4 Performing a Secure ECE Installation

Learn how to create a secure Oracle Communications Elastic Charging Engine (ECE) installation.

About Deploying ECE into a Secure Environment

Deploy ECE into a secure environment. For example, ensure that:

  • ECE is deployed in a closed networked environment in which any public access to the network is denied.

  • All ECE hosts are connected to a single switch or in a parallel switch configuration.

  • No external processes are run on the hosts running ECE and its constituents.

  • Access to the ECE infrastructure is restricted.

You can further harden ECE security by following the instructions in this chapter.

Installing ECE

By default, ECE is installed in a secure mode. ECE uses security measures such as cluster security and host authorization.

When you install ECE, you will be prompted to select your preferred security configuration, such as whether to enable secure socket layer (SSL) configuration. Based on the security configuration you select in the installer, ECE sets parameters in the relevant Oracle Coherence and ECE configuration files for enabling the following security levels:

  • JMX security. Clients require a JMX user name and password to connect to ECE JMX Management servers. For example, Elastic Charging Controller (ECC) can use a JMX user name and password to be authenticated to log in to the cluster.

  • Authorized host list. A process that joins the Coherence cluster will have access to ECE services only if it is running on a host defined in the authorized host list.

  • Coherence node authentication. ECE nodes are required to authenticate themselves when trying to join the Coherence cluster. The node credentials are stored in a key store file that must be deployed on the ECE nodes.

  • SSL encryption (intra-cluster communication). Communication across ECE nodes in the Coherence cluster will be encrypted.

About ECE Security

Access to ECE files is controlled by creating user accounts and groups and granting specific permissions. The file permissions are granted using Linux commands in a Linux shell. After you have created user accounts and groups and set permissions, users can use ECC to manage ECE files. ECC requires that you set up password-less SSH. You use the ECE user, a Linux account, to set up password-less SSH. See "Setting Up and Managing Elastic Charging Engine Security" in BRM System Administrator's Guide.

About Oracle Coherence Security

To restrict access to the ECE Coherence cluster, set up an authorized hosts list. You can optionally enable SSL for intra-cluster communication, in which case you must also enable Well Known Addresses (WKA). See "Setting Up Cluster Security" in BRM System Administrator's Guide.

About Oracle Database Security

If you are using Oracle Database for data persistence, configure Oracle Database advanced security encryption and integrity algorithms for a secure connection from the installer. See the Oracle Database documentation for advanced security configuration parameters. This is required for the ECE installer to make a secured (encrypted) database connection over the network. For more details, see Oracle Database Advanced Security Administrator's Guide.

About Oracle NoSQL Database Security

If you are using Oracle NoSQL Database for data persistence, install Oracle NoSQL Database in a secure location where physical and network access to the store is restricted to trusted users. For this reason, Oracle NoSQL Database's security model is designed to prevent accidental access to the data. It is not designed to prevent malicious access or denial-of-service attacks.

You can access the KVStore and its data in two different ways. Access to data is possible through the Java API. Administrative access is performed by using a command line interface or a browser-based graphical user interface. System administrators use these interfaces to perform the few administrative actions that are required by Oracle NoSQL Database. You can also monitor the store using these interfaces.

About Cluster Security

ECE uses a file-based credentials store or a KeyStore to keep the node credentials that are required to join the cluster and that are used for enabling encryption of cluster communication. The KeyStore is in the ECE_home/oceceserver/config/server.jks file. Although the ECE installer creates a server.jks file, you can create your own if required. If you create your own JKS file, make sure it has very limited permissions so that unauthorized access is not allowed.

ECE uses Oracle wallet to store passwords required to connect to boundary systems such as Oracle Communications Billing and Revenue Management (BRM) and Oracle Communications Pricing Design Center (PDC).

When you install ECE, you enter the following information:

  • The account alias for Coherence cluster security

  • The key password for Coherence cluster security (the password for the alias)

  • The key password for the boundary system alias

  • The password for accessing the KeyStore (the certificate store password)

  • DName details

    The DName value specifies the authorization of users for what they can do regarding cluster security.

    The DName is used for authorization as defined in ECE_home/oceceserver/config/permissions.xml.

See ECE Installation Guide for more information.

About the KeyStore Files and SSL Considerations

ECE maintains the server.jks KeyStore file, which stores credentials for cluster node authentication. The file is also used for encrypting intra-cluster communication over SSL.

KeyStore passwords for SSL are stored by default in the ECE_home/oceceserver/config/charging-coherence-override-secure-prod.xml file. These can, however, be overridden by defining their respective system properties in the ECE_home/oceceserver/config/defaultTuningProfile.properties file.

Note:

Oracle strongly recommends not overriding the default ECE_home/oceceserver/config/charging-coherence-override-secure-prod.xml file.

Installation Settings when SSL Is Enabled

When you select the SSL options during installation, the following are set:

  • In ECE_home/oceceserver/config/ece.properties:

    • tangosol.coherence.override=charging-cache-config-secure-prod.xml

    • The WKA list in the charging-cache-config-secure-prod.xml file

      This should contain the WKA host list provided during the installation.

  • In ECE_home/oceceserver/config/charging-coherence-override-secure-prod.xml:

    • -Dtangosol.coherence.ssl.keypassword=keypassword

    • -Dtangosol.coherence.ssl.storepassword=storepassword

    where keypassword and storepassword are the key and store passwords given during installation.

About Trusted Host Information

The ECE caches contain your subscribers' data. To restrict access to this data, you must specify the machines or processes that you trust and allow to be part of the cluster.

Obtain the IP addresses or host names of all machines or processes that are allowed to access the cluster. Trusted hosts include all of the server machines across which the Coherence cluster is deployed and any other machine that is to be part of the cluster. Include the server machine that runs the Elastic Charging Controller (ECC), and if you use Oracle Enterprise Manager, include the JMX client host running it.

See "Installing Elastic Charging Engine" in ECE Installation Guide for more information.

About JMX Security

JMX security is based on standard Java guidelines, as discussed in "Security" in Java Platform, Standard Edition Java Management Extensions Guide.

For ECE, JMX can be secured by setting the following system parameters:

  • In ECE_home/oceceserver/config/ece.properties:

    com.sun.management.jmxremote.authenticate=true

  • In ECE_home/oceceserver/config/defaultTuningProfile.properties:

    -Dcom.sun.management.jmxremote.password.file=../config/jmxremote.password

The file permission of jmxremote.password must be set to 400; otherwise, Elastic Charging Server nodes will not start up.

ECE bundles a jmxremote.password password file in the ECE_home/oceceserver/config directory. The file contains two default accounts for JMX credentials, as defined in JRE_home/lib/management/jmxremote.password.template:

  • monitorRole with read-only permissions

  • controlRole with read and write permissions

Passwords for these two accounts can be set in the jmxremote.password file bundled in ECE_home/oceceserver/config. If more accounts need to be added, add those accounts in the jmxremote.password file as well. See "Monitoring and Management Using JMX Technology" in Java Platform, Standard Edition Monitoring and Management Guide for more information about using the jmxremote.password file.

Because the JMX passwords are human readable in jmxremote.password, the file permission must be set to 400.

Note:

The jmxremote.password file is used for more than JMX. This file is also used for storing passwords required to authenticate cluster nodes and required to encrypt and decrypt passwords for JMS notification services. See "About Managing External Application Passwords" in BRM System Administrator's Guide for more information.
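
The following shell function, added here as an illustration and not part of the ECE distribution, audits the JMX settings and file modes described in this section. It takes ECE_home as its argument; treating "very limited permissions" on server.jks as owner-only access is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the JMX-related settings and file modes described above.
# ECE_home is passed as $1; the owner-only rule for server.jks is an assumption.

file_mode() {  # print octal permission bits (GNU stat first, then BSD stat)
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

has_line() {   # has_line FILE LITERAL: exact, whole-line, non-comment match
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | tr -d '\r' | grep -Fxq -- "$2"
}

audit_ece_jmx() {
    cfg="$1/oceceserver/config"
    rc=0

    # jmxremote.password must be exactly 400 or the server nodes will not start.
    pw="$cfg/jmxremote.password"
    if [ ! -f "$pw" ]; then
        echo "FAIL: $pw is missing"; rc=1
    elif [ "$(file_mode "$pw")" != "400" ]; then
        echo "FAIL: $pw has mode $(file_mode "$pw"), expected 400"; rc=1
    fi

    # server.jks: no group or other permission bits (assumed meaning of "very limited").
    ks="$cfg/server.jks"
    if [ -f "$ks" ]; then
        case "$(file_mode "$ks")" in
            0|?00) ;;
            *) echo "FAIL: $ks is accessible to group or others"; rc=1 ;;
        esac
    fi

    has_line "$cfg/ece.properties" 'com.sun.management.jmxremote.authenticate=true' ||
        { echo "FAIL: JMX authentication is not enabled in ece.properties"; rc=1; }

    has_line "$cfg/defaultTuningProfile.properties" \
        '-Dcom.sun.management.jmxremote.password.file=../config/jmxremote.password' ||
        { echo "FAIL: password file property not set in defaultTuningProfile.properties"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: JMX settings match the documented values"
    return "$rc"
}
```

A non-zero return status means at least one check failed; each failure is reported on its own line.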

All of the Elastic Charging Controller (ECC) shell commands are JMX aware: if JMX is made secure, you must provide a user name and password with the command that starts ECE services.

If JMX is secured, commands such as start server, and commands that start a single node (start ecs1, start configLoader, and so on), must provide a user name and password. For example:

start server username=controlRole password=password_as_defined

In secured mode, Oracle recommends using the ECC shell in interactive mode (all commands are run within the shell and not as arguments to the ECC script). The ECC command sets the permissions of the file that saves the history of the commands that have been run to 600. This protects against unauthorized access to old commands, which could otherwise be used to retrieve passwords typed on the command line.

In applications such as JConsole, jVisualVM, or other JMX client applications, you must specify the user name and password when a connection is made.

Postinstallation Security Tasks

For the most part, the security information that the Oracle Universal Installer prompts you to enter takes care of the postinstallation steps typically required for security.

After installation, verify the following in the ECE_home/oceceserver/config/permissions.xml file:

  • The principal section has the same DName information as was defined during the installation process for creating the server.jks file.

  • Complete access to all resources is allowed for an authenticated user.

  • If the secure.access.name system property is set, the tangosol.coherence.security system property must be set to true. If the tangosol.coherence.security system property is set to false, the secure.access.name system property should not be set.
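
The last check in the list above can be scripted. This added example (not Oracle-supplied code) assumes the two system properties are set in the files you pass as arguments, in either the name=value or -Dname=value form shown in this chapter; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: enforce the secure.access.name / tangosol.coherence.security rule.
# Assumption: the properties appear in the files given as arguments, written as
# "name=value" or "-Dname=value" (the two forms used in this chapter).

sysprop() {  # sysprop NAME FILE...: print the last value assigned to NAME, if any
    name=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    shift
    # Drop comment lines, strip CRs, split on blanks so each option is on its
    # own line, then keep the value of the last matching assignment.
    cat -- "$@" 2>/dev/null | grep -v '^[[:space:]]*#' | tr -d '\r' |
        tr -s ' \t' '\n' | sed -n "s/^\(-D\)\{0,1\}$name=//p" | tail -n 1
}

check_coherence_security() {
    [ "$#" -gt 0 ] || { echo "usage: check_coherence_security FILE..."; return 2; }
    enabled=$(sysprop tangosol.coherence.security "$@")
    login=$(sysprop secure.access.name "$@")

    # secure.access.name set while the security property is false or unset.
    if [ -n "$login" ] && [ "$enabled" != "true" ]; then
        echo "FAIL: secure.access.name is set but tangosol.coherence.security=${enabled:-unset}"
        return 1
    fi
    if [ "$enabled" = "true" ]; then
        echo "OK: tangosol.coherence.security=true (secure.access.name ${login:+is }${login:-not }set)"
    else
        echo "OK: tangosol.coherence.security is not true and secure.access.name is not set"
    fi
    return 0
}
```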