Oracle® Communications Marketing and Advertising System Administrator's Guide Release 5.1 Part Number E20558-01
This chapter provides a high level overview of security settings for Web services and for Operation and Management (OAM) MBeans in Oracle Communications Marketing and Advertising.
It describes two types of security settings:
Web Services Security: controls Marketing and Advertising's interactions with administration Web service clients
MBean Security: controls access to the servers, which governs who can perform OAM functions; implemented by Java Management Extension (JMX) policy
Web services security provides end-to-end message-level security for Web services through an implementation of the WS-Security standard. It defines a mechanism for adding three levels of security to SOAP messages:
Authentication: The client authenticates by supplying a username or X.509 token.
Confidentiality: W3C's XML encryption standard enables the XML body or portions of it to be encrypted to ensure message confidentiality.
Integrity: W3C's XML digital signatures let the message be digitally signed to ensure message integrity. The signature is based on the content of the message itself (by applying the hash function and public key), so if the message is altered en route, the signature becomes invalid.
Marketing and Advertising uses an Oracle WebLogic Server mechanism for Web Services Security: WSSE policies. For information about WebLogic Security, see Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server at:
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13710/toc.htm
Authentication is handled transparently by WS-Security and subsequently by the configured authentication providers and login modules of the WebLogic Security framework. WS-Security also supports signing and encrypting a message by providing a security token hierarchy associated with the keys used for signing and to ensure message integrity and confidentiality.
The following outlines the general WebLogic security configurations that can be performed, either automatically using a script or manually from the Administration console.
The administration Web services EAR, ocma-ws.ear, is not deployed by default in any installation except for those using the basic collocated domain template.
If you wish to use the administration Web services in other environments, you need to deploy this EAR. The EAR file can be found in Middleware_Home/ocma_5.1/applications.
There are many ways to deploy applications in WebLogic Server. See Deploying Applications to Oracle WebLogic Server at:
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13702/toc.htm
This section describes how to apply an existing WS-Policy. It also describes where to find more information on creating and using custom WS-Policies.
Use this overview to apply a WSSE policy to a Web service endpoint in Marketing and Advertising.
Marketing and Advertising uses standard WebLogic Server mechanisms. See the online help for the WebLogic Server Administration console for a full description of how to associate a WS-Policy file with an administration Web service.
To associate a WS-Policy with an operation
In the Domain Structure panel, select Deployments.
The Summary of Deployments screen appears.
Select the Control tab if it is not already selected.
Expand the ocma-ws section by clicking the +.
Under Web services, click the Web service on which you wish to apply Web Services security: for example, AccountManager or CampaignManager.
The Settings for Web Service screen appears.
Click the Configuration tab.
Click WS-Policy sub-tab.
Do one of the following:
To apply a policy to a single operation, expand the operations list by clicking the + next to Web ServiceTypePort and select the operation whose WS-Policy you wish to edit.
To apply a policy to all the operations in a Web service, click Web ServiceTypePort.
The Configure a Web Service Policy page appears.
Use the first page if you wish to configure WS-Policy for both inbound and outbound requests. Click Next if you wish to specify only inbound options and Next again if you wish to specify only outbound options.
To apply a policy, select the policy and click the right-facing arrow to move it from the Available Policies to the Chosen Policies.
To revoke a policy, select the policy and click the left-facing arrow to move it from the Chosen Policies to the Available Policies.
When you are done, click Finish.
WS-Policy files can be used to require applications clients to authenticate, digitally encrypt, or digitally sign SOAP messages. For a list of the WS-SecurityPolicy 1.2 files supplied by WLS, see Using WS-SecurityPolicy 1.2 Policy Files at:
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/message.htm#WSSOV310
By default, a default_x509_cp credential provider is set up for Marketing and Advertising, but you can modify it to suit your installation. If the built-in WS-Policy files do not meet your security needs, you can build custom policies as described in Creating and Using Custom WS-Policy. WS-Policy assertions are used to specify a Web service's requirements for digital signatures and encryption, along with the related security algorithms and authentication mechanisms.
For information about creating and using a custom policy file for message-level security, see Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server at:
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/toc.htm
There is also information about associating a WS-Policy file with a Web service in the on-line help for WebLogic Server Administration console at:
When a deployed WebLogic Web service has been configured to use message-level security (encryption and digital signatures, as described by the WS-Security specification), the Web services runtime determines whether a Web service security configuration is also associated with the service. This security configuration specifies information such as whether to use an X.509 certificate for identity, whether to use password digests, the keystore to be used for encryption, and so on. A single security configuration can be associated with many Web services.
WebLogic Web services are not required to be associated with a security configuration. If the default behavior of the Web services security runtime is adequate, no additional configuration is needed. If, however, a Web service requires different behavior from the default (such as using an X.509 certificate for identity, rather than the default username/password token), the Web service must be associated with a security configuration.
The default security configuration is default_wss. It must be created using the Administration console, following the steps in Create a Web Service security configuration in the Administration Console Online Help at:
You use Java Management Extension (JMX) MBeans Access to control access to the OAM functionality of Marketing and Advertising, both through the Administration console and through external mechanisms. Access to these MBeans is controlled by JMX Policy, which associates management user groups with access privilege levels. When Marketing and Advertising is installed, there are no controls established by default on access to the OAM MBeans. Each installation must make decisions about access based on its own needs.
Management users and groups are set up as described in "Setting Up Management Users". To control how these users have access to MBeans, and thus OAM functionality, you must assign JMX Policy to these user groups. You use WebLogic Server Administration console to do this, as described in the on-line help for the Administration console at:
http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/core/index.html
Each policy can do the following:
Control read access for all an MBean's attributes or for specific attributes that you select.
Control write access for all an MBean's attributes or for specific attributes that you select.
Control invoke access for all an MBean's operations or for specific operations that you select.
In addition to controlling access to OAM functionality in a general way (ReadOnly, ReadWrite, etc.), you may also wish to control access by service group. For example, if you have users whose job is limited to setting up and managing some aspects of provisioning, but not all, you might want to give them, and only them, ReadWrite privileges, but only to a subset of the available MBeans. To do this you have to create custom XACML policies to attach to these subsets. Oracle Communications Services Gatekeeper uses the standard WebLogic Server mechanisms for doing this. For the basic process you must:
Determine the special identifier (called the resourceId) for each MBean.
Create an XACML policy for a security role.
Specify one or more Rule elements that define which users, groups, or roles belong to the new security role.
Attach this role to the MBean by way of the resourceId.
For more information, see "Using XACML Documents to Secure WebLogic Resources" in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server at:
http://download.oracle.com/docs/cd/E15523_01/web.1111/e13747/xacmlusing.htm#i1276253
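The four steps above, worked through as an added example that is not part of this guide: a constructed XACML 2.0 policy whose Target is pinned to one MBean resourceId and whose Rule elements grant access by group membership, plus a small evaluator that shows how the Target and first-applicable rule combining decide a request. The resourceId follows the shape WebLogic uses for JMX resources but its mbeanType is a placeholder (step 1 tells you to determine the real one), the ProvisioningAdmins group is assumed, and the subject group attribute id is assumed to match the one WebLogic's XACML documentation describes.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}

# Constructed resourceId in the shape WebLogic uses for JMX resources; the
# mbeanType is a placeholder, not a real Marketing and Advertising MBean.
RESOURCE_ID = "type=<jmx>, operation=invoke, application=, mbeanType=PLACEHOLDER.ProvisioningMBean"
_ESCAPED = RESOURCE_ID.replace("<", "&lt;").replace(">", "&gt;")

# Constructed XACML 2.0 policy: Target pins it to one MBean resourceId; the
# first Rule permits members of the (assumed) ProvisioningAdmins group, the
# second denies everyone else.  first-applicable means rule order matters.
POLICY_XML = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="provisioning-admins-invoke"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Resources><Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{_ESCAPED}</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource></Resources></Target>
  <Rule RuleId="allow-provisioning-admins" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ProvisioningAdmins</AttributeValue>
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:subject:group"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>"""


def decide(policy_xml, resource_id, groups):
    """Evaluate one request (resourceId + subject's groups): Permit, Deny or NotApplicable."""
    policy = ET.fromstring(policy_xml)
    # Target: the policy applies only when the request's resourceId equals the matched value.
    wanted = policy.findtext("x:Target/x:Resources/x:Resource/x:ResourceMatch/x:AttributeValue", namespaces=NS)
    if wanted != resource_id:
        return "NotApplicable"
    # first-applicable: the first Rule whose Condition holds decides; a Rule
    # without a Condition always applies, so it acts as the fallback.
    for rule in policy.findall("x:Rule", NS):
        required_group = rule.find("x:Condition/x:Apply/x:AttributeValue", NS)
        if required_group is None or required_group.text in groups:
            return rule.get("Effect")
    return "NotApplicable"
```

A request for a different MBean falls outside the Target and is NotApplicable rather than Deny, which is why a subset of MBeans can be covered by one such policy without affecting the rest.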