2 Security Shield Transport Layer Security

Communications among the Session Border Controller (SBC), Cloud Communication Service (CCS), and the Oracle Communications Security Shield Cloud Service (Security Shield) cloud components, and between the Security Shield cloud components and the Cloud Analytics service in Oracle Cloud Infrastructure (OCI) and external data sources, occur through the REST API and are protected by Transport Layer Security (TLS). The Security Shield service uses only TLS 1.2, together with the recommended cipher suites listed below.

On-Premises TLS Connections

The Security Shield service supports the following ciphers for on-premises TLS connections, which include the TLS connections between the CCS and the Security Shield and between the CCS and the SBC:
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES256-GCM-SHA384

Cloud Services TLS Connections

The Security Shield service supports the following ciphers for TLS connections with the Security Shield cloud services, which include the TLS connections between the CCS and the OCSS cloud and between the CCS and the CCS Agent:
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384

TLS Server Certificate Requirements

  • Certificate keys must be at least 2048 bits for RSA or 256 bits for ECDSA.
  • Use only a strong hash algorithm (SHA256 or stronger) for the certificate signature.
  • Rotate the server certificate routinely (at least yearly).
  • Ensure that the DigiCert Intermediate CA (DigiCert Global G2), using SHA256 with RSA, signs the Oracle server certificates.
  • Ensure that a trusted commercial CA signs the CCS server certificate facing the Security Shield cloud. Oracle ships Java SE 11 with the list of root CAs that Oracle trusts.
  • Oracle recommends that either an internal CA or a commercial CA, per your security policy, signs the CCS server certificate facing the Security Shield and the SBC server certificate.
  • Ensure that you do not use any self-signed server certificates.
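The following is an added example, not Oracle's code, showing how the two cipher lists and the certificate rules above can be turned into a local compliance check with Python's standard ssl module: one context per connection type pinned to TLS 1.2 and the listed suites, plus an audit of a completed handshake's negotiated cipher and peer certificate. The sample certificate dictionary, the scope names "on-prem" and "cloud", and the 366-day reading of "yearly" are assumptions; key size and signature hash are not exposed by getpeercert(), so those two rules still need a certificate parser.

```python
import ssl

# Cipher suites listed on the page for each connection type.
ON_PREM_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256", "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
]
CLOUD_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"]
MAX_VALIDITY_DAYS = 366  # assumed reading of the page's "yearly or less" rotation

SAMPLE_CERT = {  # constructed sample in getpeercert() layout, not a real certificate
    "subject": ((("commonName", "ccs.example.internal"),),),
    "issuer": ((("commonName", "Example Internal Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def make_context(scope):
    # Client context pinned to TLS 1.2 only, with the page's cipher list for scope.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # neither TLS 1.3 nor anything older
    ctx.set_ciphers(":".join(ON_PREM_CIPHERS if scope == "on-prem" else CLOUD_CIPHERS))
    return ctx

def enabled_tls12_ciphers(ctx):
    """TLS 1.2 suites the local OpenSSL build actually enabled for ctx."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]

def _rdn_value(rdns, key):
    # Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples.
    return next((v for rdn in rdns for k, v in rdn if k == key), "")

def audit_session(cipher, peercert, scope, oracle_endpoint=False):
    """Policy findings for one handshake: cipher is SSLSocket.cipher()'s (name, protocol,
    bits) tuple, peercert the getpeercert() dict, oracle_endpoint the Security Shield side."""
    findings = []
    name, proto, _bits = cipher
    if proto != "TLSv1.2":
        findings.append(f"protocol {proto} is not TLS 1.2")
    if name not in (ON_PREM_CIPHERS if scope == "on-prem" else CLOUD_CIPHERS):
        findings.append(f"cipher {name} not in {scope} list")
    if peercert["subject"] == peercert["issuer"]:
        findings.append("server certificate is self-signed")
    days = (ssl.cert_time_to_seconds(peercert["notAfter"])
            - ssl.cert_time_to_seconds(peercert["notBefore"])) / 86400
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {days:.0f} days exceeds yearly rotation")
    if oracle_endpoint and "DigiCert Global G2" not in _rdn_value(peercert["issuer"], "commonName"):
        findings.append("Oracle server certificate is not issued by DigiCert Global G2")
    return findings
```

Comparing enabled_tls12_ciphers() against the page's list before rollout shows whether the local OpenSSL build can actually negotiate every listed suite.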

Note:

Oracle ships the CCS Docker image with the Oracle CA (SHA-256 DigiCert Public Root and Intermediate CA certificates).