IBM Cloud Docs
Managing the network access policy

Managing the network access policy

After you set up your IBM Cloud® Hyper Protect Crypto Services instance, you manage network access policy by using the Hyper Protect Crypto Services key management service API.

Before you update the network access policy, you need to initialize the service instance first. See Initializing service instances with the IBM Cloud TKE CLI plug-in or Initializing service instances by using smart cards and the Management Utilities for instructions.

For more information about how the network access differs, see Understanding the network access policy.

Updating the network access policy for your Hyper Protect Crypto Services instance with the UI

As a security administrator, if you prefer to update the network access policy for your instance by using a graphical interface, you can use the UI.

After the network access policy is set to private-only, the UI cannot be used for any Hyper Protect Crypto Services actions. Any Hyper Protect Crypto Services operations in the UI return an unauthorized error (HTTP status code 401).

After you create a Hyper Protect Crypto Services instance, complete the following steps to create a network access policy:

  1. Log in to the UI.

  2. Go to Menu > Resource list to view a list of your resources.

  3. From your IBM Cloud resource list, select your provisioned instance of Hyper Protect Crypto Services.

  4. In the UI of the selected service instance, select the Instance policies tab in the side menu.

  5. In the Allowed network section, select the network that you want traffic to come through, and click Save policy. The default network policy is public and private, which allows access from both public and private networks.

    If a private-only network is enabled, you are not able to view or manage keys with the UI. However, you can still adjust the network setting later by using the API or CLI.

Updating the network access policy for your Hyper Protect Crypto Services instance with the key management service API

As a security administrator, update the network access policy for your Hyper Protect Crypto Services instance by making a PUT call to the following endpoint. See these API references to set and list instance policies.

https://api.<region>.hs-crypto.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork

  1. Retrieve your authentication credentials to work with the API.

    To change a network access policy, you must be assigned a Manager access policy for your Hyper Protect Crypto Services instance. To learn how IAM (identity and access management) roles map to Hyper Protect Crypto Services service actions, check out Service access roles.

  2. Update the network access policy for your Hyper Protect Crypto Services instance by running the following cURL command.

    $ curl -X PUT \
    "https://api.<region>.hs-crypto.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "allowedNetwork",
                    "policy_data": {
                        "enabled": true,
                        "attributes": {
                            "allowed_network": "<access_type>"
                        }
                    }
                }
            ]
        }'

    Replace the variables in the example request according to the following table.

    Table 1. Describes the variables needed to set a network access policy at the instance level
    Variable Description
    region Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services instance resides. For more information, see Regional service endpoints.
    port Required. The port number of the API endpoint.
    IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.
    instance_ID Required. The unique identifier that is assigned to your Hyper Protect Crypto Services service instance. For more information, see Retrieving an instance ID.
    enabled Required. Set to true to enable a network access policy.
    access_type Required. The network access policy to apply to your Hyper Protect Crypto Services instance. Acceptable values are public-and-private or private-only. After the network access policy is set to private-only, you cannot access your instance from the public network and cannot view or manage keys with the UI. However, you can still adjust the network setting later using the API or CLI.

    A successful request returns an HTTP 204 No Content response, which indicates that your Hyper Protect Crypto Services instance now enforces a network access policy. API requests to the service are restricted to the policy that you set.

    This policy applies to Hyper Protect Crypto Services instances only. The network access policy does not apply to specific keys.

  3. Optional: Verify that the network access policy is created by browsing the policies that are available for your Hyper Protect Crypto Services instance.

    $ curl -X GET \
    "https://api.<region>.hs-crypto.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"

Updating the network access policy for your Hyper Protect Crypto Services instance with the CLI

You can also update the network access policy for your Hyper Protect Crypto Services instance using the CLI. For more information, see the CLI reference.

Disabling the network access policy for your Hyper Protect Crypto Services instance with the key management service API

As a security administrator, disable a network access policy for a Hyper Protect Crypto Services instance by making a PUT call to the following endpoint. See these API references to set and list instance policies.

https://api.<region>.hs-crypto.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork

  1. Retrieve your authentication credentials to work with the API.

    To change a network access policy, you must be assigned a Manager access policy for your Hyper Protect Crypto Services instance. To learn how IAM (identity and access management) roles map to Hyper Protect Crypto Services service actions, check out Service access roles.

  2. Disable a network access policy for your Hyper Protect Crypto Services instance by running the following cURL command.

    $ curl -X PUT \
    "https://api.<region>.hs-crypto.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>" \
    -H "content-type: application/vnd.ibm.kms.policy+json" \
    -d '{
            "metadata": {
                "collectionType": "application/vnd.ibm.kms.policy+json",
                "collectionTotal": 1
            },
            "resources": [
                {
                    "policy_type": "allowedNetwork",
                    "policy_data": {
                        "enabled": false,
                        "attributes": {
                            "allowed_network": "private-only"
                        }
                    }
                }
            ]
        }'

    Replace the variables in the example request according to the following table.

    Table 2. Describes the variables needed to disable a network access policy at the instance level
    Variable Description
    region Required. The region abbreviation, such as us-south or eu-de, that represents the geographic area where your Hyper Protect Crypto Services instance resides. For more information, see Regional service endpoints.
    port Required. The port number of the API endpoint.
    IAM_token Required. Your IBM Cloud access token. Include the full contents of the IAM token, including the Bearer value, in the cURL request. For more information, see Retrieving an access token.
    instance_ID Required. The unique identifier that is assigned to your Hyper Protect Crypto Services service instance. For more information, see Retrieving an instance ID.
    enabled Required. Set to false to remove the network access policy, that is, the policy is not enforced and your service instance is back to the default state where both the public and private network access are allowed.

    A successful request returns an HTTP 204 No Content response, which indicates that the network access policy of your Hyper Protect Crypto Services instance is updated.

  3. Optional: Verify that the network access policy is disabled by browsing the policies that are available for your Hyper Protect Crypto Services instance.

    $ curl -X GET \
    "https://api.<region>.hs-crypto.cloud.ibm.com/api/v2/instance/policies?policy=allowedNetwork" \
    -H "accept: application/vnd.ibm.kms.policy+json" \
    -H "authorization: Bearer <IAM_token>" \
    -H "bluemix-instance: <instance_ID>"