1 Overview

This chapter provides an overview of Oracle Application Integration Architecture (Oracle AIA) security.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  • Keep software up to date. This includes the latest product release and any patches that apply to it.

  • Limit privileges as much as possible. Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.

  • Monitor system activity. Establish who should access which system components, and how often, and monitor those components.

  • Install software securely. For example, use firewalls, secure protocols (such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL)), and secure passwords. See "Performing a Secure Oracle AIA Installation" for more information.

  • Learn about and use the Oracle AIA security features. See "Implementing Oracle AIA Security" for more information.

  • Use secure development practices. For example, take advantage of existing database security functionality instead of creating your own application security. See "Security Considerations for Developers" for more information.

  • Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the Critical Patch Updates and Security Alerts website:

    http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Overview of Oracle AIA Security

Oracle AIA security is designed to protect product, account, order, and asset data, logs, and interfaces.

Oracle AIA pre-built integrations are built on Oracle Service-Oriented Architecture (SOA) and an infrastructure stack that includes Oracle WebLogic Server and Oracle Database. This stack is secured by default by the WebLogic Server Security Infrastructure.

  • Application security: Access to application modules and artifacts is authenticated using the WebLogic Server authentication framework.

  • Data security: Solution data, including product, account, order, and asset data, is stored in Oracle Metadata Services and SOA schemas in the Oracle Database, which requires database credentials to access.

  • Interface security: Oracle AIA composite service and references (interfaces) are secured by WebLogic Server security policies using Web Services Manager (WSM). Credentials for accessing external systems are configured and stored securely.

  • Application log security: Application log content is configured by users of the WebLogic Server Administrators group. The application distribution, settings and properties, and logs are protected by the user authorization and authentication procedures of the host operating system. Only the user who starts WebLogic Server has access to the files, based on file permissions.

  • Database security: The database credentials are stored securely in Oracle AIA configuration files in the WebLogic Server SOA domain.

Understanding the Oracle AIA Environment

When planning your Oracle AIA implementation, consider the following:

  • Which resources need to be protected?

    • You need to protect customer data, such as credit card numbers.

    • You need to protect internal data, such as confidential proprietary source code.

    • You need to protect system components from being disabled by external attacks or intentional system overloads.

  • Who are you protecting data from?

    For example, you need to protect your subscribers' data from other subscribers, but someone in your organization might need to access that data to manage it. You can analyze your workflows to determine who needs access to the data; for example, it is possible that a system administrator can manage your system components without needing to access the system data.

  • What will happen if protections on strategic resources fail?

    In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource will help you protect it properly.

Recommended Deployment Topology

In the recommended deployment for Oracle AIA, all applications reside on your premises and are protected from attacks by a firewall, which can be configured to block known illegal traffic types. Communication occurs between queues, adapters, and agents.

Figure 1-1 shows an on-premises topology with the following integrated applications:

  • Siebel CRM for customer relationship management and order capture

  • Oracle Communications Order and Service Management (OSM) for order processing and fulfillment

  • Oracle Communications Billing and Revenue Management (BRM) for billing

  • Oracle Communications Pricing Design Center (PDC), Oracle Product Hub, and Oracle Data Integrator for Communications for product and pricing management

Figure 1-1 On-Premises Oracle AIA Topology


Operating System Security

This section describes operating system security topics that are specific to Oracle AIA. Oracle AIA is configured and managed within WebLogic Server, the SOA container, and the SOA Core Extension.

See the documentation for your operating system and for these foundation applications for general information about security.

See the Certifications tab on My Oracle Support for information about required software versions and patches.

Restricting Permissions for Oracle AIA Directories

Oracle recommends keeping the permissions as restrictive as possible for your business needs. When installing on UNIX or Linux, consider using umask 066 to deny read and write permission to all users except the user that installed the software. Oracle AIA creates files in the directories listed in Table 1-1. Examine these directories to ensure they have the appropriate permissions.

Table 1-1 Oracle AIA Directories

| Name | Description |
| --- | --- |
| Fusion Middleware home | The directory in which Oracle Fusion Middleware components are installed. This directory contains the base directory for Oracle WebLogic Server, among other files and directories. |
| Oracle AIA home (COMMS_HOME environment variable) | The directory in which Oracle AIA is installed. This is the comms_home directory within the Oracle base directory. |
| Domain home | The directory that contains the configuration for the domain onto which Oracle AIA is deployed. The default is MW_home/user_projects/domains/domain_name (where MW_home is the Fusion Middleware home and domain_name is the name of the Oracle AIA domain), but it is frequently set to some other directory at installation. |
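The following audit is an added example, not part of Oracle's documentation: it lists entries under one of the directories in Table 1-1 that grant read or write access to group or other, which is what umask 066 is meant to prevent. The function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle code: list entries under an Oracle AIA directory
# whose mode is looser than what umask 066 would have produced.

# Print every non-symlink entry under $1 that grants read or write to group
# or other. Each bit is tested on its own so the test stays POSIX-portable.
aia_loose_perms() {
    find "$1" ! -type l \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# Constructed demo tree standing in for the Oracle AIA home; it is created
# in a temporary directory and removed afterwards.
aia_demo() {
    demo=$(mktemp -d) || return 1
    (
        umask 066    # files become 600, directories 711 (search bit stays)
        mkdir "$demo/comms_home"
        : > "$demo/comms_home/AIAInstallProperties.xml"
    )
    # A file written later under a common default umask of 022 ends up 644.
    ( umask 022; : > "$demo/comms_home/leftover.log" )
    aia_loose_perms "$demo/comms_home"
    rm -rf "$demo"
}

# With an argument, audit that directory; without one, run the demo.
if [ "$#" -gt 0 ]; then
    aia_loose_perms "$1"
else
    aia_demo
fi
```

Directories created under umask 066 still carry the execute (search) bit for group and other, which is why the audit reports only read and write bits.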


Port Security

Oracle AIA communicates over a limited number of ports. Depending on your solution requirements, additional ports may be required, especially if Oracle AIA is deployed to a WebLogic Server cluster.

The types of ports Oracle AIA uses are listed in Table 1-2.

Table 1-2 Oracle AIA Ports

| Port | Port Description |
| --- | --- |
| Administration server port | The default value is 7001, but a different value can be set during domain creation. |
| Administration server SSL port | The default value is 7002, but a different value can be set during domain creation. |
| Node Manager port | The default value is 5556, but a different value can be set during Node Manager configuration. |
| SOA managed server ports | The default value is 8001, but a different value can be set during domain creation. In a clustered deployment, each managed server should have a different port. For example, 8002, 8003, and so on. |
| Oracle HTTP Server port | The default value is 7777, but a different value can be set during Oracle HTTP Server configuration. |
| SOA database port | The default is 1521, but a different value can be set during database creation. |


Oracle Database Security

This section describes database security topics specific to Oracle AIA. For more information about securing Oracle Database, see Oracle Database Security Guide and Oracle Database Advanced Security Guide.

Dependent Schemas

Before creating the WebLogic Server domain, you must create certain database schemas using the Oracle Fusion Middleware Repository Creation Utility (RCU). For information about RCU, see Oracle Fusion Middleware Creating Schemas with the Repository Creation Utility.

WebLogic Server Security

This section contains WebLogic Server security information relevant to Oracle AIA.

For additional information about WebLogic Server security, see Oracle Fusion Middleware Securing a Production Environment for Oracle WebLogic Server and Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.

When planning your WebLogic Server domain installation, keep the following recommendations in mind:

  • Secure the WebLogic Server host: WebLogic Server domain and server configuration files should be accessible only by the operating system users who configure or run WebLogic Server. The AIAInstallProperties.xml and AIAConfigurationProperties.xml files should be readable by the Oracle AIA user. No other operating system user (apart from the system administrators) should have read, write, or execute access to WebLogic Server product files or your domain files.

  • Do not run WebLogic Server in development mode in a production environment: Production mode sets the server to run with settings that are more secure and appropriate for a production environment. For more information about development mode and production mode, see the information about domain modes in Understanding Domain Configuration for Oracle WebLogic Server.

  • Use appropriate encryption: WebLogic Server includes a set of demonstration private keys, digital certificates, and trusted certificate authorities that are for development only; do not use the demonstration identity and trust in a production environment. See the topic on configuring keystores in the Oracle WebLogic Server Administration Console Online Help and the information about configuring SSL in Administering Security for Oracle WebLogic Server for more information about encryption.
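The check below is an added example, not part of Oracle's documentation: it reads a domain's config.xml and reports servers that still use the demonstration keystores and whether production mode is off. It assumes the one-element-per-line layout WebLogic Server writes; the function names and the sample domain are constructed.

```shell
#!/bin/sh
# Added example, not Oracle code: report config.xml settings that conflict
# with the production-mode and demonstration-keystore recommendations.
# Assumes the pretty-printed, one-element-per-line layout WebLogic writes.
wls_config_findings() {
    awk '
    function text(line) {            # text between the first > and next <
        sub(/^[^>]*>/, "", line); sub(/<.*$/, "", line); return line
    }
    /<production-mode-enabled>/ { prod = text($0) }
    /<server>/ { insrv = 1; name = ""; ks = "" }
    insrv && /<name>/ && name == "" { name = text($0) }
    insrv && /<key-stores>/         { ks = text($0) }
    /<\/server>/ {
        # An absent <key-stores> element means the WebLogic default,
        # which is the demonstration identity and trust.
        if (ks == "" || ks ~ /^Demo/) print "DEMO_KEYSTORE " name
        insrv = 0
    }
    END { if (prod != "true") print "NOT_PRODUCTION_MODE" }
    ' "$1"
}

# Constructed sample domain configuration (not from a real installation).
wls_demo() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
<domain>
  <name>aia_domain</name>
  <server>
    <name>AdminServer</name>
    <key-stores>CustomIdentityAndCustomTrust</key-stores>
  </server>
  <server>
    <name>soa_server1</name>
    <listen-port>8001</listen-port>
  </server>
  <production-mode-enabled>false</production-mode-enabled>
</domain>
EOF
    wls_config_findings "$cfg"
    rm -f "$cfg"
}

# With an argument, check that config.xml; without one, run the demo.
if [ "$#" -gt 0 ]; then wls_config_findings "$1"; else wls_demo; fi
```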