Forum Discussion

dehinde_21599
Feb 16, 2011

Multiple APM's AAA server of the Type Oracle Access Manager

We have deployed LTM (10.2.1) including APM in our environment. The intention was to use APM with Oracle Access Manager as an external authentication agent. This requires setting up an AAA server of the type Oracle Access Manager (OAM) in the APM module.

However, only one AAA server of the type Oracle Access Manager (OAM) is allowed by LTM. In order to maintain the existing high availability of the backend Oracle OAM servers, we have configured a Virtual Server (called OAM_VS) which listens on a self-IP of the LTM (and an unused port) as our Oracle AAA server. This Virtual Server has a default pool which contains our two test_ OAM servers as resources.

So far so good; this approach appears to work so far. To the best of my knowledge, it works as follows: when a client tries to reach a backend service which is protected by Oracle Access Manager, it sends an HTTP request to a publicly available IP/port (which in our case is mapped to an APM-enabled Virtual Server called Public_VS). APM intercepts the traffic and connects to our Virtual Server (OAM_VS), i.e. the AAA server, which verifies the credentials.

Now, the connection between APM and the AAA server appears not to be HTTP and may be encrypted (if configured). What we are trying to achieve is as follows:

In addition to the existing test_ OAM server pool, configure another pool which contains our two production_ OAM servers as resources.

Depending on the incoming URL to Public_VS, change the default pool of our OAM_VS such that:

for URLs belonging to test servers, APM will make the authentication request to the test_ OAM server pool;

for URLs belonging to production servers, APM will make the authentication request to the production_ OAM server pool.

Ensure that the traffic related to a particular URL is persisted to the correct back-end pool of the AAA server (OAM_VS).

We cannot generate an iRule that works in APM to achieve the above, since the processing paths on both Virtual Servers appear to be unrelated.

An approach which seems promising is to use the TCP function CLIENT_DATA and parse the first few lines to see if the request coming from APM to our OAM_VS contains a particular URL, and change the pool using LB::reselect or a similar command to change the default pool on the fly.

However, until now I couldn't get this to work. I would greatly appreciate any help in this regard.


  • Can you post the iRule you're testing and some sample TCP data for requests you want to go to each pool?

    Do any APM experts out there have a cleaner solution?

    Aaron
  • Here is the iRule (OAM_MUX):

    when CLIENT_ACCEPTED {
       log "Client access from [IP::client_addr]"
       # hold the first 300 bytes of the AccessGate request so CLIENT_DATA can inspect them
       TCP::collect 300
    }
    when CLIENT_DATA {
       log "OAM request received [TCP::payload 300]"
       # pick the pool from the protected hostname carried in the collected bytes
       if { [TCP::payload 300] contains "testService.mycompany.com" } {
          log "OAM request contains testService.mycompany.com - using oam_test_pool"
          pool OAM_TEST_POOL
       } elseif { [TCP::payload 300] contains "prodService.mycompany.com" } {
          log "OAM request contains prodService.mycompany.com - using oam_prod_pool"
          pool OAM_PROD_POOL
       }
       TCP::release
    }

    Here is a sample TCP stream:

    ngrep port 6021

    T 192.168.17.14:42506 -> 172.29.48.102:6021 [AP]
    .......L..ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20wh%3dprodService.mycompany.com%20wo%3d1%20wa%3d0%20ws%3d st=ma%3d2%20mi%3d2%20sg%3d0%20sm%3d version=3 pd=

    T 172.29.48.102:6021 -> 192.168.17.14:42506 [AP]
    .......L..ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20wh%3dprodService.mycompany.com %20wo%3d1%20wa%3d10%20ws%3d20100518T16372370920 ri=SDID%3d20144909T11535290825%20WRORID%3d%20AUTHENTSCHEMEID%3d20200558T16f72370920 st=ma%3d4%20mi%3d2%20sg%3d1750%20sm%3d rt=1

    T 192.168.17.14:42506 -> 172.29.48.102:6021 [AP]
    ..."...M..ri=SDID%3d20100909T11235990825%20WRORID%3d%20AUTHENTSCHEMEID%3d20100518T16372370920%20AGID%3dtest au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,ou%25253dmycompany,dc%25253dusers,dc%25253dmycompany,dc%25253dcom%20Ip%3d%20SST%3d0%20SRT%3d0%20MIST%3d3600%20LIST%3d0%20SessionToken%3dRXOQzXzzEnhXuR0IiW57Ri7LSEJuYvp0b7taow5WuxdLlvdfyf3zTvDQLytjn4Avpi43+EHXpJvrSrM5dw5/6E2auO4oMFTgUGkpMQsRK2OvWZIrCF6SCaw+l66aJy6SU+3/xxERjIXFLp5HdpyNjcl7DMf5gac2Js7S3gk6UMNyBj/kjYuG8vXC85b5bWP1O2YE+7EYRFqwSdyL+TwYCisqfDuCbUMtsbHZ+SOB4BO+T6jEUOS4G1q0CuVRfDEcrCeerfM+4LCwhZmM/Tb80g%253d%253d ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi-0.4c/%20wh%prodService.mycompany.com%20wo%3d1%20wa%3d10%20ws%3d20100518T16372370920 rc=rl%3dsc%253d7%2520mi%253d35%2520hr%253d17%2520dy%253d17%2520mn%253d1%2520yr%253d111%2520wd%253d4%2520yd%253d47%20ru%3d1297964107%20rr%3d//prodService.mycompany.com/kpi/%20ro%3dGET%20rc%3dtest%20rt%3dhttp%20al%3d0 ai= aa=ey%3d4%20ci%3dtest%20go%3dZ%20ts%3d7%20tm%3d35%20th%3d17%20td%3d17%20to%3d1%20ty%3d111%20tw%3d4%20tx%3d47%20ti%3d0

    T 172.29.48.102:6021 -> 192.168.17.14:42506 [AP]
    ...Y...M..pa=APP_NAME%3dKPI%20HTTP_OBLIX_UID%3dUSERNAME%20APP_USER%3dUSERNAME au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,ou%25253dmycompany,dc%25253dusers,dc%25253dmycompany,dc%25253dorg%20Ip%3d%20SST%3d1297964107%20SRT%3d1297964107%20MIST%3d3600%20LIST%3d0%20SessionToken%3dRXOQzXzzEnhXuR0IiW57Ri7LSEJuYvp0b7taow4Wuxdnlvdfyf3zTvDQLytjn4Avpi43+EHXpJvrSrM5dw5/6E2auO4oMFTgUGkpMQsRK2OvWZIrCF6SCaw+l66aJy6SU+3/xxERjIXFLp5HdpyNjcl7DMf5gac2Js7S3gk6UMNyBj/kjYuG8vXC85b5bWP1O2YE+7EYRFqwSdyL+TwYCisqfDuCbUMtsbHZ+SOB4BO+T6jEUOS4G1q0CuVRfDEcrCeerfM+4LCwhZmM/Tb80g%253d%253d st=ma%3d8%20mi%3d2%20sg%3d1750%20sm%3d rt=1

    And here is a sample of my bigip.conf:

    monitor OAM_monitors {
       defaults from tcp
       interval 30
       up interval 300
       time until up 91
       dest *:6021
    }
    aaa oam server OAMTEST01_AAA {
       accessgate name oamname
       access server hostname "oam01.my-company.com"
       access server name AS01
       accessgate password crypt "***********"
       access server retry count 1
    }
    sso config test_oam01_sso {
       external access mgmt oam
       aaa oam server OAMTEST01_AAA
    }
    profile access mycompany-oam-access {
       access policy name mycompany-oam-access
       sso config test_oam01_sso
       domain cookie ".mycompany.com"
       secure cookie disable
       default language "en"
       logout uri timeout 5
    }
    pool OAM_PROD_POOL {
       monitor all OAM_monitors
       members {
          172.29.48.123:6021 {}
          172.29.48.124:6021 {}
       }
    }
    pool OAM_TEST_POOL {
       monitor all OAM_monitors
       members 172.29.32.102:6021 {}
    }
    rule oam_mux_request {
       when CLIENT_ACCEPTED {
          log "Client access from [IP::client_addr]"
          TCP::collect 300
       }
       when CLIENT_DATA {
          log "OAM request received [TCP::payload 300]"
          if { [TCP::payload 300] contains "swstest.mycompany.com" } {
             log "OAM request contains swstest.mycompany.com - using oam_test_pool"
             pool OAM_TEST_POOL
          }
          TCP::release
       }
    }
    virtual mycomp_oam_vs {
       snat automap
       fallback persist source_addr
       destination xxx.xxx.xxx.101:https
       ip protocol tcp
       rules mycomp_oam_vs_https_checkaccess
       persist mycompany_cookie
       profiles {
          client_https_mycompany_org_profile {
             clientside
          }
          mycompany-oam-access {}
          eam {}
          https_mycompany_org_profile {
             serverside
          }
          tcp {}
          weblogic {}
          websso {}
       }
    }
    virtual oam_test_vs {
       snat automap
       pool OAM_TEST_POOL
       rules oam_mux_request
       destination 192.168.17.13:26021
       ip protocol tcp
    }

    I believe that the rule does not work because the TCP connection to the OAM virtual server is kept open all the time and is never closed per transaction or access.


  • Can you add logging to the oam_mux_request iRule to see which pool and member was selected? You might also want to explicitly call the other pool if it's not a test request.

    when CLIENT_ACCEPTED {
       log "Client access from [IP::client_addr]"
       TCP::collect 300
    }
    when CLIENT_DATA {
       log "OAM request received [TCP::payload 300]"
       if { [TCP::payload 300] contains "swstest.mycompany.com" } {
          log "OAM request contains swstest.mycompany.com - using oam_test_pool"
          pool OAM_TEST_POOL
       } else {
          log "OAM request does not contain swstest.mycompany.com - using oam_prod_pool"
          pool OAM_PROD_POOL
       }
       TCP::release
    }
    when LB_SELECTED {
       log local0. "[IP::client_addr]:[TCP::client_port]: [LB::server]"
    }
    when SERVER_CONNECTED {
       log local0. "[IP::client_addr]:[TCP::client_port]: [IP::server_addr]:[TCP::server_port]"
    }

    Aaron
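As an added example, not part of the original thread and not F5 or Oracle code, the following Python parses the AccessGate records visible in the ngrep capture above, routes by the web host (wh) field of the resource record, and exercises the two failure modes the thread runs into: a host that sits beyond the 300 bytes TCP::collect gathers, and a later request for a different host arriving on the same long-lived connection. Only the field syntax (space-separated key=value fields whose values are URL-encoded k=v pairs) is taken from the capture; the header bytes (HDR), the host-to-pool mapping and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Pool names come from the bigip.conf in this thread; which hosts belong
# to which pool is an assumption made for this example.
TEST_HOSTS = {"testService.mycompany.com", "swstest.mycompany.com"}
PROD_HOSTS = {"prodService.mycompany.com"}

# A message is a run of 'key=value' fields separated by spaces. Each value
# is URL-encoded once and itself holds 'k=v' pairs separated by %20.
# Control bytes (the opaque header ngrep prints as dots) never form a field.
FIELD_RE = re.compile(r"([A-Za-z_]+)=([^ \x00-\x1f]*)")


def parse_record(text):
    """Decode one message into {field: {k: v, ...}} (or a plain string
    when the decoded value carries no k=v pairs, e.g. version=3)."""
    record = {}
    for key, raw in FIELD_RE.findall(text):
        inner = unquote(raw)  # one level only: %3d -> '=', %20 -> ' '
        pairs = dict(item.split("=", 1) for item in inner.split(" ") if "=" in item)
        record[key] = pairs if pairs else inner
    return record


def request_target(payload):
    """(web host, web URL) from the 'ro' resource record, or None if the
    message carries no resource record (session checks, replies)."""
    ro = parse_record(payload.decode("latin-1")).get("ro")
    if not isinstance(ro, dict) or not ro.get("wh"):
        return None
    return ro["wh"], ro.get("wu", "")


def choose_pool(host):
    """Map a protected host to a pool. Unknown hosts get no pool on
    purpose: an unexpected host should fail, not fall through to prod."""
    if host in TEST_HOSTS:
        return "OAM_TEST_POOL"
    if host in PROD_HOSTS:
        return "OAM_PROD_POOL"
    return None


def route_by_prefix(payload, n=300):
    """What the thread's iRule effectively does: decide from the first n
    bytes only. Returns None when no known host lies inside that prefix."""
    prefix = payload[:n].decode("latin-1")
    for host in TEST_HOSTS | PROD_HOSTS:
        if host in prefix:
            return choose_pool(host)
    return None


def route_connection(segments):
    """Per-request routing over one long-lived AccessGate connection.
    Returns [(wh, wu, pool), ...] for every message that names a resource."""
    routed = []
    for seg in segments:
        target = request_target(seg)
        if target is not None:
            wh, wu = target
            routed.append((wh, wu, choose_pool(wh)))
    return routed


# Constructed samples modelled on the capture. HDR is a placeholder for the
# undocumented header bytes, not the real header format.
HDR = b"\x00\x00\x00\x00\x00\x00\x00L\x00\x00"
REQ_PROD = HDR + (b"ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20"
                  b"wh%3dprodService.mycompany.com%20wo%3d1%20wa%3d0%20ws%3d "
                  b"st=ma%3d2%20mi%3d2%20sg%3d0%20sm%3d version=3 pd=")
# A later request on the same connection: a long session token pushes the
# resource record well past byte 300.
REQ_TEST = HDR + (b"ri=SDID%3d20100909T11235990825%20WRORID%3d%20AGID%3dtest "
                  b"au=ACL%3d1%20SessionToken%3d" + b"A" * 400 + b"%253d%253d "
                  b"ro=t%3d0%20wu%3d/kpi-0.4c/%20wh%3dtestService.mycompany.com"
                  b"%20wo%3d1 rt=1")
NO_RESOURCE = HDR + b"pa=APP_NAME%3dKPI%20HTTP_OBLIX_UID%3dUSERNAME st=ma%3d8 rt=1"

if __name__ == "__main__":
    print(route_by_prefix(REQ_PROD))  # OAM_PROD_POOL
    print(route_by_prefix(REQ_TEST))  # None: the host is beyond byte 300
    for wh, wu, pool in route_connection([REQ_PROD, NO_RESOURCE, REQ_TEST]):
        print(f"{wh}{wu} -> {pool}")
```

The second and third results are the point: the host check has to look at each request's own resource record rather than at the first 300 bytes of the connection, and because the AccessGate keeps one TCP connection to the Access Server open across many requests, a pool selected once in CLIENT_DATA is inherited by every later request on that connection, whichever host they name.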