Configuring Open API Security Settings
To configure Public API security settings, click Edit on the Summary tab, and set up the following options:
- SSL. Select this check box to use HTTP over SSL instead of plain HTTP. In this case, SSL will be used as the only transport for XML-RPC communications. The service controller will generate a self-signed certificate and a private key file (if they do not exist). After you submit the option, the paths to the certificate and private key files will be displayed on the Summary tab in the Certificate Path and Private Key Path fields.
  Warning: Do not enable this setting if you have Billing installed in your system.
- HTTP Authentication. Select this check box if you require HTTP Authentication. When HTTP Authentication is enabled, a client authenticates itself to the server using the CloudBlue Commerce login and password.
  Note: HTTP Authentication over plain HTTP is vulnerable to simple network sniffing, because the credentials are sent unencrypted. So, without SSL applied, HTTP Authentication is not considered to be fully secure.
  SSL and HTTP Authentication require client-side support. Do not enable these services if you are not sure that important clients can connect properly.
- Accept connections. Select one of the following options:
  - Only from allowed networks. Select this option to restrict clients to a set of permitted hosts or networks. The permitted hosts or networks are those specified on the Allowed Networks tab of the same Public API menu item. If the list of permitted networks is empty, nobody will be able to perform Open API requests.
  - From everywhere. Select this option if you do not want to restrict the list of hosts and networks that can connect to the Open API server.
Click Submit to apply the changes.
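The following Python example is added here to show how the three settings above interact; it is not CloudBlue Commerce code, and the field names, the `"allowed_networks"`/`"everywhere"` option values and the sample addresses are assumptions made for the illustration. It models the Allowed Networks list as a mix of single hosts and CIDR networks, applies the "empty list denies everyone" rule, and reports the one combination the page warns about (HTTP Authentication without SSL).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Hypothetical model of the Public API security settings described above.
# Field and option names are assumptions, not CloudBlue Commerce identifiers.
@dataclass
class PublicApiSecurity:
    ssl: bool                      # "SSL" check box
    http_auth: bool                # "HTTP Authentication" check box
    accept: str                    # "allowed_networks" or "everywhere"
    allowed_networks: List[str] = field(default_factory=list)   # Allowed Networks tab


def parse_allowed_networks(entries):
    """Turn Allowed Networks entries into ip_network objects.

    A bare address such as "10.0.0.5" becomes a single-host network (/32 or /128),
    so hosts and networks can be checked the same way. Invalid entries are
    rejected rather than silently ignored.
    """
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid Allowed Networks entry {entry!r}") from exc
    return networks


def is_client_allowed(settings, client_ip):
    """Decide whether a client address may reach the Open API endpoint."""
    if settings.accept == "everywhere":
        return True
    if settings.accept != "allowed_networks":
        raise ValueError(f"unknown Accept connections option {settings.accept!r}")
    networks = parse_allowed_networks(settings.allowed_networks)
    if not networks:
        # Empty permitted list: nobody can perform Open API requests.
        return False
    addr = ipaddress.ip_address(client_ip)
    # Membership across IP versions is False, so an IPv4 client never matches an IPv6 entry.
    return any(addr in net for net in networks)


def review_settings(settings):
    """Return human-readable findings for risky combinations of the settings."""
    findings = []
    if settings.http_auth and not settings.ssl:
        findings.append("HTTP Authentication without SSL: credentials cross the network unencrypted")
    if settings.accept == "everywhere":
        findings.append("Accept connections is 'From everywhere': endpoint is not restricted to known hosts")
    elif not parse_allowed_networks(settings.allowed_networks):
        findings.append("Allowed Networks list is empty: all Open API requests will be rejected")
    return findings


if __name__ == "__main__":
    # Constructed sample settings (addresses are placeholders, not a real deployment).
    current = PublicApiSecurity(
        ssl=True, http_auth=True, accept="allowed_networks",
        allowed_networks=["10.0.0.5", "192.168.10.0/24", "fd00::/64"],
    )
    for ip in ("10.0.0.5", "10.0.0.6", "192.168.10.200", "fd00::1"):
        print(ip, "allowed" if is_client_allowed(current, ip) else "denied")
    print(review_settings(PublicApiSecurity(ssl=False, http_auth=True, accept="everywhere")))
```

Running the module prints an allow/deny verdict per sample client and the findings for a plain-HTTP, unrestricted configuration; in practice the same check is what a firewall rule or reverse proxy in front of the endpoint should enforce as well.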
The following security recommendations are for the CloudBlue Commerce Public API:
- Prepare the list of hosts that require access to the CloudBlue Commerce Public API endpoint. This list typically includes:
  - A CloudBlue Commerce management node
  - The Billing application server
  - A Customer Active Directory Integration server
  - Hosts of CloudBlue Commerce hosting modules that use CloudBlue Commerce Public API methods for integration purposes, for example CloudBlue Commerce Office 365 Integration and CloudBlue Commerce BroadWorks Integration. See the guides of the respective CloudBlue Commerce hosting modules for details.
  - External systems that use CloudBlue Commerce Public API methods for integration purposes.
- Configure a firewall to allow access to the CloudBlue Commerce Public API endpoint only from the required hosts. See the CloudBlue Commerce Firewall Configuration guide and the guides of the respective CloudBlue Commerce hosting modules for details.
- Enable Only from allowed networks and add the required hosts to the Allowed Networks list.
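As an added example of the last two recommendations (not CloudBlue Commerce code), the Python audit below compares the prepared list of required hosts against a proposed Allowed Networks list. It reports required hosts that the list does not cover, entries that cover no required host, and entries broader than a chosen prefix length, which is the kind of check worth running before enabling Only from allowed networks. The host names, addresses and the /24 threshold are assumptions for the illustration.

```python
import ipaddress

# Constructed sample: the host roles from the recommendations above mapped to
# placeholder addresses. These are not real CloudBlue Commerce values.
REQUIRED_HOSTS = {
    "management node": "10.10.0.10",
    "Billing application server": "10.10.0.20",
    "Customer Active Directory Integration server": "10.10.1.5",
    "Office 365 Integration host": "10.10.2.30",
}


def audit_allowed_networks(required_hosts, allowed_entries, widest_ipv4_prefix=24, widest_ipv6_prefix=64):
    """Compare a required-host list with a proposed Allowed Networks list.

    Returns a dict with three findings:
      uncovered  - required hosts not matched by any entry (they would be denied)
      unused     - entries that match no required host (probably unnecessary)
      over_broad - entries wider than the allowed prefix length (too permissive)
    """
    networks = [ipaddress.ip_network(e.strip(), strict=False) for e in allowed_entries if e.strip()]
    addresses = {name: ipaddress.ip_address(ip) for name, ip in required_hosts.items()}

    uncovered = {name: str(addr) for name, addr in addresses.items()
                 if not any(addr in net for net in networks)}

    unused, over_broad = [], []
    for net in networks:
        if not any(addr in net for addr in addresses.values()):
            unused.append(str(net))
        limit = widest_ipv4_prefix if net.version == 4 else widest_ipv6_prefix
        if net.prefixlen < limit:
            over_broad.append(str(net))

    return {"uncovered": uncovered, "unused": unused, "over_broad": over_broad}


def allowed_list_is_minimal(required_hosts, allowed_entries):
    """True only when every required host is covered and no entry is unused or over-broad."""
    result = audit_allowed_networks(required_hosts, allowed_entries)
    return not (result["uncovered"] or result["unused"] or result["over_broad"])


if __name__ == "__main__":
    # A proposed list that misses the AD server and carries a wide, unused range.
    proposed = ["10.10.0.0/24", "10.10.2.30", "172.16.0.0/12"]
    for key, value in audit_allowed_networks(REQUIRED_HOSTS, proposed).items():
        print(f"{key}: {value}")
    # The tightest list: one single-host entry per required host.
    print(allowed_list_is_minimal(REQUIRED_HOSTS, list(REQUIRED_HOSTS.values())))
```

Single-host entries give the smallest possible allow list; a /24 is acceptable when the required hosts genuinely share that subnet, and the threshold parameters let you tighten or relax what the audit treats as over-broad.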