| Oracle® Communications Service Broker System Administrator's Guide Release 6.0 Part Number E23523-02 |
|
|
View PDF |
| Oracle® Communications Service Broker System Administrator's Guide Release 6.0 Part Number E23523-02 |
|
|
View PDF |
This chapter explains how to configure and use the Oracle Communications Service Broker (Service Broker) Credential Store feature. You use this feature to securely store, encrypt, and validate the credentials that Service Broker requires to communicate with external non-SSL compliant credential readers.
Oracle recommends that your Service Broker application-facing network traffic have a minimum security level that is usually satisfied by a combination of firewall protection and HTTPS/SSL/TLS support. Oracle recognizes however, that Service Broker must also communicate with certain non-HTTPS-compliant entities that still require credentials. The Service Broker Credential Store feature is designed to securely store credentials for these types of features.
The Credential Store provides a consistent, efficient, secure way for each OSGI bundle to encrypt, store, and validate credentials for Service Broker features. For example, an SMS-C on a telecom network usually requires a password for access. Credential Store provides a secure place for Service Broker entities such as the SMPP Protocol Adaptor to store and validate that password when accessing SMS-C data and features.
The Credential Store:
Stores and validates passwords (1-way encryption).
Stores and retrieves passwords (2-way encryption)
Stores and retrieves keystores (databases of credentials).
The Credential Store components include:
A single encrypted file that contains the credential stores for all OSGi bundles in a domain.
A master password file to unencrypt each file of credentials.
GUI interfaces in the Administration Console that you use to add credentials to the credential file singly.
MBean operations to provision the credential store in bulk
All Service Broker features that use Credential Store have Credential Store subtabs in the Administration Console. Figure 7-1 shows the Credential Store subtab of the Administration Console Data Store tab. The other Credential Store subtabs are the same or very similar.
Figure 7-1 Example Credential Store Subtab
Credential Store works on the Service Broker domain level; all credentials for all OSGi bundles in a domain are stored in a single file. You configure and use Credential Store features through the Administration Console or the MBean interface.
By default, Service Broker creates a credential store file in each domain for use by the Service Broker components in that domain. Figure 7-2 shows the Credential Store components. Each Service Broker domain contains two files, a credential file and a master password file. The credential file stores the credentials and the master password file unencrypts the credential file.
Each credential that Service Broker stores is composed of two parts: a key (such as a username) that identifies the protected entity and an associated authorization (such as a password or keystore certificate) to make it accessible. Both the key (sometimes referred to as a CredentialKey) and the authorization are stored as arbitrary strings. For example, a key could be a simple username, a fully qualified LDAP domain name, or a logical alias to a credential.
Figure 7-2 Provisioning Credential Stores
The credential file is encrypted and can be unencrypted with the master password stored in the second credential store file, the master password file. A default master master password is created automatically for each credential store file when its Service Broker domain is created. The default master password is a human-readable random string. Once created, you can change this password as necessary.
Table 7-1 shows the default credential store filenames and locations for each domain.
Table 7-1 Credential Store System Properties
| Property | Default Value | Description |
|---|---|---|
|
axia.credential.store.url |
Domain_home/protected/cs_store |
Specifies the URL of the credential file. All Service Broker components (for example all managed servers and consoles) that access a domain share the same credential file. This file must also be secured by the operating system file permission settings. |
|
axia.credential.store.key.url |
Domain_home/protected/cs_key |
Specifies the URL of the master password protecting the Credential Store file. All Service Broker components that access a domain share the same master password file. This file must also be secured by the operating system file permission settings, and Oracle recommends that you move this file from its default location as an extra level of security. See "Moving the Credential Store Key Files" for more information. |
The Credential Store feature creates one set of these credential file/master password file pairs for each Service Broker domain, for use by all OSGi bundles in that domain. However each credential store within the credential file is isolated, so credentials do not need to be unique within the domain, just unique within one OSGi bundle. You can store identical credentials in different credential stores in the same credential file.
