APM + OAM (11GR1) Installation guide for HTTP Basic Authentication over HTTPS
I can't find a guide that describes how to set up APM with OAM11g and use HTTP Basic authentication (over https). I found the SSO guide and was able to follow the 11g and 10g sequence diagrams and understand how things are working. I believe what I want to do is feasible; I was just hoping to find a tech-note/guide that confirmed my thoughts.
Cheers Antony
ps I have a good background in programming/networking/security, but I'm a rookie/noob in terms of F5.....
- Chris_Akker_129 (Historic F5 Account)
Hi Anthony.
It depends on what part(s) of the OAM tech stack you want to use.
For User Auth only, you can use this guide:
http://www.f5.com/pdf/deployment-guides/big-ip-apm-dg.pdf
Which will provide for HTTP Basic Auth to the user (the APM login page with username/password), using OID - Oracle Internet Directory, OAM's LDAP server.
If you want to use APM's Webgate functionality, then you use this guide:
http://www.f5.com/pdf/deployment-guides/oracle-oam-apm-11-dg.pdf
Which gives you both User Auth, and Web Access Control using the full OAM stack with AuthN/AuthZ policies. It is VERY important that you test and verify your OAM policies prior to setting up APM webgate - using a web server with a 10g Webgate agent is highly recommended. You MUST follow the steps in this deployment guide - exactly as outlined, in order, to have a successful deployment.
Good luck, let us know how it goes!
-Chris.
- lunitic_56137 (Nimbostratus)
Chris, I went by the deployment guide and I cannot get the authentication to fire off. I also get a "failed to get host identifier..." error when using the eamtest tool. I went back over the DG and followed it to the letter. Still no joy. There seems to be an issue with the AccessGate contacting the OAM server and firing off the auth process. The APM VPE config, which is not covered in the DG, is pretty generic at this point. Start --> OAM AAA --> Allow. I have checked and rechecked everything but nothing seems to be helping. Any ideas of where to go? These resources that you have listed seem to be the only ones available at this time. Thanks in advance
- lunitic_56137 (Nimbostratus)
BTW, we are on 11.4.1 HF3 and OAM 11g with the AccessGate configured for 10G in the OAM server config.
- AntonyLovric_15 (Nimbostratus)
Thanks for the reply, sorry I'm late getting back to you. (I was off on vacation for a week, then working on some other stuff the following week.)
I've read the articles you've linked before. I was looking for an example that demonstrated message flow for 'basic' authentication vs the documented 'SSO/forms' based authentication examples.
From this link; http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-oam-integration-11-2-0/1.html
I was trying to find a sequence diagram like the one in the image 'Accessing a protected resource using Access Policy Manager deployed with OAM 11g' using basic authentication instead of Forms-based authentication.
Thanks Antony
I'll mark your answer as the correct one because I've scoured the support site and haven't found anything. When I finish the implementation I'll ask my client if I can pass back/upload the sequence diagram I wrote.
- AntonyLovric_15 (Nimbostratus)
So I'm at the stage where we're configuring OAM with APM. Based on some documentation;
I'm trying to configure the F5 to not redirect to the OAM server for authentication (Forms) but to pass the credentials to the OAM server to make the policy decision (HTTP Basic). Is there a newer version of the above document that applies to 11.4?