We Have Moved
The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway
The documentation on this site will no longer be maintained after v21.02; please update your bookmarks.
The YAML file provided below contains an example configuration for an IBM Application Gateway (IAG) container which:
- Specifies a server certificate;
- Configures an IBM Security Verify tenant as the identity provider using OIDC;
- Defines a single Web application which will be proxied by the IAG;
- Defines an HTTP transformation policy for the Web application.
Example YAML File
version: "21.02"

#
# Configure an IAG container to proxy a single Web application. This
# configuration will simply define a server certificate, configure an IBM
# Security Verify tenant as the identity provider, define a single
# application, and define a HTTP transformation policy for the application.
#

#
# Specify a server certificate to be used by the container. The server
# certificate was created using an openssl command:
#   openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#       -out cert.pem
#
# To remove the dependency on external files a base-64 representation of the
# key.pem and cert.pem files can be embedded within this yaml, where the
# base-64 encoded file is prefixed with 'B64:', for example:
#   "B64:PGhy4KICAgIDxoND5...."
#
# If no certificate is specified a self-signed certificate will be
# automatically created and used by the container.
#

server:
  ssl:
    front_end:
      certificate:
        - "@cert.pem"
        - "@key.pem"

#
# Specify an IBM Security Verify tenant as the identity provider for the
# container. Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant. A free tenant can be created
# using the instructions found at the following URL:
#   https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
#   https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the host
# header contained in the request, appended with '/pkmsoidc' (for example:
# https://ibm-app-gateway.ibm.com/pkmsoidc). This redirect URI should be
# specified when creating the custom application within the IBM Security Verify
# administrators console.
#

identity:
  oidc:
    discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

#
# Define a resource server which will be hosted at the '/static' path of the
# IAG container. A single Web server, located at http://10.10.10.200:1337,
# hosts the resource.
#

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false

#
# Define the policies for the gateway.
#

policies:

  #
  # Specify a HTTP transformation policy, applied to all
  # resources, which will add the 'IAG_HTTP_XFORM_RESP: HELLO_WORLD'
  # HTTP header to all responses.
  #

  http_transformations:
    response:
      - name: "ResponseHeaderInjector"
        method: "*"
        paths:
          - "*"
        rule: |
          <?xml version="1.0" encoding="UTF-8"?>
          <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
            <xsl:strip-space elements="*" />
            <xsl:template match="/">
              <HTTPResponseChange>
                <xsl:apply-templates />
              </HTTPResponseChange>
            </xsl:template>
            <xsl:template match="//HTTPRequest/Headers">
              <Header action="add" name="IAG_HTTP_XFORM_RESP">HELLO_WORLD</Header>
            </xsl:template>
          </xsl:stylesheet>
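
The configuration comments note that key.pem and cert.pem can be embedded as 'B64:'-prefixed base-64 values instead of '@file' references. The script below is an added example, not part of the IBM documentation; it assumes the whole PEM file is base-64 encoded, as the comment describes. The function names and the placeholder PEM files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): emit the IAG server certificate block with
# cert.pem and key.pem embedded as 'B64:' values instead of '@file' references.

# b64_entry FILE: print FILE as one line, 'B64:' followed by its base-64 form.
b64_entry() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    printf 'B64:%s' "$(base64 < "$1" | tr -d '\n')"
}

# has_pem_block FILE LABEL: succeed if FILE has a '-----BEGIN LABEL-----' line.
# LABEL is an extended regular expression.
has_pem_block() {
    grep -Eq -- "^-----BEGIN $2-----\$" "$1"
}

# certificate_yaml CERT KEY: print the server.ssl.front_end.certificate block.
# Rejects swapped or wrong files before anything is encoded.
certificate_yaml() {
    cert=$1
    key=$2
    has_pem_block "$cert" 'CERTIFICATE' ||
        { echo "$cert: no certificate found" >&2; return 1; }
    has_pem_block "$key" '((RSA|EC) )?PRIVATE KEY' ||
        { echo "$key: no private key found" >&2; return 1; }
    cert_b64=$(b64_entry "$cert") || return 1
    key_b64=$(b64_entry "$key") || return 1
    cat <<EOF
server:
  ssl:
    front_end:
      certificate:
        - "$cert_b64"
        - "$key_b64"
EOF
}

# Demo on constructed placeholder files (not real key material).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/cert.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END PRIVATE KEY-----' > "$demo/key.pem"
umask 077   # the generated YAML contains the private key
certificate_yaml "$demo/cert.pem" "$demo/key.pem" > "$demo/certificate.yaml"
cat "$demo/certificate.yaml"
rm -rf "$demo"
```

Once the key is embedded, the YAML file itself is private key material and needs the same access controls as key.pem.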