This chapter explains the steps necessary to install Oracle Communications Services Gatekeeper securely.
Before you install Services Gatekeeper, review the following security considerations:
To ensure optimal performance by Services Gatekeeper, tune the underlying WebLogic Server to the requirements of your environment. For example, select the appropriate startup mode for your installation.
For information about the default tuning values for WebLogic Server development and production modes, see Oracle Fusion Middleware Performance and Tuning for Oracle WebLogic Server.
Before you set up roles and user privileges, review the security considerations associated with security policies, users, GPRS, and security roles. Set up secure file system access permissions for the Oracle database.
See ”Users, Groups, and Security Roles” in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.
Set up secure processes associated with the various types of user accounts that you create:
Services Gatekeeper Database User
After installing the Oracle database during the pre-installation process, you configure the Services Gatekeeper database user. The Services Gatekeeper database user account is configured with an unlimited quota and has privileges to create sessions and tables.
Safeguard these credentials by recording and protecting them as you would any other administrative password. You reference them during domain configuration. For information, see ”Creating the Database and a Database User” in Services Gatekeeper Multi-tier Installation Guide for details.
Administrator User
Every implementation must have a main administrator user. You create this user when you first configure a domain by entering the user name and password. Record and protect these credentials because the main administrator user has the power to grant or deny access for all other users. Select only trusted users to receive Services Gatekeeper administrator privileges. For information, see ”Managing Management Users and User Groups” in Services Gatekeeper System Administrator's Guide.
Management Users
Management users manage and administer Services Gatekeeper itself. Create as few management users as possible, protect their credentials, and have procedures in place that allow you to quickly remove management users as they are relieved of responsibility.
For information, see ”Managing Management Users and User Groups” in Services Gatekeeper System Administrator's Guide.
Partners and partner groups
The partners and partner groups that use the Partner Portal GUI to create applications from your APIs.
Network Service Suppliers
The network service suppliers (NSSs) that use the NSS Portal to create interfaces that your APIs use.
Partner Manager
The Partner Manager that administers the Partner and API Management Portal GUI that you use to create APIs and manage partners and NSSs. You already selected a new username and password for this first user during installation. If you create more partner manager administrators, use unique usernames and strong passwords
Traffic Users
Traffic users are applications that use application-facing instances to send traffic.
See the discussion on creating and administering users in ”Managing Users and User Groups” in Services Gatekeeper Administrator's Guide at the Services Gatekeeper documentation web site here:
http://docs.oracle.com/cd/E50778_01/doc.60/e50758/adm_mgmtuser.htm#SGADM146
See the Services Gatekeeper API Management Guide for details about the partners, partner managers, and NSS users and how they interact with Services Gatekeeper. This guide is available at the Oracle documentation web site:
Set up a secure system to control the permissions for access to files and to your data. Use password encryption and store the files containing encrypted passwords in a secure location.
Establish a password policy that protects your system from possible intrusion. For information about:
Managing security, see ”Managing Security for Oracle Database Users” in Oracle Database Security Guide.
Authentication security providers in WebLogic Server, see "Configuring Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Follow the steps in Services Gatekeeper Multi-tier Installation Guide to install Services Gatekeeper. However, the port numbers, user name, password, and database SID should be changed from the default values.
You can perform a custom installation or a typical installation. Perform a custom installation to avoid installing options and products you do not need. If you perform a typical installation, remove or disable features that you do not need after the installation.
The Java Management Extension (JMX) operations, administration, and management (OAM) MBeans control access to the Services Gatekeeper OAM functionality. You can change these MBean settings using the Administration Console or through an external mechanism. Access to these MBeans are controlled by JMX Policy, which associates administrative user groups with access privilege levels. By default any administrative user can access and change the Services Gatekeeper OAM MBeans. You may want use the instructions in this section to add more restrictive access control to prevent inadvertent or malicious changes to these MBeans. However, the decision should be based on your implementation's security policies.
Administrative users and groups are set up as described in ”Managing Users and User Groups” in Services Gatekeeper Administrator's Guide. To control how these users have access to MBeans, and thus OAM functionality, you must assign JMX Policy to these user groups. You use WebLogic Server Administration Console to do this. For details see the discussion on managing security policies in Oracle WebLogic Server Administration Console Online Help at:
https://docs.oracle.com/cd/E24329_01/apirefs.1211/e24401/taskhelp/security/ManageSecurityPolicies.html
Each policy can do the following:
Control read access for all an MBean's attributes or for specific attributes that you select.
Control write access for all an MBean's attributes or for specific attributes that you select.
Control invoke access for all an MBean's operations or for specific operations that you select.
For example, to give a user complete access to an MBean, select the WLNG_Administrator's Group in the policy condition.
In addition to controlling access to OAM functionality in a general way – ReadOnly, ReadWrite, and so on – you may also want to control access by Service group. So, for example, if you have users whose job is limited to setting up and managing Application Service Providers through a system using the Partner Relationship Management interfaces, you might want to give them, and only them, ReadWrite privileges, but only to a subset of the available MBeans, those having to do with the operator part of those transactions. To do this, you have to create custom XACML policies to attach to these subsets. Services Gatekeeper uses the standard WebLogic Server mechanisms for this purpose. For the basic process you must:
Determine the special identifier (called the resourceId) for each MBean.
Create an XACML policy for a security role.
Specify one or more Rule elements that define which users, groups, or roles belong to the new security role.
Attach this role to the MBean by way of the resourceId.
For details on using XACML documents to secure WebLogic resources, see "Using XACML Documents to Secure WebLogic Resources" in Oracle WebLogic Server Securing Resources Using Roles and Policies for Oracle WebLogic Server.
For a reference for XACML on WebLogic Server, see ”Reference for XACML on WebLogic Server” in Oracle WebLogic Server Securing Resources Using Roles and Policies for Oracle WebLogic Server.
Your Services Gatekeeper domain is based on Oracle WebLogic Server. For information about:
Possible domain configurations, see ”Configuring the Services Gatekeeper Domain” in Services Gatekeeper Multi-tier Installation Guide.
High availability considerations with respect to WebLogic Server, Oracle database access, and Oracle ASAOA suite, see Oracle Fusion Middleware High Availability Guide.
Clustering, see ”Clustering Best Practices” in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.
Setting security configuration options for the domain, see ”Configuring Security for a WebLogic Domain” in Oracle Fusion Middleware Securing Oracle WebLogic Server.
This section explains security-related tasks that you perform during and immediately after installing Services Gatekeeper, but before you put it into production.
Configure the Default Services Gatekeeper Communication Ports
(UNKNOWN STEP NUMBER) (UNKNOWN STEP NUMBER) Configuring SSL Communication
This section explains how to securely configure communication for the Services Gatekeeper components. The list of ports is different for single-tier and multi-tier implementations. You already configured ports 7002 and 8002 in "Configuring SSL Communication" but they are also listed here for completeness.
Configure your firewalls to block communication between Services Gatekeeper components using any ports not listed in the tables in this section.
Table 2-1 lists the Administration server communication ports that you need to configure.
Table 2-1 Administration Server Default Ports
| Port | Proctocols Used | Required Action | Configure Using... |
|---|---|---|---|
|
7001 |
IIOP, T3, LDAP, SNMP, HTTP |
Disable, because it allows HTTP communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
|
7002 |
IIOPS, T3S, LDAP, HTTPS |
Enable. Specifies HTTPS communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
Table 2-2 lists the Managed server communication ports that you need to configure.
Table 2-2 Managed Server Default Ports
| Port | Protocols Used | Required Action | Configure Using... |
|---|---|---|---|
|
8001 |
IIOP, T3, LDAP, SNMP, HTTP |
Disable, because it allows HTTP communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
|
8002 |
IIOPS, T3S, LDAP, HTTPS |
Enable. Specifies HTTPS communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
|
5060 |
SIP |
Disable or block if unused. |
See your firewall documentation for details. |
|
5061 |
SIPS |
Disable or block if unused. |
See your firewall documentation for details. |
|
8101 |
Coherence |
Disable multicast and configure unicast with different Well Known Addresses (WKAs). |
The CoherenceClusterParamsBean and CoherenceClusterWellKnownAddressesBean parameters. See "Configure Cluster Communication in Oracle Fusion Middleware Administering Clusters for Oracle WebLogic Server at the Oracle documentation web site:
|
A multi-tier implementation requires you to configure the ports in Table 2-1 as well as those in this section.
Table 2-3 lists the Access Tier ports you need to configure.
Table 2-3 Access Tier Default Ports
| Port | Protocol Used | Required Action | Configure Using... |
|---|---|---|---|
|
8001 |
IIOP, T3, LDAP, SNMP, HTTP |
Disable, because it allows HTTP communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
|
7002 |
IIOPS, T3S, LDAP, HTTPS |
Enable. Specifies HTTPS communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
Table 2-4 lists the Network Tier ports you need to configure.
Table 2-4 Network Tier Default Ports
| Port | Protocol Used | Required Action | Configure Using... |
|---|---|---|---|
|
8001 |
IIOP, T3, LDAP, SNMP, HTTP |
Disable, because it allows HTTP communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
|
7002 |
IIOPS, T3S, LDAP, HTTPS |
Enable. Specifies HTTPS communication. |
The Administration Console. Do this at the same time you enable SSL. See "Configuring SSL Communication" for instructions. |
|
8088 or 8086 |
Coherence |
Disable multicast and configure unicast with different Well Known Addresses (WKAs). |
The CoherenceClusterParamsBean and CoherenceClusterWellKnownAddressesBean parameters. See ”Configure Cluster Communication" in Oracle Fusion Middleware Administering Clusters for Oracle WebLogic Server at the Oracle documentation web site:
|
|
16272 |
SMPP |
Block communication. |
See your firewall documentation for details. |
|
5075 |
UCP |
Block communication. |
See your firewall documentation for details. |
Application instance passwords are encrypted using an AES algorithm and stored in persistent storage. By default, the Java Development Kit (JDK) that Services Gatekeeper supports only allows 16-byte encryption. Oracle recommends that you take full advantage of the AES features and use 24- or 32-byte long keys.
You downloaded and installed the Java Cryptography Extension (JCE) during the ”Installing the JDK and JCE” procedure in Services Gatekeeper Getting Started Guide. If not, you can do that now. Then follow the instruction in "Configuring Application Password Encryption" to set a 24- or 32-byte key.
You can encrypt application passwords using the Administration Console, or use the ApplicationInstanceMBean.
If no encryption key is configured, a default encryption key is used. However, the best practice is to use your own 24-byte key.
To configure the encryption key.
Start the Administration Console.
In the Change Center, click Lock and Edit.
Navigate to Security Realms, then your realm name.
Click Providers, then Authentication.
Click WLNG Application Authenticator, then Settings for WLNG Application Authenticator, then Configuration.
Click Provider Specific.
In the Encryption Key field enter your key, and then enter it again in the Please Confirm field.
In the Change Center, click Activate Changes.
For information on the ApplicationInstanceMBean methods and fields, see the "All Classes" section of Services Gatekeeper OAM Java API Reference.
Ensure that you configure the identity and trust store for WebLogic Server securely with SSL. See ”Configuring Identity and Trust” in Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server.
When you create the WebLogic Server domain for Services Gatekeeper, ensure that SSL ports are used for:
The WebLogic Server domain for Services Gatekeeper.
The cluster addresses if you install Services Gatekeeper in a cluster environment
Services Gatekeeper supports the transport level security (TLS) versions that the Java Development Kit (JDK) supports. JDK 8 supports TLS levels 1.1 and 1.2 by default.
You need to configure SSL communication for the Services Gatekeeper Administration server (and set the correct ports):
To Enable SSL on the Administration Server:
Start the Administration Console.
In the Change Center, click Lock and Edit.
Navigate to Environment, then Servers, and then Configuration.
Ensure that the Configuration/General tabs appear.
Select a new SSL Listen Port to use. 7002 is the default.
Select the SSL Listen Port Enabled check box.
Confirm that the (non-SSL) Listen Port Enabled box is not checked.
Navigate to Environment, then Servers, and then Configuration.
Repeat steps 4 through 8 for your remaining Services Gatekeeper servers (server1 is the default).
Click Save.
In the Change Center, click Activate Changes.
For an introduction to configuring SSL in WebLogic, see ”Overview of Configuring SSL in WebLogic” in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server available at the Oracle documentation web site here:
The tasks in this section enable clustered Services Gatekeeper deployments to use SSL for communications. You need to know your server IP addresses and SSL listening ports for this task.
See ”Configure Proxy Plug-ins” in the Fusion Middleware Using Clusters for Oracle WebLogic Server for background.
The examples in this section use this sample clustered environment:
A server1 (302.0.113.113) that includes:
The administration server.
NT1 server
AT1 server
A server2 (302.0.113.114) that includes:
NT2 server
AT2 server
The PRM Portals.
When you installed Server2, you set both server addresses and ports as the backend for the PRM portals.
To configure SSL communication for a clustered deployment:
Follow the instructions in "To Enable SSL on the Administration Server:" to enable SSL communication on all servers.
For each NT and AT server, navigate to Environment, then Clusters, then WLNG_NT_Cluster (or WLNG_AT_Cluster).
Click Configuration, then Replication.
Set Secure Replication Enabled to True.
Click Save.
In the Change Center, click Activate Changes.
Open the Gatekeeper_home/ocsg/applications/clusterProxy.war/WEB-INF/web.xml file for editing.
Define a cluster servlet in the <servlet> element and map it to the PRM API. This example creates a servlet called HttpClusterServlet that connects two AT servers with IP addresses of 203.0.113.113 and 203.0.113.114, that listen on port 8401:
<web-app>
<servlet>
<servlet-name>HttpClusterServlet</servlet-name>
<servlet-class>weblogic.servlet.proxy.HttpClusterServlet</servlet-class>
<init-param>
<param-name>WebLogicCluster</param-name>
<param-value>203.0.113.113:8401|203.0.113.114:8401
</param-value>
</init-param>
<init-param>
<param-name>SecureProxy</param-name>
<param-value>ON</param-value>
<servlet>
<servlet-mapping>
<servlet-name>HttpClusterServlet</servlet-name>
<url-pattern>prm_pm_rest/*>/url-pattern>
</servlet-mapping>
<init-param>
<param-name>Debug</param-name>
<param-value>ON</param-value>
</init-param>
</web-app>
Save and close the file.
Add -Dweblogic.DefaultProtocol=t3s to the Services Gatekeeper start script.
See ”Choosing the WLST Domain Setup Script” in Services Gatekeeper Muli-tier Installation Guide for the list of scripts.
Restart the Services Gatekeeper servers.
Secure the Services Gatekeeper Partner Relationship Management portals by securing the administrative users. See "Administering Partners".
For more information, see ”Security” in Services Gatekeeper Portal Developer's Guide.
A password validator is not required to run Services Gatekeeper. However, it does ensure that your partners and their subscribers adhere to a consistent level of password security. See "(Optional) Adding a Custom Password Validator" in Services Gatekeeper Multi-tier Installation Guide for information about adding custom password validators.
Java Cryptography Extension (JCE) is not required for Services Gatekeeper to run. However, it does relieve web servers from the burden imposed by SSL security. See ”(Optional) Adding Java Cryptography Extensions” in Services Gatekeeper Multi-tier Installation Guide for information about adding JCE.
See "Securing Communication Services" for details on how Services Gatekeeper is protected from malicious attacks, and how to configure those security settings.
Some communication services use tunneled parameters to send information to Services Gatekeeper, which can present a security vulnerability. You can use an interceptor to filter tunneled parameters to control this vulnerability and limit which xparameters can be set by inbound messages. See ”Using Tunneled Parameters” in Services Gatekeeper Security Guide for information on how to configure tunneled parameters securely.