IBM Verify

  • 1.  IAM translates 503 to a 500

    Posted Wed January 23, 2019 04:23 AM
    Hi,

    I made a mocked API to which you can send a parameter with the HTTP status code you wish to get back,
    for example https://isam.example.com/api/503

    For some reason the 503 gets translated by WebSEAL to 500 internal server error.

    Does anyone know the design decision behind that rule?

    ------------------------------
    Regards Mikael
    ------------------------------


  • 2.  RE: IAM translates 503 to a 500

    Posted Thu January 24, 2019 01:59 AM
    We ran into exactly the same issue as you, being unable to have an API return a proper 503.

    I hope that in 9.0.6 or 9.0.7 they will allow us to have more control on this because at the moment, the only workaround we found is to stop using ISAM for pure API exposition.

    ------------------------------
    André Leruitte
    ------------------------------



  • 3.  RE: IAM translates 503 to a 500

    Posted Thu January 24, 2019 05:18 AM
    Hi,

    First off: did you open a case at IBM Support for this? If not: you should have - instead of stopping using ISAM ;-)

    With some googling around and the great help from my colleague Hans, it seems that the parameter no-remote-jct-error-status-codes might work for such cases.
    This option was offered ages ago in a TAM 5.1 fixpack. See here:
    ftp://ftp.software.ibm.com/software/tivoli_support/patches/patches_5.1.0/5.1.0-TIV-AWS-FP0032/5.1.0-TIV-AWS-FP0032.README
    The readme says:

    The customer upgraded from 4.1 to 5.1, and noticed that when a junctioned
    server returned an HTTP 503 error code that it was returned to the client as
    an HTTP 500. This was intentional behavior added in 5.1. There is now a
    descriptive error message returned (which describes the 503 error
    condition) with the HTTP 500 error. If this is not enough information to
    show what error occurred, there is a backward compatibility flag to enable the
    old behavior (sending the 503 error to the client):

    [junction]
    no-remote-jct-error-status-codes = yes

    Please go ahead and try that. Don't panic if you don't find any documentation on this, it's a so-called hidden config.
    If it doesn't work or if you are unsure about the support, then please open a case.

    Cheers, Peter.



    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------



  • 4.  RE: IAM translates 503 to a 500

    Posted Fri January 25, 2019 10:06 AM
    Hi,

    After some extra discussions about this I found out that this WebSEAL setting does not forward the actual content from the API service. Typical content is e.g. a JSON that explains what exactly is going wrong. Instead WebSEAL only forwards the HTTP status code 503, but replies with a static HTML page stating "service unavailable".
    There is an RFE, request for enhancement, open for this with id 124474. Here's the direct link: https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=124474
    Consider voting and/or adding this to your "watchlist".

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------
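
A mock origin like the one in the first post, plus a comparison of what the origin sent with what a client sees through the junction, as an added example that is not code from any poster or from IBM. The port, the JSON fields and the two proxied captures are constructed assumptions, not real WebSEAL output.

```python
import json
import re
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

def mock_response(path):
    """/api/<code> answers with that status and a JSON body (constructed)."""
    m = re.fullmatch(r"/api/([45]\d\d)", path)
    if not m:
        return 404, "application/json", json.dumps({"error": "unknown path"})
    code = int(m.group(1))
    body = json.dumps({"status": code, "detail": "constructed outage detail"})
    return code, "application/json", body

class MockApi(BaseHTTPRequestHandler):
    def do_GET(self):
        code, ctype, body = mock_response(self.path)
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

def media_type(value):
    return value.split(";")[0].strip().lower()

def compare(direct, proxied):
    """Both are (status, content_type, body); returns what the proxy changed."""
    findings = []
    if direct[0] != proxied[0]:
        findings.append(f"status rewritten: {direct[0]} -> {proxied[0]}")
    if media_type(direct[1]) != media_type(proxied[1]):
        findings.append(f"content type changed: {media_type(direct[1])} -> {media_type(proxied[1])}")
    if direct[2] != proxied[2]:
        findings.append("body replaced")
    return findings

# Constructed captures of what a client might see through the junction.
PROXIED = {
    "default": (500, "text/html", "<html>constructed error page</html>"),
    "no-remote-jct-error-status-codes = yes": (503, "text/html", "<html>constructed static page</html>"),
}

if __name__ == "__main__":
    if sys.argv[1:] == ["serve"]:  # run the mock origin on an assumed port
        HTTPServer(("127.0.0.1", 8080), MockApi).serve_forever()
    for name, seen in PROXIED.items():
        print(name, compare(mock_response("/api/503"), seen))
```

Run it with `serve` to use it as the junctioned backend, then feed `compare` the real responses captured directly and through the gateway.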



  • 5.  RE: IAM translates 503 to a 500

    Posted Fri January 25, 2019 10:22 AM
    Thanks for the update Peter!

    I tried to go in and vote for it but I get:
    You cannot access this page because you do not have the proper authority.


    ------------------------------
    Regards Mikael
    ------------------------------



  • 6.  RE: IAM translates 503 to a 500

    Posted Fri January 25, 2019 10:48 AM
    Same here Peter. I would gladly upvote the RFE if only I had the permission :)

    Otherwise you perfectly described the limitation we ran into: there is no way to tell ISAM to forward the (JSON) response from the API.

    In our case it was really an issue because a particular api (exposed to external partners) could be partly unavailable, so the 503 answer from the api contained additional information about the parts of the api unavailable, why and how long.

    ------------------------------
    André Leruitte
    ------------------------------



  • 7.  RE: IAM translates 503 to a 500

    Posted Fri January 25, 2019 10:58 AM
    Hi,

    I assume you were logged on before attempting to vote? If so, it's possible that you cannot vote because the RFE is "private": you cannot view the RFE's content. So it is somewhat logical that you cannot vote for it either.

    Cheers, Peter.

    ------------------------------
    Peter Volckaert
    Sales Engineer
    IBM Security
    ------------------------------