This chapter provides an overview of Oracle Communications Delegated Administrator security.
The following principles are fundamental to using any application securely:
Keep software up to date. This includes the latest product release and any patches that apply to it.
Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.
Monitor system activity. Establish who should access which system components, how often they should be accessed, and who should monitor those components.
Install software securely. For example, use firewalls, secure protocols (such as SSL), and secure passwords. See "Performing a Secure Delegated Administrator Installation" for more information.
Learn about and use Delegated Administrator security features. See "Implementing Delegated Administrator Security" for more information.
Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security.
Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See ”Critical Patch Updates and Security Alerts” on the Oracle Web site:
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
For an introduction to the features in Delegated Administrator, see the overview in Delegated Administrator System Administrator's Guide. To see Delegated Administrator's high-level architecture, see the information about the different scenarios for provisioning users in Delegated Administrator System Administrator's Guide. For an overview of operating system security, see Oracle Solaris Security for System Administrators.
To better understand your security needs, ask yourself the following questions:
Which resources am I protecting?
In a Delegated Administrator production environment, consider which of the following resources you want to protect and what level of security you must provide:
GlassFish Server
Access Manager (optional): To provide authentication and authorization services when Delegated Administrator accesses the LDAP directory data.
The Delegated Administrator server must be deployed to the web container used by Access Manager.
Directory Server: To store user, group, and domain data that Delegated Administrator provisions for the Communications Suite components.
Oracle Communications Messaging Server: Required to provide mail service for users and groups provisioned by Delegated Administrator. Not required if you do not provision mail users.
Oracle Communications Calendar Server: Required to provide calendar service for users and groups provisioned by Delegated Administrator 7. Not required if you do not provision calendar users.
From whom am I protecting the resources?
In general, resources must be protected from everyone on the Internet. But should the Delegated Administrator deployment be protected from employees on the intranet in your enterprise? Should your employees have access to all resources within the GlassFish Server environment? Should the system administrators have access to all resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well trusted system administrators. On the other hand, perhaps it would be best to allow no system administrators access to the data or resources.
What will happen if the protections on strategic resources fail?
In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or to users who use Delegated Administrator. Understanding the security ramifications of each resource helps you protect it properly.
Delegated Administrator lets you provision users, groups, domains, and resources in an LDAP directory used by Communications Suite applications such as Messaging Server, Calendar Server, Instant Messaging Server, and Contacts Server. Delegated Administrator can be installed in one- and two-tier deployments. For more information, see the following information:
Discussion of provisioning tools and schema in Installation and Configuration Guide.
Discussion of Service Provider Administrator and Service Provider Organizations in Delegated Administrator System Administrator's Guide.
Discussion of Messaging Server logical architecture in Installation and Configuration Guide for Messaging Server 8.0.1.
The general architectural recommendation is to use the well-known and generally accepted Internet-Firewall-DMZ-Firewall-Intranet architecture. For more information on addressing network infrastructure concerns, see the discussion about determining your Messaging Server network infrastructure needs in Installation and Configuration Guide for Messaging Server 8.0.1
This section lists Delegated Administrator-specific OS security configurations. This section applies to all supported operating systems.
Delegated Administrator communicates with various components on specific ports. Depending on your deployment and use of a firewall, you might need to ensure that the firewalls are configured to manage traffic for the following components:
Delegated Administrator server port (default 8080)
SSL port (default 433)
Web Server HTTP port (default 80)
Administration server port (default 8800)
Close all unused ports, especially non-SSL ports. Opt for SSL-enabled ports, instead of non-SSL ports, for all communications (for example: HTTPS, IIOPS, t3s).
For more information about securing your OS, see your OS documentation.
For information about securing GlassFish Server, see Oracle GlassFish Server Security Guide, at:
http://docs.oracle.com/cd/E18930_01/html/821-2435/index.html
SSL enables secure communication between applications connected through the Web. In a Delegated Administrator deployment, you can configure SSL between the following components:
GlassFish Server and client connections
Delegated Administrator and Directory Server
See "Implementing Delegated Administrator Security" for more information.
To enhance client security in communicating with Directory Server, use a strong password policy for user authentication. For more information on securing Directory Server, see the discussion about Directory Server security in Oracle Directory Server Enterprise Edition Administration Guide.