Network security and OpenPages
By default, the OpenPages service allows ingress connections from outside the cluster.
The OpenPages service exposes specific network communication ports to allow ingress connections from outside of the IBM® Software Hub cluster. The ingress ports are controlled by IBM Software Hub and Red Hat® OpenShift®.
In addition, you can configure the OpenPages service to allow egress traffic to external services outside of IBM Software Hub. This task is optional. The egress ports are not restricted. To allow egress connections, you must configure egress network traffic rules on the host cluster’s network infrastructure.
Ingress ports
| Port usage | External port | Internal port | Protocol |
|---|---|---|---|
| External client traffic over HTTPS including client browsers and REST API clients. | 443 | 10111 | HTTPS |
Restricting egress to known ports
The following table lists the ports that you can configure for egress traffic from the OpenPages service to external hosts.
IBM Software Hub on Red Hat OpenShift does not restrict egress traffic from the OpenPages service to external destinations. Create Deny All firewall rules in your host network infrastructure and expose only the services that are necessary, using allow lists as needed.
If an external service uses a nonstandard port number, contact your service provider.
By default, in OpenPages, these integrations are not enabled.
| Port usage | External port | Protocol |
|---|---|---|
| Watson Natural Language Understanding, watsonx Assistant, and Watson Discovery. | 443 | HTTPS |
| Email Service for system notifications | 25/465/587 | SMTP |
| Thomson Reuters feed via SFTP | 22 | SFTP |
| Other feeds via API (for example, Ascent, RegTrack, SecurityScorecard, and Wolters Kluwer) | 443 | HTTPS |
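One way to check observed outbound connections against such a deny-all policy, as an added example that is not IBM's code: the ports come from the table above, while the integration keys, host names and the host:port flow-record format are constructed for illustration.

```python
from typing import NamedTuple

# Ports per integration, taken from the egress table above (all run over TCP).
# The integration keys are labels made up for this example.
INTEGRATION_PORTS = {
    "watson": {443},          # Watson NLU, watsonx Assistant, Watson Discovery
    "email": {25, 465, 587},  # SMTP system notifications
    "thomson_reuters": {22},  # SFTP feed
    "api_feeds": {443},       # Ascent, RegTrack, SecurityScorecard, Wolters Kluwer
}

class Flow(NamedTuple):
    dest: str
    port: int

def build_allow_list(enabled):
    """enabled: {integration: [destination hosts]}. Integrations left out stay
    closed, matching the OpenPages default of integrations not being enabled."""
    allow = {}
    for name, hosts in enabled.items():
        if name not in INTEGRATION_PORTS:
            raise ValueError(f"unknown integration: {name}")
        for host in hosts:
            allow.setdefault(host.lower(), set()).update(INTEGRATION_PORTS[name])
    return allow

def parse_flow(line):
    """Parse one constructed 'host:port' flow record."""
    dest, _, port = line.strip().rpartition(":")
    if not dest or not port.isdigit():
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(dest.lower(), int(port))

def audit(lines, allow):
    """Return the flows a deny-all policy with this allow list would block."""
    flows = (parse_flow(line) for line in lines)
    return [f for f in flows if f.port not in allow.get(f.dest, set())]

# Constructed sample: only email and the SFTP feed are enabled.
ENABLED = {"email": ["smtp.example.com"], "thomson_reuters": ["sftp.example.net"]}
SAMPLE_FLOWS = [
    "smtp.example.com:587",  # allowed
    "sftp.example.net:22",   # allowed
    "smtp.example.com:22",   # known host, port not on its allow list
    "api.example.org:443",   # feed integration not enabled
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS, build_allow_list(ENABLED)):
        print(f"DENY {f.dest}:{f.port}")
```

Because the allow list is keyed by destination and port together, opening 443 for one enabled integration does not open 443 to every external host.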
GRC REST API
When you call the OpenPages GRC REST API from inside the cluster, you might need to access OpenPages by using its internal service name and port instead of the external URL. Use the internal URL, for example, if your environment has network restrictions that prevent the use of the external URL.
The internal service URL uses the format:
https://openpages-<instance_name>-svc:10111.
For example, if the external URL for OpenPages is
https://cpd-zen.apps.op-abc-test-10.xyz.company.com/openpages-openpagesinstance1/,
the internal service URL is https://openpages-openpagesinstance1-svc:10111/.
Example URI paths
The URI you use depends on the version of the OpenPages GRC REST API that you use.
In all versions of IBM Software Hub, you can use the OpenPages GRC REST API V1. In IBM Software Hub version 4.8.3 or later, you can use the OpenPages GRC REST API V2.
https://openpages-openpagesinstance1-svc:10111/openpages-openpagesinstance1-grc/api
https://openpages-openpagesinstance1-svc:10111/openpages-openpagesinstance1-grc/api/types
https://openpages-openpagesinstance1-svc:10111/openpages-openpagesinstance1-opgrc/api/v2
https://openpages-openpagesinstance1-svc:10111/openpages-openpagesinstance1-opgrc/api/v2/types