Upgrade IG (PingGateway) from 7.2 to 2024.3

Hi folks,
good day!

Has anybody tried to upgrade IG 7.2 to 2024.3 recently? How did you take care of HTTP connector attributes and other performance tuning parameters as part of the upgrade to 2024.3? Thanks!

There are just a few Vert.x property changes, and I can’t see those as being problematic for most. To which are you referring, @Akhil.Gorla?

Here are my queries regarding standalone mode IG:

  1. Some of the characters disallowed by the HTTP/1.1 spec need to be allowed/tolerated using relaxedPathChars and relaxedQueryChars in the Tomcat Connector attributes in web container IG. As I understand it, out of the box, IG standalone mode will ONLY allow HTTP/1.1 spec characters. Some of our internal applications do not comply with HTTP/1.1, so how do we allow those characters? How do we deal with this situation in standalone mode? Is there any workaround to allow characters disallowed by HTTP/1.1?

  2. We used to get Tomcat localhost access logs in web container mode IG and filtered a few URL patterns in web.xml as they were causing disk space issues. In standalone mode IG, do we get any logs other than $HOME/.openig/logs? As standalone mode is backed by a Vert.x core instance, are there Vert.x local logs? I would appreciate any feedback or comments on standalone mode logging.

Thanks!

Thank you for exposing your situation.

In regards to your first point, non-compliant HTTP/1.1 character sets: this is discussed at vert-x3.github.io, and it comes with many warnings as well.

Additionally, there is some character set encoding configuration handled by IG. Be forewarned that much of the application supports strictly UTF-8. But, for example, see: Transformations :: ForgeRock Identity Gateway and FileAttributesFilter :: ForgeRock Identity Gateway

In regards to your second point: the logging of IG is maintained in the specified logs directory. Levels of verbosity for the Route audit logs, and for the Gateway and the Administrative application, are completely configurable and can be configured to be exceptionally verbose.

For Auditing, please see: Audit the deployment :: ForgeRock Identity Gateway
And for the administrative and the gateway application, please see the section: Manage logs :: ForgeRock Identity Gateway

Lastly, URL rewriting is a core feature of IG (as with most HTTP proxy applications). The rewriting can be accomplished in the configuration of your route. Can you provide an example of a problematic situation, please?

From a gateway perspective, I can’t imagine what data you would be seeking that would not be found in any of these log files.

Cheers.
Guy.

1 Like

Hi, apologies for the delayed response.

Here is the problematic application, which needs the disallowed character below after the query parameter to process the request at IG:

abc.com/api/properties?users=names|Status|Priority

After removing relaxedPathChars and relaxedQueryChars in the Tomcat server.xml, we see this error:
java.lang.IllegalArgumentException: Invalid character found in the request target [/api/properties?users=names|Status|Priority]. The valid characters are defined in RFC 7230 and RFC 3986

Do you think URL rewriting would be the correct approach for this use case, or is there any other better solution? Thank you.

Hi @Akhil.Gorla

The issue here is that the query string parameters are using a character (|) that is not valid. The API that the request is being sent to should not use that as a delimiter, or if it is absolutely required the character should be escaped as %7C. Try changing the request to escape that character and see if that helps you.

1 Like
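
As an added example (not part of the original thread, and not PingGateway or Tomcat code): a Python helper for the escaping suggested in the answer above, applied by the calling client before the request is sent. It generalizes beyond `|` to any character outside the RFC 3986 query grammar; the function names `invalid_query_chars` and `escape_query` are hypothetical.

```python
import re
import string

# RFC 3986: query = *( pchar / "/" / "?" )
# pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
UNRESERVED = string.ascii_letters + string.digits + "-._~"
SUB_DELIMS = "!$&'()*+,;="
QUERY_OK = set(UNRESERVED + SUB_DELIMS + ":@/?")
PCT_TRIPLET = re.compile(r"%[0-9A-Fa-f]{2}")


def invalid_query_chars(target):
    """Return the query characters that RFC 3986 does not allow unescaped."""
    _, _, query = target.partition("?")
    stripped = PCT_TRIPLET.sub("", query)  # well-formed escapes are valid
    return sorted({c for c in stripped if c not in QUERY_OK})


def escape_query(target):
    """Percent-encode only the disallowed characters in the query.

    Existing %XX escapes and delimiters such as & and = are left alone, so
    the call is idempotent and parameter boundaries do not move.
    """
    path, sep, query = target.partition("?")
    out = []
    i = 0
    while i < len(query):
        if PCT_TRIPLET.match(query, i):       # keep an existing escape as-is
            out.append(query[i:i + 3])
            i += 3
            continue
        ch = query[i]
        if ch in QUERY_OK:
            out.append(ch)
        else:                                  # includes a stray "%" and non-ASCII
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
        i += 1
    return path + sep + "".join(out)


if __name__ == "__main__":
    # Request target taken from the error message quoted in the thread.
    target = "/api/properties?users=names|Status|Priority"
    print(invalid_query_chars(target), "->", escape_query(target))
```

The backend receives the same parameter value after decoding, so the `|` delimiter still works for the application while the request line stays valid for a strict HTTP parser.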

Sure, @mwtech. Will try. Thank you.

2 Likes