1 Overview
Learn about the Oracle Communications Solution Test Automation Platform (STAP) security.
Basic Security Considerations
The following principles are essential for ensuring the secure use of any application:
- Keep software up to date: This includes the latest product release and any patches that apply to it.
- Limit user access or privileges: Users should be given only the access necessary to perform their work. User privileges should be reviewed periodically to determine relevance to current work requirements.
- Monitor system activity: Establish who should access which system components, and how often, and monitor those components.
- Install software securely: For example, use firewalls, secure protocols (such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL)), and secure passwords. See "Securing STAP Deployment" for more information.
- Learn about secure coding guidelines: The Secure-Text Encryption Tool employs AES-192 for encryption and decryption, creating unique keys and initialization vectors for each operation. It ensures the protection of confidential information, such as passwords and OAuth details, in environment configuration files. See "Secure Coding Guidelines for STAP" for more information.
- Ensure secure STAP deployment: Follow the necessary steps to ensure secure deployment for STAP. See "Ensuring a secure STAP deployment" for more information.
- Keep up to date on security information: Oracle regularly issues security-related patch updates and security alerts. You must install all security patches as soon as possible. See the Critical Patch Updates and Security Alerts website:
  http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Overview of STAP Security
STAP security is designed to protect product, account, order, and asset data, as well as logs and interfaces.
- Application security: Access to application modules and artifacts is authenticated using Basic Auth/OAuth.
- Data security: Scenarios, environment data, user information, and reports are secured in an encrypted database.
- Interface security: STAP composite service and references (interfaces) are secured by WebLogic Server security policies using Web Services Manager (WSM). Credentials for accessing external systems are configured and stored securely.
Understanding the STAP Environment
When planning your Oracle STAP implementation, consider the following:
- Which resources need to be protected?
  - Customer data, such as credit card numbers.
  - Internal data, such as confidential proprietary source code.
  - System components from being disabled by external attacks or intentional system overloads.
- Who are you protecting data from?
  Oracle recommends that you do not use any real-world data with STAP. Always use test data which can be generated from STAP or a supported external text generation tool. You can analyze your workflows to determine who needs access to the data; for example, it is possible that a system administrator can manage your system components without needing to access the system data.
- What will happen if protections on strategic resources fail?
  In some cases, a fault in your security scheme is merely an inconvenience. In other cases, it might cause significant damage to you or your customers. Understanding the security implications of each resource will help you protect it properly.
Restricting Permissions for Oracle STAP Directories
Oracle recommends keeping the permissions as restrictive as possible for your business needs. When installing on UNIX or Linux, consider using umask 066 to deny read and write permission to all users except the user who installed the software. Table 1-1 lists the directories in which Oracle STAP creates files. Examine these directories to ensure they have the appropriate permissions.
Table 1-1 Oracle STAP Directories
Name | Description |
---|---|
Fusion Middleware home | The directory in which Oracle Fusion Middleware components are installed. This directory contains the base directory for Oracle WebLogic Server, among other files and directories. |
Oracle STAP home (COMMS_HOME environment variable) | The directory in which Oracle STAP is installed. This is the comms_home directory within the Oracle base directory. |
Domain home | The directory that contains the configuration for the domain onto which Oracle STAP is deployed. The default is MW_home/user_projects/domains/domain_name (where MW_home is the Fusion Middleware home and domain_name is the name of the Oracle STAP domain), but it is frequently set to some other directory at installation. |
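One way to examine the directories in Table 1-1 against the umask 066 baseline is sketched below. This is an added example, not part of Oracle's documentation; the function names and the scratch file names are hypothetical, and the directories to audit are passed as arguments.

```shell
#!/bin/sh
# Added example: list entries that grant read or write to group or other,
# that is, any permission bit that umask 066 would have cleared.
# Under umask 066 new files are created 0600 and new directories 0711,
# so directories stay traversable (execute bit) but are not listable.

# Print every path under "$1" with a group/other read or write bit set.
# Uses only POSIX find syntax (-perm -MODE means "all of these bits set").
audit_stap_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print
}

# Constructed demonstration in a scratch directory: one file created under
# umask 066 and one file left world-readable, as if created under a looser
# umask. Only the second file is reported.
demo_stap_perms() {
    scratch=$(mktemp -d) || return 1
    (
        umask 066
        mkdir "$scratch/domain_home"              # created 0711
        : > "$scratch/domain_home/config.xml"     # created 0600
    )
    : > "$scratch/domain_home/legacy.properties"
    chmod 644 "$scratch/domain_home/legacy.properties"
    audit_stap_perms "$scratch/domain_home"
    rm -rf "$scratch"
}

# Audit each directory named on the command line, for example the
# Fusion Middleware home, "$COMMS_HOME" and the domain home.
for d in "$@"; do
    audit_stap_perms "$d"
done
```

An empty result for a directory means nothing under it is readable or writable by group or other.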
Port Security
STAP communicates over a limited number of ports. Depending on your solution requirements, additional ports may be required, especially if Oracle STAP is deployed to a WebLogic Server cluster.
Table 1-2 lists the types of ports Oracle STAP uses.
Table 1-2 Oracle STAP Ports
Port | Port Description |
---|---|
Administration server port | The default value is 7001, but a different value can be set during domain creation. |
Administration server SSL port | The default value is 7002, but a different value can be set during domain creation. |
Node Manager port | The default value is 5556, but a different value can be set during Node Manager configuration. |
SOA managed server ports | The default value is 8001, but a different value can be set during domain creation. In a clustered deployment, each managed server should have a different port. For example, 8002, 8003, and so on. |
Oracle HTTP Server port | The default value is 7777, but a different value can be set during Oracle HTTP Server configuration. |
SOA database port | The default is 1521, but a different value can be set during database creation. |
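The defaults in Table 1-2 can serve as an allowlist when reviewing which TCP listeners a STAP host exposes. The following is an added example, not part of Oracle's documentation; the function names and the sample `ss` output are constructed, and the port list must be edited to match the values chosen for your domain (including extra managed server ports in a cluster).

```shell
#!/bin/sh
# Added example: report listening TCP ports that are not in the documented
# STAP port list. Defaults are taken from Table 1-2; adjust them if other
# values were set during domain, Node Manager, HTTP Server or database setup.
STAP_ALLOWED_PORTS="7001 7002 5556 8001 7777 1521"

# Read `ss -ltnH` style lines on stdin and print each listening port that is
# not in STAP_ALLOWED_PORTS, one per line, sorted numerically and de-duplicated.
unexpected_listeners() {
    awk -v allowed="$STAP_ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4                  # "Local Address:Port" column
            sub(/.*:/, "", port)       # keep text after the last colon ([::]:8001 -> 8001)
            if (!(port in ok)) print port
        }
    ' | sort -un
}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      50                 *:7001             *:*
LISTEN 0      50              [::]:8001          [::]:*
LISTEN 0      50         127.0.0.1:5556       0.0.0.0:*
LISTEN 0      128          0.0.0.0:9999       0.0.0.0:*
LISTEN 0      50                 *:7002             *:*
EOF
}

# On a live host: ss -ltnH | unexpected_listeners
# With the constructed sample, ports 22 and 9999 are reported.
sample_ss_output | unexpected_listeners
```

Each port reported should either be justified and added to the list or closed at the host or firewall.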