
Product Description


Security

The following sections describe WebLogic Network Gatekeeper security.

Overview

The security areas covered by the WebLogic Network Gatekeeper concern the interworking between the WebLogic Network Gatekeeper and the applications, the security of data storage, and management security.

Identification and authentication

Web Services

All applications, that is, application instances in application instance groups (see Service Provider and Application Administration on page 1), accessing the WebLogic Network Gatekeeper through the Web Services interfaces use a Kerberos-type, service token-based authentication.

The application instance group is provided with a user name (the application instance group ID) and a password. When an application instance in the application instance group wants access to the WebLogic Network Gatekeeper, the application instance logs in using the user name and password together with the application account ID and service provider ID to retrieve a service token.

This mechanism can optionally be extended using, for example, Passport or other extended Kerberos Key Distribution Centre (KDC) solutions.

Other integrated interfaces

If an integrated interface like CIMD or SMPP is exposed to applications through the WebLogic Network Gatekeeper, that interface's authentication mechanism will be used. Such mechanisms are typically based on a user name and password combination.

Authorisation and service access

Web Services

At log in, the WebLogic Network Gatekeeper verifies that the application instance group's current number of active service sessions is less than the maximum number of allowed concurrent service sessions specified in the application instance group's SLA. If it is less than the specified maximum, a service token is sent to the application instance. When the number of concurrent service sessions already equals the maximum, the oldest service session is terminated before the service token is sent to the application instance.

For every service request, the application instance includes the service token in the SOAP request's header. Before a service request is accepted, policy is used to verify that the request fulfils the criteria specified in the service provider SLA and in the application SLA.

Other integrated interfaces

Integrated interfaces make use of the same authorisation and service access control mechanisms as described above. That is, policy is used to verify that the service requests fulfil the criteria specified in the service provider SLA and in the application SLA.

SLA data

The following criteria are specified at each SLA level:

  • Service Provider (Enterprise Operator)

Traffic and charging related data and destination address black- and white-lists, for example, which network capabilities are available to the service providers in the group and the maximum bandwidth available. It also specifies access to charging capabilities and revenue sharing schemas.

  • Application

Traffic and charging related data and destination address black- and white-lists, for example, which network capabilities are available to the applications in the group and the maximum bandwidth available. It also specifies access to charging capabilities and revenue sharing schemas.

  • Application Instance (Group)

The maximum number of allowed concurrent sessions.
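The log-in, session-cap and per-request SLA checks described above, as an added example that is not the product's own code. The SLA contents, group credentials and token format are constructed assumptions; the application account ID and service provider ID passed at log in are left out, and a random hex string stands in for the Kerberos-type service token.

```python
import secrets
from collections import OrderedDict

# Constructed SLA data for one service provider, one application and one
# application instance group; the dict keys are illustrative, not the product's.
SP_SLA = {"capabilities": {"sms", "mms"}, "blacklist": {"+46700000000"}, "whitelist": set()}
APP_SLA = {"capabilities": {"sms"}, "blacklist": set(), "whitelist": set()}
GROUP_SLA = {"max_sessions": 2}
GROUP_CREDENTIALS = ("group-42", "s3cret")  # instance group ID and password (constructed)

event_log = []  # stands in for the event log
alarms = []     # stands in for the policy service's alarms

def policy_violation(sla, capability, destination):
    """Return the first SLA criterion the request breaks, or None if it passes."""
    if capability not in sla["capabilities"]:
        return f"capability {capability} not granted"
    if destination in sla["blacklist"]:
        return f"destination {destination} black-listed"
    if sla["whitelist"] and destination not in sla["whitelist"]:
        return f"destination {destination} not white-listed"
    return None

class Gatekeeper:
    def __init__(self):
        self.sessions = OrderedDict()  # service token -> group ID, oldest first

    def login(self, group_id, password):
        """Issue a service token; evict the group's oldest session when at the SLA cap."""
        if (group_id, password) != GROUP_CREDENTIALS:
            event_log.append(("login_failed", group_id))
            return None
        active = [t for t, g in self.sessions.items() if g == group_id]
        if len(active) >= GROUP_SLA["max_sessions"]:
            del self.sessions[active[0]]  # oldest service session terminated
        token = secrets.token_hex(16)     # random stand-in for the Kerberos-type token
        self.sessions[token] = group_id
        event_log.append(("login_ok", group_id))
        return token

    def request(self, token, capability, destination):
        """Check the token carried in the SOAP header, then each SLA level in turn."""
        if token not in self.sessions:
            return "denied: invalid token"
        for level, sla in (("service provider SLA", SP_SLA), ("application SLA", APP_SLA)):
            reason = policy_violation(sla, capability, destination)
            if reason:
                alarms.append((level, reason))  # SLA violation raises an alarm
                return f"denied: {level}: {reason}"
        return "accepted"
```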

Integrity and confidentiality

To guarantee the integrity and confidentiality in the communication between the WebLogic Network Gatekeeper and the application, the communication can be encapsulated and encrypted using SSL (Web Services) or a Virtual Private Network (VPN) (Web Services and integrated interfaces).

The VPN is a firewall-to-firewall connection, with VPN routers attached to the WebLogic Network Gatekeeper and the application server, see Figure 12-1, WebLogic Network Gatekeeper to application VPN connection, on page 12-4.


Auditing and non-repudiation

Both successful and unsuccessful login attempts generate events that are written to the event log, and all transactions are stored as CDRs in the database. The policy service generates alarms when service requests are denied due to SLA violations.

Network authentication

The WebLogic Network Gatekeeper protocol plug-ins authenticate with the underlying network nodes if the protocol provides an authentication interface.

Database security

Access to the WebLogic Network Gatekeeper database (see Database on page 9) is protected by host address, user name and password combinations. The different SLEE service database users have access to a limited set of database tables, that is, only tables related to the service. In addition, SLEE service database users cannot grant additional privileges to themselves or to other users, other than on the service's own tables.

Sensitive data, such as user and database passwords as well as user certificates and private keys, is encrypted before being stored in the database.

Management security

User and password

To work with OAM through the WebLogic Network Gatekeeper management tool, an administrative user needs a user name and a password. The user names and passwords are encrypted before being stored in the WebLogic Network Gatekeeper database.

The user name and password are used when logging in to the management tool and when sending commands from the management tool towards WebLogic Network Gatekeeper.

Access levels and administration groups

At registration all administrative users are provided with an access level. The access level is one of the following:

  • Read only

A read only user can only read registered data.

  • Standard read and write

A standard read and write user can read all types of data but only set non critical data.

  • Administrator

An administrator user can read and set all types of data including user accounts.

To limit users' access to the different parts of the platform, logical administration groups can be created. The groups are created by the operator to fit the operator's OAM organization. One group consists of one or more logically related software modules.

The administrative users are connected to one or more of these administration groups depending on their responsibilities. A user maintains the same access level throughout all groups he or she is connected to.

All OAM work is performed through the WebLogic Network Gatekeeper management tool's graphical or text based interface.
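The access-level and administration-group model from this section, as an added example that is not the product's own code. The module names, group names and the rule that user accounts count as critical data are constructed assumptions; the page only states that administrators alone may set critical data and user accounts.

```python
from enum import IntEnum

class AccessLevel(IntEnum):
    READ_ONLY = 1      # can only read registered data
    STANDARD = 2       # can read all data but set only non-critical data
    ADMINISTRATOR = 3  # can read and set all data, including user accounts

# Constructed administration groups: each is a set of logically related
# software modules, as the operator would define them to fit its OAM organization.
ADMIN_GROUPS = {
    "messaging": {"sms_plugin", "mms_plugin"},
    "charging": {"cdr_service", "billing_gateway"},
    "users": {"user_accounts"},
}

class AdminUser:
    def __init__(self, name, level, groups):
        self.name, self.level, self.groups = name, level, set(groups)

    def modules(self):
        """All modules reachable through the user's administration groups."""
        return set().union(*(ADMIN_GROUPS[g] for g in self.groups))

def is_permitted(user, operation, module, critical=False):
    """operation is 'read' or 'set'; the user's access level applies in every group alike."""
    if module not in user.modules():
        return False  # outside the user's administration groups
    if operation == "read":
        return True
    if operation == "set":
        if critical or module == "user_accounts":
            return user.level >= AccessLevel.ADMINISTRATOR
        return user.level >= AccessLevel.STANDARD
    return False
```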
