Oracle® Communications Calendar Server Security Guide
Release 7.0.5

E54936-01

1 Calendar Server Security Overview

This chapter provides an overview of Oracle Communications Calendar Server security.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  1. Keep software up to date. This includes the latest product release and any patches that apply to it.

  2. Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  3. Monitor system activity. Establish who should access which system components, how often they should be accessed, and who should monitor those components.

  4. Install software securely. For example, use firewalls, secure protocols (such as SSL), and secure passwords. See "Performing a Secure Calendar Server Installation" for more information.

  5. Learn about and use Calendar Server security features. See "Implementing Calendar Server Security" for more information.

  6. Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security.

  7. Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See "Critical Patch Updates and Security Alerts" on the Oracle Web site at:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Understanding the Calendar Server Environment

When planning your Calendar Server implementation, consider the following:

  • Which resources must be protected?

    For example:

    • Calendar Server front end

    • Calendar Server back end (MySQL Server or Oracle Database)

    • Document store (can be local, remote, or dbdocstore)

    • Dependent resources, such as GlassFish Server and Directory Server

  • From whom am I protecting the resources?

    In general, resources must be protected from everyone on the Internet. But should the Calendar Server deployment be protected from employees on the intranet in your enterprise? Should your employees have access to all resources within the GlassFish Server environment? Should the system administrators have access to all resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well-trusted system administrators. On the other hand, perhaps it would be best to allow no system administrators access to the data or resources.

  • What happens if protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use Calendar Server. Understanding the security ramifications of each resource helps you protect it properly.

Overview of Calendar Server Security

Figure 1-1 shows the components that can make up a Calendar Server deployment, including the components to which it connects. Each installed or integrated component requires special steps and configurations to ensure system security.

Figure 1-1 Calendar Server Components


Recommended Deployment Topologies

You can deploy Calendar Server on a single host or on multiple hosts, splitting up the components into multiple front-end hosts and multiple back-end hosts. You can also install the document stores onto separate hosts. For more information, see the topic on planning your installation in Calendar Server Installation and Configuration Guide.

The general architectural recommendation is to use the well-known and generally accepted Internet-Firewall-DMZ-Firewall-Intranet architecture. For more information on addressing network infrastructure concerns, see the Determining Your Communications Suite Network Infrastructure Needs documentation at:

https://wikis.oracle.com/display/CommSuite/Determining+Your+Communications+Suite+Network+Infrastructure+Needs

Operating System Security

This section lists Calendar Server-specific OS security configurations. This section applies to all supported OSs.

Firewall Port Configuration

Calendar Server communicates with various components on specific ports. Depending on your deployment and use of a firewall, you might need to ensure that the firewalls are configured to manage traffic for the following components:

  • MySQL Database port (default 3306)

  • Oracle Database server port (default 1521)

  • Calendar Server back-end remote document store port (default 8008)

  • GlassFish Server administration server port (default 4848)

  • Calendar Server access port (default 443)

  • Notification mail server port (default 25)

Close all unused ports, especially non-SSL ports. Opt for SSL-enabled ports, instead of non-SSL ports, for all communications (for example: HTTPS, IIOPS, t3s).
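As an added example (not from the Oracle guide), the following Python script checks `ss -tln` output against the default ports listed above and marks listeners on ports the host does not use for closure. Treating only port 443 as client-facing, the `used_ports` argument, and the sample output are assumptions constructed for this illustration.

```python
# Added example (not Oracle code): classify listeners against the guide's ports.
DEFAULT_PORTS = {  # default ports from the guide's list
    3306: "MySQL Database",
    1521: "Oracle Database server",
    8008: "remote document store",
    4848: "GlassFish Server administration",
    443: "Calendar Server access",
    25: "notification mail server",
}
CLIENT_FACING = {443}  # assumption: only the access port serves clients
WILDCARD = {"0.0.0.0", "::", "*"}  # addresses meaning "every interface"

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row of `ss -tln` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            yield addr.strip("[]"), int(port)

def audit(ss_output, used_ports):
    """Return sorted (port, address, verdict, component) tuples."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in used_ports:
            verdict = "close"      # listener on a port this host does not use
        elif port not in CLIENT_FACING and addr in WILDCARD:
            verdict = "restrict"   # internal port bound to every interface
        else:
            verdict = "ok"
        findings.append((port, addr, verdict, DEFAULT_PORTS.get(port, "unknown")))
    return sorted(findings)

# Constructed sample: single host with a local MySQL back end.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:4848     0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*
"""

if __name__ == "__main__":
    for port, addr, verdict, name in audit(SAMPLE_SS, used_ports={443, 3306, 4848}):
        print(f"{verdict:8} {addr}:{port} ({name})")
```

Pass the set of ports the host actually serves as `used_ports`; on a front-end host without a local database, 3306 would then be reported as `close`.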

For more information about securing your OS, see your OS documentation.

Database Security

For more information about securing Oracle Database, see Oracle Database Security Guide and Oracle Database Advanced Security Administrator's Guide, at:

http://www.oracle.com/pls/db112/portal.portal_db?selected=25&frame=

For more information about securing MySQL Server, see Security in MySQL, at:

http://dev.mysql.com/doc/mysql-security-excerpt/5.6/en/index.html

Secure Communications

Secure connections between applications connected over the World Wide Web can be obtained by using protocols such as Secure Sockets Layer (SSL) or Transport Layer Security (TLS). SSL is often used to refer to either of these protocols or a combination of the two (SSL/TLS). Due to a security problem with SSLv3, Calendar Server recommends the use of only TLS. However, throughout this guide, secure communications may be referred to by the generic term SSL.

In a Calendar Server deployment, you can enable the use of TLS between the following components:

  • GlassFish Server and client connections

  • Calendar Server and Directory Server

  • GlassFish Server and the JMX port used by the Calendar Server administration utility

  • Calendar Server and the back-end database

  • Calendar Server and the document store

See "Implementing Calendar Server Security" for more information.

LDAP Security

To enhance client security in communicating with Directory Server, use a strong password policy for user authentication. For more information on securing Directory Server, see Directory Server Security in Oracle Directory Server Enterprise Edition Administration Guide.