API Connect 2018 OAuth config error

6. RE: API Connect 2018 OAuth config error

Like

Devin Richards

Posted Fri October 12, 2018 02:08 PM

One thing that is odd to me the Firewall requirements
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

for #7 they only list port 3000 which is for the "new" DataPower API Gateway the "old" DataPower Gateway v5 uses the XML Manager on port 5550

here is the v5 reference
https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

maybe check your firewall rules to open more ports?

------------------------------
Devin Richards

------------------------------

Original Message

Original Message:
Sent: 10-12-2018 13:55
From: Devin Richards
Subject: API Connect 2018 OAuth config error

The native OAuth should get pushed, but not sure in v5 we had to add our custom providers to plans to get them to work.

As for the DataPowers I missed the fact that you are using the "old" DataPower Gateway v5
with that you should directly connect to the XML Manager interface and upload the config
with the "new" DataPower API Gateway there is an auto-peering that if configured requires more than 1 DataPower before it starts, but not really applicable in your case with a VM DataPower and not the docker image.

Since all of the runtime is on the DataPower and that APIC servers are not really involved, you could go to the CMC and delete the existing DataPower Gateway v5 service, and go onto the DataPower management UI and make sure the Application Domain was deleted and then add it back in, as once it is back in the APIs should get pushed out to it.

Side note I have had good luck with minikube based on JoelGauci/apicv2018 when using the --vm-driver=none option for playing with APIC locally

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 10:28
From: Bryon Kataoka
Subject: API Connect 2018 OAuth config error

Hi - Thanks for the response A couple of questions.

How do you ensure the backing API for OAuth Native is published? I thought APIC was handling that for us and I never see a reference to the OAuth Native backing API.
Are you saying we must have multiple gateways running? Is that mentioned somewhere in the Knowledge Center?

------------------------------
Bryon Kataoka
CTO
Petaluma CA
707-773-1198

Original Message:
Sent: 10-12-2018 08:56
From: Devin Richards
Subject: API Connect 2018 OAuth config error

While not having this same issue, I offer this advice, make sure you have at least 2 DataPower API Gateway containers running (scale the xxx-dynamic-gateway-service to 2 if not 3) and make sure all APIs including the OAuth providers have been published to your runtime.

------------------------------
Devin Richards

Original Message:
Sent: 10-11-2018 08:50
From: Carlos Quiroga Quiroga
Subject: API Connect 2018 OAuth config error

Hi team
we are following the next tutorial https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/tutorial_apionprem_oauth_passgrant.html
but when go to "Test OAuth Security" section, specifically on point "9. Obtain an OAuth token. In this case, cURL is used to obtain the token using the following command."
we receive the errorb629286.png error message

Did any have the same issue?
Ideas to test if OAuth was well configured?

------------------------------
Carlos Quiroga Quiroga Technical Solutions Architect
Technical Solutions Architect
IBM
Bogota
(571) 390-1318
------------------------------

7. RE: API Connect 2018 OAuth config error

Like

Devin Richards

Posted Wed October 17, 2018 11:59 AM
Edited by Devin Richards Wed October 17, 2018 12:00 PM

I played around a bit with this on my setup in minikube and using the DataPower API Gateway so it is not exactly like you have setup but very close, and I did get an issue similar to yours.

The problem is that when you are trying to get the token from the OAuth provider the URL you are using is not correct, by default the Developer Portal and test tool are putting in the BasePath of the API you are working on into the URL for the OAuth provider and it is not supposed to. (Needs a PMR!)

in your example you are trying to curl
curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/ibm-oauth-test/oauth2/token

however looking at the tutorial the BasePath for the OAuth provider MainProviderOA is empty thus the token endpoint should be:
curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/oauth2/token

try that and see if it helps

------------------------------
Devin Richards

------------------------------

Original Message

Original Message:
Sent: 10-12-2018 14:07
From: Devin Richards
Subject: API Connect 2018 OAuth config error

One thing that is odd to me the Firewall requirements
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

for #7 they only list port 3000 which is for the "new" DataPower API Gateway the "old" DataPower Gateway v5 uses the XML Manager on port 5550

here is the v5 reference
https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

maybe check your firewall rules to open more ports?

