The server node defines configuration for the gateway daemon front-end.

Specifies the protocols which will be supported by the server. The server listens on a different port for each protocol: http on 8080 and https on 8443. If no protocols are specified, the server listens for https requests only.

Additionally, the server can be configured to expect the PROXY protocol header (as sent by a load balancer or proxy in front of the gateway) by using the *_proxy values.

Note that if the PROXY protocol is enabled for a given protocol, all traffic received on that protocol's port must carry the PROXY protocol header; plain connections on that port will be rejected. Because the plain and *_proxy forms of a protocol share the same port, the following entries are mutually exclusive:

  • http and http_proxy
  • https and https_proxy
protocol      port   Description
http          8080   HTTP
https         8443   HTTPS
http_proxy    8080   HTTP with PROXY protocol
https_proxy   8443   HTTPS with PROXY protocol

The rules which define whether a client is allowed to connect to this server. The rule is of the format:

[+|-]<client-ip>

where:

Element       Description
+             Indicates that the client is permitted access.
-             Indicates that the client is not permitted access.
<client-ip>   The IP address of the client, which can also contain the pattern matching characters * and ?.

The client IP address of a request is evaluated against each rule in sequence until a match is found; the sign of the matching rule (+ or -) then determines whether the client connection is accepted. If the client IP matches no configured rule the connection is accepted, so the rule list is allow-by-default. To deny every client that is not explicitly permitted, place a -* rule at the end of the list.
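The following is an added example, not code from the page or from the IBM Application Gateway, that implements the rule evaluation described above so the first-match and allow-by-default behaviour can be tried against sample addresses. The rule list and the client addresses are constructed for illustration; the use of fnmatch for the * and ? wildcards is an assumption about how the gateway interprets the patterns.

```python
import fnmatch
import ipaddress
from typing import List, Tuple

# Constructed sample rule list (not from the page). Order matters: first match wins.
SAMPLE_RULES = [
    "-192.168.1.13",   # one host denied; must come before the broader allow rule
    "+192.168.1.*",    # the rest of the /24 permitted
    "+10.0.?.1",       # '?' matches exactly one character
    "-*",              # explicit deny-by-default; without it, unmatched clients are accepted
]


def parse_rule(rule: str) -> Tuple[bool, str]:
    """Split '[+|-]<client-ip>' into (permit, pattern). A rule without a sign is rejected."""
    rule = rule.strip()
    if not rule or rule[0] not in "+-":
        raise ValueError(f"rule must start with '+' or '-': {rule!r}")
    return rule[0] == "+", rule[1:]


def match_pattern(pattern: str, client_ip: str) -> bool:
    """Match with only '*' and '?' as wildcards (assumed to mirror the gateway's semantics).

    fnmatch also treats '[' as the start of a character class, which the documented
    syntax does not have, so any '[' in the pattern is escaped to a literal.
    """
    pattern = pattern.replace("[", "[[]")
    return fnmatch.fnmatchcase(client_ip, pattern)


def is_client_allowed(rules: List[str], client_ip: str) -> bool:
    """Evaluate the rules in sequence; no match means the connection is accepted."""
    ipaddress.ip_address(client_ip)  # reject anything that is not a well-formed address
    for rule in rules:
        permit, pattern = parse_rule(rule)
        if match_pattern(pattern, client_ip):
            return permit
    return True  # documented default: unmatched clients are accepted


if __name__ == "__main__":
    for ip in ["192.168.1.13", "192.168.1.200", "10.0.7.1", "10.0.77.1", "203.0.113.5"]:
        print(f"{ip:15} {'accept' if is_client_allowed(SAMPLE_RULES, ip) else 'deny'}")
    # Drop the trailing '-*' and an unknown client is accepted by default.
    print("203.0.113.5 without -*:", is_client_allowed(SAMPLE_RULES[:-1], "203.0.113.5"))
```

Note that a pattern such as +192.168.1* also matches 192.168.10.0 through 192.168.19.255; end prefix patterns with a dot before the wildcard to avoid over-matching.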

Specifies the configuration the gateway server will use when securely communicating with clients. This configuration includes:

  • The certificate to be used for secure communication with clients. If a certificate is not provided, the gateway will generate a self-signed certificate during bootstrapping; such a certificate is not trusted by clients and is suitable only for testing.

  • The TLS protocols that are enabled for client communication.

  • Any additional server certificates which should be used for specific hosts using the server name indication (SNI) TLS extension.

Enables or disables the TLS protocols that are used for communication between the gateway daemon and the protected application.

Specifies the ciphers and cipher suites which will be permitted for all secure communications.

The following tables show the list of available ciphers.

Specifies the configuration related to failover support for the IBM Application Gateway.

Specifies the configuration for client sessions.

The number of configured worker threads specifies how many incoming requests this gateway instance can service concurrently. The optimal number depends on the quantity and type of traffic on your network; change this value carefully, as it directly affects performance.

The number of unique request buckets to hold on to for the rate limiting capability. When a request is tokenized, it is assigned a bucket. If this limit is reached, rate limiting information about the oldest requests is ejected, which effectively resets the rate limiting counters for those clients. This number therefore needs to be higher than the number of requests being rate limited across a refresh interval; if it is too low, a busy client can have its counter ejected and silently receive a fresh allowance.
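As an added illustration (not IAG's implementation, and not code from the page), the following simplified model shows what happens when the bucket pool is smaller than the number of clients seen in one refresh interval: the oldest bucket is ejected, its counter is lost, and a client that should already be limited is accepted again. The limiter, the client names and the traffic pattern are constructed for the simulation.

```python
from collections import OrderedDict
from typing import Tuple


class BoundedRateLimiter:
    """Simplified model: one counter per tokenized client, a fixed pool of buckets,
    and ejection of the oldest bucket when the pool is full. Illustrative only."""

    def __init__(self, max_buckets: int, limit: int):
        self.max_buckets = max_buckets   # the configured number of unique request buckets
        self.limit = limit               # requests permitted per client per refresh interval
        self.buckets = OrderedDict()     # client key -> request count; insertion order is bucket age
        self.ejected = 0

    def allow(self, client_key: str) -> bool:
        if client_key not in self.buckets:
            if len(self.buckets) >= self.max_buckets:
                # Pool exhausted: the oldest bucket is ejected and its counter is lost,
                # which resets rate limiting for that client.
                self.buckets.popitem(last=False)
                self.ejected += 1
            self.buckets[client_key] = 0
        self.buckets[client_key] += 1
        return self.buckets[client_key] <= self.limit


def simulate(max_buckets: int, limit: int, others_per_round: int, rounds: int) -> Tuple[int, int]:
    """Within a single refresh interval, interleave `rounds` requests from one noisy client
    with one request each from `others_per_round` never-seen-before clients per round.
    Returns (requests accepted from the noisy client, number of buckets ejected)."""
    limiter = BoundedRateLimiter(max_buckets, limit)
    accepted = 0
    for r in range(rounds):
        if limiter.allow("noisy-client"):
            accepted += 1
        for i in range(others_per_round):
            limiter.allow(f"visitor-{r}-{i}")   # constructed traffic: a crowd of distinct clients
    return accepted, limiter.ejected


if __name__ == "__main__":
    # Pool large enough for every client seen in the interval: the noisy client is held to the limit.
    print("sized pool :", simulate(max_buckets=1000, limit=5, others_per_round=10, rounds=20))
    # Pool too small: the noisy client's bucket is ejected and it gets a fresh allowance.
    print("undersized :", simulate(max_buckets=100, limit=5, others_per_round=10, rounds=20))
```

With 201 distinct clients in the interval and only 100 buckets, the noisy client is accepted twice as often as the limit allows; the sized pool holds it to exactly the limit.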

A boolean which indicates whether or not to enable support for HTTP/2 clients. HTTP/2 (RFC 7540, section 9.2.2) restricts the TLS cipher suites that may be negotiated and requires that TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 be supported, so that suite should be added to the server/ssl/ciphers[] entry whenever HTTP/2 is enabled.
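The following added example (not code from the page or from IBM) checks a proposed server/ssl/ciphers[] list against the HTTP/2 requirements before it is deployed: the mandatory suite must be present, and the RFC 7540 Appendix A exclusions are approximated by requiring ephemeral key exchange and an AEAD cipher, judged from the IANA suite name. The two cipher lists are constructed samples, not IAG defaults, and the name-based heuristic is an assumption that stands in for the full Appendix A list.

```python
from typing import List, Tuple

# RFC 7540 section 9.2.2: an HTTP/2 endpoint must support this suite and must not
# negotiate the suites listed in RFC 7540 Appendix A, which in effect excludes every
# suite without ephemeral key exchange (ECDHE/DHE) or without an AEAD cipher.
H2_MANDATORY = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Constructed sample lists for server/ssl/ciphers[] (not IAG defaults).
WEAK_CIPHERS = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # static RSA key exchange and CBC: excluded
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",  # ephemeral, but CBC rather than AEAD: excluded
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",  # acceptable, but the mandatory suite is missing
]
H2_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3 suite
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # the mandatory suite
]


def h2_acceptable(suite: str) -> bool:
    """Heuristic form of the Appendix A rule, keyed on the IANA suite name (assumption)."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True  # TLS 1.3 suites are AEAD-only with ephemeral key exchange by construction
    ephemeral = suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = any(tag in suite for tag in ("_GCM_", "_CHACHA20_POLY1305", "_CCM"))
    return ephemeral and aead


def check_h2_ciphers(ciphers: List[str]) -> Tuple[bool, List[str]]:
    """Return (ok, problems) for a cipher list that will be used with HTTP/2 enabled."""
    problems = []
    if H2_MANDATORY not in ciphers:
        problems.append(f"mandatory HTTP/2 suite {H2_MANDATORY} is not configured")
    problems += [f"{s} is excluded for HTTP/2 by RFC 7540 Appendix A"
                 for s in ciphers if not h2_acceptable(s)]
    return (not problems, problems)


if __name__ == "__main__":
    for name, ciphers in (("weak list", WEAK_CIPHERS), ("h2 list", H2_CIPHERS)):
        ok, problems = check_h2_ciphers(ciphers)
        print(f"{name}: {'OK' if ok else 'REJECTED'}")
        for problem in problems:
            print("   ", problem)
```

Run the check against the exact list you intend to put in server/ssl/ciphers[]; the gateway's own behaviour when an excluded suite is configured with HTTP/2 enabled is not described on this page, so do not rely on it to refuse the configuration for you.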

Specifies the configuration for WebSocket support.

Defines static assets which are served from the default / path of the reverse proxy. This entry must be either a zip file or a path which is relative to the /var/iag/config directory of the container. The provided contents will completely replace the default set of pages served from the / path of the IAG.

This entry overrides the server generated management response pages. It must be either a zip file or a path which is relative to the /var/iag/config directory of the container. The provided contents will completely replace the default set of management pages served by the IAG.

The pages which are provided should conform to the directory structure and file name syntax explained below.
The directory structure is:

<language_code>/<page_name>.<response_code>.<mime_type>

This entry overrides the server generated error response pages. It must be either a zip file or a path which is relative to the /var/iag/config directory of the container. The provided contents will completely replace the default set of error pages served by the IAG.

The pages which are provided should conform to the directory structure and file name syntax explained below.
The directory structure is:

<language_code>/<error_code>.<response_code>.<mime_type>

Specifies the configuration for the credential service cache. When the cache is enabled, IAG will cache the encrypted credentials received from the external credential service. If the cache is not enabled, IAG will request credentials from the credential service for every request requiring single sign-on.

Specifies the configuration information related to the embedded credential viewer application.
The credential viewer application can be used to display information about the credential associated with the current user session.

Specifies the configuration information related to the embedded authorization decision application. The authorization decision application provides a Web service for making remote authorization decisions.

Specifies the configuration information related to the embedded jwks application. The jwks application returns the public keys contained in the key database used for junction communication. The response data will conform to RFC 7517.

