Question

Identify a specific, non-obvious item that should be included on a pre-integration checklist for clients regarding their network configuration for outbound OTP API calls.

Accepted Answer

A specific, non-obvious item that should be included on a pre-integration checklist for clients regarding their network configuration for outbound OTP API calls is the precise identification of the public egress IP address or addresses that their outbound traffic will use. When a client&#x27;s internal server initiates an outbound OTP API call, the source IP address that the external OTP service provider observes is not typically the server&#x27;s private internal IP address. Instead, in most corporate networks, the server&#x27;s traffic first passes through a network device such as a firewall or router that performs Network Address Translation (NAT) or Port Address Translation (PAT). Network Address Translation is a method of remapping an IP address space into another, allowing multiple devices on a private network to share a single public IP address for internet access by modifying the source IP address in the packet header. Port Address Translation is a specific form of NAT that also uses port numbers to distinguish between connections from different internal devices sharing the same public IP. This process translates the server&#x27;s private IP address (e.g., 10.0.0.5) into a public, externally routable IP address (e.g., 203.0.113.42) before the packet leaves the client&#x27;s network and enters the public internet. This public IP address is known as the egress IP address. The OTP API provider, particularly if it employs IP whitelisting as a security measure, will only permit connections originating from a pre-approved list of public IP addresses. IP whitelisting is a security mechanism where access to a system or resource is restricted to only those IP addresses explicitly defined as trustworthy. Clients often mistakenly provide their internal server&#x27;s private IP address for whitelisting or are unaware of the specific public egress IP address their API calls will present. This oversight leads to connection failures because the OTP API provider&#x27;s firewall will block traffic from an unrecognized public source IP address, even if local client firewalls are configured to allow outbound access. Therefore, it is critical to confirm the exact public egress IP address(es) that the client&#x27;s server will use for outbound OTP API calls, as these are the addresses that need to be provided for IP whitelisting on the OTP service provider&#x27;s side. For instance, if an internal server with a private IP of 192.168.1.10 makes an outbound call, and the network&#x27;s NAT device translates this to a public egress IP of 203.0.113.50, then 203.0.113.50 is the IP that must be whitelisted, not 192.168.1.10.

Home → All Courses → Engineering and Technology Courses → Documenting OTP Token Integration for Digital Banking → Flashcard

Identify a specific, non-obvious item that should be included on a pre-integration checklist for clients regarding their network configuration for outbound OTP API calls.