SAP Knowledge Base Article - Public

3373597 - BTP IP range - Workzone to Successfactors

Symptom

401 error in Workzone when an unknown IP range is removed from IP Restriction Tool in Admin Center

Environment

SAP SuccessFactors Integration

Reproducing the Issue

You are activating SF cards in your Workzone instance and in the developer console of our web browser, you were getting errors.

Those error messages contained a notification that there was an issue reaching an IP address. For instance 10.60.165.69 was one of them, you then allow-listed that IP address but you then got another error in the developer console asking you to open 10.60.165.70,10.60.165.71 etc.

You then checked Regions and API Endpoints Available for the Cloud Foundry Environment. However, the IP addresses that are problematic (10.60.165.0-10.60.165.99.) are nowhere to be found in that documentation.

Cause

For the API Requests to microservices with external OAuth. API Gateway will trigger an internal API /rest/internal/platform/asapi/v1/JWTToken to get the JWT token and then access the microservice with the JWT token.

That's why our internal Server IP 10.60.165.x is used for authentication and gets 401 due to IP Restriction.

Resolution

The workaround is to retrieve these IP range configurations in the IP Restriction tool in Admin Center. 

Keywords

401 error, BTP, Workzone, IP Restriction Tool, JWTToken, JWT Token, Regions and API Endpoints Available for the Cloud Foundry Environment , KBA , LOD-SF-INT-API , API & Adhoc API Framework , Problem

Product

SAP SuccessFactors HCM suite all versions