1 Converged Application Server Security Overview

This chapter describes the Oracle Communications Converged Application Server security features.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  • Keep software up to date. This includes the latest product release and any patches that apply to it.

  • Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  • Monitor system activity. Establish who should access which system components, and how often, and monitor those components.

  • Install software securely. For example, use firewalls, secure protocols such as SSL, and secure passwords.

  • Learn about and use the Converged Application Server security features. See "Converged Application Server Security Concepts" for additional overview information on Converged Application Server security features.

  • Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security.

  • Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the "Critical Patch Updates and Security Alerts" Web site:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Overview of Converged Application Server Security

Converged Application Server relies on the security features of the underlying Oracle WebLogic platform, including security realms, security monitoring features, and more.

See "Oracle Security Documentation" for information about securing the WebLogic platform.

Additional security features applicable to Converged Application Server include:

  • Network channel-based security in the form of support for HTTPS and SIPS. See Oracle Communications Converged Application Server Administrator's Guide for more information on network channel security.

  • Flexible client authentication mechanisms, including identity assertions by security providers, client certificate authentication, and digest-based authentication.

This document describes the security features specific to Converged Application Server. For WebLogic information, including information about performing a secure installation and implementing application security, see the Oracle WebLogic Server 11g documentation.

Understanding the Converged Application Server Environment

When planning your Converged Application Server implementation, consider the following:

  • Which resources need to be protected?

    • You need to protect customer data, such as credit-card numbers.

    • You need to protect internal data, such as proprietary source code.

    • You need to protect system components from being disabled by external attacks or intentional system overloads.

  • Who are you protecting data from?

    For example, you need to protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, it is possible that a system administrator can manage your system components without needing to access the system data.

  • What will happen if protections on a strategic resource fail?

    In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.

Oracle Security Documentation

To implement security, you configure Converged Application Server security features as well as those in the products on which it relies.

See the following documents for more information:

  • Oracle Fusion Middleware Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation.

  • Oracle Fusion Middleware Application Security Guide in the Oracle WebLogic Server documentation.

  • Oracle Communications Converged Application Server Administrator's Guide.

  • Oracle Communications Converged Application Server Developer's Guide.

Common Security Configuration Tasks

Table 1-1 lists Converged Application Server configuration tasks and provides links to additional information.

Table 1-1 Security Configuration Tasks

  • Task: Configure a DNS resolver that supports DNSSEC. Converged Application Server supports a number of SIP RFCs that use DNS, and it queries DNS frequently. DNSSEC is important to prevent malicious entities from spoofing DNS entries and causing issues for the deployment.

    Document Reference: See the IETF specifications dealing with DNS security.

  • Tasks:

    • Understanding the Digest identity assertion providers

    • Configuring LDAP Digest authentication

    • Configuring Digest authentication with an RDBMS

    Document Reference: See "Configuring Digest Authentication".

  • Tasks:

    • Understanding client-cert authentication solutions

    • Delivering X509 certificates over 2-way SSL

    • Developing a Perimeter authentication solution

    • Using the Converged Application Server WL_Client_Cert header to deliver X509 certificates

    Document Reference: See "Configuring Client-Cert Authentication".

  • Tasks:

    • Understanding forwarding rules for SIP messages having the P-Asserted-Identity header

    • Configuring P-Asserted-Identity providers

    Document Reference: See "Overview of SIP Servlet Identity Assertion Mechanisms".

  • Tasks:

    • Defining security constraints for a SIP Servlet

    • Mapping SIP Servlet roles to Converged Application Server roles and principals

    • Debugging SIP Servlet security constraints

    Document Reference: See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide.

  • Task: Configuring trusted hosts

    Document Reference: See information on the sip-security setting in sipserver.xml, as described in Oracle Communications Converged Application Server Administrator's Guide.
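
For the DNSSEC resolver task in Table 1-1, the following added example (not Oracle code and not part of the original chapter) shows one way to check that a resolver validates: it builds an SRV query with the EDNS0 DO bit set and classifies the reply by the AD flag and response code. The name `_sips._tcp.example.com`, the transaction ID, and the sample replies are constructed for illustration.

```python
import socket
import struct

QR, AD = 0x8000, 0x0020   # header flag bits: response, Authenticated Data
DO = 0x8000               # "DNSSEC OK" bit in the EDNS0 OPT record (RFC 3225)
SRV, OPT = 33, 41         # RR types: SRV (SIP server location, RFC 3263), OPT

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, qtype=SRV, txid=0x1234):
    """Recursive query with AD set plus an EDNS0 OPT record carrying DO."""
    header = struct.pack("!6H", txid, 0x0100 | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL = flags, no RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, 1232, DO, 0)
    return header + question + opt

def assess_response(packet, txid=0x1234):
    """Classify a resolver reply by its header alone."""
    if len(packet) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", packet[:4])
    if rid != txid or not flags & QR:
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"   # validating resolvers answer SERVFAIL when validation fails
    if rcode not in (0, 3):
        return "error"
    # AD is only meaningful when the path to the resolver itself is trusted
    return "validated" if flags & AD else "unvalidated"

def check_resolver(server, name, timeout=3.0):
    """Send the query over UDP to a resolver and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return assess_response(s.recv(4096))

def sample_reply(flags, name="_sips._tcp.example.com"):
    """Constructed reply (header + question only) for offline demonstration."""
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", SRV, 1)

if __name__ == "__main__":
    for flags in (0x81A0, 0x8180, 0x8182):   # constructed flag words
        print(hex(flags), assess_response(sample_reply(flags)))
```

A resolver that reports "unvalidated" for a zone known to be signed is not performing DNSSEC validation for the lookups the server depends on.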