5 Security Considerations for Developers

This chapter provides information for developers about how to secure applications for Oracle Communications Services Gatekeeper.

Securing Applications Against Malicious Traffic

Your network implementation can be vulnerable to denial of service (DoS) attacks, which generally try to exhaust resources or otherwise interfere with legitimate communication inside the Services Gatekeeper Access Tier. To stop such messages before they reach your network, Services Gatekeeper offers configurable SOAP and RESTful message filtering. You configure this filtering by using the ApiFirewall configuration MBean, which determines how Services Gatekeeper filters messages attempting to enter the Services Gatekeeper application tier.

Table 5-1 lists network attacks that Services Gatekeeper protects against, and lists where you can find information about configuring those protections.

Table 5-1 Message-Based Attacks and How to Protect Against Them

Each entry lists the attack strategy, the protection strategy, and the default result when the message is rejected.

Attack strategy: Malicious content attack, including:

  SOAP message attacks:

    • Oversize payloads.

    • Oversize element, attribute, comment, or namespace.

    • An excessive number of attributes on a single element.

    • Messages with an inordinately large number of nested elements.

    • Oversize processing instructions, comments, CDATA items, or attribute values.

  RESTful message attacks:

    • Oversize message bodies.

    • Oversize JSON or element values.

    • JSON arrays with an excessive number of elements.

    • Messages with an inordinately large number of nested elements.

Protection strategy: The ApiFirewall MBean settings (application tier) limit the size, nesting depth, and count of the message entities that are accepted. See the "All Classes" section of Services Gatekeeper OAM Java API Reference for details.

Default result: Rejects the message and returns the error status specified by the ErrorStatus attribute of ApiFirewallMBean.

Attack strategy: Continuous wrong password attack.

Protection strategy: The default WebLogic Security Provider setting (application tier) locks the account out for 30 minutes after 5 wrong password attempts. Both the threshold and the lockout duration are configurable. See the section on protecting user accounts in Administering Security for Oracle WebLogic Server for more information.

Default result: Rejects the message and returns a 500 Internal Server Error message.

Attack strategy: Malformed SOAP message (does not match the SOAP schema), including:

  • Messages that deliberately do not match the schema.

  • Messages that include a custom entity extension (XML bomb) or circular reference.

  • Messages that include a recursive entity expansion.

  • Messages that attempt to change the DTD definition.

Protection strategy: You can direct the WebLogic SOAP message processor (application tier) to validate messages against the SOAP schema and reject malformed messages. See "Validating the XML Schema" in Oracle Fusion Middleware Getting Started with JAX-WS Web Services for Oracle WebLogic Server for more information. In addition, the WebLogic Server SOAP engine ignores any attempt to change the DTD definition in a SOAP message.

Default result: Rejects the message and returns a 500 Internal Server Error message.

Attack strategy: Malformed RESTful message (does not match the expected REST schema).

Protection strategy: The Jersey parsing engine (network tier) rejects these messages.

Default result: Rejects the message and returns a 500 Internal Server Error message.

Attack strategy: External entity reference.

Protection strategy: The Services Gatekeeper ApiFirewall (application tier) prohibits any reference to an external entity. This behavior is not configurable.

Default result: Rejects the message and returns a 500 Internal Server Error message.


Configuring Network Traffic Security

You configure network traffic security by performing the following general tasks:

  • Deciding which error status to return when a SOAP or REST message is rejected. The default is 400 Bad Request, which is the most descriptive choice because it tells the client that the request itself, not the server, was at fault. You set the status by using the ErrorStatus attribute of ApiFirewallMBean. See the "All Classes" section of Services Gatekeeper OAM Java API Reference for details.

  • Setting the maximum limits for incoming messages, including:

    • The maximum size of a single message item, such as a comment, attribute value, or JSON value, by using the MaxItemValueLength attribute of ApiFirewallMBean.

    • The maximum total size of a message by using the MaxMessageSize attribute of ApiFirewallMBean.

    • The maximum depth of nested message elements by using the MaxChildElementDepth attribute of ApiFirewallMBean.

    • The maximum number of unbounded items, such as repeated child elements or JSON array members, by using the MaxUnboundedItems attribute of ApiFirewallMBean.

  • (Optional) Creating a list of trusted APIs. Most of the ApiFirewall MBean security attributes filter messages that are potential security risks, and this filtering degrades performance slightly. To avoid the penalty, create a list of trusted APIs that are exempt from filtering by using the ApiConfigXml attribute of ApiFirewallMBean. Because exempted traffic bypasses every check in Table 5-1, exempt only APIs whose clients you control.

For a description of the attributes and operations of ApiFirewallMBean, see the "All Classes" section of Services Gatekeeper OAM Java API Reference.
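The limits in Table 5-1 and the ApiFirewallMBean attributes listed above are easier to reason about when you see the checks they stand for. The following Python is an added example written for this page, not Services Gatekeeper or WebLogic code: it applies limits in the style of MaxMessageSize, MaxChildElementDepth, MaxUnboundedItems, MaxItemValueLength and ErrorStatus to a SOAP/XML body (inside expat callbacks, refusing any DOCTYPE or external entity outright) and to a JSON body (a single pass over the raw bytes before json.loads is allowed to build anything), and rejects with a configurable HTTP status. The Limits, Rejected, fail, check_xml and check_json names, the numeric limit values, and the exact points at which each check runs are assumptions made for this example; the product enforces its own limits in its own way.

```python
"""Pre-parse limits modelled on the ApiFirewallMBean attributes named in this chapter (constructed example)."""
import json
import xml.parsers.expat
from dataclasses import dataclass


class Rejected(Exception):
    """Raised when a payload breaks a limit; args == (reason, http_status)."""
    status = property(lambda self: self.args[1])


@dataclass(frozen=True)
class Limits:
    # Names mirror the MBean attributes; the values are illustrative, not product defaults.
    max_message_size: int = 64 * 1024  # bytes in the whole entity body
    max_child_element_depth: int = 32  # element / JSON container nesting
    max_unbounded_items: int = 1000    # children of one element, members of one array
    max_item_value_length: int = 4096  # one name, attribute, text node, comment, PI or string
    error_status: int = 400            # ErrorStatus: the status the client sees on rejection


def fail(limits, reason):
    raise Rejected(reason, limits.error_status)


def check_xml(body: bytes, limits: Limits = Limits()) -> int:
    """Enforce the limits inside expat callbacks so an offending document is refused while
    still being read; DOCTYPE and external entities are always refused. Returns the element count."""
    if len(body) > limits.max_message_size:
        fail(limits, "MaxMessageSize exceeded")

    def bounded(kind, length):
        if length > limits.max_item_value_length:
            fail(limits, f"MaxItemValueLength exceeded in {kind}")

    count, children, text_len = 0, [0], [0]  # per open element: child count, text length

    def start(name, attrs):
        nonlocal count
        if len(children) > limits.max_child_element_depth:
            fail(limits, "MaxChildElementDepth exceeded")
        children[-1] += 1
        if max(children[-1], len(attrs)) > limits.max_unbounded_items:
            fail(limits, "MaxUnboundedItems exceeded")
        bounded("element name", len(name))
        for k, v in attrs.items():
            bounded("attribute", len(k) + len(v))
        children.append(0)
        text_len.append(0)
        count += 1

    def text(data):
        text_len[-1] += len(data)  # expat may split one text node into several chunks
        bounded("text", text_len[-1])

    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler = start
    p.EndElementHandler = lambda name: (children.pop(), text_len.pop())
    p.CharacterDataHandler = text
    p.CommentHandler = lambda data: bounded("comment", len(data))
    p.ProcessingInstructionHandler = lambda target, data: bounded("processing instruction", len(data))
    p.StartDoctypeDeclHandler = lambda *a: fail(limits, "DTD not allowed")
    p.ExternalEntityRefHandler = lambda *a: fail(limits, "external entity not allowed")
    try:
        p.Parse(body, True)
    except xml.parsers.expat.ExpatError as e:
        fail(limits, f"malformed XML: {e}")
    return count


def check_json(body: bytes, limits: Limits = Limits()):
    """Scan the raw bytes for depth, members per container and string length before json.loads
    builds anything (deep nesting would otherwise hit the recursion limit inside the parser)."""
    if len(body) > limits.max_message_size:
        fail(limits, "MaxMessageSize exceeded")
    commas, in_string, escaped, start = [], False, False, 0  # commas: one counter per open container
    for i, b in enumerate(body):
        if in_string:  # inside a literal only an unescaped closing quote matters
            if escaped:
                escaped = False
            elif b == 0x5C:  # backslash
                escaped = True
            elif b == 0x22:  # closing quote
                in_string = False
                if i - start - 1 > limits.max_item_value_length:
                    fail(limits, "MaxItemValueLength exceeded in string")
        elif b == 0x22:
            in_string, start = True, i
        elif b in b"[{":
            commas.append(0)
            if len(commas) > limits.max_child_element_depth:
                fail(limits, "MaxChildElementDepth exceeded")
        elif b in b"]}":
            if not commas:
                fail(limits, "malformed JSON: unbalanced brackets")
            commas.pop()
        elif b == 0x2C and commas:  # comma: n commas means n + 1 members
            commas[-1] += 1
            if commas[-1] >= limits.max_unbounded_items:
                fail(limits, "MaxUnboundedItems exceeded")
    try:
        return json.loads(body)
    except (ValueError, RecursionError) as e:
        fail(limits, f"malformed JSON: {e}")
```

Feeding check_xml a document that starts with a DOCTYPE, or check_json forty nested arrays, raises Rejected before any application code sees the payload; a gateway would map Rejected.status to the HTTP response, which is the role the ErrorStatus attribute plays in Services Gatekeeper. Note that the XML checks run inside the parser callbacks and the JSON checks run over the raw bytes, so in both cases an oversize or too-deep message is refused without the expensive structure ever being built.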