Client Network Connectivity
Data Protection on Demand is offered from two isolated regions, Europe and North America. No data is shared between European and North American DPoD instances. Customers are required to configure any connection requirements for their system, such as: opening ports, configuring proxies, and allowing access through firewalls.
This document outlines the required communication paths for each instance by use case. When configuring your connection, you must:
- Use the fully qualified domain names (FQDNs) provided in the client package; we do not recommend using IP addresses. Any variation from this configuration forfeits all guarantees provided by the DPoD SLA.
- Replace the text <tenant> with your tenant hostname. The tenant hostname is set during the tenant creation process and is found in the URL that is used to access the platform.
- Ensure that Windows operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. If you are unable to open port 80 to all traffic, ensure that the certificate revocation lists (CRLs) and online certificate status protocol (OCSP) responders documented in the Certificate Authority CRLs and OCSPs section are specified in an include list for traffic over port 80.
Note
The Luna Cloud HSM Service failover to the redundant datacenter uses a DNS change to direct client traffic to a secondary datacenter. The client configuration file includes the FQDN for the Luna Cloud HSM Service datacenter in the REST = PartitionData00 section or the REST = ServerName section after executing setenv (eu.hsm.dpondemand.io or na.hsm.dpondemand.io). In the event of a failover, the DNS record for that FQDN is updated to point to the secondary datacenter.
Ensure that the client is configured to use the domain name for the datacenter and that no filtering is configured based on IP addresses. Using an IP address instead of the domain name, or filtering on IP addresses, could leave the client unable to fail over to the secondary datacenter.
Tip
Refer to the proxy configuration instructions for more information about configuring your Luna Cloud HSM Service Client to use your network proxy configuration.
Europe region
Use Case | FQDN | Port |
---|---|---|
DPoD Management Console | Platform: https://<tenant>.eu.market.dpondemand.io | 443 TCP |
DPoD Management Console | User authentication: https://<tenant>.uaa.system.pegasus.dpsas.io | 443 TCP |
Luna Cloud HSM | OpenID discovery URL: https://<tenant>.uaa.system.pegasus.dpsas.io/.well-known/openid-configuration | 443 TCP |
Luna Cloud HSM | Client credentials grant URL: https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/authorize | 443 TCP |
Luna Cloud HSM | Client XTC connection: https://eu.hsm.dpondemand.io | 443 TCP |
CipherTrust Key Management | Service access: https://<tenant>.eu.market.dpondemand.io | 443 TCP |
Platform APIs | API endpoint: https://<tenant>.eu.market.dpondemand.io/v1/<api> | 443 TCP |
Platform APIs | Authentication: https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token | 443 TCP |
North America region
Use Case | FQDN | Port |
---|---|---|
DPoD Management Console | Platform: https://<tenant>.na.market.dpondemand.io | 443 TCP |
DPoD Management Console | User authentication: https://<tenant>.uaa.system.snakefly.dpsas.io | 443 TCP |
Luna Cloud HSM | OpenID discovery URL: https://<tenant>.uaa.system.snakefly.dpsas.io/.well-known/openid-configuration | 443 TCP |
Luna Cloud HSM | Client credentials grant URL: https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/authorize | 443 TCP |
Luna Cloud HSM | Client XTC connection: https://na.hsm.dpondemand.io | 443 TCP |
CipherTrust Key Management | Service access: https://<tenant>.na.market.dpondemand.io | 443 TCP |
Platform APIs | API endpoint: https://<tenant>.na.market.dpondemand.io/v1/<api> | 443 TCP |
Platform APIs | Authentication: https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token | 443 TCP |
Datacenter IPs
For availability and resiliency of the service, the Luna Cloud HSM datacenters are configured with a floating IP address. Because of this, we do not recommend configuring firewall rules that filter on a static IP address. Instead, configure firewall rules that filter on the FQDNs listed above.
If static IP filtering is required for your network configuration, see Allowlisting Imperva IP addresses & Setting IP restriction rules for a complete list of Luna Cloud HSM datacenter IP address ranges. We recommend monitoring that page, as the IP addresses are subject to change.
Certificate Authority CRLs and OCSPs
If you are unable to open port 80 to all traffic, ensure that the following CRLs and OCSP responders are specified in an include list for traffic over port 80.
Certificate Authority | CRL | OCSP | Certificates |
---|---|---|---|
Sectigo | http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl | http://ocsp.sectigo.com/ | Sectigo Root Certificates |
ComodoCA | http://crl.comodoca.com/ | http://ocsp.comodoca.com/ | Subordinate CA Certificates |
USERtrust | http://crl.usertrust.com/ | http://ocsp.usertrust.com/ | Subordinate CA Certificates |
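As an added example (not part of the DPoD documentation or client package), the following Python script derives the (hostname, port) pairs a client in a given region must be able to reach from the region and certificate authority tables above, then audits an egress allowlist against them: it reports endpoints no rule covers and flags rules keyed on an IP address, which the failover note warns will break when the DNS record moves. The rule format, a list of (destination, port) pairs, the tenant name "acme" and the address 192.0.2.10 are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Hostnames from the region tables above; "{tenant}" is filled in at runtime.
REGIONS = {
    "eu": {"market": "{tenant}.eu.market.dpondemand.io",
           "uaa": "{tenant}.uaa.system.pegasus.dpsas.io",
           "hsm": "eu.hsm.dpondemand.io"},
    "na": {"market": "{tenant}.na.market.dpondemand.io",
           "uaa": "{tenant}.uaa.system.snakefly.dpsas.io",
           "hsm": "na.hsm.dpondemand.io"},
}
# CRL/OCSP distribution points from the Certificate Authority table (port 80).
REVOCATION_URLS = [
    "http://crl.sectigo.com/", "http://ocsp.sectigo.com/",
    "http://crl.comodoca.com/", "http://ocsp.comodoca.com/",
    "http://crl.usertrust.com/", "http://ocsp.usertrust.com/",
]


def required_endpoints(region, tenant):
    """Return the set of (hostname, port) pairs a client in `region` must reach."""
    names = REGIONS[region]
    endpoints = {(names[k].format(tenant=tenant), 443) for k in names}
    endpoints |= {(urlparse(u).hostname, 80) for u in REVOCATION_URLS}
    return endpoints


def audit_allowlist(rules, region, tenant):
    """Audit egress rules given as (destination, port) pairs (assumed format).

    Returns the required endpoints no rule covers, and every rule that matches
    on an IP address: the HSM datacenters use floating IPs and fail over via
    DNS, so such a rule can silently stop working.
    """
    missing = required_endpoints(region, tenant) - set(rules)
    ip_based = []
    for dest, port in rules:
        try:
            ipaddress.ip_address(dest)
        except ValueError:
            continue  # destination is an FQDN, as the documentation requires
        ip_based.append((dest, port))
    return {"missing": sorted(missing), "ip_based": ip_based}


# Constructed sample for tenant "acme" in the EU region: the HSM is allowed
# by a placeholder IP only, and the OCSP responders were forgotten.
SAMPLE_RULES = [
    ("acme.eu.market.dpondemand.io", 443),
    ("acme.uaa.system.pegasus.dpsas.io", 443),
    ("192.0.2.10", 443),
    ("crl.sectigo.com", 80), ("crl.comodoca.com", 80), ("crl.usertrust.com", 80),
]
```

Calling `audit_allowlist(SAMPLE_RULES, "eu", "acme")` lists the missing eu.hsm.dpondemand.io and OCSP entries and flags the 192.0.2.10 rule.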