### IAG Configuration: Environment Variable Example (Resolved) Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Illustrates the configuration after the environment variable has been substituted. This shows the actual value used by IAG at runtime. ```yaml version: "23.10" server: ... failover: key: exampleOnlyDoNotUseThisValue cookie_name: IAG-FAILOVER-COOKIE ... ``` -------------------------------- ### Simple Rule Example Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-authorization Demonstrates a basic 'simple' rule structure, which consists of a user attribute, a relational operator, and a literal value. The literal value must be enclosed in quotes. ```plaintext name = "alice" ``` -------------------------------- ### IAG Configuration: Environment Variable Example (Set) Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Shows how an environment variable is set within the container context. This value can then be referenced in IAG's YAML configuration. ```bash MY_FAILOVER_SECRET=exampleOnlyDoNotUseThisValue ``` -------------------------------- ### Complex Rule Example Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-authorization Illustrates a 'complex' rule, formed by combining multiple 'simple' rules with logical operators (like 'not', 'or', 'and') and using parentheses to control evaluation order. This example checks user names and group memberships. ```plaintext (not ((name = "scott") or (name = "alice"))) and (any groupIds = "admin") ``` -------------------------------- ### IAG Resource Server Configuration YAML (Example 2) Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Defines an additional resource server, demonstrating how multiple resource servers can be configured across different YAML files. This modular approach simplifies management. ```yaml version: "23.10" resource_servers: - path: / servers: - host: 10.10.10.201 port: 8080 ``` -------------------------------- ### IAG Resource Server Configuration YAML (Example 1) Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Configures a single resource server with its virtual host and backend server details. This file can be managed independently to add or remove resource servers. ```yaml version: "23.10" resource_servers: - virtual_host: iag-demo.ibm.com servers: - host: 10.10.10.200 port: 80 ``` -------------------------------- ### Example Authorization Policy Definition Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-authorization Defines an ordered sequence of authorization rules for an IBM IAG system. Each rule specifies paths, methods, a rule condition, and an action (permit, deny, obligate, reauth), with support for obligations like OIDC ACR values and max age. ```yaml policies: authorization: # Alice has left the team and is no longer allowed # access to any data. - name: alice paths: - /* rule: "(user = 'alice')" action: deny # Allow unauthenticated access to /public. - name: unauth paths: - /public/* methods: - GET rule: anyuser action: permit # Allow any authenticated user to retrieve their # account information. - name: account paths: - /account/* methods: - GET rule: anyauth action: permit # Updates to account information can only be completed # after the user has completed stronger authentication. - name: account_update paths: - /account/* methods: - POST rule: "(acr = 'urn:ibm:security:policy:id:2')" action: permit # We can use and obligation to trigger a re-authentication # to prompt the client to complete strong authentication. - name: account_update_obligation paths: - /account/* methods: - POST rule: "(acr != 'urn:ibm:security:policy:id:2')" action: obligate obligation: oidc: acr_values: urn:ibm:security:policy:id:2 # A reauth action can be used to force the client to perform # re-authentication. - name: download_report_reauth paths: - /account/reports/download/* rule: "anyauth" action: "reauth" obligation: oidc: max_age: 0 # In order to be able to manage accounts you must be # an administrator. - name: manage paths: - /account/* rule: (any groupIds = "admin") action: permit # We want to deny access to every other resource. - name: deny_all paths: - /* rule: anyuser action: deny ``` -------------------------------- ### Define Kubernetes TLS Secret Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Example of a Kubernetes TLS Secret named 'iag-tls-secret' containing 'tls.crt' and 'tls.key'. This secret is of type 'kubernetes.io/tls' and holds base64 encoded certificate and key data. It's a prerequisite for configuring TLS in the IAG server. ```yaml apiVersion: v1 kind: Secret type: kubernetes.io/tls metadata: name: iag-tls-secret ... data: tls.crt: LS0t...Cg== tls.key: LS0t...LS0K ``` -------------------------------- ### Kubernetes ConfigMap for IAG Configuration Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Demonstrates how to define a Kubernetes ConfigMap with data fields and reference these fields within the IAG configuration YAML. IAG substitutes these references with actual