Oracle® Fusion Middleware Developer's Guide for Oracle Service Bus
11g Release 1 (11.1.1.6.3)

Part Number E15866-08

48 Securing Oracle Service Bus in a Production Environment

This chapter describes recommended strategies for securing Oracle Service Bus in a production environment.

To prepare an Oracle Service Bus installation for production, you must pay special attention to your security needs. The following list outlines some of the tasks you need to perform:

48.1 Undeploying the Service Bus (SB) Resource

Oracle Service Bus provides a resource servlet (MW_HOME/OSB_HOME/lib/sbresourceWar/sbresource.war) that is used to expose the resources registered in Oracle Service Bus. The resources registered with Oracle Service Bus include:

However, this servlet provides anonymous HTTP access to metadata, and as such it may be considered a security risk in some high-security environments.

If you do not want the Oracle Service Bus resources to be available anonymously via HTTP, you can set security roles on sbresource.war to control access to it, or undeploy the resource completely.

Note:

If you undeploy the SB resource you will no longer be able to use the UDDI subsystem.

48.2 Protection of Temporary Files With Streaming Body Content

As described in "The Message Context Model" in the Oracle Fusion Middleware Administrator's Guide for Oracle Service Bus, you can specify that the Oracle Service Bus pipeline streams message content rather than loading it into memory. When you enable content streaming for a proxy service, you specify whether to buffer the streamed content in memory or in a disk file as an intermediate step during message processing.

If you use these temporary disk files, you should protect them.

To lock down your Oracle Service Bus domain, set the com.bea.wli.sb.context.tmpdir Java system property to specify where these temporary files will be written.

Make sure this directory exists and has the right set of access permissions.

For more information see the file access permission and file system recommendations in Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server.
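One way to carry out the steps above, as an added example rather than Oracle's own script: it creates the directory with owner-only permissions, rejects symlinks and any group or other access, and prints the JVM argument that sets the property. It assumes the script runs as the OS account that runs the Oracle Service Bus server; the function names and the directory path you pass are illustrative.

```shell
#!/bin/sh
# Added example: prepare and verify the directory named by
# com.bea.wli.sb.context.tmpdir before the server is started.
# Assumption: run as the OS account that runs the OSB server JVM.

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with no group/other bits and no setgid/sticky bit.
check_tmpdir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "FAIL: $dir is a symlink" >&2; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2; return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "FAIL: $dir is not owned by $(id -un)" >&2; return 1
    fi
    # First 10 characters of ls -ld are the type and mode, e.g. drwx------
    perms=$(ls -ld "$dir" | cut -c1-10)
    case $perms in
        d???------) return 0 ;;
        *) echo "FAIL: $dir is $perms; remove group/other access" >&2
           return 1 ;;
    esac
}

# Create the directory owner-only if it does not exist, then verify it.
prepare_tmpdir() {
    dir=$1
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        (umask 077 && mkdir -p "$dir") || return 1
    fi
    check_tmpdir "$dir"
}

# Print the JVM argument only for a directory that passes the check.
tmpdir_java_option() {
    check_tmpdir "$1" || return 1
    printf '%s\n' "-Dcom.bea.wli.sb.context.tmpdir=$1"
}

# Stand-alone use: sh script.sh /path/to/dir (the path is your choice)
if [ "$#" -gt 0 ]; then
    prepare_tmpdir "$1" && tmpdir_java_option "$1"
fi
```

Add the printed argument to the Java options used to start the Oracle Service Bus servers in the domain.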

48.3 Protecting Against Denial of Service Attacks on the Oracle Service Bus Administration Console

In a production environment, the Oracle Service Bus Administration Console should not be accessible to users other than administrators.

A denial of service attack can take the form of a high volume of requests from a single source or new connections being made to the server once resource constraints have reached a certain point.

Following are suggestions for protecting against denial of service attacks on the Oracle Service Bus Administration Console.