2 Performing a Secure OCECAS Installation

This chapter presents planning information for your Oracle Communications Evolved Communications Application Server (OCECAS) system and describes recommended deployment topologies that enhance security.

For more information about installing OCECAS, see Oracle Communications Evolved Communications Application Server Installation Guide.

Installing OCECAS Securely

When installing OCECAS, perform these steps for each domain:

  • You have the option to perform a typical installation or a custom installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, remove or disable features that you do not need after the installation.

  • Disable all non-SSL ports so that all communication between components, such as Diameter and HTTP traffic, is secured.

  • Make sure that you enable and use SSL ports for the administration servers for all OCECAS domains. Change the default port numbers.

  • If installing OCECAS on a cluster of servers, configure the cluster addresses to use SSL ports.

  • After you have created the WebLogic domains for OCECAS, start the administration server. Then, use t3s to start the managed servers:

    startManagerServer.sh ManagedServer_1 t3s://host_name
    

    where ManagedServer_1 is the name of the first managed server, and host_name is the host name of the administration server.

  • Using the Administration Console, configure the certificate identity and trust stores for SSL. Do not use the default demonstration certificate that comes with WebLogic Server. See the WebLogic Server security and system administration documentation for more information.
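
The following added example (not part of the Oracle documentation or product) audits a WebLogic domain configuration file against the steps above: non-SSL ports disabled, SSL enabled on non-default ports, and no demonstration keystores. It applies the port check to every server, not only administration servers. The element names and the defaults assumed for absent elements reflect the WebLogic `config.xml` layout as an assumption to verify against your release; the sample document is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
DEFAULT_PORTS = {"7001", "7002"}  # WebLogic's default plain and SSL listen ports

# Constructed sample domain configuration (not from a real OCECAS system).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>ManagedServer_1</name>
    <ssl><enabled>true</enabled><listen-port>8443</listen-port></ssl>
    <listen-port-enabled>false</listen-port-enabled>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
  </server>
</domain>"""


def text(node, path, default):
    """Return the stripped text at path, or the default when the element is absent."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default


def audit_domain(config_xml):
    """Return {server_name: [findings]} for every server in the domain."""
    report = {}
    for server in ET.fromstring(config_xml).findall("d:server", NS):
        findings = []
        # Assumption: an absent element means the WebLogic default applies.
        if text(server, "d:listen-port-enabled", "true") == "true":
            findings.append("non-SSL listen port enabled")
        if text(server, "d:ssl/d:enabled", "false") != "true":
            findings.append("SSL listen port disabled")
        elif text(server, "d:ssl/d:listen-port", "7002") in DEFAULT_PORTS:
            findings.append("SSL port still at default")
        if text(server, "d:key-stores", "DemoIdentityAndDemoTrust").startswith("Demo"):
            findings.append("demonstration keystores in use")
        report[text(server, "d:name", "(unnamed)")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_domain(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Run it against a copy of each domain's configuration file after installation; an empty findings list for every server means the checks above passed.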

About Access to Files Created During Installation

Access to files created during the installation is limited. The user account that installs OCECAS has write access to the files created during installation.

About Password Policies

Oracle recommends having strong password policies for OCECAS. Consider enforcing the following password policies:

  • Require that passwords have a minimum of eight characters.

  • Require that passwords contain at least one digit, one capital letter, and one special character.

  • Require that the user name is not part of the password.

Stricter rules can be set for the authentication provider using the Administration Console. For details on authentication providers and their configuration, refer to the discussion on securing Oracle WebLogic Server in the WebLogic Server documentation.

See Oracle Communications Evolved Communications Application Server System Administrator's Guide for information about changing and setting OCECAS passwords.

Post-Installation Configuration

This section explains security configurations to complete after OCECAS is installed.

Setting Up User Accounts to Lock and Expire

Create OCECAS user accounts and configure them to lock after several failed login attempts, and to expire after a certain period of idle time.

See Oracle Communications Evolved Communications Application Server System Administrator's Guide for information about changing and setting OCECAS passwords.

Enabling SSL for LDAP Authentication Providers

For secure communication between WebLogic Server and an external LDAP server, enable SSL on both the external LDAP authentication provider and the corresponding WebLogic Security Provider. SSL on the WebLogic security provider is enabled from the Administration Console.

For information about secure communication between WebLogic Server and an external LDAP authentication provider, see Oracle Fusion Middleware Securing Oracle WebLogic Server.