Oracle Access Manager AAA Server in High Availability configuration

We have deployed LTM (10.2.1) including APM in our environment. The intention was to use APM with Oracle Access Manager as an External Authentication agent. This requires setting up an AAA server of the Type Oracle Access Manager (OAM) in the APM module.

However only one AAA server of the type Oracle Access Manager (OAM) is allowed by LTM. In order to maintain the existing High Availability of backend Oracle OAM servers, we have configured a Virtual Server (called OAM_VS) which listens on a self-IP of LTM (and an unused port) as our Oracle AAA server. This Virtual Server has a default pool which contains our two test_ OAM servers as resources.

So far so good, this approach appears to work till now. To the best of my knowledge, it works as follows: when a client tries to reach a backend service which is protected by Oracle Access Manager, It sends an HTTP request to a publicly available IP/Port (which in our case is mapped to ~~to an APM-enabled Virtual Server~~ ~~called Public_VS), APM intercepts the traffic and connects to our Virtual Server (OAM_VS) i.e the AAA server which verifies the credentials.~~

~~Now, the connection between APM and the AAA server appears not to be HTTP and may be encrypted (if configured). What we are trying to achieve is as follows:~~

In addition to the existing test_ OAM server pool , to configure another pool which contains our two production_ OAM servers as resources.

~~Depending on the incoming URL to Public_VS , change the default pool of our OAM_VS such that:-~~

for urls belonging to test servers APM will make the Authentication request to the test_ OAM server pool

for urls belonging to production servers APM will make the Authentication request to the production_ OAM server pool

Ensure that the traffic related to a particular URL is persisted to the correct back-end pool of the AAA server (OAM_VS)

~~We cannot generate an I-rule that works in APM to achieve the above since the process paths on both Virtual servers appear to be unrelated.~~

~~An approach which seems promising is to use the TCP function~~ ~~CLIENT_DATA~~ and parse the first few lines to see if the request coming from APM to our OAM_VS contains a particular url and change the pool using LB:: reselect or similar command to change the default pool on the fly.

~~However until now I couldn’t get this to work, I would greatly appreciate any help in this regard.~~

Forum Discussion

Oracle Access Manager AAA Server in High Availability configuration

Introducing the F5 Application Study Tool (AST)

Displaying Application Study Tool (AST) Dashboards in Your Own Grafana Instance

Recent Discussions

What dose "Accept" do in BIG-IP ASM event logs

Is anyone using Certbot for F5 certificate automation? If not, what tool do you use?

Change Content-Type from application/octet-stream to multipart/form-data

f5 AI Gateway pii-redactor not working

Terraform apply failures - loadbalancer_type.https.port_choice

Related Content

F5 NGINX Plus R34 Release Now Available

Getting Started with BIG-IP Next: Configuring Instance High Availability

F5 NGINX Plus R33 Release Now Available

F5 Certified Administrator NGINX certification now available!

Manage F5 BIG-IP Advanced WAF Configuration Drift with webhooks and GitOps

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS