Network security and OpenPages

By default, the OpenPages® service allows ingress connections from outside the cluster.

The OpenPages service exposes specific network communication ports to allow ingress connections from outside of the Cloud Pak for Data cluster. The ingress ports are controlled by Cloud Pak for Data and Red Hat® OpenShift®.

In addition, you can configure the OpenPages service to allow egress traffic to external services outside of Cloud Pak for Data. This task is optional. The egress ports are not restricted. To allow egress connections, you must configure egress network traffic rules on the host cluster’s network infrastructure.

Ingress ports

The following table lists the ingress ports that are exposed by OpenPages by default.

Table 1. Ingress ports for OpenPages

| Port usage | External port | Internal port | Protocol |
| --- | --- | --- | --- |
| External client traffic over HTTPS, including client browsers and REST API clients | 443 | 10111 | HTTPS |

Restricting egress to known ports

The following table lists the ports that you can configure for egress traffic from the OpenPages service to external hosts.

Cloud Pak for Data on Red Hat OpenShift does not restrict egress traffic from the OpenPages service to external destinations. Create Deny All firewall rules in your host network infrastructure and expose only the services that are necessary, using allow lists as needed.

If an external service uses a nonstandard port number, contact your service provider.

By default, in OpenPages, these integrations are not enabled.

Table 2. External connections

| Port usage | External port | Protocol |
| --- | --- | --- |
| Watson™ APIs for Natural Language Classifier, Watson Assistant, and Watson Discovery | 443 | HTTPS |
| Email Service for system notifications | 25/465/587 | SMTP |
| Thomson Reuters feed via SFTP | 22 | SFTP |
| Other feeds via API (for example, Ascent, RegTrack, SecurityScorecard, Supply Wisdom, and Wolters Kluwer) | 443 | HTTPS |
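
The following sketch shows one way to turn Table 2 into a deny-by-default allow list and check observed egress flows against it. It is an added example, not IBM or OpenPages code. The integration keys, destination hostnames, and flow records are constructed for illustration.

```python
# Added example: deny-by-default egress check built from Table 2.
# Hostnames and flows are constructed placeholders, not IBM-published endpoints.
from dataclasses import dataclass

# Table 2 from this page: integration -> (protocol, allowed destination ports).
# The dictionary keys are hypothetical short names for the table rows.
TABLE_2 = {
    "watson_apis": ("HTTPS", {443}),
    "email": ("SMTP", {25, 465, 587}),
    "thomson_reuters_sftp": ("SFTP", {22}),
    "api_feeds": ("HTTPS", {443}),
}

@dataclass(frozen=True)
class Rule:
    integration: str
    host: str
    port: int

def build_allow_list(enabled):
    """enabled: {integration: [destination hosts]}. Integrations are off by
    default, so anything not listed here contributes no allow rule."""
    rules = set()
    for name, hosts in enabled.items():
        if name not in TABLE_2:
            raise ValueError(f"unknown integration: {name}")
        _, ports = TABLE_2[name]
        for host in hosts:
            for port in ports:
                rules.add(Rule(name, host.lower(), port))
    return rules

def evaluate(flows, rules):
    """Return (host, port, verdict) per flow; no matching rule means DENY."""
    allowed = {(r.host, r.port) for r in rules}
    return [(h, p, "ALLOW" if (h.lower(), p) in allowed else "DENY")
            for h, p in flows]

# Constructed sample: only email and the SFTP feed are enabled.
ENABLED = {"email": ["smtp.example.com"],
           "thomson_reuters_sftp": ["sftp.feed.example.net"]}
FLOWS = [
    ("smtp.example.com", 587),       # enabled integration, listed port
    ("sftp.feed.example.net", 22),   # enabled integration, listed port
    ("smtp.example.com", 2525),      # port not listed in Table 2
    ("api.feed.example.org", 443),   # api_feeds integration not enabled
]

if __name__ == "__main__":
    for host, port, verdict in evaluate(FLOWS, build_allow_list(ENABLED)):
        print(f"{verdict:5} {host}:{port}")
```

The same rule set can be exported to whatever firewall or proxy enforces egress on the host network. The point is that a destination is reachable only when its integration is enabled and the port matches Table 2.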

GRC REST API

When you call the OpenPages GRC REST API from inside the cluster, you might need to access OpenPages by using its internal service name and port instead of the external URL. Use the internal URL, for example, if your environment has network restrictions that prevent the use of the external URL.

The internal service URL uses the format: https://openpages-<instance_name>-svc:10111.

For example, if the external URL for OpenPages is https://cpd-zen.apps.op-abc-test-10.xyz.company.com/openpages-openpagesinstance1/, the internal service URL is https://openpages-openpagesinstance1-svc:10111/.

Example URI paths

The following URI paths are examples of URIs for the GRC REST API that use the internal URL for OpenPages:
https://openpages-openpagesinstance1-svc:10111/openpages-openpagesinstance1-grc/api
https://openpages-openpagesinstance1-svc:10111/openpages-openpagesinstance1-grc/api/types