Client Network Connectivity
Data Protection on Demand is offered from two isolated regions, Europe and North America. No data is shared between European and North American DPoD instances. Customers are responsible for configuring their own systems to meet the connection requirements, such as opening ports, configuring proxies, and allowing access through firewalls.
This document outlines the required communication paths for each instance by use case. When configuring your connection we recommend the following:
- Use the fully qualified domain names (FQDNs) provided in the client package; do not use IP addresses. Any variation from this configuration forfeits all guarantees provided by the DPoD SLA.
- Do not use a hosts file to override the DNS resolution of the DPoD identity provider (IDP), user interface, API interface, service dashboards or cryptographic endpoints.
- Ensure that Windows operating systems hosting the client are able to validate the server certificate status (OCSP/CRL) using port 80. If you are unable to open port 80 to all traffic, ensure that the certificate revocation lists (CRLs) and OCSP responders documented in the Certificate Authority CRLs and OCSPs section are specified in an include list for traffic over port 80.
- Subscribe to the DPoD status page and the Changelog to receive email updates about the latest changes and impacts to client network connectivity.
Tip
Refer to the proxy configuration instructions for more information about configuring your Luna Cloud HSM Service Client to use your network proxy configuration.
Note
Thales is changing the Identity Provider (IDP) used in the DPoD platform to Thales OneWelcome. This update enables the platform to provide modern authentication options as well as simplifying logins for users that manage multiple tenants on the platform. For more information about this upcoming change see the DPoD IDP Migration FAQ.
Europe region
Use Case | Purpose | FQDN | Port |
---|---|---|---|
DPoD Management Console | Platform | https://<tenant>.eu.market.dpondemand.io | 443 TCP |
DPoD Management Console | Platform | https://thales.eu.market.dpondemand.io | 443 TCP |
DPoD Management Console | User authentication | https://<tenant>.uaa.system.pegasus.dpsas.io | 443 TCP |
DPoD Management Console | User authentication | https://welcome.dpondemand.io/dpod/login | 443 TCP |
Luna Cloud HSM | OpenID discovery URL | https://<tenant>.uaa.system.pegasus.dpsas.io/.well-known/openid-configuration | 443 TCP |
Luna Cloud HSM | OpenID discovery URL | https://access.dpondemand.io/oauth/.well-known/openid-configuration | 443 TCP |
Luna Cloud HSM | Client credentials grant URL | https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/authorize | 443 TCP |
Luna Cloud HSM | Client credentials grant URL | https://access.dpondemand.io/oauth/v1/token | 443 TCP |
Luna Cloud HSM | Client XTC connection | https://eu.hsm.dpondemand.io | 443 TCP |
CipherTrust Key Management | Service access | https://<tenant>.eu.market.dpondemand.io | 443 TCP |
CipherTrust Key Management | Service access | https://thales.eu.market.dpondemand.io | 443 TCP |
Platform APIs | API endpoint | https://<tenant>.eu.market.dpondemand.io/v1/<api> | 443 TCP |
Platform APIs | API endpoint | https://thales.eu.market.dpondemand.io/v1/<api> | 443 TCP |
Platform APIs | Authentication | https://<tenant>.uaa.system.pegasus.dpsas.io/oauth/token | 443 TCP |
Platform APIs | Authentication | https://access.dpondemand.io/oauth/v1/token | 443 TCP |
North America region
Use Case | Purpose | FQDN | Port |
---|---|---|---|
DPoD Management Console | Platform | https://<tenant>.na.market.dpondemand.io | 443 TCP |
DPoD Management Console | Platform | https://thales.na.market.dpondemand.io | 443 TCP |
DPoD Management Console | User authentication | https://<tenant>.uaa.system.snakefly.dpsas.io | 443 TCP |
DPoD Management Console | User authentication | https://welcome.dpondemand.io/dpod/login | 443 TCP |
Luna Cloud HSM | OpenID discovery URL | https://<tenant>.uaa.system.snakefly.dpsas.io/.well-known/openid-configuration | 443 TCP |
Luna Cloud HSM | OpenID discovery URL | https://access.dpondemand.io/oauth/.well-known/openid-configuration | 443 TCP |
Luna Cloud HSM | Client credentials grant URL | https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/authorize | 443 TCP |
Luna Cloud HSM | Client credentials grant URL | https://access.dpondemand.io/oauth/v1/token | 443 TCP |
Luna Cloud HSM | Client XTC connection | https://na.hsm.dpondemand.io | 443 TCP |
CipherTrust Key Management | Service access | https://<tenant>.na.market.dpondemand.io | 443 TCP |
CipherTrust Key Management | Service access | https://thales.na.market.dpondemand.io | 443 TCP |
Platform APIs | API endpoint | https://<tenant>.na.market.dpondemand.io/v1/<api> | 443 TCP |
Platform APIs | API endpoint | https://thales.na.market.dpondemand.io/v1/<api> | 443 TCP |
Platform APIs | Authentication | https://<tenant>.uaa.system.snakefly.dpsas.io/oauth/token | 443 TCP |
Platform APIs | Authentication | https://access.dpondemand.io/oauth/v1/token | 443 TCP |
Data center IPs
For availability and resiliency of the service, the Luna Cloud HSM data centers are configured with a floating IP address. Due to this configuration we do not recommend configuring firewall rules to filter on a static IP address. Instead, we recommend configuring firewall rules to filter using the FQDNs mentioned above.
If static IP filtering is required for your network configuration, see Allowlisting Imperva IP addresses & Setting IP restriction rules for a complete list of Luna Cloud HSM data center IP address ranges. We recommend monitoring that page, as the IP addresses are subject to change. If you encounter issues with your IP address configuration, we recommend using a tool such as nslookup to revalidate the IPs from a separate system.
Certificate Authority CRLs and OCSPs
If you are unable to open port 80 to all traffic, ensure that the following CRLs and OCSP responders are specified in an include list for traffic over port 80.
Certificate Authority | CRL | OCSP | Certificates |
---|---|---|---|
Sectigo | http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl | http://ocsp.sectigo.com/ | Sectigo Root Certificates |
ComodoCA | http://crl.comodoca.com/ | http://ocsp.comodoca.com/ | Subordinate CA Certificates |
USERtrust | http://crl.usertrust.com/ | http://ocsp.usertrust.com/ | Subordinate CA Certificates |
Google Trust Services | http://c.pki.goog/wr1/eOb3OfCtrhU.crl | http://o.pki.goog/s/wr1/o6k | Google Trust Services |
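As an added example (not Thales code and not part of this page), the following Python script encodes the region tables and the Certificate Authority table above so that a proposed firewall allowlist can be audited for missing FQDNs and for IP-based rules, and a hosts file can be checked for overrides of DPoD or IDP names. The tenant name, the sample allowlist and the sample hosts file are constructed.

```python
import ipaddress

# Added example, not Thales code. Host names come from the region tables and the
# Certificate Authority table on this page; <tenant> is supplied by the caller.
REGION = {
    "eu": ("eu.market.dpondemand.io", "uaa.system.pegasus.dpsas.io", "eu.hsm.dpondemand.io"),
    "na": ("na.market.dpondemand.io", "uaa.system.snakefly.dpsas.io", "na.hsm.dpondemand.io"),
}
SHARED = ("welcome.dpondemand.io", "access.dpondemand.io")  # identical in both regions
# CRL/OCSP hosts that must be reachable over port 80 for revocation checking.
REVOCATION = ("crl.sectigo.com", "ocsp.sectigo.com", "crl.comodoca.com", "ocsp.comodoca.com",
              "crl.usertrust.com", "ocsp.usertrust.com", "c.pki.goog", "o.pki.goog")
DPOD_SUFFIXES = (".dpondemand.io", ".dpsas.io")  # names that must never be pinned in a hosts file

def required_endpoints(region, tenant):
    """All (host, port) pairs a client in `region` must be allowed to reach."""
    market, uaa, hsm = REGION[region]
    https = [f"{tenant}.{market}", f"thales.{market}", f"{tenant}.{uaa}", hsm, *SHARED]
    return {(h, 443) for h in https} | {(h, 80) for h in REVOCATION}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_allowlist(region, tenant, allowlist):
    """allowlist: (host_or_ip, port) rules. Returns (missing_endpoints, ip_based_rules).

    IP-based rules are reported because the Luna Cloud HSM data centers use floating
    addresses and the guidance above is to filter on FQDNs only."""
    allowed = {(h.lower(), p) for h, p in allowlist}
    missing = sorted(e for e in required_endpoints(region, tenant) if e not in allowed)
    ip_rules = sorted((h, p) for h, p in allowed if is_ip(h))
    return missing, ip_rules

def hosts_file_overrides(hosts_text):
    """Return DPoD/IDP host names that a hosts file pins to a fixed address."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then "<addr> name [name...]"
        found.extend(n.lower() for n in fields[1:] if n.lower().endswith(DPOD_SUFFIXES))
    return found
```

Run `audit_allowlist("eu", "acme", rules)` against your exported firewall rules before a cutover; every entry in the returned `missing` list is a connection the client will fail to make.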