Forum Discussion

Illia
Sep 27, 2021

OAuth token synchronization in APM HA pair

Hello.

I have an HA pair of APMs acting as an OAuth authorization server. By default, devices in HA should synchronize OAuth tokens from Active to Standby, but I don't see the issued tokens on the Standby device.

The statemirror.mirrorsession system database variable is set to "enabled".
:Active:In Sync] ~ # tmsh  show apm oauth token-details db-instance <db_name>

total-tokens:    7258
:Standby:In Sync] ~ # tmsh  show apm oauth token-details db-instance <db_name>

total-tokens:    0
There are no synchronization errors ("Failed to initiate DB synchronization (ERR_DB)") in the logs.
How can I check that token synchronization is successful and that the issued OAuth tokens exist on both devices in the cluster?
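One way to script the check asked for above, as an added example that is not from the thread or from F5: it parses the output of the two tmsh commands quoted in the thread (`show apm oauth token-details db-instance <db_name>` and `list /sys db statemirror.mirrorsessions`) and flags a pair whose Standby token store does not match the Active one, which is exactly what a failover would expose (tokens issued by the Active suddenly unknown). The hostnames, the db instance name, the `value "..."` output shape and the sample outputs are assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5.
# Assumptions: 'tmsh show apm oauth token-details db-instance <db_name>' prints
# a 'total-tokens:' line (as quoted in the thread) and 'tmsh list /sys db
# statemirror.mirrorsessions' prints a 'value "..."' line (assumed tmsh list
# format). Hostnames, db instance name and sample outputs are placeholders.

# Integer after 'total-tokens:' in tmsh output read from stdin; -1 if absent.
parse_total_tokens() {
    awk '/^total-tokens:/ { print $2; found = 1 } END { if (!found) print "-1" }'
}

# Quoted value from 'tmsh list /sys db ...' output read from stdin (e.g. enable).
parse_db_value() {
    sed -n 's/^[[:space:]]*value[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeeds when the Standby count is within TOLERANCE of the Active count.
# Exact equality is too strict on a live authorization server, because tokens
# are issued and expire continuously, so a small drift is accepted.
counts_in_sync() {
    active=$1; standby=$2; tolerance=${3:-0}
    [ "$active" -ge 0 ] && [ "$standby" -ge 0 ] || return 1
    delta=$((active - standby))
    if [ "$delta" -lt 0 ]; then delta=$((-delta)); fi
    [ "$delta" -le "$tolerance" ]
}

# Live check over SSH against both units (placeholder hostnames and db name).
# Prints a verdict; exit status 1 means the Standby store does not match.
check_live_pair() {
    active_host=${1:-bigip-active.example.net}
    standby_host=${2:-bigip-standby.example.net}
    db_name=${3:-oauth_db_placeholder}
    a=$(ssh "$active_host"  "tmsh show apm oauth token-details db-instance $db_name" | parse_total_tokens)
    s=$(ssh "$standby_host" "tmsh show apm oauth token-details db-instance $db_name" | parse_total_tokens)
    m=$(ssh "$active_host"  "tmsh list /sys db statemirror.mirrorsessions" | parse_db_value)
    printf 'statemirror.mirrorsessions=%s active=%s standby=%s\n' "$m" "$a" "$s"
    counts_in_sync "$a" "$s" 50
}

# Constructed sample outputs mirroring the thread: 7258 tokens on Active, 0 on Standby.
SAMPLE_ACTIVE='total-tokens:    7258'
SAMPLE_STANDBY='total-tokens:    0'
SAMPLE_MIRROR='sys db statemirror.mirrorsessions {
    value "enable"
}'

# Offline run over the constructed samples; always exits 0 and prints the verdict.
demo() {
    a=$(printf '%s\n' "$SAMPLE_ACTIVE" | parse_total_tokens)
    s=$(printf '%s\n' "$SAMPLE_STANDBY" | parse_total_tokens)
    m=$(printf '%s\n' "$SAMPLE_MIRROR" | parse_db_value)
    printf 'statemirror.mirrorsessions=%s active=%s standby=%s\n' "$m" "$a" "$s"
    if counts_in_sync "$a" "$s" 50; then
        echo "OK: Standby token store matches Active"
    else
        echo "WARNING: Standby token store does not match Active; issued tokens would be unknown after failover"
    fi
}

demo
```

Run `check_live_pair <active-host> <standby-host> <db_name>` from a management host with SSH access to both units; a mirroring variable that reads `enable` together with a Standby count near zero points at the token database itself not being mirrored, rather than at a configuration-sync problem.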

  • Illia

    Angelo, I've already checked it.

    The statemirror.mirrorsession system database variable is set to "enabled".

    Do you have any ideas on how to check the database on the Standby device?

  • Illia

    Hello, Angelo. I don't clearly understand your considerations. My devices are in one trust domain and in one Sync-Failover device group.

    https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-oauth-configuration/apm-oauth-overview.html

    As I can see here, "HA supports real-time synchronization of the BIG-IP configuration, including the OAuth database, and switching over seamlessly when needed."
    Why do we need an additional Sync-Only device group?
    • Angelo_V

      I think you are right, you don't need an additional Sync-Only device group.

      Try checking the statemirror.mirrorsession system database variable; it should be enabled:
      list /sys db statemirror.mirrorsessions
  • Illia

    Hello, Angelo. There is only one sync-failover device group.
    Illia.

    • Angelo_V

      I think the problem is this:
      To synchronize access policies between multiple devices, you configure a Sync-Only device group, which includes the devices between which you want to synchronize access policies. Device group setup requires establishing trust relationships between devices and creating a device group. You set the devices in each group to use Automatic Sync and Full Sync, and then synchronize access policies one at a time, resolving conflicts as you go.

      Important: Sync-Only groups must be configured before you pair Active-Standby devices. To add an Active-Standby device pair to a Sync-Only device group, first you must reset the trust between the devices. Next, you must remove the devices from the Sync-Failover device group. Next, you must add both devices to a Sync-Only device group. Finally, add the devices as an Active-Standby pair to the Sync-Failover group.
      https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-5-0/4.html#conceptid

  • Hi Illia,

    In addition to the HA-SYNC device group, have you also configured a Sync-Only device group?
    Angelo