Build and Maintain a Secure Network and Systems

The following recommendations and information apply to the Build and Maintain a Secure Network and Systems requirements (PCI DSS Requirements 1 and 2).

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • Install the Omni-Insurance products on an internal (trusted) network segment, not in the DMZ.
  • Configure the data acquisition channels that bring data into the Omni-Insurance on-ramps to pass through the Demilitarized Zone (DMZ). If the client uses the Information Builders iWay 8 product for integration services on the data acquisition side, the PCI compliance chapter of that product's documentation explains how to configure integration channels inside and outside the DMZ.
  • The Omni server and applications require TCP/IP listener ports to communicate internally and externally. The ports are user-configurable and can be changed during product installation; the table below lists the defaults.

Omni-Insurance Ports

The following table lists the default Omni-Insurance ports and their use. Type "external" means the listener is intended to be reachable from outside the trusted segment (for example from the DMZ); "internal" means it should be reachable only from the trusted segment. The Security column gives the transport protection the listener provides by default: "none" means the port carries no transport-layer protection of its own, so a "none" port of type external should be restricted to the trusted segment or placed behind a TLS-terminating front end, and "Tomcat Config", "WSO2 Config" and "Repository Config" mean the protection depends on how that component is configured.

Component                                 Type      Port            Security
----------------------------------------  --------  --------------  -----------------
Omni Controller/Console                   external  9500            TLS 1.2
Omni Server                               internal  9514            TLS 1.2
Omni Server Data Quality High-Speed TCP   internal  9532            none
Data Quality Cleanse                      external  9504            none
Data Quality Cleanse                      internal  9505            none
Data Quality Match                        external  9506            none
Data Quality Match                        internal  9507            none
Data Quality Merge                        external  9508            none
Data Quality Merge                        internal  9509            none
Data Quality Remediation                  external  9510            none
Data Quality Remediation                  internal  9511            none
OGC Tomcat Shutdown                       internal  9524            none
OGC Tomcat Console                        external  9501            Tomcat Config
OGC Tomcat AJP                            internal  9525            Tomcat Config
OGC WSO2                                  external  9503            WSO2 Config
OGC Redirect                              internal  9526            none
OGC Logstash                              internal  9528            none
WSO2 RMI Registry                         internal  9534            WSO2 Config
WSO2 RMI Server                           internal  9535            WSO2 Config
WSO2 LDAP Server                          internal  9536            WSO2 Config
WSO2 KDC Server                           internal  9537            WSO2 Config
WSO2 Thrift Entitlement Receiver          internal  9538            WSO2 Config
Omni Designer Tomcat                      internal  9515            TLS 1.2
Omni Designer Console                     external  9516            TLS 1.2
Omni Designer Redirect                    internal  9518            TLS 1.2
Omni Designer AJP                         internal  9517            Tomcat Config
Omni Designer Bridge                      internal  9519            Tomcat Config
Omni Designer EMF                         internal  9520            TLS 1.2
Deployment Console                        external  9521            none
Deployment Console                        external  9502            TLS 1.2
GIT/SVN                                   external  80/(8800,8443)  Repository Config

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Omni-Insurance consists of several components, each shipped with default credentials. Change every default credential to a credential that the client controls and maintains.

Do not install unrelated components, scripts, jars, or any other files on production systems beyond those the product needs to run. Disable any Omni component that is not in use, so that it cannot be reached accidentally or without authorization.

  • Omni Server Console. Used for operations and monitoring. It is intended for internal operations staff, not for external communication. The console can be disabled and other operations monitoring components used instead. Change the default login for the Omni Server Console even if you do not plan to use it.
  • Omni Governance Console. A business user-facing interface. End-user security is managed through the available Tomcat and WSO2 configurations. Change the default accessibility settings and create separate roles for the different types of users so that no user can reach data outside their role.
  • Omni Designer. A developer tool for creating a Master Data Management model; it is needed only during development. Omni Designer should not be running in a production environment. It integrates with the source control system (SVN/GIT), which controls user access to the model.
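The port table under Requirement 1 and the "disable what is not in use" advice under Requirement 2 both reduce to a comparison between the documented listeners and what a host actually exposes. The following script is an added example, not Information Builders code: it transcribes the default-port table, lists the external listeners documented with no transport security, renders an nftables input chain that lets the DMZ reach only the "external" ports while the trusted segment reaches all documented ports, and audits sample `ss -ltn` output for listeners that belong to components not in use (for example Omni Designer on a production host) or that the table does not explain. The segment CIDRs, the `ss` output, the in-use component set and the choice of nftables as the host firewall are assumptions made for illustration; the page does not name a firewall product.

```python
"""Added audit example for this chapter's port table (not Information Builders code).
Segment CIDRs, the sample `ss -ltn` output and the in-use component set are assumptions."""
import re

# Transcribed from the default-port table above (defaults; installers may change them).
# (component, scope, port, security); external = reachable from the DMZ, internal = trusted segment only
LISTENERS = [
    ("Omni Controller/Console", "external", 9500, "TLS 1.2"),
    ("Omni Server", "internal", 9514, "TLS 1.2"),
    ("Omni Server Data Quality High-Speed TCP", "internal", 9532, "none"),
    ("Data Quality Cleanse", "external", 9504, "none"),
    ("Data Quality Cleanse", "internal", 9505, "none"),
    ("Data Quality Match", "external", 9506, "none"),
    ("Data Quality Match", "internal", 9507, "none"),
    ("Data Quality Merge", "external", 9508, "none"),
    ("Data Quality Merge", "internal", 9509, "none"),
    ("Data Quality Remediation", "external", 9510, "none"),
    ("Data Quality Remediation", "internal", 9511, "none"),
    ("OGC Tomcat Shutdown", "internal", 9524, "none"),
    ("OGC Tomcat Console", "external", 9501, "Tomcat Config"),
    ("OGC Tomcat AJP", "internal", 9525, "Tomcat Config"),
    ("OGC WSO2", "external", 9503, "WSO2 Config"),
    ("OGC Redirect", "internal", 9526, "none"),
    ("OGC Logstash", "internal", 9528, "none"),
    ("WSO2 RMI Registry", "internal", 9534, "WSO2 Config"),
    ("WSO2 RMI Server", "internal", 9535, "WSO2 Config"),
    ("WSO2 LDAP Server", "internal", 9536, "WSO2 Config"),
    ("WSO2 KDC Server", "internal", 9537, "WSO2 Config"),
    ("WSO2 Thrift Entitlement Receiver", "internal", 9538, "WSO2 Config"),
    ("Omni Designer Tomcat", "internal", 9515, "TLS 1.2"),
    ("Omni Designer Console", "external", 9516, "TLS 1.2"),
    ("Omni Designer Redirect", "internal", 9518, "TLS 1.2"),
    ("Omni Designer AJP", "internal", 9517, "Tomcat Config"),
    ("Omni Designer Bridge", "internal", 9519, "Tomcat Config"),
    ("Omni Designer EMF", "internal", 9520, "TLS 1.2"),
    ("Deployment Console", "external", 9521, "none"),
    ("Deployment Console", "external", 9502, "TLS 1.2"),
    ("GIT/SVN", "external", 80, "Repository Config"),  # table also lists 8800/8443, repository-dependent
]

def plaintext_external(listeners=LISTENERS):
    """Externally scoped listeners documented with no transport security; reach them only
    through a TLS-terminating front end or restrict them to the trusted segment."""
    return sorted((port, comp) for comp, scope, port, sec in listeners
                  if scope == "external" and sec == "none")

def nft_ruleset(trusted_cidr, dmz_cidr, listeners=LISTENERS):
    """nftables input chain: the DMZ reaches only 'external' ports, the trusted segment
    reaches every documented port, and the default policy drops everything else."""
    ext = sorted({p for _, s, p, _ in listeners if s == "external"})
    every = sorted({p for _, _, p, _ in listeners})
    fmt = lambda ps: "{ " + ", ".join(map(str, ps)) + " }"
    return "\n".join([
        "table inet omni {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        '    iif "lo" accept',
        "    ct state established,related accept",
        f"    ip saddr {dmz_cidr} tcp dport {fmt(ext)} accept",
        f"    ip saddr {trusted_cidr} tcp dport {fmt(every)} accept",
        "  }",
        "}",
    ])

SS_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s", re.M)

def listening_ports(ss_output):
    """TCP ports parsed from `ss -ltn` output (Linux)."""
    return {int(p) for p in SS_LISTEN.findall(ss_output)}

def audit_listeners(ss_output, in_use, listeners=LISTENERS):
    """(to_disable, undocumented): open ports of documented components that are not in use,
    and open ports the product table does not explain (justify or close them)."""
    by_port = {p: c for c, _, p, _ in listeners}
    open_ports = listening_ports(ss_output)
    to_disable = sorted((p, by_port[p]) for p in open_ports
                        if p in by_port and by_port[p] not in in_use)
    undocumented = sorted(p for p in open_ports if p not in by_port)
    return to_disable, undocumented

# Constructed sample: a production host where Omni Designer (9516) is still listening.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:9500        0.0.0.0:*
LISTEN 0      128    0.0.0.0:9514        0.0.0.0:*
LISTEN 0      128    0.0.0.0:9516        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

if __name__ == "__main__":
    print("external, no transport security:", plaintext_external())
    print(nft_ruleset("10.10.0.0/16", "10.20.0.0/24"))
    print("audit:", audit_listeners(SAMPLE_SS, {"Omni Controller/Console", "Omni Server"}))
```

Run it on a host with `python3 audit.py` after replacing SAMPLE_SS with real `ss -ltn` output and the in-use set with the components that installation actually deployed. The ruleset is generated from the "Type" column only; if an installer moved a port away from its default, update LISTENERS first, otherwise the trusted-segment rule will admit the wrong port. Port 22 shows up as undocumented on purpose: the product table cannot justify it, so the host build standard must.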