1 Convergence Security Overview

This chapter provides an overview of security for Oracle Communications Convergence.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  1. Keep software up to date. This includes the latest product release and any patches that apply to it.

  2. Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  3. Monitor system activity. Establish who should access which system components, how often they should be accessed, and who should monitor those components.

  4. Install software securely. For example, use firewalls, secure protocols (such as TLS), and strong passwords. See "Performing a Secure Convergence Installation" for more information.

  5. Learn about and use Convergence security features. See "Implementing Convergence Security" for more information.

  6. Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security.

  7. Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the Oracle Critical Patch Updates and Security Alerts web site:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Understanding the Convergence Environment

When planning your Convergence environment, consider the following:

  • Which resources require protection?

    For example:

    • Convergence

    • Protocols, such as HTTP, WMAP, WCAP, LDAP, XMPP, WABP, NABP

    • Dependent resources, such as GlassFish Server, WebLogic Server, Directory Server, Index Search Service, Messaging Server, Calendar Server, Instant Messaging Server, WebRTC Session Controller, Oracle Outside In Transformation Server

  • From whom do the resources require protection?

    In general, resources must be protected from everyone on the Internet. But should the Convergence deployment also be protected from employees on your enterprise intranet? Should your employees have access to all resources within the Oracle certified application server environment? Should system administrators have access to all resources, and to all data? You might give access to highly confidential data or strategic resources to only a few well-trusted system administrators, or decide that no system administrator needs access to that data or those resources at all.

  • What happens if protections on strategic resources fail?

    In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use Convergence. Understanding the security ramifications of each resource helps you protect it properly.

Overview of Convergence Server Security

Each installed or integrated component requires special steps and configurations to ensure complete system security. See the discussion about Convergence deployment architecture in Convergence System Administrator's Guide for more information about the Convergence components.

In that architecture, the top layer shows the services provided by Convergence. The middle layer represents the Convergence server itself, deployed to the Oracle certified application server domain. The bottom layer shows the dependencies that the Convergence server has on other applications to provide its services and features.

Convergence consists of the following core services:

  • Service Proxies

  • XMPP over HTTP Gateway

  • Address Book Service

  • Authentication & Authorization

  • SSO (Oracle Access Manager/Messaging SSO)

  • Configuration management

  • Logging

  • Basic Monitoring

The service proxies communicate using various protocols to the Oracle Communications software products used to deliver Convergence services.

Recommended Deployment Topologies

Because Convergence is an end-user client program, it occupies the User Tier in any deployment topology. See the discussion about Convergence deployment architecture in Convergence System Administrator's Guide for more information about the Convergence deployment topology.

The general architectural recommendation is to use the well-known and generally accepted Internet-Firewall-DMZ-Firewall-Intranet architecture. For more information on addressing network infrastructure concerns, see the Unified Communications Suite wiki:

https://wikis.oracle.com/display/CommSuite/Determining+Your+Communications+Suite+Network+Infrastructure+Needs

Operating System Security

This section lists Convergence-specific OS security configurations and applies to all supported OSs.

Firewall Port Configuration

Convergence communicates with various components on specific ports. Depending on your deployment and use of a firewall, you might need to ensure that the firewalls are configured to manage traffic for the following components:

  • GlassFish Server administration server (default 4848)

  • Oracle WebLogic Server administration server (http 7001, https [default] 7002)

  • Convergence (http 8080, https [default] 8181)

  • WebMail Server (http 8990, https [default] 8991)

  • Contacts Server (http 8080, https [default] 8181)

  • Calendar Server (http 8080, https [default] 8181)

  • Instant Messaging Server (default 5269, for both http and https)

  • Indexing and Search Service (http 8080, https [default] 8181)

  • Directory server (ldap 389, ldaps [default] 636)

  • Oracle Access Manager (Oracle WebLogic Server default port)

  • Outside In Transformation Server (default 60611)

  • WebRTC Session Controller (Oracle WebLogic Server default port)

Close all unused ports, especially non-SSL ports, and use the SSL-enabled port, instead of the non-SSL port, for every connection listed above. Note that blocking a non-SSL port at the firewall does not stop the service from listening on it; also disable the listener on the server itself (see "Disabling Non-SSL Connections for Application Servers").
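
The following script is an added example, not part of the Convergence documentation: it checks the ports listed above with openssl s_client and reports, for each, whether it answers TLS, plain text, or nothing, so that a non-SSL port that should be closed shows up as a MISMATCH. The host names in its table and the port-audit.sh file name are assumptions.

```shell
#!/bin/sh
# Added example; it is not part of the Convergence documentation. It audits
# the ports listed above by asking each one for a TLS handshake with
# "openssl s_client" and comparing the answer with what a hardened deployment
# should show: SSL ports answer TLS, non-SSL ports are closed. Requires the
# openssl command-line tool. The host names in the table are assumptions.

# Classify the combined stdout/stderr of "openssl s_client" (read from stdin):
#   closed     connection refused or timed out
#   plaintext  open, but the service answered with something other than TLS
#   failed     TLS was attempted but no protocol or cipher could be agreed on
#   tls        a TLS handshake completed
#   unknown    no usable answer (a silent plain-text service, or a firewall
#              that drops packets instead of rejecting the connection)
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"Connection refused"*|*"connect:errno"*|*"Connection timed out"*)
            echo closed ;;
        *"wrong version number"*|*"unknown protocol"*|*"packet length too long"*)
            echo plaintext ;;
        *"Cipher is (NONE)"*|*"handshake failure"*)
            echo failed ;;
        *"Cipher is "*)
            echo tls ;;
        *)
            echo unknown ;;
    esac
}

# Probe one host:port. A 10-second cap (when "timeout" is available) stops a
# silent plain-text service from hanging the audit.
probe_port() {
    cap=""
    command -v timeout >/dev/null 2>&1 && cap="timeout 10"
    $cap openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 \
        | classify_s_client_output
}

# Expected state of each listener, from the port list above, as
# "<label> <host> <port> <expected>". Hosts are assumed; adjust to your site.
audit() {
    while read -r label host port expect; do
        [ -z "$label" ] && continue
        got=$(probe_port "$host" "$port")
        if [ "$got" = "$expect" ]; then status=ok; else status=MISMATCH; fi
        printf '%-8s %-20s %-5s expected=%-9s got=%s\n' \
            "$status" "$label" "$port" "$expect" "$got"
    done <<EOF
glassfish-admin   conv.example.com 4848 tls
convergence-http  conv.example.com 8080 closed
convergence-https conv.example.com 8181 tls
webmail-http      mail.example.com 8990 closed
webmail-https     mail.example.com 8991 tls
ldap              ds.example.com   389  closed
ldaps             ds.example.com   636  tls
EOF
}

# Run the audit only when invoked as a script named port-audit.sh.
case "$0" in
    */port-audit.sh) audit ;;
esac
```

Run it as sh port-audit.sh from outside the firewall after the rules are in place. The message strings it matches are those printed by OpenSSL 1.1.1 and 3.x; an unknown result usually means a plain-text service that waits for the client to speak first, so inspect such ports by hand.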

For more information about securing your OS, see your OS documentation.

GlassFish Server Security

The Convergence Server is deployed on a GlassFish Server domain. For information about installing and configuring GlassFish Server, see GlassFish Installation Guide.

For information about securing GlassFish Server 3, see GlassFish Security Guide, at:

http://docs.oracle.com/cd/E18930_01/html/821-2435/index.html

For information about securing GlassFish Server 5, see GlassFish Security Guide, at:

https://javaee.github.io/glassfish/doc/5.0/security-guide.pdf

Install GlassFish Server with secure administration enabled. If the GlassFish Server administration server is not running in secure mode, the Convergence init-config program cannot run in secure mode without errors. Therefore, install and configure both GlassFish Server and Convergence in secure mode.

When you install GlassFish Server, you should provide the following security information:

  • Administration User and Administration User password

  • master password for SSL certificate

  • port number for HTTPS port

  • secure administration server instance

Accessing a Web Application Deployed on GlassFish Server

To access a web application deployed on a GlassFish Server, use the URL http://localhost:8080/ (or https://localhost:8181/ if it is a secure application), along with the context root specified for the web application. To access the GlassFish Server Administration Console, use the URL https://localhost:4848/ or http://localhost:4848/asadmin/ (its default context root).

Oracle WebLogic Server Security

The Convergence Server is deployed on the Oracle WebLogic Server domain. For information about installing and configuring Oracle WebLogic Server, see Oracle WebLogic Server Installation Guide, at:

https://docs.oracle.com/middleware/1212/core/WLSIG/create_domain.htm#WLSIG281

For information about securing Oracle WebLogic Server 12.2.1.3, see Oracle WebLogic Server Security Guide, at:

https://docs.oracle.com/middleware/12213/wls/SECMG/identity_trust.htm

Install Oracle WebLogic Server with a secure administration server. If the Oracle WebLogic Server administration server is not running in secure mode, the Convergence init-config program cannot run in secure mode without errors. Therefore, install and configure both Oracle WebLogic Server and Convergence in secure mode.

When you install Oracle WebLogic Server, you should provide the following security information:

  • Administration User and Administration User password

  • master password for SSL certificate

  • port number for HTTPS port

  • secure administration server

Oracle WebLogic Server in Secure Mode

You should enable SSL and configure keystores to install Oracle WebLogic Server in a secure mode. For more information about enabling SSL and configuring keystores, see Fusion Middleware Administering Security for Oracle WebLogic Server Guide at:

https://docs.oracle.com/middleware/12213/wls/SECMG/identity_trust.htm#SECMG365

Oracle WebLogic Server supports the following keystore options in its configuration:

  • DemoIdentityandDemoTrust

  • CustomIdentityandCommand-lineTrust

  • CustomIdentityandCustomTrust

  • CustomIdentityandJavaStandardTrust

    Note:

    CustomIdentityandCustomTrust and CustomIdentityandJavaStandardTrust are the only keystore options supported for configuring Convergence in Oracle WebLogic Server. The demo identity and demo trust keystores ship with publicly known keys and are intended for development only; never use them in production.

Accessing a Web Application Deployed on Oracle WebLogic Server

To access a web application deployed on Oracle WebLogic Server, use the URL http://localhost/ (or https://localhost/ if it is a secure application), along with the context root specified for the web application. To access the Oracle WebLogic Server Administration Console, use the URL https://localhost:7002/console or http://localhost:7001/console/.

Secure Sockets Layer (SSL)

You can obtain secure connections between applications connected over the Web by using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. "SSL" is often used to refer to either of these protocols or to both (SSL/TLS). Because SSLv3 is broken (it is vulnerable to the POODLE padding-oracle attack), you should use only TLS.

If you are using GlassFish Server, See "Disabling SSLv3 on Front-End GlassFish Server Hosts" for more information.

If you are using Oracle WebLogic Server, see "Disabling SSLv3 on Front-End Oracle WebLogic Server Hosts" for more information.

In a Convergence deployment, you can configure SSL between the following components:

  • Oracle WebLogic Server / GlassFish Server administration server port

  • Oracle WebLogic Managed Server / GlassFish Server for Convergence

  • Messaging Server

  • Contacts Server

  • Calendar Server

  • Instant Messaging Server

  • Indexing and Search Service

  • Directory server

  • Transformation Server

  • WebRTC Session Controller

Configuring SSL in Convergence

SSL provides a secure means of communication between the web-browser client and the server.

You can enable SSL in Convergence when you run the Convergence configuration script the first time, or in the Oracle certified application server. If you are enabling SSL for Convergence in an application server, you must also set the base.sslport property using the Convergence iwcadmin command-line utility. For example,

iwcadmin -o base.sslport -v base_ssl_port

See Convergence System Administrator's Guide for more information about the base.sslport property and the iwcadmin command.

Configuring Authentication-Only SSL

Authentication-Only SSL is a mechanism in which users are authenticated over HTTPS, so that their credentials are sent encrypted, while all other requests from the Convergence client are sent over plain HTTP. This protects the password but not the session: after login, the session cookie and all mail, calendar, and address book data travel in clear text, so use this mode only where full SSL is not possible. To configure Convergence to use Authentication-only SSL, set the base.sslport and base.enableauthonlyssl properties using the iwcadmin command.

For example,

iwcadmin -o base.sslport -v base_ssl_port
iwcadmin -o base.enableauthonlyssl -v true

See Convergence System Administrator's Guide for more information about the base.sslport and base.enableauthonlyssl properties and the iwcadmin command.

Enabling SSL for Back-End Servers

Using the iwcadmin command, you can enable a secure data connection between Convergence and the following back-end servers:

  • To enable SSL to Messaging Server:

    iwcadmin -o mail.enablessl -v true
    iwcadmin -o mail.port -v mail_port
    

    Messaging Server must be running in SSL mode.

  • To enable SSL to Calendar Server 7:

    iwcadmin -o caldav.enablessl -v true
    iwcadmin -o caldav.port -v caldav_port
    

    Calendar Server must be running in SSL mode.

  • To enable SSL for Convergence address book, configure Convergence with SSL.

  • To enable SSL between Convergence and Instant Messaging Server, you must enable TLS/SSL in Instant Messaging Server. No configuration changes are required for Convergence. See Instant Messaging Server System Administrator's Guide for more information.

  • To enable SSL to Contacts Server:

    iwcadmin -o nab.enablessl -v true
    iwcadmin -o nab.port -v nab_port
    
  • To enable SSL to Index Search Service:

    iwcadmin -o ISS.enablessl -v true
    iwcadmin -o ISS.port -v iss_port
    
  • To enable SSL between Convergence and the directory server:

    iwcadmin -o ugldap.enablessl -v true
    iwcadmin -o ugldap.port -v ldap_port
    
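As an added example (not from the Convergence documentation), the following script runs the iwcadmin settings above for all back ends, but refuses to switch a back end whose port does not complete a TLS handshake, which is the check behind the note that Messaging Server and Calendar Server must already be running in SSL mode. The host names, the ports, the enable-backend-ssl.sh file name, and the use of an IWCADMIN wrapper that supplies iwcadmin's own credentials are assumptions.

```shell
#!/bin/sh
# Added example; it is not part of the Convergence documentation. It applies
# the iwcadmin settings above for every back end, but only after confirming
# that the back end completes a TLS handshake on the intended port: pointing
# Convergence at a port that does not speak TLS breaks the connection.
# Requires openssl. Host names and ports are assumptions, and IWCADMIN may
# point at a wrapper script that supplies iwcadmin's own credentials.

IWCADMIN="${IWCADMIN:-iwcadmin}"

# Succeed only if host:port negotiates a real cipher (not "Cipher is (NONE)").
speaks_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1 \
        | grep -q 'Cipher is [^(]'
}

# Set <prefix>.enablessl and <prefix>.port for one back end, where <prefix>
# is one of the property prefixes used above (mail, caldav, nab, ISS, ugldap).
enable_backend_ssl() {
    prefix=$1 host=$2 port=$3
    if ! speaks_tls "$host" "$port"; then
        echo "SKIP $prefix: $host:$port does not complete a TLS handshake;" \
             "enable SSL on that server before switching Convergence" >&2
        return 1
    fi
    "$IWCADMIN" -o "$prefix.enablessl" -v true &&
        "$IWCADMIN" -o "$prefix.port" -v "$port" &&
        echo "OK   $prefix -> $host:$port over SSL"
}

# Ports follow the default SSL ports in the firewall list above; hosts are
# placeholders. Returns 1 if any back end was skipped.
enable_all_backends() {
    rc=0
    while read -r prefix host port; do
        [ -z "$prefix" ] && continue
        enable_backend_ssl "$prefix" "$host" "$port" || rc=1
    done <<EOF
mail    mail.example.com 8991
caldav  cal.example.com  8181
nab     nab.example.com  8181
ISS     iss.example.com  8181
ugldap  ds.example.com   636
EOF
    return $rc
}

# Run everything only when invoked as a script named enable-backend-ssl.sh.
case "$0" in
    */enable-backend-ssl.sh) enable_all_backends ;;
esac
```

A SKIP line means the back end is still answering in clear text on that port; enable SSL there first, then rerun. Because each back end is handled independently, a skip never leaves Convergence half-configured for that back end.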

Disabling Non-SSL Connections for Application Servers

By default, Convergence listens to requests on both http (non-SSL) and https (SSL) connections. You should close all non-SSL connections, preventing Convergence from listening for non-SSL traffic.

To disable non-SSL connections for GlassFish Server:

  1. List all the http listeners using the GlassFish Server asadmin command-line utility:

    asadmin list "*" | grep server-config | grep http-listener
    
  2. Determine which http listeners are open for non-SSL connections. Use the asadmin command to display all the settings for a particular http listener; a listener whose security-enabled attribute is false accepts non-SSL connections:

    asadmin get server-config.http-service.http-listener.http_listener.*
    

    Where http_listener is one of the http listeners returned by the asadmin list command.

  3. For each non-SSL Convergence connection, use the asadmin command to disable the connection:

    asadmin set server-config.http-service.http-listener.http_listener.enabled=false
    
  4. Restart the GlassFish Server.
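
The four steps above, as an added example script that is not part of the Convergence documentation: it lists the listeners, reads each one's security-enabled attribute, and disables the non-SSL ones, leaving the admin listener alone because switching it off would lock you out of the Administration Console. The file name disable-plain-listeners.sh and the assumption that asadmin is on PATH and already authenticated are mine.

```shell
#!/bin/sh
# Added example; it is not part of the Convergence documentation. Automates
# the four steps above for GlassFish Server using the same dotted names as
# the guide. Assumes asadmin is on PATH and can authenticate (for example
# after "asadmin login"). Set DRY_RUN=1 to report without changing anything;
# restart the domain after a real run.

ASADMIN="${ASADMIN:-asadmin}"
LISTENER_BASE="server-config.http-service.http-listener"

# Print the short name of every http listener in server-config.
list_http_listeners() {
    "$ASADMIN" list "*" \
        | sed -n 's/^server-config\.http-service\.http-listener\.\([^.]*\)$/\1/p'
}

# Print the listener's security-enabled value ("true" or "false"); an absent
# attribute prints nothing and is treated as not SSL-enabled.
listener_security_enabled() {
    "$ASADMIN" get "$LISTENER_BASE.$1.security-enabled" \
        | sed -n 's/.*\.security-enabled=//p'
}

# Disable every non-SSL listener except the administration listener, which
# must be secured with "asadmin enable-secure-admin" rather than switched
# off (disabling it would lock you out of the Administration Console).
disable_plain_listeners() {
    for l in $(list_http_listeners); do
        if [ "$(listener_security_enabled "$l")" = "true" ]; then
            echo "keep    $l (SSL)"
        elif [ "$l" = "admin-listener" ]; then
            echo "WARN    $l is not SSL-enabled; run: $ASADMIN enable-secure-admin" >&2
        else
            echo "disable $l (plain HTTP)"
            if [ -z "${DRY_RUN:-}" ]; then
                "$ASADMIN" set "$LISTENER_BASE.$l.enabled=false"
            fi
        fi
    done
}

# Run only when invoked as a script named disable-plain-listeners.sh.
case "$0" in
    */disable-plain-listeners.sh) disable_plain_listeners ;;
esac
```

Run it with DRY_RUN=1 first to see which listeners would be disabled, then without it, and restart the domain (asadmin restart-domain) as step 4 requires. If the script warns about the admin listener, enable secure administration before anything else, since an unencrypted admin port exposes the domain's administration credentials.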

To disable non-SSL connections for Oracle WebLogic Server:

  1. Log into the Oracle WebLogic Server Administration Console.

  2. Click the domain name in the Domain Structure section.

  3. Navigate to Environment > Servers and select the Managed Server on which Convergence is deployed.

  4. Navigate to Configuration > General tab and deselect the Listen Port Enabled option.

  5. Click Save.

  6. Click Activate Changes.

  7. Restart Oracle WebLogic Server and Managed Server.

Directory Server Security

To enhance client security in communicating with the directory server, use a strong password policy for user authentication and connect to the directory server over LDAPS (see "Enabling SSL for Back-End Servers") so that bind credentials are never sent in clear text. For more information on directory server security, see the discussion on security in Oracle Directory Server Enterprise Edition Administration Guide.