5 Administering Services Gatekeeper Securely

This chapter explains the tasks required to implement Oracle Communications Services Gatekeeper securely.

Also see the tasks documented in “Securing Services Gatekeeper” in Services Gatekeeper Security Guide for additional information and security tasks.

Monitoring Your Services Gatekeeper Implementation

Services Gatekeeper includes tools that monitor the number of transactions that Services Gatekeeper is processing. You use these tools to calculate usage and group reports, but they can also be valuable for alerting you to denial of service (DoS) attacks, because a sudden, sustained spike in transaction volume is a typical sign of one. For more information, see “Managing and Configuring Statistics and Transaction Licenses” in Services Gatekeeper System Administrator's Guide.

Services Gatekeeper provides a mechanism that alerts you to impending system overload using the Oracle WebLogic Overload Alarms feature.
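The following is an added example, not part of this guide and not the Services Gatekeeper statistics tool or the WebLogic Overload Alarms feature. It shows the kind of check an administrator could run over exported transaction records: count transactions per application in fixed time windows and flag any application whose count exceeds a threshold. The log format, the application IDs, and the threshold are all constructed assumptions.

```python
"""Per-application transaction-rate check used as a simple DoS indicator.

Added illustration only; the record format below is constructed and is not
a Services Gatekeeper log format.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records: "<ISO timestamp> <application id> <service>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 app-1 sms
2024-01-01T10:00:02 app-1 sms
2024-01-01T10:00:02 app-1 sms
2024-01-01T10:00:03 app-1 sms
2024-01-01T10:00:03 app-1 mms
2024-01-01T10:00:04 app-1 sms
2024-01-01T10:00:05 app-1 sms
2024-01-01T10:00:05 app-2 sms
2024-01-01T10:00:40 app-2 sms
2024-01-01T10:01:10 app-1 sms
"""

WINDOW_SECONDS = 60   # assumed window length
THRESHOLD = 5         # assumed transactions per application per window


def parse_record(line):
    """Split one record into (timestamp as aware UTC datetime, app id, service)."""
    ts, app, service = line.split()
    # Timestamps are treated as UTC so that window boundaries are deterministic.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), app, service


def count_per_window(lines, window=WINDOW_SECONDS):
    """Return {(app id, window start epoch seconds): transaction count}."""
    counts = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        ts, app, _service = parse_record(line)
        bucket = int(ts.timestamp()) // window * window
        counts[(app, bucket)] += 1
    return counts


def find_alerts(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return a sorted list of (app id, window start ISO string, count)
    for every application/window whose count exceeds the threshold."""
    alerts = []
    for (app, bucket), n in count_per_window(lines, window).items():
        if n > threshold:
            start = datetime.fromtimestamp(bucket, timezone.utc).isoformat()
            alerts.append((app, start, n))
    return sorted(alerts)


if __name__ == "__main__":
    for app, start, n in find_alerts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {app}: {n} transactions in window starting {start}")
```

In the constructed sample, app-1 sends seven transactions inside the 10:00 window while app-2 sends two, so only app-1 is reported. In practice the threshold would be set per application from its agreed transaction license, which is the figure the statistics tools in the referenced guide report on.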

Backing Up and Restoring Services Gatekeeper Configuration Data

Regular backups are an essential part of a secure Services Gatekeeper implementation. You must configure secure ways to handle the following:

  • Redundancy and failover for clustered services

  • Automatic restart for managed servers

  • Managed server independence mode

  • Automatic migration of failed managed servers

  • Backing up the domain configuration

  • Restarting a failed administration server

  • Restarting failed access and network tier servers

  • Moving an access or network tier server to a different system

For more information, see “Managing, Backing Up, and Restoring Services Gatekeeper” in Services Gatekeeper System Administrator's Guide.

Security Considerations for Services Gatekeeper System Administrators

If you are the system administrator for Services Gatekeeper, consider the security associated with configuring and managing the following:

  • Filtering Tunneled Parameters

  • Securing SOAP-Based Web Services with Web Services Security (WS-Security)

  • Securing RESTful Web Services with SSL

  • Encrypting application passwords

  • Securing Network-Facing Servers With Keystores

  • Securing the OAM MBeans

For more information, see “Securing Services Gatekeeper” in Services Gatekeeper System Administrator's Guide.

Securing Communication with Service Interceptors

Configuring tunneling for a communication service can serve as a “white list” or “black list” that filters parameters. A white list limits communication service messages to only the parameters that you specify (nothing is limited by default). A black list is a list of just the prohibited messages. White lists especially can be quite restrictive and impractical for most communication, but may fit into your security needs. For information about implementing tunneling, see “Using Parameter Tunneling” in Services Gatekeeper Extension Developer's Guide.
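As an added illustration of the difference between the two filtering styles (this is not the Services Gatekeeper parameter tunneling API; the function names, the message dictionary, and the parameter names are assumptions), the example below applies an allow list, a deny list, or no filter to a set of message parameters and reports which parameters were dropped. It goes slightly beyond the paragraph by showing the caveat that matters to an administrator: a deny list only removes names it already knows, so an unexpected parameter passes through it, while an allow list strips it.

```python
"""Allow list / deny list filtering of message parameters.

Added example, not the Services Gatekeeper tunneling implementation.
"""

ALLOW = "allow"   # keep only the listed parameter names
DENY = "deny"     # drop the listed parameter names
# mode None means no filter is configured: nothing is limited by default.

# Constructed sample message parameters (names and values are assumptions).
SAMPLE_PARAMS = {
    "destinationAddress": "tel:+15551230000",
    "message": "hello",
    "senderName": "promo",
    "debugFlag": "1",           # an unexpected parameter the deny list does not know
}


def filter_parameters(params, mode=None, names=()):
    """Return (kept, dropped) dictionaries for the given filter mode."""
    names = frozenset(names)
    if mode is None:
        return dict(params), {}
    if mode == ALLOW:
        kept = {k: v for k, v in params.items() if k in names}
    elif mode == DENY:
        kept = {k: v for k, v in params.items() if k not in names}
    else:
        raise ValueError(f"unknown filter mode: {mode!r}")
    dropped = {k: v for k, v in params.items() if k not in kept}
    return kept, dropped


def check_message(params, mode=None, names=(), reject_on_drop=False):
    """Apply the filter and decide whether to forward the message.

    With reject_on_drop=False the filtered parameters are stripped and the
    message is forwarded; with reject_on_drop=True any dropped parameter
    causes the whole message to be refused. Returns (forward, kept, dropped).
    """
    kept, dropped = filter_parameters(params, mode, names)
    forward = not (reject_on_drop and dropped)
    return forward, kept, dropped


if __name__ == "__main__":
    allow = ["destinationAddress", "message"]
    deny = ["senderName"]
    for label, mode, names in (("none", None, ()), ("allow", ALLOW, allow), ("deny", DENY, deny)):
        forward, kept, dropped = check_message(SAMPLE_PARAMS, mode, names)
        print(f"{label:>5}: forward={forward} kept={sorted(kept)} dropped={sorted(dropped)}")
```

With the allow list, `debugFlag` and `senderName` are removed; with the deny list only `senderName` is removed and the unexpected `debugFlag` reaches the network, which is why the paragraph above describes white lists as the more restrictive but safer option.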

Administering Partners

Your partners use the Partner Manager Portal application to add their services to Services Gatekeeper and to include the network service interfaces created by their network service suppliers. Network service suppliers use the Network Service Supplier application to create the network services interfaces. Partner managers publish or expose these services as APIs. Your partners use the Partner Portal application to create applications with these APIs.

All three roles require secure access control. When partners and network service suppliers log in, the application asks them security questions and authenticates them with secure passwords in order to establish their access privileges. For example, partners are assigned one of the service provider interfaces created for them. These interfaces are administrative user types and must be managed like other administrative users and granted only the access privileges they require.

Configure the required security setup to monitor the accounts being created, to ensure that they are legitimate and allowed access to the Partner Portal, Network Services Supplier, and Partner Manager Portal applications. Ensure that granting, monitoring, and revoking service access is a secure process that takes into account whether the users are internal or external to your organization. For more information, see “Service Provider Interfaces” in Services Gatekeeper Portal Developer's Guide.

Setting Up the Partner Relationship Management Portals

Your service providers use Partner Portal to administer their partner accounts, including granting and revoking service access. The service providers may be internal or external to your organization. Set up Partner Portal and Partner Manager Portal with the security appropriate for your implementation.

Make sure you educate your service providers to:

  • Enable security for communication services.

  • Use the secure interfaces supplied with Services Gatekeeper to communicate with Services Gatekeeper.

  • Use OAuth to manage access to secured resources (such as pictures or secured URLs).

  • Record their Partner Portal credentials somewhere safe.

  • Change their automatically generated application IDs as soon as possible because they are predictable.

For more information, see Services Gatekeeper Portal Developer's Guide.