iRule "virtual" command to use virtual server as pool member - how does it work? Typical event lifecycle?
Per SOL10379 (https://support.f5.com/kb/en-us/solutions/public/10000/300/sol10379.html), starting with 9.4, it's possible for a virtual server to use another virtual server on the same device as a pool member, using the iRules "virtual" command. When this is done, does the normal event processing occur for both virtual servers involved? That is, from an event lifecycle perspective, will it act just as if the virtual server that is a pool member were being accessed externally? In our situation, we have an APM OAM AAA server applied to an HTTP port 80 virtual server; we would like to establish an SSL offload virtual server on the same device, that uses the port 80 virtual server as a pool member. But I'm not clear on whether the port 80 virtual server's event lifecycle for request processing, APM policy processing, etc. will all occur. We're observing some strange behavior, and are exploring if this may be a root cause. thx!
F5 APM Oracle Access Manager SSO
Hello Dears, I'm trying to configure SSO for applications that are authenticated using Oracle Access Manager. Here's the flow without F5: 1- User connect to a protected resource 2- User is redirected to OAM 3- User authenticate against OAM using Kerberos 4- OAM has a delegation account configured, so it authenticates against active directory to see if user is authorized 5- If authenticated, the OAM redirects user again to the Protected Resource I have been reading a lot of documents from F5 and I reached a conclusion that I need to use active directory as authentication source for initial connection to webtop.. And then use OAM as authentication source for access portals themselves and for SSO. However I'm way over my head and can't find solid info on how to implement this, I thought of doing kerberos but I'm not actually authenticating against AD using Kerberos, I'm authenticating against OAM.. I found this in a document, but in my version (12 and 13) it doesn't exit anymore?? I could have configured an OAM server and its SSO config but I guess this type of configuration is retired (or hopefully under a new name!) https://www.f5.com/pdf/deployment-guides/f5-oracle-oam-apm-dg.pdf I have also been reading on this document, but it doesn't mention SSO https://www.f5.com/pdf/deployment-guides/oracle-oam-apm-11-dg.pdf I'd appreciate it if someone could explain how this requirement could be fulfilled..
APM integration with Oracle Access Manager
Hello together, it would be interesting how many of you have implemented the APM modul together with Oracle Access Manager. Which Firmware version are you using on the F5? Which Patchlevel do you have on OAM side? How many webgates do you have implemented on F5 side? Did you face any problems during the integration? I'm asking this because I couldn't find many guys which are using this combination - and yeah I know that there is a Deployment Guide from F5 (which is really good), but I want real customer experience about this. To our setup: Actual we're using firmware 12.1.0 HF1 together with OAM 11gR2 PS3. At the moment we have about 20 webgates active (10g webgates, because 11g isn't supported yet by F5 :/). And we faced a lot of issues during our migration from OAM 11gR1 to R2 together with the F5 integration. But for now on it's working, not 100% perfect but it's working :). Cheers, ChristophF5 APM WebGate - 10g or 11g?
Hello- Has the latest version of the APM WebGate been upgraded to a true 11g webgate, or is it still a 10g webgate? The latest documentation I can find (link) points to a 10g version, but that documentation is over a year old and we’ve heard it both ways. Clarification would be greatly appreciated! Thanks, Sam S.APM OAM Simple transport security mode, to v11.1.2 OAM server
Am having trouble configuring an OAM AccessGate in "Simple" transport security mode. It works correctly when "Open" transport mode is used. And, after reconfiguring the accessgate on the OAM server to "Simple" mode, that accessgate works correctly when we configure a webgate on an Oracle HTTP Server (OHS) instance. But that same "Simple" mode accessgate doesn't work on the F5. Our F5 is running 11.5.2 plain; the OAM server is at v11.1.2. Is there anyone with a comparable configuration, operating successfully in "Simple" transport security mode? If so, can you share if there were any difficulties establishing the configuration, and if you need to do anything not described in the F5 integration guide for OAM? I have a support case open, but we haven't succeeded in fixing it yet, and am hoping for feedback from someone successful in this config. One specific question - the OAM 11.1 integration guide for configuring a webgate on an OHS server has you copying the certificate/key, password.xml and ObAccessClient.xml files from the OAM server onto the OHS server. The F5 APM module, on the other hand, seems to always generate its own certificate for the Simple mode. The F5 guide has a similar copying step for Cert mode, but not Simple mode. I'm wondering if possibly Simple mode changed with OAM v11, and now we need to do that copying step on the F5 as well (e.g., maybe both side's certs need to be from the same Oracle built-in CA). So far, however, copying them into place in the /config/aaa/oam/Common tree (overlaying the F5-generated files) and restarting eam hasn't seemed to have any impact. Did anyone find they had to do such a copy-files-from-the-OAM-server for Simple mode, and if so, do you have a procedure for doing so? ty!APM OAM, access server hostname FQDN trimmed to simple name before use...?
Environment: Big-IP 4200v running LTM 11.5.2 with APM We have an OAM integrated as a AAA server in APM, and for some reason, even though we use a fully-qualified name for the access server hostname, it seems that the OAM SDK calls are all trying to reach out to the simple version of the name (that is, we have host.domain.com in the configuration, but the OAP calls all are made to host:5575, instead of host.domain.com:5575). I know this is the case, because I have manual name resolution in place at this point, via hosts file entries - and if I don't have the simple name resolved, OAM calls fail - if I add in resolution of the simple name, it works fine. This does not happen with other OAM integrations we have, on other F5s, they all use the fqdn. This isn't really a problem, we can live with the simple name - but it's dang curious. Any thoughts?
