Oracle JDBC SSL Termination failing on F5
We have created a new f5 VIP to terminate SSL and redirect the traffic to backend Oracle Database and the client is java application. We have configured the certificate using *.pfx file in f5 VIP, the same is used at client side to configure jks file to access. We have configure keystore and truststore on client side while accessing the VIP. But F5 is keep on complaining that the request received at f5 is not SSL Error in f5: cat ltm | grep Mar 17 13:15:46 abc.net warning tmm[11711]: 01260009:4: 10.0.0.0:58857 -> 10.0.0.0:8443: Connection error: ssl_passthru:5935: alert(40) not SSL Java code accessing F5 vip String jdbcUrl = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=F5ENDPOINT.net)(PORT=8443))(CONNECT_DATA=(SERVICE_NAME=ABC)))"; System.setProperty("javax.net.ssl.keyStore", "C:\\Apps\\rspt\\keystore.jks"); System.setProperty("javax.net.ssl.keyStoreType", "JKS"); System.setProperty("javax.net.ssl.keyStorePassword", "changeit"); System.setProperty("javax.net.ssl.trustStore", "C:\\Apps\\rspt\\trustStore.jks"); System.setProperty("javax.net.ssl.trustStoreType", "JKS"); System.setProperty("javax.net.ssl.trustStorePassword", "changeit"); Properties props = new Properties(); props.setProperty("user", userName); props.setProperty("password", password); props.setProperty("javax.net.ssl.keyStore", "C:\\Apps\\rspt\\keystore.jks"); props.setProperty("javax.net.ssl.keyStorePassword","changeit"); props.setProperty("javax.net.ssl.trustStore", "C:\\Apps\\rspt\\trustStore.jks"); props.setProperty("javax.net.ssl.trustStorePassword","changeit"); String query = "SELECT name FROM department WHERE departmentid= 1"; try { DriverManager.registerDriver(new oracle.jdbc.driver.OracleDriver()); con = DriverManager.getConnection(jdbcUrl,props); Statement statement = con.createStatement(); // Execute the query and obtain the result set ResultSet resultSet = statement.executeQuery(query); while (resultSet.next()) { String name = resultSet.getString("name"); System.out.println(" Name: " + name); } } catch (SQLException e) { e.printStackTrace(); } We have tried this with 80 PORT AND tcp as protocol in jdbc connection string and its working as expected. Only when we enable SSL termination on 8443, we have this issue. Can you guide what we are missing here ?
delete_devices
Problem this snippet solves: Introduced: EM_v3.0 Use the delete_devices API to remove devices currently being managed by an Enterprise Manager. How to use this snippet: Prototype Python ic.Management.EM.deletedevices(deviceaddresses) C#, Java, and Perl ic.getManagementEM().delete_devices(deviceAddresses); Inputs Name Type Description IP addresses String Sequence This parameter specifies the IP addresses or hostnames of the F5 device(s) that you want to delete from the list of managed devices. Return values There is no explicit return when this API executes successfully. Exceptions The table lists error categories that Enterprise Manager can raise if the API call fails. Exception Name This exception is raised when... AccessDenied The credentials supplied by the client do not satisfy the F5 device's validation requirements. OperationFailed The API call causes an operation error. InvalidArgument The API call contains an invalid argument. Code : To view a code sample, click the relevant code type. C# (.net) Java Perl Pythonget_task_status
Problem this snippet solves: Introduced : EM_v3.0 Use the get_task_status API to determine the current status of a device discovery task. How to use this snippet: Python ic.Management.EM.get_task_status(ids = task_ids) C#, Java, and Perl ic.Management.EM.get_task_status(ids = task_ids); Inputs Name Type Description tasks String Sequence This parameter specifies the task IDs of the tasks for which you want to know the status. Return Values Name Type Description task TaskStatus Sequence The ID of the new discovery task. This ID can return the following values: TASK_STATUS_UNKNOWN TASK_STATUS_PENDING TASK_STATUS_STARTED TASK_STATUS_FAILED TASK_STATUS_COMPLETE TASK_STATUS_RUNNING TASK_STATUS_CANCELING TASK_STATUS_CANCELED TASK_STATUS_ABANDONED TASK_STATUS_TERMINATED TASK_STATUS_TIMED_OUT TASK_STATUS_RESCHEDULED Exceptions Exception Name This exception is raised when... AccessDenied The credentials supplied by the client do not satisfy the F5 device's validation requirements. OperationFailed The API call causes an operation error. InvalidArgument The API call contains an invalid argument. Code : To view a code sample, click the relevant code type. C# (.net) Java Perl Python2.5 bad ways to implement a server load balancing architecture
