Table of Contents

• Title and Copyright Information
• My Oracle Support
• Acronyms
• What’s New in DSR Security Guide
• 1 Introduction
  • 1.1 Audience
  • 1.2 References
• 2 Diameter Singling Router Security Overview
  • 2.1 Basic Security Considerations
  • 2.2 Accessing Diameter Signaling Router System
• 3 Implement Oracle Communications Diameter Signaling Router Security
  • 3.1 Diameter Signaling Router Web GUI Standard Features
    • 3.1.1 User Administration
      • 3.1.1.1 Establishing Groups and Group Permissions
      • 3.1.1.2 Creating Users and Assigning to Groups
    • 3.1.2 User Authentication
      • 3.1.2.1 Passwords
      • 3.1.2.2 Changing DSR Administrative Account Passwords
      • 3.1.2.3 Password Complexity
      • 3.1.2.4 Password Expiration
      • 3.1.2.5 Restricting Concurrent Logins
      • 3.1.2.6 External Authentication
      • 3.1.2.7 LDAP Authentication for Users
      • 3.1.2.8 SSO Authentication for Users
      • 3.1.2.9 Password Strengthening Procedures
        • 3.1.2.9.1 Setting Password Strength with Minimum Digit Characters
        • 3.1.2.9.2 Setting Password Strength with Minimum Uppercase Characters
        • 3.1.2.9.3 Setting Password Strength with Minimum Special Characters
        • 3.1.2.9.4 Setting Password Strength with Minimum Lowercase Characters
        • 3.1.2.9.5 Setting Deny for Failed Password Attempts
        • 3.1.2.9.6 Setting Minimum Password Length
      • 3.1.2.10 Login and Welcome Banner Customization
      • 3.1.2.11 SSH Security Hardening Procedures
        • 3.1.2.11.1 Setting SSH Client Alive Count
        • 3.1.2.11.2 Disabling SSH Access through Empty Passwords
        • 3.1.2.11.3 Enabling SSH Warning Banner
        • 3.1.2.11.4 Denying SSH Environment Options
        • 3.1.2.11.5 Generating RSA SSH Key for Admin User
        • 3.1.2.11.6 Setting SSH Log Level
        • 3.1.2.11.7 Enabling SSH IgnoreRhosts
        • 3.1.2.11.8 Disabling SSH X11 Forwarding
        • 3.1.2.11.9 Disabling SSH HostbasedAuthentication
        • 3.1.2.11.10 Setting SSH LoginGraceTime
        • 3.1.2.11.11 Disabling SSH Insecure Key Exchange Algorithms and Setting Up Key Length
        • 3.1.2.11.12 Disabling SSH Weak Key Exchange Algorithms
      • 3.1.2.12 Services Hardening Procedures
        • 3.1.2.12.1 Uninstalling tftp-server Package
        • 3.1.2.12.2 Disabling xinetd Service
        • 3.1.2.12.3 Uninstalling xinetd Service
        • 3.1.2.12.4 Disabling ntpdate Service
  • 3.2 SNMP Configuration
    • 3.2.1 Enabling SNMP Versions
    • 3.2.2 Configuring Community Names
  • 3.3 SNMPv3 on PMAC
    • 3.3.1 Enabling SNMPv3 Support on PMAC
    • 3.3.2 Configuring SNMPv3 Security Model and Trap Servers
  • 3.4 Authorized IPs
  • 3.5 Certificate Management
    • 3.5.1 Creating a New Certificate for WebLogic and Tomcat Servers
      • 3.5.1.1 Creating Keystore and Certificate Signing Request
      • 3.5.1.2 Importing Certificate
      • 3.5.1.3 Configuring Keystore on WebLogic
      • 3.5.1.4 Creating Keystore in the Tomcat Server
      • 3.5.1.5 Modifying the Tomcat File Configuration
  • 3.6 SFTP Administration
• 4 Host Intrusion Detection System (HIDS)
  • 4.1 Host Intrusion Detection System Overview
  • 4.2 Checking the Host Intrusion Detection System Status
  • 4.3 Initializing the Host Intrusion Detection System
  • 4.4 Enabling or Disabling Host Intrusion Detection System
  • 4.5 Suspending or Resuming Host Intrusion Detection System
  • 4.6 Running On-Demand HIDS Security Check
  • 4.7 Updating Host Intrusion Detection System Baseline
  • 4.8 Deleting Host Intrusion Detection System
  • 4.9 Host Intrusion Detection System Alarms
• 5 Diameter Signaling Router OS Standard Features
  • 5.1 Configuring NTP Servers
    • 5.1.1 Configuring NTP for the Host OS of the Application Guest VM
  • 5.2 Setting the Time on the TVOE Host
  • 5.3 Configuring Password Settings for OS Users
  • 5.4 Configuring Passwords without Embedding Usernames
  • 5.5 Configuring Other Session and Account Settings for OS Users
    • 5.5.1 Configuring Session Inactivity for OS Users
    • 5.5.2 Configuring Number of Failed Login Attempts
    • 5.5.3 Configuring Lockout Time for Inactive Accounts
  • 5.6 Updating the TPD-Provd Cipher List
  • 5.7 Operational Dependencies on Platform Account Passwords
  • 5.8 Updating the SELinux Mode on the Server
• 6 Other Optional Configurations
  • 6.1 Authentication for Single User Mode
  • 6.2 Changing OS User Account Default Passwords
  • 6.3 Changing Login Display Message
  • 6.4 Forcing iLO to Use Strong Encryption
  • 6.5 Setting Up rsyslog for External Logging
  • 6.6 Adding sudo Users
  • 6.7 Reporting and Disabling Expired OS User Accounts
• 7 Ethernet Switch Considerations
  • 7.1 Configuring SNMP in Switches
  • 7.2 Configuring Community Strings
  • 7.3 Configuring SNMP Traps
• 8 Security Logs and Alarms
• 9 Optional IPsec Configuration
  • 9.1 IPsec Overview
    • 9.1.1 Encapsulating Security Payload
    • 9.1.2 Internet Key Exchange
  • 9.2 IPsec Process
  • 9.3 Setting Up IPsec
  • 9.4 IPsec IKE and ESP Elements
  • 9.5 Adding an IPsec Connection
  • 9.6 Editing an IPsec Connection
  • 9.7 Enabling and Disabling an IPsec Connection
  • 9.8 Deleting an IPsec Connection
• 10 Firewall Configuration Changes
  • 10.1 IP tables
  • 10.2 TCP Wrappers
• 11 Internal Web Services
  • 11.1 Changing Internal Web Service Passwords
  • 11.2 Changing TPD Web Service Password
  • 11.3 Changing Internal Web Service Certificates and Key Material
• 12 Updating the MySQL Password
• 13 Appendix
  • 13.1 Secure Deployment Checklist