The YAML file provided below contains an example configuration for an IBM Application Gateway (IAG) container which:
- Specifies a server certificate;
- Configures an IBM Security Verify tenant as the identity provider using OIDC;
- Defines a single Web application which will be proxied by the IAG;
- Defines an authorization policy for the Web application.
```yaml
version: "19.12"

#
# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application. This configuration will
# simply define a server certificate, configure an IBM Security Verify tenant
# as the identity provider, define a single application and then define some
# authorization rules for this application.
#

#
# Specify a server certificate to be used by the container. The server
# certificate was created using an openssl command:
#   openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#       -out cert.pem
#
# The key.pem and cert.pem files were then combined into a single file:
#   cat cert.pem key.pem > test-iag.cer
#
# To remove the dependency on an external file a base-64 representation of the
# test-iag.cer file can be embedded within this yaml, where the base-64 encoded
# file is prefixed with 'B64:', for example: "B64:PGhy4KICAgIDxoND5...."
#
# If no certificate is specified a self-signed certificate will be
# automatically created and used by the container.
#

server:
  ssl:
    front_end:
      certificate: "@test-iag.cer"

#
# Specify an IBM Security Verify tenant as the identity provider for the
# container. Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant. A free tenant can be created
# using the instructions found at the following URL:
#   https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
#   https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the host
# header contained in the request, appended with '/pkmsoidc' (for example:
# https://ibm-app-gateway.ibm.com/pkmsoidc). This redirect URI should be
# specified when creating the custom application within the IBM Security
# Verify administrators console.
#

identity:
  oidc:
    discovery_endpoint: "https://ibm_app_gw.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

#
# Define a resource server which will be hosted at the '/static' path of the
# IAG container. A single Web server, located at http://10.10.10.200:1337,
# hosts the resource server.
#
# An authorization policy has also been defined which:
#   1. Allows 'application owners' to retrieve any resource;
#   2. Allows unauthenticated users to retrieve the '/unauth' resource;
#   3. Allows any authenticated user to retrieve the '/everyone' resource;
#   4. Denies access to everything else.
#

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false
    policies:
      authorization:
        - name: "app_owners"
          methods:
            - "GET"
          paths:
            - "*"
          rule: (any groupIds = "application owners")
          action: "permit"
        - name: "any_user"
          methods:
            - "GET"
          paths:
            - "/unauth"
          rule: "anyuser"
          action: "permit"
        - name: "any_auth_user"
          methods:
            - "GET"
          paths:
            - "/everyone"
          rule: "anyauth"
          action: "permit"
        - name: "go-away"
          paths:
            - "*"
          rule: "()"
          action: "deny"
```
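As an added example (not code from the page or from IBM's IAG product), here is a small Python model of how the authorization policy above has to behave to produce the four outcomes listed in its comments: the rules are evaluated in document order, and the first rule whose method list, path list and rule expression all match decides the result. Everything beyond what the YAML states is an assumption of this example: first-match semantics, that an omitted `methods` list means every HTTP method, that `()` is an empty rule that matches every request, that `*` in `paths` is a glob wildcard, that the request path is matched relative to the resource server's `/static` mount, and that `groupIds` is a list-valued claim on the authenticated user. The rule parser handles only the three forms used on the page.

```python
import re
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# The four rules, transcribed from the page's YAML in document order.
POLICY = [
    {"name": "app_owners", "methods": ["GET"], "paths": ["*"],
     "rule": '(any groupIds = "application owners")', "action": "permit"},
    {"name": "any_user", "methods": ["GET"], "paths": ["/unauth"],
     "rule": "anyuser", "action": "permit"},
    {"name": "any_auth_user", "methods": ["GET"], "paths": ["/everyone"],
     "rule": "anyauth", "action": "permit"},
    # No 'methods' key: assumed (not stated on the page) to mean every method.
    {"name": "go-away", "paths": ["*"], "rule": "()", "action": "deny"},
]

# Matches the one attribute-test form used on the page: (any <claim> = "<value>")
ANY_RE = re.compile(r'^\(any\s+(\w+)\s*=\s*"([^"]*)"\)$')

# ctx is None for an unauthenticated request, otherwise claim name -> values.
Context = Optional[Dict[str, List[str]]]


def rule_matches(rule: str, ctx: Context) -> bool:
    """Evaluate the subset of the IAG rule language that appears on the page."""
    if rule in ("anyuser", "()"):      # "()" assumed: empty rule, always true
        return True
    if rule == "anyauth":              # true only when a user is authenticated
        return ctx is not None
    m = ANY_RE.match(rule)
    if m:
        claim, wanted = m.group(1), m.group(2)
        # "any": true if any value of the claim equals the literal
        return ctx is not None and wanted in ctx.get(claim, [])
    raise ValueError(f"unsupported rule syntax: {rule!r}")


def authorize(method: str, path: str, ctx: Context) -> Tuple[str, Optional[str]]:
    """Return (action, rule_name) for the first matching rule.

    path is the portion after the resource server's /static mount (assumption).
    If no rule matches at all the example defaults to deny (assumption; the
    page's own policy never reaches this because 'go-away' matches everything).
    """
    for entry in POLICY:
        methods = entry.get("methods")
        if methods is not None and method not in methods:
            continue
        if not any(fnmatchcase(path, p) for p in entry["paths"]):
            continue
        if rule_matches(entry["rule"], ctx):
            return entry["action"], entry["name"]
    return "deny", None


if __name__ == "__main__":
    # Constructed sample requests covering each of the four described outcomes.
    owner = {"groupIds": ["application owners"]}
    staff = {"groupIds": ["staff"]}
    samples = [
        ("GET", "/unauth", None),      # anonymous, open resource
        ("GET", "/everyone", None),    # anonymous, authenticated-only resource
        ("GET", "/everyone", staff),   # any authenticated user
        ("GET", "/admin", staff),      # not an owner, not an open path
        ("GET", "/admin", owner),      # owner may read anything
        ("POST", "/unauth", owner),    # non-GET falls through to the catch-all
    ]
    for method, path, ctx in samples:
        who = "anonymous" if ctx is None else ",".join(ctx["groupIds"])
        print(f"{method:4} {path:10} [{who:18}] -> {authorize(method, path, ctx)}")
```

Running the sample table exposes an edge the YAML comments do not spell out: the three permit rules list only `GET`, while `go-away` carries no method restriction, so a `POST` to `/unauth`, even from an application owner, falls through to the deny rule. That is the safe direction to fail in, and it is why the explicit catch-all deny belongs last in the list: nothing can then fall off the end of the policy with an undefined result.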