2 Performing a Secure Services Gatekeeper Installation

This chapter explains the steps necessary to install Oracle Communications Services Gatekeeper securely.

Pre-Installation Configuration

Before you install Services Gatekeeper, review the following security considerations:

Ensuring Services Gatekeeper Performance and Security

To ensure optimal performance by Services Gatekeeper, tune the underlying WebLogic Server to the requirements of your environment. For example, select the appropriate startup mode for your installation.

For information about the default tuning values for WebLogic Server development and production modes, see Oracle Fusion Middleware Performance and Tuning for Oracle WebLogic Server.

Configuring SSL

Ensure that you configure the identity and trust store for WebLogic Server securely with SSL. See "Configuring Identity and Trust" in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.

When you create the WebLogic Server domain for Services Gatekeeper, ensure that SSL ports are used for:

  • The WebLogic Server domain for Services Gatekeeper.

  • The cluster addresses if you install Services Gatekeeper in a cluster environment.

For more information, see "Configuring SSL" in Oracle Fusion Middleware Securing Oracle WebLogic Server.
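
The following check is an added example, not part of the Oracle documentation. It audits a WebLogic domain config.xml for servers that do not listen on SSL, servers that still expose the plain-text listen port, and cluster addresses that do not point at an SSL port. It assumes the standard WebLogic domain schema element names and defaults (SSL disabled, plain listen port enabled, SSL port 7002); the server names, host names, and ports in the sample are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample config.xml fragment (names, hosts and ports are made up).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server><name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7443</listen-port></ssl>
    <listen-port-enabled>false</listen-port-enabled></server>
  <server><name>nt1</name><cluster>ocsg-cluster</cluster>
    <ssl><enabled>true</enabled><listen-port>8443</listen-port></ssl></server>
  <server><name>nt2</name><cluster>ocsg-cluster</cluster>
    <listen-port>8001</listen-port></server>
  <cluster><name>ocsg-cluster</name>
    <cluster-address>nt1.example.test:8443,nt2.example.test:8001</cluster-address></cluster>
</domain>"""

def text(node, path, default=None):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default

def audit(config_xml):
    """Return a list of findings for non-SSL listeners and cluster addresses."""
    root = ET.fromstring(config_xml)
    findings, ssl_ports = [], {}
    for srv in root.findall("d:server", NS):
        name = text(srv, "d:name")
        cluster = text(srv, "d:cluster")
        # Assumed WebLogic defaults: SSL off, plain listen port on, SSL port 7002.
        if text(srv, "d:ssl/d:enabled", "false") != "true":
            findings.append(f"{name}: SSL listen port not enabled")
        else:
            ssl_ports.setdefault(cluster, set()).add(text(srv, "d:ssl/d:listen-port", "7002"))
        if text(srv, "d:listen-port-enabled", "true") == "true":
            findings.append(f"{name}: plain-text listen port still enabled")
    for cl in root.findall("d:cluster", NS):
        name = text(cl, "d:name")
        for member in text(cl, "d:cluster-address", "").split(","):
            member = member.strip()
            if member and member.rpartition(":")[2] not in ssl_ports.get(name, set()):
                findings.append(f"{name}: cluster address {member} is not an SSL port")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
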

Security Considerations Related to User Privileges

Before you set up roles and user privileges, review the security considerations associated with security policies, users, GPRS, and security roles. Set up secure file system access permissions for the Oracle database.

See "Users, Groups, and Security Roles" in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Set up secure processes associated with the various types of user accounts that you create:

  • Services Gatekeeper Database User

    After installing the Oracle database during the pre-installation process, you configure the Services Gatekeeper database user. The Services Gatekeeper database user account is configured with an unlimited quota and has privileges to create sessions and tables.

    Safeguard these credentials by recording and protecting them as you would any other administrative password. You reference them during domain configuration. For details, see "Creating the Database and a Database User" in Services Gatekeeper Multi-tier Installation Guide.

  • Administrator User

    Every implementation must have a main administrator user. You create this user when you first configure a domain by entering the user name and password. Record and protect these credentials because the main administrator user has the power to grant or deny access for all other users. For information, see "Managing Management Users and User Groups" in Services Gatekeeper System Administrator's Guide.

  • Management Users

    Management users manage and administer Services Gatekeeper itself. Create as few management users as possible, protect their credentials, and have procedures in place that allow you to quickly remove management users as they are relieved of responsibility.

    For information, see "Managing Management Users and User Groups" in Services Gatekeeper System Administrator's Guide.

  • Traffic Users

    Traffic users are applications that use application-facing instances to send traffic.

Security Considerations Relating to Passwords

Set up a secure system to control the permissions for access to files and to your data. Use password encryption and store the files containing encrypted passwords in a secure location.

Establish a password policy that protects your system from possible intrusion. For information about:

Installing Services Gatekeeper Securely

Follow the steps in Services Gatekeeper Multi-tier Installation Guide to install Services Gatekeeper. However, change the port numbers, user name, password, and database SID from their default values.

You can perform a custom installation or a typical installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, remove or disable features that you do not need after the installation.

Configuring a Secure Domain for Services Gatekeeper

Your Services Gatekeeper domain is based on Oracle WebLogic Server. For information about:

Post-Installation Configuration

This section explains security-related tasks that you perform during and immediately after installing Services Gatekeeper, but before you put it into production.

Securing Partner Relationship Management Portals

Secure the Services Gatekeeper Partner Relationship Management portals by securing the administrative users. See "Administering Partners".

For more information, see "Security" in Services Gatekeeper Portal Developer's Guide.

Securing Web Services

Web services security determines the level of protection that Services Gatekeeper requires for the web messages it sends and receives. The default level of security requires authentication tokens (user name and password) for all messages. The choices are:

  • User name/password authentication (user name token)

  • XML digital signatures (X.509 certificate token)

  • Encryption (SSL or TLS SAML tokens)

You set the authentication level by web service by using the Services Gatekeeper Administration Console, and, if more security is required, by using WebLogic Server tools.

For information about securing web services and MBeans, see "About Services Gatekeeper Communication Security" in Services Gatekeeper System Administrator's Guide.

Adding Custom Password Validators

A password validator is not required to run Services Gatekeeper. However, it does ensure that your partners and their subscribers adhere to a consistent level of password security. See "(Optional) Adding a Custom Password Validator" in Services Gatekeeper Multi-tier Installation Guide for information about adding custom password validators.

Installing Java Cryptography Extension (JCE)

Java Cryptography Extension (JCE) is not required for Services Gatekeeper to run. However, it does relieve web servers from the burden imposed by SSL security. See "(Optional) Adding Java Cryptography Extensions" in Services Gatekeeper Multi-tier Installation Guide for information about adding JCE.