Together the credential file/master password file pairs protect the credentials in the credential store file.
You can change the Credential Store encryption methods to suit your needs. For more information see "Changing Credential Store Encryption Settings".
You administer credentials singly using the Administration Console or in bulk using an MBean interface. See "Provisioning and Administering Credential Stores" and "Using the Credential Store Management API" for more information.
Using Credential Store with hosted domains requires special considerations. To make credentials more secure, the default Credential Store files are located in a special /protected directory in each domain. This location is not accessible to other Managed Servers through HTTP.
These are two options for using Credential Store with hosted domains:
The most secure strategy is to copy the cs_store and cs_key files from the Domain_Home/protected location to an identical location on each of Managed Servers accessing the hosted domain. If this default location does not work for your implementation, you can change it by specifying a different path in the Java system properties using: axia.credential.store.url and axia.credential.store.key.url. For example:
-Daxia.credential.store.url=file:///local_path/cs_store -Daxia.credential.store.key.url=file:///local_path/cs_key
This approach requires that the cs_store file be copied to all Managed Servers every time the Credential Store files change. If the encryption key is ever updated, the cs_key file must be copied to each of the domain Managed Servers again, but this is uncommon.
A “medium” level security alternative is to copy the cs_key file from Domain_Home/protected to an identical location on each of the Managed Servers, and move the cs_store file to the Administration Console Domain_Home.
To make this work, you must change the system properties on both the Administration Console and all of the Managed Servers to specify the new file locations. For example, you could use this system property to start the Administration Console:
-Daxia.credential.store.url=file:///Domain_Home/cs_store
And use this system property on each of the Managed Servers accessing the hosted domain:
-Daxia.credential.store.url=https://Domain_Post_IP:9000/cs_store
This approach removes the need to manually copy the cs_store file for each Credential Store update, but still protects the encryption key from being shared over the network.If the encryption key is ever updated, the cs_key file will need to be copied to each of the domain Managed Servers again, but this is uncommon.
The following sections explain the options for changing Credential Store settings. The settings in the following sections apply to all features that use Credential Store in a single domain. These settings apply to the entire Credential Store file. Because they apply to all features within a domain using Credential Store, you should only set them once, before you start storing credentials in them.
The default /protected location that Service Broker uses for the credential store files is a special area of the domain is that is more secure than most. It is accessible by the Administration Console but not the managed server.
You can move the Credential Store files to new locations as desired by renaming the Credential Store path in the System Property.
Note:
For extra security, Oracle recommends that you move the cs_key master password file to a non-default location and give it the minimum possible access permissions.This section explains how to change the Credential Store password storage configuration settings. Table 7-2 lists the default encryption methods and the system properties you use to change them.
WARNING:
Previously stored credentials become unavailable if you change encryption settings. Make encryption setting changes before you start storing credentials.
Table 7-2 Credential Store Default Encryption Settings
| System Property in common.properties | Default Value | Notes |
|---|---|---|
|
oracle.axia.credential.store.cipher.algorithm |
AES |
Sets the cipher algorithm that encrypts/decrypts data. |
|
oracle.axia.credential.store.key.generator.alorithm |
AES |
Sets the algorithm that generates secret keys. |
|
oracle.axia.credential.store.digest.algorithm |
SHA-256 |
Sets the algorithm that hashes data. |
To change these settings add these entries to the Oracle_home/ocsb60/admin_console/properties/common.properties file and then restart the domain.:
oracle.axia.credential.store.cipher.algorithm=DES oracle.axia.credential.store.key.generator.algorithm=RC2 oracle.axia.credential.store.digest.algorithm=
Table 7-3 lists the types of algorithms to use. See this discussion on Java Cryptography Architecture Standard Algorithm Name Documentation for more information on the encryption algorithms available: http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html.
