OAuth token synchronization in APM HA pair

Illia
Nimbostratus

Hello.

I have an HA pair of APMs acting as an OAuth authorization server. By default, devices in HA should synchronize OAuth tokens from Active to Standby, but I don't see issued tokens on the Standby device.

The statemirror.mirrorsession system database variable is set to "enabled".

:Active:In Sync] ~ # tmsh  show apm oauth token-details db-instance <db_name>

total-tokens:    7258

:Standby:In Sync] ~ # tmsh  show apm oauth token-details db-instance <db_name>

total-tokens:    0

There are no synchronization errors (Failed to initiate DB synchronization (ERR_DB)) in the logs.

How can I check that token synchronization is successful and that issued OAuth tokens exist on both devices in the cluster?

Angelo_V
Cirrus

Hi Illia,

In addition to the HA-SYNC device group, have you also configured a Sync-Only device group?

Angelo

Illia
Nimbostratus

Hello, Angelo. There is only one sync-failover device group.

Illia.

I think that is the problem.

To synchronize access policies between multiple devices, you configure a Sync-Only device group, which includes the devices between which you want to synchronize access policies. Device group setup requires establishing trust relationships between devices and creating a device group. You set the devices in each group to use Automatic Sync and Full Sync, and then synchronize access policies one at a time, resolving conflicts as you go.

Important: Sync-Only groups must be configured before you pair Active-Standby devices. To add an Active-Standby device pair to a Sync-Only device group, first you must reset the trust between the devices. Next, you must remove the devices from the Sync-Failover device group. Next, you must add both devices to a Sync-Only device group. Finally, add the devices as an Active-Standby pair to the Sync-Failover group.

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-implementations-11-5-0/4.html#conceptid

Illia
Nimbostratus

Hello, Angelo. I don't clearly understand your considerations. My devices are in one trust domain and in one Sync-Failover device group.

https://techdocs.f5.com/en-us/bigip-15-1-0/big-ip-access-policy-manager-oauth-configuration/apm-oauth-overview.html

As I can see here, "HA supports real-time synchronization of the BIG-IP configuration, including the OAuth database, and switching over seamlessly when needed."

Why do we need an additional Sync-Only device group?

I think you are right, you don't need an additional Sync-Only device group.

Try to check the statemirror.mirrorsession system database variable; it should be enabled.

list /sys db statemirror.mirrorsessions

Illia
Nimbostratus

Angelo, I've already checked it.

The statemirror.mirrorsession system database variable is set to "enabled".

Do you have any ideas on how to check the database on the Standby device?
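As an added example (not from this thread or from F5), here is a small POSIX sh checker for the two things the thread looks at: the mirroring db variable and the token count from "tmsh show apm oauth token-details db-instance". The sample outputs are constructed from the lines quoted above; the block format of "tmsh list sys db" and its "enable" value are assumptions, and in practice each output would be captured with tmsh on the respective unit.

```shell
#!/bin/sh
# Added example: compare the OAuth token count reported by each HA unit and
# confirm session mirroring is on. Sample outputs are constructed from the
# thread; the 'list sys db' block layout is an assumed tmsh format.

ACTIVE_OUT='total-tokens:    7258'
STANDBY_OUT='total-tokens:    0'
DB_OUT='sys db statemirror.mirrorsessions {
    value "enable"
}'

# Print the integer after "total-tokens:"; print -1 when the line is absent.
token_count() {
    printf '%s\n' "$1" | awk '
        /^total-tokens:/ { print $2; found = 1; exit }
        END { if (!found) print -1 }'
}

# Print the quoted value from a 'tmsh list sys db ...' block (empty if absent).
mirror_value() {
    printf '%s\n' "$1" | sed -n 's/.*value "\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed (0) only when both units report the same non-negative token count.
tokens_in_sync() {
    a=$(token_count "$1")
    s=$(token_count "$2")
    [ "$a" -ge 0 ] && [ "$s" -ge 0 ] && [ "$a" -eq "$s" ]
}

# Overall verdict: mirroring enabled and counts equal. Prints findings and
# returns 0 when the pair looks healthy, 1 otherwise.
ha_token_check() {
    rc=0
    if [ "$(mirror_value "$3")" != "enable" ]; then
        echo "statemirror.mirrorsessions is not enable"; rc=1
    fi
    if tokens_in_sync "$1" "$2"; then
        echo "token counts match: $(token_count "$1")"
    else
        echo "token count mismatch: active=$(token_count "$1") standby=$(token_count "$2")"
        rc=1
    fi
    return "$rc"
}

ha_token_check "$ACTIVE_OUT" "$STANDBY_OUT" "$DB_OUT" || echo "pair NOT in sync"
```

With the thread's numbers this reports a mismatch (7258 vs 0), which is exactly the symptom being asked about; a healthy pair prints matching counts and returns 0.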