APAR status
Closed as program error.
Error description
A new security check was added in v10.0.1.4 to prevent the user from sending the client ID in multiple places. The check inspects both the message body and the headers. If the request body contains "client_id" and the client ID has already been provided in a header or query parameter, APIGW returns the following error: {"httpCode":"403","httpMessage":"Forbidden","moreInformation":" APIsecurity action found multiple references to the client ID in the request."} In this case the client_id in the message body is not meant for the APIC security check; it is only for use in the main assembly flow (for example, to pass to a backend server).
Local fix
1. Use a name other than "client_id" in the body, and then rename it by using a gatewayscript or xslt policy before the invoke to the backend.
2. Send the client ID in a request header with a different header name, and then use a set-variable, gatewayscript, or xslt policy to copy it somewhere else after APIGW's security check and before the invoke to the backend.
Problem summary
APIGW returns a 403 Forbidden error if a secondary client_id is in the request body.
Problem conclusion
Fix is available in 10.0.4.0 and 10.0.1.6. For a list of the latest fix packs available, please see: https://www.ibm.com/support/pages/node/83105
Temporary fix
Comments
APAR Information
APAR number
IT38371
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
A0X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-09-14
Closed date
2021-12-01
Last modified date
2022-02-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
Document Information
Modified date:
18 February 2022