Forum Discussion
dehinde_21599
Feb 16, 2011 | Nimbostratus
Multiple APM's AAA server of the Type Oracle Access Manager
We have deployed LTM (10.2.1) including APM in our environment. The intention was to use APM with Oracle Access Manager as an External Authentication agent. This requires setting up an AAA serv...
dehinde_21599
Feb 17, 2011 | Nimbostratus
Here is the iRule (OAM_MUX):
when CLIENT_ACCEPTED {
    log "Client access from [IP::client_addr]"
    # Hold the first 300 bytes of client data so CLIENT_DATA can inspect them
    TCP::collect 300
}
when CLIENT_DATA {
    log "OAM request received [TCP::payload 300]"
    # Pick the pool from the web host name (wh=...) carried in the collected bytes
    if { [TCP::payload 300] contains "testService.mycompany.com" } {
        log "OAM request contains testService.mycompany.com - using oam_test_pool"
        pool OAM_TEST_POOL
    } elseif { [TCP::payload 300] contains "prodService.mycompany.com" } {
        log "OAM request contains prodService.mycompany.com - using oam_prod_pool"
        pool OAM_PROD_POOL
    }
    # Let the collected bytes continue to the selected pool
    TCP::release
}
Here is a sample TCP stream:
Ngrep port 6021
T 192.168.17.14:42506 -> 172.29.48.102:6021 [AP]
.......L..ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20wh%3dprodService.mycompany.com%20wo%3d1%20wa%3d0%20ws%3d st=ma%3d2%20mi%3d2%20sg%3d0%20sm%3d version=3 pd=
T 172.29.48.102:6021 -> 192.168.17.14:42506 [AP]
.......L..ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/%20wh%3dprodService.mycompany.com %20wo%3d1%20wa%3d10%20ws%3d20100518T16372370920 ri=SDID%3d20144909T11535290825%20WRORID%3d%20AUTHENTSCHEMEID%3d20200558T16f72370920 st=ma%3d
4%20mi%3d2%20sg%3d1750%20sm%3d rt=1
T 192.168.17.14:42506 -> 172.29.48.102:6021 [AP]
..."...M..ri=SDID%3d20100909T11235990825%20WRORID%3d%20AUTHENTSCHEMEID%3d20100518T16372370920%20AGID%3dtest au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,ou%25253dmycompany,dc%25253dusers,dc%25253dmycompany,dc%25253dcom%20Ip%3d%20SS
T%3d0%20SRT%3d0%20MIST%3d3600%20LIST%3d0%20SessionToken%3dRXOQzXzzEnhXuR0IiW57Ri7LSEJuYvp0b7taow5WuxdLlvdfyf3zTvDQLytjn4Avpi43+EHXpJvrSrM5dw5/6E2auO4oMFTgUGkpMQsRK2OvWZIrCF6SCaw+l66aJy6SU+3/xxERjIXFLp5HdpyNjcl7DMf5gac2Js7S3gk6UMNyBj
/kjYuG8vXC85b5bWP1O2YE+7EYRFqwSdyL+TwYCisqfDuCbUMtsbHZ+SOB4BO+T6jEUOS4G1q0CuVRfDEcrCeerfM+4LCwhZmM/Tb80g%253d%253d ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi-0.4c/%20wh%prodService.mycompany.com%20wo%3d1%20wa%3d10%20ws%3d20100518
T16372370920 rc=rl%3dsc%253d7%2520mi%253d35%2520hr%253d17%2520dy%253d17%2520mn%253d1%2520yr%253d111%2520wd%253d4%2520yd%253d47%20ru%3d1297964107%20rr%3d//prodService.mycompany.com/kpi/%20ro%3dGET%20rc%3dtest%20rt%3dhttp%20al%3d
0 ai= aa=ey%3d4%20ci%3dtest%20go%3dZ%20ts%3d7%20tm%3d35%20th%3d17%20td%3d17%20to%3d1%20ty%3d111%20tw%3d4%20tx%3d47%20ti%3d0
T 172.29.48.102:6021 -> 192.168.17.14:42506 [AP]
...Y...M..pa=APP_NAME%3dKPI%20HTTP_OBLIX_UID%3dUSERNAME%20APP_USER%3dUSERNAME au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,ou%25253dmycompany,dc%25253dusers,dc%25253dmycompany,dc%25253dorg%20Ip%3d%20SST%3d1297964107%20SRT%3d1297964107%20MIS
T%3d3600%20LIST%3d0%20SessionToken%3dRXOQzXzzEnhXuR0IiW57Ri7LSEJuYvp0b7taow4Wuxdnlvdfyf3zTvDQLytjn4Avpi43+EHXpJvrSrM5dw5/6E2auO4oMFTgUGkpMQsRK2OvWZIrCF6SCaw+l66aJy6SU+3/xxERjIXFLp5HdpyNjcl7DMf5gac2Js7S3gk6UMNyBj/kjYuG8vXC85b5bWP1O2Y
E+7EYRFqwSdyL+TwYCisqfDuCbUMtsbHZ+SOB4BO+T6jEUOS4G1q0CuVRfDEcrCeerfM+4LCwhZmM/Tb80g%253d%253d st=ma%3d8%20mi%3d2%20sg%3d1750%20sm%3d rt=1
And here is a sample of my BIG-IP conf:
monitor OAM_monitors {
    defaults from tcp
    interval 30
    up interval 300
    time until up 91
    dest *:6021
}
aaa oam server OAMTEST01_AAA {
    accessgate name oamname
    access server hostname "oam01.my-company.com"
    access server name AS01
    accessgate password crypt "***********"
    access server retry count 1
}
sso config test_oam01_sso {
    external access mgmt oam
    aaa oam server OAMTEST01_AAA
}
profile access mycompany-oam-access {
    access policy name mycompany-oam-access
    sso config test_oam01_sso
    domain cookie ".mycompany.com"
    secure cookie disable
    default language "en"
    logout uri timeout 5
}
pool OAM_PROD_POOL {
    monitor all OAM_monitors
    members {
        172.29.48.123:6021 {}
        172.29.48.124:6021 {}
    }
}
pool OAM_TEST_POOL {
    monitor all OAM_monitors
    members 172.29.32.102:6021 {}
}
rule oam_mux_request {
    when CLIENT_ACCEPTED {
        log "Client access from [IP::client_addr]"
        # Hold the first 300 bytes of client data for inspection in CLIENT_DATA
        TCP::collect 300
    }
    when CLIENT_DATA {
        log "OAM request received [TCP::payload 300]"
        # Route to the test pool when the collected bytes name the test web host
        if { [TCP::payload 300] contains "swstest.mycompany.com" } {
            log "OAM request contains swstest.mycompany.com - using oam_test_pool"
            pool OAM_TEST_POOL
        }
        TCP::release
    }
}
virtual mycomp_oam_vs {
    snat automap
    fallback persist source_addr
    destination xxx.xxx.xxx.101:https
    ip protocol tcp
    rules mycomp_oam_vs_https_checkaccess
    persist mycompany_cookie
    profiles {
        client_https_mycompany_org_profile {
            clientside
        }
        mycompany-oam-access {}
        eam {}
        https_mycompany_org_profile {
            serverside
        }
        tcp {}
        weblogic {}
        websso {}
    }
}
virtual oam_test_vs {
    snat automap
    pool OAM_TEST_POOL
    rules oam_mux_request
    destination 192.168.17.13:26021
    ip protocol tcp
}
I believe that the rule does not work because the TCP connection to the OAM virtual server is kept open all the time and is never closed per transaction or access.
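As an added example (not part of the original post, and not F5 or Oracle code), here is a small Python decoder for the OAM AccessGate messages seen in the ngrep capture above. It pulls the web host (wh=) out of the ro= section of a message and reproduces the first-300-bytes substring check that the OAM_MUX iRule performs, running both against constructed, abbreviated copies of the two client requests in the capture. The function names, the shortened field lists and the placeholder session token are assumptions made for the example.

```python
"""Decode OAM AccessGate request messages and apply the iRule's host check.

Added example: the message layout (whitespace-separated sections such as ro=,
st=, ri=, au=, each holding percent-encoded key=value pairs) is taken from the
capture in the post; everything else here is an assumption for illustration.
"""
from __future__ import annotations

from urllib.parse import unquote

# Constructed sample messages (not the original capture): abbreviated copies of
# the two client->server messages, with the binary length prefix stripped and a
# placeholder in place of the base64 SessionToken. The second request carries
# its ro= section (and so the wh= web host) only after a long au= section.
FIRST_REQUEST = (
    "ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/"
    "%20wh%3dprodService.mycompany.com%20wo%3d1%20wa%3d0%20ws%3d "
    "st=ma%3d2%20mi%3d2%20sg%3d0%20sm%3d version=3 pd="
)
PLACEHOLDER_TOKEN = "X" * 200  # constructed stand-in for the session token
SECOND_REQUEST = (
    "ri=SDID%3d20100909T11235990825%20WRORID%3d%20AGID%3dtest "
    "au=ACL%3d1%20AuthId%3dDn%253duid%25253dUSERNAME,dc%25253dcom"
    "%20MIST%3d3600%20SessionToken%3d" + PLACEHOLDER_TOKEN + "%253d%253d "
    "ro=t%3d0%20o%3d%20no%3d%20r%3d%20nr%3d%20wu%3d/kpi/"
    "%20wh%3dprodService.mycompany.com%20wo%3d1%20wa%3d10 rt=1"
)


def parse_oam_message(payload: str) -> dict[str, dict[str, str]]:
    """Split a message into sections (ro, st, ri, au, ...) and each section
    into key=value fields after one level of percent-decoding.

    Nested values such as AuthId keep their inner encoding untouched.
    """
    sections: dict[str, dict[str, str]] = {}
    for token in payload.split():
        name, sep, encoded = token.partition("=")
        if not sep:
            continue
        fields: dict[str, str] = {}
        for pair in unquote(encoded).split(" "):
            key, sep, value = pair.partition("=")
            if sep:
                fields[key] = value
        sections[name] = fields
    return sections


def web_host(payload: str) -> str | None:
    """Return the wh= (web host) field from the ro= section, if present."""
    return parse_oam_message(payload).get("ro", {}).get("wh")


def select_pool(payload: str, collect_len: int = 300) -> str | None:
    """Mirror the iRule: inspect only the first collect_len bytes and choose a
    pool by plain substring match, as `[TCP::payload 300] contains` does."""
    head = payload.encode("latin-1")[:collect_len].decode("latin-1")
    if "testService.mycompany.com" in head:
        return "OAM_TEST_POOL"
    if "prodService.mycompany.com" in head:
        return "OAM_PROD_POOL"
    return None


if __name__ == "__main__":
    for label, msg in (("first", FIRST_REQUEST), ("second", SECOND_REQUEST)):
        print(f"{label} request: wh={web_host(msg)} pool={select_pool(msg)}")
```

Running it shows the parser finding the web host in both messages, while the 300-byte check only resolves a pool for the first request, where the ro= section leads the message; in the second request the ro= section sits behind the au= section and its session token, so it falls outside the collected bytes.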