values during bootstrapping. ```yaml apiVersion: v1 kind: ConfigMap metadata: name: verify-endpoint ... data: discovery_url: https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration proxy_server: https://proxy.ibm.com:3128 ``` ```yaml version: "23.10" identity: oidc: discovery_endpoint: "configmap:verify-endpoint/discovery_url" proxy: "configmap:verify-endpoint/proxy_server" ... ``` ```yaml version: "23.10" identity: oidc: discovery_endpoint: https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration proxy: https://proxy.ibm.com:3128 ... ``` -------------------------------- ### IAG Configuration: Environment Variable Substitution Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Demonstrates using an environment variable to set sensitive configuration values, such as a failover key. This enhances security by avoiding hardcoding secrets. ```yaml version: "23.10" server: ... failover: key: $MY_FAILOVER_SECRET cookie_name: IAG-FAILOVER-COOKIE ... ``` -------------------------------- ### IAG Logging Configuration YAML Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Sets up logging and tracing for IAG, useful for debugging. This file can be removed after debugging to disable tracing and reduce resource usage. ```yaml version: "23.10" logging: json_logging: false tracing: - file_name: /var/tmp/snoop.log component: pdweb.snoop level: 9 ``` -------------------------------- ### IAG Server Configuration YAML Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Defines the top-level server and identity settings for IAG, including SSL certificates and OIDC client details. This is a core configuration file for IAG. ```yaml version: "23.10" server: ssl: front_end: certificate: - $CERT_PEM - $KEY_PEM identity: oidc: client_id: $CLIENT_ID client_secret: $CLIENT_SECRET discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration" ``` -------------------------------- ### Encrypt String with RSA Public Key and Base64 Encode Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Encrypts a given string using an RSA public key and then base64 encodes the result. The input string is piped to openssl for encryption, and the output is piped to base64. ```bash echo -n "wPP8rM8N0d" | openssl rsautl -encrypt -inkey public.pem -pubin | base64 ``` -------------------------------- ### Combined IAG Configuration YAML Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Represents the consolidated configuration from multiple YAML files into a single document. This shows the equivalent structure when all configurations are merged. ```yaml version: "23.10" server: ssl: front_end: certificate: - $CERT_PEM - $KEY_PEM identity: oidc: client_id: $CLIENT_ID client_secret: $CLIENT_SECRET redirect_uri_host: iag-demo.ibm.com discovery_endpoint: "https://ibm-app-gw.verify.ibm.com/oidc/endpoint/default/.well-known/openid-configuration" resource_servers: - virtual_host: iag-demo.ibm.com servers: - host: 10.10.10.200 port: 80 - path: / servers: - host: 10.10.10.201 port: 8080 logging: json_logging: false tracing: - file_name: /var/tmp/snoop.log component: pdweb.snoop level: 9 ``` -------------------------------- ### Embed Base64 Encoded Data in Configuration Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Shows how to embed data, such as transformation rules, directly into the IAG configuration YAML by base64 encoding it. The `B64:` prefix indicates that the following string is a base64 encoded value. This is useful for embedding binary data or large text blocks without direct file inclusion. ```bash $ base64 Req-AddStaticHeader.xsl PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPHhzbDpzdHlsZXNoZWV0IHht ... ``` ```yaml version: "23.10" policies: ... http_transformations: request: - name: req-static-headers method: GET url: "*" rule: B64:PD94bWwgdmVyc2lvbj0i... ... ``` ```yaml version: "23.10" policies: ... http_transformations: request: - name: req-static-headers method: GET url: "*" rule: | ... ... ``` -------------------------------- ### Generate RSA Private Key with OpenSSL Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Creates a 2048-bit RSA private key file named 'private.pem'. This key is essential for decrypting data that has been encrypted using the corresponding public key. ```bash openssl genrsa -out private.pem 2048 ``` -------------------------------- ### Include External YAML Content with File Reference Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Demonstrates how to reference content from an external YAML file within the main configuration file. File references are indicated by '@' followed by the filename. This method is not supported when using Kubernetes custom objects for configuration. The external file's content is directly substituted at the reference point. ```yaml version: "23.10" policies: ... rate_limiting: - name: "limited_by_ip" methods: - "*" paths: - "/my_app*" rule: "@rate_limiting.yaml" ... ``` ```yaml ip: true capacity: 3 interval: 60 reaction: TEMPLATE ``` ```yaml version: "23.10" policies: ... rate_limiting: - name: "limited_by_ip" methods: - "*" paths: - "/my_app*" rule: | ip: true capacity: 3 interval: 60 reaction: TEMPLATE ... ``` -------------------------------- ### Specify IAG Configuration Version Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-versioning This snippet demonstrates the basic structure for specifying the version in an IAG YAML configuration file. The 'version' field is mandatory and uses the YY.MM format to indicate the IAG container version the configuration was authored for. ```yaml version: "23.10" ... ``` -------------------------------- ### Generate RSA Public Key from Private Key with OpenSSL Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Extracts the public key from an existing RSA private key file ('private.pem') and saves it to 'public.pem'. The public key is used for encrypting data. ```bash openssl rsa -pubout -in private.pem -out public.pem ``` -------------------------------- ### OIDC Obligation Parameters Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-authorization Shows the structure for defining obligation parameters specifically for OIDC scenarios. These parameters are appended to the authorization request during authentication or re-authentication. ```yaml obligation: oidc: : ``` -------------------------------- ### Configure IAG Server with Kubernetes TLS Secret Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Configuration snippet for the IAG server's SSL settings, referencing a Kubernetes TLS Secret. It shows how to specify the certificate and key from a secret named 'iag-tls-secret' using the 'secret:' prefix. This allows the IAG server to use the provided TLS certificate and key for secure connections. ```yaml version: "23.10" server: ssl: certificate: - "secret:iag-tls-secret/tls.key" - "secret:iag-tls-secret/tls.crt" ... ``` -------------------------------- ### Obfuscate Sensitive Data with Shared Secret Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Illustrates how to encrypt sensitive configuration values using OpenSSL and a shared secret. The encrypted data is prefixed with `OBF:` in the YAML. A single shared secret (`obf_key`) is defined in the `secrets` section and used to decrypt all `OBF:` prefixed values. This method is suitable for client secrets, API keys, and other sensitive information. ```bash echo -n "wPP8rM8N0d" | openssl enc -aes256 \ -pbkdf2 -md sha512 -pass pass:"myIAGExampleSecret" \ -base64 ``` ```bash openssl enc -aes256 -pbkdf2 -md sha512 -pass pass:"myIAGExampleSecret" \ -base64 -in myLocalPages.zip ``` ```yaml version: "23.10" secrets: obf_key: "myIAGExampleSecret" ... identity: oidc: client_secret: "OBF:U2FsdGVkX1+UHIKgqQOgjyqY2ANixZs2sW+b1Nr7fcg=" ``` ```yaml version: "23.10" secrets: obf_key: "myIAGExampleSecret" ... identity: oidc: client_secret: "OBF:U2FsdGVkX1+UHIKgqQOgjyqY2ANixZs2sW+b1Nr7fcg=" client_id: "OBF:U2FsdGVkX1/OHj8jarx2+yzaFICy+z5ZDIDFXEMtVR/oLaafLtjVi9u+huCwZhnD5/aMWEm7h1G1cgtJE/yu3w==" ... server: local_pages: content: "OBF:U2FsdGVkX19nCQVvJZtKatPZE/TEDEYlYMpak7hAZJoC..." type: zip ``` -------------------------------- ### Decrypt AES-256 Obfuscated String with OpenSSL Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Reverses a string obfuscated using AES-256 encryption with OpenSSL. Requires the obfuscated string, the encryption algorithm (aes-256), derivation method (pbkdf2), digest (sha512), and the secret passphrase. The input is base64 encoded and piped to openssl for decryption. ```bash echo "U2FsdGVkX1+UHIKgqQOgjyqY2ANixZs2sW+b1Nr7fcg=" | openssl enc -d -aes256 \ -pbkdf2 -md sha512 -pass pass:"myIAGExampleSecret" \ -base64 ``` -------------------------------- ### Kubernetes Secret for IAG Configuration Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Illustrates how to define a Kubernetes Secret with sensitive data fields and reference these fields in the IAG configuration YAML. IAG retrieves, base64 decodes, and substitutes these secret values during bootstrapping. ```yaml apiVersion: v1 kind: Secret type: Opaque metadata: name: verify-oidc ... data: client_id: ZTdiMzA0ZWItYTU1NC00MzQ5LTlhODAtNTA1Y2IzZGRmMTBi client_secret: Z2VSVEY0RldSWA== ``` ```yaml version: "23.10" identity: oidc: client_id: "secret:verify-oidc/client_id" client_secret: "secret:verify-oidc/client_secret" ... ``` ```yaml version: "23.10" identity: oidc: client_id: e7b304eb-a554-4349-9a80-505cb3ddf10b client_secret: geRTF4FWRX ... ``` -------------------------------- ### Decrypt RSA Encrypted String with Private Key Source: https://www.ibm.com/docs/en/iag/23.10_topic=concepts-configuration Decrypts a base64 encoded string that was encrypted using RSA. It first base64 decodes the input and then uses openssl rsautl to decrypt it with the provided private key. ```bash echo -n "PS56fPQGSg/LPT2mgktLw1T2YMuBxaaQMM5AZMq06xEs..." \ | base64 -d | openssl rsautl -decrypt -inkey private.pem ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.