Skip to main content

We Have Moved

The IBM Application Gateway has a new home -

The documentation on this site will no longer be maintained after v21.02, please update your bookmarks.


The yaml file provided below contains an example YAML configuration for an IBM Application Gateway (IAG) container which:

  1. Specifies a server certificate;
  2. Configures an IBM Security Verify tenant as the identity provider using OIDC;
  3. Defines a single Web application which will be proxied by the IAG;
  4. Defines an authorization policy for the Web application.

Example Yaml File

version: "21.02"

# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application.  This configuration will 
# simply define a server certificate, configure an IBM Security Verify tenant 
# as the identity provider, define a single application and then define some
# authorization rules for this application.

# Specify a server certificate to be used by the container.  The server 
# certificate was created using an openssl command:
#  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#        -out cert.pem
# To remove the dependency on external files a base-64 representation of the
# key.pem and cert.pem files can be embedded within this yaml, where the 
# base-64 encoded file is prefixed with 'B64:', for example: 
#   "B64:PGhy4KICAgIDxoND5...."
# If no certificate is specified a self-signed certificate will be 
# automatically created and used by the container.

        - "@cert.pem"
        - "@key.pem"

# Specify an IBM Security Verify tenant as the identity provider for the 
# container.  Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant.  A free tenant can be created 
# using the instructions found at the following URL:
# The discovery endpoint has the following format:
#    https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
# The redirect URI which is used in the SSO flow is constructed from the host 
# header contained in the request, appended with '/pkmsoidc' (for example: 
#  This redirect URI should be
# specified when creating the custom application within the IBM Security
# Verify administrators console.

    discovery_endpoint: ""
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

# Define an resource server which will be hosted at the '/static' path of the
# IAG container.  A single Web server, located at, 
# hosts the resource server.
# An authorization policy has also been defined which:
#   1. Allows 'application owners' to retrieve any resource;
#   2. Allows unauthenticated used to retrieve the '/unauth' resource;
#   3. Allows any authenticated user to retrieve the '/everyone' resource;
#   4. Denies access to everything else.

  - path: "/static"
    connection_type: "tcp"
      - host: ""
        port: 1337
    transparent_path: false

    - name: "app_owners"
        - "GET"
        - "*"
      rule: (any groupIds = "application owners")
      action: "permit"

    - name: "any_user"
        - "GET"
        - "/unauth"
      rule: "anyuser"
      action: "permit"

    - name: "any_auth_user"
        - "GET"
        - "/everyone"
      rule: "anyauth"
      action: "permit"

    - name: "go-away"
        - "*"
      rule: "()"
      action: "deny"