13 Appendix
This chapter describes the Appendix for DSR.
13.1 Secure Deployment Checklist
The following security checklist helps you secure Oracle Communications Diameter Signaling Router (DSR) and its components:
- Change default passwords.
- Use LDAP for authentication purposes.
- Use the Authorized IP addresses feature.
- Use TLS or IPsec.
- Enforce strong password management.
- Restrict administrative functions to only the required administrator groups.
- Configure community strings and traps as described in the Other Optional Configurations chapter.
- Restrict network access by enabling the DSR firewall feature.
- Enforce iLO to use strong encryption.
- Available Ciphers for SSH and HTTPS/SSL.
The DSR system has been preconfigured to require modern strong ciphers for both SSH and TLS. The supported ciphers or MACs for SSH connections are:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
This is configured in /etc/ssh/sshd_conf. The supported cipher set (using openssl notation) for HTTPS/TLS is:
ECDH+AES128:ECDH+AESGCM:ECDH+AES256:DH+AES:DH+AESGCM:DH+AES256:RSA+AES:RSA+AESGCM:!aNULL:!MD5:!DSS:!SSLv3:!3DES
For the default TLS (https) connection, this is configured in /etc/httpd/conf.d/ssl.conf. For certificates loaded through the GUI, this is configured in /var/TKLC/appworks/etc/https.template.
For detailed information on importing HTTPS or SSL Certificate into VNFM, see Oracle Communications Diameter Signaling Router VNFM Installation and User Guide.
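The following check is an added example, not part of the Oracle documentation: it compares the Ciphers and MACs directives of an sshd configuration with the SSH algorithm lists given in this section, and flags missing directives, default-modifying prefixes, and repeated keywords that sshd would ignore. The function name audit_sshd and both sample configurations are constructed for illustration.

```python
# Added example: audit sshd Ciphers/MACs lines against the lists on this page.
ALLOWED = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-512", "hmac-sha2-256"},
}

def audit_sshd(text):
    """Return findings for an sshd config text; an empty list means compliant."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        # sshd keeps the first value it reads for a keyword and ignores repeats.
        if key in ALLOWED and key not in seen:
            seen[key] = parts[1].strip() if len(parts) > 1 else ""
    findings = []
    for key, allowed in ALLOWED.items():
        value = seen.get(key)
        if not value:
            findings.append(f"{key}: not set, OpenSSH defaults apply")
        elif value.startswith(("+", "-", "^")):
            # These prefixes edit the built-in default list instead of replacing it.
            findings.append(f"{key}: '{value}' modifies the defaults, not an explicit list")
        else:
            extra = [a for a in value.split(",") if a and a not in allowed]
            if extra:
                findings.append(f"{key}: not in documented set: {', '.join(extra)}")
    return findings

# Constructed sample inputs (not taken from a real DSR host).
COMPLIANT = """\
# hardened
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
"""
DRIFTED = """\
ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs +hmac-md5
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
"""

if __name__ == "__main__":
    for name, cfg in (("COMPLIANT", COMPLIANT), ("DRIFTED", DRIFTED)):
        print(name, audit_sshd(cfg) or "OK")
```

In the DRIFTED sample the compliant third line does not help, because sshd uses the first Ciphers value it reads.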