Forum Discussion
Using https monitor with Oracle Access Manager
I am trying to use an https monitor on our Oracle Access Manager web servers. I have read several DevCentral posts that have left me confused as to whether a regular https monitor can use status codes in the head in the receive string.
ltm is version 11.4.1 build 634
Listing the monitor via tmsh gives me the following:

    ltm monitor https oam-https {
        cipherlist DEFAULT:+SHA:+3DES:+kEDH
        compatibility enabled
        defaults-from https
        destination :
        interval 5
        recv "HTTP/1.1 200 OK\r\n"
        send "GET /oam/server/HeartBeat HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n"
        time-until-up 0
        timeout 16
    }
The double slashes don't appear in the GUI where I entered the send and receive strings....
Using a Chrome browser, going to the webserver URL directly, https://aninvtest01-oam-stg/oam/server/Heartbeat, I get the following:

    Request URL: https://aninvtest01-oam-stg/oam/server/HeartBeat
    Request Method: GET
    Status Code: 200 OK

    Request Headers
    GET /oam/server/HeartBeat HTTP/1.1
    Host: aninvtest01-oam-stg
    Connection: keep-alive
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.146 Safari/537.36
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8

    Response Headers
    HTTP/1.1 200 OK
    Date: Mon, 19 May 2014 19:11:57 GMT
    Server: Apache
    X-ORACLE-DMS-ECID: 0000KOLtSBy3j4Q6ybaeMG1JU^TR0000C1
    X-Powered-By: Servlet/2.5 JSP/2.1
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/plain
I must be missing something in the syntax of my send or receive string as it is marking the server as down...
11 Replies
- Chris_Akker_129
Historic F5 Account
Hi Mark, I would try using a blank Receive String first, cut your problem in half.
Sometimes the Send String is incorrect/malformed, sometimes the Rec string is incorrect. Get a successful Send string first, then work on the Rec string.
Browser plug-in decoders do not always show ALL the control characters, so you might have to use TCPdump on the big-ip or the OAM server to properly decode the traffic. Hint: a missing or extra "space" can be the difference sometimes with these Send/Rec strings working or not - Ugh!!
We are working on this in the OAM Dev lab with Oracle, so we should have some specific guidance soon, but no ETA.
Please let us know what you find works, or not !!
Thanx,
Chris.
- Mark_Cloutier
Nimbostratus
Okay, I took out the receive string, i.e. made it blank, and changed the send string to use the IP address for the host value, as it occurred to me that my ltm, being in my DMZ, doesn't have access to my internal DNS.... However, it is still marking the member as down... The send string is now as follows:

    GET /oam/server/HeartBeat HTTP/1.1\r\nHost: 172.28.131.57 \r\nConnection: Close\r\n\r\n
- Mark_Cloutier
Nimbostratus
Just to confirm though, assuming I/we get the syntax right on the send and receive strings, I should be able to do this with a regular https monitor, even though all that gets sent back is the status code in the header right?
- nitass
Employee
> however it is still marking the member as down
can you try tcpdump? do you have server's ssl key to decrypt?
you may have to remove the monitor from pool first, start tcpdump and then assign it back to the pool.
    tcpdump -nni 0.0:nnn -s0 -w /var/tmp/output.pcap host x.x.x.x and host y.y.y.y -v

x.x.x.x is non-floating self ip on server vlan
y.y.y.y is server ip
- Mark_Cloutier
Nimbostratus
I can get the key tomorrow, but I can try the tcpdump against the nonsecure server first. According to my browser, the Heartbeat app is running on port 80 also.
- Mark_Cloutier
Nimbostratus
Okay, HTTP works fine, I have an oam-http monitor with the following Send and recv strings. I took out the ip address for the host field, as I was hoping that wasn't needed, because then I would need different monitors for each member. I had read that you could leave that value as null.
    GET /oam/server/HeartBeat HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
    HTTP/1.1 200 OK\r\n
But when I use the same Send and Recv strings on the https monitor it fails :(
I'll get the ssl key from the server folks tomorrow and run the tcpdump against the secure server to see what's different .... Thanks for your help
- Mark_Cloutier
Nimbostratus
GOT it... I spoke too soon on the removal of the host ip value having no effect. I noticed that my oam-http monitor had gone red, so I put the ip address back in and it went green. I went back to my https monitor and added in the host ip and it also went green....
Now, is there a way to do this without having to create a separate monitor for each member? Can the monitor populate the host value by using the node ip?
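An added example, not part of the thread and not F5 or Oracle code: a small Python helper that checks a Send String for the two things this thread kept circling (a Host header with no value, a stray space before `\r\n`) and compares a Receive String with a response. The function names are hypothetical, the plain substring match is a simplification of how the monitor matches, and `probe()` assumes the member's certificate validates against the default trust store unless a context is passed.

```python
import socket
import ssl

def wire_bytes(monitor_string):
    """Bytes sent for a string typed in the GUI with literal \\r and \\n."""
    return monitor_string.replace("\\r", "\r").replace("\\n", "\n").encode("latin-1")

def lint_send_string(send):
    """Return findings for a monitor Send String; an empty list means none."""
    raw = wire_bytes(send)
    findings = []
    if not raw.endswith(b"\r\n\r\n"):
        findings.append("request does not end with an empty line")
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    headers = [line.partition(b":") for line in lines[1:]]
    hosts = [value for name, _, value in headers if name.lower() == b"host"]
    if lines[0].endswith(b"HTTP/1.1") and not hosts:
        findings.append("HTTP/1.1 request has no Host header")
    for name, _, value in headers:
        if name.lower() == b"host" and not value.strip():
            findings.append("Host header has no value")
        elif value != value.rstrip():
            findings.append("trailing whitespace after %s value" % name.decode())
    return findings

def recv_matches(recv, response):
    """Plain substring check of the Receive String against the raw response."""
    return wire_bytes(recv) in response

def probe(address, port, send, recv, context=None, timeout=5.0):
    """Send the request over TLS; return (matched, first bytes of the response)."""
    context = context or ssl.create_default_context()  # verifies the certificate
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=address) as tls:
            tls.sendall(wire_bytes(send))
            response = tls.recv(4096)  # status line and headers
    return recv_matches(recv, response), response

# Two Send Strings quoted in the thread, and its Receive String.
EMPTY_HOST = "GET /oam/server/HeartBeat HTTP/1.1\\r\\nHost: \\r\\nConnection: Close\\r\\n\\r\\n"
HOST_WITH_SPACE = "GET /oam/server/HeartBeat HTTP/1.1\\r\\nHost: 172.28.131.57 \\r\\nConnection: Close\\r\\n\\r\\n"
RECV = "HTTP/1.1 200 OK\\r\\n"
# Constructed responses: the 200 abridges the browser capture; the 400 is only a non-match.
OK_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 0\r\n\r\n"
ERROR_RESPONSE = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print([lint_send_string(s) for s in (EMPTY_HOST, HOST_WITH_SPACE)])
    print(recv_matches(RECV, OK_RESPONSE), recv_matches(RECV, ERROR_RESPONSE))
```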
- nitass
Employee
> Can the monitor populate the host value by using the node ip?
HTTP Monitor cURL GET With Host Specific Headers
- Mark_Cloutier
Nimbostratus
As I figured, if I want to get the node IP, I need to use an iRule and use it in an external monitor.... I was trying my best to follow the advice listed at the beginning of this external monitor....
NOTE: Use external monitors only when a built-in monitor won't do the trick. This example is intended to demonstrate the use of cURL (which offers a large number of other useful options) to insert variable headers in an external monitor. However, if nothing in the request varies, and don't need those extra options, more basic HTTP monitors are much more efficiently configured using the built-in HTTP monitor template instead.
- nitass
Employee
by the way, have you tried fqdn (virtual server) instead of server (node) ip?