Skip Headers
Oracle® Communications Converged Application Server Administration Guide
Release 5.0

Part Number E17647-03
Go to Documentation Home
Go to Book List
Book List
Go to Table of Contents
Go to Feedback page
Contact Us

Go to previous page
Go to next page
View PDF

25 Overview of Security Features

This chapter describes the Oracle Communications Converged Application Server security features:

Authentication for SIP Servlets

Converged Application Server users must be authenticated when they request access to a protected resource, such as a protected method within a deployed SIP Servlet. Converged Application Server enables you to implement user authentication for SIP Servlets using any of the following techniques:

Different SIP Servlets deployed on Converged Application Server can use different authentication mechanisms as necessary. The required authentication mechanism is specified in the auth-method element of the SIP Servlet's sip.xml deployment descriptor. The deployment descriptor may also define which resources are to be protected, listing specific role names that are required for access. The SIP Servlet v1.1 specification introduces the ability to specify the realm name and identity assertion mechanism required or supported by an application.

See "Securing SIP Servlet Resources" in Converged Application Server SIP Application Development Guide for information about securing resources and mapping roles in the SIP Servlet deployment descriptor. See the SIP Servlet v1.1 specification for information about defining the Servlet authentication and identity assertion mechanism.

Authentication Providers

Converged Application Server authentication services are implemented using one or more authentication providers. An authentication provider performs the work of proving the identity of a user or system process, and then transmitting the identity information to other components of the system.

You can configure and use multiple authentication providers to use different authentication methods, or to work together to provide authentication. For example, when using Digest authentication you typically configure both a Digest Identity Asserter provider to assert the validity of a digest, and a second LDAP or RDBMS authentication provider that determines the group membership of a validated user.

When linking multiple authentication providers, you must specify the order in which providers are used to evaluate a given user, and also specify how much control each provider has over the authentication process. Each provider can contribute a "vote" that specifies whether or not the provider feels a given user is valid. The provider's control flag indicates how the provider's vote is used in the authentication process.

For more information about configuring providers, see either "Configuring Digest Authentication" or "Configuring Client-Cert Authentication".

Overriding Authentication with Trusted Hosts

Converged Application Server also enables you to designate trusted hosts for your system. Trusted hosts are hosts for which Converged Application Server performs no authentication. If the server receives a SIP message having a destination address that matches a configured trusted host name, the message is delivered without Authentication. See Chapter 30, "Engine Tier Configuration Reference (sipserver.xml)" for more information.

Identity Assertion Support

Converged Application Server supports the P-Asserted-Identity SIP header as described in RFC 3325. This functionality automatically logs in using credentials specified in the P-Asserted-Identity header when they are received form a trusted host. When combined with the privacy header, P-Asserted-Identity also determines whether the message can be forwarded to trusted and non-trusted hosts.

Converged Application Server also supports identity assertion using the Identity and Identity-Info headers as described in RFC 4474.

Both identity assertion mechanisms require that you configure an appropriate security provider with Converged Application Server. See "Overview of SIP Servlet Identity Assertion Mechanisms" for more information.

Role Assignment for SIP Servlet Declarative Security

The SIP Servlet API specification defines a set of deployment descriptor elements that can be used for providing declarative and programmatic security for SIP Servlets. The primary method for declaring security constraints is to define one or more security-constraint elements and role definitions in the sip.xml deployment descriptor. Converged Application Server adds additional deployment descriptor elements to help developers easily map SIP Servlet roles to actual principals and/or roles configured in the SIP Servlet container. See "Securing SIP Servlet Resources" in Converged Application Server SIP Application Development Guide for more information.

Security Event Auditing

Converged Application Server includes an auditing provider that you can configure to monitor authentication events in the security realm. See Securing Oracle WebLogic Server in the Oracle WebLogic Server 11g documentation for more information.

Common Security Configuration Tasks

Table 25-1 lists Converged Application Server configuration tasks and provides links to additional information.

Table 25-1 Security Configuration Tasks

Task Description

Configuring Digest Authentication

Understanding the Digest identity assertion providers

Configuring LDAP Digest authentication

Configuring Digest authentication with an RDBMS

Configuring Client-Cert Authentication

Understanding client-cert authentication solutions

Delivering X509 certificates over 2-way SSL

Developing a Perimeter authentication solution

Using the Converged Application Server WL_Client_Cert header to deliver X509 certificates

Overview of SIP Servlet Identity Assertion Mechanisms

Understand forwarding rules for SIP messages having the P-Asserted-Identity header

Configuring P-Asserted-Identity providers

"Securing SIP Servlet Resources" in Converged Application Server SIP Application Development Guide

Defining security constraints for a SIP Servlet

Mapping SIP Servlet roles to Converged Application Server roles and principals

Debugging SIP Servlet security constraints

"sip-security" in Chapter 30, "Engine Tier Configuration Reference (sipserver.xml)"

Configuring trusted hosts