Skip to content

Update security instructions for API-M web portals #11249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Rami2212 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update security instructions for API-M web portals #11249

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 1 addition & 18 deletions en/docs/install-and-setup/setup/security/securing-api-m-web-portals.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,24 +32,7 @@ session_timeout = "30m"

## Restricting access to web portals

You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can either restrict access to the management console only, or you can restrict access to all web portals as explained below.

- To control access only to the management console, add the following configuration to the `<API-M_HOME>/repository/conf/deployment.toml` file:

```toml
[admin_console.control_access]
enable = true
allow = ["IP1", "IP2", "IP3"]
```

This adds a `RemoteAddrValve` Tomcat valve in the `<API-M_HOME>/repository/conf/tomcat/carbon/META-INF/context.xml` file and it will only apply to the Carbon management console, and thereby all outside requests to the management console will be blocked.

<html>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>When you enable access control for the management console, only the IP addresses specified in the <code>allow</code> parameter will have access. All other IP addresses will be blocked. Make sure to include all IP addresses that require access to the management console in the whitelist.</p>
</div>
</html>
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
Copy link

Copilot AI Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This introductory sentence still says access can be restricted to the management console by binding it to selected IPs, but the management-console-only mechanism ([admin_console.control_access]) was removed in this PR. As written, it’s misleading because the only remaining options shown are global web-app access control and per-servlet filtering. Reword this sentence to describe the supported mechanisms (restrict all web apps or specific servlet URLs), without implying a management-console-only binding option.

Suggested change
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
You can restrict access to the web portals of the API-M runtime either by allowing only selected IP addresses to access all web applications or by applying access control filters to specific servlet URLs, as explained below.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Clarify Line 35 to avoid implying an unsupported console-only setting.

Line 35 still reads like there is a direct management-console IP-binding option. To align with the documented supported methods, rephrase to explicitly point to the configurations below.

Proposed wording update 
-You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
+You can restrict access to API-M web portals, including management console endpoints, using the supported access-control configurations described below.

As per coding guidelines: "Provide concise, actionable feedback focused on correctness and best practices."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
You can restrict access to the management console of the API-M runtime by binding the management console with selected IP addresses. Note that you can restrict access to all web portals as explained below.
You can restrict access to API-M web portals, including management console endpoints, using the supported access-control configurations described below.
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@en/docs/install-and-setup/setup/security/securing-api-m-web-portals.md` at
line 35, Reword the sentence that currently reads "You can restrict access to
the management console of the API-M runtime by binding the management console
with selected IP addresses." so it no longer implies a standalone
management-console-only IP-binding option; instead explicitly state that access
is controlled via the general web-portal IP-binding/configuration methods
described below (refer to the phrase "restrict access to all web portals" and
the subsequent configuration sections), e.g., replace the sentence with a clear
pointer that management console access is restricted using the same IP-binding
and portal configuration methods documented in the following sections.


- To control access to all web applications deployed in your server, add the following configuration to the `<API-M_HOME>/repository/conf/deployment.toml` file:

Expand Down
Loading