Each Service Broker feature that uses Credential Store has an Administration Console subtab that looks like the one in Figure 7-1. The following sections describe how to use these subtabs to add credentials to the credential store files and administer them. Figure 7-2 illustrates Credential Store provisioning.
These actions operate on one credential at a time. This may be appropriate for test and evaluation systems and small implementations. Service Broker offers an MBean interface to manage credentials in bulk. See "Using the Credential Store Management API" for more information.
To add a credential to the Credential Store:
Open the Administration Console and navigate to your feature's Credential Store tab or subtab.
In the Password area of the screen enter the following:
Enter a credential key (such as a username) in the Key field.
You can store any credential that can be read as a string.
Enter a password in the Password field.
(Optional) Check the One-Way box to restrict the credential to read-only use.
Do one of the following:
Click Set Password to add the credential to the credential file.
Click Validate Password to confirm that this credential already exists in the credential file.
To add a keystore from a keystore file to a Credential Store:
Open the Administration Console and navigate to your feature's Credential Store tab or subtab.
In the Keystore area of the screen, enter the following:
The keystore name in the Key field.
The keystore password in the KeyStore Password field.
The keystore URL in the KeyStore URL field. This is the location of the keystore file.
Click the KeyStore button to add the keystore to the credential file.
Use these steps to verify whether a credential exists in a credential store file. These steps to not validate the credential.
Open the Administration Console and navigate to your feature's Credential Store tab or subtab.
In the General area of the screen, enter key name in the Key field
Click the Contains Key? button.
Use the following steps to delete credentials from a Credential Store.
Open the Administration Console and navigate to your feature's Credential Store tab or subtab.
In the General area of the screen, enter key name in the Key field
Click one of the following buttons:
Click the Delete Key button to remove the credential from the credential file
Click the Delete All Keys button to remove all credentials in the credential file.
The Service Broker Credential Store feature includes the oracle.axia.api.management.credentialstore.CredentialStore MBean that you use to to manage credentials for OSGi bundles in bulk. The Administration Console also allows you to manage credentials, but only singly.
The following section lists the Credential Store operations for administration and management of credentials, including:
setPassword - Adds passwords to a Credential Store.
validatePasssword - Validates passwords stored in a Credential Store.
setKeystore - Adds keystore credentials to a Credential Store.
containsKey - Confirms that a credential exists in a Credential Store
deleteKey - Deletes keystore credentials from a Credential Store
clear (Removes all Credentials) - Removes all credentials from a Credential Store.
Adds a credential (key and authorization) to the Service Broker bundle's credential store file.
Syntax:
void setPassword(@Name("Key") String key, @Name("Password") String password, @Name("One-way") boolean oneWay)
Where:
Key - The credential key.
Password - The authorization string to use for the credential.
one-way | two-way - one-way encrypts the password and prevents it from being decrypted later (most secure). two-way encrypts the password and allows it to be decrypted later.
Validates credential information against a credential stored in a credential store file. Returns true if the two are identical.
Syntax:
boolean validatePassword(@Name("Key") String key, @Name("Password") String password)
Where:
Key - The credential key.
Password - The authorization string to use for the credential.
Obtains a keystore from a keystore file and stores it in a Credential Store file. Requires a keystore key, password, and the URL of the keystore file.
Syntax:
void setKeystore(@Name("Key") String key, @Name("KeyStore Password") String password, @Name("KeyStore URL") String url)
Where:
Key - The credential key for the keystore.
KeyStore Password - The authorization to use for the keystore.
KeyStore URL - The URL location of the keystore file.
Returns true if the key exists in the Credential Store; false otherwise.
Syntax:
boolean containsKey(@Name("Key") String key)
Where:
key - The credential key to search for.
Deletes a credential from a credential store file.
Syntax:
void deleteKey(@Name("Key") String key)
Where:
key - The credential to delete.
This operation removes all credentials associated with an OSGi bundle from a credential store file.
Syntax:
void clear()
|
 Copyright © 2010, 2012, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|