Allowing JNLP access to an application protected by APM/Oauth2

Question

In order to protect a critical application (Oracle EBS), we went the AzureAD/OAuth2 pre-authentication way.

This mean that the users needs to have a valid M365 session in their browser to reach the application. They can then log in (again) and use the application.

The issue I'm facing is that Oracle EBS makes a large usage of java applications through JNLP. Once you download and launch the jnlp, the application doesn't start, because it cannot reach the application endpoint. This is caused by java not having the "oauth session" needed to access the application. the java application is actually redirected to the Microsoft login page. (The web-base application use the same url as the java applications. both uses for example https://my-ebs-app.organization.com/)

So I need a form of "App Tunnel" or ACL to allow thos JNLP to actually reach the application server for the users who have a valid oauth2 session.

Any Idea on a solution to this issue ?

f5_design_engineer · Answer

Hi&nbsp; Olivier_Beytrison&nbsp;&nbsp;,&nbsp;
Could you please try and have a look at this F5 KB article which matches to your situation, please check if it helps:
K01781182: Not able to access Oracle ERP applications via BIG-IP APM.
https://my.f5.com/manage/s/article/K01781182

K01781182: Not able to access Oracle ERP applications via BIG-IP APM.

&nbsp;
&nbsp;Download Article

Show social share buttons
&nbsp;
&nbsp;
Published Date:&nbsp;Mar 23, 2020Updated Date:&nbsp;Feb 22, 2023
Toggle showing the products this articleApplies to:
Description
Delivering access to&nbsp;ERP&nbsp;applications from the&nbsp;Oracle EBS&nbsp;application server fails when using the&nbsp;PortalAccess&nbsp;technology, from&nbsp;APM.It can be thrown numerous error messages and popup windows but the bottom line is: the application does not work.
Environment

You're using BigIP&nbsp;APM;
The application come from the&nbsp;Oracle EBS&nbsp;environment;
You're delivering access to this application through the&nbsp;Portal Access&nbsp;technology.Cause
The&nbsp;Oracle EBS&nbsp;applications are making usage of the Java technology.F5 Product Development has investigated numerous situations and they have carried out numerous experiments.The conclusion is: the&nbsp;REWRITE&nbsp;engine from BigIP&nbsp;APM&nbsp;cannot properly handle the Java code from those applicationsAs such: those applications do not work with&nbsp;Portal Access.
Recommended ActionsF5 Networks recommends making usage of a different technology than&nbsp;Portal Access&nbsp;- such as:&nbsp;appTunnel&nbsp;or&nbsp;Network Access&nbsp;- to deliver those applications to remote users.

K55104964: Network Access - Split Tunnel configuration
K62501251: Network Access - Full Tunnel configuration
Additional InformationNone

Related Content

Manual Chapter : Configuring Network Access Resources
Manual Chapter : Configuring App Tunnel Access
Also there is a deployment guide as follows, check if it helps:
&nbsp;
https://www.f5.com/pdf/deployment-guides/iapp-oracle-ebs-dg.pdf
Deploying the BIG-IP System with Oracle E-Business Suite
Please let us know if the issue still persists, so that we may try to gind if there is any alternate way to find a fix for you.
Best regards
F5 Design Engineer

olivier_beytrison · Answer

Hello,Well I have only a single VIP. For now I've setup the APM Policy on the VS that host the Oracle EBS service. Maybe that's not the right way to do it. But as stated above I've asked our integrator to send me someone knowledgeable about APM to help me sort this out.Regards,Olivier B.

leslie_hubertus · Answer

Hi&nbsp;Olivier_Beytrison&nbsp;- hopefully someone from the community will answer first, but just in case nobody has helped by Monday, I'll feature your question in the weekly Highlights article in order to boost visibility to increase the chances someone will reply.&nbsp;

423685 · Answer

one possible solution to the issue you're facing is to use a reverse proxy or application gateway that can handle the authentication and forwarding of requests to the Oracle EBS application server. This allows you to establish a secure connection between the client and the reverse proxy, while the proxy handles the authentication and forwards the requests to the application server.&nbsp;
Here's a high-level overview of how this solution could work:

Set up a reverse proxy or application gateway (e.g., Nginx, Apache HTTP Server, Azure Application Gateway) in front of the Oracle EBS application server.

Configure the reverse proxy to handle the authentication part using Azure AD and OAuth2. This typically involves configuring the proxy to validate the OAuth2 access tokens or session cookies from the M365 session.

When a client tries to access the Oracle EBS application through the JNLP, they will be redirected to the reverse proxy for authentication.

Once the client's M365 session is validated and authenticated, the reverse proxy can create a separate session or token specific to the Oracle EBS application.

The reverse proxy then forwards the requests from the client to the Oracle EBS application server, including the necessary authentication information (e.g., session token) required by the Java applications in the JNLP.

(Edited by Leslie Hubertus to remove spam link)

aubreykingf5 · Answer

Have you established persistence at all for this? It's been quite a bit, but I think that, if you want to pass a token from one VIP (auth) to another (app), you will need universal persistence on the VIPs so that the BIG-IP knows it's the same application flow. Also, did you follow any reference guide or doc for this build?
https://www.f5.com/pdf/deployment-guides/f5-oracle-ebusiness-suite-dg.pdf
Can you show your policy?

Forum Discussion

Allowing JNLP access to an application protected by APM/Oauth2

7 Replies

K01781182: Not able to access Oracle ERP applications via BIG-IP APM.

K01781182: Not able to access Oracle ERP applications via BIG-IP APM.

Related Content

Recent Discussions

[ASM] - what is "Browser Challange file" ?

Rewrite uri translation not working

no available managed rule groups for Israel il-central-1

About shun list for L7 DDoS?

CONNECTION IS LOST DUE TO SELF IP IS DELIVERED

Related Content

Community Learning Path: Web Application and API Protection (WAAP)

Protect an application exposed on Internet with F5 XC WAAP

Protect Applications from Spring4Shell. (CVE-2022-22965)

Protect your Mobile Applications with F5 Distributed Cloud Bot Defense

Protect your applications using F5’s Distributed Cloud and Fast ACL’s