App Gateway
Learn how to troubleshoot common App Gateway issues.
My Response Error Message Contains: 400 Bad Request: invalid header value
Learn the common cause when a response error message contains: 400 Bad Request: invalid header value.
App Gateway adds headers to the requests that are proxied to an upstream Application Server. One of these headers, idcs_user_display_name, might contain characters that are invalid under the newer RFC, depending on the values set for the First Name and Last Name of the identity domain user. This new RFC limits the allowed characters to printable US-ASCII characters (that is, 0x21 - 0x7E and the space and horizontal tab characters). See RFC 7230 HTTP/1.1 Message Syntax and Routing.
Application Servers that enforce the newer RFC will reject the request with the response: 400 Bad Request: invalid header value. Note: The exact response depends on the Application Server being used.
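The following added example (not Oracle's code) checks user names against the character set described above, so you can find which identity domain users would produce an invalid idcs_user_display_name value. It assumes the display name is composed as "First Name Last Name"; the record field names and the sample users are constructed for illustration.

```python
# Added example: flag display names that fall outside the header character set
# the page describes (0x21-0x7E plus space and horizontal tab).

ALLOWED = {0x20, 0x09} | set(range(0x21, 0x7F))  # SP, HTAB, 0x21..0x7E


def invalid_chars(value):
    """Return (index, char, 'U+XXXX') for each character outside ALLOWED."""
    return [(i, ch, f"U+{ord(ch):04X}")
            for i, ch in enumerate(value) if ord(ch) not in ALLOWED]


def audit_users(users):
    """Map user_name -> offending characters for users whose display name fails.

    Assumption: the display name is "<First Name> <Last Name>"; adjust this
    if your identity domain composes the value differently.
    """
    findings = {}
    for user in users:
        display = f"{user['first_name']} {user['last_name']}"
        bad = invalid_chars(display)
        if bad:
            findings[user["user_name"]] = bad
    return findings


# Constructed sample records (hypothetical field names, not real users).
SAMPLE_USERS = [
    {"user_name": "asmith", "first_name": "Alice", "last_name": "Smith"},
    {"user_name": "jmuller", "first_name": "J\u00fcrgen", "last_name": "M\u00fcller"},
    {"user_name": "ohara", "first_name": "Sean", "last_name": "O'Hara"},
    {"user_name": "ltanaka", "first_name": "\u7530\u4e2d", "last_name": "Lee"},
]

if __name__ == "__main__":
    for name, bad in audit_users(SAMPLE_USERS).items():
        print(f"{name}: {bad}")
```

Users reported by audit_users are the ones whose proxied requests an RFC-enforcing Application Server would answer with 400 Bad Request.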
App Gateway Server Doesn't Reflect Changes
When you can't see the changes you've made in IAM in the App Gateway server, try the following.
Changes you make to enterprise applications and App Gateway definitions in Identity Domains might not be reflected immediately on App Gateway because App Gateway caches Identity Domains information, such as resources, authentication policies, and header values of enterprise applications.
App Gateway contacts IAM using agents to collect host and port information. When you start App Gateway, its NGINX server is automatically configured with this information. Any changes to IAM are periodically polled by the agents.
Edit the /usr/local/nginx/conf/cloudgate.config file. Change the ttl value for policy and headers in the caching section as per the following example, and then restart both App Gateway server and the agent.

"caching" : {
    "minimumTtl" : 300,
    "headers" : { "ttl": 3600 },
    "discovery" : { "ttl": 3600 },
    "policy" : { "ttl": 3600 },
    "tenantKeys" : { "ttl": 86400 }
}
In the /usr/local/nginx/conf/cloudgate.config file, change the pollIntervalSecs value in the agentConfig section as in the example:

"agentConfig": {
    "pollIntervalSecs" : 60,
    "daemon" : true,
    "logLevel" : "warn",
    "logFolder" : ""
}
/scratch/oracle/cloudgate/home/bin/cg-stop
/scratch/oracle/cloudgate/home/bin/cg-start
/scratch/oracle/cloudgate/home/bin/agent-stop
/scratch/oracle/cloudgate/home/bin/agent-start
Invalid_session Message
When App Gateway can't communicate correctly with IAM, you find invalid_session messages in the App Gateway error log files.
The following is an example of an invalid_session message in the error.log file:
www-authenticate: Bearer error="invalid_session", error_description="Authentication Failure
This can be because of the way App Gateway processes a client request to a protected resource. App Gateway uses NGINX sub requests to make requests to IAM, so the Linux NGINX resolver must be configured appropriately for these sub requests to function correctly.
- Verify that the resolver setting in the file /usr/local/nginx/conf/nginx-cg-sub.conf is set to the correct IP.
- Verify that the tenant name in the /usr/local/nginx/conf/cloudgate.config file is configured correctly.
GET 127.0.0.1:53 Command Error
The error log files contain a GET 127.0.0.1:53 command responding with error number 500.
Because App Gateway makes sub requests to an internal servlet, App Gateway requires your virtual machine to listen on port 53.
The App Gateway server must communicate with itself through IP address 127.0.0.1 and port 53.
If you're running App Gateway in virtual machine software, configure port forwarding for this port from the host to the guest. See Configuring Port Forwarding Rules.
App Gateway Server Can't Communicate With IAM
When your App Gateway server can't communicate with IAM, follow these steps to use an SSH client such as PuTTY and the following credentials to sign in to the App Gateway server.