7 Securing Services Gatekeeper for PCI-DSS

This chapter explains the tasks necessary to make Oracle Communications Services Gatekeeper work with an implementation that uses the Payment Card Industry Data Security Standard (PCI-DSS).

Payment Card Industry - Data Security Standard Compliance

This section explains the tasks required to make Services Gatekeeper work with an implementation that will undergo PCI-DSSv3.1 certification.

Only the PCI-DSS specification tasks that apply to Services Gatekeeper are listed. If a PCI-DSS task does not apply to Services Gatekeeper, it is not listed here.

Understanding Services Gatekeeper Security

The Services Gatekeeper security procedures are documented in the sections listed below. If you have a question not otherwise answered by this document, check these sources:

Services Gatekeeper is built on top of the WebLogic Server. Its security procedures are documented here:

It is important to remember that Services Gatekeeper does not store any payment card information itself. It does not transmit, store, or display primary account number (PAN) or cardholder data (CHD).

Installing Services Gatekeeper for PCI

This section contains tasks that you need to perform during installation to make Services Gatekeeper PCI-DSS compliant.

Change the WebLogic Administrator Name and Use a Secure Password

Services Gatekeeper does not provide any default passwords. Instead, during installation you are prompted for a password to secure the domain (administrator) user called weblogic. During installation, select a different domain username and create a strong password for it.

Change the Partner Manager Administrative Username and Use a Secure Password

Also during installation, you are offered the default username of weblogic for the Partner and API Management Portal administrative user and prompted for a password. Enter a different username and use a strong password for this role.

Implementing Services Gatekeeper for PCI

This section explains tasks required to configure and administer Services Gatekeeper for PCI-DSS.

Protect Services Gatekeeper Components With Firewalls

Read and follow the instructions in "Deploying Services Gatekeeper in a Demilitarized Zone" to ensure that the Services Gatekeeper components listed are protected. Specifically, follow these rules while you are implementing Services Gatekeeper to protect it from unauthorized access:

  • Prohibit direct public access to Services Gatekeeper by isolating the Services Gatekeeper Access Tier and PRM Portal servers (including your API clients, Partner Portal users, and NSS Portal users) by using firewalls.

  • Isolate the Services Gatekeeper Network Tier servers, Administration server, and PRM Portal Administration servers behind a set of firewalls.

  • Isolate the Services Gatekeeper database behind a firewall.

  • Isolate any of your internal network servers from Services Gatekeeper using a firewall.

For details about setting up these firewalls, see "Overview and Recommended Deployments" in the Services Gatekeeper Security Guide, available on the Services Gatekeeper documentation web site:

http://docs.oracle.com/cd/E50778_01/doc.60/e50768/sgsec_dmz.htm#SGSEC226
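The four isolation rules above are easy to state and easy to break with a single over-broad firewall rule. The following added example (not Oracle's code, and not part of this guide) models the tiers as zones, keeps a table of the flows a firewall may permit, audits a candidate rule list against the four rules, and emits a default-drop nftables input chain for a host in a given zone. The CIDRs, the port numbers and the allowed-flow table are constructed assumptions; replace them with your own address plan and the ports you configure for your deployment.

```python
"""Zoning audit for a Services Gatekeeper DMZ deployment (added example)."""
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed address plan (assumption: substitute your own networks).
ZONES: Dict[str, str] = {
    "public": "0.0.0.0/0",          # API clients, Partner Portal and NSS Portal users
    "access_tier": "10.1.0.0/24",   # Access Tier and PRM Portal servers (DMZ)
    "network_tier": "10.2.0.0/24",  # Network Tier, Administration and PRM Portal Admin servers
    "database": "10.3.0.0/24",      # Services Gatekeeper database
    "internal": "10.9.0.0/16",      # your other internal network servers
}

# Constructed assumption derived from the chapter's four rules: the only
# (source zone, destination zone, TCP port) flows a firewall may permit.
# Ports are placeholders, not Services Gatekeeper defaults.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("public", "access_tier", 443),          # rule 1: public traffic stops at the Access Tier
    ("access_tier", "network_tier", 8001),   # rule 2: only the Access Tier reaches the Network Tier
    ("network_tier", "database", 1521),      # rule 3: only the Network Tier reaches the database
}


class Rule(NamedTuple):
    src: str
    dst: str
    port: int


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per candidate firewall rule that breaks the zoning model."""
    findings: List[str] = []
    for r in rules:
        if r.src not in ZONES or r.dst not in ZONES:
            findings.append(f"{r}: unknown zone")
        elif (r.src, r.dst, r.port) in ALLOWED:
            continue
        elif r.src == "public" and r.dst != "access_tier":
            findings.append(f"{r}: direct public access to an inner tier (rule 1)")
        elif r.dst == "database" and r.src != "network_tier":
            findings.append(f"{r}: database reachable from outside the Network Tier (rule 3)")
        elif "internal" in (r.src, r.dst):
            findings.append(f"{r}: internal servers must be isolated from Services Gatekeeper (rule 4)")
        else:
            findings.append(f"{r}: flow not in the allowed table (rule 2)")
    return findings


def nft_input_chain(zone: str) -> str:
    """Emit an nftables input chain for a host in `zone`: default drop, then
    accept only the new connections the allowed-flow table permits toward it."""
    lines = [
        "table inet sgk {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for src, dst, port in sorted(ALLOWED):
        if dst == zone:
            lines.append(f"    ip saddr {ZONES[src]} tcp dport {port} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    candidate = [
        Rule("public", "access_tier", 443),
        Rule("public", "network_tier", 8001),   # bypasses the Access Tier
        Rule("access_tier", "database", 1521),  # DMZ host talking straight to the DB
        Rule("internal", "network_tier", 8001), # internal server not isolated
    ]
    for finding in audit_rules(candidate):
        print(finding)
    print(nft_input_chain("database"))
```

Run the audit whenever the rule set changes; an empty findings list means every permitted flow is one the zoning model allows, and the generated chain for the database host accepts only the Network Tier on the listener port.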

Specify SSL-only Communication

You need to configure SSL communication for the Services Gatekeeper Administration server (and set the correct ports). See "Configuring SSL Communication" for details.

Configure the Default Services Gatekeeper Communication Ports

See "Configure the Default Services Gatekeeper Communication Ports" for details on how to secure Services Gatekeeper by changing port numbers and controlling access to them.

Understanding Users, User Groups and their Access to System Components

For a discussion of creating and administering the users that Services Gatekeeper relies on, see "Security Considerations Related to User Privileges."

Configure WebLogic Auditing to Monitor All Access to Network Resources

Follow the instructions in "Configuring WebLogic Auditing Provider" in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server to configure auditing. This document is available from the Oracle documentation web site:

https://docs.oracle.com/middleware/1213/wls/SECMG/audit.htm#SECMG137

Note:

Services Gatekeeper does not store any payment card information so there is no need to configure auditing for it.

Configure User Lockout Features

The WebLogic servers contain user lockout features that you may need to configure. For details, see "Security Realm: User Lockout" in the WebLogic Administration Console Online Help on the Oracle documentation web site:

http://docs.oracle.com/cd/E60665_01/fmw121300/WLACH/pagehelp/Securitysecurityrealmrealmuserlockouttitle.html
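To make the lockout settings concrete, here is an added example (not Oracle's code, and not part of this guide) that models the three realm settings a WebLogic user lockout works with: a failure threshold, a lockout duration, and a reset window after which old failures no longer count. It also checks a chosen policy against the two PCI-DSS v3.1 limits that apply here (requirement 8.1.6: lock out after not more than six attempts; requirement 8.1.7: lock out for at least 30 minutes or until an administrator unlocks the account). The timestamps are passed in explicitly so the behaviour is deterministic; the class and its names are this example's own, not the WebLogic API.

```python
"""Model of user lockout semantics with a PCI-DSS policy check (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    """Illustrative values modelled on the realm's lockout settings (assumption)."""
    threshold: int = 5           # failed attempts that trigger a lockout
    duration_s: int = 30 * 60    # how long the account stays locked
    reset_window_s: int = 5 * 60 # failures older than this no longer count


@dataclass
class UserState:
    failures: List[float] = field(default_factory=list)  # timestamps of failed logins
    locked_until: float = 0.0                            # 0 means not locked


class LockoutManager:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        return self._state(user).locked_until > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login at time `now`; return True if the account is locked."""
        st = self._state(user)
        if st.locked_until > now:
            return True  # attempts during a lockout do not shorten it
        window_start = now - self.policy.reset_window_s
        st.failures = [t for t in st.failures if t > window_start]  # drop expired failures
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.duration_s
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> None:
        """A successful login while locked must still be refused; otherwise reset."""
        st = self._state(user)
        if st.locked_until > now:
            raise PermissionError(f"{user} is locked out")
        st.failures.clear()

    def admin_unlock(self, user: str) -> None:
        st = self._state(user)
        st.locked_until = 0.0
        st.failures.clear()


def pci_findings(policy: LockoutPolicy) -> List[str]:
    """Return the PCI-DSS v3.1 lockout requirements the policy does not meet."""
    findings = []
    if policy.threshold > 6:
        findings.append("8.1.6: lockout threshold must be no more than six attempts")
    if policy.duration_s < 30 * 60:
        findings.append("8.1.7: lockout duration must be at least 30 minutes")
    return findings


if __name__ == "__main__":
    mgr = LockoutManager(LockoutPolicy())
    for t in range(5):
        locked = mgr.record_failure("operator", now=float(t))
    print("locked after 5 failures:", locked)            # True
    print("findings:", pci_findings(LockoutPolicy(threshold=10, duration_s=600)))
```

The reset window matters as much as the threshold: a low threshold with a long reset window is stricter than the same threshold with a short one, because failures accumulate for longer before they expire.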

Encrypt Application Passwords

Application instance passwords are encrypted using an AES algorithm and stored in persistent storage. See "Encrypt Application Passwords" for details on setting the application password.

Configure Web Services Securely

The security your implementation requires will vary depending on the protocols your web traffic supports. See "Securing Communication Services" for information.