Thursday 10 November 2016

Cumulative Statistics with Identity Gateway

How healthy is your Identity Gateway? How healthy are the downstream applications it protects? Cough, cough, one might think.
IG Studio makes it easy to enable statistics collection. Data is accumulated since server startup and also over recent time intervals. Statistics-based health checking tells you not just whether endpoints are alive or dead, but how well they are serving clients.

So, bring up IG Studio and configure the /rocksock application (route) and enable statistics for it. 


Turning statistics on and providing the percentiles sets the "monitor" object in the configuration.


  "monitor" : {
    "enabled" : true,
    "percentiles" : [ 0.25, 0.5, 0.9, 0.99, 0.999, 0.9999 ]
  }

The cumulative statistics can be retrieved with a simple curl command:


curl http://openig.example.com:8080/openig/api/system/objects/_router/routes/rocksock/monitoring?_prettyPrint=true

{
  "requests" : {
    "total" : 1590742,
    "active" : 0
  },
  "responses" : {
    "total" : 1590742,
    "info" : 0,
    "success" : 1590742,
    "redirect" : 0,
    "clientError" : 0,
    "serverError" : 0,
    "other" : 0,
    "errors" : 0,
    "null" : 0
  },
  "throughput" : {
    "mean" : 3060.6,
    "lastMinute" : 3206.0,
    "last5Minutes" : 2584.7,
    "last15Minutes" : 1349.9
  },
  "responseTime" : {
    "mean" : 0.017,
    "median" : 0.009,
    "standardDeviation" : 0.042,
    "total" : 31727,
    "percentiles" : {
      "0.25" : 0.007,
      "0.5" : 0.009,
      "0.9" : 0.022,
      "0.99" : 0.206,
      "0.999" : 0.504,
      "0.9999" : 0.995
    }
  }
}

This output lets you read off characteristics that help determine the actual health of the system:
  • IG is up and this application protection (route) is deployed
  • IG has handled 1590742 requests for /rocksock since startup, all of which received a success response
  • The throughput over the last minute was 3206 requests per second, 2584 requests/sec over the last 5 minutes and 1349.9 requests/sec over the last 15 minutes
  • 99.99 % of the requests were responded to in 0.995 milliseconds or less
Note that the absolute response times depend a lot on the response times of the downstream applications. For further details on configuring statistics and analysing the result, see the Configuration Reference.
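A health check built on the monitoring output above, as an added example that is not part of the original post: it fetches (or takes) the route statistics JSON and turns the error ratio, the 0.99 percentile and the throughput trend into a pass/fail verdict. The thresholds, the `fetch_stats` helper and the degraded sample are assumptions for illustration.

```python
# Added example, not from the original post: assess an IG route's health from the
# cumulative statistics JSON shown above. Thresholds are assumptions for illustration.
import copy, json
from urllib.request import urlopen

# Constructed sample: the post's monitoring output, trimmed to the fields used here.
SAMPLE_STATS = json.loads("""{
  "requests": {"total": 1590742, "active": 0},
  "responses": {"total": 1590742, "success": 1590742, "clientError": 0,
                "serverError": 0, "errors": 0, "null": 0},
  "throughput": {"mean": 3060.6, "lastMinute": 3206.0,
                 "last5Minutes": 2584.7, "last15Minutes": 1349.9},
  "responseTime": {"mean": 0.017, "median": 0.009,
                   "percentiles": {"0.5": 0.009, "0.99": 0.206, "0.9999": 0.995}}
}""")
# Constructed degraded variant: same route after the backend began failing.
DEGRADED_STATS = copy.deepcopy(SAMPLE_STATS)
DEGRADED_STATS["responses"]["serverError"] = 40000
DEGRADED_STATS["throughput"]["lastMinute"] = 120.0

def fetch_stats(route, host="openig.example.com:8080"):
    """Read live statistics for a route from the monitoring endpoint used in the post."""
    url = f"http://{host}/openig/api/system/objects/_router/routes/{route}/monitoring"
    with urlopen(url, timeout=5) as resp:
        return json.load(resp)

def assess_route(stats, max_error_ratio=0.01, p99_limit_ms=250.0, min_rps=1.0):
    """Return (healthy, findings); each finding names one breached threshold."""
    findings = []
    resp = stats["responses"]
    if resp["total"] == 0:
        return False, ["no responses recorded since startup"]
    # Server-side failures: 5xx responses plus handler errors and null responses.
    failed = resp.get("serverError", 0) + resp.get("errors", 0) + resp.get("null", 0)
    ratio = failed / resp["total"]
    if ratio > max_error_ratio:
        findings.append(f"error ratio {ratio:.4f} exceeds {max_error_ratio}")
    # Tail latency: the 0.99 percentile (milliseconds, as in the post) must stay under the limit.
    p99 = stats["responseTime"]["percentiles"].get("0.99")
    if p99 is not None and p99 > p99_limit_ms:
        findings.append(f"p99 response time {p99} ms exceeds {p99_limit_ms} ms")
    # Traffic: a sharp last-minute drop against the 15-minute rate can mean the
    # backend stopped answering even when error counts still look fine.
    tp = stats["throughput"]
    if tp["lastMinute"] < min_rps:
        findings.append(f"last-minute throughput {tp['lastMinute']} rps below {min_rps}")
    elif tp["lastMinute"] < 0.25 * tp["last15Minutes"]:
        findings.append("last-minute throughput fell below a quarter of the 15-minute rate")
    return not findings, findings
```

Run `assess_route(fetch_stats("rocksock"))` against a live gateway to get the same verdict for the real route.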

The Identity Gateway Studio will be shipped with ForgeRock Identity Gateway 5.0.

For more, see the Identity Gateway Studio introduction or the blog post on message capture.

Thursday 3 November 2016

Message Capture with OpenIG

Setting up protection for a web application or API is much easier if you know what is actually going on between client and server.
OpenIG works as a reverse web proxy, primarily to enforce authentication and authorization. However, it can also simply log inbound and outbound messages to a file.

The OpenIG Studio provides a straightforward way to configure the capture of inbound and outbound messages.

The capture is logged by default in the route-rocksock.log file. In this example, openig.example.com is the external hostname through which the client reaches OpenIG. The internal hostname is internal.company.com; it is not known to the client but is configured in the route configuration for /rocksock in OpenIG.
The route-rocksock.log file from the example:

--- (request) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 --->   

GET http://openig.example.com:8080/rocksock/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en;q=1,de;q=0.9,en-US;q=0.8,fr-FR;q=0.7,it;q=0.6
connection: keep-alive
host: openig.example.com:8080
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

--- (request) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 --->

GET http://internal.company.com:9080/rocksock/ HTTP/1.1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
accept-encoding: gzip, deflate
accept-language: en;q=1,de;q=0.9,en-US;q=0.8,fr-FR;q=0.7,it;q=0.6
connection: keep-alive
host: openig.example.com:8080
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0 SeaMonkey/2.33.1

<--- (response) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 ---

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
Date: Tue, 25 Oct 2016 16:13:48 GMT
ETag: W/"42-1477411512000"
Last-Modified: Tue, 25 Oct 2016 16:05:12 GMT

[entity]

<--- (response) id:0307be7f-3166-4dde-bf08-698dd82c2c5b-178 ---

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 42
Content-Type: text/html
Date: Tue, 25 Oct 2016 16:13:48 GMT
ETag: W/"42-1477411512000"
Last-Modified: Tue, 25 Oct 2016 16:05:12 GMT

[entity]
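The capture format above, parsed by an added example that is not part of the original post: it pairs the inbound and outbound messages by id, extracts the URLs and status codes, and reports which exchanges wrote credential-bearing headers into the log file (a capture file holds every header the client sent). The sample is a constructed, trimmed copy of the post's log with one cookie header added so the check has something to flag, and the list of sensitive header names is an assumption.

```python
# Added example (not from the post); the sample log is constructed from the post's capture.
import re
from collections import defaultdict

MARKER = re.compile(r"^(?:<---|---) \((request|response)\) id:(\S+) (?:--->|---)\s*$")
SENSITIVE = {"authorization", "proxy-authorization", "cookie", "set-cookie"}  # assumed list
SAMPLE_LOG = """\
--- (request) id:0307be7f-178 --->

GET http://openig.example.com:8080/rocksock/ HTTP/1.1
host: openig.example.com:8080
cookie: JSESSIONID=constructed-sample-value

--- (request) id:0307be7f-178 --->

GET http://internal.company.com:9080/rocksock/ HTTP/1.1
host: openig.example.com:8080

<--- (response) id:0307be7f-178 ---

HTTP/1.1 200 OK

[entity]
"""

def parse_capture(text):
    """Return {id: [msg, ...]}; msg = {"kind", "start" (first line), "headers" (lowercased)}."""
    exchanges, current = defaultdict(list), None
    for line in text.splitlines():
        m = MARKER.match(line)
        if m:  # a marker line opens a new message for that id
            current = {"kind": m.group(1), "start": None, "headers": {}}
            exchanges[m.group(2)].append(current)
        elif current is None or not line.strip() or line.strip() == "[entity]":
            continue  # separators and the body placeholder carry no fields
        elif current["start"] is None:
            current["start"] = line.strip()  # request line or status line
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return dict(exchanges)

def summarize(text):
    """Per id: URLs requested (inbound, then outbound), response codes, sensitive headers seen."""
    return {msg_id: {
        "urls": [m["start"].split()[1] for m in msgs if m["kind"] == "request"],
        "statuses": [int(m["start"].split()[1]) for m in msgs if m["kind"] == "response"],
        "sensitive": sorted({h for m in msgs for h in m["headers"] if h in SENSITIVE}),
    } for msg_id, msgs in parse_capture(text).items()}
```

Point `summarize` at the contents of a real route-rocksock.log to see, per exchange, the inbound versus outbound URL and whether cookies or authorization headers were captured to disk.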


The route configuration as produced by the OpenIG Studio looks as follows:
{
  "name": "rocksock",
  "baseURI": "http://internal.company.com:9080",
  "condition": "${matches(request.uri.path, '^/rocksock')}",
  "monitor": false,
  "capture": [
    "request",
    "response"
  ],
  "heap": [
    {
      "type": "ClientHandler",
      "name": "ClientHandler",
      "capture": [
        "request",
        "response"
      ]
    }
  ],
  "handler": "ClientHandler"
}


The IG Studio will be shipped with ForgeRock Identity Gateway 5.0. For more, see the OpenIG Studio introduction.