Build and Maintain a Secure Network and Systems

The following recommendations and information apply to the PCI DSS requirements grouped under Build and Maintain a Secure Network and Systems (Requirements 1 and 2).

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

  • The Omni-Gen products should be installed on an internal (trusted) network segment, behind the firewall that separates that segment from the DMZ and from untrusted networks.
  • Data acquisition channels that bring data into the Omni-Gen on-ramps should be configured through the Demilitarized Zone (DMZ). If the Information Builders iWay 8 product provides the integration services for data acquisition, the PCI compliance chapter of the iWay 8 documentation describes how to configure integration channels inside and outside of the DMZ.
  • TCP/IP listener ports are required for the Omni server and applications to communicate internally and externally. The ports are configurable and can be changed during product installation. Record the values chosen, because the firewall rules written for Requirement 1 must match them, and open only the ports that are actually in use.

Omni-Gen Ports

The following table lists the default Omni-Gen ports and their use. Type distinguishes listeners used between Omni-Gen components (internal) from listeners that other systems and users connect to (external). Security is the transport protection on the listener; WSO2 Config, Tomcat Config, and Repository Config mean that the protection is set in that component's own configuration rather than by Omni-Gen.

Component                                  Type      Port            Security
Omni Controller/Console                    external  9500            https
Omni Server                                internal  9514            https
Omni Server Data Quality High-Speed TCP    internal  9532            TLS 1.0
Data Quality Cleanse                       external  9504            https
Data Quality Cleanse                       internal  9505            TLS 1.0
Data Quality Match                         external  9506            https
Data Quality Match                         internal  9507            TLS 1.0
Data Quality Merge                         external  9508            https
Data Quality Merge                         internal  9509            TLS 1.0
Data Quality Remediation                   external  9510            https
Data Quality Remediation                   internal  9511            TLS 1.0
OGC Tomcat Shutdown                        internal  9524            TLS 1.0
OGC WSO2                                   external  9503            https
OGC Tomcat Console                         external  9526            https
WSO2 RMI Registry                          internal  9534            WSO2 Config
WSO2 RMI Server                            internal  9535            WSO2 Config
WSO2 LDAP Server                           internal  9536            WSO2 Config
WSO2 KDC Server                            internal  9537            WSO2 Config
Omni Designer TCP Shutdown                 internal  9515            TLS 1.0
Omni Designer Console                      external  9516            https
Omni Designer Redirect                     internal  9518            https
Omni Designer TCP JMX                      internal  9519            Tomcat Config
Omni Designer EMF                          internal  9520            https
Deployment Console                         external  9521            http
Deployment Console                         external  9502            https
GIT/SVN                                    external  80/(8800,8443)  Repository Config

Listeners whose Security column reads http or TLS 1.0 do not on their own satisfy the PCI DSS requirement for strong cryptography: SSL and early TLS (which includes TLS 1.0) have not been acceptable for protecting cardholder data since 30 June 2018, except on POS POI terminals. Keep the TLS 1.0 listeners restricted to the internal segment, prefer the https Deployment Console listener on 9502 over the http one on 9521, and verify the protocol each listener actually negotiates before relying on the value shown here.
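The table above is the input a host firewall needs. The script below is an added example, not Information Builders code: it turns the port table into iptables INPUT rules that admit internal listeners only from the trusted segment and external listeners from the trusted segment plus the DMZ where the on-ramp channels terminate, and it lists the listeners whose documented protection is plain http or TLS 1.0. The CIDRs, the internal/external source mapping, and the iptables output format are assumptions to adapt to the client's network.

```python
"""Derive host-firewall rules from the Omni-Gen default port table.

Added example for this page, not Information Builders code. The port table
is the one documented above; the CIDRs, the iptables output format, and the
rule that "internal" listeners accept only the trusted segment while
"external" listeners also accept the DMZ are assumptions.
"""
import ipaddress
import re

# (component, type, port spec, security) as listed in the Omni-Gen port table.
OMNI_PORTS = [
    ("Omni Controller/Console", "external", 9500, "https"),
    ("Omni Server", "internal", 9514, "https"),
    ("Omni Server Data Quality High-Speed TCP", "internal", 9532, "TLS 1.0"),
    ("Data Quality Cleanse", "external", 9504, "https"),
    ("Data Quality Cleanse", "internal", 9505, "TLS 1.0"),
    ("Data Quality Match", "external", 9506, "https"),
    ("Data Quality Match", "internal", 9507, "TLS 1.0"),
    ("Data Quality Merge", "external", 9508, "https"),
    ("Data Quality Merge", "internal", 9509, "TLS 1.0"),
    ("Data Quality Remediation", "external", 9510, "https"),
    ("Data Quality Remediation", "internal", 9511, "TLS 1.0"),
    ("OGC Tomcat Shutdown", "internal", 9524, "TLS 1.0"),
    ("OGC WSO2", "external", 9503, "https"),
    ("OGC Tomcat Console", "external", 9526, "https"),
    ("WSO2 RMI Registry", "internal", 9534, "WSO2 Config"),
    ("WSO2 RMI Server", "internal", 9535, "WSO2 Config"),
    ("WSO2 LDAP Server", "internal", 9536, "WSO2 Config"),
    ("WSO2 KDC Server", "internal", 9537, "WSO2 Config"),
    ("Omni Designer TCP Shutdown", "internal", 9515, "TLS 1.0"),
    ("Omni Designer Console", "external", 9516, "https"),
    ("Omni Designer Redirect", "internal", 9518, "https"),
    ("Omni Designer TCP JMX", "internal", 9519, "Tomcat Config"),
    ("Omni Designer EMF", "internal", 9520, "https"),
    ("Deployment Console", "external", 9521, "http"),
    ("Deployment Console", "external", 9502, "https"),
    ("GIT/SVN", "external", "80/(8800,8443)", "Repository Config"),
]

TRUSTED_CIDR = "10.10.0.0/16"  # assumed internal (trusted) segment hosting Omni-Gen
DMZ_CIDR = "10.20.0.0/24"      # assumed DMZ from which acquisition channels arrive


def parse_ports(spec):
    """Expand a port cell: 9500 -> [9500]; '80/(8800,8443)' -> [80, 8800, 8443]."""
    return [int(p) for p in re.findall(r"\d+", str(spec))]


def allowed_sources(kind, trusted=TRUSTED_CIDR, dmz=DMZ_CIDR):
    """Source networks permitted to reach a listener of the given type."""
    if kind == "internal":
        return [trusted]
    if kind == "external":
        return [trusted, dmz]
    raise ValueError(f"unknown port type {kind!r}")


def iptables_rules(table=OMNI_PORTS, trusted=TRUSTED_CIDR, dmz=DMZ_CIDR):
    """Return iptables INPUT rules: one ACCEPT per permitted source, then a DROP
    for the port from everywhere else. Meant for the host's own firewall, in
    addition to the segment firewall in front of it."""
    for cidr in (trusted, dmz):
        ipaddress.ip_network(cidr)  # fail early on a malformed CIDR
    rules = []
    for component, kind, spec, security in table:
        tag = f"{component} {kind} {security}"[:200]  # -m comment allows 256 bytes
        for port in parse_ports(spec):
            for src in allowed_sources(kind, trusted, dmz):
                rules.append(
                    f"-A INPUT -p tcp -s {src} --dport {port} -m conntrack --ctstate NEW "
                    f'-m comment --comment "{tag}" -j ACCEPT'
                )
            rules.append(f'-A INPUT -p tcp --dport {port} -m comment --comment "{tag}" -j DROP')
    return rules


def weak_listeners(table=OMNI_PORTS):
    """Listeners whose documented protection is plain http or TLS 1.0 (early TLS),
    which PCI DSS has not accepted as strong cryptography since 30 June 2018."""
    return [row for row in table if row[3].lower() in ("http", "tls 1.0")]


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for component, kind, port, security in weak_listeners():
        print(f"# review: {component} ({kind}) on {port} is documented as {security}")
```

The generated lines go inside a `*filter` ... `COMMIT` block for iptables-restore, or are translated to the equivalent firewalld or Windows Firewall rules. They only restrict the host; the segment firewall between the DMZ and the trusted segment still needs matching rules, and the weak-listener list is the set of ports to re-check with a protocol probe before the system goes live.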

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Omni-Gen consists of several components, each with its own credentials. Change every default credential to one that the client controls and maintains before the system is connected to the network or handles cardholder data.

Do not install unrelated components, scripts, JAR files, or other files on the production systems beyond those required for the product to run. Disable any Omni components that are not in use, so that they cannot be reached accidentally or by an attacker.

  • Omni Server Console. This is used for operations and monitoring. It is meant for the internal operations user, not for external communication. The console can be disabled if other operations monitoring components are used instead. Change the default login for the Omni Server Console regardless of whether the component will be used.
  • Omni Governance Console. This is a business user-facing interface. End-user security is managed through the available Tomcat and WSO2 configurations. Change the default access settings and define separate roles for the different types of business users, so that each role can reach only the data it needs.
  • Omni Designer. This is a developer tool for creating a Master Data Management model and is required only during development. Omni Designer should not be running in a production environment. It integrates with the source management system (SVN/Git), and access to the model is governed by that repository's access controls.
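Because the Omni Governance Console delegates end-user security to Tomcat and WSO2, the vendor defaults that Requirement 2 targets live in those two products' configuration files. The script below is an added example, not Information Builders code: it parses the stock Apache Tomcat tomcat-users.xml and WSO2 Carbon user-mgt.xml layouts and reports accounts still using a vendor default or an empty password. The two sample documents are constructed, the default-credential list is an assumed starting point to extend with the client's own baseline, and the file paths (Tomcat conf/tomcat-users.xml, WSO2 repository/conf/user-mgt.xml) are the products' standard locations, not something this page documents for Omni-Gen.

```python
"""Audit Tomcat and WSO2 configuration files for vendor-supplied default accounts.

Added example for this page, not Information Builders code. Reads the stock
Apache Tomcat tomcat-users.xml and WSO2 Carbon user-mgt.xml layouts; the two
sample documents are constructed and the list of default credential pairs is
an assumed starting point.
"""
import xml.etree.ElementTree as ET

# Vendor defaults to flag (assumed list). Tomcat ships its example users
# commented out; WSO2 Carbon ships the admin/admin bootstrap account active.
DEFAULT_CREDENTIALS = {
    ("tomcat", "tomcat"), ("tomcat", "s3cret"), ("both", "tomcat"),
    ("role1", "tomcat"), ("admin", "admin"), ("admin", "password"),
}
TOMCAT_NS = "{http://tomcat.apache.org/xml}"  # namespace used by Tomcat 8+ files


def tomcat_accounts(xml_text):
    """Return (username, password, roles) for every <user> in tomcat-users.xml.
    If a CredentialHandler digests the passwords, only the empty-password check
    below is meaningful for that file."""
    root = ET.fromstring(xml_text)
    accounts = []
    for tag in ("user", TOMCAT_NS + "user"):  # files with and without the namespace
        for user in root.iter(tag):
            name = user.get("username") or user.get("name") or ""
            accounts.append((name, user.get("password") or "", user.get("roles") or ""))
    return accounts


def wso2_admin(xml_text):
    """Return (UserName, Password) of the bootstrap AdminUser in user-mgt.xml."""
    root = ET.fromstring(xml_text)
    admin = root.find(".//AdminUser")
    if admin is None:
        return None
    return (admin.findtext("UserName", "").strip(), admin.findtext("Password", "").strip())


def audit(tomcat_xml, wso2_xml):
    """Findings that should block go-live under Requirement 2."""
    findings = []
    for name, password, roles in tomcat_accounts(tomcat_xml):
        if (name.lower(), password) in DEFAULT_CREDENTIALS:
            findings.append(f"tomcat-users.xml: vendor default credential for {name!r} (roles: {roles})")
        elif password == "":
            findings.append(f"tomcat-users.xml: empty password for {name!r}")
    admin = wso2_admin(wso2_xml)
    if admin is not None and (admin[0].lower(), admin[1]) in DEFAULT_CREDENTIALS:
        findings.append(f"user-mgt.xml: WSO2 AdminUser still uses vendor default {admin[0]!r}")
    return findings


# Constructed sample files: one default account, one empty password, one good account.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="omni-ops"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="ogc_operator" password="" roles="omni-ops"/>
  <user username="ogc_steward" password="Q7v!pL2m9xTz#Rw" roles="omni-ops"/>
</tomcat-users>
"""

SAMPLE_USER_MGT = """<UserManager>
  <Realm>
    <Configuration>
      <AdminRole>admin</AdminRole>
      <AdminUser>
        <UserName>admin</UserName>
        <Password>admin</Password>
      </AdminUser>
      <EveryOneRoleName>everyone</EveryOneRoleName>
    </Configuration>
  </Realm>
</UserManager>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_TOMCAT_USERS, SAMPLE_USER_MGT):
        print(finding)
```

Run it against the real files from the Tomcat and WSO2 instances behind the Omni Governance Console; an empty result is the condition to require before the console is exposed to business users. The WSO2 bootstrap password is read from user-mgt.xml only on first start, so after changing it through the WSO2 console the file may still show the old value and should be cleaned up as well.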