Oracle® Communications ASAP Security Guide
Release 7.2
E28042-01

1 ASAP Security Overview

This chapter provides an overview of Oracle Communications ASAP security.

Basic Security Considerations

The following principles are fundamental to using any application securely:

Understanding the ASAP Environment

When planning your ASAP implementation, consider the following:

Overview of ASAP Security

Figure 1-1 shows all the various components that can comprise ASAP, including the components to which it connects.

Figure 1-1 ASAP Components

ASAP component diagram.

ASAP security is designed for three essential functions: managing ASAP WebLogic-based users, securing data, and protecting diagnostics files. ASAP provides these security functions in the following locations:

Recommended Deployment Topologies

This section describes recommended deployment topologies for ASAP.

Single-Computer Installation Topology

Figure 1-2 shows a single-computer installation topology.

Figure 1-2 Single-Computer Deployment

This graphic displays a single computer deployment.

In this topology, all the application components and data are kept on a single system, protected from external attacks by a firewall. The firewall can be configured to block known illegal traffic types. There are fewer resources to secure because all the components are on a single system and all the communication is local. Fewer ports have to be opened through the firewall.

Conversely, although there are fewer points of attack, if security is compromised, an attacker would have access to the entire system and its data.

A single-computer installation topology is best suited for test and lab environments:

A single-computer deployment is cost effective for small organizations but does not provide high availability because all components are stored on a single system.

Tiered Deployment

Figure 1-3 shows a tiered installation deployment: a scalable ASAP deployment offering greater security and high availability.

Figure 1-3 Tiered Deployment

This graphic displays a tiered deployment.

In this topology, the application tier is isolated by firewalls from both the Internet and the intranet. The database and servers are protected from potential attacks by two layers of firewall. Both firewalls can be configured to block known illegal traffic types. The two layers of firewall provide intrusion containment. Although there are a greater number of components to secure, and more ports have to be opened to allow secure communication between the tiers, the attack surface is spread out.

ASAP Port Requirements

Table 1-1 lists and describes ASAP ports.

Table 1-1 ASAP Ports

| Port | Description |
|---|---|
| SARM server | The SARM server port for sending and receiving. |
| Control server | The Control server port for sending and receiving. |
| NEP server | The NEP server port for sending and receiving. |
| JNEP listener | The JNEP listener port for sending and receiving. |
| Admin server | The Admin server port for sending and receiving. |
| Daemon server | The Daemon server port for sending and receiving. |
| OCA server | The OCA server port for sending and receiving. |
| JSRP sending WO | The JSRP port for sending work orders. |
| JSRP receiving WO | The JSRP port for receiving work orders. |
| Database connection | The port in the Oracle database connection string. There may be multiple ports if an Oracle Real Application Clusters (RAC) database is used. |
| WebLogic connection | The port for the ASAP WebLogic server and optional managed server. In addition, if the ASAP WebLogic server is installed on a different machine, you must also open the ports to the Oracle database from there. |
| Telnet for remote servers | If ASAP is deployed on multiple servers in a distributed configuration, the telnet port for rsh connectivity must be open. |
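The following added example (not part of the Oracle guide) audits the TCP listeners on an ASAP application host against the port roles in Table 1-1, so that firewall rules are opened only for ports that are both expected and actually in use. The port numbers, the sample `ss -H -tln` output, the function names, and the treatment of port 22 as an allowed administrative port are all constructed assumptions; substitute the values configured at your site.

```python
# Added example: compare a host's TCP listeners with the Table 1-1 port roles.
# All port numbers are constructed placeholders; ASAP ports are site-specific.

EXPECTED = {  # port -> Table 1-1 role expected on this host (assumed values)
    40001: "SARM server",
    40002: "Control server",
    40003: "NEP server",
    40004: "JNEP listener",
    7001: "WebLogic connection",
}

# Constructed sample of `ss -H -tln` output (state, queues, local, peer).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:40001 0.0.0.0:*
LISTEN 0 128 0.0.0.0:40002 0.0.0.0:*
LISTEN 0 128 10.0.2.15:40003 0.0.0.0:*
LISTEN 0 50 *:7001 *:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 5 0.0.0.0:8099 0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return {port: {bind addresses}} for every LISTEN line."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips the header row and non-listening sockets
        # rpartition handles IPv4, "*" and bracketed IPv6 ("[::]:22") forms.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.setdefault(int(port), set()).add(addr)
    return listeners


def audit(ss_output, expected, allowed_extra=frozenset()):
    """Return (unexpected listening ports, expected roles with no listener)."""
    listeners = parse_listeners(ss_output)
    unexpected = sorted(
        p for p in listeners if p not in expected and p not in allowed_extra
    )
    missing = sorted((p, role) for p, role in expected.items() if p not in listeners)
    return unexpected, missing


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SS, EXPECTED, allowed_extra={22})
    print("Listeners not in Table 1-1:", unexpected)
    print("Table 1-1 roles with no listener:", missing)
```

An unexpected listener is a candidate for shutdown or for an explicit firewall block; a role with no listener means a firewall rule may be open for a port nothing is serving.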


Operating System Security

See the following documents:

Oracle Database Security

For more information about securing an Oracle Database, see Oracle Database Security Guide and Oracle Database Advanced Security Administrator's Guide.

WebLogic Server Security

For information about securing an ASAP WebLogic server, see Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server.

LDAP Security

Oracle recommends that you use Oracle Internet Directory for identity management (for example, users, roles, certificates). You can also use an external LDAP, which you must integrate with ASAP through the ASAP WebLogic server.

For information about setting up Oracle Internet Directory, see Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.

For information about setting up an external LDAP, see the LDAP application documentation. For information about security realms and setting up ASAP with an external LDAP, see ASAP System Administrator's Guide.

Oracle Security Documentation

ASAP uses other Oracle products, such as Oracle Database and Oracle WebLogic server. See the following documents, as they apply to ASAP: