Publishing events from the Inventory service to webhooks

You must complete the following prerequisites to publish events to webhooks.

For each configurable event, you must provide the following details in the IBM® support case requesting to set up a webhook endpoint and configure the event subscriptions:

  • Sterling Inventory Visibility tenant ID.
  • Event name.
  • Event delivery URL
    A URL where webhook events are posted (The URL must be an HTTPS URL).
  • Access token URL
    A URL where oauth2 tokens are made available (The URL must be an HTTPS URL).
  • OAuth2 client IDand OAuth2 client secret
    Credentials to authenticate the webhook.
  • Token duration in hours.

IBM Support takes approximately two weeks to revert with the necessary information. For more information about opening a case with IBM Support, see Contacting IBM Support.

WebHooks configuration guidelines

You must adhere to the webhook configuration guidelines as follows:
  • You must implement webhooks with the Oauth2 client credentials grant type authentication flow.
    The instructions for the OAuth2 request are the same as Retrieving a token. The only difference is that you host the OAuth2 server and IBM makes token requests to the server by using the credentials that you provide.
  • Ensure that the SSL certificates for both URLs are root CA signed certificates. By default, IBM trusts the certificates that are provided by OpenJDK 11.
  • The HTTPS port that is supported for outbound calls from IBM is only 443. IBM does not support any custom port specification for allowlisting.
  • IBM does not support mTLS.
  • If your security policy requires allowlisting incoming IBM Prerequisite Scanner, contact IBM support to get the IBM Prerequisite Scanner allowlisted.
  • The webhook implementation must return 200 as a response code.
  • In the event of authentication and authorization failures, the webhook implementation must produce standard response codes such as 401401 or 403.
  • The webhook configuration on your gateway must allow for sufficient space to accommodate the payload (1 MB is a good reference).
  • It is recommended that the generated access tokens against the webhook must be valid for at least 1 hour.