This chapter explains how to protect the traffic between Oracle Communications Services Gatekeeper and the web-based users and applications that it communicates with. This chapter starts by explaining how to protect all Services Gatekeeper implementations from malware and denial of service (DOS) attacks, and then provides information specific to API management features.
Securing network traffic between your Services Gatekeeper and the users and applications that connect to it over the Internet involves these general categories:
In addition, there are special considerations for API management users, and communication services. See these sections for details:
You configure network security traffic by performing the following general tasks:
Deciding which error message to return when a SOAP or REST message is rejected. The default error message is 400 Bad Request, which is the most descriptive. You set the error message by using the getErrorStatus attribute of ApiFirewallMBean. See the ”All Classes” section of Services Gatekeeper OAM Java API Reference for details.
Deciding whether to direct Services Gatekeeper to create an EDR and alarm for each firewall violation by using the CreateViolationEdrs attribute to ApiFirewallMBean. The attribute is boolean and the default value is yes.
The EDR is created with one of these statuses:
Reject - no further status is available.
Reject: json - An exception was thrown while parsing JSON.
Reject: size - The message was too big.
Reject: scheme - Protocol scheme was not allowed (for example, HTTP was used to access a HTTPS only API).
The new alarm number is 390000. For details see "390000: Request Rejected by API Firewall” in Services Gatekeeper Alarms Handling Guide.
This is an example CreateViolationEdrs EDR:
ServiceName = null Timestamp = 1473942471250 ContainerTransactionId = null ServerName = servername Class = oracle.ocsg.api_firewall.filter.GenericAPIFirewallFilter Method = doFilter Source = Exception HttpStatusCode = 400 Status = Reject: size Position = after Method = doFilter TransactionId = 67e7ed6c-26cc-4c07-b59c-bb36f40e502d State = API-FW Class = oracle.ocsg.api_firewall.filter.GenericAPIFirewallFilter HttpMethod = POST Timestamp = 1473942471250 Source = Exception URL = /weather-soap/1/weather ErrCat = API-FW ServerName = servername
Setting the maximum limits for error messages, including:
The maximum total size of a single message entity, such as a comment, by using the MaxItemValueLength attribute of ApiFirewallMBean.
The maximum total size of an error message by using the getMaxMessageSize attribute of ApiFirewallMBean.
The maximum number of nested message elements by using the getMaxChildElementDepth attribute of ApiFirewallMBean.
The maximum number of unbounded elements by using the getMaxUnboundedItems attribute of ApiFirewallMBean.
Note:
The maximum size supported for any single message is 200 MB.(Optional) Creating a list of trusted APIs. Most of the ApiFirewall MBean security attributes filter messages that are potential security risks. This filtering process degrades performance slightly. To avoid this performance penalty, create a list of trusted APIs that are exempt from the filtering process by using the setApiConfigXml attribute of ApiFirewallMBean. See ”Creating a List of Trusted APIs Using ApiConfigXml” for details.
(Optional) creating a list of trusted IP addresses for REST-based communication. See "Protecting REST APIs with a White List of IP Addresses" for instructions.
You can change ApiFirewallMBean attributes from the Administration Console or by editing the MBean directly. For a description of the attributes and operations of the ApiFirewallMBean MBean, see the ”All Classes” section of Services Gatekeeper OAM Java API Reference.
You use the ApiConfigXml element of ApiFirewallMBean to create a ”white list” of well-known API URLs. Once created, traffic from those URLs passes into Services Gatekeeper without the standard network traffic security checks. This is more efficient but less secure. So be sure that the URLs you exempt from security checks really are trusted.
