1 Offline Mediation Controller Security Overview

This chapter provides an overview of Oracle Communications Offline Mediation Controller security.

Basic Security Considerations

The following principles are fundamental to using any application securely:

  • Keep software up to date. This includes the latest product release and any patches that apply to it.

  • Limit privileges as much as possible. Give users only as much access as necessary to perform their work. Review user privileges regularly to determine relevance to current work requirements.

  • Monitor system activity. Establish who should access which system components, and how often, and monitor those components.

  • Install software securely. For example, use firewalls, secure protocols such as SSL, and secure passwords.

    See "Performing a Secure Offline Mediation Controller Installation" for more information.

  • Learn and use the Offline Mediation Controller security features. See "Managing Offline Mediation Controller Security".

  • Use secure development practices. For example, configure secure file transfers. See "Distributing Files Securely" for more information.

  • Keep up to date on security information. Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible.

    See Critical Patch Updates, Security Alerts and Bulletins on the Oracle website.

About Offline Mediation Controller Security

Oracle Communications Offline Mediation Controller uses Oracle Unified Directory (OUD), an LDAP database, to store credentials for the users who should be authenticated to use the system. Offline Mediation Controller creates the default password policy for all the users. See the OUD documentation for more information.

Note:

To enable user authentication, always install and configure OUD when you install Offline Mediation Controller.

An OUD Administrator role is created at installation. The Administrator role can perform all operations. Change the Administrator password immediately after installation. Assign the User role to most users.

Offline Mediation Controller uses Secure Sockets Layer (SSL) to secure inter-process communication between applications. SSL enables authentication, data integrity, and data encryption. SSL certificates are stored in a secure Java KeyStore. Oracle recommends using CA-certified certificates in a production environment.

Offline Mediation Controller allows deploying Node Managers on different physical hosts, which are administered through a single Administration Server. All components must run in the same mode: either SSL enabled on every component or SSL disabled on every component.

Note:

Oracle does not recommend running the Administration Server in unauthenticated mode.

About Protecting Data

When planning your Offline Mediation Controller implementation, consider the following:

  • Which resources need to be protected?

    You need to protect internal data, such as network accounting records, which hold the usage information from the network for billing, reporting, and monitoring.

  • Who are you protecting data from?

    For example, the network accounting records carry mediation data with identifiable information. This data should only be accessible to users that have a business need to see it.

  • What will happen if protections on strategic resources fail?

    In some cases, a fault in your security scheme is nothing more than an inconvenience. In other cases, a fault might cause great damage to you or your customers. Understanding the security ramifications of each resource helps you protect it properly.

    If the security of network accounting records is compromised, data can be corrupted, which could lead to revenue leakage. Protecting the network accounting records provides revenue assurance.

Distributing Files Securely

Oracle Communications Offline Mediation Controller can use distribution cartridges to distribute the mediation data as files to either a local directory in the file system or to a remote directory. To distribute files, Offline Mediation Controller can use FTP or SFTP. Make sure you select SFTP to make the file transfer secure.

If you are using the JDBC Distribution Cartridge, the credentials are stored in a JDBC DC configuration file. This file must carry a file permission of 600.
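One way to audit and correct the permission requirement above, as an added example that is not part of the Oracle documentation. The function names are hypothetical, the file path is supplied by the caller because this chapter does not give the file's location, and the refusal to follow symbolic links is an assumption of the example rather than a documented requirement.

```shell
#!/bin/sh
# Added example: check that a credentials file has mode 600
# (read and write for the owner, no access for group or others).
# Usage after sourcing this file: fix_cred_file /path/to/jdbc-dc-config-file

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_cred_file PATH
# Returns 0 if PATH is a regular file with mode 600,
#         1 if it is a regular file with any other mode,
#         2 if it is missing, a symbolic link, or not a regular file.
check_cred_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "SKIP  $f: missing, a symlink, or not a regular file" >&2
        return 2
    fi
    mode=$(file_mode "$f")
    if [ "$mode" = "600" ]; then
        echo "OK    $f: mode 600"
        return 0
    fi
    echo "FAIL  $f: mode $mode, expected 600"
    return 1
}

# fix_cred_file PATH
# Leaves a compliant file alone, sets mode 600 on a non-compliant one,
# then re-checks so the caller sees the final state.
fix_cred_file() {
    f=$1
    rc=0
    check_cred_file "$f" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo "OK    $f: mode 600"; return 0 ;;
        2) echo "SKIP  $f: not changed" >&2; return 2 ;;
    esac
    chmod 600 "$f" && check_cred_file "$f"
}
```

Running check_cred_file from a scheduled job and alerting on a non-zero status catches the mode drifting after a redeployment or a restore from backup.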