XML API security features controlled through the NFM-P client GUI
Overview
A system administrator can use the security management forms in the NFM-P client GUI to control the following security-related features for XML API:
- Session logs of NFM-P client GUI and OSS activity; the XML API client ID must use the JMS client ID format described in JMS subscriptions to be uniquely identified as an XML API session.
You must create a scope of command profile to group the OSS Management scope of command role with additional roles. Otherwise, the NFM-P returns the SOAP exception message shown in the following figure:
Figure 3-3: SOAP exception message, insufficient privileges
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Header>
    <header xmlns="xmlapi_1.0">
      <requestID>XML_API_client@n</requestID>
      <requestTime>Sep 22, 2015 3:13:08 PM</requestTime>
      <responseTime>Sep 22, 2015 3:13:08 PM</responseTime>
    </header>
  </SOAP:Header>
  <SOAP:Fault>
    <faultcode>SOAP:Client</faultcode>
    <faultstring>[security] Users require OSS Management privileges to use XML API.</faultstring>
    <faultactor>XmlApi</faultactor>
    <detail>
      <requestID>XML_API_client@n</requestID>
    </detail>
  </SOAP:Fault>
</SOAP:Envelope>
See the chapter on NFM-P user security in the NSP System Administrator Guide for information about managing NFM-P user security.
If a user supplies an incorrect username or password, or if the username or password is missing, the NFM-P returns the SOAP exception message shown in the following figure:
Figure 3-4: SOAP exception message, login failure
<?xml version="1.0" encoding="UTF-8"?>
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP:Header>
    <header xmlns="xmlapi_1.0">
      <requestID>XML_API_client@n</requestID>
      <requestTime>Sep 22, 2015 3:13:08 PM</requestTime>
      <responseTime>Sep 22, 2015 3:13:08 PM</responseTime>
    </header>
  </SOAP:Header>
  <SOAP:Fault>
    <faultcode>SOAP:Client</faultcode>
    <faultstring>[security] Login failure.</faultstring>
    <faultactor>XmlApi</faultactor>
    <detail>
      <requestID>XML_API_client@n</requestID>
    </detail>
  </SOAP:Fault>
</SOAP:Envelope>
If a user is not assigned the appropriate scope of command privilege for a class type, or span of control for an object, an exception is returned.
See the NSP System Administrator Guide for information about how listing is filtered by span, and configuration is span-enforced.
Unlike in HTTP or HTTPS, where span of control rules are implicitly enforced, span of control rules are not implicitly enforced via JMS. JMS requires the administrator to explicitly specify the required span IDs within the JMS filter. For example, without the correct JMS filter, it may not be possible to listen to events from objects that are not in the user's span of control.
Table 3-1: Example JMS filter entries
JMS filter | Description |
---|---|
ALA_span like '%:2:%' | A JMS query that uses this filter results in JMS messages being sent from objects in span 2 (for example, Default Router Span). Events from objects in other spans are not published. |
ALA_span like '%:21:%' or ALA_span like '%:0:%' | A JMS query that uses this filter results in JMS messages being sent from objects in span 21 or non-span objects. Events from objects in other spans are not published. |
(ALA_span like '%:1:%' or ALA_span like '%:2:%' or ALA_span like '%:3:%' or ALA_span like '%:4:%' or ALA_span like '%:5:%' or ALA_span like '%:6:%' or ALA_span like '%:7:%' or ALA_span like '%:8:%' or ALA_span like '%:0:%') and (ALA_span not like '%:22:%') | A JMS query that uses this filter results in JMS messages being sent from all objects (all of Default Spans listed) except those blocked in span 22. |
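The following added example (not part of the NFM-P documentation or product code) builds filters in the form shown in Table 3-1 from lists of permitted and blocked span IDs, and evaluates them against sample property values to show why the colon delimiters matter. The function names are hypothetical, and the sample `ALA_span` values assume the property carries colon-delimited span IDs such as `:2:22:`, which the table's patterns imply but the page does not state.

```python
import re

def build_span_filter(allowed, blocked=()):
    """Return a JMS filter admitting the allowed span IDs and excluding blocked ones."""
    for span_id in (*allowed, *blocked):
        # Reject anything but plain non-negative integers so no text reaches the filter.
        if isinstance(span_id, bool) or not isinstance(span_id, int) or span_id < 0:
            raise ValueError(f"span ID must be a non-negative integer: {span_id!r}")
    if not allowed:
        raise ValueError("at least one allowed span ID is required")
    selector = " or ".join(f"ALA_span like '%:{s}:%'" for s in allowed)
    if blocked:
        deny = " and ".join(f"(ALA_span not like '%:{s}:%')" for s in blocked)
        selector = f"({selector}) and {deny}"
    return selector

def like(value, pattern):
    """SQL-92 LIKE as used by JMS selectors: % is any run, _ is any one character."""
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None

def admits(ala_span, allowed, blocked=()):
    """Evaluate the filter from build_span_filter against one ALA_span value."""
    hit = any(like(ala_span, f"%:{s}:%") for s in allowed)
    return hit and not any(like(ala_span, f"%:{s}:%") for s in blocked)

if __name__ == "__main__":
    print(build_span_filter([1, 2, 0], blocked=[22]))
    # Constructed sample property values (assumed colon-delimited format).
    for sample in (":2:", ":21:", ":0:", ":2:22:"):
        print(f"{sample:8} span 2 only: {admits(sample, [2])!s:5} "
              f"span 2 minus 22: {admits(sample, [2], [22])}")
    # A pattern without the colons would also match span 21.
    print("'%2%' matches ':21:':", like(":21:", "%2%"))
```

Without the surrounding colons, a pattern for span 2 would also admit events from spans 21 and 22, which is why every entry in Table 3-1 delimits the span ID on both sides.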