
Description

The YAML file below is an example configuration for an IBM Application Gateway (IAG) container which:

  1. Specifies a server certificate;
  2. Configures an IBM Security Verify tenant as the identity provider using OIDC;
  3. Defines a single Web application which will be proxied by the IAG;
  4. Defines an HTTP transformation policy for the Web application.

Example YAML File

version: "19.12"

#
# Configure an IAG container to proxy a single Web application.  This
# configuration defines a server certificate, configures an IBM Security
# Verify tenant as the identity provider, defines a single application, and
# defines an HTTP transformation policy for the application.
#

#
# Specify a server certificate to be used by the container.  The server 
# certificate was created using an openssl command:
#  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#        -out cert.pem
#
# The key.pem and cert.pem files were then combined into a single file:
#  cat cert.pem key.pem > test-iag.cer
#
# To remove the dependency on an external file, a base-64 representation of the
# test-iag.cer file can be embedded within this yaml, where the base-64 encoded
# file is prefixed with 'B64:', for example: "B64:PGhy4KICAgIDxoND5...."
#
# If no certificate is specified, a self-signed certificate will be
# automatically created and used by the container.  A self-signed or embedded
# test certificate is fine for a lab; production deployments should use a
# certificate issued by a CA that the clients trust.
#

server:
  ssl:
    front_end:
      certificate: "@test-iag.cer"

#
# Specify an IBM Security Verify tenant as the identity provider for the
# container.  Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant.  The client_secret is a
# credential: keep a real value out of source control.  A free tenant can be
# created using the instructions found at the following URL:
#    https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
#    https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the Host
# header contained in the request, appended with '/pkmsoidc' (for example:
# https://ibm-app-gateway.ibm.com/pkmsoidc).  This redirect URI should be
# specified when creating the custom application within the IBM Security Verify
# administrator console; because it is derived from the Host header, the
# registered value must match the public host name through which clients
# reach the gateway.
#

identity:
  oidc:
    discovery_endpoint: "https://ibm_app_gw.ice.ibmcloud.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

#
# Define a resource server which will be hosted at the '/static' path of the
# IAG container.  A single Web server, located at http://10.10.10.200:1337,
# hosts the resource.  The 'tcp' connection type means the gateway talks plain
# HTTP to that server, so use it only where the hop between the gateway and
# the back end is trusted; an 'ssl' connection type is available for HTTPS
# back ends.
#

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false

#
# Define the policies for the gateway.
#

policies:
    #
    # Specify an HTTP transformation policy, applied to all
    # resources, which will add the 'IAG_HTTP_XFORM_RESP: HELLO_WORLD' 
    # HTTP header to all responses.
    #

    http_transformations:
      response:
        - name: "ResponseHeaderInjector"
          method: "*"
          paths: 
            - "*"
          rule: |
            <?xml version="1.0" encoding="UTF-8"?>
            <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">

              <xsl:strip-space elements="*" />

              <xsl:template match="/">
                <HTTPResponseChange>
                  <xsl:apply-templates />
                </HTTPResponseChange>
              </xsl:template>

              <xsl:template match="//HTTPRequest/Headers">
                <Header action="add" name="IAG_HTTP_XFORM_RESP">HELLO_WORLD</Header>
              </xsl:template>

            </xsl:stylesheet>
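As an added example, not part of the IBM page or of the IAG product, the following Python script performs the certificate-embedding step described in the server comment above: it concatenates cert.pem and key.pem in the same order as the cat command, base64-encodes the bundle with the 'B64:' prefix, renders the server section of the YAML, and decodes the value back to check that the bundle holds a certificate followed by an unencrypted private key (the page's openssl command uses -nodes). The PEM contents are constructed placeholders rather than real key material, and the helper names are my own.

```python
import base64
import re

# Constructed placeholder PEM blocks standing in for the cert.pem and key.pem
# that the page's openssl command produces.  The bodies are NOT real key
# material; they exist only so the script runs offline.
CERT_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQ0VSVElGSUNBVEU=
-----END CERTIFICATE-----
"""

KEY_PEM = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgS0VZ
-----END PRIVATE KEY-----
"""

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def bundle_pem(cert_pem: str, key_pem: str) -> str:
    """Equivalent of `cat cert.pem key.pem > test-iag.cer`: certificate first."""
    return cert_pem.rstrip("\n") + "\n" + key_pem.rstrip("\n") + "\n"


def embed_certificate(cert_pem: str, key_pem: str) -> str:
    """Value for server.ssl.front_end.certificate with the bundle inline,
    base64-encoded and prefixed with 'B64:' as the page describes."""
    bundle = bundle_pem(cert_pem, key_pem)
    return "B64:" + base64.b64encode(bundle.encode("ascii")).decode("ascii")


def decode_embedded(value: str) -> str:
    """Reverse embed_certificate; reject file references such as '@test-iag.cer'."""
    if not value.startswith("B64:"):
        raise ValueError("not an inline certificate: expected a 'B64:' prefix")
    return base64.b64decode(value[len("B64:"):], validate=True).decode("ascii")


def pem_labels(pem_text: str) -> list:
    """Labels of the PEM blocks in the order they appear."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_bundle(pem_text: str) -> list:
    """Sanity checks on a decoded bundle; an empty list means it looks right."""
    problems = []
    labels = pem_labels(pem_text)
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    if "ENCRYPTED PRIVATE KEY" in labels:
        # The page generates the key with -nodes, i.e. without a passphrase.
        problems.append("private key is passphrase-protected; expected an unencrypted key")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("certificate should precede the key (cat cert.pem key.pem)")
    return problems


def render_server_block(value: str) -> str:
    """YAML fragment for the server section, in the page's layout."""
    return (
        "server:\n"
        "  ssl:\n"
        "    front_end:\n"
        f'      certificate: "{value}"\n'
    )


if __name__ == "__main__":
    value = embed_certificate(CERT_PEM, KEY_PEM)
    print(render_server_block(value))
    print("checks:", check_bundle(decode_embedded(value)) or "ok")
```

Run it with real cert.pem and key.pem contents in place of the placeholders and paste the printed server section into the YAML; the decode-and-check round trip is what catches a bundle that was concatenated in the wrong order or built from a passphrase-protected key.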