Reviewing SEC_PAPI_INTEG_HOSTS_SOAP Configuration

You must review the SEC_PAPI_INTEG_HOSTS_SOAP configuration option on the Oracle Service Cloud site.

The SEC_PAPI_INTEG_HOSTS_SOAP configuration defines which hosts are allowed to access the SOAP interface/APIs. Valid entries include a comma-separated list of domain names with wildcards, specific IP addresses, or IP subnet masks (for example, *.oracle.com,1.2.3.4, 10.11.12.0/255.255.255.0). Only users logging in from hosts matching entries in this list are allowed access to the SOAP interface/APIs. Default value for this configuration is blank.

If this value is blank (default), then the access is not IP restricted. From a security perspective, it is a best practice to have the IP addresses, ranges, or domains that known API calls should originate from. This limits API calls to come only from known/finite addresses, ranges, or domains thus protecting access to a customer’s data within their Oracle Service Cloud site. However, the value of this configuration is dependent on the customer’s business processes.

Use the Oracle Service Cloud Config Editor to look up the value for this configuration. If the configuration is blank, then no further action is necessary for this configuration. If and only if there is one or more value(s) in this configuration (it is not blank), then you must add either the direct IP address(s), range of addresses, or domain of the server(s) for the OBIA instance at the end of the existing values.

Valid entries to these settings include domain names with wildcards (*.mycompany.com), or specific IP addresses (216.136.229.72),  or IP subnet masks (216.136.229.0/255.255.255.0). You cannot use wildcards with IP addresses or just domain names. When specifying a subnet mask or range of hosts, the /255.255.255.0 component indicates that you mean to allow all possible values for the entire 216.136.229.x range of addresses. You cannot use wildcards (*) to specify a range of IP addresses, such as 1.2.3.* or 1.2.3*. It is also possible to specify a comma separated list of the above values, such as 216.136.229.72, 216.136.229.0/255.255.255.0. Instead of or in addition to an IP address range, you can enter a domain and should include it at the end of the list of IP addresses, such as 216.136.229.72, 216.136.229.0/255.255.255.0, *.domain.com.

Note:

When using a domain name, a network operation must execute a DNS reverse lookup. This will result in connection delays and may induce a noticeable performance degradation of the Oracle Service Cloud application. Whenever possible, please refrain from using a domain name.
To lookup the value of the configuration:
  1. Open the Configuration Settings Editor in the Oracle Service Cloud site (Click Navigation set, click Configuration (Wrench), click Site Configuration and then select Configuration Settings).
  2. Enter SEC_PAPI_INTEG_HOSTS_SOAP in the Key field in the Search window that pops up.
  3. Select Search.
  4. Look at the value in the right column of data returned. The following screen shot is the configuration with the default blank value.
  5. If a value exists in the Value column, then you must add either the IP addresses/ranges/domains for the OBIA instance at the end of the string of existing entries using a comma as a delimiter.
  6. Select Save menu option to update the configuration.