Thank you Scott,
I think I didn't explain myself but credview is a local application so the configuration is:
server:
local_applications:
cred_viewer:
path_segment: credview
enable_html: true
attributes:
- "-AUTHENTICATION_LEVEL"
and then
policies:
authorization:
- name: policyA
paths:
- /credview
rule: anyuser
action: permit
And when I request
https://localhost:8443/credview from inside the container, I get:
curl -vk https://localhost:8443/credview
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=iag-crpr-b96b65597-mwm4f
* start date: Aug 29 23:51:51 2021 GMT
* expire date: Dec 2 23:51:51 2023 GMT
* issuer: CN=iag-crpr-b96b65597-mwm4f
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /credview HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< content-length: 3469
< content-type: text/html
< date: Tue, 31 Aug 2021 06:35:11 GMT
< p3p: CP="NON CUR OTPi OUR NOR UNI"
< x-frame-options: DENY
< x-content-type-options: nosniff
< cache-control: no-store
< x-xss-protection: 1
< content-security-policy: frame-ancestors 'none'
< strict-transport-security: max-age=31536000; includeSubDomains
< pragma: no-cache
<
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Application Gateway</title>
<style>
*{font-family:'IBM Plex Sans','Helvetica Neue',Arial,sans-serif;letter-spacing:normal;text-rendering:optimizelegibility;user-select:none;-webkit-font-smoothing:antialiased -moz-font-smoothing:antialiased;-ms-font-smoothing:antialiased;-o-font-smoothing:antialiased;}
em{font-style:inherit;font-weight:700;}
body{margin:0;padding:0;}
html{height:100%;min-height:400px;background-color:#f3f3f3;}
a{color:inherit;text-decoration:inherit;}
h2{font-size:20px;margin-left:176px;}
h4{clear:both;padding-top:32px;}
p{font-size:14px;font-weight:400;margin-left:176px;}
.container{background-color:#fff;width:50%;max-width:720px;position:absolute;top:50%;left:50%;transform:translate(-50%,-50%);padding:48px 48px 0px 48px;min-height:300px;}
.container-short{min-height:240px;}
.message-box{font-size:1rem;color:#000000;padding:16px;}
.header{background-color:#161616;border-bottom:1px solid #393939;z-index:10000;height:3rem;color:#fff;padding:0 1rem;font-size:1rem;vertical-align:baseline;line-height:48px;font-weight:600;font-size:16px;}
.button{line-height:64px;width:50%;height:64px;color:#FFF;background-color:rgb(80,80,80);margin-bottom:-16px;text-align:left;border-style:none;padding-left:12px;font-size:14px;background-color:#4c4c4c;position:absolute;}
.button-other{left:0;}
.button-primary{background-color:rgb(15,98,254);position:absolute;right:0;}
.button-primary:hover{background-color:#0353e9;}
table{border-collapse:collapse;width:100%;margin-bottom:64px;}
th{background-color:rgb(224,224,224);width:30%;font-weight:600;}
td{width:70%;font-weight:400;background-color:rgb(244,244,244);font-weight:400;}
th,td{border-top:1px solid #f4f4f4;border-bottom:1px solid #e0e0e0;font-size:12px;padding-bottom:0px;padding-right:12px;padding-top:12px;padding-bottom:12px;padding-left:16px;text-align:left;word-break:break-word;}
.button-container{width:100%;height:64px;background-color:#c6c6c6;margin-left:-48px;margin-right:-48px;border-style:none;position:absolute;bottom:-32px;}
svg{height:128px;width:128px;float:left;padding-right:48px;}
</style>
</head>
<body>
<div class="header">
<span>Application Gateway</span>
</div>
<div class="container">
<div class="message-box">
<svg focusable="false" preserveAspectRatio="xMidYMid meet" xmlns="http://www.w3.org/2000/svg" width="35%" height="35%" viewBox="0 0 48 48" aria-hidden="true" style="will-change: transform;"><path fill="none" stroke="#000" stroke-linejoin="round" stroke-miterlimit="10" stroke-width=".72" d="M39,37H9l15-26L39,37z M24,28V18"></path><circle cx="24" cy="32" r="1"></circle></svg> <h2>Error</h2>
<p>The Application Gateway could not complete your request due to an unexpected error.</p>
<H4>Diagnostic Information</H4>
<table>
<tr>
<th>Method</th>
<td>GET</td>
</tr>
<tr>
<th>URL</th>
<td>/credview</td>
</tr>
<tr>
<th>Error Code</th>
<td>0x38cf04c2</td>
</tr>
<tr>
<th>Error Text</th>
<td>DPWWA1218E Unknown junction server host</td>
</tr>
</table>
</div>
<div class="button-container">
<a class="button button-primary" href="/">Go Back</a>
</div>
</div>
</body>
* Connection #0 to host localhost left intact
Thank you for your help.
Regards
------------------------------
Javier Garcia Pazos
------------------------------
Original Message:
Sent: Mon August 30, 2021 03:40 PM
From: Scott Exton
Subject: IBM IAG: Best way of health check in Kubernetes
Javier,
You will get the 'DPWWA1218E Unknown junction server host' error when the host name configured for the junctioned server is not resolving to an IP address. SO, I would check the definition of the credview junction and ensure that the server name included in the junction definition can resolve to an IP address.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Original Message:
Sent: 8/30/2021 10:58:00 AM
From: Javier Garcia Pazos
Subject: RE: IBM IAG: Best way of health check in Kubernetes
Hello Jon
it is a healthcheck at ingress. I saw logs as you told me and I could see that a 302 was the response to the healthcheck. But I allow any user to the healthcheck url (it is a local page I uploaded) but it is giving 400 now. I connected to the pod and when I try https://localhost:8443/credview (for example) that it is allowed for everyone, I receive a "DPWWA1218E Unknown junction server host".
Do you know what is happening?
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Fri August 27, 2021 07:09 AM
From: Jon Harry
Subject: IBM IAG: Best way of health check in Kubernetes
Hi Javier,
What kind of healthcheck is this? If it's the healthcheck performed at the pod level, I wouldn't expect this to connect via the NodePort... usually it would be a direct communication to the pod listening port to check for active TCP connection or for a specific HTTP request.
Maybe you're talking about a healthcheck at the Ingress? I'm not so familiar with that. One guess might be that the healthcheck expects to get back a 200 response code and maybe the (unauthenticated) request for index.html is returning a 302 to your identity provider for authentication? If this is the case then you'll either need to make the page that you check for health available to unauthenticated connections or you'll need to change the healthcheck definition so that 302 is an acceptable response.
Do you see the healthcheck request in the request log of the IAG? That would let you know that the request is reaching IAG and what response is being returned.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Mon August 23, 2021 08:30 AM
From: Javier Garcia Pazos
Subject: IBM IAG: Best way of health check in Kubernetes
Hello,
I am using IBM IAG as Relying Party in Kubernetes, but I am getting errors when I create the service as NodePort and use it through GCE Ingress. Health check is failing and I don't know why.
I created a local page in config.yaml using a zip file with a folder and a index.html file. The health check points to this index.html using HTTPS and towards the node port.
Do you know how to solve it? Do you know any other way to verify the health status?
Regards
------------------------------
Javier Garcia Pazos
------------------------------