WebSphere brand IBM WebSphere Telecom Web Services Server, Version 7.1

Address Masking

Allows you to hide the real identity of the subscriber from any third-party application.

Description

Prior to sending a message out to a third-party application, the service message object (SMO) is inspected for the presence of any address fields. The selected address fields are masked or shadowed before the contents of the SMO are sent the third-party application.

An example of the masking usage would pertain to the notifySmsReception operation of the SmsNotification interface, which is found in the short messaging (SMS) Web services.

Policy configurations

This mediation primitive uses the following policies for runtime configuration :

requester. MaskingEnabled: Indicates whether masking or shadowing should be performed on the message. True indicates masking, shadowing, or maskingwithexpiry is enabled. Andfalse indicates no masking, shadowing, or maskingwithexpiry enabled.
  • Type: Boolean
  • Default: False
  • Allowed values: true or false
requester.MaskingMode.Inbound: The type of operation to be used in the request flow. It applies to all inbound flows from the third-party application.
  • Type: String
  • Default: Unmasking
  • Allowed values:
    • masking
    • unmasking
    • shadowing
    • unshadowing
    • maskingWithExpiry
    • unmaskingWithExpiry
requester.MaskingMode.Outbound: The type of operation to be used in the response flow. It applies to all outbound flows to the third-party application.
  • Type: String
  • Allowed values:
    • masking
    • unmasking
    • shadowing
    • unshadowing
    • maskingWithExpiry
    • unmaskingWithExpiry
address.InternalLifetime : Length of time that the masked address is kept within the network. (Used only by the MaskingWithExpiry and UnmaskingWithExpiry operations).
  • Type: Numeric
  • Default: 1
  • Allowed values: any positive number
address.ExternalLifetime: Length of time that the masked address may be used by a requester to invoke a Web service. (Used only by the MaskingWithExpiry and UnmaskingWithExpiry operations.)
  • Type: Numeric
  • Default: 1
  • Allowed values: any positive number
address.TimeUnit: The time unit to be used by the address.Internal Lifetime and address.ExternalLifetime policies. For example, to configure a duration of 10 days, you would specify address.ExternalLifetime=10 and address.TimeUnit =days. (Used only by the MaskingWithExpiry operation.)
  • Type: TimeSpecification
  • Default: Day
  • Allowed values: (Millisecond)|(Second)|(Minute)|(Hour)|(Day)|(Week)|(Month)|(Year)
address.ExternalCount: Number of times the masked address may be used by a requester. This overrides the address.ExternalLifetime if met before time expiry is reached. (Used only by the MaskingWithExpiry and UnmaskingWithExpiry operations.)
  • Type: Integer
  • Default: 10
  • Allowed values: any positive integer

Masking operations

The Address Masking mediation primitive is responsible for hiding the real identifier of the subscriber (MSISDN or SIP address) from Web service client applications or third-party applications. There are situations in which you would not want to reveal a subscriber's actual address to such an application. In such cases, the address is replaced with a pseudo-address or an encrypted address value before the request is sent to the third-party application. Similarly, when a response arrives from a third-party application, your application would unmask or unshadow the address in the response to get the subscriber's actual address.

The operations to be performed are configured as policies defined to the Service Policy Manager. The field or fields to be masked/unmasked or shadowed/unshadowed are configured as XPath properties in the Address Masking mediation primitive. The mediation primitive calls the operations that are offered in the Address Masking Web service, which is a Service Platform component.

The following operations are provided:
Masking
Encrypts the address fields contained in a request message, using an encryption algorithm. The encrypted address value is composed of numbers, alphanumeric characters and special characters.
Unmasking
Decrypts one or more masked address values contained in a request message. This operation and the masking operation are complementary.
Shadowing
Replaces the MSISDN contained in a request message with a pseudo-MSISDN value, and returns the pseudo value to the requester. For example, the MSISDN 9818010846 might be replaced by 98180XXXXX where X is any digit from 0 to 9. The number of digits to be shadowed is user configurable.
Note: Pay attention to the fact that the algorithm used for shadowing is very difficult to decipher, but not impossible. Also, be aware that there is a possibility of the generated shadowed number appearing as a valid MSISDN number. Hence, Shadowing is a comparatively vulnerable option as compared to the Masking or MaskingWithExpiry operations. If you are concerned about security, you should not use the Shadowing operation.
Unshadowing
Replaces the pseudo-MSISDN value contained in a request message with the actual MSISDN, and returns the unshadowed MSISDN to the requester. This operation and the masking operation are complementary.
MaskingWithExpiry
Replaces the address fields with a pseudo (random) number, which is configured for expiry–in other words, the pseudo number can be used only for a certain period of time, after which the address expires. Any subsequent requests that use an expired number are rejected. This operation and the UnmaskingWithExpiry operation are complementary.
UnmaskingWithExpiry
Given a masked number, it retrieves the corresponding original number from a database and sends the response back to the user. This operation and the MaskingWithExpiry operation are complementary.
Note: The Address Masking component Web service mediation primitive is deployed as a Service Platform components, and the mediation primitive uses the Service Policy Manager for masking configurations. This mediation primitive is available only with the version 7.1 levels of the TWSS Access Gateway and Service Policy Manager.
Note: The Address Masking component Web service is deployed as a common component, and the Address Masking mediation primitive uses the Service Policy Manager for masking configurations. The version 7.1 Access Gateway and Service Policy Manager both are required prerequisites for using this feature. The Access Gateway and Service Platform components system times should be in synch at all times. This is done to prohibit any discrepancies between the expiration intervals sent from the Address Masking component Web service mediation primitive and the received Address Masking component Web service.

Configuration parameters

Some properties must be specified in order for the mediation primitive to perform its operations. The following configuration parameters are utilized by the Address masking mediation primitive:
XPath
This is an XPath that identifies the SMO element(s) to mask, unmask, shadow, unshadow, maskwithexpiry or unmaskwithexpiry. The XPath value should specify the exact path to the element to be masked. Multiple XPath elements are acceptable. For example; body/getReceivedSms/senderAddress.
Digits
For a shadowing operation, the number of digits to replace in the MSISDN. This is a promotable property with a default value of 5.
Event Type
Indicates whether the message being operated on is an inbound request message or an outbound response message. This property allows the mediation primitive to look up corresponding policies from the Service Policy Manager. Valid values are AG_INBOUND_REQUEST and AG_OUTBOUND_RESPONSE for a response flow.
AddressMaskingEndpoint
The endpoint URL for the Address Masking component Web service. This is a promotable property and the default value is http://localhost:9080/AddressMaskingWeb/services/AddressMasking.



Terms of use
(C) Copyright IBM Corporation 2009. All Rights Reserved.