One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager

Nimbostratus

Apr 10, 2012

Hi,

I would like to add some additional info I have experienced during the implementation of the email based OTP design. The build I have implemented is based on a version of the F5 Tutorial provided with a slight difference. My client is not using a sms gateway or email server to send emails to the user but a mixture of both: the principle is still the same for the email based OTP.

My build works like this, the F5 points to an smtp server as a relay server, which sends an email to mysmsserviceonline@telco.com to send the text message to the user.

I followed the instructions to setup mail relay from the guide

http://support.f5.com/kb/en-us/solutions/public/3000/600/sol3664.html

ltm01 ~ cat /etc/postfix/main.cf | grep relay

relayhost = [smtp.server.com]

To provide accountability and auditable for my client, I created a custom log, using the guide below:

https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1084377/Writing-to-and-rotating-custom-log-files.aspx

OTP EMAIL Scipt

I amended the script to my needs,

!/bin/bash

while true

tail -n0 -f /var/log/customlog | while read line

var2=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $2 }'`

var3=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $3 }'`

var4=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $4 }'`

Mobile number from AD

var6=`echo "$line" | grep -i otp | awk -F'[,]' '{ print $6 }'`

Strips whitespaces from mobile number

var6=`echo "$var6" | sed 's/ //g'`

if [ "$var3" = "otp" -a -n "$var4" ]; then

I was required to amend header to lock down who was requiring access by using '-- -f ', email address pulled from AD

echo One Time Password is $var4 | mail $var6@telcosmsgateway.com -- -f user@myclient.com

done

I had several issues with the script being called; basically, if I ran it manually it would work however the script wouldn’t get called automatically. I tried several options before I came up with my solution; one suggestion was to use user_alerf config file to call my program, this worked in a fashion, but the delay between when it was called was too great for the APM session.

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/44/aft/1178752/showtab/groupforums/Default.aspx1227184

https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/256/Custom-SNMP-Traps.aspx

To get round my issue I came up with two custom scripts to ensure the script ruan in the background. The first would run every 5 minutes to check the script is still running and restart if necessary and the other would restart the script at 4:05am.

The reason for the second script was I encountered some issues with the log file rollover; the script was still running but would not process requests. I believe the issue was due to the customlog being tarred and so the ‘while true’ was no longer valid.

I tested this by manually deleting the log and testing. It held true, I had to manually restart syslog-ns to make the script write to the log again.

These are the scripts I used:

OTPEmailCheck.sh

!/bin/bash

RUNNING=`ps -ef | grep OTPEmail.sh | grep -v grep | awk '{print $2}'`

echo $RUNNING

If the variable RUNNING has not been define i.e. is empy then run

if [[ -z $RUNNING ]]; then

/config/OTPEmail.sh &

echo "script stated"

else

echo "already running"

OTPEmailRestart.sh

!/bin/bash

RUNNING=`ps -ef | grep OTPEmail.sh | grep -v grep | awk '{print $2}'`

echo $RUNNING

if [[ -z $RUNNING ]]; then

echo "OTPEmail.sh is not running. OTPEmailCheck.sh will start program within 5mins"

else

KILL=`kill -9 $RUNNING`

echo $KILL

/config/OTPEmail.sh &

echo "OTPEmail.sh was restated"

Crontab

5 * * * * /bin/bash /root/scripts/OTPEmailCheck.sh

5 4 * * * /bin/bash /root/scripts/OTPEmailRestart.sh

After that it worked as desired.

Hope this helps someone else who’s having issues

Ferg.

One Time Passwords via an SMS Gateway with BIG-IP Access Policy Manager

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS