Forum Discussion
Vivek_9701
Nimbostratus
Sep 14, 2010
BIGIP iRule implementation
Hi,
I am new to iRules. We have a requirement to write an iRule which can solve the issue. Below you can see the scenario.
1. Provide form-based authentication of the user against Active Directory.
Steps required:
- Set up an AD/LDAP connection in BIG-IP
- Create a base64-encoded version of the provided login form
- Create an iRule which triggers the login form, catches the HTTP POST response and performs auth against LDAP. If successfully authenticated, issue an authentication cookie with the HttpOnly flag back to the user.
See http://devcentral.f5.com/wiki/default.aspx/iRules/ClientAuthUsingHTMLForms.html and http://www.owasp.org/index.php/HttpOnly
2. Provide a high-level authorization check by verifying membership of an Active Directory group.
Steps required: The LDAP connection in BIG-IP should be configured with a group DN which points to a group of which all SAP vendor users are members.
3. Pass a secure token with the user name of the logged-on user as an HTTP header to the web front-end.
Steps required: After the user is authenticated, always add extra HTTP headers with the name of the logged-on user. Suggestion: use Z-Authenticated-User and Z-Authenticated-User-Encrypted. The encrypted header Z-Authenticated-User-Encrypted should be an AES-encrypted value of Z-Authenticated-User (http://devcentral.f5.com/wiki/default.aspx/iRules/AES__encrypt.html). The key of the AES encryption should only be shared with the SAP web front-end. (The web front-end will validate that Z-Authenticated-User = AES_DECRYPT(Z-Authenticated-User-Encrypted).)
4. Clean outgoing HTTP header information such as "Server" name and version.
Steps required: For outgoing responses, remove the HTTP header Server. http://devcentral.f5.com/wiki/default.aspx/iRules/HTTP__header.html
5. Store the outgoing cookie SAPLogonTicket in the BIG-IP session and remove it from the HTTP response.
Steps required: For outgoing responses, get the cookie SAPLogonTicket (either from the Set-Cookie or Cookie HTTP header). Remove it from the HTTP response and store it in the session. http://devcentral.f5.com/wiki/default.aspx/iRules/session.html
6. If the user is authenticated, add the SAPLogonTicket cookie from the BIG-IP session to the request before passing it to the web front-end.
Steps required: For incoming requests, retrieve the SAPLogonTicket cookie from the session and add it to the request.
Can anyone help me to set up the iRule?
Regards
Sam
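An added example (not code from this thread or from F5) sketching items 3 to 6 of the request as a single iRule. It assumes the form-login logic from items 1 and 2 (see the linked ClientAuthUsingHTMLForms wiki page) has already stored the authenticated user name in the session table subtable `auth_user`, keyed by the value of a session cookie named `BIGIPAuthSession`; both of those names are assumptions, as is generating the AES key on the box rather than loading the key actually shared with the SAP front-end.

```tcl
when RULE_INIT {
    # Assumption: key generated here for illustration only. In practice set this
    # to the key string shared out-of-band with the SAP web front-end (item 3).
    set static::sap_aes_key [AES::key 128]
    # How long a captured SAPLogonTicket is kept in the session table (seconds).
    set static::ticket_ttl 3600
}

when HTTP_REQUEST {
    # Session id issued by the (assumed) form-login iRule.
    set sid [HTTP::cookie value "BIGIPAuthSession"]

    # Never trust identity headers supplied by the client: strip them on every
    # request so only BIG-IP can assert the logged-on user to the front-end.
    HTTP::header remove "Z-Authenticated-User"
    HTTP::header remove "Z-Authenticated-User-Encrypted"

    if { $sid eq "" } { return }
    set user [table lookup -subtable "auth_user" $sid]
    if { $user eq "" } { return }

    # Item 3: plain and AES-encrypted (base64-wrapped) user name headers.
    HTTP::header insert "Z-Authenticated-User" $user
    HTTP::header insert "Z-Authenticated-User-Encrypted" \
        [b64encode [AES::encrypt $static::sap_aes_key $user]]

    # Item 6: re-attach the SAPLogonTicket stored for this session, if any.
    set ticket [table lookup -subtable "sap_ticket" $sid]
    if { $ticket ne "" } {
        HTTP::cookie insert name "SAPLogonTicket" value $ticket
    }
}

when HTTP_RESPONSE {
    # Item 4: drop the Server banner from every response.
    HTTP::header remove "Server"

    # Item 5: capture the SAPLogonTicket Set-Cookie into the session table and
    # strip it so the ticket never reaches the browser.
    if { [info exists sid] && $sid ne "" && [HTTP::cookie exists "SAPLogonTicket"] } {
        table set -subtable "sap_ticket" $sid \
            [HTTP::cookie value "SAPLogonTicket"] $static::ticket_ttl
        HTTP::cookie remove "SAPLogonTicket"
    }
}
```

The SAP front-end decrypts Z-Authenticated-User-Encrypted with the shared key and compares it to Z-Authenticated-User; because the plain header is stripped from every inbound request, a client cannot forge either value without the key.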
6 Replies
- L4L7_53191
Nimbostratus
Sam: it really sounds like you should look at using the APM (Access Policy Manager) module for this particular use case.
-Matt
- Vivek_9701
Nimbostratus
Where can I find the APM module in F5?
- Vivek_9701
Nimbostratus
http://devcentral.f5.com/weblogs/watkins/archive/2010/07/19/securing-the-corporate-intranet-with-access-policy-manager.aspx
- Vivek_9701
Nimbostratus
APM doesn't help in the above scenario. Can you please help me to implement it through an iRule?
- Vivek_9701
Nimbostratus
Can anyone help me with how to proceed with the above request?
- Cspillane_18296
Nimbostratus
hmmm... looks like a lot of work and sounds like you're gonna need several iRules. Probably a bit beyond my capabilities. I think you can use an authentication profile for the LDAP side of things, but this isn't something I'm familiar with...