4 Security Considerations for Developers

This chapter presents planning information for your Oracle Communications Design Studio cartridge development and describes recommended design practices that enhance security.

Secure Variable Values

Define all environment-specific content with model variables. Do not include sensitive model values directly in the design model. Instead, use cartridge model variables as place-holders.

Ensure flag indicating sensitive model and cartridge management variables is used as appropriate (for example, user IDs and passwords). Sensitive variables are obfuscated in the persisted model and redacted in the user interface to protect the actual value.

Use the sensitive flag and SSL connections to secure the configured values.

See "Cartridge Management Security" and Design Studio Help for more information about model variables.

Secure Documentation

The content contained in the cartridge documentation should be considered confidential. This documentation may be exported to a stand-alone document. Access to the exported documentation should employ suitable controls to guard the content. Oracle recommends that highly sensitive information not be placed into the cartridge documentation.

Secure Automation Tasks

The Oracle Communications Order and Service Management (OSM) automated and activation tasks send requests to Oracle Communications ASAP using web services. Web services users are created in a WebLogic credential store by using the OSM credential store administration tool. The OSM automated tasks and activation tasks require the credential map and key.

The credential map and key are specified in the OSM activation task details. To protect the map and key, cartridge variables should be used. The corresponding cartridge variables should be defined with the sensitive data flag enabled.

Custom automation tasks using the automation Java API should use obfuscation for protecting the map and key.

See Order and Service Management System Administrator's Guide for credential store information and ASAP Server Configuration Guide for web service user configuration details.

Secure Reporting

Ensure that you protect model data and report input parameters by using cartridge variables when working with sensitive data. Design Studio reports display cartridge variables in the place of data values when variables are used in report designs.

During report generation, Design Studio does not decode any obfuscated data. Report designers should use the security features available in BIRT to ensure that sensitive input data is not displayed to users.