IBM Security Verify


IBM IAG: Virtual junction is not working

  • 1.  IBM IAG: Virtual junction is not working

    Posted Wed October 13, 2021 05:41 AM
    Hello,

    I always use standard junctions, but I realized virtual junctions can make things easier for me, so I tried one. But it is not working and I am receiving this message:

    "Not found. Application Gateway couldn't find the resource you requested... "  (it is translated from Spanish)

    When I use standard junction, it works, so it is not about the host server.

    version: 21.04
    
    identity:
      oidc:
        discovery_endpoint: "https://example.com"
        client_id: "xxxxx"
        client_secret: "xxxx"
        scopes:
          - profile
          - openid
          - groups
        mapped_identity: "{sub}"
        id_token_attrs:
          - "+sub"
    
    server:
      local_applications:
        cred_viewer:
          path_segment: credview
          enable_html: true
          attributes:
          - "-AUTHENTICATION_LEVEL"
          - "+AZN_CRED_GROUPS"
      session:
        timeout: 28800
        inactive_timeout: 0
      ssl:
        front_end:
          ciphers:
          - TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
          - TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
          - TLS_RSA_EXPORT_WITH_RC4_40_MD5
          - TLS_RSA_WITH_AES_128_CBC_SHA
          - TLS_RSA_WITH_AES_128_GCM_SHA256
          - TLS_RSA_WITH_AES_256_CBC_SHA
          - TLS_RSA_WITH_DES_CBC_SHA
      local_pages:
        content: "@healthz.zip"
        type: zip
      protocols:
        - http
        - https
    
    
    resource_servers:
      - virtual_host: "one.example.com"
        connection_type: "tcp"
        servers:
                - host: "frontend"
                  port: "9099"
        transparent_path: true
        identity_headers:
                attributes:
                        - attribute: sub
                          header: iv-user
    policies:
            authorization:
            - name: policyA
              paths:
               - /healthz/index.html
              rule: anyuser
              action: permit
            - name: policy2
              paths:
              - /example1*
              - /example2
              rule: (any AZN_CRED_GROUPS != "Example")
              action: deny
    
    advanced:
      configuration:
      - stanza: server
        entry: redirect-http-to-https
        operation: set
        value: [ true ]
      - stanza: server
        entry: http-method-disabled-local
        operation: set
        value: ["TRACE,CONNECT"]
      - stanza: server
        entry: http-method-disabled-remote
        operation: set
        value: ["TRACE,CONNECT"]

    Can you see anything wrong? For your information, I deployed it in Kubernetes behind an ingress.

    Another quick question: I use the config file as a ConfigMap. Is there any way to update the config file and have IBM IAG take this new configuration without rebooting the pod?

    Regards and thank you everybody for your help

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: IBM IAG: Virtual junction is not working

    Posted Wed October 13, 2021 05:06 PM
    Javier,
     
    A virtual host junction is identified by the host header which is supplied in the request.  If IAG is not finding the resource for the VHJ you need to check the host header which is supplied in the request to ensure that it exactly matches the virtual_host specified in the yaml.
     
    In answer to your second question, unfortunately there is no way to force IAG to reload configuration information without also restarting the container.
     
    I hope that this helps.
     
    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor
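
The check described in the reply above, as an added example that is not part of the original thread and is not IBM code: it pulls the `virtual_host` values out of the IAG YAML and compares them with Host headers seen at the gateway, reporting why a near-miss fails. It assumes the comparison is an exact string match, as the reply states; the function names and the sample Host headers are constructed for illustration.

```python
import re

# Constructed sample: the resource_servers fragment from the question.
IAG_YAML = '''
resource_servers:
  - virtual_host: "one.example.com"
    connection_type: "tcp"
'''

def configured_virtual_hosts(yaml_text):
    """Pull every virtual_host value out of the IAG YAML text."""
    pattern = r'^\s*-?\s*virtual_host:\s*["\']?([^"\'\s#]+)'
    return re.findall(pattern, yaml_text, flags=re.MULTILINE)

def diagnose(host_header, virtual_hosts):
    """Return 'match', or the reason the Host header selects no junction."""
    if host_header in virtual_hosts:      # assumption: exact string match
        return "match"
    name, _, port = host_header.partition(":")
    for vh in virtual_hosts:
        vh_name, _, vh_port = vh.partition(":")
        if name == vh_name and port != vh_port:
            return f"port differs from {vh!r}"
        if host_header.lower() == vh.lower():
            return f"case differs from {vh!r}"
        if host_header.rstrip(".") == vh:
            return f"trailing dot differs from {vh!r}"
    return "no configured virtual_host with this name"

# Constructed Host headers, e.g. as forwarded by a Kubernetes ingress.
OBSERVED = ["one.example.com", "one.example.com:443", "One.Example.com",
            "iag-service.default.svc.cluster.local"]

def report(yaml_text=IAG_YAML, observed=OBSERVED):
    """Map each observed Host header to its diagnosis."""
    hosts = configured_virtual_hosts(yaml_text)
    return {h: diagnose(h, hosts) for h in observed}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:45} {verdict}")
```

Behind an ingress, the value to feed in is the Host header the ingress actually forwards to IAG, which can differ from the name typed in the browser.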