Creating an application gateway

An Application Gateway is a web reverse proxy that you can configure to act as an entry-point for your existing applications. It provides authentication and authorization capabilities without requiring expensive changes or extensions to the applications that you want to protect.

Before you begin

  • You must have administrative permission to complete this task.

About this task

In draft mode, you can change any of the modifiable settings. To change settings after you deploy the gateway, click Applications > Application gateway > Application name > Configuration and scroll down to Edit.

Procedure

  1. Log in as an administrator in IBM® Verify and navigate to Applications > Application Gateway.
  2. Click Create application gateway and provide the general details.
    Tip: The name cannot contain spaces or special characters. You can use hyphens and underscores.

    The primary hostname corresponds to the DNS-resolvable name that is used to reach the gateway. For example, myapp-gateway.com.

  3. Optional: Select Yes to enable agent health reporting.
    With this option, IBM Verify becomes the central management and monitoring point for the on-premises IBM Application Gateway (IAG) runtime.
  4. Click Next.
  5. Configure security.
    Sensitive data within the configuration is encrypted. If an encryption key is not supplied, one is automatically generated.
    • When an encryption key is automatically generated, the public key is stored with the Application Gateway configuration. The private key is generated after you click Create. The private key is not stored and is available for a one-time download only. The private key must be stored separately and made available in the environment that runs the gateway.
    • If you want to provide your own encryption keys, select Upload key and follow the instructions.
  6. Click Next.
  7. Select the Server protocols that you want to use and click Next.
  8. Choose the type of Transport Layer Security (TLS) certificates that you want to use, either front-end or trusted certificates.
    Front-end certificates secure communication between a user's browser and a website's server.
    • Select Generate certificates to use the self-signed certificates that are generated by the application gateway.
    • Select Upload certificates and provide the private key file name. Then upload the public certificate. Both must be in .pem format.
    Trusted certificates require a signer certificate. Upload a public certificate in .pem format.
  9. Enable Advanced hostname settings and follow the instructions.
  10. Click Create.
  11. Download and save the private key.
    The private key is not stored and is available for a one-time download only.
  12. Optional: Edit the container settings.
  13. Add an OpenID connect provider.
    Provide the configuration settings and continue through the wizard.
    Note: If you select IBM Verify as the provider, an application is automatically created and the Basic details are prefilled. You can still set scopes and query strings. You also need to set the entitlements for the OIDC provider. For more information, see Managing application entitlements (by administrator or application owner).
  14. Add a resource.
    A resource is used to define an application or service that you want to protect.
    1. Provide the resource information.
      • For a server path, you can also select to use the transparent path, which passes the full path to the resource server. For a virtual host, you must specify the hostname and a port.
      • Select the connection type. If you select HTTPS, you can optionally provide the server name indicator (SNI). SNI is a TLS extension that identifies the server that you want to connect to.
      • A stateful resource maintains information about the connections the gateway established. When Stateful is enabled, all requests that are made during the user session are sent to the same resource server.
      • HTTP/2 is an update of the Hypertext Transfer Protocol (HTTP) that is designed to improve the performance and efficiency of web browsing.
    2. Select the method for single sign-on.
      JSON Web Token (JWT)
      A JSON Web Token secures communication between a user's browser and a website's server. It can be used to authenticate a user, provide information about the user, and protect access to resources.
      HTTP headers
      An HTTP header is metadata that is included in HTTP requests and responses. It provides additional information about the request or response, such as the content type, encoding, or authentication credentials. It improves communication between a web server and a client.
      Basic authentication
      Basic authentication requires the user to provide their username and password in plain text.
    3. Select or configure the resource servers that you want to protect.
  15. Click Create.
  16. Optional: Add an authorization policy.
    This policy defines who can access specific resources.

    Specify the basic details, the paths that the policy is applied to, any rules for the policy, and click Add.

  17. Publish your gateway.
    1. Click Export to deploy.
      Select the type of configuration files that you want to export.
    2. Follow the gateway deployment instructions.
    3. Click Done.
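
Step 8 requires the uploaded private key and public certificate to be in .pem format. The following check is an added example, not IBM code: it confirms that a file holds well-formed PEM blocks of the kind the upload field expects and flags private key material in a file meant to be the public certificate. It checks structure only, not whether the key matches the certificate; the function names are hypothetical and the sample PEM blocks are constructed placeholders.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY"}

def pem_labels(text):
    """Return the label of every PEM block, validating each body."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            raise ValueError(f"{label}: body is not valid base64") from None
        if der[:1] != b"\x30":  # certificates and keys are DER SEQUENCEs
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        labels.append(label)
    return labels

def check_upload(text, expect):
    """List problems with a file meant as a 'certificate' or 'private_key'."""
    try:
        labels = pem_labels(text)
    except ValueError as exc:
        return [str(exc)]
    if not labels:
        return ["no PEM block found (binary DER or PKCS#12 file?)"]
    keys = [name for name in labels if name in PRIVATE_LABELS]
    problems = []
    if expect == "certificate":
        if keys:
            problems.append("private key material in certificate file")
        if "CERTIFICATE" not in labels:
            problems.append("no CERTIFICATE block")
    elif len(keys) != 1:
        problems.append("expected exactly one private key block")
    return problems

def fake_pem(label):
    """Constructed placeholder: a 5-byte DER SEQUENCE, not a real cert or key."""
    body = base64.encodebytes(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

SAMPLE_CERT = fake_pem("CERTIFICATE")
SAMPLE_BUNDLE = SAMPLE_CERT + fake_pem("PRIVATE KEY")  # a common export mistake

if __name__ == "__main__":
    print(check_upload(SAMPLE_CERT, "certificate"))
    print(check_upload(SAMPLE_BUNDLE, "certificate"))
```

An empty list means the file passed the structural check; any other result names what to fix before uploading.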

Results

Your application gateway is available and can be managed through your IBM Verify tenant. If you modify your gateway settings, an incremental version number is assigned to the gateway configuration.

What to do next

Click Applications > Application gateway > Application name > Runtime to monitor the health of your gateway and its instances.