IBM Verify

  • 1.  Webseal junction on Kubernetes openshift

    Posted Wed October 09, 2024 07:42 AM

    Hello,
    I have set up a junction to my openshift platform.
    I see a strange behaviour: the junction shows as down, but if I call the junction the application behind it works fine and at that moment the junction is up, only to go back down after some time.

    before invoking the junction 

    After invoking the junction 

    What do I need to configure to have the junction always up and running?



    ------------------------------
    Fabio Morziello
    ------------------------------


  • 2.  RE: Webseal junction on Kubernetes openshift

    Posted Wed October 09, 2024 04:51 PM

    Fabio,

     

    Are you able to provide some further clarification on what you mean when you say the junction is up or down? You have shown screenshots of the UI, but in a containerised environment the configuration container does not directly communicate with the junction and so it won't show the status of the junction.

     

    Are you saying that in the WRP container you are seeing log messages stating that the junction is cycling between available and unavailable?

     

    Thanks.

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


     

     

     






  • 3.  RE: Webseal junction on Kubernetes openshift

    Posted Thu October 10, 2024 05:08 AM

    Hi Scott,

    Thank you for your answer,
    I have an application exposed by RH Openshift via a route like http://myapp.myopenshit.com/myapp.

    I created a transparent junction like this:
    Server task mywebseal create -t tcp -h myapp.myopenshit.com -p 80 -v myapp.myopenshit.com -x /myapp

    If I try to see the status of this new junction via the command:
    Server task mywebseal show /myapp
    I can see that the resource is online but the server status is not running as you can see from the following image.

    If I then call my junction from my portal (https://my.websealdomain.it/myapp) it works fine and the server status goes from 'not running' to 'running' and then returns to a 'not running' status after some time.

    If I may add one more piece of information: if I try to connect to the same endpoint configured on the junction, it responds correctly.

    What do I have to configure on the webseal side or on the RH Openshift side to make the junction always running?

    Where is my error?

    Regards,

    Fabio



    ------------------------------
    Fabio Morziello
    ------------------------------



  • 4.  RE: Webseal junction on Kubernetes openshift

    Posted Thu October 10, 2024 05:23 AM

    It sounds like the junction is always running OK, but the status is not being reported correctly.  I assume that you are running the server task to show the junction status on the WebSEAL instance itself?  Have you checked the container console for any error messages?

     

     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


     

     

     






  • 5.  RE: Webseal junction on Kubernetes openshift

    Posted Fri October 11, 2024 12:40 AM

    Hi Fabio,

    I just helped a customer with this exact same issue.  Check the ping-uri in the WRP config file.  For example,

    [junction]
    ping-method = HEAD
    ping-uri = /
    ping-response-code-rules = +2??

    We used the curl command built-in to the admin CLI to run the above to the junction server.  For example,

    isva> tools
    isva:tools> curl -v -s -k -X HEAD https://backendserver:port

    We saw that a 500 was returned.  The backend did not like the HEAD command or accessing using /.  We added a one-off health check like,

    [junction:/jct]
    ping-method = GET
    ping-uri = /appname
    ping-response-code-rules = +2??

    This resolved the issue and the server always shows running as it should be.

    Given your problem description this sounds like the exact same issue and you'll need to figure out a proper health check.



    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------



  • 6.  RE: Webseal junction on Kubernetes openshift

    Posted Fri October 11, 2024 10:27 AM

    Thank you for your answer Nick.
    I tried applying your solution on one of my webseals, but now it no longer starts even though I removed the configuration you recommended.
    In the message log of the webseal I have this error:
    HPDCO0156E Configuration item missing (junction, basicauth-dummy-passwd).

    Any ideas?



    ------------------------------
    Fabio Morziello
    ------------------------------



  • 7.  RE: Webseal junction on Kubernetes openshift

    Posted Fri October 11, 2024 11:44 AM

    That means you cut the [junction] stanza in half, so to speak.  Usually the last two lines in the junction stanza are


    [junction]
    .... other options ...
    server-hostname-validation = disabled
    basicauth-dummy-passwd = obfuscated

    [query-contents]

    The error is being thrown because basicauth-dummy-passwd is now outside of the junction stanza.



    ------------------------------
    Nick
    IBM Security Verify Customer Support
    ------------------------------
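
A sketch of both points from Nick's replies, added here as an example (not code from the thread or from IBM): it parses a constructed WRP config fragment, reports which stanza `basicauth-dummy-passwd` lands in when the `[junction:/jct]` override is pasted into the middle of `[junction]`, and evaluates a response code against the junction's effective ping rules. It assumes per-junction entries override `[junction]` and that a code matching no rule counts as unhealthy, as the 500 in post 5 suggests; all function and constant names are hypothetical.

```python
import fnmatch

# Constructed fragments modelled on the stanzas quoted in the thread.
GLOBAL_PING = "[junction]\nping-method = HEAD\nping-uri = /\nping-response-code-rules = +2??\n"
GLOBAL_TAIL = "server-hostname-validation = disabled\nbasicauth-dummy-passwd = obfuscated\n"
OVERRIDE = "[junction:/jct]\nping-method = GET\nping-uri = /appname\nping-response-code-rules = +2??\n"
# BROKEN: override pasted into the middle of [junction]; FIXED: placed after it.
BROKEN = GLOBAL_PING + OVERRIDE + GLOBAL_TAIL + "\n[query-contents]\n"
FIXED = GLOBAL_PING + GLOBAL_TAIL + "\n" + OVERRIDE + "\n[query-contents]\n"

def parse_stanzas(text):
    """Return {stanza: {key: value}}; each key belongs to the nearest header above it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def owning_stanzas(stanzas, key):
    """Stanzas that actually contain `key` (should be ['junction'] for global entries)."""
    return [name for name, entries in stanzas.items() if key in entries]

def effective_ping(stanzas, junction):
    """Ping settings for one junction: [junction:<point>] overrides [junction]."""
    merged = dict(stanzas.get("junction", {}))
    merged.update(stanzas.get("junction:" + junction, {}))
    return {k: v for k, v in merged.items() if k.startswith("ping-")}

def is_healthy(rules, status):
    """First matching +/- rule decides. ASSUMPTION: a code matching no rule is unhealthy."""
    for rule in rules.split():
        if fnmatch.fnmatchcase(str(status), rule[1:]):
            return rule.startswith("+")
    return False

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("fixed", FIXED)):
        s = parse_stanzas(conf)
        print(label, "basicauth-dummy-passwd is in", owning_stanzas(s, "basicauth-dummy-passwd"))
    ping = effective_ping(parse_stanzas(FIXED), "/jct")
    for code in (200, 500):
        verdict = "healthy" if is_healthy(ping["ping-response-code-rules"], code) else "unhealthy"
        print(ping["ping-method"], ping["ping-uri"], code, verdict)
```

Running the same check against a real config before restarting the instance shows whether a pasted per-junction stanza has pushed global entries out of `[junction]`.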