This information provides an overview about security for the Oracle Communications Indexing and Search Service (ISS) product. It also provides links to security topics that provide more indepth information for configuring and administering ISS security.
For an overview of the product, see Introducing Indexing and Search Service. For information on general security principals, such as security methods, common security threats, and analyzing your security needs, see Designing for Security. For an overview of operating system security, see Oracle Solaris Security for System Administrators.
Topics in this section:
This section outlines the planning process for a secure installation and describes several recommended deployment topologies for the systems.
To better understand your security needs, ask yourself the following questions:
- Which resources am I protecting?
In an ISS production environment, consider which of the following resources you want to protect and what level of security you must provide:
- Web host (runs ISS search services)
- Index host (runs ISS indexing services)
- Dependent resources, such as GlassFish Server, Directory Server, and Messaging Server
- From whom am I protecting the resources?
In general, resources must be protected from everyone on the Internet. But should the ISS deployment be protected from employees on the intranet in your enterprise? Should your employees have access to all resources within the GlassFish Server environment? Should the system administrators have access to all resources? Should the system administrators be able to access all data? You might consider giving access to highly confidential data or strategic resources to only a few well trusted system administrators. On the other hand, perhaps it would be best to allow no system administrators access to the data or resources.
- What will happen if the protections on strategic resources fail?
In some cases, a fault in your security scheme is easily detected and considered nothing more than an inconvenience. In other cases, a fault might cause great damage to companies or individual clients that use ISS. Understanding the security ramifications of each resource help you protect it properly.
You can deploy ISS on a single host or on multiple hosts, splitting up the components into multiple web and index hosts. For more information, see the following information:
- Indexing and Search Service Deployment Planning
- Developing a Communications Suite Logical Architecture.
The general architectural recommendation is to use the well-known and generally accepted Internet-Firewall-DMZ-Firewall-Intranet architecture. For more information on addressing network infrastructure concerns, see Determining Your Communications Suite Network Infrastructure Needs.
ISS is deployed within GlassFish Server. For information on how to install and configure GlassFish Server, see Installation Scenario - GlassFish Server. To operate GlassFish Server in secure mode, see Secure Administration Overview. For more information, see Oracle GlassFish Server 2.1.1 Security Guide. For more information on handling GlassFish SSL certificates, see Administering JSSE Certificates.
ISS requires GlassFish Message Queue. When you set up GlassFish Message Queue, you must:
- Create a Message Queue user on the Messaging Server host. Use an appropriate password for this user. See Preparing Messaging Server for Indexing and Search Service Integration for more information.
- Reset the default passwords for the Message Queue administrative accounts on the ISS host. See Configure GlassFish Message Queue 4.4u1 on the ISS Host for more info.
The installation prompts for authentication credentials for the following:
- Messaging Server read-only message store administrator (store.indexeradmin)
- Message Queue broker handling Messaging Server notifications (user account)
- ISS Message Queue broker (user and administrator accounts)
- Directory Server manager (bind DN and password)
The following procedure describes how to enable Secure Sockets Layer (SSL) from ISS components to the User/Group Directory Server.
Import the certificate for the User/Group Directory Server to the operating system before running the ISS setup command. Otherwise, the setup command fails when trying to verify Messaging Server parameters.
- On the User/Group Directory Server, use the dsadm command to display the certificate.
- Copy the user-group1.cert file to the ISS machine.
- Use the certutil command to import the certificate.
On Red Hat Linux, you need to create the /var/ldap directory.
- When running the setup command to configure ISS, set the following option and adjust the port.
- (Optional) If you are using a list of User/Group Directory Servers for mail.ldap, repeat for each server in the list.
- To enable Secure Sockets Layer/Transport Layer Security (SSL/TLS)s between the ISS indexing node and the Messaging Server IMAP server, set the following options when running the setup command to configure ISS:
If necessary, you can change these values later by editing the iss-dir/etc/jiss.conf file. If you do edit the jiss.conf file, you need to restart the ISS indexing services by using the iss-dir/bin/svc_control.sh command.
To configure Convergence to access ISS, see Convergence Administrative Tasks. If you want a secure connection between Convergence and ISS, set the Convergence ISS.enablessl parameter to true, for example:
Correspondingly, you must also set the port number (ISS.port) to the SSL port number.
To configure the security protocol used by the IMAP connection to the Messaging Server, configure either the --protocol ssl or --protocol tls option. See Indexing and Search Service Command-Line Utilities for more information.
When uninstalling the ISS software, you also need to remove the indexing data that was created by ISS. The following steps describe how to uninstall ISS:
- Run the setup -u command.
- Remove all ISS generated data by running the iss-dir/bin/scrub_index.sh -r script.
Removing the data could take a long time, depending on the size of the index.
- Remove the ISS package (Solaris) or RPM (Red Hat Linux).
Topics in this section:
ISS enables users to read their own files in the Messaging Server message store, but not other users' files. To search mail in the ISS store, users need to authenticate to LDAP to be able to use the RESTful web service. For more information, see ISS Security and Authentication.
Starting with version 220.127.116.11.0, ISS stores passwords in the Java KeyStore. Use the jks utility to set, maintain, and retrieve password values. To refresh the keystore after adding or changing a password value, use the issadmin.sh --refresh command. For more information, see Java KeyStore for Indexing and Search Service.