Securing the interoperability servlet

The Interoperability Servlet is one of the integration technologies that allow client programs to interact with Sterling™ Order Management System Software applications.

In this topic, we will discuss how you can secure access to the Interoperability Servlet through authentication, authorization, and confidentiality.

Parameters

The following parameters, at their default values, enforce authentication and authorization:
  • interopservlet.security.enabled=true
  • interopservlet.auth.container.enabled=false
  • interopservlet.auth.token.enabled=true
  • interopservlet.auth.userPassword.enabled=true
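As an added illustration (not part of this topic and not IBM's code), the following Python script parses Java-style properties text and reports any of the four parameters above whose value differs from the default that enforces authentication and authorization. The sample properties text is constructed for the example, and the treatment of an absent parameter as taking its default is an assumption, not something this topic states.

```python
"""Audit interoperability-servlet security properties against the documented defaults.

Added example, not product code. Parses .properties-style text and flags any of
the four parameters from this topic that are set away from the default value
that enforces authentication and authorization.
"""
from typing import Dict, List

# Secure defaults exactly as listed in this topic.
SECURE_DEFAULTS: Dict[str, str] = {
    "interopservlet.security.enabled": "true",
    "interopservlet.auth.container.enabled": "false",
    "interopservlet.auth.token.enabled": "true",
    "interopservlet.auth.userPassword.enabled": "true",
}

# Constructed sample: two parameters overridden away from the secure defaults.
SAMPLE_WEAK = """
# interoperability servlet settings (constructed sample)
interopservlet.security.enabled=false
interopservlet.auth.container.enabled=false
interopservlet.auth.token.enabled=true
interopservlet.auth.userPassword.enabled = FALSE
"""

# Constructed sample that keeps every parameter at its secure default.
SAMPLE_SECURE = """
interopservlet.security.enabled=true
interopservlet.auth.container.enabled=false
interopservlet.auth.token.enabled=true
interopservlet.auth.userPassword.enabled=true
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties parser: key=value or key:value per line.

    Blank lines and lines starting with '#' or '!' are ignored; the first
    '=' or ':' on a line separates key from value, and both are trimmed.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        candidates = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not candidates:
            continue  # no separator: not a key/value line
        sep = min(candidates)
        key = line[:sep].strip()
        value = line[sep + 1:].strip()
        if key:
            props[key] = value
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return one finding per security parameter set away from its secure default.

    Assumption (not stated in the topic): a parameter that is absent from the
    file takes its default, so only explicitly overridden values are reported.
    """
    findings: List[str] = []
    for key, expected in SECURE_DEFAULTS.items():
        actual = props.get(key)
        if actual is None:
            continue
        if actual.lower() != expected:
            findings.append(f"{key} is '{actual}', secure default is '{expected}'")
    return findings


def main() -> None:
    for label, text in (("weak", SAMPLE_WEAK), ("secure", SAMPLE_SECURE)):
        findings = audit(parse_properties(text))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

Run it against your own properties file by passing the file's contents to `parse_properties` and then to `audit`; an empty result means every one of the four parameters is either absent or at its secure default.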

Authentication

By default, with both interopservlet.security.enabled and interopservlet.auth.token.enabled set to true, client programs must supply a user ID and password for authentication. The user is defined in the Applications Manager.

Authorization

You can also configure user groups to control which users have access to APIs (for example, to create orders or to view orders) as well as to the interoperability servlet itself.

Confidentiality

Finally, you should send requests to the Interoperability Servlet over SSL to protect the confidentiality of each request while it transits the network.

Reduction of attack surface

We recommend that you remove the Interoperability Servlet from your deployment if you do not intend to use it. Doing so reduces the attack surface of the application.