Starting in Gateway v25.3, you can run Gateway in read-only mode. When enabled, Gateway connects to Secondary or Tertiary Address Manager servers and uses only read-only sessions when authenticating with Address Manager, ensuring that no write operations or configuration changes are made.
Read-only mode lets you offload reporting, analytics, and inventory workflows that use only read-only BAM APIs to a Gateway instance that authenticates against a Secondary or Tertiary Address Manager. This reduces the load on Primary Address Manager servers and minimizes performance impact in active environments.
Limitations
- In read-only mode, Gateway only allows authentication against a Secondary or Tertiary Address Manager.
- In read-only mode, Gateway always authenticates against Address Manager in read-only mode, regardless of whether you log in using the REST login API /rest_login or the login UI page. Any Gateway workflows that use non-read-only Address Manager APIs will not function correctly in this mode.
- In read-only mode, Gateway authenticates against Address Manager using the Address Manager v2 RESTful API and is therefore only supported on Address Manager running software version 9.5.x or greater. When configuring Gateway in read-only mode, you must also set the Address Manager REST API client version to REST v2. For more information, refer to Setting the Address Manager REST API client version.
- Since Gateway in read-only mode only connects to Secondary or Tertiary Address Manager servers, the Failover Monitoring (FM) workflow is not supported. When read-only mode is enabled, the Failover Monitoring workflow is not loaded in Gateway and the Failover Monitoring page will not appear in the Gateway UI.
Running Gateway in read-only mode
You can configure Gateway in read-only mode using one of the following methods:
- Using the BAM_READ_ONLY environment variable
  When you run the docker container, specify the value of BAM_READ_ONLY as a parameter with the -e option. For example:
  docker run -e BAM_IP=<bam_URL> -e BAM_READ_ONLY=True <other options> quay.io/bluecat/gateway:25.3.0
- In the config.json file in the built-in or custom workspace.
  Before starting Gateway, edit the config.json file to change the value of bam_read_only to true.
Gateway in read-only mode with SSO authentication
You can configure Gateway in read-only mode with SSO login support, as Gateway can obtain a read-only OAuth token from the authorization server; however, you can only establish a read-only session using an OAuth token when the OAuth validation method in Address Manager is set to Authorization Server. You cannot establish read-only sessions when the OAuth validation method in Address Manager is set to Local.
Configuring SSO login with Gateway in read-only mode
- On Address Manager, set the Validation method in the SSO OAuth settings to Authorization. For more information on configuring SSO OAuth settings in Address Manager, refer to the Configuring the Authorization Server section of the Address Manager Administration Guide.
- On Gateway, set the following SSO OAuth settings:
  - Configure the Authentication method setting to Authorization Server.
  - Configure the Scope setting by adding secondary_local as a scope.
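
The limitations, configuration methods, and SSO requirements above can be checked together before a read-only Gateway instance is deployed. The following is an added example, not BlueCat code: the function names, the argument names, the `sso` dictionary keys, and the accepted spellings of the values are assumptions; only `BAM_READ_ONLY`, `bam_read_only`, and `secondary_local` come from this page.

```python
import json

MIN_BAM_VERSION = (9, 5)  # page: Address Manager 9.5.x or greater


def read_only_requested(env, config_text):
    """True if either method on this page turns read-only mode on."""
    # Assumption: only "true" (any case) counts for the environment variable,
    # and only a JSON boolean true counts in config.json.
    from_env = env.get("BAM_READ_ONLY", "").strip().lower() == "true"
    from_file = json.loads(config_text).get("bam_read_only") is True
    return from_env or from_file


def preflight(env, config_text, bam_version, bam_role, rest_client, sso=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not read_only_requested(env, config_text):
        problems.append("read-only mode is not enabled")
    if bam_role.lower() not in ("secondary", "tertiary"):
        problems.append("target must be a Secondary or Tertiary Address Manager")
    if tuple(int(p) for p in bam_version.split(".")[:2]) < MIN_BAM_VERSION:
        problems.append("Address Manager must run 9.5.x or greater")
    if rest_client.lower() not in ("v2", "rest v2"):
        problems.append("Address Manager REST API client version must be REST v2")
    if sso is not None:  # only checked when SSO login is in use
        if sso.get("validation_method") == "Local":
            problems.append("OAuth validation method Local cannot give read-only sessions")
        if "secondary_local" not in sso.get("scopes", []):
            problems.append("Gateway SSO Scope setting must include secondary_local")
    return problems


if __name__ == "__main__":
    # Constructed sample deployment: env var unset, config.json enables the mode.
    sample_config = '{"bam_read_only": true}'
    sample_sso = {"validation_method": "Authorization Server",
                  "scopes": ["openid", "secondary_local"]}
    issues = preflight({}, sample_config, "9.5.0", "Secondary", "REST v2", sample_sso)
    print("OK" if not issues else "\n".join(issues))
```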