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 13:55
From: Devin Richards
Subject: API Connect 2018 OAuth config error

The native OAuth should get pushed, but not sure in v5 we had to add our custom providers to plans to get them to work.

As for the DataPowers I missed the fact that you are using the "old" DataPower Gateway v5
with that you should directly connect to the XML Manager interface and upload the config
with the "new" DataPower API Gateway there is an auto-peering that if configured requires more than 1 DataPower before it starts, but not really applicable in your case with a VM DataPower and not the docker image.

Since all of the runtime is on the DataPower and that APIC servers are not really involved, you could go to the CMC and delete the existing DataPower Gateway v5 service, and go onto the DataPower management UI and make sure the Application Domain was deleted and then add it back in, as once it is back in the APIs should get pushed out to it.

Side note I have had good luck with minikube based on JoelGauci/apicv2018 when using the --vm-driver=none option for playing with APIC locally

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 10:28
From: Bryon Kataoka
Subject: API Connect 2018 OAuth config error

Hi - Thanks for the response A couple of questions.

How do you ensure the backing API for OAuth Native is published? I thought APIC was handling that for us and I never see a reference to the OAuth Native backing API.
Are you saying we must have multiple gateways running? Is that mentioned somewhere in the Knowledge Center?

------------------------------
Bryon Kataoka
CTO
Petaluma CA
707-773-1198

Original Message:
Sent: 10-12-2018 08:56
From: Devin Richards
Subject: API Connect 2018 OAuth config error

While not having this same issue, I offer this advice, make sure you have at least 2 DataPower API Gateway containers running (scale the xxx-dynamic-gateway-service to 2 if not 3) and make sure all APIs including the OAuth providers have been published to your runtime.

------------------------------
Devin Richards

Original Message:
Sent: 10-11-2018 08:50
From: Carlos Quiroga Quiroga
Subject: API Connect 2018 OAuth config error

Hi team
we are following the next tutorial https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/tutorial_apionprem_oauth_passgrant.html
but when go to "Test OAuth Security" section, specifically on point "9. Obtain an OAuth token. In this case, cURL is used to obtain the token using the following command."
we receive the errorb629286.png error message

Did any have the same issue?
Ideas to test if OAuth was well configured?

------------------------------
Carlos Quiroga Quiroga Technical Solutions Architect
Technical Solutions Architect
IBM
Bogota
(571) 390-1318
------------------------------

8. RE: API Connect 2018 OAuth config error

Like

Bryon Kataoka

IBM Champion

Posted Wed October 17, 2018 06:44 PM

Hi - we are about to open a PMR but I will give this a shot and then open the PMR.

9. RE: API Connect 2018 OAuth config error

Like

Devin Richards

Posted Thu October 18, 2018 10:19 AM

FYI I opened TS001498237 for the "Try it" button having the wrong OAuth endpoint

------------------------------
Devin Richards

------------------------------

Original Message

Original Message:
Sent: 10-17-2018 18:44
From: Bryon Kataoka
Subject: API Connect 2018 OAuth config error

Hi - we are about to open a PMR but I will give this a shot and then open the PMR.

------------------------------
Bryon Kataoka
CTO
Petaluma CA
707-773-1198

Original Message:
Sent: 10-17-2018 11:58
From: Devin Richards
Subject: API Connect 2018 OAuth config error

I played around a bit with this on my setup in minikube and using the DataPower API Gateway so it is not exactly like you have setup but very close, and I did get an issue similar to yours.

