remittance_flds

load_pin_remittance_spec

load_pin_rerate_flds

load_pin_rtp_trim_flist

load_pin_rum

load_pin_service_framework_permitted_service_types

load_pin_sim_config

load_pin_snowball_distribution

load_pin_spec_rates

load_pin_sub_bal_contributor

load_pin_suspense_editable_flds

load_pin_suspense_edr_fld_map

load_pin_suspense_override_reason

load_pin_suspense_params

load_pin_suspense_reason_code

load_pin_telco_provisioning

load_pin_telco_service_order_state

load_pin_telco_tags

load_pin_uniqueness

load_pin_verify

load_pin_voucher_config

load_suspended_batch_info

load_tax_supplier

load_transition_type

load_usage_map

loadpricelist

pin_load_invoice_events

pin_load_invoice_template

pin_load_rerate_jobs

pin_load_template

 $PIN_HOME/sys/data/config load_utils.db_num
Misc pin_channel_export $PIN_HOME/apps/exportapps load_utils.db_num
Misc pin_event_extract $PIN_HOME/apps/pin_event_extract rerating.db_num
Misc pin_export_price $PIN_HOME/apps/pin_export_price load_utils.db_num
Misc pin_generate_analytics/ $PIN_HOME/apps/pin_generate_analytics boc_client.db_num (pcm_client)
Misc pin_ra_check_thresholds $PIN_HOME/apps/pin_ra_check_thresholds bill_inv_pymt_sub.db_num
Misc

pin_remittance

pin_remit_month

 $PIN_HOME/apps/pin_remit bill_inv_pymt_sub.db_num
Misc load_price_list/ $PIN_HOME/setup/scripts load_utils.db_num
Payments pin_balance_transfer $PIN_HOME/apps/pin_balance_transfer payments.db_num
Payments

pin_cc_migrate

pin_deposit

pin_collect

pin_recover

 $PIN_HOME/apps/pin_billd bill_inv_pymt_sub.db_num
Payments

pin_installment_status_change

pin_installments

 $PIN_HOME/apps/pin_installments payments.db_num
Payments pin_sepa $PIN_HOME/apps/pin_sepa payments.db_num
Rerating

load_pin_rerate_flds

pin_rate_change

pin_rerate

 $PIN_HOME/apps/pin_rerate rerating.db_num

The root account includes two services: admin_client and pcm_client.

  • BRM client applications log in to the admin_client service.

  • Other BRM utilities and programs, such as optional service integration components, log in to the pcm_client service.

Note:

You cannot change the payment method of the default accounts or make them parent or child accounts.

Custom Users

When you set up a production BRM system, you create additional accounts—for example, one for each of your customer service representatives (CSRs)—and associate one or more services with each account. You give each account a password and grant certain privileges to the account. For example, you might want to allow only some of your CSRs to handle payment disputes. you must also add an entry in the wallet with a name in the format username_login_pw for the new user.

Before creating CSR accounts, you must use PDC to create and load a CSR package, which defines the services available to CSRs.

You also need to provide an account for any extended applications you use with BRM.

When you create users, you must assign them to roles. These roles can be either predefined or custom. For information about managing custom roles, see "Role Opcode Workflows" in Opcode Guide. Table 19-4 contains information about the roles that are configured by default during installation. In the table, db_num represents the database number, for example, 0.0.0.1.

