[OPENIG-4573] Expose new state tracking option from COMMONS-575 in ClientHandler Created: 12/May/20  Updated: 19/Aug/20  Resolved: 04/Jun/20

Status: Closed
Project: Identity Gateway
Component/s: CHF
Affects Version/s: 5.0.0, 5.5.0, 5.5.1, 5.5.2, 6.0.0, 6.1.0, 6.5.0, 6.5.1, 6.5.2
Fix Version/s: 6.5.3, 7.0.0, 7.0.0-micsvc-1.0.3

Type: Improvement Priority: Major
Reporter: Mark de Reeper Assignee: Mark de Reeper
Resolution: Fixed Votes: 0
Labels: CustomerRFE, PICKERING
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

OpenIG being used with connection reuse enabled and Client certificates when talking to downstream applications

Issue Links:
depends on COMMONS-575 Make Apache Client connection state c... Resolved
is documented by OPENIG-4609 Doc: Expose new state tracking option... Resolved
Support Ticket IDs:
Epic Link: 7.0 - Stability
Sprint: 2020.07 - IG / Microservices, 2020.08 - IG / Microservices
Story Points: 1


This Jira is to expose the new option provided in COMMONS-575 via the ClientHandler.

When this option is enabled, it can help with performance in the case where a client certificate is being used, as it will change the Apache HTTP Client default behaviour, which is to not allow connection reuse when a client certificate is being used for authentication.

Since the client certificate is defined at the client level, all requests to the same target will be sharing the same client certificate, so enabling this should not be an issue. This option should not be enabled by default, to ensure that there is still control over when it is applied.

Comment by Jean-Charles Deville [ 10/Jun/20 ]

Mark de Reeper: could you also please describe the benefits / improvements brought by this issue, from a user POV?
As usual, the goal is to know what / how we can check this feature is working fine.

Comment by Mark de Reeper [ 10/Jun/20 ]

Jean-Charles Deville The way I understand it, IG would need to be configured to present a client certificate to the downstream app that is listening on HTTPS. In this configuration, along with leaving connection reuse enabled, you should see that IG isn't reusing connections when making requests to the downstream app.

Switching off state tracking via 

"stateTrackingEnabled": false 

in the ClientHandler/ReverseProxyHandler should change this behaviour and IG will be able to reuse connections in all cases.
Some references from customer case/COMMONS-575:

Comment by Jean-Charles Deville [ 10/Jun/20 ]

OK thx for explanations (again) Mark de Reeper.
Will probably be hard to test (or at least to automate) before releasing 7.0.0.

Comment by Jean-Charles Deville [ 19/Aug/20 ]

Closing issue after Release 7.0.0
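
One way to check the connection-reuse behaviour discussed in this ticket from the downstream application's side, added here as an example (it is not part of the ticket, of IG or of COMMONS-575). It assumes the downstream server logs the client source port in the constructed format shown in the comment; the function names, addresses and log lines are all made up for illustration.

```python
import re
from collections import Counter

# Constructed log format (assumption): <time> <client_ip>:<client_port> "<request>" <status>
LINE_RE = re.compile(r'^\S+ (?P<ip>\S+):(?P<port>\d+) "[^"]*" \d{3}$')

def connection_reuse(lines, gateway_ip):
    """Return (requests, connections, requests_per_connection) for gateway_ip.

    Each distinct client source port counts as one connection; this holds for
    a short capture window in which ephemeral ports are not recycled.
    """
    per_conn = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("ip") != gateway_ip:
            continue  # ignore malformed lines and other clients
        per_conn[int(m.group("port"))] += 1
    requests, connections = sum(per_conn.values()), len(per_conn)
    return requests, connections, (requests / connections if connections else 0.0)

def reuses_connections(lines, gateway_ip, min_ratio=2.0):
    """True when the gateway averages at least min_ratio requests per connection."""
    return connection_reuse(lines, gateway_ip)[2] >= min_ratio

GATEWAY = "192.0.2.10"  # constructed address standing in for IG

# Constructed sample: client certificate in use, state tracking left on.
TRACKING_ON = [
    '2020-06-10T09:00:01Z 192.0.2.10:41001 "GET /app HTTP/1.1" 200',
    '2020-06-10T09:00:02Z 192.0.2.10:41002 "GET /app HTTP/1.1" 200',
    '2020-06-10T09:00:03Z 192.0.2.10:41003 "GET /app HTTP/1.1" 200',
    '2020-06-10T09:00:03Z 192.0.2.77:50000 "GET /health HTTP/1.1" 200',
    'truncated line',
    '2020-06-10T09:00:04Z 192.0.2.10:41004 "GET /app HTTP/1.1" 200',
]

# Constructed sample: the same traffic with "stateTrackingEnabled": false.
TRACKING_OFF = [
    '2020-06-10T09:05:01Z 192.0.2.10:42001 "GET /app HTTP/1.1" 200',
    '2020-06-10T09:05:02Z 192.0.2.10:42001 "GET /app HTTP/1.1" 200',
    '2020-06-10T09:05:03Z 192.0.2.10:42001 "GET /app HTTP/1.1" 200',
    '2020-06-10T09:05:04Z 192.0.2.10:42001 "GET /app HTTP/1.1" 200',
]

if __name__ == "__main__":
    for name, sample in (("tracking on", TRACKING_ON), ("tracking off", TRACKING_OFF)):
        print(name, connection_reuse(sample, GATEWAY), reuses_connections(sample, GATEWAY))
```

Comparing a capture taken before the change with one taken after it shows whether the requests-per-connection ratio moves away from 1.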
