1 Convergence Security Overview

This chapter provides an overview of security for Oracle Communications Convergence.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  1. Keep software up to date. This includes the latest product release and any patches that apply to it.

  2. Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  3. Monitor system activity. Establish who should access which system components, how often they should be accessed, and who should monitor those components.

  4. Install software securely. For example, use firewalls, secure protocols (such as SSL), and secure passwords. See "Performing a Secure Convergence Installation" for more information.

  5. Learn about and use Convergence security features. See "Implementing Convergence Security" for more information.

  6. Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security.

  7. Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the Oracle Critical Patch Updates and Security Alerts web site:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Understanding the Convergence Environment

When planning your Convergence environment, consider the following:

  • Which resources require protection?

    For example:

    • Convergence

    • Protocols, such as HTTP, WMAP, WCAP, LDAP, XMPP, WABP, NABP

    • Dependent resources, such as Oracle GlassFish Server, Directory Server, Index Search Service, Messaging Server, Calendar Server, Instant Messaging Server, WebRTC Session Controller, Oracle Outside In Transformation Server

  • From whom do the resources require protection?

    In general, resources must be protected from everyone on the Internet. But should the Convergence deployment be protected from employees on the intranet in your enterprise? Should your employees have access to all resources within the GlassFish Server environment? Should the system administrators have access to all resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well trusted system administrators. On the other hand, perhaps it would be best to allow no system administrators access to the data or resources.

  • What happens if protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use Convergence. Understanding the security ramifications of each resource helps you protect it properly.

Overview of Convergence Server Security

Figure 1-1 shows the various components that comprise a Convergence deployment. Each installed or integrated component requires special steps and configurations to ensure complete system security.

The top layer shows the services provided by Convergence. The middle layer represents the Convergence server itself, deployed to an Oracle GlassFish Server domain. The bottom layer shows the dependencies that the Convergence server has on other applications to provide its services and features.

Convergence consists of the following core services:

  • Service Proxies

  • XMPP over HTTP Gateway

  • Address Book Service

  • Authentication & Authorization

  • SSO (Oracle Access Manager/Messaging SSO)

  • Configuration management

  • Logging

  • Basic Monitoring

The service proxies communicate using various protocols to the Oracle Communications software products used to deliver Convergence services.

Figure 1-1 Convergence Components


Recommended Deployment Topologies

Because Convergence is an end-user client program, it occupies the User Tier in any deployment topology.

Figure 1-2 shows the high-level logical Convergence architecture.

Figure 1-2 Convergence High-Level Logical Architecture


The general architectural recommendation is to use the well-known and generally accepted Internet-Firewall-DMZ-Firewall-Intranet architecture. For more information on addressing network infrastructure concerns, see the Unified Communications Suite wiki:

https://wikis.oracle.com/display/CommSuite/Determining+Your+Communications+Suite+Network+Infrastructure+Needs

Operating System Security

This section lists Convergence-specific OS security configurations. This section applies to all supported OSs.

Firewall Port Configuration

Convergence communicates with various components on specific ports. Depending on your deployment and use of a firewall, you might need to ensure that the firewalls are configured to manage traffic for the following components:

  • GlassFish Server administration server (default 4848)

  • Convergence (http 8080, https [default] 8181)

  • WebMail Server (http 8990, https [default] 8991)

  • Contacts Server (http 8080, https [default] 8181)

  • Calendar Server (http 8080, https [default] 8181)

  • Instant Messaging Server (default 5269, for both http and https)

  • Indexing and Search Service (http 8080, https [default] 8181)

  • LDAP (ldap 389, ldaps [default] 636)

  • Oracle Access Manager (the WebLogic server default port)

  • Outside In Transformation Server (default 60611)

  • WebRTC Session Controller (the WebLogic server default port)

Close all unused ports, especially non-SSL ports. Opt for SSL-enabled ports, instead of non-SSL ports, for all communications.

For more information about securing your OS, see your OS documentation.

GlassFish Server Security

Convergence Server is deployed to a GlassFish server domain. For information about installing and configuring GlassFish Server, see Oracle GlassFish Installation Guide.

For information about securing GlassFish Server, see Oracle GlassFish Security Guide, at:

http://docs.oracle.com/cd/E18930_01/html/821-2435/index.html

Install GlassFish Server with a secure administration server instance. If the GlassFish Server administration server is not running in secure mode, the Convergence init-config program cannot be run in secure mode without errors. Therefore, install and configure both GlassFish Server and Convergence in secure mode.

When installing GlassFish Server, you are asked for the following security information:

  • Administration User and Administration User password

  • master password for SSL certificate

  • port number for HTTPS port

  • secure administration server instance

Accessing a Web Application Deployed on GlassFish Server

To access a web application deployed on a GlassFish server, use the URL http://localhost:8080/ (or https://localhost:8181/ if it is a secure application), along with the context root specified for the web application. To access the GlassFish Server Administration Console, use the URL https://localhost:4848/ or http://localhost:4848/asadmin/ (its default context root).

Secure Sockets Layer (SSL)

Secure connections between applications connected over the Web can be obtained by using protocols such as Secure Socket Layer (SSL) or Transport Layer Security (TLS). SSL is often used to refer to either of these protocols or a combination of the two (SSL/TLS). Due to a security problem with SSLv3, Convergence recommends the use of only TLS. See "Disabling SSLv3 on Front-End GlassFish Server Hosts" for more information. However, throughout this guide, secure communications may be referred to by the generic term SSL.

In a Convergence deployment, you can configure SSL between the following components:

  • GlassFish Server administration server port

  • GlassFish server for Convergence

  • Messaging Server

  • Contacts Server

  • Calendar Server

  • Instant Messaging Server

  • Indexing and Search Service

  • LDAP

  • Access Manager

  • Transformation Server

  • WebRTC Session Controller

Configuring SSL in Convergence

SSL provides a secure means of communication between the web-browser client and the server.

You can enable SSL in Convergence when you run the Convergence configuration script the first time, or in GlassFish Server. If you are enabling SSL for Convergence in GlassFish Server, you must also set the base.sslport property using the Convergence iwcadmin command-line utility. For example:

iwcadmin -o base.sslport -v base_ssl_port

See Convergence System Administrator’s Guide for more information about the base.sslport property and the iwcadmin command.

Configuring Authentication-Only SSL

Authentication-Only SSL is a mechanism in which users are authenticated by using the HTTPS protocol which sends user authentication details in an encrypted format. All other requests from the Convergence client are performed using the HTTP protocol. To configure Convergence to use Authentication-only SSL, you set the base.sslport and base.enableauthonlyssl properties using the iwcadmin command. For example:

iwcadmin -o base.sslport -v base_ssl_port
iwcadmin -o base.enableauthonlyssl -v true

See Convergence System Administrator’s Guide for more information about the base.sslport and base.enableauthonlyssl properties and the iwcadmin command.

Enabling SSL for Back-End Servers

Using the iwcadmin command, you can enable a secure data connection between Convergence and the following back-end servers:

  • To enable SSL to Messaging Server:

    iwcadmin -o mail.enablessl -v true
    iwcadmin -o mail.port -v mail_port

    Messaging Server must be running in SSL mode.

  • To enable SSL to Calendar Server 6.3:

    iwcadmin -o cal.enablessl -v true
    iwcadmin -o cal.port -v calendar_port

    To enable SSL to Calendar Server 7:

    iwcadmin -o caldav.enablessl -v true
    iwcadmin -o caldav.port -v caldav_port

    Calendar Server must be running in SSL mode.

  • To enable SSL for Convergence address book, configure Convergence with SSL.

  • To enable SSL between Convergence and Instant Messaging Server, you must enable TLS/SSL in Instant Messaging Server. No configuration changes are required for Convergence. See Instant Messaging Server System Administrator's Guide for more information.

  • To enable SSL to Contacts Server:

    iwcadmin -o nab.enablessl -v true
    iwcadmin -o nab.port -v nab_port

  • To enable SSL to Index Search Service:

    iwcadmin -o ISS.enablessl -v true
    iwcadmin -o ISS.port -v iss_port

  • To enable SSL between Convergence and the directory server:

    iwcadmin -o ugldap.enablessl -v true
    iwcadmin -o ugldap.port -v ldap_port

Closing Non-SSL Connections

By default, Convergence listens to requests on both http (non-SSL) and https (SSL) connections. You should close all non-SSL connections, preventing Convergence from listening for non-SSL traffic.

To disable non-SSL connections:

  1. List all the http listeners using the Oracle GlassFish Server asadmin command-line utility:

    asadmin list "*" | grep server-config | grep http-listener

  2. Determine which http listeners are open for non-SSL connections. Use the asadmin command to display all the settings for a particular http listener:

    asadmin get server-config.http-service.http-listener.http_listener.*

    Where http_listener is any http listener name returned by the asadmin list command.

  3. For each non-SSL Convergence connection, use the asadmin command to disable the connection:

    asadmin set server-config.http-service.http-listener.http_listener.enabled=false

  4. Restart the GlassFish server.
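The following is an added example, not part of the Convergence guide: a POSIX shell dry run of steps 2 and 3 above that reads the name=value lines printed by asadmin get, picks out the listeners that are not SSL-enabled, and prints the asadmin set command that would disable each one, so an administrator can review the plan before executing it. It assumes that the listener attribute is named security-enabled and that asadmin get prints one dotted.name=value pair per line; the listener output below is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the Convergence guide). Assumptions: the http-listener
# attribute for SSL is "security-enabled" and "asadmin get ...*" prints one
# "dotted.name=value" line per attribute.

# Constructed sample of "asadmin get server-config.http-service.http-listener.*.*"
# output for two listeners: one plain http, one SSL-enabled.
SAMPLE_GET_OUTPUT='server-config.http-service.http-listener.http-listener-1.port=8080
server-config.http-service.http-listener.http-listener-1.security-enabled=false
server-config.http-service.http-listener.http-listener-1.enabled=true
server-config.http-service.http-listener.http-listener-2.port=8181
server-config.http-service.http-listener.http-listener-2.security-enabled=true
server-config.http-service.http-listener.http-listener-2.enabled=true'

# Read asadmin get output on stdin; print the name of every listener whose
# security-enabled attribute is false (the non-SSL connections to close).
non_ssl_listeners() {
    sed -n 's/^server-config\.http-service\.http-listener\.\([^.]*\)\.security-enabled=false$/\1/p'
}

# Print the asadmin set command that disables one listener (step 3 above).
disable_listener_cmd() {
    printf 'asadmin set server-config.http-service.http-listener.%s.enabled=false\n' "$1"
}

# Dry run over the constructed sample: one disable command per non-SSL listener.
# Review the output (the admin listener on 4848 also lives under server-config),
# then run the commands and restart GlassFish Server.
plan_disable() {
    printf '%s\n' "$SAMPLE_GET_OUTPUT" | non_ssl_listeners | while read -r name; do
        disable_listener_cmd "$name"
    done
}

plan_disable
```

To use it against a live domain, replace the sample with the real asadmin get output, for example `asadmin get 'server-config.http-service.http-listener.*.*' | non_ssl_listeners`.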

LDAP Security

To enhance client security in communicating with Directory Server, use a strong password policy for user authentication. For more information on securing Directory Server, see the discussion on security in Oracle Directory Server Enterprise Edition Administration Guide.