Security Options

There are several different mechanisms that can be used to provide security for your API and portal. Below are the options for security relating to the Proxy.

  • SSL – client/server
  • Whitelist
  • Shared secret
  • OAuth 1.0a / OAuth 2.0
  • HTTP-Auth

SSL

Secure Sockets Layer (SSL) can be used to encrypt traffic over the internet. There are two different use cases for SSL with regard to your API.

  • Client-facing SSL, allowing users to submit via HTTPS rather than HTTP, is available though not included in any of the offerings. Client-side SSL will result in a recurring monthly fee. In order to enable client-side SSL you will need to provide us with the SSL key, the SSL certificate, and all intermediate certificates.
  • Origin-based SSL for the segment of the API call between the Mashery Proxy and your origin server. Standard one-way SSL, where you have installed an SSL certificate on your server, is enabled via dashboard configuration, whereas mutual SSL is more complex and a recurring fee will be charged.

Whitelist

If you choose to allow only Mashery-proxied traffic through to your servers, we recommend an IP whitelist as a simple solution. The following list contains the Mashery Traffic Manager IP addresses for all regions. Mashery OnPrem Manager, aka MoM (api-mom.mashery.com), also uses the same IP addresses. The list also includes the monitoring IP addresses, grouped by region, that Mashery uses to monitor your direct API.

If IP whitelisting will be enforced on the API backend, please whitelist the IP addresses for the Traffic Manager and for the selected regions of the monitoring service. If you require static IP addresses for MoM (api-mom.mashery.com), rather than following the best practice of using DNS or a proxy, you can use the Traffic Manager IP address block for your Mashery Local install.

Please Note: The whitelist information is subject to change. When such changes occur, Mashery Support will notify you and work with you to get your whitelist updated. Previous versions of the IP list can be found at http://support.mashery.com/docs/proxy_information/Archived_IP_Whitlisting_Information/.

IP Whitelist Version 7.0 (Effective Date: 4/14/2018)

Notes: Includes updates to core Outbound Traffic Manager IP addresses as well as monitoring hosts. Please include all Traffic Manager IP addresses, plus the monitoring IP addresses for your selected region.

Additional IPs are for:

  • New Data Centers
  • The new monitoring platform

The list below is a combination of Ranges and Individual IP Addresses.

A text version of this list can be found at: https://support.mashery.com/files/TIBCOMasheryIPs.txt

#
#Traffic Manager IPs Please whitelist all
#
64.94.14.0/27
64.94.228.128/28
216.52.39.0/24
216.52.244.96/27
216.133.249.0/24
23.23.79.128/25
107.22.159.192/28
54.82.131.0/25
75.101.137.168
75.101.142.168
75.101.146.168
75.101.141.43
75.101.129.141
174.129.251.74
174.129.251.80
50.18.151.192/28
50.112.119.192/28
54.193.255.0/25
204.236.130.149
204.236.130.201
204.236.130.207
176.34.239.192/28
54.247.111.192/26
54.93.255.128/27
54.252.79.192/27
54.251.88.0/27
18.231.105.96/28 #new
#
#Monitoring Server regions (please whitelist all IPs within a selected region):
#
#North America
#
69.71.111.140
69.71.111.141
207.126.59.91
207.126.59.94
165.254.103.205
165.254.103.203
70.34.228.92
70.34.228.93
4.53.108.203
4.53.108.205
208.72.116.130
208.72.116.131
38.104.3.42 #new
38.122.138.22 #new
75.149.229.162 #new
173.205.4.198 #new
74.202.23.214 #new
75.149.229.118 #new
201.131.127.138 #new
63.237.255.222 #new
209.249.94.34 #new
205.204.93.122 #new
75.149.229.82 #new
152.179.93.94 #new
129.250.199.94 #new
129.250.199.90 #new
75.149.228.230 #new
#
#South/Central America
#
200.85.152.87
200.85.152.89
200.155.158.42
200.155.158.43
187.45.223.91
187.45.223.93
165.254.103.205
165.254.103.203
186.250.242.26 #new
200.55.243.124 #new
200.55.243.125 #new
201.216.249.66 #new
187.45.179.28 #new
190.117.62.122 #new
185.31.158.244 #new
177.52.180.125 #new
190.112.220.162 #new
200.6.122.211 #new
191.235.90.217 #new
#
#Europe
#
213.130.49.203
213.130.49.205
213.198.94.38
213.198.94.39
212.72.53.203
212.72.53.205
87.236.193.132
87.236.193.137
93.94.105.60
93.94.105.75
185.10.229.160/28 #new
62.103.152.167 #new
195.93.242.2 #new
195.93.242.3 #new
93.17.191.204 #new
93.115.86.209 #new
185.212.169.67 #new
185.206.224.89 #new
37.29.2.10 #new
52.57.11.200 #new
52.57.155.186 #new
52.56.71.32 #new
93.189.33.16 #new
93.189.33.18 #new
159.122.189.182/31 #new
94.180.111.234 #new
159.8.89.144/28 #new
94.72.18.106 #new
212.69.167.117 #new
212.69.167.122 #new
#
#Asia-Pacific
#
103.19.90.28
103.19.90.29
103.15.105.253
103.15.105.254
103.248.191.19
123.100.230.144
123.100.230.146
123.100.230.148
123.100.230.150
110.50.254.174
110.50.254.177
210.48.32.17 #new
210.48.32.18 #new
122.155.166.196 #new
122.155.166.197 #new
123.103.13.84 #new
14.140.39.202 #new
86.96.201.100 #new
86.96.201.103 #new
23.99.122.185 #new
213.74.78.220 #new
213.74.76.132 #new
202.76.226.4 #new
202.76.226.5 #new
83.222.220.129 #new
52.66.74.180 #new
211.175.216.2 #new
140.206.200.66 #new
140.206.200.68 #new
117.18.236.184 #new
54.252.112.123 #new
175.41.253.70 #new
#
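The published list mixes CIDR ranges, single addresses, `#` comment headers and trailing `#new` markers, and the text above says to allow all Traffic Manager addresses plus the monitoring addresses for the regions you select. The following is an added example, not Mashery's own code, of how a backend could parse that text format and decide whether a request's source address is on the whitelist. The excerpt embedded in it is a constructed sample in the same format, built from a few entries of the list above; the section labels it derives from the comment lines, the function names, and the "Traffic Manager" key are assumptions made here for illustration. The full text file remains the source of truth for the addresses themselves.

```python
import ipaddress

# Constructed excerpt in the same format as the published text list:
# comment headers, CIDR ranges, single addresses, trailing "#new" markers.
WHITELIST_TEXT = """\
#
#Traffic Manager IPs Please whitelist all
#
64.94.14.0/27
216.52.39.0/24
75.101.137.168
18.231.105.96/28 #new
#
#Monitoring Server regions (please whitelist all IPs within a selected region):
#
#North America
#
69.71.111.140
38.104.3.42 #new
#
#Europe
#
213.130.49.203
185.10.229.160/28 #new
"""


def parse_whitelist(text):
    """Parse the text-list format into {section name: [ip_network, ...]}.

    Every non-empty comment line starts a new section; bare '#' separators and
    the 'Monitoring Server regions' group heading are skipped. Single addresses
    become /32 networks so all entries are tested the same way.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            label = line.lstrip("#").strip()
            if not label or label.startswith("Monitoring Server"):
                continue  # separator or group heading, not a section of its own
            # Normalise the long Traffic Manager header to a short key (assumed name)
            current = "Traffic Manager" if label.startswith("Traffic Manager") else label
            sections.setdefault(current, [])
            continue
        entry = line.split("#", 1)[0].strip()  # drop trailing "#new" markers
        if current is None:
            raise ValueError(f"address before any section header: {entry!r}")
        sections[current].append(ipaddress.ip_network(entry, strict=False))
    return sections


def allowed_networks(sections, regions):
    """Networks to permit: all Traffic Manager entries plus the chosen monitoring regions."""
    nets = list(sections.get("Traffic Manager", []))
    for region in regions:
        nets.extend(sections.get(region, []))
    return nets


def is_allowed(source_ip, networks):
    """True when the request's source address falls inside any permitted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    sections = parse_whitelist(WHITELIST_TEXT)
    nets = allowed_networks(sections, regions=["North America"])
    for ip in ("64.94.14.5", "38.104.3.42", "213.130.49.203", "10.0.0.1"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
```

Use the source address of the TCP connection, not an `X-Forwarded-For` header, as the input to `is_allowed`, since forwarded headers can be set by the caller. Re-run the parser against the published text file whenever Mashery Support announces a new list version.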
Shared Secret

Mashery supports shared secrets. Shared secrets can be set to be automatically assigned to users receiving keys via the Mashery service. By default the shared secret is hashed with the current time (GMT), allowing for 5 minutes of clock drift. Through the use of Custom Adapters, which we have built into the system, Mashery can support virtually any kind of authentication request utilizing shared secrets and signatures.
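The paragraph above says the shared secret is hashed together with the current time and that 5 minutes of clock drift is tolerated. The following added example, which is not Mashery's code and does not reproduce its exact algorithm, shows the mechanics of such a scheme from both sides: the client derives a signature from its API key, the secret and the current whole second, and the verifier, which never receives the timestamp, tries every candidate second within the drift window. The HMAC-SHA256 construction, the `key:timestamp` message layout and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

CLOCK_DRIFT_SECONDS = 300  # "5 minutes of clock drift" from the text above


def sign_request(api_key, shared_secret, now=None):
    """Client side: signature over the key and the current time in whole
    seconds since the epoch (UTC). HMAC-SHA256 over "key:timestamp" is an
    assumed construction for illustration, not Mashery's documented one."""
    ts = int(time.time() if now is None else now)
    msg = f"{api_key}:{ts}".encode()
    return hmac.new(shared_secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_signature(api_key, shared_secret, signature,
                     now=None, drift=CLOCK_DRIFT_SECONDS):
    """Server side: the timestamp is not transmitted, so recompute the
    signature for every whole second within +/- drift of the server clock
    and accept if any candidate matches.

    The comparison is constant-time and the loop always runs to completion,
    so response timing does not reveal which candidate (if any) matched."""
    if not isinstance(signature, str) or not signature.isascii():
        return False
    now = int(time.time() if now is None else now)
    matched = False
    for ts in range(now - drift, now + drift + 1):
        expected = sign_request(api_key, shared_secret, now=ts)
        matched |= hmac.compare_digest(expected, signature)
    return matched


if __name__ == "__main__":
    # Constructed sample values; real keys and secrets come from the dashboard.
    key, secret = "example-key", "example-secret"
    sig = sign_request(key, secret)
    print("fresh signature accepted:", verify_signature(key, secret, sig))
    stale = sign_request(key, secret, now=time.time() - 600)
    print("10-minute-old signature accepted:", verify_signature(key, secret, stale))
```

The window of 601 candidate seconds costs 601 HMAC computations per request, which is cheap, but it also means a captured signature remains valid for up to ten minutes across the window; keep the backend clock synchronised (NTP) and serve the API over SSL so signatures are not exposed in transit.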

OAuth 2.0

We offer an OAuth accelerator so you can add OAuth to your API with very little effort or cost. OAuth allows a user to delegate access to their data to a third party while protecting their credentials. The authorization token can be revoked at any time.

Mashery can handle two different approaches to OAuth.

  1. Mashery OAuth Accelerator. Mashery acts as the token provider. Our client creates a page on their system which allows a user to grant or revoke access to their data. Our client then uses Mashery's API to create or revoke access for a particular site. Mashery handles the authentication of calls. This path requires that the client do very little to implement OAuth, so they can focus on their core business.
  2. Client-implemented OAuth. Some clients may wish to handle OAuth on their own; in this case the OAuth call looks just like any other API call being made through the proxy. The client must build the system to create and manage OAuth tokens as well as authenticate calls.

HTTP-Auth

Some clients prefer not to shut off access at the edge of their network using whitelists, but would rather control access on a call-by-call basis. By adding an HTTP challenge to your application/web server you will be able to allow access only to users with the correct credentials. Mashery can easily add the appropriate username/password pair to all calls made to your Direct API.
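The paragraph above describes the backend side of this option: the origin server issues an HTTP challenge and admits only calls carrying the expected username/password pair, which the proxy adds to each forwarded call. The following added example, not Mashery's code, shows that check as a framework-independent function operating on a request's header dictionary: a missing, malformed or wrong `Authorization` header gets a 401 with a `WWW-Authenticate: Basic` challenge, and a matching one gets through. The credentials, the realm name and the function names are constructed for illustration; the header dictionary is assumed to use the canonical `Authorization` key.

```python
import base64
import hmac

# Constructed credentials for the example; real ones come from your own configuration.
EXPECTED_USER = "mashery-proxy"
EXPECTED_PASSWORD = "example-password"
REALM = "direct-api"  # assumed realm name


def basic_header(user, password):
    """The Authorization header value the proxy would add to each forwarded call."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(headers, user=EXPECTED_USER, password=EXPECTED_PASSWORD):
    """Return (status, response_headers) for a request.

    401 plus a WWW-Authenticate challenge when the Authorization header is
    missing, not Basic, undecodable or carries the wrong pair; 200 otherwise.
    """
    challenge = (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return challenge
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return challenge
    got_user, sep, got_pass = decoded.partition(":")
    if not sep:
        return challenge
    # Compare both fields in constant time and evaluate both (no short-circuit)
    # so timing does not reveal whether the username alone was correct.
    ok = hmac.compare_digest(got_user.encode(), user.encode()) & \
        hmac.compare_digest(got_pass.encode(), password.encode())
    return (200, {}) if ok else challenge


if __name__ == "__main__":
    print(check_basic_auth({}))
    print(check_basic_auth({"Authorization": basic_header("mashery-proxy", "example-password")}))
    print(check_basic_auth({"Authorization": basic_header("mashery-proxy", "wrong")}))
```

Because the pair travels base64-encoded rather than encrypted, pair this option with origin-based SSL as described earlier so the credentials are not readable on the segment between the proxy and your server.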
