APM + OAM (11GR1) Installation guide for HTTP Basic Authentication over HTTPS

Question

I can't find a guide that describes how to setup APM with OAM11g and use HTTP Basic authentication (over https).  I found the SSO guide and was able to follow the 11g and 10g sequence diagrams and understand how things are working.  I believe what I want to do is feasible, I was just hoping to find a tech-note/guide that confirmed my thoughts.&nbsp;
Cheers
Antony&nbsp;
ps I have a good background in programming/networking/security, but I'm a rookie/noob in terms of F5.....&nbsp;

chris_akker_129 · Accepted Answer

Hi Anthony.&nbsp;
It depends on what part(s) of the OAM tech stack you want to use.&nbsp;
For User Auth only, you can use this guide:&nbsp;
http://www.f5.com/pdf/deployment-guides/big-ip-apm-dg.pdf&nbsp;
Which will provide for HTTP Basic Auth to the user ( the APM login page with username/password ), using OID - Oracle Internet Directory, OAM's LDAP server.&nbsp;
If you want to use APM's Webgate functionality, then you use this guide:&nbsp;
http://www.f5.com/pdf/deployment-guides/oracle-oam-apm-11-dg.pdf&nbsp;
Which gives you both User Auth, and Web Access Control using the full OAM stack with AuthN/AuthZ policies.  It is VERY important that you test and verify your OAM polices prior to setting up APM webgate - use a web server with a 10g Webgate agent is highly recommended.  You MUST follow the steps in this deployment guide - exactly as outlined, in order, to have a successful deployment.&nbsp;
Good Luck, let us know how it goes !&nbsp;
-Chris.&nbsp;

antonylovric_15 · Answer

Thanks for the reply, sorry I'm late getting back to you.  (I was off on vacation for a week, then working on some other stuff the following week.)  &nbsp;
I've read the articles you've linked before.  I was looking for an example that demonstrated message flow for 'basic' authentication vs the documented 'SSO/forms' based authentication examples.&nbsp;
From this link;
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-oam-integration-11-2-0/1.html&nbsp;
I was trying to find a sequence diagram like the one in the image 'Accessing a protected resource using Access Policy Manager deployed with OAM 11g' using basic authentication instead of Forms-based authentication. &nbsp;
Thanks
Antony&nbsp;
I'll mark your answer as the correct one because I've scoured the support site and haven't found anything.  When I finish the implementation I'll ask my client if I can pass back/upload the sequence diagram I wrote.&nbsp;

lunitic_56137 · Answer

Chris, I went by the deployment guide and I cannot get the authentication to fire off.  I also get a "failed to get host identifier..." error when using the eamtest tool.  I went back over the DG and followed it to the letter.  Still no joy.  There seems to be an issue with the AccessGate contacting the OAM server and firing off the auth process.  The APM VPE config, which is not covered in the DG, is pretty generic at this point.  Start --&gt; OAM AAA --&gt; Allow.

I have checked and rechecked everything but nothing seems to be helping.  Any ideas of where to go?  These resources that you have listed seem to be the only ones available at this time.

Thanks in advance

lunitic_56137 · Answer

BTW, We are on 11.4.1 HF3 and OAM 11g with the AccessGate configured for 10G in the OAM server config.

antonylovric_15 · Answer

So I'm at the stage where we're configuring OAM with APM.  Based on some documentation;
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_sso.html
I'm trying to configure the F5 to not redirect to the OAM server for authentication (Forms) but to pass the credentials to the OAM server to make the policy decision (HTTP Basic).

Is there a newer version of the above document that applies to 11.4 ?

Forum Discussion

APM + OAM (11GR1) Installation guide for HTTP Basic Authentication over HTTPS

5 Replies

Recent Discussions

Deleting Old Certs

GCP F5 deployment - Active -Active with config Sync

BUG Query

GSLB - Monitoring LTM VIP load balancing via iRule

Hybrid Exchange traffic and Starttls

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Doing mTLS Authentication per URL

Distributed caching of authentication requests with NGINX Ingress Controller

Application Programming Interface (API) Authentication types simplified

iControl REST Authentication Token Management