Hardening Liberty collective endpoints for dynamic routing

When dynamic routing is enabled for one or more Liberty collective controllers, all the endpoints for both collective members and the collective controllers are available to the WebSphere® plug-in. You can apply targeted routing rules to restrict access to these endpoints.

About this task

When the dynamicRouting-1.0 feature is enabled on one or more Liberty collective controllers, all the endpoints for both the collective members and the collective controllers are available to the WebSphere plug-in. These endpoints include system services that you might not want to expose at the WebSphere plug-in tier. You can prevent access to these endpoints by applying targeted routing rules to reject requests for these endpoints.

Procedure

Apply targeted routing rules by configuring the routingRules element as a child of the dynamicRouting element in the server.xml file for one or more Liberty collective controllers.

In the following example, requests to the JMX service or the REST service endpoints are rejected with a return code of 404:

<server>
  <dynamicRouting>
     <routingRules webServers="webserver1" overrideAffinity="false">
         <routingRule order="100" matchExpression="URI LIKE '/IBMJMXConnectorREST%'">
             <rejectAction code="404" />
         </routingRule>
         <routingRule order="101" matchExpression="URI LIKE '/ibm/api%'">
             <rejectAction code="404" />
         </routingRule>
     </routingRules>
 </dynamicRouting>
</server>

In this example, the initial routingRules element specifies the web server where the rules are applied. The subsequent child routingRules elements define the routing rules. For more information, see Configuring routing rules for Liberty dynamic routing.