Troubleshoot App Gateway

My Response Error Message Contains: 400 Bad Request: invalid header value

Learn the common cause when a response error message contains: 400 Bad Request: invalid header value.

App Gateway adds headers to the requests that are proxied to an upstream Application Server. One of these headers, idcs_user_display_name, might have invalid characters as defined by the newer RFC - depending on the values set for the First Name and Last Name of the Oracle Identity Cloud Service user. This new RFC limits the allowed characters to printable US-ASCII characters (that is, 0x21 - 0x7E and the space and horizontal tab characters). See RFC 7230 HTTP/1.1 Message Syntax and Routing.

Application Servers that enforce the newer RFC will reject the request with the response: 400 Bad Request: invalid header value. Note: The exact response depends on the Application Server being used.

To resolve this issue, remove any nonprintable characters.

I Made Changes in Oracle Identity Cloud Service but the App Gateway Server Doesn't Reflect the Changes

Changes you make to enterprise applications and App Gateway definitions in Oracle Identity Cloud Service may not be reflected immediately on App Gateway because App Gateway caches Oracle Identity Cloud Service information, such as resources, authentication policies, and header values of enterprise applications.

Explanation: App Gateway contacts Oracle Identity Cloud Service using agents to collect host and port information. When you start App Gateway, its NGINX server is automatically configured with this information. Any changes to Oracle Identity Cloud Service is periodically polled by the agents.

By default the policy and headers refresh time are 3600 seconds (1 hour) each. To change these values, log in to the App Gateway server, and edit the /usr/local/nginx/conf/cloudgate.config file. Change the ttl value for policy and headers in the caching section as per the following example, and then restart both App Gateway server and the agent.

"caching" : {
  "minimumTtl"            : 300,
  "headers"               : { "ttl": 3600 },
  "discovery"             : { "ttl": 3600 },
  "policy"                : { "ttl": 3600},
  "tenantKeys"            : { "ttl": 86400 }
}

You can also change the poll interval of the agents. By default, the agent's refresh time to get new App Gateway configuration from Oracle Identity Cloud Service is 60 seconds, which is the minimum amount of time supported. In the /usr/local/nginx/conf/cloudgate.config file, change the pollIntervalSecs value in the agentConfig section as per the example:

"agentConfig": {
    "pollIntervalSecs"    : 60,
    "daemon"         : true,
    "logLevel"        : "warn",
    "logFolder"        : "" 
}

If you want the changes in the Enterprise Application configuration to be reflected immediately, stop the App Gateway server and then start the server.

/scratch/oracle/cloudgate/home/bin/cg-stop
/scratch/oracle/cloudgate/home/bin/cg-start

If you want the changes in the App Gateway configuration to be reflected immediately, stop the agent and then start the agent.

/scratch/oracle/cloudgate/home/bin/agent-stop
/scratch/oracle/cloudgate/home/bin/agent-start

See Start and Stop App Gateway

Error Log Files Contain Invalid_session Message

When App Gateway can't communicate correctly with Oracle Identity Cloud Service, you'll find invalid_session messages in the App Gateway error log files.

The following is an example of an invalid_session messages in error.log file:

www-authenticate: Bearer error="invalid_session", error_description="Authentication Failure

This can be because of the way App Gateway processes a client request to a protected resource. App Gateway uses NGINX sub requests to make requests to Oracle Identity Cloud Service, and then App Gateway requires Linux NGINX resolver to be configured appropriately to allow these sub requests to function correctly.

Verify that the resolver setting in the file /usr/local/nginx/conf/nginx-cg-sub.conf is set to the correct IP.
Verify that the tenant name in /usr/local/nginx/conf/cloudgate.config file is configured correctly.

Error Log Files Contain GET 127.0.0.1:53 Command Responding Error Number 500

Because App Gateway makes sub requests to an internal servlet, App Gateway requires your virtual machine to listen to port 53.

The App Gateway server must communicate to itself through IP address 127.0.0.1 and port 53.

If you're running App Gateway in a virtual machine software, configure port forward for this port from the host to the guest. See Configure Port Forwarding Rules

App Gateway Server Can't Communicate With Oracle Identity Cloud Service

Use a SSH client such as PuTTY and the following credentials to log in to the App Gateway server:

Execute the sudo su - command to login as root, and when prompted provide the oracle password.
Install telnet by running the following command:
```
yum install telnet
```
Run the following telnet command and try to establish a connection to your Oracle Identity Cloud Service instance and your application from the App Gateway server.
```
telnet <idcs-tenant>.identity.oraclecloud.com 443
```
If telnet can't connect to your Oracle Identity Cloud Service, then contact your network administrator to apply any other network configuration to enable the App Gateway server to establish connection with your Oracle Identity Cloud Service instance.
Execute the exit command, to log out from root account.

Configuring Cloud Gate CORS Settings in Oracle Identity Cloud Service

Learn how to configure Cloud Gate CORS settings in Oracle Identity Cloud Service.

If you need to configure Cloud Gate CORS settings in Oracle Identity Cloud Service, then you use the Oracle Identity Cloud Service REST API. See Configuring Cloud Gate CORS Settings in Oracle Identity Cloud Service.