Oracle® Communications Services Gatekeeper Security Guide
Release 5.1

E36134-01

1 Services Gatekeeper Security Overview

This chapter provides an overview of the Oracle Communications Services Gatekeeper (Services Gatekeeper) security features and considerations.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  • Keep software up to date. This includes the latest product release and any patches that apply to it.

  • Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  • Monitor system activity. Establish who should access which system components, and how often, and monitor those components.

  • Install software securely. For example, use firewalls, secure protocols such as SSL, and strong passwords. See "Performing a Secure Services Gatekeeper Installation" for details.

  • Learn about and use the Services Gatekeeper runtime security features. See "Administering Services Gatekeeper Security" for more information.

  • Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security. See "Securing Partner Accounts and Services" for more information.

  • Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the “Critical Patch Updates and Security Alerts” Web site:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Overview of Services Gatekeeper Security

Read the Oracle Communications Services Gatekeeper Concepts Guide before this manual to understand how Services Gatekeeper works.

Services Gatekeeper is a hardened extension of WebLogic Server 11g that you use to serve TCP/IP applications (services) on telephony networks. It includes tools to connect to telephony networks and to make these services available to subscribers using those networks. These services are generally third-party applications that external developers provide, and Services Gatekeeper provides a Partner Manager Portal that developers (partners) use to manage their services. Services Gatekeeper relies on a database to store its own configuration and operational data.

Services Gatekeeper can function as a single point of contact for access to the functionality of the underlying network, providing common authentication, authorization, and access control procedures for all applications, both internal and partner-provided.

Services using SOAP-based interfaces can leverage the flexible security framework of Oracle WebLogic Server 11gR1PS2 to provide robust system protection. Applications can be authenticated using plaintext or encrypted (digest) passwords, X.509 certificates, or SAML 1.0/1.1 tokens.

Service requests can use XML encryption based on the W3C standards, for either the whole request message or specific parts of it. And, to ensure message integrity, requests can be digitally signed, using the W3C XML digital signature standards.

Services using RESTful interfaces can leverage HTTP basic authentication (username and password) with SSL protection.
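The digest-password option mentioned above avoids putting the password itself on the wire, but a digest alone can be replayed, so the receiver also has to check freshness. The following Python is an added example written for this page (it is not Services Gatekeeper or WebLogic Server code) that computes the WS-Security UsernameToken PasswordDigest as defined in the OASIS Username Token Profile, Base64(SHA-1(nonce + created + password)), and verifies it with a timestamp window and a seen-nonce check. The user store, the five-minute window and the `build_username_token` / `UsernameTokenVerifier` names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Added example (not Services Gatekeeper code). Implements the WS-Security
# UsernameToken PasswordDigest from the OASIS Username Token Profile:
#     PasswordDigest = Base64( SHA-1( nonce + created + password ) )
# where "nonce" is the raw (Base64-decoded) nonce bytes and "created" is the
# UTC timestamp string exactly as carried in the wsu:Created element.

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _parse(ts: str) -> datetime:
    """Parse a wsu:Created style UTC timestamp."""
    return datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Digest over the decoded nonce, the timestamp text and the password."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username: str, password: str,
                         created: Optional[str] = None,
                         nonce_b64: Optional[str] = None) -> Dict[str, str]:
    """Client side: the fields a SOAP client places in wsse:UsernameToken.
    The plaintext password never leaves the client; only the digest is sent."""
    created = created or datetime.now(timezone.utc).strftime(TS_FMT)
    nonce_b64 = nonce_b64 or base64.b64encode(os.urandom(16)).decode("ascii")
    return {
        "Username": username,
        "Nonce": nonce_b64,
        "Created": created,
        "PasswordDigest": password_digest(nonce_b64, created, password),
    }


class UsernameTokenVerifier:
    """Server side. The digest proves knowledge of the password, but an
    intercepted token could be replayed verbatim, so the receiver must also
    bound the age of Created and reject a nonce it has already accepted."""

    def __init__(self, passwords: Dict[str, str],
                 max_skew: timedelta = timedelta(minutes=5)):
        self._passwords = passwords   # username -> password (constructed store)
        self._max_skew = max_skew
        self._seen_nonces = set()     # a real deployment would expire old entries

    def verify(self, token: Dict[str, str], now: Optional[str] = None) -> Tuple[bool, str]:
        now_dt = _parse(now) if now else datetime.now(timezone.utc)
        password = self._passwords.get(token.get("Username", ""))
        if password is None:
            return False, "unknown user"
        try:
            created_dt = _parse(token["Created"])
            expected = password_digest(token["Nonce"], token["Created"], password)
        except (KeyError, ValueError):          # binascii.Error is a ValueError
            return False, "malformed token"
        if abs(now_dt - created_dt) > self._max_skew:
            return False, "stale timestamp"
        # Constant-time comparison so timing does not leak digest bytes.
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "bad digest"
        if token["Nonce"] in self._seen_nonces:
            return False, "replayed nonce"
        self._seen_nonces.add(token["Nonce"])
        return True, "ok"


if __name__ == "__main__":
    verifier = UsernameTokenVerifier({"partner-app": "s3cret"})  # constructed credentials
    token = build_username_token("partner-app", "s3cret")
    print(token)
    print(verifier.verify(token))   # first presentation is accepted
    print(verifier.verify(token))   # same token again is rejected as a replay
```

The plaintext variant of the same token carries the password itself in `wsse:Password`, so there SSL is the only protection; with the digest variant the transport still matters, because the checks above only limit replay to the configured window.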

Securing a Services Gatekeeper implementation generally involves these categories of tasks:

  • Perform pre-installation tasks, which include installing a database and creating database users.

  • Perform a secure installation of Services Gatekeeper by:

    • Installing a database and creating and authorizing database users.

    • Installing Services Gatekeeper in a clustered deployment (separate application and networking tiers) so that the individual components are easier to defend.

    • Creating Services Gatekeeper administrative users to administer Services Gatekeeper and any third-party services developers.

    • Securing the WebLogic server.

    • Securing JDBC with database credentials.

    • Securing domains with RDBMS security.

    • Obtaining and installing firewalls between the tiers for protection.

    • Controlling access to the Services Gatekeeper Oracle Access Manager (OAM) MBeans that control OAM functionality.

    • Securing your web services, and ensuring that your partners do the same.

    • Securing Oracle Service Bus and the Service Oriented Architecture Facades.

    • Securing geographically redundant deployments.

    • Adding a custom password validator (optional).

    • Obtaining and installing a custom password validator (optional).

    • Obtaining and installing the Java Cryptography Extension (optional).

  • Administer your Services Gatekeeper implementation securely by:

    • Creating and maintaining administrative users with just the authorization levels that they require.

    • Monitoring Services Gatekeeper and the underlying WebLogic server for security attacks.

    • Assigning administrative users to monitor partner activity and approve their accounts.

    • Assigning a security contact to create and administer Services Gatekeeper Service Level Agreements (SLAs) that define access to Services Gatekeeper.

    • Backing up your Services Gatekeeper implementation.

  • Set up the Services Gatekeeper Partner Portals to allow partners to securely create accounts for themselves and register their services.

  • Educate partners to:

    • Enable security for communication services, including using SLAs for authorization and protocol security for authentication. The SOAP-based, RESTful, and native (MM7, SMPP, and UCP) interfaces each have their own security mechanisms.

    • Use service interceptors, which can also help secure communication services.

    • Use Oracle OAuth to manage access to secured resources (such as pictures or secured URLs).

    • Administer your partners with the Partner Manager Portal. This includes:

      • Recording their Partner Portal credentials somewhere safe.

      • Changing their automatically generated application IDs as soon as possible, because those IDs are predictable.

These tasks are explained in the chapters that follow.

About the Services Gatekeeper Environment

When planning your Services Gatekeeper implementation, consider the following:

  • Which resources need to be protected?

    • You must protect subscriber data, such as credit-card numbers.

    • You must protect internal data, such as the MBeans that control Services Gatekeeper.

    • You must protect system components from being disabled by external attacks or intentional system overloads.

  • Who are you protecting data from?

    For example, you must protect partner data from other partners, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, a system administrator might manage your system components without needing to access the system data.

  • What will happen if the protections on a strategic resource fail? In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.

Security Standards and Specifications

See the discussion on security standards and specifications in Oracle Communications Services Gatekeeper Concepts Guide for a list of the security-related standards that Services Gatekeeper supports.