Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Client Resources

Client Network Connectivity

search
printsuggest an edit

Client Network Connectivity

Data Protection on Demand is offered from two isolated regions, Europe and North America. No data is shared between European and North American DPoD instances. Customers are required to configure any connection requirements for their system, such as: opening ports, configuring proxies, and allowing access through firewalls.

This document outlines the required communication paths for each instance by use case. When configuring your connection we recommend the following:

  • Use the fully qualified domain names (FQDNs) provided in the client package, do not use IP addresses. Any variations to the configuration will forfeit all guarantees provided by the DPoD SLA.
  • Do not use a hosts file to override the DNS resolution of the DPoD identity provider (IDP), user interface, API interface, service dashboards or cryptographic endpoints.
  • Ensure that Windows operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. If you are unable to open port 80 to all traffic please ensure that the certificate revocation lists (CRLs) and online certificate status protocols (OCSPs) documented in the Certificate Authority CRLs and OCSPs section are specified in an include list for traffic over port 80.
  • Subscribe to the DPoD status page and the Changelog to receive email updates about the latest changes and impacts to client network connectivity.

Tip

Refer to the proxy configuration instructions for more information about configuring your Luna Cloud HSM Service Client to use your network proxy configuration.

Note

Thales is changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome Identity Platform. This update enables the platform to provide modern authentication options as well as simplifying logins for users that manage multiple tenants on the platform. For more information about this upcoming change see the DPoD IDP Migration FAQ.

copy link to clipboardEurope region

Use Case FQDN Port
DPoD Management Console Platform:
- https://thales.market.dpondemand.io
- https://thales.eu.market.dpondemand.io
User authentication:
- https://welcome.dpondemand.io/dpod/login		 443 TCP
Luna Cloud HSM Openid discovery url:
- https://access.dpondemand.io/oauth/.well-known/openid-configuration
Client credentials grant url:
- https://access.dpondemand.io/oauth/v1/token
Client XTC connection:
- https://eu.hsm.dpondemand.io		 443 TCP
Platform APIs API endpoint:
- https://thales.eu.market.dpondemand.io/v1/<api>
Authentication:
- https://access.dpondemand.io/oauth/v1/token		 443 TCP

copy link to clipboardNorth America region

Use Case FQDN Port
DPoD Management Console Platform:
- https://thales.market.dpondemand.io
- https://thales.na.market.dpondemand.io
User authentication:
- https://welcome.dpondemand.io/dpod/login		 443 TCP
Luna Cloud HSM Openid discovery url:
- https://access.dpondemand.io/oauth/.well-known/openid-configuration
Client credentials grant url:
- https://access.dpondemand.io/oauth/v1/token
Client XTC connection:
- https://na.hsm.dpondemand.io		 443 TCP
Platform APIs API endpoint:
- https://thales.na.market.dpondemand.io/v1/<api>
Authentication:
- https://access.dpondemand.io/oauth/v1/token		 443 TCP

copy link to clipboardData center IPs

For availability and resiliency of the service, the Luna Cloud HSM data centers are configured with a floating IP address. Due to this configuration we do not recommend configuring firewall rules to filter on a static IP address. Instead, we recommend configuring firewall rules to filter using the FQDNs mentioned above.

If static IP filtering is required for your network configuration see Allowlisting Imperva IP addresses & Setting IP restriction rules for a complete list of Luna Cloud HSM data center IP address ranges. We recommend monitoring the page as the IP addresses are subject to change. If you encounter issues with your IP address configuration we recommend using a tool, such as nslookup, to revalidate IPs using a separate system.

copy link to clipboardCertificate Authority CRLs and OCSPs

If you are unable to open port 80 to all traffic please ensure that the following CRLs and OCSPs are specified in an include list for traffic over port 80.

Certificate Authority
Sectigo CRL:
- http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl
OCSP:
- http://ocsp.sectigo.com/
Certificates:
- Sectigo Root Certificates
ComodoCA CRL:
- http://crl.comodoca.com/
OCSP:
- http://ocsp.comodoca.com/
Certificates:
- Subordinate CA Certificates
USERtrust CRL:
- http://crl.usertrust.com/
OCSP:
- http://ocsp.usertrust.com/
Certificates:
- Subordinate CA Certificates
Google CRL:
- http://c.pki.goog/wr1/eOb3OfCtrhU.crl
OCSP:
- http://o.pki.goog/s/wr1/o6k
Certificates:
- Google Trust Services
GlobalSign CRL: http://crl.globalsign.com/
OCSPs:
- http://ocsp.globalsign.com/
- http://ocsp2.globalsign.com/
Certificates:
- GlobalSign Root Certificates

On this page