Forum Discussion

Christoph_Fris1
Jan 12, 2017

APM integration with Oracle Access Manager

Hello together,

It would be interesting to know how many of you have implemented the APM module together with Oracle Access Manager.

Which firmware version are you using on the F5? Which patch level do you have on the OAM side? How many webgates have you implemented on the F5 side? Did you face any problems during the integration?

I'm asking this because I couldn't find many guys who are using this combination - and yeah, I know that there is a Deployment Guide from F5 (which is really good), but I want real customer experience with this.

To our setup: currently we're using firmware 12.1.0 HF1 together with OAM 11gR2 PS3. At the moment we have about 20 webgates active (10g webgates, because 11g isn't supported yet by F5 :/). And we faced a lot of issues during our migration from OAM 11gR1 to R2 together with the F5 integration.

But for now it's working, not 100% perfect but it's working :).

Cheers, Christoph

3 Replies

  • Which Mode do you use? Open/Simple/Cert?

    Because we're using the Simple Mode and faced some issues regarding the certs from OAM side and F5 Side, both systems need the same ones in order to get communication working.

    Here are the steps which we received from F5 Support when we faced this issue: In simple mode the certificates need to be identical on both sides. Since the certs were most likely manipulated with the keytool utility that comes with the JDK installation, I suspect the cert was already installed on the BIG-IP at /config/aaa/oam////oblix/config/simple/ before applying the workaround.

    1. So please delete /config/aaa/oam// directory on bigip and perform "bigstart restart eam".
    
    2. Please compare the aaa_key.pem, aaa_cert.pem, aaa_chain.pem, password.xml and ObAccessClient.xml files on the BIG-IP and the OAM server using the "openssl x509" command. If they are not the same, manually copy the following files to the corresponding location:
    cp aaa_key.pem              /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/simple/
    cp aaa_cert.pem             /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/simple/
    cp aaa_chain.pem          /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/simple/
    cp password.xml              /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/config/
    cp ObAccessClient.xml  /config/aaa/oam/Common/<$OAM_Server_Name>/$/oblix/lib/
    
    3. There is another compatibility issue reported if the OAM server used is OAM 11G.
    The default simple root certificates in 10G and 11G are different. So when configuring a 10G agent (webgate) with an OAM 11G server, the webgate and access server root certificates will not match and will cause the communication to fail. For simple mode of communication OAM 11G is shipped with a root certificate and private key in DER format (cacert.der, cakey.der), while in the 10G release they were in PEM format (cacert.pem, cakey.pem). This issue will not appear if using an 11G webgate, as it has the same simple mode root certificate as the 11G access server.
    
    Solution: change the root certificate and private key in DER format from the OAM server to PEM format.
    
    Steps:
    
    1. Convert cacert.der, located on the OAM server at OAM-Domain-Home/config/fmwconfig, to PEM format using the command:
    openssl x509 -inform DER -in cacert.der -outform PEM -out cacert.pem
    2. Copy the generated cacert.pem to the webgate instance directory, for example "C:\Program Files\NetPoint\WebComponent\access\oblix\tools\openssl\simpleCA\cacert.pem" on the WebGate machine.
    3. Restart the web server.
    

    But after changing that there was also a different bug (CBC Protection Bug - Oracle Docs 13387353) - so you have to set some extra Java properties:

    EXTRA_JAVA_PROPERTIES="-Djsse.enableCBCProtection=false ${EXTRA_JAVA_PROPERTIES}"
    export EXTRA_JAVA_PROPERTIES
    

    Hope this will help you, but I'm also not sure if it is the same bug; maybe you should also contact your F5 Support.

    Cheers, Christoph
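    An added example, not from this thread and not F5's or Oracle's code, that turns step 2 (compare the simple-mode files on the BIG-IP and the OAM side) and the later DER-to-PEM conversion into a stdlib-only Python check. It assumes the files sit at the same relative paths under an `oblix/` root on both sides, as the cp targets above suggest; the `demo()` function builds two constructed trees with placeholder DER bytes that are not real certificates or keys. The fingerprint it computes for a PEM certificate is the SHA-256 over the DER body, the same value `openssl x509 -noout -fingerprint -sha256` prints, so a CRLF vs LF difference does not get mistaken for a different certificate.

```python
"""Check that OAM simple-mode artefacts match on both sides, and convert DER to PEM.

Added example (not F5's or Oracle's code, not from the forum thread). Stdlib only.
Relative paths, sample contents and DER bytes below are constructed placeholders.
"""
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Files the support steps say must be identical on both sides; relative paths
# under an oblix/ root are an assumption based on the cp targets in the thread.
SIMPLE_MODE_FILES = (
    "oblix/config/simple/aaa_key.pem",
    "oblix/config/simple/aaa_cert.pem",
    "oblix/config/simple/aaa_chain.pem",
    "oblix/config/password.xml",
    "oblix/lib/ObAccessClient.xml",
)

_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_to_der(pem: bytes) -> list:
    """Return the DER body of every PEM block in `pem` (a chain file may hold several)."""
    return [base64.b64decode(b"".join(m.group(2).split())) for m in _PEM_BLOCK.finditer(pem)]


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Same output shape as `openssl x509 -inform DER -outform PEM`: base64 in 64-char lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] + b"\n" for i in range(0, len(b64), 64)]
    return b"".join([f"-----BEGIN {label}-----\n".encode()] + lines + [f"-----END {label}-----\n".encode()])


def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint in openssl's AA:BB:... form.

    For PEM input the decoded DER is hashed, so line endings or a trailing newline
    do not make two identical certificates look different. Non-PEM input (the XML
    config files) is hashed as raw bytes.
    """
    blocks = pem_to_der(data)
    digest = hashlib.sha256(b"".join(blocks) if blocks else data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_sides(bigip_root, oam_root, names=SIMPLE_MODE_FILES) -> dict:
    """Map each relative path to 'match', 'mismatch', 'missing on BIG-IP' or 'missing on OAM'."""
    result = {}
    for rel in names:
        a, b = Path(bigip_root) / rel, Path(oam_root) / rel
        if not a.exists():
            result[rel] = "missing on BIG-IP"
        elif not b.exists():
            result[rel] = "missing on OAM"
        else:
            result[rel] = "match" if fingerprint(a.read_bytes()) == fingerprint(b.read_bytes()) else "mismatch"
    return result


def demo() -> dict:
    """Build two constructed trees that differ only in aaa_cert.pem and compare them."""
    root = Path(tempfile.mkdtemp())
    bigip, oam = root / "bigip", root / "oam"
    # Constructed placeholder DER bodies; not real certificates or keys.
    cert_a = der_to_pem(b"\x30\x03\x02\x01\x01")
    cert_b = der_to_pem(b"\x30\x03\x02\x01\x02")
    key = der_to_pem(b"\x30\x00", "PRIVATE KEY")
    files = {
        "oblix/config/simple/aaa_key.pem": (key, key),
        "oblix/config/simple/aaa_cert.pem": (cert_a, cert_b),           # real difference
        "oblix/config/simple/aaa_chain.pem": (cert_a * 2, cert_a.replace(b"\n", b"\r\n") * 2),  # CRLF only
        "oblix/config/password.xml": (b"<pw/>", b"<pw/>"),
        # ObAccessClient.xml deliberately absent on both sides -> reported as missing
    }
    for rel, (left, right) in files.items():
        for base, content in ((bigip, left), (oam, right)):
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(content)
    return compare_sides(bigip, oam)


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:18} {rel}")
```

    To use it on real systems, copy the webgate instance tree from the OAM server next to the BIG-IP copy (or mount both) and call `compare_sides(bigip_root, oam_root)`; any "mismatch" line is a file to copy per step 2, and the DER root certificate from step 3 can be written out with `der_to_pem(Path("cacert.der").read_bytes())`.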

  • Waqas

    Can you please confirm if I can make BIG-IP ver 14.1 work with OAM 12.2?