Example 3-1 shows the ApiConfigXml syntax:
Example 3-1 ApiConfigXml Schema Syntax
<?xml version="1.0" encoding="UTF-8"?>
<schema xmlns="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://oracle/ocsg/api_firewall/management/xml"
xmlns:tns="http://oracle/ocsg/api_firewall/management/xml"
elementFormDefault="qualified">
<element name="baseApis">
<complexType>
<complexContent>
<extension base="tns:Apis">
</extension>
</complexContent>
</complexType>
</element>
<complexType name="Apis">
<sequence>
<element name="apis" type="tns:Api" minOccurs="0" maxOccurs="unbounded"></element>
</sequence>
</complexType>
<complexType name="Api">
<sequence>
<choice>
<element name="requestUrl" type="string"></element>
<element name="requestUrl_regex" type="string"></element>
</choice>
<element name="method" type="string" minOccurs="0" maxOccurs="unbounded"></element>
</sequence>
</complexType>
</schema>
Example 3-2 shows how to exclude URLs for OneAPI SMS sendSms and Px21 SMS sendSmsLogo from security checks:
Example 3-2 Exempting OneAPI SMS and Parlay x21 SMS
<?xml version="1.0" encoding="UTF-8"?>
<baseApis xmlns="http://oracle/ocsg/api_firewall/management/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<apis>
<requestUrl>/parlayx21/sms/SendSms</requestUrl>
<method>sendSmsLogo</method>
</apis>
<apis>
<requestUrl_regex>/oneapi/1/smsmessaging/outbound/(.*)/requests</requestUrl_regex>
<method>POST</method>
</apis>
</baseApis>
Your network implementation can be vulnerable to denial of service (DOS) attacks, which generally try to interfere with legitimate communication inside the Services Gatekeeper Access Tier. To prevent these messages from reaching your network, Services Gatekeeper offers configurable SOAP and RESTful message filtering. You configure this filtering behavior by using the ApiFirewall configuration MBean. ApiFirewall determines how Services Gatekeeper filters messages attempting to enter the Services Gatekeeper application tier.
Table 3-1 lists network attacks that Services Gatekeeper protects against, and lists where you can find information about configuring those protections.
Table 3-1 Message-Based Attacks and How to Protect Against Them
| Attack Strategy | Protection Strategy | Default Result |
|---|---|---|
|
Malicious Content Attack, including: SOAP message attacks:
RESTful message attacks:
|
The ApiFirewall MBean settings (application tier) limit the acceptance of oversize message entities. See the ”All Classes” section of Services Gatekeeper OAM Java API Reference for details. |
Rejects the message and returns the error message specified with the ErrorStatus attribute of ApiFirewallMBean. |
|
Continuous wrong password attack. |
The default WebLogic Security Provider setting (application tier) locks a subscriber out for 30 minutes after 5 wrong password attempts. This behavior is configurable. See the section on ”Protecting user Accounts” in Administering Security for Oracle WebLogic Server for more information. |
Rejects the message and returns a 500 Internal Server Error message. |
|
Malformed SOAP Message (does not match the SOAP schema), including:
|
You can direct the WebLogic SOAP message processor (application tier) to validate the SOAP schema and reject malformed messages. See ”Validating the XML Schema” in Oracle Fusion Middleware Getting Started with JAX-WS Web Services for Oracle Weblogic Server for more information. Also, the WebLogic Server SOAP engine ignores any attempt to change the DTD definition in a SOAP message. |
Rejects the message and returns a 500 Internal Server Error message. |
|
Malformed RESTful messages (do not match the REST schema). |
The Jersey parsing engine (network tier) rejects these types of messages. |
Rejects the message and returns a 500 Internal Server Error message. |
|
External Entity Reference |
The Services Gatekeeper ApiFirewall (application tier) prohibits all references to external entities. It is possible to remove this protection. See "Removing External Entity Reference Security" for details. |
Rejects the message and returns a 500 Internal Server Error message. |
This feature allows you to protect your REST-based APIs by limiting access to them to a specific list of trusted IP addresses. You specify the trusted IP addresses using a special key/value pair in a call to the Services Gatekeeper application tier (AT) using the updateAllSysConfig system configurations operation. The prmIPAddressWhitelist key in this operation matches a value that specifies the white list of IP addresses. The key value accepts alpha-numeric characters, dots, and asterisk (*) wildcard character to specify IP addresses, and commas to separate IP address items. Table 3-2 lists some example values to go with the prmIPAddressWhitelist key.
