
I have configured dynamicRouting with IHS and Liberty (17.x) in a single collective (1 controller, 1 member server), and it is working fine for the applications deployed. But it is not working for the openidConnect APIs which are exposed from the openidConnectClient-1.0 feature.

<openidConnectClient id="H3HO4HuLimleON8UDZaMqAZXF4yZsvMX"
                     clientId="H3HO4HuLimleON8UDZaMqAZXF4yZsvMX"
                     clientSecret="-secret"
                     issuerIdentifier="https://abc/"
                     authorizationEndpointUrl="https://abc"
                     tokenEndpointUrl="https://abc/oauth/token"
                     jwkEndpointUrl="https://abc/.well-known/jwks.json"
                     userInfoEndpointUrl="https://abc/userinfo"
                     userIdentifier="https://abc/userinfo/ab"
                     groupIdentifier="https://abc/userinfo/cd"
                     redirectJunctionPath="/was"
                     accessTokenInLtpaCookie="true"
                     realmName="defaultRealm"
                     authnSessionDisabled="false"
                     mapIdentityToRegistryUser="false"
                     audiences="openid, https://abc/userinfo"
                     responseType="code"
                     scope="openid"
                     signatureAlgorithm="RS256"
                     grantType="authorization_code">
</openidConnectClient>

The generated plugin-cfg.xml looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!--HTTP server plugin config file for webserver1 generated on 2021.10.22 at 08:05:10 GMT-->
<!--Merged HTTP server plugin config file-->
<Config ASDisableNagle="false" AcceptAllContent="false" AppServerPortPreference="HostHeader"
        ChunkedResponse="false" FIPSEnable="false" IISDisableNagle="false" IISPluginPriority="High"
        IgnoreDNSFailures="false" RefreshInterval="60" ResponseChunkSize="64" SSLConsolidate="false"
        TrustedProxyEnable="false" VHostMatchingCompat="false">
   <Log LogLevel="Error" Name="/opt/IBM/WebSphere/Plugins/logs/webserver1/http_plugin.log"/>
   <Property Name="ESIEnable" Value="true"/>
   <Property Name="ESIMaxCacheSize" Value="1024"/>
   <Property Name="ESIInvalidationMonitor" Value="false"/>
   <Property Name="ESIEnableToPassCookies" Value="false"/>
   <Property Name="PluginInstallRoot" Value="/opt/IBM/WebSphere/Plugins/"/>
   <!-- Configuration generated using httpEndpointRef=defaultHttpEndpoint-->
   <!-- The default_host contained only aliases for endpoint defaultHttpEndpoint.
        The generated VirtualHostGroup will contain only configured web server ports:
           webserverPort=80
           webserverSecurePort=443 -->
   <Property Name="Keyfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
   <Property Name="Stashfile" Value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.sth"/>
   <IntelligentManagement>
      <Property name="webserverName" value="webserver1"/>
      <ConnectorCluster enabled="true" maxRetries="5" name="defaultCollective" retryInterval="10000">
         <Property name="uri" value="/ibm/api/dynamicRouting"/>
         <Connector host="was-controller" port="9443" protocol="https">
            <Property name="keyring" value="/opt/IBM/WebSphere/Plugins/config/webserver1/plugin-key.kdb"/>
         </Connector>
      </ConnectorCluster>
      <Property name="RoutingRulesConnectorClusterName" value="defaultCollective"/>
   </IntelligentManagement>
</Config>

I am able to hit the openid API directly (https://localhost:9443/...), but if I try to access it through IHS (https://localhost/was-services-openid/redirect/H3HO4HuLimleON8UDZaMqAZXF4yZsvMX...) it gives 404 Not Found.

The same thing is happening for the adminCenter URL as well, which is hosted on the controller server.

I even tried special routingRules, but there was no change in plugin-cfg.xml:

<dynamicRouting maxRetries="5" retryInterval="10000">
    <routingRules webServers="webserver1">
        <routingRule order="100" matchExpression="URI LIKE '/was-services-openid%'">
            <permitAction>
                <loadBalanceEndPoints>
                    <endpoint destination="cluster=defaultCollective,servicesAppCluster"/>
                </loadBalanceEndPoints>
            </permitAction>
        </routingRule>
    </routingRules>
</dynamicRouting>

What am I doing wrong?

UPDATE:

From IHS server-status I can see this:

{
   "applications": {
      "/cell/defaultCollective/application/was-home": {
         "editions": {
            "": {
               "webModules": {
                  "/cell/defaultCollective/application/was-home/webModule/was-home.war": {
                     "contextRoot": "/was-home"
                  }
               }
            }
         }
      },
      "/cell/defaultCollective/application/was-services": {
         "editions": {
            "": {
               "webModules": {
                  "/cell/defaultCollective/application/was-services/webModule/was-services.war": {
                     "contextRoot": "/was-services"
                  }
               }
            }
         }
      }
   },
   "clusters": {
      "/cell/defaultCollective/cluster/was-controller,%2Fwlp%2Fusr:defaultServer": {
         "servers": {
            "/cell/defaultCollective/node/was-controller,%2Fwlp%2Fusr/server/defaultServer": {
               "state": "STARTED",
               "weight": 2,
               "maintenanceMode": "normal",
               "cloneID": "e8c43d41-38fa-4123-8b63-e89d5b913368",
               "averageResponseTimeInMillis": 0,
               "sessionAffinityCookies": "JSESSIONID",
               "outstandingRequests": 0,
               "applications": {}
            }
         }
      },
      "/cell/defaultCollective/cluster/servicesAppCluster": {
         "servers": {
            "/cell/defaultCollective/node/e60fc3f43af6,%2Fwlp%2Fusr/server/services-app": {
               "state": "STARTED",
               "weight": 2,
               "maintenanceMode": "normal",
               "cloneID": "2b69c058-3953-4cea-a6ca-6f19db78e9de",
               "averageResponseTimeInMillis": 0,
               "sessionAffinityCookies": "JSESSIONID",
               "outstandingRequests": 0,
               "applications": {
                  "was-services": {
                     "state": "STARTED",
                     "outstandingRequests": 0
                  }
               }
            }
         }
      },
      "/cell/defaultCollective/cluster/homeAppCluster": {
         "servers": {
            "/cell/defaultCollective/node/ebf4858d8306,%2Fwlp%2Fusr/server/home-app": {
               "state": "STARTED",
               "weight": 2,
               "maintenanceMode": "normal",
               "cloneID": "d240a3db-e107-44ed-9640-1084ccc23ea7",
               "averageResponseTimeInMillis": 0,
               "sessionAffinityCookies": "JSESSIONID",
               "outstandingRequests": 0,
               "applications": {
                  "was-home": {
                     "state": "STARTED",
                     "outstandingRequests": 0
                  }
               }
            }
         }
      }
   },
   "version": "ODRLIBX.ODRLIB_a1646.02",
   "connectorGroups": {
      "defaultCollective": {
         "state": "STARTED",
         "failures": 0,
         "connectors": {
            "https://was-controller:9443": {
               "state": "STARTED",
               "failures": 0
            }
         }
      }
   }
}

There are no contextRoots/applications exposed from features, even though the documentation says that all the endpoints will be exposed through dynamic routing (IHS); it is only working for deployed application URLs.

Dyapa Srikanth

2 Answers

1

Without seeing your whole configuration, we can only guess at some aspects. The only two required elements are that you have the openidConnectClient-1.0 feature installed on one or more of your servers and the dynamicRouting-1.0 feature installed on your controller(s). If that is the case and you are still having issues, you could try looking at the server-status page of IHS to get a picture of what IHS knows about your collective. You can find details on how to configure the server-status page here:

https://www.ibm.com/support/pages/monitoring-ibm-http-server-connections

Once you've configured things, you will need to restart IHS. You should then see a server-status page at:

http://myihs:port/server-status

In the server-status page, look toward the bottom of the page for the Intelligent Management status section. In this section you will see a JSON dump of the collective as viewed by IHS and the plugin. You should be able to find /cell/defaultCollective/application/com.ibm.ws.security.openidconnect.client in the applications section. Inside of that will be the contextRoot element for your OIDC client.

This would be a first pass at isolating the issue.

codeapex
  • Thanks for your reply. I have provided the server-status info above, and it only contains application URLs, not any other URLs like the adminCenter or the endpoints exposed by the openIdConnect feature. – Dyapa Srikanth Nov 02 '21 at 05:55
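The check the answer describes (open the Intelligent Management JSON on server-status, confirm the feature's application entry and its contextRoot are present, and see whether the plugin knows a context root that covers the failing request path) can be scripted so it is repeatable across restarts and Liberty versions. The following is an added example, not code from the question, the answer or IBM's own tooling. The JSON sample embedded in it is constructed and modelled on the dump in the question; the `com.ibm.ws.security.openidconnect.client` entry with contextRoot `/oidcclient` and the STOPPED `home-app` server are assumed illustrative values, not data from the page.

```python
"""Check an IHS server-status Intelligent Management dump for a context root.

Added example. It parses the JSON the IHS server-status page prints for the
plugin's view of a Liberty collective and answers: is the feature's application
known to the plugin, does any known contextRoot cover the path that returned
404, and are the servers and connectors the plugin relies on healthy?
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the question's dump. The openidconnect.client
# application ("/oidcclient") and the STOPPED server are assumed values.
SAMPLE_STATUS = json.dumps({
    "applications": {
        "/cell/defaultCollective/application/was-home": {"editions": {"": {"webModules": {
            "/cell/defaultCollective/application/was-home/webModule/was-home.war": {
                "contextRoot": "/was-home"}}}}},
        "/cell/defaultCollective/application/was-services": {"editions": {"": {"webModules": {
            "/cell/defaultCollective/application/was-services/webModule/was-services.war": {
                "contextRoot": "/was-services"}}}}},
        "/cell/defaultCollective/application/com.ibm.ws.security.openidconnect.client": {
            "editions": {"": {"webModules": {
                "/cell/defaultCollective/application/com.ibm.ws.security.openidconnect.client/webModule/oidcclient": {
                    "contextRoot": "/oidcclient"}}}}},
    },
    "clusters": {
        "/cell/defaultCollective/cluster/servicesAppCluster": {"servers": {
            "/cell/defaultCollective/node/n1,%2Fwlp%2Fusr/server/services-app": {
                "state": "STARTED", "applications": {"was-services": {"state": "STARTED"}}}}},
        "/cell/defaultCollective/cluster/homeAppCluster": {"servers": {
            "/cell/defaultCollective/node/n2,%2Fwlp%2Fusr/server/home-app": {
                "state": "STOPPED", "applications": {"was-home": {"state": "STOPPED"}}}}},
    },
    "connectorGroups": {"defaultCollective": {"state": "STARTED", "failures": 0,
        "connectors": {"https://was-controller:9443": {"state": "STARTED", "failures": 0}}}},
})


def context_roots(status: dict) -> Dict[str, List[str]]:
    """Map each application id to the contextRoots of its web modules."""
    roots: Dict[str, List[str]] = {}
    for app_id, app in status.get("applications", {}).items():
        for edition in app.get("editions", {}).values():
            for module in edition.get("webModules", {}).values():
                root = module.get("contextRoot")
                if root:
                    roots.setdefault(app_id, []).append(root)
    return roots


def route_for_path(status: dict, path: str) -> Optional[str]:
    """Return the longest contextRoot covering `path`, or None.

    Matching is on a path-segment boundary: "/was-services" covers
    "/was-services/x" but not "/was-services-openid/x". None is the
    plugin-side explanation for a 404 on an otherwise reachable server.
    """
    best: Optional[str] = None
    for roots in context_roots(status).values():
        for root in roots:
            if path == root or path.startswith(root.rstrip("/") + "/"):
                if best is None or len(root) > len(best):
                    best = root
    return best


def unhealthy(status: dict) -> List[Tuple[str, str]]:
    """(kind, id) for servers not STARTED and connectors not STARTED or failing."""
    problems: List[Tuple[str, str]] = []
    for cluster in status.get("clusters", {}).values():
        for server_id, server in cluster.get("servers", {}).items():
            if server.get("state") != "STARTED":
                problems.append(("server", server_id))
    for group in status.get("connectorGroups", {}).values():
        for conn_id, conn in group.get("connectors", {}).items():
            if conn.get("state") != "STARTED" or conn.get("failures", 0):
                problems.append(("connector", conn_id))
    return problems


def diagnose(status_json: str, path: str, expected_app: str) -> dict:
    """Summarise what the plugin knows relative to a failing request path."""
    status = json.loads(status_json)
    roots = context_roots(status)
    # Application ids end in "/application/<name>" regardless of the cell name.
    matches = [k for k in roots if k.endswith("/application/" + expected_app)]
    return {
        "feature_app_known": bool(matches),
        "feature_context_roots": [r for k in matches for r in roots[k]],
        "route_for_path": route_for_path(status, path),
        "unhealthy": unhealthy(status),
    }


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_STATUS,
                              "/was-services-openid/redirect/CLIENTID",
                              "com.ibm.ws.security.openidconnect.client"), indent=2))
```

Run it against the real dump by replacing `SAMPLE_STATUS` with the JSON copied from the Intelligent Management section of server-status. A `route_for_path` of `None` while `feature_app_known` is `False` points at the plugin never having been told about the feature's web module (the symptom in the question), whereas a known application with a non-matching context root points at the request URL or `redirectJunctionPath` rather than at routing.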
0

I think there is an issue with the version that I am using (17.0.0.4); after moving to 20.x everything works as expected.

Dyapa Srikanth