4 Performing a Secure ECE Installation

Learn how to create a secure Oracle Communications Elastic Charging Engine (ECE) installation.

About Deploying ECE into a Secure Environment

Deploy ECE into a secure environment. For example, ensure that:

  • ECE is deployed in a closed network environment where all public access is denied.

  • All ECE hosts are connected to a single switch or to switches in a parallel configuration.

  • No external processes run on the hosts running ECE and its components.

  • Access to the ECE infrastructure is restricted.

You can further harden ECE security by following the instructions in this chapter.

Installing ECE

By default, ECE is installed in a secure mode. ECE uses security measures such as cluster security and host authorization.

When you install ECE, you are prompted to select your preferred security configuration, such as whether to enable secure socket layer (SSL) configuration. Based on the security configuration you select in the installer, ECE sets parameters in the relevant Oracle Coherence and ECE configuration files for enabling the following security levels:

  • JMX security. Clients require a JMX user name and password to connect to ECE JMX Management servers. For example, Elastic Charging Controller (ECC) can authenticate with a JMX user name and password to log in to the cluster.

  • Authorized host list. A process that joins the Coherence cluster has access to ECE services only if it is running on a host defined in the authorized host list.

  • Coherence node authentication. ECE nodes are required to authenticate themselves when trying to join the Coherence cluster. The node credentials are stored in a KeyStore file that must be deployed on the ECE nodes.

  • SSL encryption (intra-cluster communication). Communication across ECE nodes in the Coherence cluster is encrypted.

About ECE Security

Access to ECE files is controlled by creating user accounts and groups and granting specific permissions. The file permissions are granted using Linux commands in a Linux shell. After you have created user accounts and groups and set permissions, users can use ECC to manage ECE files. ECC requires setting up passwordless SSH. You use the ECE user account—a Linux account—for this purpose. See "Setting Up and Managing Elastic Charging Engine Security" in BRM System Administrator's Guide.

About Enhanced Security for JAR Files

All ECE-related JAR files are digitally signed with a private key to ensure their authenticity and integrity. This also helps detect any modifications to the files before deployment. You can verify the signatures by using the jarsigner utility, provided in the JDK:

    jarsigner -verify -verbose -certs jarName.jar

where jarName is the name of the JAR file.

The expected output is:

    jar verified
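
To run the jarsigner check above over a whole directory of JAR files instead of one file at a time, the following added example (not Oracle code) wraps the same command in a loop and fails if any file does not report "jar verified". The directory argument and the JARSIGNER override variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle code): check every JAR in a directory with jarsigner.
# JARSIGNER is an assumed override hook; it defaults to jarsigner on PATH.

# verify_jars DIR
# Prints "OK <file>" or "FAIL <file>" per JAR. Returns 0 if every JAR verified,
# 1 if any JAR failed, 2 if the directory contains no JARs (likely a wrong path).
verify_jars() {
    vj_seen=0; vj_rc=0
    for vj_jar in "$1"/*.jar; do
        [ -f "$vj_jar" ] || continue
        vj_seen=1
        # Decide on the output text: an unsigned JAR is reported as
        # "jar is unsigned." and must not be treated as a pass.
        vj_out=$("${JARSIGNER:-jarsigner}" -verify -verbose -certs "$vj_jar" 2>&1) || true
        if printf '%s\n' "$vj_out" | grep -q '^jar verified'; then
            echo "OK   $vj_jar"
        else
            echo "FAIL $vj_jar"
            vj_rc=1
        fi
    done
    [ "$vj_seen" -eq 1 ] || { echo "no JAR files in $1" >&2; return 2; }
    return "$vj_rc"
}
```

"jar verified" shows only that the archive matches the certificate embedded in it. The -certs output lists the signer, which should be compared against the certificate you expect the JAR files to be signed with.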

About Oracle Coherence Security

To restrict access to the ECE Coherence cluster, set up an authorized host list. You can optionally enable SSL for intra-cluster communication, in which case you must also enable Well Known Addresses (WKA). See "Setting Up Cluster Security" in BRM System Administrator's Guide.

About Oracle Database Security

If you are using Oracle Database for data persistence, configure Oracle Database advanced security encryption and integrity algorithms for a secure connection from the installer. See the Oracle Database documentation for advanced security configuration parameters. This is required for the ECE installer to make a secure (encrypted) database connection over the network. For more details, see Oracle Database Advanced Security Administrator's Guide.

About Oracle NoSQL Database Security

If you are using Oracle NoSQL Database for data persistence, install Oracle NoSQL Database in a secure location where physical and network access to the store is restricted to trusted users. For this reason, Oracle NoSQL Database's security model is designed to prevent accidental data access. However, it is not designed to prevent malicious access or denial-of-service attacks.

You can access the KVStore and its data either through the Java API or via administrative access, which is performed using a command-line interface or a browser-based graphical user interface. System administrators use these interfaces to perform the few administrative actions that are required by Oracle NoSQL Database. You can also monitor the store using these interfaces.

About Cluster Security

ECE uses a file-based credentials store or a KeyStore to keep node credentials that are required to join the cluster and that are used for enabling encryption of cluster communication. The KeyStore is located at ECE_home/oceceserver/config/server.jks. Although the ECE installer creates a server.jks file, you can create your own if required. If you create your own JKS file, ensure it has restrictive permissions to prevent unauthorized access.

ECE uses an Oracle wallet to store passwords required to connect to boundary systems such as Oracle Communications Billing and Revenue Management (BRM) and Oracle Communications Pricing Design Center (PDC).

When you install ECE, you enter the following information:

  • The account alias for Coherence cluster security

  • The key password for Coherence cluster security (the password for the alias)

  • The key password for the boundary system alias

  • The password for accessing the KeyStore (the certificate store password)

  • DName details

    The DName value specifies user authorizations related to cluster security.

    The DName is used for authorization as defined in ECE_home/oceceserver/config/permissions.xml.

See ECE Installation Guide for more information.

About the KeyStore Files and SSL Considerations

ECE maintains a server.jks KeyStore file that stores credentials for cluster node authentication. The file is also used for encrypting intra-cluster communication over SSL.

KeyStore passwords for SSL are stored by default in ECE_home/oceceserver/config/charging-coherence-override-secure-prod.xml. However, these can be overridden by defining their respective system properties in ECE_home/oceceserver/config/defaultTuningProfile.properties.

Note:

Oracle strongly recommends that you do not override the default ECE_home/oceceserver/config/charging-coherence-override-secure-prod.xml file.

Installation Settings when SSL Is Enabled

When you select the SSL options during installation, the following are set:

  • In ECE_home/oceceserver/config/ece.properties:

    • tangosol.coherence.override=charging-cache-config-secure-prod.xml

    • The WKA list in the charging-cache-config-secure-prod.xml file

      This should contain the WKA host list provided during the installation.

  • In ECE_home/oceceserver/config/charging-coherence-override-secure-prod.xml:

    • -Dtangosol.coherence.ssl.keypassword=keypassword

    • -Dtangosol.coherence.ssl.storepassword=storepassword

    where keypassword and storepassword are the key and store passwords given during installation.

About Trusted Host Information

ECE caches contain subscriber data. To restrict access, specify the machines or processes you trust and allow to be part of the cluster.

Obtain the IP addresses or host names of all machines or processes that are allowed to access the cluster. Trusted hosts include all server machines where the Coherence cluster is deployed and any other machine that is to be part of the cluster. Include the server machine that runs the Elastic Charging Controller (ECC); if you use Oracle Enterprise Manager, also include the JMX client host running it.

See "Installing Elastic Charging Engine" in ECE Installation Guide for more information.

About JMX Security

JMX security is based on standard Java guidelines, as discussed in "Security" in Java Platform, Standard Edition Java Management Extensions Guide.

For ECE, JMX can be secured by setting the following system parameters:

  • In ECE_home/oceceserver/config/ece.properties:

    com.sun.management.jmxremote.authenticate=true

  • In ECE_home/oceceserver/config/defaultTuningProfile.properties:

    -Dcom.sun.management.jmxremote.password.file=../config/jmxremote.password

The file permissions for jmxremote.password must be set to 400; otherwise, Elastic Charging Server nodes will not start.

ECE includes a jmxremote.password file in the ECE_home/oceceserver/config directory, which contains two default accounts for JMX credentials, as defined in JRE_home/lib/management/jmxremote.password.template:

  • monitorRole with read-only permissions

  • controlRole with read and write permissions

Passwords for these accounts can be set in the jmxremote.password file located in ECE_home/oceceserver/config. To add more accounts, simply add them to this file as well. See "Monitoring and Management Using JMX Technology" in Java Platform, Standard Edition Monitoring and Management Guide for more information about using the jmxremote.password file.

Because the JMX passwords are human-readable in jmxremote.password, the file permission must be set to 400.

Note:

The jmxremote.password file is used for more than JMX. This file is also used for storing passwords required to authenticate cluster nodes and required to encrypt and decrypt passwords for JMS notification services. See "About Managing External Application Passwords" in BRM System Administrator's Guide for more information.

All Elastic Charging Controller (ECC) shell commands are JMX-aware. If JMX is secured, you must provide a user name and password when starting ECE services.

If JMX is secured, commands such as start server, and commands that start a single node (for example, start ecs1 or start configLoader), must include a user name and password. For example:

start server username=controlRole password=password_as_defined

In secured mode, Oracle recommends using the ECC shell in interactive mode (all commands are run within the shell rather than as arguments to the ECC script). The ECC command sets the file permissions of the file that saves the history of the commands that have been run to 600. This prevents unauthorized access to previous commands that might include passwords typed on the command line.

In applications such as JConsole, jVisualVM, or other JMX client applications, you must specify the user name and password when a connection is made.

Postinstallation Security Tasks

The Oracle Universal Installer prompts you to enter security information for postinstallation steps typically required for security.

After installation, verify the following in the ECE_home/oceceserver/config/permissions.xml file:

  • The principal section has the same DName information as was defined during the installation process for creating the server.jks file.

  • Full access to all resources is allowed for an authenticated user.

  • If the secure.access.name system property is set, then the tangosol.coherence.security system property must be set to true. If the tangosol.coherence.security system property is set to false, the secure.access.name system property should not be set.
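
The checks described in "About JMX Security", "About Cluster Security", and the list above can be scripted. The following is an added example, not Oracle code, that audits an ECE config directory (ECE_home/oceceserver/config) for the jmxremote.password mode, the server.jks permissions, the JMX authentication setting, and the secure.access.name rule. It assumes GNU stat on Linux, that properties are written as key=value or -Dkey=value as shown in this chapter, and that "restrictive" for server.jks means owner-only access; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle code): audit an ECE config directory after install.
# Assumptions: GNU stat (Linux); properties appear as key=value or -Dkey=value,
# the two forms shown on this page; "restrictive" for server.jks means owner-only.

# prop_value KEY FILE... -> last uncommented value of KEY in the given files.
prop_value() {
    pv_re=$(printf '%s' "$1" | sed 's/\./\\./g'); shift
    cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#' |
        sed 's/[[:space:]]*=[[:space:]]*/=/g' | tr -s ' \t' '\n\n' |
        sed -n "s/^\(-D\)\{0,1\}${pv_re}=//p" | tail -n 1
}

# ece_prop DIR KEY -> value of KEY from the two files this chapter names.
ece_prop() {
    prop_value "$2" "$1/ece.properties" "$1/defaultTuningProfile.properties"
}

ae_bad() { echo "FAIL: $1"; ae_fail=$((ae_fail + 1)); }

# audit_ece CONFIG_DIR -> prints findings; exit status is the failure count.
audit_ece() {
    ae_fail=0

    # jmxremote.password holds readable passwords: mode must be exactly 400.
    ae_mode=$(stat -c %a "$1/jmxremote.password" 2>/dev/null) || ae_mode=missing
    [ "$ae_mode" = 400 ] || ae_bad "jmxremote.password mode $ae_mode, expected 400"

    # server.jks holds node credentials: no group or other permission bits.
    ae_mode=$(stat -c %a "$1/server.jks" 2>/dev/null) || ae_mode=missing
    case $ae_mode in
        [0-7]00) ;;
        *) ae_bad "server.jks mode $ae_mode, expected owner-only" ;;
    esac

    [ "$(ece_prop "$1" com.sun.management.jmxremote.authenticate)" = true ] ||
        ae_bad "com.sun.management.jmxremote.authenticate is not true"

    # secure.access.name may only be set when Coherence security is on.
    if [ -n "$(ece_prop "$1" secure.access.name)" ] &&
       [ "$(ece_prop "$1" tangosol.coherence.security)" != true ]; then
        ae_bad "secure.access.name set but tangosol.coherence.security is not true"
    fi
    return "$ae_fail"
}
```

Call it as audit_ece ECE_home/oceceserver/config; an exit status of 0 means all four checks passed.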