3 Implementing IP Service Activator Security
This chapter explains the security features of Oracle Communications IP Service Activator.
Configuring and Using Access Control
This section explains the authorization system used to control access to data, resources, and processes. Authorization is used to control access by:
- Permitting only certain users access or actions
- Applying varying limitations on user access or actions
IP Service Activator uses groups and roles to control access to network topology objects. To change these settings, start the IP Service Activator client and follow the steps in "About Users and Security" in IP Service Activator System Administrator's Guide. The IP Service Activator user password policies are also defined in the IP Service Activator client. For more information, see "Passwords" in IP Service Activator System Administrator's Guide.
IP Service Activator User Accounts
Oracle recommends that you use a separate router user account to log in and provision the devices. This is the user account that is defined and used under the IP Service Activator Device Security panel. If there is a security threat, this user can be locked out by the Administrator.
Configuration Management Security
Oracle recommends that you create a custom IP Service Activator user for the Configuration Management module so that you can monitor and audit Configuration Management activities. You must also ensure that each user has a separate account/user to log in to Configuration Management so that you can monitor and audit operations described in "Configuring and Using Security Audit".
If you are using the restore functionality, Oracle recommends that you clean the router configuration out of the directory after the restore. If the router configuration is left in the directory, it could be downloaded by other users.
Configuring and Using Security Audit
Each application (IP Service Activator, Oracle Database, and WebLogic) has separate logs and audit logs that you can use to monitor activities. You can view WebLogic audit logs and IP Service Activator Web service logs using the Enterprise Manager (if enabled) or in a text editor.
The IP Service Activator application audit and systems logs are stored in the application installed directory. You can open these files in a text editor.
For information about the WebLogic logs, see the WebLogic Server documentation.
For information about the Oracle logs, see the Oracle Database documentation.
IP Service Activator Logs
IP Service Activator creates logs of all the commands and configuration sent to the routers. The logs are located in the Audit Trails directory under the IP Service Activator installation directory, and you can view the logs in a text editor. For example:
/opt/OracleCommunications/ServiceActivator/AuditTrails
IP Service Activator stores and records all transactions, their operations, and their statuses, which you can view using the client. For more information about logs, see IP Service Activator System Administrator's Guide.
You can open these logs in a text editor.
The following examples show sample IP Service Activator Device configuration logs.
2012-05-17 21:10:55|10.156.68.43|#Applying Configuration
2012-05-17 21:10:56|10.156.68.43|terminal length 0
2012-05-17 21:10:56|10.156.68.43|conf t
2012-05-17 21:10:56|10.156.68.43|interface Tunnel899
2012-05-17 21:10:56|10.156.68.43|description test
2012-05-17 21:10:57|10.156.68.43|alias exec IpsaConfigVersion 2012-05-17T21:10:55.653Z
2012-05-17 21:10:57|10.156.68.43|end
2012-05-17 21:10:57|10.156.68.43|copy running-config startup-config
2012-05-17 21:10:57|10.156.68.43|startup-config
2012-05-17 21:10:59|10.156.68.43|logout
2012-05-17 21:11:00|10.156.68.43|#End Configuration
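The following added example (not part of the Oracle documentation or product) parses the timestamp|device|command format shown in the sample log and groups entries into per-device sessions so that an auditor can spot configuration pushes that never reached the end marker. It assumes every session is bracketed by the #Applying Configuration and #End Configuration lines seen in the sample; the function names and the second device address are constructed for illustration.

```python
from datetime import datetime

START, END = "#Applying Configuration", "#End Configuration"

# First session: lines taken from the sample log above. Second session:
# constructed (documentation address 192.0.2.10), cut off before the END marker.
SAMPLE = """\
2012-05-17 21:10:55|10.156.68.43|#Applying Configuration
2012-05-17 21:10:56|10.156.68.43|conf t
2012-05-17 21:10:56|10.156.68.43|interface Tunnel899
2012-05-17 21:10:56|10.156.68.43|description test
2012-05-17 21:10:57|10.156.68.43|end
2012-05-17 21:10:57|10.156.68.43|copy running-config startup-config
2012-05-17 21:10:59|10.156.68.43|logout
2012-05-17 21:11:00|10.156.68.43|#End Configuration
2012-05-17 21:12:00|192.0.2.10|#Applying Configuration
2012-05-17 21:12:01|192.0.2.10|conf t
"""

def parse_sessions(text):
    """Return (sessions, rejects); a session is one START..END run per device."""
    active, sessions, rejects = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("|", 2)  # a device command may itself contain '|'
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            device, cmd = parts[1], parts[2]
        except (ValueError, IndexError):
            rejects.append((lineno, raw))  # malformed line: keep for review
            continue
        if cmd == START:
            # A new START replaces any unfinished session, which stays incomplete.
            active[device] = {"device": device, "start": ts, "end": None,
                              "commands": [], "complete": False}
            sessions.append(active[device])
        elif device not in active:
            rejects.append((lineno, raw))  # command logged outside any session
        elif cmd == END:
            session = active.pop(device)
            session["end"], session["complete"] = ts, True
        else:
            active[device]["commands"].append(cmd)
    return sessions, rejects

def incomplete(sessions):
    """Sessions with no END marker: partial pushes worth investigating."""
    return [s for s in sessions if not s["complete"]]

if __name__ == "__main__":
    found, bad = parse_sessions(SAMPLE)
    for s in found:
        print(s["device"], s["start"], len(s["commands"]),
              "complete" if s["complete"] else "INCOMPLETE")
```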
Enabling SSL for CORBA
IP Service Activator supports secure (SSL) communication between the IP Service Activator server and the IP Service Activator GUI client. For more information, see the section on "Enabling SSL for CORBA" in the chapter, "Using the Configuration GUI" in IP Service Activator System Administrator's Guide.