
We Have Moved

The IBM Application Gateway has a new home - docs.verify.ibm.com/gateway

The documentation on this site will no longer be maintained after v21.02, please update your bookmarks.


Description

The YAML file provided below is an example configuration for an IBM Application Gateway (IAG) container which:

  1. Specifies a server certificate;
  2. Configures an IBM Security Verify tenant as the identity provider using OIDC;
  3. Defines a single Web application which will be proxied by the IAG;
  4. Enables tracing within the IAG process.

Example YAML File

version: "21.02"

#
# Configure an IAG container to proxy a single Web application, and activate
# tracing within the container.  This configuration will simply define a 
# server certificate, configure an IBM Security Verify tenant as the identity 
# provider, define a single application and then enable the iag.azn and
# pdweb.snoop trace points.
#

#
# Specify a server certificate to be used by the container.  The server 
# certificate was created using an openssl command:
#  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#        -out cert.pem
#
# To remove the dependency on external files a base-64 representation of the
# key.pem and cert.pem files can be embedded within this yaml, where the 
# base-64 encoded file is prefixed with 'B64:', for example: 
#   "B64:PGhy4KICAgIDxoND5...."
# 
# If no certificate is specified a self-signed certificate will be 
# automatically created and used by the container.
#

server:
  ssl:
    front_end:
      certificate: 
        - "@cert.pem"
        - "@key.pem"

#
# Specify an IBM Security Verify tenant as the identity provider for the 
# container.  Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant.  A free tenant can be created 
# using the instructions found at the following URL:
#    https://www.ibm.com/us-en/marketplace/cloud-identity-for-consumers
#
# The discovery endpoint has the following format:
#    https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
#
# The redirect URI which is used in the SSO flow is constructed from the host 
# header contained in the request, appended with '/pkmsoidc' (for example: 
# https://ibm-app-gateway.ibm.com/pkmsoidc).  This redirect URI should be
# specified when creating the custom application within the IBM Security Verify
# administrators console.
#

identity:
  oidc:
    discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

#
# Define a resource server which will be hosted at the '/static' path of the
# IAG container.  A single Web server, located at http://10.10.10.200:1337, 
# hosts the resource.
#

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: "10.10.10.200"
        port: 1337
    transparent_path: false

#
# Enable tracing of the iag.azn and pdweb.snoop tracing components.  The
# output of each tracing component will be sent to the configured trace
# file.
#

logging:
  tracing:
    - file_name: /var/tmp/iag-azn.log
      component: iag.azn
      level: 9
    - file_name: /var/tmp/snoop.log
      component: pdweb.snoop
      level: 9
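As an added example (not part of IBM's documentation or of the IAG product itself), a small Python helper built around the settings this file uses: it produces the 'B64:' inline form of a certificate entry and resolves entries back to PEM text, derives the '/pkmsoidc' redirect URI from a request host header, and flags trace settings that should not be left on in production. The PEM content and the trace list are constructed from the example above; no real key material is involved.

```python
import base64

# Constructed placeholder PEM; not a real certificate.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"

# The logging.tracing entries from the example configuration above.
TRACING = [
    {"file_name": "/var/tmp/iag-azn.log", "component": "iag.azn", "level": 9},
    {"file_name": "/var/tmp/snoop.log", "component": "pdweb.snoop", "level": 9},
]

def embed_pem(pem_text: str) -> str:
    """Turn a PEM file's contents into the 'B64:'-prefixed inline form that
    replaces an '@cert.pem' / '@key.pem' file reference in the YAML."""
    if "-----BEGIN " not in pem_text or "-----END " not in pem_text:
        raise ValueError("input does not look like a PEM file")
    return "B64:" + base64.b64encode(pem_text.encode()).decode()

def resolve_cert_entry(entry: str, file_reader=open) -> str:
    """Resolve one server.ssl.front_end.certificate entry back to PEM text:
    'B64:...' is decoded inline, '@path' is read through file_reader."""
    if entry.startswith("B64:"):
        return base64.b64decode(entry[4:]).decode()
    if entry.startswith("@"):
        with file_reader(entry[1:]) as fh:
            return fh.read()
    raise ValueError("unrecognised certificate entry: %r" % entry)

def redirect_uri(host_header: str) -> str:
    """Redirect URI the IAG uses in the OIDC flow: the request's Host header
    with '/pkmsoidc' appended. Register this value in the Verify console."""
    return "https://%s/pkmsoidc" % host_header

def audit_tracing(tracing: list) -> list:
    """Flag trace settings that should not reach production. pdweb.snoop
    records full HTTP requests and responses, so its trace file holds the
    session cookies and bearer tokens of every proxied request."""
    findings = []
    for entry in tracing:
        comp, level, path = entry["component"], entry["level"], entry["file_name"]
        if comp == "pdweb.snoop" and level > 0:
            findings.append("%s at level %d writes raw HTTP traffic to %s" % (comp, level, path))
        if path.startswith("/var/tmp/") or path.startswith("/tmp/"):
            findings.append("%s trace file %s sits in a shared temp directory; "
                            "confirm its file mode restricts readers" % (comp, path))
    return findings
```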