TLS message encryption

Overview

OSS clients can receive secure JMS XML messages using TLS encryption. To enable TLS for an OSS client, you must import a TLS certificate from an NFM-P main server to a TLS truststore file on the OSS client station. You must also configure Java on the OSS client station by specifying the location of the truststore file on the OSS client station. For more information, see the TLS configuration and management information in the NSP Installation and Upgrade Guide.

See To compile and connect an NFM-P JMS client and the Java documentation for information about configuring Java to use TLS.

The supported Java version may change between NFM-P releases. A difference in the major or minor Java version can affect operation, for example:

• TLS 1.2 is the default security mechanism in Java 8.

• In JDK 8u31, the SSLv3 protocol is deactivated.

For details about changes to the Java Runtime Environment, see the Java release notes and security documentation.

To determine the NFM-P Java version, see To determine the Java version.

HTTPS communication with XML API

The XML API can send requests and receive responses using HTTPS, which requires TLS encryption. See the NSP Planning Guide for the system requirements associated with TLS and HTTPS. See the NSP Installation and Upgrade Guide for information about implementing TLS in an NFM-P system.

Session management

Effective session management requires the AAA functions. Authentication is the verification of a user identification and password. Authorization is the assignment of different levels of access permissions to users. Accounting is the recording of user actions. An NFM-P operator can configure AAA functions using the local security capability of the NFM-P server, a third-party authentication server, or a combination of local and third-party mechanisms.

• Local authentication on the NFM-P server is provided by a local user database and security scheme to verify login attempts and assign permission levels for command execution.

• The supported third-party authentication servers are RADIUS and TACACS+. These products run on their own platforms, with their own user lists and administration processes.

OSS user and group management

An NFM-P administrator can use a GUI or OSS client to manage user and group privileges, sessions, and authentication. Using scope of command and span of control profiles, an administrator can specify which functions are available to a user or group, and restrict the objects that users can view or configure. See the section on NFM-P user security in the NSP System Administrator Guide for more information.

You can configure the following OSS properties of a user account or user group; if the user and group settings differ, the user settings override the group settings:

• maximum number of allowed OSS sessions per user

• priority assigned to OSS requests

• OSS request timeout

When the number of concurrent sessions reaches the system maximum, the NFM-P uses the priority values of the outstanding requests to determine which to process next.

Note: After an upgrade, the NFM-P assigns the default priority value to each existing OSS user and user group.

An OSS request timeout value applies to a request that the NFM-P has accepted but not processed. If the request processing does not begin before the timeout period elapses, the NFM-P rejects the request and returns an error.

Client sessions

All client sessions have username and password protection.

• Each OSS client XML/SOAP message is individually authenticated using cached information from an authorization server.

• JMS messages are protected by the user name and password for the JMS connection.

You can use an MD5-hashed or a clear text password to access the NFM-P server.

MD5-hashed password format

Nokia recommends that you send the password for a request in an MD5-hashed format. You can use the md5hash password utility to generate MD5-hashed passwords to access the NFM-P server. See To generate an MD5-hashed password for NFM-P main server access for more information about how to generate an MD5-hashed password for NFM-P access.

Note: MD5-hashed passwords do not secure the communication channel.

Note: Nokia recommends enabling TLS for secure communication. See the NSP Installation and Upgrade Guide for TLS configuration and management information.

Clear-text password format

OSS users can access the NFM-P using a clear-text password. A clear-text password provides no security unless HTTPS is used, but ensures greater compatibility with RADIUS and TACACS+. Nokia recommends using a clear-text password only when:

• the XML API uses an external mechanism for password authentication, for example, RADIUS or TACACS

  and

• a dedicated HTTPS channel is used for all XML/SOAP requests

See Table 9-1, SOAP message type details for more information about the SOAP XML message structure and format. The following figure shows an example of the clear-text password format.

Figure 3-2: Clear-text password format

<?xml version="1.0" encoding="UTF-8"?>

<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">

    <SOAP:Header>

        <header xmlns="xmlapi_1.0">

            <security>

                <user>username</user>

                <password hashed="false">password</password>

            </security>

            <requestID>XML_API_client@n</requestID>

        </header>

    </SOAP:Header>

    <SOAP:Body>

        <ping xmlns="xmlapi_1.0"/>

    </SOAP:Body>

</SOAP:Envelope>

© 2024 Nokia. Nokia Confidential Information

Use subject to agreed restrictions on disclosure and use.