Home
Secure API Access with IP Whitelisting
Secure connectivity for Innovapptive-hosted applications is enforced by restricting inbound traffic to trusted client IPs and permitting outbound traffic only to approved Innovapptive domains. This ensures that only authorized systems can exchange data with iMaintenance while preventing unauthorized access.
Domain Allowlisting at Customer Firewall
Customers must configure their network firewalls to allow outbound access from corporate networks to specific Innovapptive domains. This ensures iMaintenance services can connect seamlessly to required cloud endpoints.

Title and Copyright
Copyright and Terms of Use page for iMaintenance Installation.
Preface
Understand audience, know related documents and products and conventions followed in this document.
Introduction
The iMaintenance Deployment & Setup Guide gets iMaintenance running safely in your enterprise landscape.
Foundation Setup for iMaintenance Deployment
Before iMaintenance can connect to SAP and expose APIs, the core environment must be initialized. This setup includes seeding MongoDB with configuration data, enabling SAP inbound services, mapping dependencies, and starting the microservices that power the application.
Configure SAP iMaintenance Roles and Authorizations
Before iMaintenance can integrate with SAP, specific roles and authorizations must be configured. These roles control access to master data, transactional posting, and integration endpoints.
Secure API Access with IP Whitelisting
Secure connectivity for Innovapptive-hosted applications is enforced by restricting inbound traffic to trusted client IPs and permitting outbound traffic only to approved Innovapptive domains. This ensures that only authorized systems can exchange data with iMaintenance while preventing unauthorized access.
- IP Allowlisting Through AWS WAF
  Innovapptive manages inbound access to iMaintenance services through AWS Web Application Firewall (WAF). Only customer-approved IPs are allowed, while all others are blocked
- Domain Allowlisting at Customer Firewall
  Customers must configure their network firewalls to allow outbound access from corporate networks to specific Innovapptive domains. This ensures iMaintenance services can connect seamlessly to required cloud endpoints.
- Verify Secure API Access and Maintain
  After configuring IP allowlisting, it’s critical to confirm that only trusted systems can reach iMaintenance services and to keep the rules updated as environments evolve. Verification ensures the setup is working as intended, while regular maintenance keeps access aligned with changing business and IT requirements.
- Configure the Access Control Policy
  Use SAP API Management’s Access Control policy to enforce IP allowlisting at the API-proxy layer as an additional defense-in-depth control.
Install Supporting Systems and iCWP Integration Suite
Enable SAP NetWeaver Gateway and configure virus scan handling so iCWP OData services can run securely.
SAP BTP and On-Premise Integration via Cloud Connector
Set up secure connectivity between SAP BTP and your on-premise SAP systems with the SAP Cloud Connector. This enables iCWP OData services to be consumed on BTP without exposing inbound firewall ports.
Configure API Management in SAP BTP
Create an API Proxy in SAP BTP to expose iCWP OData services from your connected SAP system. The proxy uses the API Provider details from Cloud Connector and makes the service available for policy enforcement and external consumption.
Configure OAuth 2.0 Authentication
Enable OAuth 2.0 authentication in SAP API Management so external consumers can securely obtain and use access tokens when calling iCWP APIs.
Handle CSRF Tokens in API Management
Enable server-to-server authentication between SAP API Management and the backend system, so API consumers don’t need direct backend credentials.
Troubleshoot API Errors and Metadata Issues

Domain Allowlisting at Customer Firewall

Customers must configure their network firewalls to allow outbound access from corporate networks to specific Innovapptive domains. This ensures iMaintenance services can connect seamlessly to required cloud endpoints.

Required Domains for Outbound Access

Table 1. File Access (S3 Resources)
Description	Domain
Innovapptive file access	innoresources.s3.amazonaws.com

Table 2. Authentication (Azure Active Directory)
Description	Domain
Azure AD login	login.microsoftonline.com
Legacy Azure login	login.windows.net
Microsoft auth CDN	aadcdn.msauth.net
Microsoft branding assets	aadcdn.msauthimages.net
Microsoft token service	aadcdn.msftauth.net

Table 3. DynamoDB Table Synchronization (AppSync)
Description	Domain
AWS AppSync endpoint	appsync-api.us-east-1.amazonaws.com
AppSync WebSocket sync	hyufofsc35b67j4grrbfmjuqv4.appsync-realtime-api.us-east-1.amazonaws.com

Table 4. MongoDB Realm Sync
Description	Domain
MongoDB Realm WebSocket	https://ws.realm.mongodb.com
MongoDB Data API	https://data.mongodb-api.com
MongoDB Realm wildcard	*.realm.mongodb.com
MongoDB API wildcard	*.mongodb-api.com

Configuration Notes

Outbound traffic to the above domains must be allowed on TCP port 443 (HTTPS).
Bypass SSL inspection for these domains to prevent certificate errors or service disruptions.
Ensure DNS resolution is not restricted for these domains.
If your firewall or proxy does not support wildcards, the wildcard entries may need to be expanded into individual domain rules.

Note:

This list may be updated based on service expansion or region-specific deployments.

Summary of Responsibilities and Actions


Component	Allowlisting Type	Owner	Action Required
AWS WAF	IP-based (Ingress)	Innovapptive	Customer must share static public IPs or CIDRs
Customer Firewall	Domain-based (Egress)	Customer	Allow outbound access to specified domains on TCP 443