Layer7 API Management

I Have a Oauth Request coming in with a token embedded in the request to my API gateway. However the Endpoint server in my environment is returning a 401 because it doesn't recognize the parameters being inputted. 844 is being added to the request before it is routed,  I need to know how I can look out for "8433" 

Hi David,

Are you using our OAuth implementation (OAuth Toolkit)? If so, which version?

Some of the policies use hard-coded ports for the routing to the tokenstore, clientstore etc. 

Regards,

Joe

Hey Joe,

Yes I have the toolkit installed. However in this scenario I don't believe the Toolkit is necessary!? From what I understand, if a Vendor who is coming into your Gateway is providing the token, and the Gateway is simply passing it along, and on the response back from our server is sending the message back to the Vendor (who is also the identity provider) the gateway would not need to use any sort of OAuth Authentication no? I could be wrong.

Hi David,

OK, in your case it does not sound like you are using our OTK for the token generation/validation. Where do you see the 8443 being appended?

It sounds like you may have a global policy setup, can you confirm?

Global Policy Fragments - CA API Gateway - 9.3 - CA Technologies Documentation 

 If the policy is simply doing a route to the backend (passing off the token it received in the request) you can audit the ${request.mainpart} on the service to confirm it is indeed receiving the information exactly as the client app is sending it.

Regards,

Joe

Hey Joe,

Seems I found the issue.

Our internal server is setup for 8443 not 443.

The message that is being routed is sending it as 8443, which is why I am getting a response error regarding 8443.

I setup a proxy on the server for 443, and now OAuth seems to work. However this was tested in Dev.

Once we decide to move to production we will have to flip our prod server onto 443 as well, and this may cause issues for other services that communicate via 8443 to our JIRAA server. Is there a possibility from the gateway's standpoint to take the request that comes in as 443 and replace it with 8443? - This way when the request arrives at the server it sees what it is listening for (8443), and not (443)?

Because the only option I see right now for our production JIRAA Server is to change the port to 443, and this will be a big problem for all other services that we have communicating to that server.

Hey Joe,

Seems I found the issue.

Our internal server is setup for 8443 not 443.

The message that is being routed is sending it as 8443, which is why I am getting a response error regarding 8443.

I setup a proxy on the server for 443, and now OAuth seems to work. However this was tested in Dev.

Once we decide to move to production we will have to flip our prod server onto 443 as well, and this may cause issues for other services that communicate via 8443 to our JIRAA server. Is there a possibility from the gateway's standpoint to take the request that comes in as 443 and replace it with 8443? - This way when the request arrives at the server it sees what it is listening for (8443), and not (443)?

Because the only option I see right now for our production JIRAA Server is to change the port to 443, and this will be a big problem for all other services that we have communicating to that server.

Hi Joe,

Port 8443 is set up as the default. If you want to specify an alternate port, there's a topic on where to make the changes in both policy and APIs. 

Set an Alternative HTTPS Port - CA API Management OAuth Toolkit - 4.3 - CA Technologies Documentation 

Simon

Thanks crusi01!

Hi David,

To clarify, if you have a request that comes in to the Gateway over 443 you want it replaced with 443?

https://gateway.com:443 -> https://gateway.com:8443

If that is the case a firewall redirect rule may help here: 

Manage Firewall Rules - CA API Gateway - 9.3 - CA Technologies Documentation 

If I misunderstood please let me know and I will try to clear this up for you.

Regards,

Joe   

Hey Joe,

YES! That helps alot. This is exactly what I needed. I just had one last question. Is there a way where we can specify the Firewall rule he to listen to ONE specific IP for that port. I believe I would have to create a interface and specify the IP address there.

Essentially I don't want to affect any other services set up on our gateway that are set up on 8334, when I create a rule to redirect to 443.

Dear David Patel ,

Usually, you should have a load balancer in front of the gateway cluster, all you wanted should be done on the LB.

Regards,

Mark

Hi David,

I may be misunderstanding the question so please feel free to correct me here.. the dialog has an option to specify an interface for the rule. 

Hi David,

Just wanted to check in and see if this was what you were looking for.

Regards,

Joe