Validate the URL host and port for cloud access

In a cloud environment, there are many things to consider when accessing URLs from your application.

1. Does the host name or IP address need to change?
• If the target service moved with the application, then the host name or IP address needs to change.
2. Can the host be accessed from the cloud environment?
• If the target host is not on the public internet, you need to configure a secure connection using a VPN tunnel. See Create a Secure Connection for more information.
3. Can the port be accessed from the cloud environment?
• If the target host is on the public cloud, you might need to open the port when using non-default ports. See Open a Port for more information.
4. Can the host name or IP address change dynamically in the cloud environment after deployment?
• In a cloud environment, services or peers can be relocated or regenerated, which shifts them to new host names and IP addresses. When these shifts occur, application calls to particular host names or IP addresses can break.
• Instead of using host names or IP addresses, consult an external service registry to resolve service endpoints, or delegate the entire routing function to a service bus or a load balancer with a virtual name instead.
5. If the host name is localhost, did the target service move with the application?
• If it did not move, you need to configure a secure connection using a VPN tunnel. See Create a Secure Connection for more information.

This rule flags references to the following in Java string literals and in property values in .properties files:

• corbaloc:<protocol>:<host>:<port>/ (protocol and port are optional)
• corbaname:<protocol>:<host>:<port>/ (protocol and port are optional)
• http://
• https://
• iiop://
• imap://
• jdbc:<database type>://
• ldap://
• ldaps://
• pop2://
• smtp://
• ssl://
• tcp://

If the target cloud runtime environment is IBM Cloud or Third-party PaaS, the following protocols are not flagged by this rule because they are flagged by the Do not use older or non-standard protocols rule.

• corbaloc
• iiop
• ssl
• tcp

This rule also flags references to "http://" or "https://" in the location attribute on the <address> element in WSDL files.

Note: References to "http://www.w3.org/" and "http://schemas.xmlsoap.org/" are not flagged because they identify defined namespaces in the Web Services Addressing specification.

How to Resolve

If your application is able to directly access the service endpoint or peer, no further action is required. Otherwise, there are two potential solutions:

Create a Secure Connection

You can use a VPN tunnel, such as the IBM Secure Gateway for IBM Cloud, to create a secure connection to your service endpoint or peer. For more information about configuring a secure connection, see Configuring a VPN. After configuring your gateway, connect your application to the new destination by using the cloud host and port number that is provided when you created the destination.

Open a Port

Only certain ports are open by default in a cloud environment. For information on how to open additional ports, see the Firewall Ports section in WebSphere Application Server in IBM Cloud System access.

For more information, see Top 9 rules for cloud applications.