IBM Security Verify

  • 1.  Is IBM IAG blocking PUT and DELETE requests?

    Posted Fri October 01, 2021 07:14 AM
    Hello,

    I think IBM IAG is blocking PUT and DELETE requests? Is it possible? I didn't change anything about it in the config file. 

    Can you help me?

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------


  • 2.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Fri October 01, 2021 07:55 AM
    Edited by Jon Harry Fri October 01, 2021 08:01 AM
    Hi Javier,

    Yes, I think IAG is blocking PUT and DELETE by default (along with TRACE and CONNECT). This is standard configuration for the Verify Access Reverse Proxy and has been passed over to the IAG.

    If you want to enable PUT and DELETE but leave TRACE and CONNECT disabled, you can add this advanced configuration:

    advanced:
      configuration:
      - stanza: server
        entry: http-method-disabled-local
        operation: set
        value: ["TRACE,CONNECT"]
      - stanza: server
        entry: http-method-disabled-remote
        operation: set
        value: ["TRACE,CONNECT"]

    If you want to enable all methods (i.e. disable none) then you can add this advanced configuration instead:

    advanced:
      configuration:
      - stanza: server
        entry: http-method-disabled-local
        operation: delete
      - stanza: server
        entry: http-method-disabled-remote
        operation: delete

    I hope this helps.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Mon October 04, 2021 02:27 AM
    Edited by Javier Garcia Pazos Mon October 04, 2021 02:30 AM
    Hello Jon,

    I thought this was the problem, but I am not sure anymore because I am still getting the same error.  I think I should post the error that I am still receiving after enabling put and delete:

    Method: PUT
    Error code: 0x38cf0430
    Text description: Not Implemented

    And the logs show a 400 HTTP code.

    Regards

    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 4.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Mon October 04, 2021 06:40 AM
    Hi Javier,

    I have tested the Advanced Configuration I suggested above.  Without this configuration I get the "Not Implemented" error.
    With it in place I am successfully able to use DELETE and PUT methods.

    I can't explain why you are still seeing "Not implemented" error after adding the suggested advanced configuration; it seems the advanced configuration is not active for some reason.

    It might be worth checking the contents for the generated configuration file within the container.  Get a shell on the iag container and review this file:
    /var/pdweb/default/etc/webseald-default.conf

    If you have left CONNECT and TRACE disabled, you should find these lines:

    http-method-disabled-local = TRACE,CONNECT
    http-method-disabled-remote = TRACE,CONNECT

    If you have used "delete" to remove this configuration you should not find these configuration items in the configuration at all.

    If you still find the PUT and DELETE methods listed in these config items, please review your YAML file and also make sure you have restarted IAG with this new configuration active.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
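
The check described in the post above, as an added example that is not part of the original thread or IBM's tooling: a POSIX shell helper that reads the `[server]` stanza of the generated file and reports whether a method is still listed, skipping commented-out lines that a plain `grep` would also match. The sample file and its `[example-other-stanza]` stanza are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which HTTP methods does the generated WebSEAL config disable?
CONF_DEFAULT=/var/pdweb/default/etc/webseald-default.conf   # path from the post

# disabled_methods ENTRY [FILE]: print the active value(s) of ENTRY in the
# [server] stanza. Commented-out lines and other stanzas are ignored.
disabled_methods() {
    awk -v want="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ {
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            in_server = (name == "server"); next
        }
        in_server && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) print val
        }
    ' "${2:-$CONF_DEFAULT}"
}

# method_blocked METHOD [FILE]: exit 0 if METHOD is listed in either entry.
method_blocked() {
    for entry in http-method-disabled-local http-method-disabled-remote; do
        disabled_methods "$entry" "$2" | tr ',' '\n' | tr -d ' \t' |
            grep -qixF "$1" && return 0
    done
    return 1
}

# Constructed sample in the format of webseald-default.conf, plus a made-up
# second stanza to show that only [server] is read.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[server]
# http-method-disabled-local = TRACE,PUT
http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
http-method-disabled-remote = TRACE,PUT,DELETE,CONNECT
[example-other-stanza]
http-method-disabled-local = HEAD
EOF

for m in GET PUT DELETE TRACE CONNECT; do
    if method_blocked "$m" "$SAMPLE"; then echo "$m: disabled"; else echo "$m: not disabled"; fi
done
```

Inside the container, call `method_blocked PUT` with no file argument to read the default path; if PUT is still reported as disabled after a restart, the advanced configuration was not applied.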



  • 5.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Mon October 04, 2021 06:55 AM
    Hello Jon,

    I checked webseald-default.conf  and it is still there. I can see this:

    # block access to the TRACE and PUT methods over local junctions the configuration entry
    # http-method-disabled-local = TRACE,PUT
    http-method-disabled-local = TRACE,PUT,DELETE,CONNECT
    http-method-disabled-remote = TRACE,PUT,DELETE,CONNECT

    I redeployed my pod and it is still failing. So, do you see any problem in my YAML?

    ADVANCED:
      CONFIGURATION:
        - STANZA: SERVER
          ENTRY: REDIRECT-HTTP-TO-HTTPS
          OPERATION: SET
          VALUE: [ TRUE ]
        - STANZA: SERVER
          ENTRY: WEB-HTTP-PORT
          OPERATION: SET
          VALUE: ["80"]
        - STANZA: SERVER
          ENTRY: WEB-HTTPS-PORT
          OPERATION: SET
          VALUE: ["443"]
        - stanza: server
          entry: http-method-disabled-local
          operation: delete
        - stanza: server
          entry: http-method-disabled-remote
          operation: delete

    I pasted it as I have it in my file. I think the file is in the right place because I can log in using the OIDC configuration and paths are working fine, so the only things that are not working are the last two stanzas.

    Regards



    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 6.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Mon October 04, 2021 06:57 AM
    Edited by Javier Garcia Pazos Mon October 04, 2021 06:57 AM
    ADVANCED:
      CONFIGURATION:
        - STANZA: SERVER
          ENTRY: REDIRECT-HTTP-TO-HTTPS
          OPERATION: SET
          VALUE: [ TRUE ]
        - STANZA: SERVER
          ENTRY: WEB-HTTP-PORT
          OPERATION: SET
          VALUE: ["80"]
        - STANZA: SERVER
          ENTRY: WEB-HTTPS-PORT
          OPERATION: SET
          VALUE: ["443"]
        - stanza: server
          entry: http-method-disabled-local
          operation: delete
        - stanza: server
          entry: http-method-disabled-remote
          operation: delete


    ------------------------------
    Javier Garcia Pazos
    ------------------------------



  • 7.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Mon October 04, 2021 07:24 AM
    Hi Javier,

    For some reason this forum doesn't easily allow inclusion of code snippets. I have raised this limitation internally as it is very frustrating.
    Currently I can only get it to work by creating a PRE formatted section using raw HTML editor mode.

    Anyway, I think the issue is that you are using UPPER CASE in the YAML.  When I do this the advanced configuration is not recognised.  I suggest that you use the following:

    advanced:
      configuration:
      - stanza: server
        entry: redirect-http-to-https
        operation: set
        value: [ true ]
      - stanza: server
        entry: web-http-port
        operation: set
        value: ["80"]
      - stanza: server
        entry: web-https-port
        operation: set
        value: ["443"]
      - stanza: server
        entry: http-method-disabled-local
        operation: delete
      - stanza: server
        entry: http-method-disabled-remote
        operation: delete


    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 8.  RE: Is IBM IAG blocking PUT and DELETE requests?

    Posted Mon October 04, 2021 07:38 AM
    Hello Jon,

    You were right about capital letters, and now I realize that web-http-port and web-https-port didn't work and I really didn't need them.

    Thank you very much for your help and have a great day.

    ------------------------------
    Javier Garcia Pazos
    ------------------------------