Forum Discussion

bednarcm's avatar
bednarcm
Icon for Nimbostratus rankNimbostratus
Apr 22, 2022

AS3 and SSL Orchestrator profiles

Hi,

Is there possible to enable SSLO (existing application topology) inside AS3 declaration? BIG-IP 15.1

I've got Access Profile and Policy Per-Request prepared via SSLO configurator. When I try to enable it via declaration... :

 

"profileAccess": {
   "bigip": "/Common/ssloDefault_accessProfile"
},
"policyPerRequestAccess": {
   "bigip": "/Common/ssloP_mysslo.app/ssloP_mysslo_per_req_policy"
}

 

... I get an error message:

 

"code": 422,
"message": "declaration failed",
"response": "01b40017:3: Configuration error: Virtual Server (/Sample_01/Application_1/serviceMain) with Access Profile of type sslo is not compatible with profile of type (rba).",

 

But there is no RBA profile in this declaration. Whole F5 example based declaration:

 

{
     "class": "AS3",
     "action": "deploy",
     "persist": true,
     "declaration": {
         "class": "ADC",
         "schemaVersion": "3.35.0",
         "id": "example-declaration-01",
         "label": "Sample 1",
         "remark": "Simple HTTP application with round robin pool",
         "Sample_01": {
             "class": "Tenant",
             "defaultRouteDomain": 0,
             "Application_1": {
                 "class": "Application",
                 "template": "http",
             "serviceMain": {
                 "class": "Service_HTTP",
                 "virtualAddresses": [
                     "10.10.10.10"
                 ],
                 "pool": "web_pool",
                 "profileAccess": {
                     "bigip": "/Common/ssloDefault_accessProfile"
                 },
                 "policyPerRequestAccess": {
                     "bigip": "/Common/ssloP_mysslo.app/ssloP_mysslo_per_req_policy"
                 }
                 },
                 "web_pool": {
                     "class": "Pool",
                     "monitors": [
                         "http"
                     ],
                     "members": [
                         {
                             "servicePort": 80,
                             "serverAddresses": [
                                 "192.0.1.10",
                                 "192.0.1.11"
                             ]
                         }
                     ]
                 }
             }
         }
     }
 }

 

I can apply SSLO to this Virtual Server manually after service creation, but it doesn't work via AS3.

What can be wrong?

application delivery
security
  • Ruby69's avatar
    Ruby69
    Icon for Nimbostratus rankNimbostratus
    Apr 26, 2022

    A layered architecture takes advantage of a powerful feature of the BIG-IP called "VIP targeting". The idea is that one virtual server calls another. You're simply moving bits around in memory here, so there's almost zero latency between the two VIPs. The "external" virtual server is client-facing. The SSL Orchestrator topology virtual servers are thus "internal" (not listening on any usable VLAN). Traffic enters the external VIP and traffic rules pass control to any of a number of internal "topologies as functions" VIPs. As stated, there's near infinite possibilities here, but I've included some iRules to get you started.                                                          Landstar Online