This chapter describes how to configure and use Oracle Communications Converged Application Server Identity Asserter providers.
A SIP Servlet can be configured to use one of the following identity assertion mechanisms:
P-Asserted-Identity
: With this mechanism, identity must be asserted using the P-Asserted-Identity
header in a SIP message that originates from a trusted domain. This identity assertion mechanism is described in RFC 3325.
Identity
: With this mechanism, identity must be asserted using the Identity
and Identity-Info
headers in SIP messages, which can originate from other domains. This identity assertion mechanism is described in RFC 4474.
Converged Application Server does not support the WebSocket
identity assertion mechanism.
You specify the identity assertion mechanism in the @SipLogin
annotation inside an @SipApplication
annotation. The @SipLogin
annotation element determines which identity assertion mechanism is required for the Servlet. See the JSR 359, section 22.3.3 for information @SipApplication
annotation, and information on configuring the identity assertion for a Servlet. See JSR 359, section 22.3.3.1 for information on @SipLogin
annotation.
Converged Application Server supports identity assertion mechanisms using security providers. The sections that follow describe how Converged Application Server handles messages with each identity assertion mechanism, and how to configure the required security providers.
The P-Asserted-Identity
header is honored only within a trusted domain. In a Converged Application Server system, trusted domains are purely configuration-based. To enable use of the header, you must configure one of two available P-Asserted Identity Assertion providers as described in "Configuring a P-Asserted-Identity Assertion Provider". The P-Asserted-Identity
assertion providers expose the trusted domain configuration for P-Asserted-Identity
headers. If you do not configure a provider, the header considers no IP addresses as being ”trusted.”
When Converged Application Server receives a message having the P-Asserted-Identity
header from a trusted host configured with the provider, it logs in the user specified in the header to determine group membership and other privileges. The value contained in the P-Asserted-Identity
header must be a SIP address (for example, sipuser@oracle.com
). By default, Converged Application Server removes the domain portion of the address (@oracle.com
) and uses the remainder as the user name. If you must support overlapping usernames from different names (for example, sipuser@oracle.com
and sipuser@cea.com
), you can create and use a custom user-name mapper to process the header contents into a unique username (for example, sipsuser_b
and sipuser_c
). Using a custom user name mapper also enables you to support WebLogic user names that contain an "@" character, such as @oracle.com
.
The presence of a P-Asserted-Identity
header combined with the Privacy
header also determines the way in which Converged Application Server proxies incoming requests. The value of the @SipLogin
annotation is also considered. Figure 5-1 describes how incoming SIP requests are managed in relation to the P-Asserted-Identity
header.
Figure 5-2 describes the standard security check procedure that Converged Application Server uses when an asserted user name is not authorized to access a requested resource. The standard security check is performed according to the auth-method
defined in the login-config
element of the sip.xml
descriptor for the current application.
The presence of a P-Asserted-Identity
header or a P-Preferred-Identity
header also affects the processing of outbound SIP requests. Figure 5-3 describes the behavior.
If the contents of a P-Asserted-Identity header are invalid, or if the header is received from a non-trusted host, then the security provider returns an "anonymous" user to the SIP Servlet container. If you configured the PAsserted Identity Strict Asserter provider, an exception is also thrown so that you can audit the substitution of the anonymous user. (If you configured the basic PAsserted Identity Asserter provider, no exception is thrown.)
With either provider, if identity assertion fails and the requested resource is protected (the request matches a security-constraint
defined in sip.xml
), the SIP container uses the auth-method
defined in the sip.xml
deployment descriptor to challenge the end user. For example, digest authentication may be used if the Servlet specifies the digest authentication method.
If the requested resource is not protected, the anonymous user is simply passed to the SIP Servlet without authorization. Because the 3GPP TS 24.229 specification recommends forced authorization even when a resource is unrestricted (and privacy is not requested), you should use declarative security to protect all of a SIP Servlet's resources to remain compliant with the specification. See "Securing SIP Servlet Resources" in Converged Application Server Developer's Guide for more information.
