
AS3 and SSL Orchestrator profiles

bednarcm
Nimbostratus

Hi,

Is it possible to enable SSLO (existing application topology) inside an AS3 declaration? BIG-IP 15.1

I've got the Access Profile and Per-Request Policy prepared via the SSLO configurator. When I try to enable them via the declaration:

 

"profileAccess": {
   "bigip": "/Common/ssloDefault_accessProfile"
},
"policyPerRequestAccess": {
   "bigip": "/Common/ssloP_mysslo.app/ssloP_mysslo_per_req_policy"
}

 

... I get an error message:

 

"code": 422,
"message": "declaration failed",
"response": "01b40017:3: Configuration error: Virtual Server (/Sample_01/Application_1/serviceMain) with Access Profile of type sslo is not compatible with profile of type (rba).",

 

But there is no RBA profile in this declaration. The whole declaration, based on the F5 example:

 

{
     "class": "AS3",
     "action": "deploy",
     "persist": true,
     "declaration": {
         "class": "ADC",
         "schemaVersion": "3.35.0",
         "id": "example-declaration-01",
         "label": "Sample 1",
         "remark": "Simple HTTP application with round robin pool",
         "Sample_01": {
             "class": "Tenant",
             "defaultRouteDomain": 0,
             "Application_1": {
                 "class": "Application",
                 "template": "http",
                 "serviceMain": {
                     "class": "Service_HTTP",
                     "virtualAddresses": [
                         "10.10.10.10"
                     ],
                     "pool": "web_pool",
                     "profileAccess": {
                         "bigip": "/Common/ssloDefault_accessProfile"
                     },
                     "policyPerRequestAccess": {
                         "bigip": "/Common/ssloP_mysslo.app/ssloP_mysslo_per_req_policy"
                     }
                 },
                 "web_pool": {
                     "class": "Pool",
                     "monitors": [
                         "http"
                     ],
                     "members": [
                         {
                             "servicePort": 80,
                             "serverAddresses": [
                                 "192.0.1.10",
                                 "192.0.1.11"
                             ]
                         }
                     ]
                 }
             }
         }
     }
 }

 

I can apply SSLO to this Virtual Server manually after service creation, but it doesn't work via AS3.

What can be wrong?
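
A triage helper for the 422 quoted above, added here as an example (not code from the thread or from F5): it parses the error string, walks the declaration to the service the error names, and reports whether the conflicting profile type appears among the references that service declares. The regex is written against the one error string in this post; `triage` and the result keys are this example's own names.

```python
import re

# Constructed from the thread: the 422 "response" string and the declared service.
RESPONSE = ("01b40017:3: Configuration error: Virtual Server "
            "(/Sample_01/Application_1/serviceMain) with Access Profile of type sslo "
            "is not compatible with profile of type (rba).")
DECLARATION = {
    "class": "ADC",
    "Sample_01": {
        "class": "Tenant",
        "Application_1": {
            "class": "Application",
            "serviceMain": {
                "class": "Service_HTTP",
                "virtualAddresses": ["10.10.10.10"],
                "pool": "web_pool",
                "profileAccess": {"bigip": "/Common/ssloDefault_accessProfile"},
                "policyPerRequestAccess": {
                    "bigip": "/Common/ssloP_mysslo.app/ssloP_mysslo_per_req_policy"},
            },
        },
    },
}

ERR = re.compile(r"Virtual Server \((?P<vs>/[^)]+)\) with Access Profile of type "
                 r"(?P<access>\w+) is not compatible with profile of type \((?P<other>\w+)\)")

def triage(response, adc):
    """Map the error back to the declared service and list its profile references."""
    m = ERR.search(response)
    if m is None:
        return None
    node = adc
    for part in m["vs"].strip("/").split("/"):   # /tenant/application/service
        node = node.get(part) if isinstance(node, dict) else None
        if node is None:
            return None                          # path is not an object in this declaration
    # Properties that point at a profile or policy, selected by name prefix.
    refs = {k: v for k, v in node.items()
            if k.startswith(("profile", "policy")) and isinstance(v, dict)}
    # Does the rejected profile type appear in anything the service references?
    declared = any(m["other"] in str(v).lower() for v in refs.values())
    return {"service": m["vs"], "access_type": m["access"],
            "conflict_type": m["other"], "refs": refs, "conflict_declared": declared}
```

For the declaration in this post, `conflict_declared` comes back `False`: the `rba` profile named in the error is not among the references the service declares.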

1 REPLY

Ruby69
Nimbostratus

A layered architecture takes advantage of a powerful feature of the BIG-IP called "VIP targeting". The idea is that one virtual server calls another. You're simply moving bits around in memory here, so there's almost zero latency between the two VIPs. The "external" virtual server is client-facing. The SSL Orchestrator topology virtual servers are thus "internal" (not listening on any usable VLAN). Traffic enters the external VIP and traffic rules pass control to any of a number of internal "topologies as functions" VIPs. As stated, there are near-infinite possibilities here, but I've included some iRules to get you started.