Table 19-4 Default Roles Created During Installation

Role Name Role Object Service Objects Description
AccountsReceivableRole db_num /config/role 408 0 db_num /service/pcm_client 408 0 Allows users to run A/R utilities.
BillingCareRole db_num /config/role 416 0 db_num /service/admin_client 416 0 Allows users to run the Billing Care client.
BillingRole db_num /config/role 402 0 db_num /service/pcm_client 402 0 Allows users to run billing utilities.
BillInvPymtSubscrnRole db_num /config/role 412 0 db_num /service/pcm_client 412 0 Allows users to run billing, invoicing, payments and subscriptions.
BOCAdminClientRole db_num /config/role 415 0 db_num /service/admin_client 415 0 Allows users to run the BOC client.
BOCPcmClientRole db_num /config/role 414 0 db_num /service/pcm_client 414 0 Allows users to run pin_generate_analytics utility for BOC.
CollectionsutilsRole db_num /config/role 411 0 db_num /service/pcm_client 411 0 Allows users to run collections utilities.
CryptutilsRole db_num /config/role 405 0 db_num /service/pcm_client 405 0 Allows users to run crypt utilities.
CustomerCenterRole db_num /config/role 417 0 db_num /service/admin_client 417 0 Allows users to run the Customer Center client.
CustomermanagerRole db_num /config/role 406 0 db_num /service/pcm_client 406 0 Allows users to run subscription tools.
ECERole db_num /config/role 421 0 db_num /service/pcm_client 421 0 Allows users to run the ECE client.
InvoicingRole db_num /config/role 403 0 db_num /service/pcm_client 403 0 Allows users to run invoicing utilities.
JavaAppAdminClientRole db_num /config/role 410 0 db_num /service/admin_client 410 0 Allows users to run admin_client Java utilities.
JavaAppPcmClientRole db_num /config/role 409 0 db_num /service/pcm_client 409 0 Allows users to run pcm_client Java utilities.
LoadutilsRole db_num /config/role 413 0 db_num /service/pcm_client 413 0 Allows users to run load utilities.
PaymentsRole db_num /config/role 404 0 db_num /service/pcm_client 404 0 Allows users to run payments utilities.
PipelineConfigCenterRole db_num /config/role 418 0 db_num /service/admin_client 418 0 Allows users to run the Pipeline Configuration Center.
ReratingRole db_num /config/role 407 0 db_num /service/pcm_client 407 0 Allows users to run rerating utilities.
RestServicesManagerRole db_num /config/role 419 0 db_num /service/admin_client 419 0 Allows users to run Rest Services Managers.
SuperUserRole db_num /config/role 1 0

db_num /service/pcm_client 3 0

db_num /service/admin_client 4 0

User to create, update, delete roles.
ThickClientsRole db_num /config/role 420 0 db_num /service/admin_client 420 0 Allows users to run thick clients.

Configuring the Maximum Number of Invalid Login Attempts

You configure the maximum number of invalid login attempts by setting the MaxLoginAttempts business parameter.

To configure the maximum number of invalid login attempts:

  1. Go to BRM_home/sys/data/config.

  2. Use the following command to create an editable XML file from the BusParamsActivity instance of the /config/business_params object: 

    pin_bus_params -r BusParamsActivity bus_params_act.xml

    This command creates an XML file named bus_params_act.xml.out in your current directory. If you do not want this file in your current directory, specify the path as part of the file name.

  3. In bus_params_act.xml.out, set MaxLoginAttempts to the maximum number of invalid login attempts that are allowed: 

    <MaxLoginAttempts>3</MaxLoginAttempts>

    The default value is 5.

    Caution:

    BRM uses the XML in this file to overwrite the existing instance of the /config/business_params object. If you delete or modify any other parameters in the file, these changes affect the associated aspects of the BRM configuration.

  4. Save and exit the file.

  5. Rename the bus_params_act.xml.out file to bus_params_act.xml.

  6. Use the following command to load your changes into the /config/business_params object: 

    pin_bus_params bus_params_act.xml

    You should run this command from the BRM_home/sys/data/config directory, which includes support files used by the utility. To run it from a different directory, see "pin_bus_params" in BRM Developer's Guide.

  7. Read the object with the testnap utility or the Object Browser to verify that all fields are correct.

    For general instructions on using testnap, see "Using the testnap Utility to Test BRM" in BRM Developer's Guide. For information on how to use Object Browser, see "Reading Objects" in BRM Developer's Guide.

  8. Stop and restart the Connection Manager (CM).

    For more information, see "Starting and Stopping the BRM System" in BRM System Administrator's Guide.

Configuring the CM to Verify Application Logins with the Service Only

By default, the CM is configured to require a service, a login name, and a password. This provides secure access to BRM.

If only secure applications will connect to your CM, you can speed up the login process by configuring the CM to verify only the service but not require a login name or password.

To configure the CM to verify application logins with the service only:

  1. Open the CM configuration file (BRM_home/sys/cm/pin.conf).

  2. Change the cm_login_module entry from cm_login_pw001.dll to cm_login_null.dll: 

    - cm cm_login_module cm_login_null.dll

  3. Save and close the file.

  4. Stop and restart the CM.

  5. Configure the applications that connect with this CM to provide only service information at log in. In the configuration file for each application, set login_type to 0, and ensure a valid service is listed for userid.

