4 Securing Provisioning Gateway

Provisioning Gateway allows administrators to remotely provision application credentials to Logon Manager users using either the included Provisioning Gateway Web console or by interfacing with Oracle and third-party identity management solutions.

On the server side, Provisioning Gateway runs as two Web applications hosted via Microsoft IIS:

• Provisioning Gateway Web Service - enables the remote provisioning functionality, including receiving provisioning instructions from the Web Console service or external identity management solutions (via appropriate connector plug-ins) and writing them to the Logon Manager repository.

• Provisioning Gateway Web Console - provides a management front-end to the Provisioning Gateway Web Service, enabling configuration of Provisioning Gateway and credential provisioning.

On the end-user side, a plug-in within Logon Manager reads the provisioning instructions stored in the Logon Manager repository during each synchronization event and executes them by adding, modifying, or deleting application credentials from the user's Logon Manager credential store.

4.1 Securing Provisioning Gateway on the Client Side

Provided that Logon Manager has been securely deployed and configured as described in Securing Logon Manager, no extra work is necessary to secure Provisioning Gateway on the client side. This is because the Provisioning Gateway plug-in within Logon Manager uses Logons Manager's synchronization mechanism to interact with the repository, eliminating the need for a dedicated connection. Connection and data security is ensured by Logon Manager's built in encryption mechanisms, provided the repository connection is utilizing SSL.

4.2 Securing Provisioning Gateway on the Server Side

To secure Provisioning Gateway on the server side, you must do the following:

• Make sure you have structured and configured your Logon Manager repository in a secure manner as described in Securing Logon Manager,

• Configure the Provisioning Gateway Web services listed in the previous section to only accept SSL connections. Instructions are available in the Oracle ESSO Suite Plus Installation Guide.

• Configure the Provisioning Gateway Web Console service to use an "https" URL to connect to the Provisioning Gateway Web service. Instructions are available in the Oracle ESSO Suite Plus Installation Guide.

• The default name for this account is PMSERVICE; however, you may name the account as required by your environment and configure Provisioning Gateway to use the customized name.

• If integrating with Oracle Privileged Account Manager, you must install the required SSL certificates into the Provisioning Gateway Server machine's Trusted Root Certificate Authority at the computer account level. More information can be found in the Enterprise Single Sign-On Suite Installation Guide. Oracle Privileged Account Manager does not allow unencrypted (non-SSL) connectivity.

• If you are upgrading from a previous release of Provisioning Gateway and are using an Oracle database to store Provisioning Gateway event log data, after you have completed all upgrade tasks, you must log on to the Provisioning Gateway Console. This will encrypt the database connection string (which may contain database logon credentials) stored in the Windows registry.

• The appSettings section of the web.config file used by the Provisioning Gateway Server Web application should be encrypted at all times. Instructions can be found in the Enterprise Single Sign-On Suite Installation Guide.

• Create a dedicated account within the domain hosting the Logon Manager repository that the Provisioning Gateway Web service will use to connect to the repository, and limit that account's access privileges to the bare minimum required for Provisioning Gateway to function properly. Create the account as follows:

  • The service account must be a member of the Domain Users group within the domain to which Provisioning Gateway servers belong.

  • The service account must be a member of the local Administrators group on each Provisioning Gateway server machine.

  • The default name for this account is PMSERVICE; however, you may name the account as required by your environment and configure Provisioning Gateway to use the customized name

The configuration instructions are provided in the Enterprise Single Sign-On Suite Installation Guide, Enterprise Single Sign-On Suite Administrator's Guide, and standalone Provisioning Gateway documentation, all available on the Oracle Support website.