IBM API Connect Failed Login to Developer Portal UI — 502 Bad Gateway

The fix for this issue will be delivered ASAP.

If you are using the IBM API Connect with the version 10.0.8.0–258, may be you will get the same issue. The version 10.0.8 is released few weeks ago since this article is written.

What’s new in the latest release (version 10.0.8.0)

In this article I tried to share the issue that we found on first released of IBM API Connect. This isn’t a permanent solution, as the configuration would revert to its original state if the UI pod were restarted, but it may alleviate the problem while we deliver a fix.

We will try to update the running UI container and modify the configuration then overcome the issue temporarily.

From the first released of the product, we personally tried to using the latest version. We are implementing it on VMWare, we found that when we tried login to the apiconnect UI manager, the Keycloak redirect is failed with 502 Bad Gateway.

Check logs of related pods

First step we use the oc get pods command to find the name of the UI pod:

[root@OCPBASTIONDC ~]# oc get po -n cp4i | grep ui
apiconnect-5019c580-ui-588cd66b7-79c9q                            2/2     Running     0          79s

If you are using standalone installation

[root@OCPBASTIONDC ~]# oc get po -n cp4i | grep ui
management-f20a7476-ui-7f4d5c4f44-jth97                        2/2     Running     0          21h

From the UI Pods logs we found this, the error that said, “localhost could not be resolved”. This is the root cause of our issue.

[root@OCPBASTIONDC ~]# oc logs -f apiconnect-5019c580-ui-588cd66b7-79c9q -n cp4i
2024/07/22 05:05:46 [error] 17#17: *144 localhost could not be resolved (2: Server failure), client: 10.123.17.43, server: _, request: "GET /admin/uia/oauth2/redirect?code=16e876e7-2491-4ce9-bc23-59768810b087&state=e9216525-7cf3-4ea4-835c-9b717f06391f HTTP/1.0", host: "apiconnect-5019c580-admin-cp4i.apps.drc.ocp.bankabc.co.id"
10.123.17.43 - - [22/Jul/2024:05:05:46 +0000] "GET /admin/uia/oauth2/redirect?code=16e876e7-2491-4ce9-bc23-59768810b087&state=e9216525-7cf3-4ea4-835c-9b717f06391f HTTP/1.0" 502 556 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "192.168.121.4"

Before we start the temporary fixing, we need to find the local IP of pods

[root@OCPBASTIONDC ~]# oc get po apiconnect-5019c580-ui-588cd66b7-79c9q --template '{{.status.podIP}}'
10.123.22.106

Use the oc exec command to open a shell in the ui container of the pod:

[root@OCPBASTIONDC ~]# oc exec -ti apiconnect-5019c580-ui-588cd66b7-79c9q -c ui -- bash

Once in the ui container shell, navigate to the /usr/local/openresty/nginx/conf directory, and take a copy of the nginx.conf file.

This file contains the configuration of the nginx server that listens for incoming traffic and controls the routing to the UI authentication container.

 cd /usr/local/openresty/nginx/conf
 cp nginx.conf nginx.conf.orig

Export the IP_POD

export IP_POD=10.123.22.106
echo $IP_POD

Use the sed command to replace the localhost value with the value of the POD_IP environment variable and overwrite the nginx.conf file:

You can check the new value with this command:

grep uia_service nginx.conf

Before

bash-5.1$ grep uia_service nginx.conf
        set $uia_service https://localhost:3000;
        proxy_pass $uia_service;
        set $uia_service https://localhost:3000;
        proxy_pass $uia_service;
bash-5.1$

After

sed s/localhost/$IP_POD/g < nginx.conf.orig > nginx.conf

bash-5.1$ grep uia_service nginx.conf
        set $uia_service https://10.123.22.106:3000;
        proxy_pass $uia_service;
        set $uia_service https://10.123.22.106:3000;
        proxy_pass $uia_service;
bash-5.1$

Check the process ID of the running nginx process by looking at the file /run/nginx/nginx.pid:

This file contains a single line with the process number, which should be 1

bash-5.1$  cat /run/nginx/nginx.pid
1

Having confirmed the process ID, use the kill command to send a HUP signal to the process. This causes nginx to reload its configuration. Assuming the process number is 1, the command is:

kill -HUP 1

After running this command, the nginx server should now be able to successfully forward requests to the UI authentication container, and logging in to the Cloud Manager or API Manager UI should be successful.

Log out of the ui container shell by typing exit:

bash-5.1$ exit
exit

Re-access the developer portal

10.123.17.43 - - [22/Jul/2024:05:10:08 +0000] "GET /ui/credentials HTTP/1.0" 200 111 "https://apiconnect-5019c580-admin-cp4i.apps.drc.ocp.bankabc.co.id/auth/admin/sign-in/?error=Invalid%20state" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "192.168.121.4"
10.123.17.43 - - [22/Jul/2024:05:10:09 +0000] "GET /admin/uia/oauth2/redirect?code=850931ba-8077-4f2b-96a5-f3a7ceabbf4c&state=65e4bd27-17d1-4c67-a6e9-b5e3cb65fcf1 HTTP/1.0" 302 56 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36" "192.168.121.4"