IP access control
In Container Mode, the system supports both allowed IP and denied IP addresses on the container level.
For some on-premise customers, vault-level specification provides efficient configuration when all containers belong to the same organization; on the other hand, container-level IP specification offers flexibility when each container requires a different set of client IPs.
When allowed IP addresses are specified on both the vault and the container, both lists must admit the client: the system denies S3 operations for all users and applications if the client IP is outside the allowedIp list of either the vault or the container.
IBM COS supports the enforcement of container IP whitelisting or blacklisting whether the client connects to the Accesser® device directly or through a proxy server. Because the check is evaluated against the address the system considers the client's originating IP, the connection type must match the actual deployment; refer to IBM COS Manager Web interface -> Administration -> Network Transport Layer Configuration to set the proper connection type and how the client originating IP address is determined.
The system also allows a Service Administrator to create lists of denied IP addresses for a container, either to block users from accessing the container from specific IP addresses (such as those suspected of hosting malware or spam) or to allow access from a wider allowedIp list except for narrow sub-ranges specified in deniedIp. There is no denied IP support at the vault level.
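The evaluation order described above (vault allowedIp, then container allowedIp, then container deniedIp), as an added illustration that is not IBM's code. It assumes the lists hold CIDR strings, that an empty list means no restriction at that level, and that deniedIp exists only at container level, as the text states.

```python
from ipaddress import ip_address, ip_network

# Constructed example of the access decision; not the IBM COS implementation.
# Assumptions: lists are CIDR strings; an empty allowedIp list at a level
# means that level imposes no restriction; deniedIp is container-level only.


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def s3_request_permitted(client_ip, vault_allowed_ip=(),
                         container_allowed_ip=(), container_denied_ip=()):
    """Return (permitted, reason) for one client IP against the three lists."""
    ip = ip_address(client_ip)
    # strict=False tolerates host bits set in an entry such as 10.20.5.3/24.
    vault_allow = [ip_network(n, strict=False) for n in vault_allowed_ip]
    cont_allow = [ip_network(n, strict=False) for n in container_allowed_ip]
    cont_deny = [ip_network(n, strict=False) for n in container_denied_ip]

    # When both levels specify allowedIp, both must admit the client.
    if vault_allow and not _in_any(ip, vault_allow):
        return False, "outside vault allowedIp"
    if cont_allow and not _in_any(ip, cont_allow):
        return False, "outside container allowedIp"
    # deniedIp carves narrow sub-ranges out of the wider allowed range.
    if _in_any(ip, cont_deny):
        return False, "inside container deniedIp"
    return True, "allowed"


# Constructed policy: organization range on the vault, one team's /16 on the
# container, and a quarantined /24 inside that /16 denied at the container.
VAULT_ALLOWED = ["10.0.0.0/8"]
CONTAINER_ALLOWED = ["10.20.0.0/16"]
CONTAINER_DENIED = ["10.20.5.0/24"]


def decide(client_ip):
    return s3_request_permitted(client_ip, VAULT_ALLOWED,
                                CONTAINER_ALLOWED, CONTAINER_DENIED)


if __name__ == "__main__":
    for probe in ["10.20.7.9", "10.20.5.3", "10.30.1.1", "192.168.1.1"]:
        print(probe, decide(probe))
```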
Transfer IP access control during conversion
Prior to conversion to Container Mode, a System Administrator must determine and configure whether to transfer IP access control from the standard vault to the container vault or to the first container. For more information, see Enabling Container Mode with an existing system, or set the corresponding “transferAllowedIpsToContainer” value using the “editContainerModeSettings.adm” Manager REST API. IP access control is enforced during the conversion to Container Mode.