on 09-07-2015 3:34 PM
Hi Gurus
I have a need to ensure that an OData service is only called by one IP address.
We use Layer7 as our runtime governance of service calls and the OData service I want to expose contains "confidential" data so I need to ensure that the call has been made by Layer 7. For me the best way to do this is to identify the IP address of the server calling my service - I am just not sure how one does this.
Regards
Dave Cuff
David,
This sounds to me like an infrastructure security requirement. IMO, Gateway is not the right place to implement it, rather you should rely on network firewalls. When you expose your Gateway system externally, there will be firewalls involved, and they will have the capability to do such things. So I would suggest contacting your infra/network-security teams.
Let us know how it went.
Regards
Krishna
Hi Krishna
Thank you for your response.
We do already have firewalls in place to protect the SAP system; however, if I expose this OData service I need to ensure that only the one IP address is allowed to consume it. Many other IP addresses will be able to consume other less sensitive OData services. This is why I am looking at being able to identify the calling IP address from within the service itself.
Regards
Dave Cuff
Hi David,
As Krishna suggested, your case can be configured at the firewall level, which is also the best place for this. Suppose you have service ZSENSITIVE_SRV which you want to restrict and there are other services like ZOTHER1_SRV, ZOTHER2_SRV.
We should be able to set up some rules at the firewall at URL level so that only a particular IP is allowed to access ZSENSITIVE_SRV while all other services can be less restricted.
Please check with the IT team.
Regards,
Ekansh
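The URL-level rule described in the reply above, sketched as an added example that is not part of any post in this thread or of any SAP or firewall product: it shows the path normalisation such a rule needs so that case changes, percent-encoding, `../` segments or a `;v=` suffix do not route a request around the restriction. The `/sap/opu/odata/sap/` prefix, the address 192.0.2.10 and the function names are assumptions made for illustration.

```python
import ipaddress
import posixpath
from urllib.parse import unquote

# Constructed rule set: only the gateway address may call ZSENSITIVE_SRV.
# 192.0.2.10 is a documentation address standing in for the Layer 7 server.
RESTRICTED = {"ZSENSITIVE_SRV": [ipaddress.ip_network("192.0.2.10/32")]}
ODATA_PREFIX = "/sap/opu/odata/sap/"  # assumed base path, compared in lower case


def service_name(raw_path):
    """Return the upper-cased service segment, or None outside the prefix."""
    path = unquote(raw_path.split("?", 1)[0])          # drop query, decode %xx
    path = "/" + posixpath.normpath(path).lstrip("/")  # fold //, ./ and ../
    if not path.lower().startswith(ODATA_PREFIX):
        return None
    segment = path[len(ODATA_PREFIX):].split("/", 1)[0]
    return segment.split(";", 1)[0].upper() or None    # drop ;v=... suffix


def is_allowed(peer_ip, raw_path):
    """peer_ip must be the TCP peer address, not a client-supplied header."""
    nets = RESTRICTED.get(service_name(raw_path))
    if nets is None:
        return True   # ZOTHER1_SRV, ZOTHER2_SRV etc.: no IP restriction here
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable source address: deny the restricted service
    return any(addr in net for net in nets)
```

The decision is only as trustworthy as the source address fed into it: if another proxy sits between the gateway and the enforcement point, the TCP peer is that proxy, and the rule has to be applied where the original connection terminates.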