I'm in a bit of mood after reading a Javaworld article on server load balancing that presents some fairly poor ideas on architectural implementations. It's not the concepts that are necessarily wrong; they will work. It's the architectures offered as a method of load balancing made me do a double-take and say "What?" I started reading this article because it was part 2 of a series on load balancing and this installment focused on application layer load balancing. You know, layer 7 load balancing. Something we at F5 just might know a thing or two about. But you never know where and from whom you'll learn something new, so I was eager to dive in and learn something. I learned something alright. I learned a couple of bad ways to implement a server load balancing architecture. TWO LOAD BALANCERS? The first indication I wasn't going to be pleased with these suggestions came with the description of a "popular" load-balancing architecture that included two load balancers: one for the transport layer (layer 4) and another for the application layer (layer 7). In contrast to low-level load balancing solutions, application-level server load balancing operates with application knowledge. One popular load-balancing architecture, shown in Figure 1, includes both an application-level load balancer and a transport-level load balancer. Even the most rudimentary, entry level load balancers on the market today - software and hardware, free and commercial - can handle both transport and application layer load balancing. There is absolutely no need to deploy two separate load balancers to handle two different layers in the stack. This is a poor architecture introducing unnecessary management and architectural complexity as well as additional points of failure into the network architecture. It's bad for performance because it introduces additional hops and points of inspection through which application messages must flow. To give the author credit he does recognize this and offers up a second option to counter the negative impact of the "additional network hops." One way to avoid additional network hops is to make use of the HTTP redirect directive. With the help of the redirect directive, the server reroutes a client to another location. Instead of returning the requested object, the server returns a redirect response such as 303. I found it interesting that the author cited an HTTP response code of 303, which is rarely returned in conjunction with redirects. More often a 302 is used. But it is valid, if not a bit odd. That's not the real problem with this one, anyway. The author claims "The HTTP redirect approach has two weaknesses." That's true, it has two weaknesses - and a few more as well. He correctly identifies that this approach does nothing for availability and exposes the infrastructure, which is a security risk. But he fails to mention that using HTTP redirects introduces additional latency because it requires additional requests that must be made by the client (increasing network traffic), and that it is further incapable of providing any other advanced functionality at the load balancing point because it essentially turns the architecture into a variation of a DSR (direct server return) configuration. THAT"S ONLY 2 BAD WAYS, WHERE'S THE .5? The half bad way comes from the fact that the solutions are presented as a Java based solution. They will work in the sense that they do what the author says they'll do, but they won't scale. Consider this: the reason you're implementing load balancing is to scale, because one server can't handle the load. A solution that involves putting a single server - with the same limitations on connections and session tables - in front of two servers with essentially the twice the capacity of the load balancer gains you nothing. The single server may be able to handle 1.5 times (if you're lucky) what the servers serving applications may be capable of due to the fact that the burden of processing application requests has been offloaded to the application servers, but you're still limited in the number of concurrent users and connections you can handle because it's limited by the platform on which you are deploying the solution. An application server acting as a cluster controller or load balancer simply doesn't scale as well as a purpose-built load balancing solution because it isn't optimized to be a load balancer and its resource management is limited to that of a typical application server. That's true whether you're using a software solution like Apache mod_proxy_balancer or hardware solution. So if you're implementing this type of a solution to scale an application, you aren't going to see the benefits you think you are, and in fact you may see a degradation of performance due to the introduction of additional hops, additional processing, and poorly designed network architectures. I'm all for load balancing, obviously, but I'm also all for doing it the right way. And these solutions are just not the right way to implement a load balancing solution unless you're trying to learn the concepts involved or are in a computer science class in college. If you're going to do something, do it right. And doing it right means taking into consideration the goals of the solution you're trying to implement. The goals of a load balancing solution are to provide availability and scale, neither of which the solutions presented in this article will truly achieve.
