Whitelist addresses

You can configure SecureTransport to restrict the partner IP addresses that can log in by using whitelists. Whitelists apply to flows where a partner is a client that logs on to SecureTransport.

Enable whitelists

On Central Governance, enable the login whitelist by setting the feature.st.whitelisting.enabled flag to on in the <CG dir>/runtime/com.axway.nodes.ume_${id}/conf/com.axway.cmp.features-default.cfg file.

To disable, set this value to off.

Register SecureTransport

If whitelisting is enabled on Central Governance, registering a SecureTransport automatically:

  1. Creates a Login Restriction Policy on SecureTransport, where:
    • Policy Name = CentralGovernanceLoginPolicy
    • Policy Type = ALLOW_THEN_DENY
  2. Sets the default business unit for Central Governance, CentralGovernanceBusinessUnit, as follows:

If whitelisting is disabled or not set on Central Governance, no whitelist settings are performed on SecureTransport during registration.

Add a partner to the whitelist

For each partner that you want to be able to log on to SecureTransport, enter the partner's IP address or hostname in the Client address field of its partner definition.

How whitelisting works

The following actions are performed by Central Governance when whitelisting is enabled:

  1. Before deploying a flow with the partner as client to SecureTransport, Central Governance checks if the partner's Client address is defined. If it is not, flow deployment fails.
  2. If it is the first flow with SecureTransport, Central Governance checks if the CentralGovernanceLoginPolicy exists on SecureTransport. If it does not, it creates the policy as described above in Register SecureTransport.
  3. For flows with a partner as the client, an account is created or updated on SecureTransport, with its Login Restriction Policy set as follows:
    • Account = None
    • Business Unit = CentralGovernanceLoginPolicy
  4. For all other flows, the account Login Restriction Policy is set to None.
  5. For each partner acting as a client to SecureTransport in the flow being deployed, a new rule is created in the CentralGovernanceLoginPolicy where:
    • Name = <account_name> policy
      • FTP/SFTP account_name is the partner client communication profile login
      • PESIT account_name is the name of the SecureTransport in Central Governance
    • Type = Allow
    • Client address = IP address of partner acting as client to SecureTransport in the deployed flow
    • Description = Policy created for the account <account name>

Limitation

You cannot use whitelists for PeSIT flows having several partners that are clients to SecureTransport. In this case, one account is created for all partners, and one login policy rule is created for the last deployed partner.
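The following Python model illustrates the behaviour described in How whitelisting works and in Limitation above. It is an added example, not Axway code: the Partner, Rule and LoginPolicy structures, the deploy_flow and is_login_allowed functions, and the sample partners with TEST-NET addresses are assumptions used only to show how an ALLOW_THEN_DENY policy with one Allow rule per client partner decides a login, why a missing Client address fails deployment, and why a PeSIT flow with several client partners keeps only the rule of the last deployed partner.

```python
"""Model of the login restriction rules Central Governance creates on
SecureTransport when whitelisting is enabled (added example, not Axway code).
Names, structures and sample data below are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

POLICY_NAME = "CentralGovernanceLoginPolicy"   # from the page
POLICY_TYPE = "ALLOW_THEN_DENY"                # from the page


@dataclass
class Partner:
    name: str
    login: str                        # client communication profile login (FTP/SFTP)
    client_address: Optional[str]     # value of the partner's Client address field


@dataclass
class Rule:
    name: str                         # "<account_name> policy"
    rule_type: str                    # "Allow"
    client_address: str
    description: str


@dataclass
class LoginPolicy:
    name: str = POLICY_NAME
    policy_type: str = POLICY_TYPE
    rules: List[Rule] = field(default_factory=list)


class DeploymentError(Exception):
    """Raised when a client partner has no Client address (step 1)."""


def deploy_flow(policy: LoginPolicy, partners: List[Partner],
                protocol: str, st_name: str) -> List[str]:
    """Apply steps 1 and 5: refuse deployment if any client partner lacks a
    Client address, otherwise add one Allow rule per partner.  Returns the
    account names the rules were created for."""
    for p in partners:
        if not p.client_address:
            raise DeploymentError(
                f"partner {p.name} has no Client address; flow deployment fails")
    accounts = []
    for p in partners:
        # FTP/SFTP: account name is the partner login; PESIT: the SecureTransport name
        account_name = p.login if protocol in ("FTP", "SFTP") else st_name
        rule = Rule(name=f"{account_name} policy", rule_type="Allow",
                    client_address=p.client_address,
                    description=f"Policy created for the account {account_name}")
        # A rule with the same name replaces the previous one.  For PESIT all
        # partners share one account, so only the last deployed partner's
        # address survives (the documented limitation).
        policy.rules = [r for r in policy.rules if r.name != rule.name]
        policy.rules.append(rule)
        accounts.append(account_name)
    return accounts


def _matches(client_address: str, source_ip: str) -> bool:
    """Compare a rule's Client address with the connecting IP.  Hostnames are
    compared literally here (assumption: no DNS resolution in this model)."""
    try:
        return ipaddress.ip_address(source_ip) == ipaddress.ip_address(client_address)
    except ValueError:
        return client_address == source_ip


def is_login_allowed(policy: LoginPolicy, account_name: str, source_ip: str) -> bool:
    """ALLOW_THEN_DENY: the login is allowed only if an Allow rule for the
    account matches the source address; everything else is denied."""
    for r in policy.rules:
        if r.name == f"{account_name} policy" and r.rule_type == "Allow":
            if _matches(r.client_address, source_ip):
                return True
    return False


def demo() -> dict:
    """Constructed scenario: one SFTP partner, one PESIT flow with two partners."""
    sftp_policy = LoginPolicy()
    acme = Partner("acme", "acme_sftp", "192.0.2.10")       # constructed TEST-NET address
    deploy_flow(sftp_policy, [acme], "SFTP", "ST1")

    pesit_policy = LoginPolicy()
    deploy_flow(pesit_policy, [Partner("p1", "p1", "192.0.2.1"),
                               Partner("p2", "p2", "192.0.2.2")], "PESIT", "ST1")
    return {
        "acme_from_own_ip": is_login_allowed(sftp_policy, "acme_sftp", "192.0.2.10"),
        "acme_from_other_ip": is_login_allowed(sftp_policy, "acme_sftp", "198.51.100.7"),
        "pesit_rule_count": len(pesit_policy.rules),
        "pesit_p1_allowed": is_login_allowed(pesit_policy, "ST1", "192.0.2.1"),
        "pesit_p2_allowed": is_login_allowed(pesit_policy, "ST1", "192.0.2.2"),
    }


if __name__ == "__main__":
    print(demo())
```

The demo shows the practical consequence of the limitation: after the PeSIT flow is deployed, the first partner's address is no longer in any rule, so its login is denied even though the partner is part of the flow.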

Impact management

If you change the whitelist settings, this impacts deployed flows in the following scenarios:

Action: Change the feature.st.whitelisting.enabled value from on to off
Impact on flows: Impact on flows is not calculated. On SecureTransport you must manually remove the Login restriction policies from the CentralGovernanceLoginPolicy.

Action: Change the feature.st.whitelisting.enabled value from off to on
Impact on flows: When Central Governance next restarts, the impact on deployed flows with a partner as client to SecureTransport is calculated 2 minutes after the restart. The status of flows that need to be redeployed changes to Saved, Not Deployed.

Action: Modify the Client address of a partner that is used in deployed flows
Impact on flows: The status of flows deployed with this partner becomes Saved, Not Deployed.