The problem is that when you are trying to get the token from the OAuth provider the URL you are using is not correct, by default the Developer Portal and test tool are putting in the BasePath of the API you are working on into the URL for the OAuth provider and it is not supposed to. (Needs a PMR!)

in your example you are trying to curl
curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/ibm-oauth-test/oauth2/token

however looking at the tutorial the BasePath for the OAuth provider MainProviderOA is empty thus the token endpoint should be:
curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/oauth2/token

try that and see if it helps

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 14:07
From: Devin Richards
Subject: API Connect 2018 OAuth config error

One thing that is odd to me the Firewall requirements
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

for #7 they only list port 3000 which is for the "new" DataPower API Gateway the "old" DataPower Gateway v5 uses the XML Manager on port 5550

here is the v5 reference
https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

maybe check your firewall rules to open more ports?

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 13:55
From: Devin Richards
Subject: API Connect 2018 OAuth config error

The native OAuth should get pushed, but not sure in v5 we had to add our custom providers to plans to get them to work.

As for the DataPowers I missed the fact that you are using the "old" DataPower Gateway v5
with that you should directly connect to the XML Manager interface and upload the config
with the "new" DataPower API Gateway there is an auto-peering that if configured requires more than 1 DataPower before it starts, but not really applicable in your case with a VM DataPower and not the docker image.

Since all of the runtime is on the DataPower and that APIC servers are not really involved, you could go to the CMC and delete the existing DataPower Gateway v5 service, and go onto the DataPower management UI and make sure the Application Domain was deleted and then add it back in, as once it is back in the APIs should get pushed out to it.

Side note I have had good luck with minikube based on JoelGauci/apicv2018 when using the --vm-driver=none option for playing with APIC locally

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 10:28
From: Bryon Kataoka
Subject: API Connect 2018 OAuth config error

Hi - Thanks for the response A couple of questions.

How do you ensure the backing API for OAuth Native is published? I thought APIC was handling that for us and I never see a reference to the OAuth Native backing API.
Are you saying we must have multiple gateways running? Is that mentioned somewhere in the Knowledge Center?

------------------------------
Bryon Kataoka
CTO
Petaluma CA
707-773-1198

Original Message:
Sent: 10-12-2018 08:56
From: Devin Richards
Subject: API Connect 2018 OAuth config error

While not having this same issue, I offer this advice, make sure you have at least 2 DataPower API Gateway containers running (scale the xxx-dynamic-gateway-service to 2 if not 3) and make sure all APIs including the OAuth providers have been published to your runtime.

------------------------------
Devin Richards

Original Message:
Sent: 10-11-2018 08:50
From: Carlos Quiroga Quiroga
Subject: API Connect 2018 OAuth config error

Hi team
we are following the next tutorial https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/tutorial_apionprem_oauth_passgrant.html
but when go to "Test OAuth Security" section, specifically on point "9. Obtain an OAuth token. In this case, cURL is used to obtain the token using the following command."
we receive the errorb629286.png error message

Did any have the same issue?
Ideas to test if OAuth was well configured?

------------------------------
Carlos Quiroga Quiroga Technical Solutions Architect
Technical Solutions Architect
IBM
Bogota
(571) 390-1318
------------------------------

10. RE: API Connect 2018 OAuth config error

Like

Sebastian Sutter

Posted Tue October 23, 2018 04:03 AM

Coming back to your issue with receiving a 404 when deploying the OAuth Provider. I had the same issue. There is a small bug that prevents deploying the OAuth Provider with an API when the API has been deployed without OAuth Security Definition before. If you increase the version number of your API and re-publish, the OAuth Provider should be deployed as well.
This bug will be resolved in the upcoming LTS release.

------------------------------
Sebastian Sutter
------------------------------

Original Message

Original Message:
Sent: 10-17-2018 18:44
From: Bryon Kataoka
Subject: API Connect 2018 OAuth config error

Hi - we are about to open a PMR but I will give this a shot and then open the PMR.