iControl with Java - Retrieve List of Virtual Servers does not include Applications
Hi, i connect to the F5 using the Java Wrapper API; Now, when i get the list of Virtual-Servers via iControlInterfaces.getLocalLBVirtualServer().get_list() it only returns the virtual servers that are not created with an application (i.e. with the f5.microsoft_exchange_2010_2013_cas template). I could not find any way to further "open" the list; How can i retrieve these too? Many thanks in advance! Rene
Read Access Denied on LocalLBRule::get_metadata
I'm using the iControl Java lib and am getting "Read Access Denied" errors. public class F5Test implements Credentials { private Interfaces f5Interface = new Interfaces("my-lb.example.com", 443, UNAME, PSWD); public static void main(String[] args) { F5Test test = new F5Test(); test.test(); } void test() { try { f5Interface.getManagementPartition().set_active_partition("my-partition"); String[] rules = { "irule_my_rule" }; String[][] md = f5Interface.getLocalLBRule().get_metadata(rules); for(String[] mds : md) { for(String metadata : mds) { System.out.println(metadata); } } } catch (RemoteException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } } } When I run this I get: AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server faultSubcode: faultString: Exception caught in LocalLB::urn:iControl:LocalLB/Rule::get_metadata() Exception: Common::OperationFailed primary_error_code : 17238051 (0x01070823) secondary_error_code : 0 error_string : 01070823:3: Read Access Denied: user (zharvey) type (rule metadata) faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:Exception caught in LocalLB::urn:iControl:LocalLB/Rule::get_metadata() Exception: Common::OperationFailed primary_error_code : 17238051 (0x01070823) secondary_error_code : 0 error_string : 01070823:3: Read Access Denied: user (zharvey) type (rule metadata) at org.apache.axis.message.SOAPFaultBuilder.createFault(SOAPFaultBuilder.java:222) at org.apache.axis.message.SOAPFaultBuilder.endElement(SOAPFaultBuilder.java:129) ...rest of stack trace omitted for brevity I have confirmed that the iRule "irule_my_rule" is defined inside "my-partition" and our IT staff confirms I have full r/w permission for it. Am I using the API incorrectly or is this an F5 config issue?
Ability to create new LocalLBPool without any members through iControl Java API
I've been using the iControl Java (assembly) API to manage/configure the BigIP LTM instance (the virtual edition trial version). The management console of BigIP allows creating a LTM pool without any (initial) members added and just passing a load balancing method and a pool name. However, trying to do the same via the iControl Java API as follows results in an exception which isn't informative on why it's failing: final LocalLBPoolBindingStub localLBPool = (LocalLBPoolBindingStub) new LocalLBPoolLocator().getLocalLBPoolPort(this.bigIpLoadBalancerURL); localLBPool.create(new String[]{poolName}, new LocalLBLBMethod[]{loadBalancingMethod}, new CommonIPPortDefinition[0][0]); Notice that I am passing an empty array as the 3rd param to the create method. It fails with: Caused by: (500)Internal Server Error at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) at org.apache.axis.client.Call.invokeEngine(Call.java:2784) at org.apache.axis.client.Call.invoke(Call.java:2767) at org.apache.axis.client.Call.invoke(Call.java:2443) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812) at iControl.LocalLBPoolBindingStub.create(LocalLBPoolBindingStub.java:2429) and no more information. 1) Should it be possible to use iControl API to create a new pool without any (initial) members? From a BigIP point of view, I think it's possible since the UI allows you to do that. 2) Is there a way I can figure out what exactly the problem is with that method call? The error message isn't too informative. Environment information: iControl Java (assembly) API version: 11.4.1 (the latest that was available here https://devcentral.f5.com/d/icontrol-library-for-java) BigIP version: 10.1 Virtual edition trial version available from here https://www.f5.com/trial/big-ip-ltm-virtual-edition.phpAbility to create new LocalLBPool without any members through iControl Java API
