1/10

Contents

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents

1 Services Gatekeeper Security Overview

• Basic Security Considerations
• Overview of Services Gatekeeper Security
• Understanding the Services Gatekeeper Environment
• Recommended Deployment Configurations
• Securing Services Gatekeeper Components
  • Operating System Security
  • Database Security
    • Oracle Databases
    • MySQL Databases
  • WebLogic Server Security
    • Security Considerations for Relational Database Authentication Providers
  • Related Applications Security
  • External Firewall Security
  • Virtual Environments Security

2 Performing a Secure Services Gatekeeper Installation

• Pre-Installation Configuration
  • Ensuring Services Gatekeeper Performance and Security
  • Security Considerations Related to User Privileges
  • Security Considerations Relating to Passwords
• Installing Services Gatekeeper Securely
  • Securing the OAM MBeans
    • Administrative Groups
    • Administrative Service Groups
  • Configuring a Secure Domain for Services Gatekeeper
• Post-Installation Configuration
  • Configure the Default Services Gatekeeper Communication Ports
    • Securing Single-Tier Communication
    • Securing Multi-Tier Communication
  • Encrypt Application Passwords
    • Configuring Application Password Encryption
  • Configuring SSL Communication
  • Configuring Clustered SSL Communication
  • Securing Partner Relationship Management Portals
  • Adding Custom Password Validators
  • Installing Java Cryptography Extension (JCE)
  • Securing Communication with Web-based Applications
  • Using Tunneled Parameters

3 Securing Network Traffic

• Understanding How to Secure Network Traffic
• Configuring Network Traffic Security with ApiFirewallMBean
  • Creating a List of Trusted APIs Using ApiConfigXml
• Implementing Denial-of-Service Attack Protection with ApiFirewall
• Protecting REST APIs with a White List of IP Addresses
• Removing External Entity Reference Security
• Implementing Network Traffic Security for APIs
  • Authenticating Users and Applications
    • Authenticating Applications
    • Authenticating Users

4 Securing Communication Services

• Understanding Communication Services Traffic Security
• Security Considerations for All Communication Services
  • Authorizing Access to Services with Single Sign-On
  • Authorizing Access to Services with SLAs
  • Authenticating and Authorizing Resources with OAuth
• Securing SOAP-Based Communication
  • Setting up UsernameToken with Password Digest (Digest Authentication)
  • Setting up UsernameToken with X.509
  • Removing Outbound Web Security
  • Creating and Using a custom WS-Policy
    • Available default WS-Policies
• Securing RESTful Web Services with SSL
  • Configuring Application-Facing Servers for SSL
    • Enabling and Configuring SSL for Each Application Tier Server
    • Adding Certificates to the Application Tier Servers and Applications
  • Securing Network-Facing Servers With Keystores
• Securing Native Communication Services

5 Administering Services Gatekeeper Securely

• Monitoring Your Services Gatekeeper Implementation
• Backing Up and Restoring Services Gatekeeper Configuration Data
• Security Considerations for Services Gatekeeper System Administrators
• Securing Communication with Service Interceptors
• Administering Partners
  • Setting Up the Partner Relationship Management Portals

6 Deploying Services Gatekeeper in a Demilitarized Zone

• Overview and Recommended Configurations
• Securing Services Gatekeeper Components in the DMZ
  • Securing Traffic Between the Internet and the Access Tier
    • Configuring a Firewall to Protect the Access and Portal Tiers
    • Hardening the Operating System
    • Hardening Oracle Linux 6
    • Hardening Oracle Solaris 11
  • Securing Traffic Between the Access and Portal Tiers
    • Encrypting RMI Traffic Between the Access Tier and the Network Tier
  • Securing Traffic between the Access Tier and the Network Tier
    • Configuring a Firewall Between the ATs/Portals and the NTs
  • Securing the Services Gatekeeper Administration Server
    • Restricting Administration Server to SSL
  • Securing the Database
• Securing OBIEE in Services Gatekeeper
• Securing Node Manager Access to Services Gatekeeper
• Configuring Connection Filters Instead of a Firewalls

7 Securing Services Gatekeeper for PCI-DSS

• Payment Card Industry - Data Security Standard Compliance
  • Understanding Services Gatekeeper Security
• Installing Services Gatekeeper for PCI
  • Change the WebLogic Administrator Name and Use a Secure Password
  • Change the Partner Manager Administrative Username and Use a Secure Password
• Implementing Services Gatekeeper for PCI
  • Protect Services Gatekeeper Components With Firewalls
  • Specify SSL-only Communication
  • Configure the Default Services Gatekeeper Communication Ports
  • Understanding Users, User Groups and their Access to System Components
  • Configure WebLogic Auditing to Monitor All Access to Network Resources
  • Configure User Lockout Features
  • Encrypt Application Passwords
  • Configure Web Services Securely