------------------------------
Bryon Kataoka
CTO
Petaluma CA
707-773-1198

Original Message:
Sent: 10-17-2018 11:58
From: Devin Richards
Subject: API Connect 2018 OAuth config error

I played around a bit with this on my setup in minikube and using the DataPower API Gateway so it is not exactly like you have setup but very close, and I did get an issue similar to yours.

The problem is that when you are trying to get the token from the OAuth provider the URL you are using is not correct, by default the Developer Portal and test tool are putting in the BasePath of the API you are working on into the URL for the OAuth provider and it is not supposed to. (Needs a PMR!)

in your example you are trying to curl
curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/ibm-oauth-test/oauth2/token

however looking at the tutorial the BasePath for the OAuth provider MainProviderOA is empty thus the token endpoint should be:
curl -k https://apicapi-gateway-pt.appsptqa.ath.com.co/org-pt/sandbox/oauth2/token

try that and see if it helps

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 14:07
From: Devin Richards
Subject: API Connect 2018 OAuth config error

One thing that is odd to me the Firewall requirements
https://www.ibm.com/support/knowledgecenter/SSMNED_2018/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

for #7 they only list port 3000 which is for the "new" DataPower API Gateway the "old" DataPower Gateway v5 uses the XML Manager on port 5550

here is the v5 reference
https://www.ibm.com/support/knowledgecenter/SSMNED_5.0.0/com.ibm.apic.install.doc/overview_apimgmt_portreqs.html

maybe check your firewall rules to open more ports?

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 13:55
From: Devin Richards
Subject: API Connect 2018 OAuth config error

The native OAuth should get pushed, but not sure in v5 we had to add our custom providers to plans to get them to work.

As for the DataPowers I missed the fact that you are using the "old" DataPower Gateway v5
with that you should directly connect to the XML Manager interface and upload the config
with the "new" DataPower API Gateway there is an auto-peering that if configured requires more than 1 DataPower before it starts, but not really applicable in your case with a VM DataPower and not the docker image.

Since all of the runtime is on the DataPower and that APIC servers are not really involved, you could go to the CMC and delete the existing DataPower Gateway v5 service, and go onto the DataPower management UI and make sure the Application Domain was deleted and then add it back in, as once it is back in the APIs should get pushed out to it.

Side note I have had good luck with minikube based on JoelGauci/apicv2018 when using the --vm-driver=none option for playing with APIC locally

------------------------------
Devin Richards

Original Message:
Sent: 10-12-2018 10:28
From: Bryon Kataoka
Subject: API Connect 2018 OAuth config error

Hi - Thanks for the response A couple of questions.

How do you ensure the backing API for OAuth Native is published? I thought APIC was handling that for us and I never see a reference to the OAuth Native backing API.
Are you saying we must have multiple gateways running? Is that mentioned somewhere in the Knowledge Center?

------------------------------
Bryon Kataoka
CTO
Petaluma CA
707-773-1198

Original Message:
Sent: 10-12-2018 08:56
From: Devin Richards
Subject: API Connect 2018 OAuth config error

While not having this same issue, I offer this advice, make sure you have at least 2 DataPower API Gateway containers running (scale the xxx-dynamic-gateway-service to 2 if not 3) and make sure all APIs including the OAuth providers have been published to your runtime.

------------------------------
Devin Richards

Original Message:
Sent: 10-11-2018 08:50
From: Carlos Quiroga Quiroga
Subject: API Connect 2018 OAuth config error

Hi team
we are following the next tutorial https://www.ibm.com/support/knowledgecenter/en/SSMNED_2018/com.ibm.apic.apionprem.doc/tutorial_apionprem_oauth_passgrant.html
but when go to "Test OAuth Security" section, specifically on point "9. Obtain an OAuth token. In this case, cURL is used to obtain the token using the following command."
we receive the errorb629286.png error message

Did any have the same issue?
Ideas to test if OAuth was well configured?

------------------------------
Carlos Quiroga Quiroga Technical Solutions Architect
Technical Solutions Architect
IBM
Bogota
(571) 390-1318
------------------------------

API Connect

API Connect