If authorization of the anonymous user fails, Converged Application Server then forces authentication by challenging the user.
Follow these steps to configure a security provider used to support the P-Asserted-Identity
header. Note that one of two providers can be selected, as described in "Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers".
In addition to configuring one of the above providers, configure a secondary, "fallback" login method (for example, using DIGEST or CLIENT-CERT authentication).
To configure a P-Asserted-Identity
provider:
Log in to the Administration Console for the Converged Application Server domain you want to configure.
In the left pane of the Console, select the Security Realms node.
Select the name of your security realm in Realms table in the right pane of the Console.
Select the Providers tab and select the Authentication subtab.
Click New in the Authentication Providers table.
Enter a name for the new provider, and select one of the following options for the Type:
PAssertedIdentityAsserter: Select this option to configure a provider that does not throw an exception when the P-Asserted-Identity
header is invalid or is received from a non-trusted host and an anonymous user is substituted.
PAssertedIdentityStrictAsserter: Select this option to configure a provider that throws an exception when the P-Asserted-Identity
header is invalid or is received from a non-trusted host and an anonymous user is substituted.
See "Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers" for more information.
Click OK.
Select the name of the provider you just created.
Select the Provider Specific tab.
Fill in the fields of the configuration tab as follows:
Trusted Hosts: Enter one or more host names that the provider will treat as trusted hosts. You can enter a list of IP addresses or DNS names, and wildcards are supported.
Note:
The provider does not use trusted hosts configured in thesipserver.xml
file. See information on sip-security
in the Oracle Communications Converged Application Server Administrator's Guide.User Name Mapper Class Name: Enter the name of a custom Java class used to map user names in the P-Asserted-Identity
header to user names in the default security realm. A custom user name mapper is generally used if user names are received from two or more different domains. In this case additional logic may be required to map usernames received from each domain. A custom user name mapper class is required if you want to map usernames in the P-Asserted-Identity
header to WebLogic usernames. See Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation for more information.
Alternatively, leave this field blank to use the default user name mapper. The default mapper simply discards the domain name and takes the resulting user name without applying any additional logic.
Click Save.
Restart the server.
Converged Application Server can also perform identity assertion using the Identity
and Identity-Info
headers, as described in RFC 4474. As with the p-asserted-identity
assertion mechanism, Identity
header assertion requires that you first configure the appropriate security provider (the IdentityHeaderAsserter
provider) in Converged Application Server.
When asserting the identity of inbound requests having the Identity
and Identity-Info
headers, Converged Application Server considers the values of the identity-assertion
and identity-assertion-support
elements in sip.xml
as well as the presence of a configured security provider. Figure 5-4 describes how incoming messages are processed using this assertion mechanism.
Follow these steps to configure the security provider used to support the Identity
header:
Log in to the Administration Console for the Converged Application Server domain you want to configure.
In the left pane of the Console, select the Security Realms node.
Select the name of your security realm from the Realms table in the right pane of the Console.
Select the Providers tab, and then select the Authentication subtab in the right pane.
Click New in the Authentication Providers table.
Enter a name for the new provider, and select IdentityHeaderAsserter for the Type.
Click OK.
Select the name of the provider you just created in the Authentication Providers table.
Select the Configuration tab and then select the Provider Specific subtab.
Fill in the fields of the Provider Specific subtab as follows:
Date Period: Enter the valid period for Date header, in seconds.
Https Channel Name: Enter the name of an HTTPS channel the provider should use to initialize an HTTPS client. An HTTPS channel is required (and must be configured separately) if a remote certificate must be retrieved via HTTPS.
User Name Mapper Class Name (optional): Enter the name of a custom Java class used to map user names in the Identity
header to user names in the default security realm. A custom user name mapper class is required if you want to map usernames in the Identity
header to WebLogic usernames. See Securing Oracle WebLogic Server in the Oracle WebLogic Server documentation for more information.
Click Save.
Restart the server.