Connectivity Options
Bluefin support for Decryptx connectivity.
Bluefin supports two methods of connectivity to the Decryptx service:
- Managed services
- Internet
Managed Services
While the Internet has proven very reliable for decryption processing, those seeking guaranteed delivery to Bluefin’s Decryptx platform should consider a dedicated, managed service. Bluefin has partnered with Transaction Network Services (TNS) for clients requiring high transactions per second and low latency. Transactions over the managed service are sent via HTTPS. TNS offers numerous connectivity options. Additional information can be found here.
In Bluefin's recommended configuration, transport to Bluefin will be via diverse telecommunication providers. This guarantees both hardware and connectivity diversity for the Decryptx service.
Internet Connectivity
Clients may also connect to Bluefin over the Internet via HTTPS. The Internet connectivity option is intended for the following types of clients:
- Clients who do not require a communications SLA since packet delivery over the Internet cannot be guaranteed.
- Clients who do not have the infrastructure to support dedicated hardware. For example, clients who use AWS or other "cloud" based infrastructure for their service delivery.
- Clients who are not sensitive to the inherent latency of the Internet.
Clients connecting to either the Decryptx certification or production environments must provide their source IP addresses to Bluefin. Client IP addresses must be whitelisted for connectivity to the Decryptx environment.
Important
For maintenance and processing availability purposes, clients connecting over the Internet are REQUIRED to support DNS resolution for the processing URL https://secure-prod.decryptx.com/api
Best Practices for Persistent HTTP Connections
Overview
Persistent HTTP connections, also known as HTTP keep-alive, are a mechanism that allows the same TCP connection to send and receive multiple HTTP requests and responses. This can significantly reduce latency for consecutive requests, as well as lower CPU and memory use, since there's no need to set up a new connection for each request.
However, we strongly recommend against setting up persistent HTTP connections to our platform with an indefinite keep-alive timeout.
Why Not to Use Indefinite Keep-Alive Connections
DNS-based Traffic Routing
Our platform uses DNS-based traffic routing for maintenance, vulnerability scans, and code deployments. An indefinite keep-alive connection can interfere with this routing strategy, causing your application to miss real-time updates and possibly send requests to retired or less optimal endpoints.
Latency
While persistent connections can initially be advantageous for reducing latency, they can become less efficient over time. Your initially optimal network path might become suboptimal, increasing the latency of the HTTP requests.
Security Risks
Longer-lived connections offer an extended window for potential attackers to exploit vulnerabilities, leading to unauthorized access or data breaches.
Our Recommendations
5-Minute Timeout
Please set a 5-minute timeout on all persistent connections to our platform.
Stagger Connection Pooling
If your application uses connection pooling, stagger your persistent connections. This helps ensure that you always have some connections that are "fresh" and more likely to be routed optimally.
Sample Request with 5-minute Timeout
Here is how you can configure your HTTP request to have a 5-minute keep-alive timeout:
POST /api/device/validate HTTP/1.1
Host: secure-prod.decryptx.com
Connection: keep-alive
Keep-Alive: timeout=300
Content-Type: application/json
Content-Length: 86

{
"partnerId" : "bluefin",
"partnerKey" : "<REDACTED>"
}
By setting the Connection header to keep-alive and specifying a Keep-Alive: timeout=300 (300 seconds is equivalent to 5 minutes), you can maintain a persistent connection while adhering to our platform's guidelines.
Inactivity Termination
Note that all connections to our platform will be terminated after 5 minutes of inactivity. Please design your applications to handle this gracefully.
By following these guidelines, you help ensure that your interactions with our platform are efficient, secure, and reliable.
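The recommendations above (5-minute limit, staggered pooling, graceful handling of idle termination) can also be enforced on the client side, as in this added example, which is not Bluefin's code. The class name, the 60-second jitter window and the 30-second socket timeout are assumptions.

```python
import http.client
import random
import time

MAX_AGE = 300.0  # 5-minute limit recommended above
JITTER = 60.0    # assumption: spread recycling over the final minute


class RecyclingConnection:
    """One pooled HTTPS connection, rebuilt before it reaches MAX_AGE."""

    def __init__(self, host, factory=http.client.HTTPSConnection,
                 clock=time.monotonic, rng=random.random):
        self.host, self.factory = host, factory
        self.clock, self.rng = clock, rng
        self.conn = None
        self.deadline = 0.0
        self.opened = 0  # connections created so far

    def _fresh(self):
        if self.conn is not None:
            self.conn.close()
        # A new connection object resolves the hostname again when it
        # connects, so DNS-based routing changes are picked up.
        self.conn = self.factory(self.host, timeout=30)
        # Staggering: each connection draws its own lifetime in
        # (MAX_AGE - JITTER, MAX_AGE], so a pool does not recycle at once.
        self.deadline = self.clock() + MAX_AGE - JITTER * self.rng()
        self.opened += 1

    def request(self, method, path, body=None, headers=None):
        if self.conn is None or self.clock() >= self.deadline:
            self._fresh()
        for attempt in (1, 2):
            try:
                self.conn.request(method, path, body=body,
                                  headers=headers or {})
                resp = self.conn.getresponse()
                return resp.status, resp.read()
            except ConnectionError:
                # Typical after the server drops an idle connection.
                # Assumption: the caller only sends requests that are
                # safe to repeat; one reconnect-and-retry, then give up.
                if attempt == 2:
                    raise
                self._fresh()
```

A pool would hold several RecyclingConnection objects for the same host; because each draws its own deadline, they are replaced at different times rather than all at the 5-minute mark.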
Decryptx Internet IP Addresses
Decryptx clients processing over the Internet who wish to whitelist the Decryptx IP addresses in their firewalls should contact Bluefin support for a list of IP addresses that should be included in their firewall's configuration.