IBM Security Verify

  • 1.  IBM IAG first connection takes more than 20 seconds

    Posted Tue February 09, 2021 10:39 AM
    Hello,

    I am using IBM IAG in Google Cloud Kubernetes. IBM IAG has an OpenID configuration to login using Security Verify Access stored in our systems.

    But, when I try to access, before the OIDC redirection, IAG takes more than 20 seconds to answer. I add a picture with the timing, the config file for IAG and the yaml for the deployment.

    deployment
    apiVersion: apps/v1
    kind: Deployment
    
    metadata:
      name: iag
      labels:
        app: iag
    
    spec:
      selector:
        matchLabels:
          app: iag
    
      replicas: 1
    
      template:
        metadata:
          labels:
            app: iag
    
        spec:
          serviceAccountName: iag
          volumes:
            - name: iag-config
              configMap:
                name: iag-config
            - name: iag-certs
              configMap:
                name: iag-certs
    
          containers:
            - name: iag
              image: ibmcom/ibm-application-gateway:20.09
              env:
                - name: LANG
                  value: C
              volumeMounts:
                - name: iag-config
                  mountPath: /var/iag/config
                - name: iag-certs
                  mountPath: /var/iag/certs
    
    ---
    
    apiVersion: v1
    kind: Service
    metadata:
      name: iag
    spec:
      ports:
        - port: 80
          name: iag-http
          protocol: TCP
          targetPort: 8080
        - port: 443
          name: iag-https
          protocol: TCP
          targetPort: 8443
      sessionAffinity: ClientIP
      sessionAffinityConfig:
        clientIP:
          timeoutSeconds: 28800
      selector:
        app: iag
    
      type: LoadBalancer

    config.yml

    version: 20.07
    
    identity:
      oidc:
        discovery_endpoint: "https://xxxxxxxxxxxxxxxx"
        client_id: "xxxxxxxxx"
        client_secret: "xxxxxxxxxxxxxxx"
        scopes:
          - profile
          - openid
          - groups
        mapped_identity: "{sub}"
        id_token_attrs:
          - "+sub"
    
    server:
      local_applications:
        cred_viewer:
          path_segment: credview
          enable_html: true
          attributes:
          - "-AUTHENTICATION_LEVEL"
          - "+AZN_CRED_GROUPS"
      session:
        timeout: 28800
        inactive_timeout: 0
      local_pages:
        content: ""
        type: path
      protocols:
        - http
        - https
    
    resource_servers:
      - path: "/app"
        connection_type: "tcp"
        servers:
          - host: "app"
            port: 9067
        transparent_path: true
        identity_headers:
          attributes:
            - attribute: sub
              header: iv-user
    
    policies:
      authorization:
        - name: app
          paths:
            - /app*
          rule: (any AZN_CRED_GROUPS != "group")
          action: deny
    
    ADVANCED:
      CONFIGURATION:
        - STANZA: SERVER
          ENTRY: REDIRECT-HTTP-TO-HTTPS
          OPERATION: SET
          VALUE: [ TRUE ]
        - STANZA: SERVER
          ENTRY: WEB-HTTP-PORT
          OPERATION: SET
          VALUE: ["80"]
        - STANZA: SERVER
          ENTRY: WEB-HTTPS-PORT
          OPERATION: SET
          VALUE: ["443"]


    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: IBM IAG first connection takes more than 20 seconds

    Posted Tue February 09, 2021 11:17 AM
    Hi Javier,

    I don't see anything obviously wrong with your IAG service definition or your configuration.  Both are pretty straightforward.

    Looking at the timing trace, the delay seems to be before SSL negotiation, which means it is quite low level - no request processing in IAG has started at this point; no HTTP request has even been sent.

    You mention you see this on first connection.  Does that mean that subsequent connections are OK?
    What if you connect from a new browser; do you see the delay again?
    What if you connect from a different machine; do you see the delay again on first connection from new source?

    Just trying to narrow down on what part of processing is causing the issue.

    It's interesting that there is a "stalled" for 20 seconds even before DNS is exchanged - and then another 20 seconds when connection to IAG is made.  If that first "stalled" is related to the DNS lookup, I wonder if there is something bad on the source machine/browser which is causing all TCP sessions to take a long time to start?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: IBM IAG first connection takes more than 20 seconds

    Posted Wed February 10, 2021 04:05 AM

    Hello

    It was a mistake on my side. I am so sorry for bothering you.

    Regards



    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 4.  RE: IBM IAG first connection takes more than 20 seconds

    Posted Wed February 10, 2021 11:22 AM
    Hello,

    One person from this forum suggested that I share the mistake I made.

    It was not related to IBM IAG, so I didn't want to bother you with more info. The problem was that I have a very big hosts file with many domains. So I didn't realize I already had this domain at the beginning of the file with an address that is not working anymore, so I suppose that the browser tried the first address and then the working one.

    Again, sorry.

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------
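The root cause in this thread was a stale duplicate entry in a large hosts file: the resolver hands back the dead address first, and the client burns a full connect timeout on it before falling back to the working one, which shows up as a "stalled" phase before any TLS or HTTP activity. The following script is an added example, not code from the thread or from IBM, that parses a hosts file and reports every hostname mapped to more than one distinct address, in file order, so the entry a resolver would try first is visible. The file contents, hostnames and addresses below are constructed for the example (documentation address ranges, not real systems).

```python
"""Report hostnames that map to more than one address in a hosts file.

Added example, not from the thread. A resolver that reads /etc/hosts
returns every address listed for a name; if the first one is stale, a
client stalls for a connect timeout before trying the next address.
"""
import sys
from collections import OrderedDict


def parse_hosts(text):
    """Return an ordered mapping hostname -> [(line_no, address), ...]
    in file order, ignoring blank lines and '#' comments.
    Hostnames are case-insensitive, so they are lower-cased."""
    mapping = OrderedDict()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), []).append((line_no, address))
    return mapping


def find_duplicates(text):
    """Return {hostname: [(line_no, address), ...]} for every name whose
    entries point at more than one distinct address."""
    return {
        name: entries
        for name, entries in parse_hosts(text).items()
        if len({addr for _, addr in entries}) > 1
    }


# Constructed sample hosts file: the gateway name appears twice, with the
# stale address listed first (the situation described in the thread).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
# old lab address, no longer reachable
10.0.0.5      iag.example.test   # stale
192.0.2.10    app.example.test
203.0.113.10  iag.example.test   # current load balancer
203.0.113.10  IAG.EXAMPLE.TEST
"""


def report(text=SAMPLE_HOSTS):
    """Print the conflicting entries and return them for further use."""
    dups = find_duplicates(text)
    for name, entries in dups.items():
        first_line, first_addr = entries[0]
        print(f"{name}: {len(entries)} entries; a resolver returns "
              f"{first_addr} (line {first_line}) first")
        for line_no, addr in entries:
            print(f"  line {line_no}: {addr}")
    if not dups:
        print("no hostname maps to more than one address")
    return dups


if __name__ == "__main__":
    # Usage: python hosts_dups.py [/etc/hosts]; no argument uses the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report(fh.read())
    else:
        report()
```

Run it against the real file with `python hosts_dups.py /etc/hosts` (or `C:\Windows\System32\drivers\etc\hosts` on Windows). Only names with two or more distinct addresses are reported, so a name repeated with the same address, as on the last sample line, is not flagged by itself.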