Table 3-2 Example prmIpAddressWhiteList Values
| IP Address Value | IP Addresses in the White List |
|---|---|
|
192.0.2.2 |
Only the 192.0.2.2 address. |
|
192.0.2.* |
All IP addresses that match these first three bytes: 192.0.2. |
|
103.0.113.4,192.0.2.* |
The 103.0.113.4 IP address, and all IP addresses that match these first three bytes: 192.0.2. |
|
103.0.113.4,192.0.2.*,198.* |
The 103.0.113.4 IP address, all IP addresses that match these first three bytes: 192.0.2, and all IP addresses that match this first byte: 198. |
This example call to updateAllSysConfig creates a white list of IP addresses allowed to communicate with Services Gatekeeper. The list includes all IP addresses that use the first byte of 192:
curl
'http://localhost:8001/prm_pm_rest/services/prm_pm/services/partner_manager/sysconfig/updateAllSysConfig'\
-X PUT -H 'Pragma: no-cache' -H 'Origin: http://localhost:7005' -H 'Accept-Encoding: gzip, deflate,
sdch'\
-H 'Accept-Language: en-US,en;q=0.8' -H 'Authorization: Basic b3A6d2VibG9naWMxMjM='\
-H 'Content-Type: application/json' -H 'Accept: application/json, text/javascript, */*; q=0.01'\
-H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive'\
-H 'Referer: http://localhost:7005/portal/partner-manager/index/main.html'\
--data-binary '{"updateAllSysConfig":{"sysConfig":[{"key":"obieServerAddress","value":""},
{"key":"obieServerUserName","value":""},{"key":"obieServerPassword","value":"
{AES}tAtwHZPedgVyZISQdjuYng=="},{"key":"mailServerAddress","value":""},
{"key":"mailServerPort","value":""},{"key":"isMailServerSSL","value":"false"},
{"key":"mailServerUsername","value":""},{"key":"mailServerPassword","value":"
{AES}tAtwHZPedgVyZISQdjuYng=="},{"key":"isMailHttpProxy","value":"false"},
{"key":"mailProxyHost","value":""},{"key":"mailProxyPort","value":""},
{"key":"isAutoApprovalReg","value":"true"},{"key":"isAutoApprovalApp","value":"true"},
{"key":"ocsgServerAddr","value":""},{"key":"ocsgServerPort","value":""},
{"key":"ocsgServerSslPort","value":""},{"key":"isOcsgMultiTier","value":"false"},
{"key":"ocsgNtServerAddr","value":""},{"key":"ocsgNtServerPort","value":""},
{"key":"ocsgNtServerSslPort","value":""},{"key":"prmIPAddressWhitelist","value":"192.*"}]}}' --compressed
See "updateAllSysConfig" for more information.
WARNING:
The instructions in this section remove a key network security feature protecting Services Gatekeeper. Do NOT follow these instructions unless you fully understand the security vulnerabilities and are sure that your implementation is immune to them.
By default, Services Gatekeeper does not allow references to external entities. You can use this Java system property to remove this protection:
oracle.ocsg.api_firewall.isSupportingExternalEntities=true
Linux example:
JAVA_OPTIONS="${JAVA_OPTIONS} -Doracle.ocsg.api_firewall.isSupportingExternalEntities=true"
Windows example:
set JAVA_OPTIONS=%JAVA_OPTIONS% -Doracle.ocsg.api_firewall.isSupportingExternalEntities=true
Securing network traffic between your Services Gatekeeper API management system and the users and applications that connect to it involves these general categories:
This section explains how to authenticate the users and applications that connect Services Gatekeeper to access your APIs.
To authenticate applications, you select a security method when you create the API. The choices depend on the type of API you creating, and include:
None - In some cases you can create an API that does not require authentication.
Text - Authenticates using a username and password.
OAuth - Protects third-party resources using security tokens.
Appkey - Authenticates using an application key.
See ”Securing Services Gatekeeper Methods and API Services” in Services Gatekeeper API Management Guide for more information on these options.
For authenticating users you configure one or more of the WebLogic server security providers by using the Administration Console. Follow these general steps to configure a WebLogic security provider:
Start the Administration Console.
See ”Starting and Using the Administration Console” in Services Gatekeeper System Administrator's Guide for details
In the Domain Structure pane, navigate to Security Realms, then realm_name (myrealm by default), and click Providers.
The Authentication tab displays the list of Authentication Providers (security providers).
Configure one or more provider to authenticate users.
Note:
If the provider has a Control Flag setting (JAAS flag), choose the Optional option, so Services Gatekeeper will also use the API application authorization setting (text, OAuth, or Appkey). That is, simply authorizing the user is insufficient protection; you also need to authorize the application using the API authorization method.Save your changes and release the configuration.
For more information on WebLogic security providers and instructions on how to configure them in ”Configuring WebLogic Security Providers” in Fusion Middleware Securing Oracle WebLogic Server.