The following section describes enabling security settings for Web Services and for OAM MBeans in Oracle Communications Services Gatekeeper.
One of the first things you must do in setting up your Oracle Communications Services Gatekeeper installation is to make decisions about two key forms of security for your installation: Web Services security and MBean security. Web Services security controls Oracle Communications Services Gatekeeper’s interactions with applications. MBean security controls who can have access to the Runtime MBean Server within your WebLogic Server installation, the mechanism that allows OAM procedures to be done.
Web Services security provides end-to-end message-level security for web services through an implementation of the WS-Security standard.
WS-Security defines a mechanism for adding three levels of security to SOAP messages:
Note: Out of the box, Oracle Communications Services Gatekeeper is pre-configured to use user name/password authentication.
Oracle Communications Services Gatekeeper uses the WebLogic Server mechanism for Web Services Security, WSSE policies:
Authentication is handled transparently by WS-Security and subsequently by the configured authentication providers and login modules of the WebLogic Security framework. WS-Security also supports signing and encrypting a message by providing a security token hierarchy associated with the keys used for signing and encryption (for message integrity and confidentiality).
The following steps outline the general WebLogic security configurations that can be performed, either automatically using a script or manually from the Administration Console.
This section outlines how to apply an existing WS-Policy and where to find more information on creating and using custom WS-Policies.
This section outlines how to apply a WSSE policy to a Web Service endpoint in Oracle Communications Services Gatekeeper.
Note: By default, Oracle Communications Services Gatekeeper is pre-configured to use WS-Security with UsernameToken. It is also set up to require this authentication only for inbound traffic. The following description is provided in case this particular mechanism does not cover the needs of your installation.
Standard WebLogic Server mechanisms are used; see the on-line help for the WebLogic Server Administration Console for a full description of how to associate a WS-Policy file with a Web Service.
(Figure: the Settings for <Web Service> page)
$DOMAIN_HOME/servers/AT1/stage/wlng_at/plan/Plan.xml
(For a single-instance development machine, substitute your server name for AT1.)

Note: Applying a security policy to a Web Service establishes, by default, both inbound and outbound security policies. Because there is no way for Oracle Communications Services Gatekeeper to know what security policies may be required by a client to which it is returning a notification, outbound security must be turned off. If you wish to secure the link by which Oracle Communications Services Gatekeeper returns notifications, you should use SSL.

Note: To turn off outbound security associated with a particular WS-Policy file, you must edit the plan.xml file that is created when you attach a policy to a Web Service, as in step 8 above. The default location is /domains/<wlng-access-network-domain>/servers/AT1/stage/wlng_at/plan/Plan.xml, but your location may vary. Make sure the <value> element is set to inbound, as in the following stanza:

<variable>
  <name>WsPolicy_policy:Auth.xml_Direction_11745107731400</name>
  <value>inbound</value>
</variable>
This section outlines how to set up WSSE with X.509.
This section outlines how to apply a WSSE policy of the type UsernameToken with Digest to a Web Service endpoint in Oracle Communications Services Gatekeeper.
Starting in the Administrative Console:
WEB-INF/policies directory of the WAR file for the Web Service. Repackage it and redeploy it.
Use the WS-Policy file WsPolicy:UsernameTokenDigestPolicy.xml
Edit the deployment plan, plan.xml, to indicate inbound only for the entry WsPolicy_policy:UsernameTokenDigestPolicy.xml in plan.xml
<?xml version="1.0"?>
<!-- WS-SecurityPolicy -->
<wsp:Policy
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wssp="http://www.bea.com/wls90/security/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
  >
  <!-- Identity Assertion -->
  <wssp:Identity>
    <wssp:SupportedTokens>
      <!-- Use UsernameToken for authentication -->
      <wssp:SecurityToken IncludeInMessage="true"
        TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
        <wssp:UsePassword
          Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"/>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
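As an added example (not from the Oracle documentation) of what the digest policy above obliges the receiving side to check: verifying a wsse:UsernameToken whose Password carries the PasswordDigest Type referenced in the policy, following the OASIS UsernameToken profile formula, plus the freshness and nonce-replay checks that make a digest token worth more than a plaintext one. The names build_token, verify_username_token and demo, and the credentials and nonces, are constructed for this illustration.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce_b64, created, password):
    """UsernameToken profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_token(user, password, nonce_b64, created):
    """Constructed wsse:Security header of the shape a client sends under the digest policy."""
    return (f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>{user}</wsse:Username><wsse:Password Type="{DIGEST_TYPE}">'
            f'{password_digest(nonce_b64, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
            '</wsse:UsernameToken></wsse:Security>')

def verify_username_token(xml_text, lookup_password, seen_nonces, now, max_skew=timedelta(minutes=5)):
    """Receiver-side check: digest type, freshness window, nonce replay, then the digest itself."""
    tok = ET.fromstring(xml_text).find(f"{{{WSSE}}}UsernameToken")
    if tok is None: return False, "no UsernameToken"
    user, pwd = tok.findtext(f"{{{WSSE}}}Username"), tok.find(f"{{{WSSE}}}Password")
    nonce, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
    if pwd is None or pwd.get("Type") != DIGEST_TYPE or not (user and nonce and created):
        return False, "malformed token or password is not a PasswordDigest"
    ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - ts) > max_skew:
        return False, "Created outside freshness window"
    if nonce in seen_nonces:
        return False, "nonce replayed"
    secret = lookup_password(user)
    expected = password_digest(nonce, created, secret or "")  # compute even for unknown users
    if secret is None or not hmac.compare_digest(expected, pwd.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce)  # remember the nonce only for tokens that authenticated
    return True, "ok"

def demo():
    """Constructed run: a valid token, its replay, and a fresh-nonce token built with the wrong password."""
    now, created = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc), "2024-01-01T11:59:30Z"
    n1, n2 = (base64.b64encode(b).decode() for b in (b"constructed-nonce-01", b"constructed-nonce-02"))
    lookup, seen = {"app1": "s3cret"}.get, set()  # constructed credential store
    good, bad = build_token("app1", "s3cret", n1, created), build_token("app1", "wrong", n2, created)
    return (verify_username_token(good, lookup, seen, now)[0],
            verify_username_token(good, lookup, seen, now)[1],
            verify_username_token(bad, lookup, seen, now)[1])
```

The nonce set must be shared across all server instances that accept the same Web Service, and pruned once entries are older than the freshness window.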
Network Gatekeeper 2.2 and earlier used a different mode of authentication than the WS-Security model. Oracle Communications Services Gatekeeper can be configured to support applications designed to work using the older model, but the WS-Policy that is configured out of the box must be removed.
Note: The easiest way to do this is to make these changes before you start Oracle Communications Services Gatekeeper for the first time. Certain configuration values are cached on start up. So, for example, if you started Oracle Communications Services Gatekeeper during the Post-Install phase in order to set up additional JMS Servers, you will need to redeploy the wlng_at.ear file after you have made your changes.
To remove the policy files from a Web Service:
Edit the weblogic-webservices-policy.xml file for that Web Service to remove the policy entries.
Note: See Listing 16-3 and Listing 16-4 for before and after snippets.
<?xml version='1.0' encoding='UTF-8'?>
<webservice-policy-ref xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <port-policy>
    <port-name>AudioCall</port-name>
    <ws-policy>
      <uri>policy:Auth.xml</uri>
      <direction>inbound</direction>
    </ws-policy>
  </port-policy>
</webservice-policy-ref>
<?xml version='1.0' encoding='UTF-8'?>
<webservice-policy-ref xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"></webservice-policy-ref>
weblogic-webservices-policy.xml file
For information about creating and using a custom policy file for message-level security, see Oracle WebLogic Server Securing WebLogic Web Services at http://download.oracle.com/docs/cd/E12840_01/wls/docs103/webserv_sec.
There is also information about this in the on-line help for the WebLogic Server Administration Console at http://download.oracle.com/docs/cd/E12840_01/wls/docs103/ConsoleHelp/core/index.html.
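Added example, not part of the Oracle documentation: a small checker for the direction setting that the notes on plan.xml and the weblogic-webservices-policy.xml listings above are concerned with. It reads either document shape and reports every attached WS-Policy that is not restricted to inbound, which is the condition under which the Gatekeeper would also apply the policy to notifications it sends back to applications. The sample Plan.xml and policy-ref documents are constructed, and policy_directions and not_inbound_only are names of my own.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Tag name without its namespace, so plan and policy-ref documents parse alike."""
    return tag.rsplit("}", 1)[-1]

def policy_directions(xml_text):
    """Map each attached WS-Policy to its direction. Handles both document shapes on this
    page: Plan.xml variables named WsPolicy_..._Direction_... and
    weblogic-webservices-policy.xml <ws-policy> entries carrying <uri> and <direction>."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        kids = {_local(c.tag): (c.text or "").strip() for c in el}
        tag = _local(el.tag)
        if tag == "variable" and "_Direction_" in kids.get("name", ""):
            found[kids["name"]] = kids.get("value", "")
        elif tag == "ws-policy" and "uri" in kids:
            found[kids["uri"]] = kids.get("direction", "")
    return found

def not_inbound_only(xml_text):
    """Policies that would also be enforced on outbound traffic, i.e. on the notifications
    the Gatekeeper returns to applications; the notes above say these must be inbound."""
    return sorted(k for k, v in policy_directions(xml_text).items() if v != "inbound")

# Constructed sample deployment plan: one variable as on this page, one whose value stands
# for the both-directions default that is established when a policy is first attached.
PLAN_XML = """<?xml version="1.0"?>
<deployment-plan xmlns="http://www.bea.com/ns/weblogic/deployment-plan">
  <variable-definition>
    <variable>
      <name>WsPolicy_policy:Auth.xml_Direction_11745107731400</name>
      <value>inbound</value>
    </variable>
    <variable>
      <name>WsPolicy_policy:Sign.xml_Direction_CONSTRUCTED</name>
      <value>inbound-outbound</value>
    </variable>
  </variable-definition>
</deployment-plan>"""

# Constructed policy-ref document in the shape of Listing 16-3 above.
POLICY_REF_XML = """<?xml version='1.0' encoding='UTF-8'?>
<webservice-policy-ref xmlns="http://www.bea.com/ns/weblogic/90">
  <port-policy>
    <port-name>AudioCall</port-name>
    <ws-policy><uri>policy:Auth.xml</uri><direction>inbound</direction></ws-policy>
  </port-policy>
</webservice-policy-ref>"""
```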
WS-Policy files can be used to require application clients to authenticate, digitally encrypt, or digitally sign SOAP messages. Out of the box, Oracle Communications Services Gatekeeper supplies files that do those three things, respectively: auth.xml, encrypt.xml, and sign.xml. If the built-in WS-Policy files do not meet your security needs, you can build custom policies.
WS-Policy assertions are used to specify a Web Service's requirements for digital signatures and encryption, along with the security algorithms and authentication mechanisms that it requires, for example a policy for SAML.
Access to the OAM functionality of Oracle Communications Services Gatekeeper, both through the Console and through external mechanisms, is made using Java Management Extension (JMX) MBeans. Access to these MBeans is controlled by JMX Policy, which associates administrative user groups with access privilege levels. When Oracle Communications Services Gatekeeper is installed, there are no controls established by default on access to the OAM MBeans. Each installation must make decisions about access based on its own needs.
Administrative users and groups are set up as described in Managing Management Users and Management User Groups. To control how these users have access to MBeans, and thus OAM functionality, you must assign JMX Policy to these user groups. You use WebLogic Server Administration Console to do this, as described in the on-line help for the Administration Console at http://download.oracle.com/docs/cd/E12840_01/wls/docs103/ConsoleHelp/core/index.html. Each policy can do the following:
For example, to give a user complete access to an MBean, select WLNG_Administrator’s Group in the policy condition.
In addition to controlling access to OAM functionality in a general way (ReadOnly, ReadWrite, etc.), you may also wish to control access by Service group. So, for example, if you have users whose job is limited to setting up and managing Application Service Providers through a system using the Partner Relationship Management interfaces, you might want to give them, and only them, ReadWrite privileges, but only to a subset of the available MBeans: those having to do with the operator part of those transactions. To do this you have to create custom XACML policies to attach to these subsets. Oracle Communications Services Gatekeeper uses the standard WebLogic Server mechanisms for doing this. For the basic process you must:
WebLogic Server Securing WebLogic Resources Using Roles and Policies at http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secwlres/index.html contains details on how to use XACML documents to secure WebLogic resources and a reference for XACML on WebLogic Server.