Topic
  • 4 replies
  • Latest Post - ‏2013-04-26T00:10:32Z by Rohit-Goyal
Rohit-Goyal
Rohit-Goyal
128 Posts

Pinned topic ACL not working

‏2013-04-25T12:01:58Z |

We have 2 MPGs set up serially to complete a transaction. MPG1 takes traffic from outside and then forwards to MPG2.

An ACL (Access Control List) is attached to the FSH of MPG1 and it's working fine. It makes sure that the request is coming from a consumer with a particular IP address. But we also want to put a control in place ensuring that MPG2 only receives requests from MPG1. For that we created one more ACL and set it up on MPG2. But it's not working.

We suspect that ACL doesn't work when request is coming from another MPG or any other service within DataPower. Can someone confirm this?

 

Thanks

Rohit Goyal

  • kenhygh
    kenhygh
    1481 Posts

    Re: ACL not working

    ‏2013-04-25T12:07:40Z  

    Rohit,

    Have your mpg2 just listen on 127.0.0.1. That way nothing off-box can get to it. It's a lot simpler than setting up a second ACL.

    But if you'd rather do an ACL on mpg2, it should work fine. How is it configured?

    Ken

  • Rohit-Goyal
    Rohit-Goyal
    128 Posts

    Re: ACL not working

    ‏2013-04-25T12:17:47Z  
    • kenhygh
    • ‏2013-04-25T12:07:40Z

    Rohit,

    Have your mpg2 just listen on 127.0.0.1. That way nothing off-box can get to it. It's a lot simpler than setting up a second ACL.

    But if you'd rather do an ACL on mpg2, it should work fine. How is it configured?

    Ken

    We have a few more MPGs running in another domain (Domain2). We don't want those services to hit MPG2, which is in Domain1. That's why we are looking for the ACL option.

    Some more information: we have 2 domains, and we have allocated a different IP to each one of those. Each domain has a Gateway which internally forwards the request to the other concrete MPGs. But in both domains, whenever an MPG calls another MPG, the probe shows that the client-ip is 127.0.0.1. Actually we are not sure how we should make sure that in a particular domain, MPG2 listens only to MPG1 from the same domain.

     

    Rohit

  • kenhygh
    kenhygh
    1481 Posts

    Re: ACL not working

    ‏2013-04-25T12:40:08Z  

    We have a few more MPGs running in another domain (Domain2). We don't want those services to hit MPG2, which is in Domain1. That's why we are looking for the ACL option.

    Some more information: we have 2 domains, and we have allocated a different IP to each one of those. Each domain has a Gateway which internally forwards the request to the other concrete MPGs. But in both domains, whenever an MPG calls another MPG, the probe shows that the client-ip is 127.0.0.1. Actually we are not sure how we should make sure that in a particular domain, MPG2 listens only to MPG1 from the same domain.

     

    Rohit

    Well in that case, you're going to have to pass something from MPG1 to MPG2. Given the specifics of your setup, you could set an HTTP header containing the domain name, and have MPG2 check this header against its own domain.

    This assumes of course that you trust the other domains not to fake this. If you can't trust the other services, then you'll need to use encryption of some sort. You can always set up mutual-auth SSL between services, though that's usually 'way overkill. Or, you could do like we did on that customer engagement we did together, where we used a shared key to encrypt/decrypt a header.

    Regards,

    Ken

  • Rohit-Goyal
    Rohit-Goyal
    128 Posts

    Re: ACL not working

    ‏2013-04-26T00:10:32Z  
    • kenhygh
    • ‏2013-04-25T12:40:08Z

    Well in that case, you're going to have to pass something from MPG1 to MPG2. Given the specifics of your setup, you could set an HTTP header containing the domain name, and have MPG2 check this header against its own domain.

    This assumes of course that you trust the other domains not to fake this. If you can't trust the other services, then you'll need to use encryption of some sort. You can always set up mutual-auth SSL between services, though that's usually 'way overkill. Or, you could do like we did on that customer engagement we did together, where we used a shared key to encrypt/decrypt a header.

    Regards,

    Ken

    Thanks, Ken.

    I remember that shared key idea. I'll put that forward for discussion with the team.

    Rohit