Troubleshoot App Gateway
Learn about common problems that you might encounter when setting up App Gateway and how to solve them:
I Made Changes in Oracle Identity Cloud Service but the App Gateway Server Doesn't Reflect the Changes
Changes you make to enterprise applications and App Gateway definitions in Oracle Identity Cloud Service may not be reflected immediately on App Gateway because App Gateway caches Oracle Identity Cloud Service information, such as resources, authentication policies, and header values of enterprise applications.
Explanation: App Gateway contacts Oracle Identity Cloud Service using agents to collect host and port information. When you start App Gateway, its NGINX server is automatically configured with this information. Any changes to Oracle Identity Cloud Service is periodically polled by the agents.
/usr/local/nginx/conf/cloudgate.config
file. Change the ttl
value for policy
and headers
in the caching
section as per the following example, and then restart both App Gateway server and the agent."caching" : {
"minimumTtl" : 300,
"headers" : { "ttl": 3600 },
"discovery" : { "ttl": 3600 },
"policy" : { "ttl": 3600},
"tenantKeys" : { "ttl": 86400 }
}
/usr/local/nginx/conf/cloudgate.config
file, change the pollIntervalSecs
value in the agentConfig
section as per the example:"agentConfig": {
"pollIntervalSecs" : 60,
"daemon" : true,
"logLevel" : "warn",
"logFolder" : ""
}
/scratch/oracle/cloudgate/home/bin/cg-stop
/scratch/oracle/cloudgate/home/bin/cg-start
/scratch/oracle/cloudgate/home/bin/agent-stop
/scratch/oracle/cloudgate/home/bin/agent-start
Error Log Files Contain Invalid_session Message
When App Gateway can't communicate correctly with Oracle Identity Cloud
Service, you'll find invalid_session
messages in the App Gateway error log
files.
The following is an example of an invalid_session
messages in
error.log
file:
www-authenticate: Bearer error="invalid_session", error_description="Authentication Failure
This can be because of the way App Gateway processes a client request to
a protected resource. App Gateway uses NGINX
sub requests to make
requests to Oracle Identity Cloud
Service, and then App Gateway requires Linux NGINX
resolver to be
configured appropriately to allow these sub requests to function correctly.
- Verify that the resolver setting in the file
/usr/local/nginx/conf/nginx-cg-sub.conf
is set to the correct IP. - Verify that the tenant name in
/usr/local/nginx/conf/cloudgate.config
file is configured correctly.
Error Log Files Contain GET 127.0.0.1:53 Command Responding Error Number 500
Because App Gateway makes sub requests to an internal servlet, App Gateway requires your virtual machine to listen to port 53
.
The App Gateway server must communicate to itself through IP address
127.0.0.1
and port 53
.
If you're running App Gateway in a virtual machine software, configure port forward for this port from the host to the guest. See Configure Port Forwarding Rules
App Gateway Server Can't Communicate With Oracle Identity Cloud Service
Use a SSH client such as PuTTY
and the following credentials to log in to the App Gateway server:
-
Execute the
sudo su -
command to login asroot
, and when prompted provide the oracle password. -
Install telnet by running the following command:
yum install telnet
-
Run the following telnet command and try to establish a connection to your Oracle Identity Cloud Service instance and your application from the App Gateway server.
telnet <idcs-tenant>.identity.oraclecloud.com 443
If telnet can't connect to your Oracle Identity Cloud Service, then contact your network administrator to apply any other network configuration to enable the App Gateway server to establish connection with your Oracle Identity Cloud Service instance.
- Execute the
exit
command, to log out from root account.