Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jul 29, 2015

APM OAM, access server hostname FQDN trimmed to simple name before use...?

Environment: Big-IP 4200v running LTM 11.5.2 with APM   We have an OAM integrated as a AAA server in APM, and for some reason, even though we use a fully-qualified name for the access server host...
BIG-IP Access Policy Manager (APM)
oam
oracle
security
daboochmeister's avatar
daboochmeister
Icon for Cirrus rankCirrus
Jul 30, 2015

Actually - I think we figured it out. The APM OAM module just uses the access server hostname that you configure in to establish an initial connection with the OAM servers - during that initial connection, it retrieves a more complete configuration from OAM (which it saves in file ObClientAccess.xml, buried in the OAM file system tree under /config/aaa). I noticed in that file that the plain names are being returned from the OAM server.

 

We still haven't found where in the OAM configuration it's occurring, but it's definitely something on the OAM side.

 

Can a moderator pls mark this response as the answer to this question? I don't seem to be able to mark my own responses as answers.

 

  • Nut_Pornsopon_1's avatar
    Nut_Pornsopon_1
    Icon for Nimbostratus rankNimbostratus
    Jul 30, 2015
    Hi, I'm not sure to understand you correctly. So, i'm try to debugging tcpdump from APM with OAM log byself. APM store OAM WebGate configuration within the path that you mention. If primary and secondary OAM server name in configure file contain only hostname instead FQDN. When you initialize APM, F5 will use hostname to communicate with OAM firstly if OAM not reachable with hostname. F5 will use FQDN to commnicate. Note : I'm very recommend you to use DNS instead configure host file. If you use host file you will found another issue in the future. Hope this help.
  • daboochmeister's avatar
    daboochmeister
    Icon for Cirrus rankCirrus
    Jul 31, 2015
    Thanks, Nut Pornsopon - the hosts file is temporary, till we get DNS updated (a different group within our organization manages DNS, and we're going through the process of coordinating an alias). I think you're understanding the overall issue correctly - we use FQDN in our APM AAA server configuration (for the "access server hostname", specifically), but after the initial use of that FQDN to reach the primary OAM server, the configuration received back from OAM has plain names in it, and those plain names are used from that point on. So we're coordinating with the OAM group to get their configuration corrected to use FQDN.