Security Checklist

Use the following checklist to secure Oracle Communications Session Delivery Manager before, during and after its installation.

1. Do NOT connect your system to any untrusted networks, especially the Internet, until all protections have been configured. Customers have reported systems under configuration compromised within minutes due to incomplete configurations.
2. If you use identity management or single sign-on (SS) technologies, ensure that they are supported by security assertion markup language (SAML).
3. Harden the management environment.
   1. Make sure all equipment is in locked cabinets or at least in a secure room.
   2. Set strong passwords for all accounts and system users (nncentral user and nncentral group, sudo user, e-mail user, the admin user, LIadmin user etc.) during the installation.
   3. During the system installation, use HTTPS (default) as the system running mode.
   4. Use secure protocols, such as SFTP, HTTPS, LDAP and SSH, to communicate with Oracle Communications Session Delivery Manager.
4. Once Oracle Communications Session Delivery Manager is started, use the Security Manager to limit user privileges:
   1. Carefully consider who has access to the administrators password.
   2. Authenticate local groups and users that access the system. The system comes with the following default user groups: monitor, provisioner, administrators, and LIadministrators. Administrators have a complete set of permissions only, and the system provides role-based security policies for access control with dedicated user accounts that have pre-assigned privilege levels.
   3. Authenticate and authorize external users through an existing RADIUS server or Active Directory (AD) server.
5. Configure the inactivity timer in Security Manager to stop the abuse of system services.
6. Use HP Fortify, HP WebInspect, and Tenable Nessus scans to perform static and dynamic security testing on Oracle Communications Session Delivery Manager periodically, or after each release.
7. Continue to monitor system activity to determine if someone is attempting to abuse system services and to detect if there is performance or availability problems. Useful monitoring information can be acquired through audit logs, system logs and SNMP.