HTDS configuration for the Business Rules service on Bluemix - ibm-cloud

I have configured the Hosted Transparent Decision Services (HTDS) web application for ODM. Can I apply similar configuration changes when using the Business Rules service on Bluemix?

The Business Rules service on Bluemix does use HTDS to execute rules; however, it is not possible to configure the HTDS web application for the service.

Related

How to add a custom domain to IBM cloud engine

We are migrating from IBM Cloud Foundry Orgs (as they are deprecated) to IBM cloud engine.
But what seems impossible is the "routes" option that was available in CF (Cloud Foundry). With CF we could just CNAME the custom domain to eu-de.cf.appdomain.cloud and add it to the routes of the application.
With cloud engine, the only way we can set up a custom domain is explained here, but this requires an extra service from Cloudflare.
Is there a way to migrate the CF setup to IBM cloud engine without the Cloudflare worker?

At the moment that is not possible. That being said, the Code Engine team is working on a solution to enable this without requiring an extra service (although the proposed Cloudflare service in the blog is free AFAIK).
Another option is to deploy a proxy on your own and use it to handle the domains. I have used Traefik for it, but nginx and others should work, too. I deployed the proxy to a Kubernetes cluster, which worked well.

Restricting communication from a service which is consul connect enabled to non consul connect service through intention?

If we have two services, for example:
Front-end (which is consul-connect enabled)
Back-end (which is not consul-connect enabled).
Is it possible to restrict communication between them through an intention, provided we use Consul-Sync to move the k8s service into the Consul catalog? Then the back-end, which is not consul-connect enabled, will show in intentions. I tried setting deny between Front-end -> Back-end. It is not working; Front-end is hitting Back-end. Am I missing something, or is it that authorization can only happen between two consul-connect enabled services?

This question was recently answered in https://stackoverflow.com/a/68432317/12384224.
Consul intentions are authorization policies that allow you to control access between applications within a service mesh. You must use a sidecar proxy, or natively integrate your application with the mesh, in order to use intentions. They are not applicable if you are only using Consul for service discovery, or your application is not part of the service mesh.

Best way to configure NSG rule for mobile app client and Service Fabric hosted API

We have the following structure for my application. Currently we have used Any for both source and destination (on port 3389) while defining the NSG rule for our Service Fabric to allow calls from the mobile app. But our security team has raised concerns about the Any-Any rule. Is there any way to optimize this?
Note: our mobile app is public and anyone can download it from the app store.

An Any-to-Any rule really opens SF to attack, so you should limit the IP from your traffic manager given your current model.
Azure API Management already has built-in support for Service Fabric, so my suggestion is to remove the traffic manager between the API management and SF. Then what you can do is limit the traffic to SF to only that from the API management, which is much easier.
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-api-management-overview
As for the authentication requirement, you can delegate that to the API management, i.e. validate the JWT token.

Bluemix API Management, secure the API implementation

I want to expose a REST-ful service as an API to the outside world on Bluemix Public. Therefore I have a Liberty app, containing a REST service implemented in JAX-RS.
Additionally I leverage the "API Management Service" to secure that app, via Plans, Authentication etc. So thanks to the API Management Gateway I have a secure proxy to my service exposed.
Yet, the app that provides my service remains accessible to the outside via the Bluemix route. So, it can be called without any credentials whatsoever.
Is there a way to only have my API Management gateway access the service implementation app?
One approach would be to delete the route of the service implementing app, but how would you then bind the API Management to the service?
Happy to hear your thoughts or alternative solutions.

If your API is running on Bluemix Public as a Cloud Foundry application, there is currently not a way to create a route such that it is only accessible by the API management service, but not the outside world. You should implement security within your JAX-RS application (easy to do with web.xml security-constraint) and add those credentials to the APIm service if you still want to use APIm to get monitoring, throttling, discovery, etc.
Another option would be to deploy the application in a VM and then use Secure Gateway to connect to it:
https://github.com/IBM-Bluemix/onprem-integration-demo

Interceptors and the Business Rules service on Bluemix

My ODM application uses interceptors. I am trying to deploy my rules on the Business Rules service on Bluemix. How do I configure the Business Rules service to use interceptors?

I found that the use of interceptors is not supported by the Business Rules service on Bluemix. I redesigned my rules so that my application did not depend on interceptors.