Hardening Liberty collective endpoints for dynamic routing
When dynamic routing is enabled for one or more Liberty collective controllers, all the endpoints for both collective members and the collective controllers are available to the WebSphere® plug-in. You can apply targeted routing rules to restrict access to these endpoints.
About this task
When the dynamicRouting-1.0 feature is enabled on one or more Liberty collective controllers, all the endpoints for both the collective members and the collective controllers are available to the WebSphere plug-in. These endpoints include system services that you might not want to expose at the WebSphere plug-in tier. You can prevent access to these endpoints by applying targeted routing rules to reject requests for these endpoints.
Procedure
Apply targeted routing rules by configuring the routingRules element as a child of the dynamicRouting element in the server.xml file for one or more Liberty collective controllers.
In the following example, requests to the JMX service or the REST service endpoints are rejected with a return code of 404:
<server>
    <dynamicRouting>
        <routingRules webServers="webserver1" overrideAffinity="false">
            <routingRule order="100" matchExpression="URI LIKE '/IBMJMXConnectorREST%'">
                <rejectAction code="404" />
            </routingRule>
            <routingRule order="101" matchExpression="URI LIKE '/ibm/api%'">
                <rejectAction code="404" />
            </routingRule>
        </routingRules>
    </dynamicRouting>
</server>
In this example, the initial routingRules element specifies the web server where the rules are applied. The subsequent child routingRule elements define the routing rules. For more information, see Configuring routing rules for Liberty dynamic routing.
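The following audit script is an added example, not part of the IBM documentation: it parses a controller's server.xml and reports which system-service URIs are not covered by any reject rule. It assumes rules use the simple `URI LIKE '...'` form shown above and that `%` behaves as an SQL-style wildcard; the function names, the probe URIs and the sample file (the page's configuration with the /ibm/api rule left out) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's server.xml with the /ibm/api rule omitted.
SAMPLE_SERVER_XML = """<server>
  <dynamicRouting>
    <routingRules webServers="webserver1" overrideAffinity="false">
      <routingRule order="100" matchExpression="URI LIKE '/IBMJMXConnectorREST%'">
        <rejectAction code="404" />
      </routingRule>
    </routingRules>
  </dynamicRouting>
</server>"""

# Constructed probe URIs under the two prefixes that the page's rules reject.
PROBES = ["/IBMJMXConnectorREST/example", "/ibm/api/example"]

LIKE_RE = re.compile(r"^\s*URI\s+LIKE\s+'([^']*)'\s*$")

def like_to_regex(pattern):
    # Assumption: '%' matches any run of characters, as in SQL LIKE.
    parts = [re.escape(p) for p in pattern.split("%")]
    return re.compile("^" + ".*".join(parts) + "$")

def reject_rules(server_xml):
    """Return (webServers, order, regex, code) per URI LIKE reject rule, by order."""
    rules = []
    for group in ET.fromstring(server_xml).iter("routingRules"):
        for rule in group.findall("routingRule"):
            m = LIKE_RE.match(rule.get("matchExpression", ""))
            action = rule.find("rejectAction")
            if m and action is not None:
                rules.append((group.get("webServers"),
                              int(rule.get("order", "0")),
                              like_to_regex(m.group(1)), action.get("code")))
    return sorted(rules, key=lambda r: r[1])

def unprotected(server_xml, probes=PROBES):
    """Return the probe URIs that no reject rule in the file matches."""
    rules = reject_rules(server_xml)
    return [uri for uri in probes if not any(r[2].match(uri) for r in rules)]

if __name__ == "__main__":
    for uri in unprotected(SAMPLE_SERVER_XML):
        print("no reject rule covers", uri)
```

Expressions in any other form are skipped rather than evaluated, so a clean result only means the simple prefix rules are present.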