Oracle® Communications Services Gatekeeper Security Guide
Release 5.1

E36134-01

4 Securing Partner Accounts and Services

This chapter explains security considerations for administering your partners and the developers who add services to Oracle Communications Services Gatekeeper (Services Gatekeeper).

Administering Partners

Your partners add their services to Services Gatekeeper using the Partner Manager Portal. When your partners create these accounts they also create passwords and security questions. The Partner Manager Portal then uses the passwords and questions to authenticate your partners when they log in.

However, you still need to assign security personnel to monitor the accounts being created to ensure that they are legitimate. Partners are assigned one of the service provider interfaces created for them. These interfaces are administrative user types and must be managed like other administrative users and only granted the access privileges they require. You must grant service providers the necessary privileges to do their jobs, but no more.

See "Setting Up the Partner Portal and Partner Manager Portal" for information on creating these accounts.

See the discussion on service provider login for information on creating service provider accounts, and the discussion on the service provider interfaces for information on granting and removing privileges, both in Oracle Communications Services Gatekeeper Partner Relationship Management Guide.

Setting Up the Partner Portal and Partner Manager Portal

Your partners (service providers) use the Partner Portal to administer their partner accounts, including granting and revoking service access. The service providers may be internal or external to your organization. Set up the Partner Portal and Partner Manager Portal with the security appropriate for your implementation.

  • Educate partners to:

    • Enable security for communication services.

    • Use the secure interfaces supplied with Services Gatekeeper to communicate with Services Gatekeeper.

    • Use Oracle OAuth to manage access to secured resources (such as pictures or secured URLs).

    • Record their Partner Portal credentials somewhere safe.

    • Change their automatically generated application IDs as soon as possible because they are predictable.

For details see these documents:

  • Oracle Communications Services Gatekeeper Partner Relationship Management Guide

  • Services Gatekeeper Partner Portal online help

Securing Communication Services

The communication services that your partners provide generally require both authentication and authorization services to remain secure. You have several ways of providing this security:

  • The Services Gatekeeper security provider authenticates subscribers by verifying their application IDs and passwords.

  • The Services Gatekeeper service-level agreements (SLAs) provide authorization. You secure communication services by authorizing service requests with SLAs, and authenticating the users making the requests with web services security. This is true for services created by you or your partners. An SLA can define which APIs an application can use and at what TPS. The following sections discuss these tasks.

  • Using OAuth to provide both authorization and SSO authentication for third-party resources.

    See "Authenticating and Authorizing Resources with OAuth" for details.

Authenticating and Authorizing Resources with OAuth

See the Oracle Communications Services Gatekeeper OAuth Guide and the discussion on Services Gatekeeper OAuth 2.0 authorization resource servers in Oracle Communications Services Gatekeeper System Administrator's Guide for details on using the OAuth protocol to grant access to resources (such as photos, video, and so on) without compromising the resource owner's security. OAuth can provide both authorization and authentication services, replacing more traditional SSO mechanisms.

Authorizing Access to Services with SLAs

Your partners create Service Level Agreements (SLAs) to define who is authorized to use their services. Every communication service must have an SLA that specifies access privileges to Services Gatekeeper and the network nodes it communicates with.

For details, see Oracle Communications Services Gatekeeper Accounts and SLAs Guide.
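The authorization decision described above (every service needs an SLA, and the SLA fixes which API and what TPS an application may use) can be modelled as a default-deny check with a token bucket. This is an added example, not Services Gatekeeper code or its SLA format; the class names, the application ID, the API names and the reading of TPS as requests per second per application are assumptions made for illustration.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Sla:
    """Hypothetical SLA model: the APIs an application may call and its TPS cap."""
    allowed_apis: frozenset
    max_tps: float


class SlaEnforcer:
    def __init__(self, slas, clock=time.monotonic):
        self._slas = slas        # application ID -> Sla
        self._clock = clock      # injectable so the behaviour can be tested
        self._buckets = {}       # application ID -> (tokens, last refill time)

    def authorize(self, app_id, api):
        """Return (allowed, reason) for a single service request."""
        sla = self._slas.get(app_id)
        if sla is None:
            return False, "no SLA"             # default deny: no SLA, no access
        if api not in sla.allowed_apis:
            return False, "API not in SLA"
        now = self._clock()
        tokens, last = self._buckets.get(app_id, (sla.max_tps, now))
        # Refill for the elapsed time, capped at one second's worth of requests.
        tokens = min(sla.max_tps, tokens + (now - last) * sla.max_tps)
        if tokens < 1:
            self._buckets[app_id] = (tokens, now)
            return False, "TPS exceeded"
        self._buckets[app_id] = (tokens - 1, now)
        return True, "ok"


def demo():
    """Run constructed requests against a constructed SLA and return the reasons."""
    t = [0.0]  # fake clock, in seconds
    slas = {"app-7f3c": Sla(frozenset({"sms/send"}), max_tps=2)}
    enforcer = SlaEnforcer(slas, clock=lambda: t[0])
    reasons = [enforcer.authorize("app-7f3c", "sms/send")[1] for _ in range(3)]
    reasons.append(enforcer.authorize("app-7f3c", "mms/send")[1])
    reasons.append(enforcer.authorize("unknown-app", "sms/send")[1])
    t[0] = 0.5  # half a second later, one request's worth of budget is back
    reasons.append(enforcer.authorize("app-7f3c", "sms/send")[1])
    return reasons


if __name__ == "__main__":
    print(demo())
```
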

Authenticating Service User Requests

Communication services do not have security enabled by default because Services Gatekeeper has no way of knowing what kind of security they allow. You must make sure to add or take advantage of their security measures before allowing subscribers to use them. This section lists the security strategies supported by the communication services and explains where to find details.

Services Gatekeeper supports these types of communication services:

  • SOAP-based

  • RESTful

  • Native

Information about securing these communication services is explained in the sections that follow. See the references provided and the discussions on securing web services and Services Gatekeeper MBeans in Oracle Communications Services Gatekeeper System Administrator's Guide, and the discussion on web services security in Oracle Communications Services Gatekeeper Accounts and SLAs Guide for details.

Securing SOAP-Based Communication Services

The first step in protecting your SOAP communication services is to ensure that all communication with Services Gatekeeper happens within a session. You set this in the Services Gatekeeper Session Manager Web Service, and it automatically requires applications to provide authorization.

Applications communicating with Services Gatekeeper using a SOAP interface have these options for authentication:

  • Username/Password Authentication (Username Token)

  • Digital Signatures (X.509 Certificate Token)

  • Encryption (SAML Token)

  • Session IDs

For details on creating and securing a SOAP-based communication service, see the discussions on:

  • Interacting with Oracle Communications Services Gatekeeper

  • Session management

  • Session Manager Web Service

in Oracle Communications Services Gatekeeper Application Developer's Guide.

Securing RESTful Communication Services

The RESTful service interfaces use HTTP basic authentication and session IDs for security. For details on implementing HTTP security, see the discussion on securing web services and Oracle Access Manager MBeans in Oracle Communications Services Gatekeeper Administrator's Guide.

For details on creating and securing REST communication services see the discussion on interacting with the REST facade in Oracle Communications Services Gatekeeper RESTful Application Developer's Guide.

For details on requiring sessions for all RESTful communication, see the discussions on session management and the Session Manager Web Service in Oracle Communications Services Gatekeeper Application Developer's Guide.

Securing Native Communication Services

Services Gatekeeper supports communication services using the MM7, SMPP, and UCP protocols. The following sections outline their security considerations and provide links to implementation details.

Securing Native MM7 Communication Services

Services Gatekeeper uses HTTP basic authentication to secure native MM7 communication services. For details see the discussion on managing native MM7 in Oracle Communications Services Gatekeeper Communication Service Guide.

Securing Native SMPP Communication Services

Services Gatekeeper uses authentication credentials to secure native SMPP communication services. For details on creating a native SMPP communications service, see the discussion on native SMPP in Oracle Communications Services Gatekeeper Communication Service Guide.

Securing Native UCP Communication Services

Services Gatekeeper uses a credential store to secure native UCP communication services. For details on configuring connection information and the credential map, see the discussion on managing and configuring connection information in Oracle Communications Services Gatekeeper System Administrator's Guide.

Securing Communication with Service Interceptors

Configuring tunneling for a communication service creates a “white list” of parameters. It limits communication service messages to only the parameters that you specify (nothing is limited by default). This strategy is quite restrictive and impractical for most communication, but may fit your security needs. For details on implementing tunneling, see the discussion on service interceptors in Oracle Communications Services Gatekeeper Platform Development Studio Developer's Guide.