Oracle® Communications Services Gatekeeper Security Guide Release 5.1 E36134-01
This chapter explains the steps necessary to securely install Oracle Communications Services Gatekeeper (Services Gatekeeper).
The following sections explain how to install Services Gatekeeper securely.
See Oracle Communications Services Gatekeeper Deployment Guide for a description of the Services Gatekeeper components and a discussion of how to protect them from software attack. Oracle Communications Services Gatekeeper Deployment Guide also explains the deployment templates that Services Gatekeeper provides for each of the deployment types it supports.
The discussion on XML appliances in Oracle Communications Services Gatekeeper Deployment Guide explains where your firewalls should be situated to protect your Services Gatekeeper components.
This section explains security-related tasks that you perform before installing Services Gatekeeper.
Before installing Services Gatekeeper, you must install a database to support Services Gatekeeper information. See the discussion on supported databases in Oracle Communications Services Gatekeeper Installation Guide for a list of the supported databases.
Oracle strongly recommends that you deploy the Services Gatekeeper database in its own tier, for both security and performance reasons. See Oracle Communications Services Gatekeeper Deployment Guide for more details.
Your database must have a database user for Services Gatekeeper with an unlimited quota and have privileges to create sessions and tables. Record and protect these credentials as you would any other administrative password. You reference them during domain configuration. See the discussions on defining a database user for the Oracle Database and configuring domain settings in Oracle Communications Services Gatekeeper Installation Guide for details.
You perform a secure Services Gatekeeper installation by:
Installing Services Gatekeeper in a clustered deployment (separate application and networking tiers) so that the individual components are easier to defend.
Obtaining and installing firewalls between the tiers for protection. See "Securing Services Gatekeeper Components with Firewalls" for more information.
Creating Services Gatekeeper administrative users to administer Services Gatekeeper and any third-party services developers. See "Creating Administrative Users" for more information.
Obtaining and installing Java Cryptography Extension (optional).
Obtaining and installing a custom password validator (optional).
See the Oracle Communications Services Gatekeeper Installation Guide for instructions on how to perform these tasks. The sections that follow provide more information.
Firewalls are essential for securing production implementations, but may be omitted for test and evaluation implementations. See Oracle Communications Services Gatekeeper Deployment Guide for examples of where to place firewalls in your implementation.
You create two different types of administrative users: traffic users, which are application instances that send traffic through the application-facing instances, and management users, which administer Services Gatekeeper itself. You collect these users into groups to manage them more easily.
Every implementation must have a main administrator user that you create when you first configure a domain, by entering the username and password. Record and protect these credentials because the main administrator user has the power to grant or deny access for all other users. See the discussions on configuring administrator user names and passwords in Oracle Communications Services Gatekeeper Installation Guide for details on creating the main administrator user.
Create as few management users as possible, protect their credentials, and have procedures in place that allow you to quickly remove management users as they are relieved of responsibility.
You also need to create traffic users (application instances) that use the application-facing instances to send traffic, and other management users to manage and administer Services Gatekeeper itself. See the discussion on managing management users and management user groups in Oracle Communications Services Gatekeeper System Administrator's Guide for details. That discussion also contains the APIs that you use to manage traffic and management users.
This section explains security-related tasks that you perform during and immediately after installing Services Gatekeeper, but before you put it into production.
For information on securing Services Gatekeeper domains, see the discussion on RDBMS security store in Oracle Communications Services Gatekeeper Installation Guide.
Services Gatekeeper is built on Oracle WebLogic Server, and it shares many of the same security concerns. For example:
The ability to use SSL/TLS security to protect web-based traffic.
The ability to use a credential store to protect web-based traffic.
The ability to create single sign-on (SSO) logins for your subscribers (or your customer's subscribers).
For an overview and details, see Oracle Fusion Middleware Securing Oracle WebLogic Server here: http://docs.oracle.com/cd/E24329_01/index.htm
You need to configure the JDBC data sources and Oracle RAC multi data sources by referencing the database users you created in the "Creating and Authorizing Database Users" section. For details, see the discussion on configuring domain settings in Oracle Communications Services Gatekeeper Installation Guide.
By default any administrative user can access and change the OAM MBean settings using the Oracle Fusion Middleware Oracle WebLogic Server Administration Console. If your implementation requires a more restrictive control, see the discussions on securing web services and OAM MBeans in Oracle Communications Services Gatekeeper System Administrator's Guide.
Web services security determines the level of protection that Services Gatekeeper requires for the web messages it sends and receives. The default level of security requires authentication tokens (username and password) for all messages. The choices are:
Username/Password Authentication (Username Token)
XML Digital Signatures (X.509 Certificate Token)
Encryption (SSL or TLS SAML Tokens)
You set the authentication level per web service using the Services Gatekeeper Administration Console and, if more security is required, using WebLogic tools.
For details see the discussions on securing web services and Oracle Access Manager MBeans in Oracle Communications Services Gatekeeper System Administrator's Guide. Some of those procedures require database administration privileges. For details, see the discussion on configuring administrator user names and passwords in Oracle Communications Services Gatekeeper Installation Guide.
For instructions on setting up TLS/SSL see Oracle Fusion Middleware Securing Oracle WebLogic Server.
For information about installing Oracle Service Bus (OSB), see Oracle Fusion Middleware Installation Guide for Oracle Service Bus 11g Release 1 (11.1.1.3) at: http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15017/toc.htm
For information on securing Services Gatekeeper Service Oriented Architecture (SOA) see the discussion on managing and configuring SOA facades in Oracle Communications Services Gatekeeper System Administrator's Guide.
Separating Services Gatekeeper geographically protects you against data loss and service failure in the event of a natural disaster or other catastrophic event.
For details on geographically redundant deployments, see Oracle Communications Services Gatekeeper Deployment Guide.
A password validator is not required to run Services Gatekeeper, but it ensures that your partners and their subscribers adhere to a consistent level of password security. See the discussion on post installation in Oracle Communications Services Gatekeeper Installation Guide for details on adding custom password validators.
Java Cryptography Extension (JCE) is not required for Services Gatekeeper to run, but it does relieve web servers from the burden imposed by Secure Sockets Layer (SSL) security. See the discussion on post installation in Oracle Communications Services Gatekeeper Installation Guide for details on adding JCE.