Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

APM HTTP sessionless support for web services

I have a question how to support web services authentication over APM. I have managed to get basic authentication using iRule to do ACCESS::session insertion of username and password. However, I found out that after ACCESS_POLICY_COMPLETED, APM does another HTTP redirect (302) to /my.policy in order to set MRHSession cookie. Our XML-RPC client does not support advanced redirects. Is there a way to avoid that?
0
Rate this Question
Comments on this Question
Comment made 28-Feb-2016 by John Beckmann
You could try to disable session id rotation:- # tmsh modify sys db apm.rotatesessionid value disable I believe the session id is rotated for security reasons, but this is not always compatible with clients
0

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Absolutely crazy that this wasn't answered sooner. As Kunjan alludes, clientless mode would indeed be a solution for web services authentication proxy with APM. The idea behind clientless mode, which I do believe was available in v10, is to disable the APM session redirects. In a normal APM session, the first request is met with a redirect to /my.policy and a Set-Cookie with the initial MRHSession token. Subsequent requests bounce back and forth between the client and APM while the visual policy is being evaluated. At the end of that evaluation, the session is marked "allow" and a final redirect sends the client back to the originally-requested URI. Clientless mode not only disables these book-ended redirects, but also injects the session token in the first response from the server/application. This does have a few implications though. First and foremost, you cannot use any agents that interrupt the flow of traffic, like a message box or logon form. This shouldn't be an issue with web services, but something to keep in mind nonetheless. Second, APM is still going to send back a session cookie so that subsequent requests don't require VPE evaluation. If the web services agent does not support cookies, then each request will amount to a separate APM session. This can have implications in your APM concurrency limits. In a situation like this, you may want to consider lowering APM session idle time so that they don't stick around unnecessarily for the default 900 seconds. And finally, browser-based authentication is typically an interactive mechanism (logon page, credential entry, certificate selection, etc.), and APM is specifically designed to handle these types of authentication. In the absence of interaction though, like with a web services connection, you may necessarily need to alter the way APM collects identity and credential information, and that'll depend on how you're authenticating the web services agent.

1
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Did anyone ever answer this question? I would like to know if APM can secure web services.
0
Comments on this Answer
Comment made 16-Apr-2014 by bothunbr 1
Still looking for an answer here
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Seems like client less mode can meet your requirement.

when HTTP_REQUEST {
    HTTP::header insert "clientless-mode" 1
}
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

We have been asked the same question at my company and we told them we would not create some hacked up, Frankenstein APM for them because no one would be able to support it. I really like having vacations so even though I could write an iRule to do that, I would be the only who could support it. Chances are that you would be in the same predicament.

If you need to protect web services I would suggest limiting firewall access to the client IPs, client cert authentication via the LTM or telling the developer to write a secure app. You would enjoy your time off much more if you did.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Well, it has been three years since the original question. At that time (I think that the actual version was 10.1), APM simply had to work with cookies. We ended up patching the client and the server side to support cookies and redirection. Then we hit the problem of performance (each login process took over 1000ms). So we simply dropped supporting web services over APM. I hope that was improved in the later versions.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I posted to this thread a year ago for a different reason, running webservice behind APM, now I'm back a year later because of a similar issue.

I need to test some applications that are gated behind APM with SoapUI. The problem is it's impossible to script with all the redirects. I'm going to digest Kevin's post above and take another stab at over the weekend.

0
Comments on this Answer
Comment made 12-May-2014 by boneyard 5579
did it work out for you?
0