Tips & tricks for installing and running IBM products

OAuth and OpenID Connect provider configuration for reverse proxy instances - reuse acl option

Tom Bosmans  10 October 2018 10:12:04
I have multiple reverse proxy instances configured on an appliance, and recently added a new one.

I performed the "OAuth and OpenID Connect Provider configuration", and did not select the options "Reuse ACL" or "Reuse Certificates".

After that, I noticed that my OpenID authentication no longer worked correctly on the other instances.
The reason was that the ACLs for the objects in /mga/sps/oauth/oauth20/ disappeared.

So if you have already configured other instances on your appliance for "OAuth and OpenID Connect", always enable "Reuse ACL"!

What actually happens is easy to follow in the autocfg__oauth.log file in the Reverse Proxy log files:

If "Reuse ACL" is not checked, the configuration first detaches the ACLs from all objects, deletes the ACL and then adds it again, but only for the reverse proxy where you run the configuration.
So you lose all configuration that uses the isam_oauth_* ACLs in the other instances.

Moral of the story: always enable "Reuse ACL" when running the "OAuth and OpenID Connect Provider configuration".
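
A way to check for the missing attachments described above after running the configuration (an added example, not part of the original post). It assumes you have saved the output of `pdadmin acl find <acl-name>` for each isam_oauth_* ACL into one file, one object path per line, and that each instance's objects sit under /WebSEAL/<host>-<instance>; the host and instance names below are constructed.

```shell
#!/bin/sh
# Report reverse proxy instances that have no isam_oauth_* ACL attached to
# any object under /mga/sps/oauth/oauth20/.
# Assumption: input is the collected output of `pdadmin acl find <acl-name>`,
# one protected-object path per line.

OAUTH_PATH="/mga/sps/oauth/oauth20/"

# $1 = file with attached object paths
# remaining args = object-space root of each instance, /WebSEAL/<host>-<instance>
instances_missing_oauth_acl() {
    attached_file=$1
    shift
    for root in "$@"; do
        # Fixed-string prefix match: the instance is covered when at least
        # one attached object lies below <root>/mga/sps/oauth/oauth20/.
        if ! awk -v p="${root}${OAUTH_PATH}" '
                { sub(/^[ \t]+/, "") }          # tolerate indented output
                index($0, p) == 1 { found = 1 }
                END { exit !found }' "$attached_file"; then
            printf '%s\n' "$root"
        fi
    done
}

# Constructed sample: only the newly configured instance still has attachments,
# which is the state described in the post when "Reuse ACL" was not selected.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/WebSEAL/isam.example.com-new/mga/sps/oauth/oauth20/authorize
/WebSEAL/isam.example.com-new/mga/sps/oauth/oauth20/token
EOF

MISSING=$(instances_missing_oauth_acl "$SAMPLE" \
    /WebSEAL/isam.example.com-default \
    /WebSEAL/isam.example.com-new)
rm -f "$SAMPLE"
echo "instances without OAuth ACL attachments: ${MISSING:-none}"
```

Any instance it prints needs its isam_oauth_* ACLs reattached before OAuth and OpenID Connect will work there again.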