    Note:

    CM Proxy provides another way of connecting to BRM without using a login name and password. See "Using CM Proxy to Allow Unauthenticated Log On".

Enabling Password Restriction for /service Objects

In BRM, you can use password restriction to secure the creation, modification, and deletion of /service objects.

Password restriction forces passwords to adhere to the following rules:

  • Contain a minimum of 8 characters. It is recommended to use the longer password.

  • Include at least one numeric character, one uppercase character, one lowercase character, and one special character.

  • Different from the previous four passwords (NA for customer account creation and service creation).

  • Should not include any part of the user ID.

  • Should not contain dictionary words.

  • Should not contain commonly used combinations.

  • Should not contain birthday of a user or a name of the related person or other personal facts.

  • Should contain minimum six digits for mobile devices.

You can configure the password restrictions using the PCM_OP_CUST_POL_VALID_PASSWD opcode.

By default, password restriction for /service objects is disabled in BRM. To enable it, run the pin_bus_params utility to change the EnablePasswordRestriction business parameter. For information about this utility, see "pin_bus_params" in BRM Developer's Guide.

To enable password restriction for /service objects:

  1. Go to BRM_home/sys/data/config.

  2. Use the following command to create an editable XML file from the Customer instance of the /config/business_params object: 

    pin_bus_params -r BusParamsCustomer bus_params_customer.xml

    This command creates an XML file named bus_params_customer.xml.out in your current directory. If you do not want this file in your current directory, specify the path as part of the file name.

  3. In bus_params_customer.xml.out, set EnablePasswordRestriction to enabled: 

    <EnablePasswordRestriction>enabled</EnablePasswordRestriction>

    Caution:

    BRM uses the XML in this file to overwrite the existing instance of the /config/business_params object. If you delete or modify any other parameters in the file, these changes affect the associated aspects of the BRM configuration.

  4. Save and exit the file.

  5. Rename the bus_params_customer.xml.out file to bus_params_customer.xml.

  6. Use the following command to load your changes into the /config/business_params object: 

    pin_bus_params bus_params_customer.xml

    You should run this command from the BRM_home/sys/data/config directory, which includes support files used by the utility. To run it from a different directory, see "pin_bus_params" in BRM Developer's Guide.

  7. Read the object with the testnap utility or the Object Browser to verify that all fields are correct.

    For general instructions on using testnap, see "Using the testnap Utility to Test BRM" in BRM Developer's Guide. For information on how to use Object Browser, see "Reading Objects" in BRM Developer's Guide.

  8. Stop and restart the Connection Manager (CM).

    For more information, see "Starting and Stopping the BRM System" in BRM System Administrator's Guide.

Storing Passwords in Oracle Wallet

By default, the BRM Installer stores sensitive information, such as database and account passwords, in the Oracle wallet, and BRM applications retrieves the passwords from the Oracle wallet. However, if the database and account passwords are also stored in the Infranet.properties and pin.conf configuration files, the BRM applications retrieve the passwords from the configuration files. The BRM applications automatically decrypt the encrypted passwords when retrieving them from the configuration files.

By default, the passwords in the configuration files are encrypted in the Oracle ZT PKI format. For more information, see "Encrypting Data" in BRM Developer's Guide.

Note:

To encrypt passwords for client applications or optional managers that are not part of base BRM or that are associated with customizations, use the pin_crypt_app utility. For details, see "About Encrypting Passwords" in BRM Developer's Guide.

When you encrypt a password for the Connection Manager (CM), ensure that the password adheres to the following rules:

  • Contain a minimum of eight characters

  • Include at least one numeric character, one uppercase character, and one special character

  • Differ from the previous four passwords

  • Not include any part of the user ID

Configuring Applications to Provide Login Information

BRM client applications provide login information in the login dialog box.

BRM Java-based applications, including Pricing Center, Customer Center, and Configuration Center, ask the user for port numbers and database names when the application starts.

To change most connection information for Java-based client applications, use the login dialog box, which appears when you start the application. The application uses this default information for subsequent sessions.