IBM Verify

  • 1.  ISAM: OAUTH Access Token Generation Fails on Clustered Appliance

    Posted Mon July 27, 2020 04:02 PM
    Hello,

    I am working on the clustered configuration of ISAM AAC. There are multiple appliances of ISAM 9.0.7 configured in a cluster. Each appliance has its own AAC runtime enabled and running on localhost. Also, each appliance has its own reverse proxy instance configured for MMFA as per the ISAM MMFA cookbook.


    The OAUTH Authorization Code flow is being worked on to generate an access token. The reverse proxy running on the appliance which is acting as the primary master in the cluster is able to generate the access token successfully and we get the following response:

    {
    "access_token": "0dOemXttP0atl0rc7qxi",
    "refresh_token": "tPTzBQwuAikKSAejl1JX47m3CRjNoEYevWp8rOjx",
    "scope": "mmfaAuthn",
    "authenticator_id": "uuidf221a82e-bb4b-44e5-8486-98a8d7239eff",
    "token_type": "bearer",
    "display_name": "username",
    "expires_in": 3599
    }

    However, when I try to generate the access token using the reverse proxy instance on another appliance (part of the same cluster), the access token generation fails with the following response:

    {
    "error_description": "FBTOAU211E The [authorization_grant] received of type [authorization_code] does not exist.",
    "error": "invalid_grant"
    }

    Please note that this reverse proxy instance on the other appliance, where the token generation is failing, is also configured for MMFA as per the cookbook. The AAC runtime status on all appliances shows that the changes are active across all appliances. I can also see the OAUTH configuration under API Protection on all appliances.

    What could be causing this behavior?

    Best regards,


    ------------------------------
    Jahanzaib Sarwar
    ------------------------------


  • 2.  RE: ISAM: OAUTH Access Token Generation Fails on Clustered Appliance

    Posted Mon August 03, 2020 05:26 AM
    Hello,

    This error is coming from the AAC Runtime and I think it would be generated when the OAuth definition does not have authorization code enabled.  Since you have this working via one Reverse Proxy but not another, the implication is that the two Reverse Proxies have their /mga junction pointing to two different runtimes and that these have different configuration.

    You say you're in a cluster so the AAC Runtimes should have the same configuration.  Perhaps one of the AAC Runtimes has been reloaded since the OAuth configuration was set up but the other has not?  If that's not the case, perhaps there's an issue with the configuration being sync'd in the cluster.  I'm not an expert in that area but support should be able to help if that's the case.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
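
    Added illustration (not part of any post in this thread, and not IBM or ISAM code): a minimal model of the OAuth 2.0 authorization-code grant (RFC 6749 section 4.1) with the code held as server-side state. It shows, in general terms, how an "invalid_grant" response of the shape quoted above can arise when the token request is redeemed at a node that cannot see the grant the authorize step created, and that even with a shared grant store a code remains single-use. Whether that is what is happening on the poster's cluster is an assumption; the node names, store classes, client_id, redirect_uri and error text below are invented for the example.

```python
"""
Two-node model of an authorization-code grant. Each RuntimeNode stands in for
an AAC-runtime-like token issuer; GrantStore is either per node (modelling
reverse proxies whose /mga junctions point at separate runtimes) or shared.
All names and messages are constructed for this example.
"""
import secrets
import time


class GrantStore:
    """Server-side store of pending authorization codes."""

    def __init__(self):
        self._codes = {}

    def put(self, code, grant):
        self._codes[code] = grant

    def pop(self, code):
        # Codes are single-use: remove on first lookup so a replay fails.
        return self._codes.pop(code, None)


class RuntimeNode:
    """Issues authorization codes and redeems them for tokens."""

    def __init__(self, name, store, code_ttl=60):
        self.name = name
        self.store = store
        self.code_ttl = code_ttl

    def authorize(self, client_id, redirect_uri, scope):
        code = secrets.token_urlsafe(24)
        self.store.put(code, {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "scope": scope,
            "expires_at": time.time() + self.code_ttl,
        })
        return code

    def token(self, client_id, redirect_uri, code):
        grant = self.store.pop(code)
        if grant is None:
            # Same shape as the thread's failure: this node has no such grant.
            return {"error": "invalid_grant",
                    "error_description": f"[{self.name}] authorization_code does not exist"}
        if grant["expires_at"] < time.time():
            return {"error": "invalid_grant", "error_description": "authorization_code expired"}
        # RFC 6749 4.1.3: client and redirect_uri must match the original request.
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant", "error_description": "client/redirect_uri mismatch"}
        return {
            "access_token": secrets.token_urlsafe(15),
            "refresh_token": secrets.token_urlsafe(30),
            "token_type": "bearer",
            "scope": grant["scope"],
            "expires_in": 3599,
        }


CLIENT_ID = "mmfa-client"                    # constructed
REDIRECT_URI = "https://app.example/cb"      # constructed
SCOPE = "mmfaAuthn"


def run_flow(issuer, redeemer):
    """Authorize on one node, redeem on another; return the token response."""
    code = issuer.authorize(CLIENT_ID, REDIRECT_URI, SCOPE)
    return redeemer.token(CLIENT_ID, REDIRECT_URI, code)


def demo():
    # Case 1: each node keeps its own grant store.
    node_a = RuntimeNode("node-a", GrantStore())
    node_b = RuntimeNode("node-b", GrantStore())
    same_node = run_flow(node_a, node_a)    # works
    cross_node = run_flow(node_a, node_b)   # invalid_grant: node-b never saw the code

    # Case 2: both nodes share one store; cross-node redemption works,
    # but redeeming the same code twice is still rejected.
    shared = GrantStore()
    node_c = RuntimeNode("node-c", shared)
    node_d = RuntimeNode("node-d", shared)
    code = node_c.authorize(CLIENT_ID, REDIRECT_URI, SCOPE)
    first = node_d.token(CLIENT_ID, REDIRECT_URI, code)
    replay = node_d.token(CLIENT_ID, REDIRECT_URI, code)
    return {"same_node": same_node, "cross_node": cross_node,
            "shared_first": first, "shared_replay": replay}


if __name__ == "__main__":
    for name, resp in demo().items():
        print(name, "->", resp.get("error", "access_token issued"))
```

    The practical check this suggests: confirm which runtime each reverse proxy's /mga junction actually reaches, and whether the code issued via one proxy is visible to the runtime behind the other, before concluding the OAuth definition itself differs.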



  • 3.  RE: ISAM: OAUTH Access Token Generation Fails on Clustered Appliance

    Posted Mon August 03, 2020 01:53 PM
    Hi,

    The OAuth definition has authorization code enabled. Yes, the two Reverse Proxies have their /mga junction pointing to two different runtimes (localhost) of their respective appliances.

    Yes, we are in a cluster, so the AAC Runtimes should have the same configuration, and I believe they have the same configuration, because I can see the same OAUTH definition in this appliance (which is sync'd from the master). Also, other AAC configurations such as authentication policies and mapping rules are getting sync'd successfully. The reload of the runtime is not the issue, because I have also tried to manually reload it, and even restart it, but no luck.

    Yes, I am working with support on this, but unfortunately I am facing a delay in responses, so I thought I would ask for feedback from the team here.

    Regards,

    ------------------------------
    Jahanzaib Sarwar
    ------------------------------



  • 4.  RE: ISAM: OAUTH Access Token Generation Fails on Clustered Appliance

    Posted Thu April 24, 2025 07:59 AM

    Hello,

    Have you been able to solve this problem?

    We are facing many FBTOAU211E error codes in our logs too, in a cluster environment.

    Thank you in advance,



    ------------------------------
    Gyula Domonkos
    ------------------------------