Hi Javier,
I don't see anything obvious wrong with your IAG service definition or your configuration. Both are pretty straightforward.
Looking at the timing trace, the delay seems to be before SSL negotiation, which means it is quite low level: no request processing in IAG has started at this point; no HTTP request has even been sent.
You mention you see this on first connection. Does that mean that subsequent connections are OK?
What if you connect from a new browser; do you see the delay again?
What if you connect from a different machine; do you see the delay again on first connection from new source?
Just trying to narrow down on what part of processing is causing the issue.
It's interesting that there is a "stalled" for 20 seconds even before DNS is exchanged - and then another 20 seconds when connection to IAG is made. If that first "stalled" is related to the DNS lookup, I wonder if there is something bad on the source machine/browser which is causing all TCP sessions to take a long time to start?
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
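One way to separate the phases Jon asks about (resolver, TCP connect, TLS handshake) is to time each from the client machine. This is an added example script, not code from either post or from IBM; the gateway host and port are whatever you pass in, and nothing in it is IAG-specific.

```python
import socket
import ssl
import time


def time_phases(host: str, port: int, tls: bool = True, timeout: float = 30.0) -> dict:
    """Return seconds spent per phase: dns, connect, tls (plus 'error' on failure).

    A stall before DNS completes points at the client or resolver; one before
    TCP connect returns points at the path or load balancer; one inside the
    handshake points at the gateway's TLS stack.
    """
    phases = {}
    t0 = time.monotonic()
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:
        phases["dns"] = time.monotonic() - t0
        phases["error"] = f"dns: {exc}"
        return phases
    phases["dns"] = time.monotonic() - t0
    family, _, _, _, addr = infos[0]  # first resolved address only
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)          # a hung phase is reported as the timeout
    t0 = time.monotonic()
    try:
        sock.connect(addr)
        phases["connect"] = time.monotonic() - t0
        if tls:
            ctx = ssl.create_default_context()
            t0 = time.monotonic()
            with ctx.wrap_socket(sock, server_hostname=host):
                phases["tls"] = time.monotonic() - t0
        else:
            phases["tls"] = 0.0
    except OSError as exc:  # covers socket.timeout and ssl.SSLError
        phases.setdefault("connect", time.monotonic() - t0)
        phases["error"] = str(exc)
    finally:
        sock.close()
    return phases


def slow_phase(phases: dict, threshold: float = 5.0) -> str:
    """Name the first phase that took longer than `threshold` seconds, or 'none'."""
    for name in ("dns", "connect", "tls"):
        if phases.get(name, 0.0) > threshold:
            return name
    return "none"
```

Run `time_phases("<iag-host>", 443)` from the browser's machine and then from another host; comparing which phase `slow_phase` names in each case answers Jon's questions about source machine versus gateway.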
Original Message:
Sent: Tue February 09, 2021 10:39 AM
From: Javier Garcia Pazos
Subject: IBM IAG first connection takes more than 20 seconds
Hello,
I am using IBM IAG in Google Cloud Kubernetes. IBM IAG has an OpenID configuration to login using Security Verify Access stored in our systems.
But, when I try to access, before the OIDC redirection, IAG takes more than 20 seconds to answer. I add a picture with the timing, the config file for IAG and the yaml for the deployment.
deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: iag
  labels:
    app: iag
spec:
  selector:
    matchLabels:
      app: iag
  replicas: 1
  template:
    metadata:
      labels:
        app: iag
    spec:
      serviceAccountName: iag
      volumes:
        - name: iag-config
          configMap:
            name: iag-config
        - name: iag-certs
          configMap:
            name: iag-certs
      containers:
        - name: iag
          image: ibmcom/ibm-application-gateway:20.09
          env:
            - name: LANG
              value: C
          volumeMounts:
            - name: iag-config
              mountPath: /var/iag/config
            - name: iag-certs
              mountPath: /var/iag/certs
---
apiVersion: v1
kind: Service
metadata:
  name: iag
spec:
  ports:
    - port: 80
      name: iag-http
      protocol: TCP
      targetPort: 8080
    - port: 443
      name: iag-https
      protocol: TCP
      targetPort: 8443
  sessionAffinity: ClientIP
  sessionAffinityConfig:
    clientIP:
      timeoutSeconds: 28800
  selector:
    app: iag
  type: LoadBalancer
config.yml
version: 20.07
identity:
  oidc:
    discovery_endpoint: "https://xxxxxxxxxxxxxxxx"
    client_id: "xxxxxxxxx"
    client_secret: "xxxxxxxxxxxxxxx"
    scopes:
      - profile
      - openid
      - groups
    mapped_identity: "{sub}"
    id_token_attrs:
      - "+sub"
server:
  local_applications:
    cred_viewer:
      path_segment: credview
      enable_html: true
  attributes:
    - "-AUTHENTICATION_LEVEL"
    - "+AZN_CRED_GROUPS"
  session:
    timeout: 28800
    inactive_timeout: 0
  local_pages:
    content: ""
    type: path
  protocols:
    - http
    - https
resource_servers:
  - path: "/app"
    connection_type: "tcp"
    servers:
      - host: "app"
        port: 9067
    transparent_path: true
    identity_headers:
      attributes:
        - attribute: sub
          header: iv-user
policies:
  authorization:
    - name: app
      paths:
        - /app*
      rule: (any AZN_CRED_GROUPS != "group")
      action: deny
advanced:
  configuration:
    - stanza: server
      entry: redirect-http-to-https
      operation: set
      value: [ TRUE ]
    - stanza: server
      entry: web-http-port
      operation: set
      value: ["80"]
    - stanza: server
      entry: web-https-port
      operation: set
      value: ["443"]
Regards
------------------------------
Javier Garcia Pazos
------------------------------