Hi Javier,
For some reason this forum doesn't easily allow inclusion of code snippets. I have raised this limitation internally as it is very frustrating.
Currently I can only get it work work by creating a PRE formatted section using raw HTML editor mode.
Anyway, I think the issue is that you are using UPPER CASE in the YAML. When I do this the advanced configuration is not recognised. I suggest that you use the following:
advanced:
configuration:
- stanza: server
entry: redirect-http-to-https
operation: set
value: [ true ]
- stanza: server
entry: web-http-port
operation: set
value: ["80"]
- stanza: server
entry: web-https-port
operation: set
value: ["443"]
- stanza: server
entry: http-method-disabled-local
operation: delete
- stanza: server
entry: http-method-disabled-remote
operation: delete
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
------------------------------
Original Message:
Sent: Mon October 04, 2021 06:56 AM
From: Javier Garcia Pazos
Subject: Is IBM IAG blocking PUT and DELETE requests?
ADVANCED: CONFIGURATION: - STANZA: SERVER ENTRY: REDIRECT-HTTP-TO-HTTPS OPERATION: SET VALUE: [ TRUE ] - STANZA: SERVER ENTRY: WEB-HTTP-PORT OPERATION: SET VALUE: ["80"] - STANZA: SERVER ENTRY: WEB-HTTPS-PORT OPERATION: SET VALUE: ["443"] - stanza: server entry: http-method-disabled-local operation: delete - stanza: server entry: http-method-disabled-remote operation: delete
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Mon October 04, 2021 06:55 AM
From: Javier Garcia Pazos
Subject: Is IBM IAG blocking PUT and DELETE requests?
Hello Jon,
I checked webseald-default.conf and it is still there. I can see this:
# block access to the TRACE and PUT methods over local junctions the configuration entry# http-method-disabled-local = TRACE,PUThttp-method-disabled-local = TRACE,PUT,DELETE,CONNECThttp-method-disabled-remote = TRACE,PUT,DELETE,CONNECT
I redeploy my pod and it is still failing. So, do you see any problem in my yaml?
ADVANCED: CONFIGURATION: - STANZA: SERVER ENTRY: REDIRECT-HTTP-TO-HTTPS OPERATION: SET VALUE: [ TRUE ] - STANZA: SERVER ENTRY: WEB-HTTP-PORT OPERATION: SET VALUE: ["80"] - STANZA: SERVER ENTRY: WEB-HTTPS-PORT OPERATION: SET VALUE: ["443"] - stanza: server entry: http-method-disabled-local operation: delete - stanza: server entry: http-method-disabled-remote operation: delete
I pasted it as I have in my file. I think the file is in the right place because I can login using the OIDC configuration and paths are working fine, so the only things are not working are last two stanzas.
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Mon October 04, 2021 06:40 AM
From: Jon Harry
Subject: Is IBM IAG blocking PUT and DELETE requests?
Hi Javier,
I have tested the Advanced Configuration I suggested above. Without this configuration I get the "Not Implemented" error.
With it in place I am successfully able to use DELETE and PUT methods.
I can't explain why you are still seeing "Not implemented" error after adding the suggested advanced configuration; it seems the advanced configuration is not active for some reason.
It might be worth checking the contents for the generated configuration file within the container. Get a shell on the iag container and review this file:
/var/pdweb/default/etc/webseald-default.conf
If you have left CONNECT and TRACE disabled, you should find these lines:
http-method-disabled-local = TRACE,CONNECT
http-method-disabled-remote = TRACE,CONNECT
If you have used "delete" to remove this configuration you should not find these configuration items in the configuration at all.
If you still find the PUT and DELETE methods listed in these config items, please review your YAML file and also make sure you have restarted IAG with this new configuration active.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon October 04, 2021 02:27 AM
From: Javier Garcia Pazos
Subject: Is IBM IAG blocking PUT and DELETE requests?
Hello Jon,
I thought this was the problem, but I am not sure anymore because I am still getting the same error. I think I should post the error that I am still receiving after enabling put and delete:
Method: PUT
Error code: 0x38cf0430
Text description: Not Implemented
And logs show a 400 http code.
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Fri October 01, 2021 07:55 AM
From: Jon Harry
Subject: Is IBM IAG blocking PUT and DELETE requests?
Hi Javier,
Yes, I think IAG is blocking PUT and DELETE by default (along with TRACE and CONNECT). This is standard configuration for the Verify Access Reverse Proxy and has been pass over to the IAG.
If you want to enable PUT and DELETE but leave TRACE And CONNECT disabled, you can add this advanced configuration:
advanced:
configuration:
- stanza: server
entry: http-method-disabled-local
operation: set
value: ["TRACE,CONNECT"]
- stanza: server
entry: http-method-disabled-remote
operation: set
value: ["TRACE,CONNECT"]
If you want to enable all methods (i.e. disable none) then you can add this advanced configuration instead:
advanced:
configuration:
- stanza: server
entry: http-method-disabled-local
operation: delete
- stanza: server
entry: http-method-disabled-remote
operation: delete
I hope this helps.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri October 01, 2021 07:13 AM
From: Javier Garcia Pazos
Subject: Is IBM IAG blocking PUT and DELETE requests?
Hello,
I think IBM IAG is blocking PUT and DELETE requests? Is it possible? I didn't change anything about it in the config file.
Can you help me?
Regards
------------------------------
Javier Garcia Pazos
------------------------------