IBM WebSphere Telecom Web Services Server, Version 7.1

General considerations for setting up security

Refer to these general considerations to achieve the most efficient and secure use of Telecom Web Services Server.

When planning security for Telecom Web Services Server, consider the following:

Note: When WebSphere Application Server global security is disabled, requests to Telecom Web Services Server are processed under the "unauthenticated" user identity rather than as a named user.

Common user registry

If you enable security but do not use the Trust Association Interceptor (TAI), then you must use an LDAP directory server, such as IBM Directory Server, to define a common user registry for the Service Platform components, the Access Gateway, and the Service Policy Manager.

The Access Gateway acts as a point of authentication, so it requires a user registry. For authentication to work properly, the following are strongly recommended:
  • The Access Gateway must share a common user registry with the Service Platform components.
  • Single sign-on certificates must be established between the Access Gateway server and the server that houses the Service Platform components. Refer to the WebSphere Application Server information center for information about configuring certificates for single sign-on.

Users and user roles

The following users are required when you deploy WebSphere Telecom Web Services Server.

The Telecom Web Services Server services require that requesters be authenticated. Every user you define is authenticated at the Access Gateway before that user's requests are passed to the individual services.

Considerations for the Access Gateway

The Access Gateway supports standard WebSphere Application Server security features. Access Gateway supports Web services security capabilities to the level supported by the underlying WebSphere ESB and WebSphere Application Server. For a secure environment, both application security and administrative security must be enabled. Web services security is intended to be applied between third parties and the Access Gateway exported flows. The WebSphere Enterprise Service Bus information center has instructions for enabling Web services security.

The Access Gateway acts as the authentication point for Web service access to the IMS network. The assumption is that the Web services reside in the trusted network. When the Access Gateway passes requests to Web services, it includes header information in the HTTP request. The Access Gateway must be able to front converged HTTP and SIP Web service requests for SIP service implementations, which requires support for the session affinity model.

WebSphere ESB version 6.2.0.2 or 7.0.0.1 does not support propagation of session information. The Access Gateway provides an extension to the platform that allows HTTP information to be propagated. This propagation capability is only a conduit; it does not validate or transform what it carries. Access Gateway instances are intended to be stateless, so any failover handling falls to the requesting client application.

The Web service implementations run with security disabled, and they rely on asserted identities to pass security credentials between the secured Access Gateway and the trusted Web services. Because an asserted identity is accepted without re-authentication, this design depends on the network between the Access Gateway and the Web services being trusted; if that assumption does not hold, enable transport-level security (SSL or IPSec) on that hop.

Single sign-on certificates are used for transactions between the Access Gateway and the Service Platform components. This makes it possible for the Access Gateway to pass requests to the Service Platform components without authentication credentials, which is the recommended approach.
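The following is an added example, not IBM code from this product, that models the Access Gateway-to-Web-service hop described above: the gateway authenticates the third-party caller against the shared registry, strips any assertion the caller tried to supply, and forwards the request with an asserted identity, while the back-end service (running with security disabled) honors that assertion only when the request arrives from a trusted gateway peer. The header name, addresses, and credentials are assumptions constructed for illustration.

```python
"""Added example (not IBM's code): a model of the Access Gateway -> trusted
Web service identity assertion. Header name, addresses and users are
constructed for illustration only."""
import base64
import hmac
from dataclasses import dataclass, field

ASSERTED_IDENTITY_HEADER = "X-Asserted-Identity"   # assumed header name
GATEWAY_ADDR = "10.0.0.5"                          # assumed gateway address
TRUSTED_GATEWAY_PEERS = {GATEWAY_ADDR}             # assumed trusted peer set


@dataclass
class Request:
    peer_addr: str
    headers: dict = field(default_factory=dict)
    body: str = ""


class Registry:
    """Stand-in for the common (LDAP) user registry; holds constructed sample users."""

    def __init__(self, users):
        self._users = dict(users)

    def authenticate(self, user, password):
        expected = self._users.get(user)
        # compare_digest keeps the comparison constant-time for equal-length inputs
        return expected is not None and hmac.compare_digest(expected, password)


def basic_auth_header(user, password):
    """Build an HTTP Basic Authorization value for a sample third-party request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _parse_basic(value):
    """Return (user, password) from a Basic Authorization value, or None."""
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def access_gateway(registry, inbound, forward):
    """Authenticate at the gateway, then pass the request on with an asserted identity."""
    creds = _parse_basic(inbound.headers.get("Authorization", ""))
    if creds is None or not registry.authenticate(*creds):
        return 401, "unauthenticated"
    user = creds[0]
    # The propagation extension is only a conduit: drop the caller's own
    # credentials and any assertion header the caller tried to smuggle through.
    drop = {"authorization", ASSERTED_IDENTITY_HEADER.lower()}
    fwd_headers = {k: v for k, v in inbound.headers.items() if k.lower() not in drop}
    fwd_headers[ASSERTED_IDENTITY_HEADER] = user
    return forward(Request(GATEWAY_ADDR, fwd_headers, inbound.body))


def trusted_web_service(request):
    """Back-end Web service with security disabled: trusts the asserted identity
    only if the request came from a known gateway peer."""
    identity = request.headers.get(ASSERTED_IDENTITY_HEADER)
    if identity is None:
        return 401, "no asserted identity"
    if request.peer_addr not in TRUSTED_GATEWAY_PEERS:
        return 403, "asserted identity from untrusted peer"
    return 200, f"served {identity}"


def run_scenarios():
    """Exercise the cases a practitioner would check; returns name -> (status, detail)."""
    registry = Registry({"alice": "s3cret"})
    caller = "203.0.113.9"  # constructed third-party address
    good = Request(caller, {"Authorization": basic_auth_header("alice", "s3cret")})
    bad_pw = Request(caller, {"Authorization": basic_auth_header("alice", "wrong")})
    smuggled = Request(caller, {"Authorization": basic_auth_header("alice", "s3cret"),
                                ASSERTED_IDENTITY_HEADER: "admin"})
    # Bypass attempt: the caller reaches the back end directly with a forged assertion.
    direct = Request(caller, {ASSERTED_IDENTITY_HEADER: "admin"})
    return {
        "good": access_gateway(registry, good, trusted_web_service),
        "bad_pw": access_gateway(registry, bad_pw, trusted_web_service),
        "smuggled": access_gateway(registry, smuggled, trusted_web_service),
        "direct": trusted_web_service(direct),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The "direct" case is the one to take away: if the back end cannot tell a gateway from any other host on the network, anyone who can reach it can assert any identity. In a real deployment that peer check is what SSL (or IPSec) between the Access Gateway and the Service Platform provides; the address set here only stands in for that.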

Considerations for Service Platform components

Service Platform components typically are deployed using the TAI trust mechanism, with transport layer security using IPSec or SSL.

Service Platform components also support HTTP digest authentication for requesters. Digest authentication is an HTTP-level authentication scheme, not transport protection; to protect the transport, enable SSL (HTTPS) on the HTTP server.

Considerations for Web service implementations

In addition to the security plans you implement for Telecom Web Services Server, the Web service implementations can also be affected by the way in which security is configured for the remote network elements with which they interact, for example IBM® XDMS or the Parlay Connector.

Some of the Web service implementations require specific Telecom Web Services Server policies if you plan to enable security. For more information, review the policy descriptions for each service implementation you plan to deploy. The descriptions are found in the topic Reference: default policies for the Access Gateway and Web services.

(C) Copyright IBM Corporation 2009. All Rights Reserved.