2 Performing a Secure IP Service Activator Installation
This chapter presents planning information for the Oracle Communications IP Service Activator secure installation.
For information about installing and configuring IP Service Activator, see IP Service Activator Installation Guide and IP Service Activator System Administrator's Guide.
Pre-Installation Configuration
You must have at least one dedicated UNIX group and one dedicated user account within that group for IP Service Activator. You must run the Installer as a non-root user. Oracle recommends that the umask for this user be set to 077. An Oracle Database user must be created with no permissions granted to the public user. See IP Service Activator Installation Guide for the set of permissions.
Note:
If you are using the Configuration Template Module, set the additional permissions listed in IP Service Activator Installation Guide.
If you are using the IP Service Activator Web service, you must create a WebLogic domain. Oracle recommends that you always run in production mode with Oracle WebLogic server. If you are running multiple applications, Oracle recommends that you deploy each application to its own managed server.
When the IP Service Activator Web service is deployed in a managed server that is separate from Oracle Communications Order and Service Management (OSM), a Java Message Service (JMS) message-forwarding mechanism is required to enable JMS message delivery between the applications. The Store and Forward (SAF) and IP Service Activator Web Service JMS modules are secured by applying a security policy to them. For more information, see Solution Uptake Guide for MPLS VPN with Ethernet Access.
Installing IP Service Activator Securely
You can install IP Service Activator using a custom installation or a typical installation. Oracle recommends that you do a custom installation to avoid installing components and options that you do not need. To limit your exposure in a production environment, Oracle recommends that you do not install unused options, components, or sample files.
Secure File System Access
Access to files that are created during installation is limited to the owner. IP Service Activator does not allow installation, and issues a warning, if the installation is attempted by a user that has root access.
File Permissions
The following are the default permissions set for the installed files:
- rw-,r--,--- 640 (for all library files)
- rwx,r-x,--- 750 (for all executable files)
- rwx,rwx,--- 770 (for all directories)
Default permissions are set to the lowest possible level. Oracle recommends keeping the permissions as restrictive as possible, as per your business needs.
Oracle recommends that the WebLogic Server installation user and the IP Service Activator application installation user share the same group and the same user ID.
IP Service Activator uses the umask of 039 for auto-generated files (for example, log files), which is explicitly set in all scripts.
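As an added check, not part of Oracle's installer or of this guide, the following POSIX shell script walks an installation root (assumed to be passed as its first argument) and reports every file or directory that is more permissive than the 640/750/770 defaults listed above, including anything that grants access to "other" or carries a setuid/setgid/sticky bit:

```shell
#!/bin/sh
# Audit an installed tree against the default permissions above:
# 640 for library files, 750 for executables, 770 for directories.
# Added example, not Oracle's script; the install root is assumed to be $1.
# Prints one line per path that is more permissive than its default.

perm_string() {
    # Portable symbolic mode (e.g. -rw-r-----) from the first ls -ld column.
    ls -ld -- "$1" | cut -c1-10
}

audit_path() {
    mode=$(perm_string "$1")
    kind=$(printf '%s' "$mode" | cut -c1)
    u=$(printf '%s' "$mode" | cut -c2-4)
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    reasons=""
    # Neither 640, 750 nor 770 grants anything to "other".
    [ "$o" != "---" ] && reasons="$reasons world-accessible($o)"
    # setuid, setgid and sticky bits never appear in the defaults.
    case "$u$g$o" in *[sStT]*) reasons="$reasons setuid/setgid/sticky";; esac
    if [ "$kind" = "-" ]; then
        # Files: no group write; a file without owner execute is a
        # library (640), so group execute is excess for it as well.
        case "$g" in ?w?) reasons="$reasons group-writable";; esac
        case "$u$g" in ??-??x) reasons="$reasons group-executable-data-file";; esac
    fi
    [ -n "$reasons" ] && printf '%s:%s\n' "$1" "$reasons"
    return 0
}

audit_tree() {
    # Regular files and directories only; symlink modes are meaningless here.
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r p; do
        audit_path "$p"
    done
}

if [ $# -eq 1 ]; then
    audit_tree "$1"
fi
```

Run it as the installation user after the installer finishes and again after any upgrade; an empty report means nothing in the tree exceeds the defaults.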
Protect the WebLogic configuration (JMS, JDBC, and so on) file, config.xml, with the proper permissions. This file is located in the configuration directory of the domain.
The WebLogic Datasource passwords are encrypted using the Oracle-recommended 3AES algorithm and are stored in the WebLogic server configuration files.
Strong Passwords
Oracle recommends having strong password policies for IP Service Activator users and WebLogic Server and Oracle Database schema users. Oracle recommends the following:
- A password length between 6 and 24 characters
- A password containing at least one alphabetic, one numeric, and one special character. For example: WebLogic@123.
- That the user name not be part of the password
- Additional IP Service Activator policies that must be configured using the client:
  - The IP Service Activator user's password should expire every 28 days.
  - The IP Service Activator user's password cannot be the same as any of the previous six passwords.
  - The IP Service Activator user's account is disabled after six login failures.
Oracle WebLogic Server Configurations
After you create the WebLogic Server domain for IP Service Activator, start the Admin Server by running the following command:
startManagedServer.sh ManagedServer_1 t3s://Hostname:Port
where ManagedServer_1 is the name of the first managed server, Hostname is the host name of the Admin Server, and Port is the Admin Server's SSL listen port. The t3s scheme makes the managed server contact the Admin Server over SSL/TLS rather than plain t3. For more information about configuring WebLogic, see the WebLogic documentation.
Post-Installation Tasks
IP Service Activator communicates over CORBA. To control access for CORBA connections, see "CORBA ORB Configuration for IP Service Activator" in IP Service Activator Installation Guide.
IP Service Activator comes with a predefined user account: admin. Oracle recommends that, immediately after you install IP Service Activator, you start the client and change the default password for the admin user. Oracle recommends that you create a new SuperUser and delete the admin user.