Introduction


This blog proposes a stop-gap solution for customers who want to apply IP allowlisting to all incoming requests into SAP Cloud Integration.

This is a short-term workaround inside SAP Cloud Integration; I recommend that customers switch to platform-level IP allowlisting as soon as it becomes available for consumption.

In this blog I explain the steps needed to handle IP allowlisting for an integration flow that accepts incoming requests through the HTTP sender adapter. The scenario below blocks an incoming request from a suspected IP address; the same approach applies to integration flows with SOAP, IDoc, AS2 or OData sender adapters.

NOTE: An x-forwarded-for header is easy to forge, so use the information below with care. A client can send its own x-forwarded-for value, and that value ends up at the front of the list; only the entries appended by the platform's own proxies reflect the address the platform actually received the request from, which is why the scripts read the client address from the end of the list rather than from the beginning.

 

Scenario: Block requests from a particular IP address using a script



  • Add the x-forwarded-for header to Allowed Header(s) in the Runtime Configuration of the integration flow, so that the header is passed into the flow and is visible to the script.




 

  • Add the sample script below immediately after the sender adapter (applicable to HTTPS, AS2 and OData) to block incoming requests from the suspected client IP.


Neo environment: sample script for allowlisting in Neo

CF environment: sample script for allowlisting in CF


 

Neo environment: if the incoming request carries multiple x-forwarded-for headers, they are consolidated into a single x-forwarded-for header with comma-separated values (e.g. 100.100.100.100, xxx.xxx.xxx.xxx).

CF environment: the client address is the last-but-one value in the list, which is the position the CF script above reads.

 

For the CXF-based adapters (IDoc and SOAP) the header values are returned as a List of Strings, so the sample script differs slightly from the scripts above.

import com.sap.gateway.ip.core.customdev.util.Message

def Message processData(Message message) {
    // CXF-based adapters (SOAP, IDoc) deliver repeated headers as a List of Strings;
    // other adapters deliver a single String, so handle both shapes.
    def value = message.getHeaders().get("x-forwarded-for")

    def clientActualIP = null
    if (value instanceof Collection) {
        // The client address is the last entry of the list
        clientActualIP = value.last()
    } else {
        clientActualIP = value
    }

    if (clientActualIP != null) {
        // Replace xxx.xxx.xxx.xxx with the address to block
        if ("xxx.xxx.xxx.xxx" == clientActualIP.toString().trim()) {
            throw new RuntimeException("Request not allowed from IP address: " + clientActualIP)
        }
    }
    return message
}

 

Remember to adjust and redeploy the integration flow (script) whenever the network or IP addresses on the sender side change.
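The following Groovy script is an added example, not one of the author's Neo/CF scripts, that generalizes the approach described above: it accepts the x-forwarded-for header either as a comma-separated String (HTTP/OData/AS2, including the Neo consolidation) or as a List of Strings (SOAP/IDoc), selects the client address by counting back from the end of the list, and checks it against an allowlist of plain addresses and CIDR ranges instead of a single hard-coded IP. The allowlist entries, the trustedProxyHops setting and the helper names (flattenHops, extractClientIp, ipv4ToLong, isAllowed) are assumptions for illustration and are not part of SAP Cloud Integration's API; only Message and getHeaders() come from the platform.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message

def Message processData(Message message) {
    // Placeholder allowlist (assumption): replace with the real sender addresses.
    // Plain IPv4 addresses and CIDR ranges are both accepted.
    List<String> allowlist = ["203.0.113.10", "198.51.100.0/24"]

    // Number of trailing entries appended by trusted platform proxies to skip:
    // 0 reads the last entry (the position the CXF script above uses),
    // 1 reads the last-but-one entry (the position given above for Cloud Foundry).
    int trustedProxyHops = 1

    Object raw = message.getHeaders().get("x-forwarded-for")
    String client = extractClientIp(raw, trustedProxyHops)

    // Fail closed: no usable address, or an address outside the allowlist, is rejected.
    if (client == null || !isAllowed(client, allowlist)) {
        throw new RuntimeException("Request not allowed from IP address: " + client)
    }
    return message
}

// Flatten the header into an ordered list of hops no matter how the adapter delivered it:
// a single comma-separated String or a List of Strings.
List<String> flattenHops(Object raw) {
    List<String> hops = []
    if (raw == null) {
        return hops
    }
    Collection parts = (raw instanceof Collection) ? (Collection) raw : [raw]
    for (Object part : parts) {
        for (String s : part.toString().split(",")) {
            String t = s.trim()
            if (t) {
                hops.add(t)
            }
        }
    }
    return hops
}

// Pick the client address counting from the END of the list: whatever a client sends in
// its own x-forwarded-for header lands at the front, the entries appended by the platform's
// proxies land at the back, so the back is the only part worth trusting.
String extractClientIp(Object raw, int trustedProxyHops) {
    List<String> hops = flattenHops(raw)
    int idx = hops.size() - 1 - trustedProxyHops
    return idx >= 0 ? hops.get(idx) : null
}

// Dotted-quad IPv4 to an unsigned 32-bit value; anything else (IPv6, garbage) is rejected.
long ipv4ToLong(String ip) {
    String[] octets = ip.trim().split("\\.", -1)
    if (octets.length != 4) {
        throw new IllegalArgumentException("Not an IPv4 address: " + ip)
    }
    long value = 0L
    for (String octet : octets) {
        if (!octet.isInteger()) {
            throw new IllegalArgumentException("Not an IPv4 address: " + ip)
        }
        int n = octet.toInteger()
        if (n < 0 || n > 255) {
            throw new IllegalArgumentException("Not an IPv4 address: " + ip)
        }
        value = (value << 8) | n
    }
    return value
}

// True when ip matches any allowlist entry; entries are "a.b.c.d" or "a.b.c.d/prefix".
boolean isAllowed(String ip, List<String> allowlist) {
    long addr
    try {
        addr = ipv4ToLong(ip)
    } catch (IllegalArgumentException ignored) {
        return false
    }
    return allowlist.any { String entry ->
        String[] parts = entry.split("/")
        int prefix = (parts.length == 2) ? parts[1].toInteger() : 32
        long mask = (prefix == 0) ? 0L : ((0xFFFFFFFFL << (32 - prefix)) & 0xFFFFFFFFL)
        (ipv4ToLong(parts[0]) & mask) == (addr & mask)
    }
}
```

The script must go immediately after the sender adapter, with x-forwarded-for added to Allowed Header(s) as described above. Before relying on it, deploy a version that only logs the raw header for a few known senders and confirm that the position you read (trustedProxyHops) really is the sender's address in your environment; a wrong offset rejects every legitimate request rather than letting an attacker through, but it still breaks the interface. The value in front of the trusted proxy entries is never consulted, which is what makes a client-supplied x-forwarded-for harmless to this check.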
15 Comments
svenhuberti
Product and Topic Expert
Thanks Appala! Very useful!

Just one remark: for the sake of usability, could you paste your code as text (instead of screenshots) for other developers to re-use it easily? This is exactly where the power of your blog entry resides: in the scripts! 😉

Cheers,
Sven
Hello Sven,

Thanks for your feedback. Replaced the screenshots with the scripts.

Thanks,

Appala
0 Kudos
Cut-and-paste coding should always be discouraged, +1 for screenshots. Who knows what malicious code will be in your next cut and paste.
former_member582531
Discoverer
0 Kudos
Hello Appala/Experts,

 

I have gone through this blog and it was nice.

But here my requirement is to whitelist IP ranges in CPI, where I have more than 50 IP ranges.

Below are the sample IP ranges:

10.33.55.01 - 10.33.78.255

55.22.48.04 - 55.38.22.255

Like the above i have multiple IP ranges to white list in CPI.

Let me know how to handle this. It will be very helpful, and this is a bit urgent.

 

Regards,

Krishna
vrchundi
Newcomer
0 Kudos
Hi Ravi,

 

You can use expression on your code to handle it.

 

Thanks

Venkat
ShivaPrasad
Explorer
0 Kudos
Hi Ravi,

Good Day!!

My requirement is similar to yours. Did you achieve IP range whitelisting through CPI?

 

Regards

Shiva
0 Kudos
Thanks Appala for an amazing blog

Is there any alternative to extract the source system IP other than x-forwarded-for?

Many Thanks ,

Ruchita
acmebcn
Participant
0 Kudos
Hi Appala,

In the second paragraph you mention that, when possible, one should wait for a new functionality addressing exactly this issue. Can you share any link where this new feature is mentioned? I have a customer looking for this functionality and I would like to assess with him whether it's worth waiting for it or implementing a workaround like the one you suggested.

Thx,

David R.
Paul_Ka
Participant
Hi David,

 

I'm also interested in this topic, but as far as I know there is no other way of filtering IPs in SCI. The x-forwarded-for header can be spoofed, so it's not an ideal solution.

Another option is API Management service. You could use the SAP API Management and leverage the access control policies. In this setup, your endpoints will be exposed via API proxy which then forwards to SCI. Please note that the actual SCI endpoint is still publicly reachable, the API proxy only adds a level of abstraction here, thus helping you to hide the actual SCI endpoint.

 

Thanks

Paul
acmebcn
Participant
Hi Paul,

If the customer is really into security topics, another option that will be available EOY (Beta) is to have a "local" SCI appliance. That is, a k8s container running on your network. It's called the Hybrid deployment option ( https://roadmaps.sap.com/board?q=integration suite&range=CURRENT-LAST#;INNO=901B0ED1A0641EDABE80AF561BFAC0F8 )

Cheers,

David R.
Paul_Ka
Participant
0 Kudos
 

That's a great find, thanks David.

For "sensitive" integration scenarios this could definitely be an option to explore. Looking forward to the release of this feature.

 

Cheers

Paul
philippeaddor
Active Participant
0 Kudos
+1 for text listings. See Stackoverflow. Screenshots are a no-go! 🙂 Devs are responsible to copy with discernment.
0 Kudos
Thank you Appala for the blog, very useful. Can someone help me with how we can give an IP range?
Akash
Participant
0 Kudos
When I call the endpoint URL, I get a 403.

surekhagenji
Explorer
0 Kudos
Hi Appala Naidu,

Thanks for this blog.

IP Allowlisting is working fine for single IP address as mentioned in this blog.

But we want to whitelist more than 5 IPs, Could you please help on this?

Thanks & Regards,

Surekha G