API Connect

  • 1.  IP WhiteListing / BlackListing

    Posted Thu February 22, 2024 11:12 AM

    Hi All,

    We are working on API Connect in SaaS.

    We would like information on how to configure IP Client Whitelisting / BlackListing.

    Thanks,

    Paul



    ------------------------------
    Paul Dango
    ------------------------------


  • 2.  RE: IP WhiteListing / BlackListing

    Posted Thu February 22, 2024 01:59 PM

    Hi Paul,

    I understand that SaaS doesn't support user defined policies (assuming you're talking public SaaS), but see our public sample UDP repository and in particular, the clientIPFilter UDP https://github.com/ibm-apiconnect/policy-apigw/tree/master/user-defined-policies/clientip-filter. All the UDP does is allow dynamic specification of the allow/deny rules and then uses those rules against the client IP with a DataPower extension function, and this is all done in an XSLT. You could use the XSLT as an example to do whatever you need to do.
    Best Regards,
    Steve



    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------



  • 3.  RE: IP WhiteListing / BlackListing

    Posted Thu February 22, 2024 03:56 PM
     Hi Steve,

    We are developing in IBM API Connect Base Edition SaaS. In this edition XSLT, GatewayScript, and User Defined Policies are not available. It appears then that IP whitelisting/blacklisting is not possible in the Base Edition.

    However, in the Advanced Edition, XSLT, GatewayScript and User Defined Policies are available.

    Thanks,
    Paul







  • 4.  RE: IP WhiteListing / BlackListing

    Posted Fri February 23, 2024 04:47 AM

    Hi Paul, 


    Whilst this will be a lot easier to achieve in the Advanced plan using the clientIP sample policy - you may be able to achieve what you are looking for using logic in a switch (https://www.ibm.com/docs/en/api-connect/saas?topic=constructs-switch)  - the client IP is available in the context variable `session.clientAddress`

    Thanks

    Ricky



    ------------------------------
    Ricky Moorhouse
    IBM API Connect Cloud Architect
    ------------------------------



  • 5.  RE: IP WhiteListing / BlackListing

    Posted Wed February 28, 2024 12:34 PM

    Hi Ricky,

    How do we check in the switch policy that an IP address is within an IP range? The client has provided a range of CIDR /17. This can be a lot of addresses to configure in the switch policy?

    Thanks,

    Paul



    ------------------------------
    Paul Dango
    ------------------------------



  • 6.  RE: IP WhiteListing / BlackListing

    Posted Wed February 28, 2024 04:35 PM

    Hi Paul, 

    The JSONata for a switch condition handles a regex match https://www.ibm.com/docs/en/api-connect/saas?topic=switch-using-policy-condition-editor using the following, although I have no idea how the optional limit argument would be used for a match, so I'd just omit that argument

    • $match(str, pattern [, limit])

    Here are some general regex patterns for particular CIDR limits.

    Any IP, i.e. a CIDR of /0

    ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

    a /15 example, say 192.168|169.0-255.0-255 or 192.168.0.0/15

    ^192\.16[89]\.(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.)([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

    a /16 example, say 192.168.0-255.0-255 or 192.168.0.0/16

    ^192\.168\.(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.)([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

    a /17 example, say 192.168.124|125.0-255 or 192.168.124.0/17

    ^192\.168\.12[45]\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

    So the regular expression would simplify your JSONata instead of checking for many different individual IP values.
    Regards,
    Steve


    ------------------------------
    Steve Linn
    Senior Consulting I/T Specialist
    IBM
    ------------------------------
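
Added example, not part of any post in this thread: a JavaScript helper that derives an anchored pattern for an arbitrary IPv4 CIDR, suitable for the `$match` approach described above. A /17 fixes the first 17 bits, so for 192.168.124.0/17 the third octet spans 0-127; the function names and sample addresses are constructed for illustration.

```javascript
// Added example (not from the thread): build an anchored regex for an IPv4 CIDR.
const ANY_OCTET = '(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])';

// Regex fragment matching each decimal value in lo..hi (0 <= lo <= hi <= 255)
// without leading zeros, grouped by tens: 120..127 becomes "12[0-7]".
function octetRange(lo, hi) {
  if (lo === 0 && hi === 255) return ANY_OCTET;
  if (lo === hi) return String(lo);
  const parts = [];
  for (let tens = Math.floor(lo / 10); tens <= Math.floor(hi / 10); tens++) {
    const first = Math.max(lo, tens * 10) % 10;
    const last = Math.min(hi, tens * 10 + 9) % 10;
    const digits = first === last ? String(first) : `[${first}-${last}]`;
    parts.push((tens === 0 ? '' : String(tens)) + digits);
  }
  return `(?:${parts.join('|')})`;
}

// Host bits in the base address are ignored, so 192.168.124.0/17 and
// 192.168.0.0/17 produce the same pattern.
function cidrToRegex(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`not an IPv4 CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (prefix > 32 || octets.some((o) => o > 255)) {
    throw new Error(`out-of-range IPv4 CIDR: ${cidr}`);
  }
  const fragments = octets.map((octet, i) => {
    const bits = Math.min(8, Math.max(0, prefix - 8 * i)); // prefix bits in octet i
    const mask = (0xff << (8 - bits)) & 0xff;
    const lo = octet & mask;
    return octetRange(lo, lo | (~mask & 0xff));
  });
  return `^${fragments.join('\\.')}$`;
}

// Convenience check for trying a generated pattern against sample addresses.
function inCidr(cidr, ip) {
  return new RegExp(cidrToRegex(cidr)).test(ip);
}

// Constructed sample addresses, for illustration only.
for (const ip of ['192.168.0.1', '192.168.127.255', '192.168.128.0', '10.0.0.1']) {
  console.log(ip, inCidr('192.168.124.0/17', ip));
}
console.log(cidrToRegex('192.168.124.0/17'));
```

Generate the pattern offline and verify it against known in-range and out-of-range addresses before pasting it into the switch condition.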