IBM Cloudant Security Update: TLS 1.2+ and Service Endpoints
The IBM Cloudant team wants to share some very important updates that will bring enhanced security to the service. These updates will change the way you engage with Cloudant, so please review to ensure that your applications can take advantage and continue uninterrupted.
TLS 1.2+ required starting on June 1, 2019
Starting on June 1, 2019, the IBM Cloudant API will require Transport Layer Security (TLS) 1.2 and above. The IBM Cloudant API requires HTTPS and currently supports TLS 1.0 and above. The IBM Cloud withdrew support for TLS 1.0 and 1.1 for many services in March 2018 and IBM Cloudant is following suit. If your applications are still using TLS 1.0 or 1.1, please update them immediately to TLS 1.2 or above to avoid any impact. If you are unsure what TLS version your application is using to connect to Cloudant or have any questions, open a support ticket. See the IBM Cloudant security docs for more detail.
IBM Cloud service endpoints
IBM Cloudant is accessed through HTTP API endpoints. The endpoints for an instance are shown in both the URL field of the Service Credentials generated for the instance and in the Account > Settings tab of the IBM Cloudant Dashboard.
The publicly-facing external endpoint is:
IBM Cloud has introduced new two endpoints for Cloudant instances provisioned 2019 or later.
The new publicly-facing external endpoint is:
For instances deployed on Dedicated Hardware environments, an additional endpoint that is only accessible through the internal IBM Cloud Private network is provided. Leveraging this endpoint allows users to avoid outbound bandwidth costs and public network connectivity. The format of the endpoint is:
The USERNAME is the service name of the service instance user in the URL. This field also serves as the admin user name when using IBM Cloudant legacy authentication. An example USERNAME is de810d0e-763f-46a6-ae88-50823dc85581-bluemix, and the resulting example external endpoint would be de810d0e-763f-46a6-ae88-50823dc85581-bluemix.cloudantnosqldb.appdomain.cloud. See the endpoints documentation for more details.
Dedicated Hardware environments offer enhanced networking and encryption options
The IBM Cloudant Dedicated Hardware plan in the IBM Cloud catalog is for customers who require additional security and compliance benefits. IBM Cloudant Dedicated Hardware instances are isolated environments for the sole use of a customer to run one or more IBM Cloudant Standard plan instances. We have added the ability to connect via IBM’s internal network, meaning customers can avoid public network and outbound bandwidth costs when connecting to Cloudant from their applications. With that, the Dedicated Hardware environment now offers the following benefits:
Isolation at the database compute and storage layers for a single customer
Choice of any IBM Cloud location
Optional HIPAA readiness in US locations
Both external and internal service endpoints
Bring your own encryption key (BYOK) with Key Protect
See the documentation on the IBM Cloudant Dedicated Hardware plan for more details.