SNI External Monitor for ADFS

Question

Kevin Stewart solved the mystery of why my built-in GTM monitor would not work against our ADFS servers (https://devcentral.f5.com/questions/monitor-for-adfs-server-gtm). The ADFS servers require SNI. He provided me with a script to create an external monitor. I created an external monitor in the GUI, and referenced the script, but cannot get it to work.&nbsp;
To troubleshoot, I created a test monitor against one of our websites hosted behind our LTMs, so that I could tcpdump in clear-text. The packet capture shows that the external monitor is calling for the page that is referenced in the script. I have tried grepping for several strings that the packet capture shows, but he server never gets marked "up". Do I need to enter arguments or variables in the external monitor GUI?&nbsp;

kevin_stewart · Answer

It seems the while loop inside getscript() was looping indefinitely, which only appears to happen as part of the monitor. Here's a minor tweak:
!/bin/bash

pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"

if [ -f $pidfile ]
    then
    kill -9 -`cat $pidfile` &gt; /dev/null 2&gt;&amp;1
fi

echo "$$" &gt; $pidfile

node_ip=`echo $1 |sed 's/::ffff://'`
node_port=$2

getscript () {
    echo 'GET / HTTP/1.1'
    echo 'Host: adfs.open-techs.com'
    echo ''
    sleep 1
    echo 'quit
'
}

docurl () {
    IFS=$'
'
    arr=($(getscript | openssl s_client -connect ${node_ip}:${node_port} -cipher 'ECDHE-RSA-AES256-SHA' -servername 'adfs.open-techs.com' 2&gt;/dev/nul |grep -E '200 OK'))
    unset IFS
}

docurl

echo ${arr[0]}

if [ -n "${arr[0]}" ]
then
     Remove the pidfile before the script echoes anything to stdout and is killed by bigd
    rm -f $pidfile
    echo "up"
fi

Remove the pidfile before the script ends
rm -f $pidfile

You may have to adjust the sleep statement depending on the application server's response.

ots02 · Answer

Thanks Kevin. Applied new script. What shows up in /dev/nul is:&nbsp;
depth=1 /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4&nbsp;
verify error:num=20:unable to get local issuer certificate&nbsp;
verify return:0&nbsp;
read:errno=0&nbsp;

kevin_stewart · Answer

The best first steps to troubleshooting this script are:

Un-comment the "echo ${arr[0]}" statement

Execute this command from the command line with the required IP and port parameters:
./ocsp-monitor.sh 10.10.10.5 443

With the echo un-commented you should see the results from the grep and optionally the "up" string.

Have you tested the openssl command directly from the command line?
openssl s_client -connect [IP:port] -cipher 'ECDHE-RSA-AES256-SHA' -servername 'adfs.open-techs.com'

ots02 · Answer

OK - will do that.&nbsp;
I added -CApath /etc/pki/tls/certs into the openssl line, and now I get:&nbsp;
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA&nbsp;
verify return:1&nbsp;
depth=1 /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4&nbsp;
verify return:1&nbsp;
depth=0 /OU=GT96587017/OU=See www.geotrust.com/resources/cps (c)15/OU=Domain Control Validated - QuickSSL(R)
Premium/CN=adfs.open-techs.com&nbsp;
verify return:1&nbsp;
read:errno=0&nbsp;

kevin_stewart · Answer

It may be worthwhile to test this manually. Execute the openssl command by itself, and if it succeeds you'll be left with an empty prompt (not the shell prompt). Type the following at that prompt to send the HTTP request:
GET /adfs/ls/idpinitiatedsignon.aspx HTTP/1.1
Host: adfs.open-techs.com
[two carriage returns]

If the SSL handshake and HTTP request were correct you should see the text of the HTTP response. This is essentially what the script is doing. By the way, I removed the "/adfs/ls/idpinitiatedsignon.aspx" URI from the GET line in the last script, so you'll probably want to re-add that. If all of that works, then it's just a matter of figuring out what you're going to be grepping for in the script.

Forum Discussion

SNI External Monitor for ADFS

Recent Discussions

APM webtop customization header message

Installing a PKCS 12 File onto an F5 Device

Irule to allow specific IPs

Uploading SKCS 12 File to F5 Device

F5 not Identifying Parameter in Text/Plain Upload

Related Content

External Monitor Templates

Create an external SNMPv3 monitor

Radius External Monitor (Python)

Custom HTTPS External Monitor

Big-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI”