Forum Discussion

dehinde_21599's avatar
dehinde_21599
Icon for Nimbostratus rankNimbostratus
Feb 16, 2011

Multiple APM's AAA server of the Type Oracle Access Manager

We have deployed LTM (10.2.1) including APM in our environment. The intention was to use APM with Oracle Access Manager as an External Authentication agent. This requires setting up an AAA server of the Type Oracle Access Manager (OAM) in the APM module.

 

 

 

However only one AAA server of the type Oracle Access Manager (OAM) is allowed by LTM. In order to maintain the existing High Availability of backend Oracle OAM servers, we have configured a Virtual Server (called OAM_VS) which listens on a self-IP of LTM (and an unused port) as our Oracle AAA server. This Virtual Server has a default pool which contains our two test_ OAM servers as resources.

 

 

 

So far so good, this approach appears to work till now. To the best of my knowledge, it works as follows: when a client tries to reach a backend service which is protected by Oracle Access Manager, It sends an HTTP request to a publicly available IP/Port (which in our case is mapped to to an APM-enabled Virtual Server called Public_VS), APM intercepts the traffic and connects to our Virtual Server (OAM_VS) i.e the AAA server which verifies the credentials.

 

 

Now, the connection between APM and the AAA server appears not to be HTTP and may be encrypted (if configured). What we are trying to achieve is as follows:

 

In addition to the existing test_ OAM server pool , to configure another pool which contains our two production_ OAM servers as resources.

 

 

 

Depending on the incoming URL to Public_VS , change the default pool of our OAM_VS such that:-

 

for urls belonging to test servers APM will make the Authentication request to the test_ OAM server pool

 

for urls belonging to production servers APM will make the Authentication request to the production_ OAM server pool

 

Ensure that the traffic related to a particular URL is persisted to the correct back-end pool of the AAA server (OAM_VS)

 

We cannot generate an I-rule that works in APM to achieve the above since the process paths on both Virtual servers appear to be unrelated.

 

An approach which seems promising is to use the TCP function CLIENT_DATA and parse the first few lines to see if the request coming from APM to our OAM_VS contains a particular url and change the pool using LB:: reselect or similar command to change the default pool on the fly.

 

However until now I couldn’t get this to work, I would greatly appreciate any help in this regard.

 

 

APM
app sec
security

3 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Feb 17, 2011
    Can you post the iRule you're testing and some sample TCP data for requests you want to go to each pool?

     

     

    Do any APM experts out there have a cleaner solution?

     

     

    Aaron
  • dehinde_21599's avatar
    dehinde_21599
    Icon for Nimbostratus rankNimbostratus
    Feb 17, 2011
    Here is the irule (OAM_MUX):

     

     

    when CLIENT_ACCEPTED {

     

     

    log "Client access from [IP::client_addr]"

     

    TCP::collect 300

     

    }

     

    when CLIENT_DATA {

     

    log "OAM request received [TCP::payload 300]"

     

     

    if { [TCP::payload 300] contains "testService.mycompany.com" } {

     

    log "OAM request contains testService. mycompany.com - using oam_test_pool"

     

    pool OAM_TEST_POOL

     

    } elseif {

     

    [TCP::payload 300] contains "prodService. mycompany.com " } {

     

    log "OAM request contains prodService. mycompany.com - using oam_prod_pool"

     

    pool OAM_PROD_POOL

     

    }

     

     

    TCP::release

     

    }

     

     

     

    Here is a sample TCP stream:

     

     

    Ngrep port 6021

     

     

    T 192.168.17.14:42506 -> 172.29.48.102:6021 [AP]

     

    .......L..ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20wh%3dprodService.mycompany.com%20wo%3d1%20wa%3d0%20ws%3d st=ma%3d2%20mi%3d2%20sg%3d0%20sm%3d version=3 pd=

     

     

    T 172.29.48.102:6021 -> 192.168.17.14:42506 [AP]

     

    .......L..ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20wh%3dprodService.mycompany.com %20wo%3d1%20wa%3d10%20ws%3d20100518T16372370920 ri=SDID%3d20144909T11535290825%20WRORID%3d%20AUTHENTSCHEMEID%3d20200558T16f72370920 st=ma%3d

     

    4%20mi%3d2%20sg%3d1750%20sm%3d rt=1

     

     

    T 192.168.17.14:42506 -> 172.29.48.102:6021 [AP]

     

    ..."...M..ri=SDID%3d20100909T11235990825%20WRORID%3d%20AUTHENTSCHEMEID%3d20100518T16372370920%20AGID%3dtest au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,ou%25253dmycompany,dc%25253dusers,dc%25253dmycompany,dc%25253dcom%20Ip%3d%20SS

     

    T%3d0%20SRT%3d0%20MIST%3d3600%20LIST%3d0%20SessionToken%3dRXOQzXzzEnhXuR0IiW57Ri7LSEJuYvp0b7taow5WuxdLlvdfyf3zTvDQLytjn4Avpi43+EHXpJvrSrM5dw5/6E2auO4oMFTgUGkpMQsRK2OvWZIrCF6SCaw+l66aJy6SU+3/xxERjIXFLp5HdpyNjcl7DMf5gac2Js7S3gk6UMNyBj

     

    /kjYuG8vXC85b5bWP1O2YE+7EYRFqwSdyL+TwYCisqfDuCbUMtsbHZ+SOB4BO+T6jEUOS4G1q0CuVRfDEcrCeerfM+4LCwhZmM/Tb80g%253d%253d ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi-0.4c/%20wh%prodService.mycompany.com%20wo%3d1%20wa%3d10%20ws%3d20100518

     

    T16372370920 rc=rl%3dsc%253d7%2520mi%253d35%2520hr%253d17%2520dy%253d17%2520mn%253d1%2520yr%253d111%2520wd%253d4%2520yd%253d47%20ru%3d1297964107%20rr%3d//prodService.mycompany.com/kpi/%20ro%3dGET%20rc%3dtest%20rt%3dhttp%20al%3d

     

    0 ai= aa=ey%3d4%20ci%3dtest%20go%3dZ%20ts%3d7%20tm%3d35%20th%3d17%20td%3d17%20to%3d1%20ty%3d111%20tw%3d4%20tx%3d47%20ti%3d0

     

     

    T 172.29.48.102:6021 -> 192.168.17.14:42506 [AP]

     

    ...Y...M..pa=APP_NAME%3dKPI%20HTTP_OBLIX_UID%3dUSERNAME%20APP_USER%3dUSERNAME au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,ou%25253dmycompany,dc%25253dusers,dc%25253dmycompany,dc%25253dorg%20Ip%3d%20SST%3d1297964107%20SRT%3d1297964107%20MIS

     

    T%3d3600%20LIST%3d0%20SessionToken%3dRXOQzXzzEnhXuR0IiW57Ri7LSEJuYvp0b7taow4Wuxdnlvdfyf3zTvDQLytjn4Avpi43+EHXpJvrSrM5dw5/6E2auO4oMFTgUGkpMQsRK2OvWZIrCF6SCaw+l66aJy6SU+3/xxERjIXFLp5HdpyNjcl7DMf5gac2Js7S3gk6UMNyBj/kjYuG8vXC85b5bWP1O2Y

     

    E+7EYRFqwSdyL+TwYCisqfDuCbUMtsbHZ+SOB4BO+T6jEUOS4G1q0CuVRfDEcrCeerfM+4LCwhZmM/Tb80g%253d%253d st=ma%3d8%20mi%3d2%20sg%3d1750%20sm%3d rt=1

     

     

     

    AND here is a sample of my bigIP conf:

     

     

     

    monitor OAM_monitors {

     

    defaults from tcp

     

    interval 30

     

    up interval 300

     

    time until up 91

     

    dest *:6021

     

    }

     

    aaa oam server OAMTEST01_AAA {

     

    accessgate name oamname

     

    access server hostname "oam01.my-company.com"

     

    access server name AS01

     

    accessgate password crypt "***********"

     

    access server retry count 1

     

    }

     

    sso config test_oam01_sso {

     

    external access mgmt oam

     

    aaa oam server OAMTEST01_AAA

     

    }

     

    profile access mycompany-oam-access {

     

    access policy name mycompany-oam-access

     

    sso config test_oam01_sso

     

    domain cookie ".mycompany.com"

     

    secure cookie disable

     

    default language "en"

     

    logout uri timeout 5

     

    }

     

    pool OAM_PROD_POOL {

     

    monitor all OAM_monitors

     

    members {

     

    172.29.48.123:6021 {}

     

    172.29.48.124:6021 {}

     

    }

     

    }

     

    pool OAM_TEST_POOL {

     

    monitor all OAM_monitors

     

    members 172.29.32.102:6021 {}

     

    }

     

    rule oam_mux_request {

     

    when CLIENT_ACCEPTED {

     

    log "Client access from [IP::client_addr]"

     

    TCP::collect 300

     

    }

     

    when CLIENT_DATA {

     

    log "OAM request received [TCP::payload 300]"

     

     

    if { [TCP::payload 300] contains "swstest.mycompany.com" } {

     

    log "OAM request contains swstest.mycompany.com - using oam_test_pool"

     

    pool OAM_TEST_POOL

     

    }

     

    TCP::release

     

    }

     

    }

     

    virtual mycomp_oam_vs {

     

    snat automap

     

    fallback persist source_addr

     

    destination xxx.xxx.xxx.101:https

     

    ip protocol tcp

     

    rules mycomp_oam_vs_https_checkaccess

     

    persist mycompany_cookie

     

    profiles {

     

    client_https_mycompany_org_profile {

     

    clientside

     

    }

     

    mycompany-oam-access {}

     

    eam {}

     

    https_mycompany_org_profile {

     

    serverside

     

    }

     

    tcp {}

     

    weblogic {}

     

    websso {}

     

    }

     

    }

     

    virtual oam_test_vs {

     

    snat automap

     

    pool OAM_TEST_POOL

     

    rules oam_mux_request

     

    destination 192.168.17.13:26021

     

    ip protocol tcp

     

    }

     

     

     

    I BELIEVE THAT THE RULE DOES NOT WORK BECAUSE THE TCP CONNECTION TO THE OAM VIRTUAL SERVER IS KEPT OPEN ALL THE TIME AND IS NEVER CLOSED PER TRANSACTION OR ACCESS

     

     

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Feb 17, 2011
    Can you add logging to the oam_mux_request iRule to see which pool and member was selected? You might also want to explicitly call the other pool if it's not a test request.

    when CLIENT_ACCEPTED {
   log "Client access from [IP::client_addr]"
   TCP::collect 300
}
when CLIENT_DATA {
   log "OAM request received [TCP::payload 300]"
   if { [TCP::payload 300] contains "swstest.mycompany.com" } {
      log "OAM request contains swstest.mycompany.com - using oam_test_pool"
      pool OAM_TEST_POOL
   } else {
      log "OAM request does not contain swstest.mycompany.com - using oam_prod_pool"
      pool OAM_PROD_POOL
   }
   TCP::release
}
when LB_SELECTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: [LB::server]"
}
when SERVER_CONNECTED {
   log local0. "[IP::client_addr]:[TCP::client_port]: [IP::server_addr]:[TCP::server_port]"
}

    Aaron