IBM WebSphere IP Multimedia Subsystem Connector, Version 6.2

Security considerations

Diameter Enabler uses the security provided by WebSphere® Application Server Network Deployment. You should consider securing access to the various Diameter Enabler Web services, J2EE access to the internal Diameter Enabler infrastructure, security on connections, and end-to-end security for messages.

Application level security

Application security can be enabled or disabled for each Web service application. Because Diameter Enabler implements an AAA protocol, it is recommended that these Web services be secured. You should enable WebSphere Application Server security for the Rf accounting Web service, the Ro online charging Web service, and the Sh subscriber profile Web service.

Once they are secured, any call to a Web service provided by Diameter Enabler must include the WebSphere Application Server principal and credentials.

Diameter Enabler uses basic authentication to protect its Web services. Basic authentication only encodes the credentials; it does not encrypt them. It is recommended that you use Secure Sockets Layer (SSL)/Transport Layer Security (TLS) on your HTTP transport chains if you want your Web service calls, and the credentials they carry, encrypted.
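The following client-side helper is an added illustration of the two points above, not code from the IBM product: it attaches the WebSphere principal and credentials as HTTP basic authentication, but only when the endpoint URL uses HTTPS, and it shows why that restriction matters by decoding the header back into the original credentials, which is all an observer on an unencrypted transport chain would need to do. The endpoint URL, principal, password and SOAP body are constructed placeholders.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit


def make_tls_context():
    """TLS client context that verifies the server certificate and host name,
    so the credentials are only released to an authenticated endpoint."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_service_request(url, principal, password, body):
    """Prepare a POST to a Diameter Enabler Web service endpoint (the URL is an
    assumption) carrying the WebSphere principal and credentials as basic auth.
    Plain http:// is refused: basic auth is base64, which anyone can reverse."""
    if urlsplit(url).scheme != "https":
        raise ValueError("basic authentication must only be sent over TLS: %s" % url)
    token = base64.b64encode(("%s:%s" % (principal, password)).encode("utf-8")).decode("ascii")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "text/xml; charset=utf-8")
    return req


def credentials_from_header(header_value):
    """What anyone able to read the HTTP request (a proxy, a capture on a
    non-TLS transport chain) recovers from the Authorization header."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not basic authentication")
    user, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return user, pwd


def send(req, timeout=10):
    """Send a prepared request over a verifying TLS context. Needs a reachable
    endpoint, so it is not executed in the demonstration below."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=make_tls_context()))
    with opener.open(req, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed sample values; the path is a placeholder, not a product endpoint.
    req = build_service_request("https://ims.example.invalid/services/Rf",
                                "rfclient", "s3cret", b"<soapenv:Envelope/>")
    print(req.get_header("Authorization"))
    print(credentials_from_header(req.get_header("Authorization")))
```

The decode step is the practical check: if a transport chain without SSL/TLS is ever used for these services, the principal and password are readable by every hop between client and server, so the `https` guard belongs in the client, not only in the server configuration.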

J2EE Access to internal Diameter Enabler infrastructure

Install the Diameter Web services (Rf, Ro, and Sh) on the same server as the Diameter Enabler base.

For a secure system, you should not install applications unless you are certain of their origin. Diameter Enabler extends the Channel Framework Architecture of WebSphere Application Server, so any application or plug-in installed in WebSphere Application Server can access the Diameter Enabler connections.

A rogue application could potentially bring up or down any of the Diameter Enabler connections, thus affecting the applications that use the connections. Therefore, an IMS™ Application Server application should not be installed on the same application server as the Rf accounting Web service, Ro online charging Web service, or Sh subscriber profile Web service.

Connections

You can use Transport Layer Security (TLS) or another security mechanism to create secure connections. TLS authenticates the client and server using certificates and encrypts the packets sent over the connection. If TLS is disabled, the connection must be secured with IPsec or by isolating your network so that it does not require transport or network layer security. Enabling TLS may affect performance.

Messages

A Diameter packet might pass through several hops to reach its final destination. At each hop in the path, the packet is decrypted and can be read by the device that receives it. The base Diameter protocol (RFC 3588) does not provide end-to-end security. If your application requires end-to-end security, establish a direct connection between the client and server and use transport layer security or IPsec for that connection.
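To make the hop-by-hop point concrete, the following added example (not IBM code) encodes a small Diameter Accounting-Request using the RFC 3588 header and AVP layout, then walks it through a simplified chain of relay agents. Each relay receives the message after the previous hop's TLS layer has been removed, so it parses every AVP in the clear; it then forwards the message with its own Hop-by-Hop Identifier while leaving the End-to-End Identifier untouched. The host name, identifiers and AVP values are constructed sample data, and the relay model is an assumption that omits details such as the Route-Record AVP a real relay appends.

```python
import struct

DIAMETER_HEADER_LEN = 20
AVP_HEADER_LEN = 8
CMD_ACCOUNTING_REQUEST = 271   # ACR command code, RFC 3588
APP_ID_BASE_ACCOUNTING = 3     # Diameter base accounting application id

# RFC 3588 AVP codes used by the constructed sample message
AVP_NAMES = {263: "Session-Id", 264: "Origin-Host", 480: "Accounting-Record-Type"}


def _pad4(n):
    return (n + 3) & ~3


def build_avp(code, data, mandatory=True):
    """Encode one AVP without vendor id: code, flags, 3-byte length, data, padding."""
    flags = 0x40 if mandatory else 0x00
    header = struct.pack("!I", code) + bytes([flags]) + (AVP_HEADER_LEN + len(data)).to_bytes(3, "big")
    body = header + data
    return body + b"\x00" * (_pad4(len(body)) - len(body))


def build_message(command_code, app_id, hop_by_hop, end_to_end, avps, request=True):
    """Encode a Diameter message: 20-byte header followed by the AVPs."""
    payload = b"".join(avps)
    length = DIAMETER_HEADER_LEN + len(payload)
    header = (bytes([1]) + length.to_bytes(3, "big")
              + bytes([0x80 if request else 0x00]) + command_code.to_bytes(3, "big")
              + struct.pack("!III", app_id, hop_by_hop, end_to_end))
    return header + payload


def parse_message(raw):
    """Decode header and AVPs: exactly what any node holding the plaintext sees."""
    if len(raw) < DIAMETER_HEADER_LEN or raw[0] != 1:
        raise ValueError("not a Diameter version 1 message")
    length = int.from_bytes(raw[1:4], "big")
    if length != len(raw):
        raise ValueError("message length field does not match buffer")
    command_code = int.from_bytes(raw[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", raw[8:20])
    avps, pos = [], DIAMETER_HEADER_LEN
    while pos < length:
        if pos + AVP_HEADER_LEN > length:
            raise ValueError("truncated AVP header")
        code = struct.unpack("!I", raw[pos:pos + 4])[0]
        aflags = raw[pos + 4]
        alen = int.from_bytes(raw[pos + 5:pos + 8], "big")
        if alen < AVP_HEADER_LEN or pos + alen > length:
            raise ValueError("bad AVP length")
        data_start = pos + AVP_HEADER_LEN
        vendor_id = None
        if aflags & 0x80:  # V bit: a 4-byte Vendor-ID follows the AVP header
            if alen < AVP_HEADER_LEN + 4:
                raise ValueError("vendor AVP too short")
            vendor_id = struct.unpack("!I", raw[data_start:data_start + 4])[0]
            data_start += 4
        avps.append({"code": code, "name": AVP_NAMES.get(code, str(code)),
                     "mandatory": bool(aflags & 0x40), "vendor_id": vendor_id,
                     "data": raw[data_start:pos + alen]})
        pos += _pad4(alen)  # AVPs are aligned to 4-byte boundaries
    return {"request": bool(raw[4] & 0x80), "command_code": command_code,
            "application_id": app_id, "hop_by_hop": hop_by_hop,
            "end_to_end": end_to_end, "avps": avps}


def relay_forward(raw, local_hop_by_hop):
    """Simplified relay agent (an assumption for this example). The message
    arrived over the previous hop's TLS session, so the relay holds plaintext and
    can read every AVP. It forwards the message with its own Hop-by-Hop Identifier;
    the End-to-End Identifier, which agents must not modify, stays as it was."""
    visible = parse_message(raw)
    forwarded = raw[:12] + struct.pack("!I", local_hop_by_hop) + raw[16:]
    return forwarded, visible


def trace_path(raw, hop_ids):
    """Walk the message through a chain of relays; per hop, record the hop-by-hop
    and end-to-end identifiers plus the Session-Id the relay could read."""
    seen = []
    for hop_id in hop_ids:
        raw, visible = relay_forward(raw, hop_id)
        session = next(a["data"] for a in visible["avps"] if a["name"] == "Session-Id")
        seen.append((visible["hop_by_hop"], visible["end_to_end"], session))
    return seen


def sample_accounting_request():
    """Constructed ACR from an assumed client host; sample data, not a capture."""
    avps = [build_avp(263, b"client.example.com;1;1"),
            build_avp(264, b"client.example.com"),
            build_avp(480, struct.pack("!I", 1))]  # 1 = EVENT_RECORD
    return build_message(CMD_ACCOUNTING_REQUEST, APP_ID_BASE_ACCOUNTING,
                         0x10000001, 0x5A5A0001, avps)


if __name__ == "__main__":
    for hop in trace_path(sample_accounting_request(), [0x20000001, 0x30000001]):
        print("hop-by-hop %08x  end-to-end %08x  Session-Id %r" % hop)
```

The trace shows the same Session-Id and Origin-Host readable at every relay, which is what "the packet is decrypted at each hop" means in practice: TLS on each connection protects the wire between two adjacent nodes, and only a direct client-to-server connection keeps intermediate agents out of the AVPs.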

(C) Copyright IBM Corporation 2009. All Rights Reserved.