I've been using the iControl Java (assembly) API to manage/configure the BigIP LTM instance (the virtual edition trial version). The management console of BigIP allows creating a LTM pool without any (initial) members added and just passing a load balancing method and a pool name. However, trying to do the same via the iControl Java API as follows results in an exception which isn't informative on why it's failing: final LocalLBPoolBindingStub localLBPool = (LocalLBPoolBindingStub) new LocalLBPoolLocator().getLocalLBPoolPort(this.bigIpLoadBalancerURL); localLBPool.create(new String[]{poolName}, new LocalLBLBMethod[]{loadBalancingMethod}, new CommonIPPortDefinition[0][0]); Notice that I am passing an empty array as the 3rd param to the create method. It fails with: Caused by: (500)Internal Server Error at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) at org.apache.axis.client.Call.invokeEngine(Call.java:2784) at org.apache.axis.client.Call.invoke(Call.java:2767) at org.apache.axis.client.Call.invoke(Call.java:2443) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812) at iControl.LocalLBPoolBindingStub.create(LocalLBPoolBindingStub.java:2429) and no more information. 1) Should it be possible to use iControl API to create a new pool without any (initial) members? From a BigIP point of view, I think it's possible since the UI allows you to do that. 2) Is there a way I can figure out what exactly the problem is with that method call? The error message isn't too informative. Environment information: iControl Java (assembly) API version: 11.4.1 (the latest that was available here https://devcentral.f5.com/d/icontrol-library-for-java) BigIP version: 10.1 Virtual edition trial version available from here https://www.f5.com/trial/big-ip-ltm-virtual-edition.phpiControl transaction problem
Here is my code written with iControl Library for Java. // set timeout interfaces.getSystemSession().set_session_timeout(60); interfaces.getSystemSession().set_transaction_timeout(30); // get transaction final long sessionId = interfaces.getSystemSession().get_session_identifier(); interfaces.getSystemSession().setHeader("urn:iControl", "session", Long.toString(sessionId)); interfaces.getLocalLBPool().setHeader("urn:iControl","session",Long.toString(sessionId); // start transaction interfaces.getSystemSession().submit_transaction(); // create pool1 interfaces.getLocalLBPool().create_v2(poolname1, lbmethod1, addressport1); // sleep 30 sec to wait transaction will be expired Thread.sleep(30000); // create pool2 interfaces.getLocalLBPool().create_v2(poolname2, lbmethod2, addressport2); // submit transaction interfaces.getSystemSession().submit_transaction(); I expected that creating both pool1 and pool2 would be rollbacked, but pool2 was succesfully created. Is there a way to detect transaction expiration and roleback all configuration in transaction ?Virtual Server creation through iControl Java API fails silently due to missing profiles
I'm using iControl Java API to create a virtual server. The code is as follows: final LocalLBVirtualServerBindingStub virtualServerStub = (LocalLBVirtualServerBindingStub) new LocalLBVirtualServerLocator().getLocalLBVirtualServerPort(foobarURL); final CommonProtocolType vserverProtocolType = CommonProtocolType.fromString(protocol); final CommonVirtualServerDefinition[] vserverDefinition = new CommonVirtualServerDefinition[]{new CommonVirtualServerDefinition(name, ip, port, vserverProtocolType)}; final LocalLBVirtualServerVirtualServerResource[] resource = new LocalLBVirtualServerVirtualServerResource[]{new LocalLBVirtualServerVirtualServerResource(LocalLBVirtualServerVirtualServerType.RESOURCE_TYPE_POOL, loadBalancerPoolName)}; virtualServerStub.create(vserverDefinition, new String[]{netmask}, resource, new LocalLBVirtualServerVirtualServerProfile[0][0]); Now this call just "passes" although no virtual server is really created (I checked through the admin UI). There are no exceptions or even any other relevant logging. After various trial and error tests, I realized that the problem was that the code was passing no "profiles" for the virtual server creation: virtualServerStub.create(vserverDefinition, new String[]{netmask}, resource, new LocalLBVirtualServerVirtualServerProfile[0][0]); The questions I have are: 1) Why isn't the API throwing an exception if profiles is mandatory 2) Is there an API I can use to fetch the list of available profiles for a particular "protocol" and any available "default profile" for that protocol? The reason why I would like to have something like this is, because for a user who is using this code, it won't be feasible to send in some random profile name strings that perhaps won't apply to a particular "protocol" of the virtual server or even the "service type" of the virtual server. P.S: I stumbled upon a similar thread here https://devcentral.f5.com/questions/virtual-server-create-fails-silently which shows sample code to create the virtual server and in there it hard codes certain profile names which is exactly what I'm trying to avoid. Environment details: iControl Java (assembly) API version: 11.4.1 (the latest that was available here https://devcentral.f5.com/d/icontrol-library-for-java) BigIP version: 10.1 Virtual edition trial version available from here https://www.f5.com/trial/big-ip-ltm-virtual-edition.php
