Allows you to hide the real identity of the subscriber
from any third-party application.
Description
Prior to sending a message out
to a third-party application, the service message object (SMO) is
inspected for the presence of any address fields. The selected address
fields are masked or shadowed before the contents of the SMO are sent
the third-party application.
An example of the
masking usage would pertain to the notifySmsReception operation
of the SmsNotification interface, which is found in the short messaging
(SMS) Web services.
Policy configurations
This mediation primitive
uses the following policies for runtime configuration :
requester.
MaskingEnabled: Indicates whether masking or shadowing
should be performed on the message.
True indicates
masking, shadowing, or maskingwithexpiry is enabled. And
false indicates
no masking, shadowing, or maskingwithexpiry enabled.
- Type: Boolean
- Default: False
- Allowed values: true or false
requester.MaskingMode.Inbound:
The type of operation to be used in the request flow. It applies to
all inbound flows from the third-party application.
- Type: String
- Default: Unmasking
- Allowed values:
- masking
- unmasking
- shadowing
- unshadowing
- maskingWithExpiry
- unmaskingWithExpiry
requester.MaskingMode.Outbound:
The type of operation to be used in the response flow. It applies
to all outbound flows to the third-party application.
- Type: String
- Allowed values:
- masking
- unmasking
- shadowing
- unshadowing
- maskingWithExpiry
- unmaskingWithExpiry
address.InternalLifetime :
Length of time that the masked address is kept within the network.
(Used only by the MaskingWithExpiry and UnmaskingWithExpiry operations).
- Type: Numeric
- Default: 1
- Allowed values: any positive number
address.ExternalLifetime:
Length of time that the masked address may be used by a requester
to invoke a Web service. (Used only by the MaskingWithExpiry and UnmaskingWithExpiry
operations.)
- Type: Numeric
- Default: 1
- Allowed values: any positive number
address.TimeUnit: The
time unit to be used by the address.Internal Lifetime and address.ExternalLifetime
policies. For example, to configure a duration of 10 days, you would
specify
address.ExternalLifetime=10 and
address.TimeUnit
=days. (Used only by the MaskingWithExpiry operation.)
- Type: TimeSpecification
- Default: Day
- Allowed values: (Millisecond)|(Second)|(Minute)|(Hour)|(Day)|(Week)|(Month)|(Year)
address.ExternalCount: Number of
times the masked address may be used by a requester. This overrides
the address.ExternalLifetime if met before time expiry is reached.
(Used only by the MaskingWithExpiry and UnmaskingWithExpiry operations.)
- Type: Integer
- Default: 10
- Allowed values: any positive integer
Masking operations
The Address Masking mediation
primitive is responsible for hiding the real identifier of the subscriber
(MSISDN or SIP address) from Web service client applications or third-party
applications. There are situations in which you would not want to
reveal a subscriber's actual address to such an application.
In such cases, the address is replaced with a pseudo-address or an
encrypted address value before the request is sent to the third-party
application. Similarly, when a response arrives from a third-party
application, your application would unmask or unshadow the address
in the response to get the subscriber's actual address.
The
operations to be performed are configured as policies defined to the Service Policy Manager.
The field or fields to be masked/unmasked or shadowed/unshadowed are
configured as XPath properties in the Address Masking mediation primitive.
The mediation primitive calls the operations that are offered in the
Address Masking Web service, which is a Service Platform component.
The following operations are provided:
- Masking
- Encrypts the address fields contained in a request message, using an encryption algorithm. The encrypted address value is composed of numbers, alphanumeric characters and special characters.
- Unmasking
- Decrypts one or more masked address values contained in a request message. This operation and the masking operation are complementary.
- Shadowing
- Replaces the MSISDN contained in a request message with a pseudo-MSISDN value, and returns the pseudo value to the requester. For example, the MSISDN 9818010846 might be replaced by 98180XXXXX where X is any digit from 0 to 9. The number of digits to be shadowed is user configurable.
Note: Pay attention to the fact that the algorithm used for shadowing is very difficult to decipher, but not impossible. Also, be aware that there is a possibility of the generated shadowed number appearing as a valid MSISDN number. Hence, Shadowing is a comparatively vulnerable option as compared to the Masking or MaskingWithExpiry operations. If you are concerned about security, you should not use the Shadowing operation.
- Unshadowing
- Replaces the pseudo-MSISDN value contained in a request message with the actual MSISDN, and returns the unshadowed MSISDN to the requester. This operation and the masking operation are complementary.
- MaskingWithExpiry
- Replaces the address fields with a pseudo (random) number, which is configured for expiry–in other words, the pseudo number can be used only for a certain period of time, after which the address expires. Any subsequent requests that use an expired number are rejected. This operation and the UnmaskingWithExpiry operation are complementary.
- UnmaskingWithExpiry
- Given a masked number, it retrieves the corresponding original number from a database and sends the response back to the user. This operation and the MaskingWithExpiry operation are complementary.
Note: The Address Masking component Web service mediation primitive is deployed as a Service Platform components, and the mediation primitive uses the Service Policy Manager for masking configurations. This mediation primitive is available only with the version 7.1 levels of the TWSS Access Gateway and Service Policy Manager.
Note: The Address Masking component Web service is
deployed as a common component, and the Address Masking mediation
primitive uses the Service Policy Manager for
masking configurations. The version 7.1 Access Gateway and Service Policy Manager both
are required prerequisites for using this feature. The Access Gateway and Service Platform components system
times should be in synch at all times. This is done to prohibit any
discrepancies between the expiration intervals sent from the Address Masking component Web service mediation
primitive and the received Address Masking component Web service.
Configuration parameters
Some
properties must be specified in order for the mediation primitive
to perform its operations. The following configuration parameters
are utilized by the Address masking mediation primitive:
- XPath
- This is an XPath that identifies the SMO element(s) to mask, unmask,
shadow, unshadow, maskwithexpiry or unmaskwithexpiry. The XPath value
should specify the exact path to the element to be masked. Multiple
XPath elements are acceptable. For example; body/getReceivedSms/senderAddress.
- Digits
- For a shadowing operation, the number of digits to replace in
the MSISDN. This is a promotable property with a default value of 5.
- Event Type
- Indicates whether the message being operated on is an inbound
request message or an outbound response message. This property allows
the mediation primitive to look up corresponding policies from the Service Policy Manager.
Valid values are AG_INBOUND_REQUEST and AG_OUTBOUND_RESPONSE for a
response flow.
- AddressMaskingEndpoint
- The endpoint URL for the Address Masking component Web service.
This is a promotable property and the default value is http://localhost:9080/AddressMaskingWeb/services/AddressMasking.