OTK Authorization Error in a Non-Clustered Gateway Architecture
Article ID: 205220

Products

CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway

Issue/Introduction

We upgraded the Gateway from 9.2 to 9.4 and the OTK from 4.1 to 4.3. After that, the gateways are behaving oddly.

Setup: 2 individual gateways (not clustered), with 1 externalized OTK DB connected to both gateways.

After the upgrade, when we keep both gateways up, all the services fail. If we keep one gateway up, all the services work as expected. Example: if gateway 01 is up and gateway 02 is down, requests process successfully; vice versa (GW 02 up and GW 01 down) still works.

The error message our ads teams see when both gateways are up is:

OAuth 2.0 Authorization Server

error: invalid_request
error_description: The session has expired or already been granted. The login process has to be repeated to be successful


Environment

Release : 9.4

Component : API GATEWAY

Cause

When the OTK module is installed separately on each Gateway, the read-only "OTK Authorization Server Configuration" policy (an encapsulated assertion) sets the otk_session_secret and otk_session_secret_encryption values on that gateway, and the two independent installs generate different values on the two gateways. During endpoint processing, login session state that was encrypted by one gateway cannot be decrypted or validated by the other, so any request whose earlier step was handled by the other gateway fails with the error above. With a single gateway up, every step of the flow is processed with the same secrets, which is why the problem only appears when both nodes are running.

Resolution

The OTK provides a customization policy for certain OTK assertions whose own policies are read-only.

For the OTK Authorization Server Configuration, edit the #OTK Authorization Server Configuration customization policy and add the two context variables.

Best approach: copy the two Set Context Variable assertions from the OTK Authorization Server Configuration policy of one gateway into the customization policy of both gateways, so that both gateways use the same values:

Set Context Variable otk_session_secret as string to: VALUE
Set Context Variable otk_session_secret_encryption as string to: VALUE

The resulting customization policy, at OTK -> Customizations -> Authorization Server -> #OTK Authorization Server Configuration, then reads:

Comment: Target Configuration Policy: "OTK Authorization Server
Comment: === Set custom values for Context Variables below ===
Comment: === Add any new Context Variables or extensions below ===
Set Context Variable otk_session_secret as string to: VALUE
Set Context Variable otk_session_secret_encryption as string to: VALUE

Both gateways must end up with identical values for both variables. To verify the change, start a login on one gateway and confirm that the follow-up request completes when it is routed to the other gateway; with both nodes up, the invalid_request error should no longer appear.
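As an added illustration of the cause and the fix above (written for this article; it is not OTK's code and not part of the original page), the following simulation models two non-clustered gateway nodes. Each node encrypts and MACs its login session state with its own otk_session_secret_encryption and otk_session_secret, so a session issued on one node is rejected on the other with the invalid_request error; giving both nodes the same two values through the customization policy makes the session portable. The Gateway class, the token layout (nonce, ciphertext, HMAC tag), the use of one secret for encryption and the other for integrity, and the find_mismatched_variables check are assumptions made for the example.

```python
"""Simulation of the OTK session-secret mismatch between two gateway nodes.

Illustration only: token format, key derivation and the Gateway class are
assumptions for this example, not OTK's implementation.
"""
import hashlib
import hmac
import json
import secrets


class SessionError(Exception):
    """Raised when a session token fails authentication on a node."""


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for the gateway's real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class Gateway:
    """One gateway node with its own OTK Authorization Server Configuration."""

    def __init__(self, name, session_secret=None, session_secret_encryption=None):
        self.name = name
        # A separate OTK install on each node sets fresh random values unless
        # the customization policy supplies them (assumption for the example).
        self.otk_session_secret = session_secret or secrets.token_hex(16)
        self.otk_session_secret_encryption = (
            session_secret_encryption or secrets.token_hex(16))

    def _keys(self):
        enc = hashlib.sha256(self.otk_session_secret_encryption.encode()).digest()
        mac = hashlib.sha256(self.otk_session_secret.encode()).digest()
        return enc, mac

    def issue_session(self, session: dict) -> bytes:
        """Encrypt-then-MAC the login session state: nonce || ciphertext || tag."""
        enc, mac = self._keys()
        nonce = secrets.token_bytes(16)
        plain = json.dumps(session, sort_keys=True).encode()
        cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc, nonce, len(plain))))
        tag = hmac.new(mac, nonce + cipher, hashlib.sha256).digest()
        return nonce + cipher + tag

    def open_session(self, token: bytes) -> dict:
        """Verify and decrypt a token; a foreign secret yields the OTK-style error."""
        enc, mac = self._keys()
        nonce, cipher, tag = token[:16], token[16:-32], token[-32:]
        expected = hmac.new(mac, nonce + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise SessionError(
                "invalid_request: The session has expired or already been "
                "granted. The login process has to be repeated to be successful")
        plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc, nonce, len(cipher))))
        return json.loads(plain)


def session_round_trip(issuer: Gateway, verifier: Gateway) -> bool:
    """True when a session created on `issuer` can be opened on `verifier`."""
    token = issuer.issue_session({"client_id": "demo", "state": "login-ok"})
    try:
        return verifier.open_session(token)["state"] == "login-ok"
    except SessionError:
        return False


def find_mismatched_variables(gateways):
    """Names of the two OTK context variables that differ across nodes.

    An empty list is the post-fix check: every node carries the same values.
    """
    names = ["otk_session_secret", "otk_session_secret_encryption"]
    return [n for n in names if len({getattr(g, n) for g in gateways}) > 1]


def simulate_independent_installs():
    """Before the fix: both nodes up, each with the secrets its own install set."""
    gw01, gw02 = Gateway("GW01"), Gateway("GW02")
    return (session_round_trip(gw01, gw01),   # same node: works
            session_round_trip(gw01, gw02))   # next request hits the other node: fails


def simulate_shared_customization():
    """After the fix: the same two VALUEs placed in both customization policies."""
    shared = dict(session_secret="VALUE-copied-from-GW01",
                  session_secret_encryption="VALUE-enc-copied-from-GW01")
    gw01, gw02 = Gateway("GW01", **shared), Gateway("GW02", **shared)
    return session_round_trip(gw01, gw02), find_mismatched_variables([gw01, gw02])


if __name__ == "__main__":
    print("independent installs (same node, cross node):", simulate_independent_installs())
    print("shared customization (cross node, mismatches):", simulate_shared_customization())
```

The cross-node failure is an integrity failure (the HMAC tag does not verify under the other node's otk_session_secret), which is the same symptom class as the "session has expired or already been granted" response: the second node cannot recognise the session at all. find_mismatched_variables is the check to run conceptually after editing both customization policies; anything other than an empty list means one node still carries an install-generated value.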