Manual Chapter : Integrating APM with PingAccess Servers

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.0
Manual Chapter

Integrating APM with PingAccess Servers

Overview: Integrating APM with PingAccess

You can configure Access Policy Manager (APM) to act as a Policy Enforcement Point (PEP) in place of PingAccess agents installed on web servers. In this case, APM intercepts client requests to web applications, and queries PingAccess servers for policy decisions. APM then enforces the policy decisions that the PingAccess server provides, such as these:
  • Allow or deny a request for a resource.
  • Redirect the user for authentication.
  • Modify request/response HTTP headers.

Prerequisites for PingAccess integration

Infrastructure for a PingAccess deployment might include one or more PingAccess servers with zero or more agents configured on each one. Before you start to configure Access Policy Manager (APM®) for PingAccess, download agent properties files from PingAccess servers. If PingAccess servers are deployed in a cluster, you need only one agent properties file per agent instance.
For more information, refer to
PingAccess Deployment Guide
, which is available from Ping Identity.
F5 is not responsible for any inaccuracies in third party content.

PingAccess SSL certificates and BIG-IP configuration

A PingAccess agent properties file can include only one SSL certificate. When importing the PingAccess agent properties file, Access Policy Manager (APM®) can also import the SSL certificate. With the certificate imported, APM creates a server SSL profile and specifies the SSL certificate in the
Trusted Certificate Authorities
field.
For more information, refer to
BIG-IP System: SSL Administration
on the AskF5 web site located at
support.f5.com/
.

Uploading PingAccess agent properties to APM

You upload agent properties files for use in Access Policy Manager (APM) communication with PingAccess servers.
If the PingAccess server is configured to use SSL, and APM can detect the server SSL certificate in the agent properties file, you will have the opportunity to import the server SSL certificate from the server along with the agent properties.
  1. On the Main tab, click
    Access
    Federation
    PingAccess
    Agent Properties
    .
  2. Click
    Create
    .
    A New screen opens.
  3. In the
    Name
    field, type a unique name.
  4. In the Configuration area for
    Properties File
    , click the
    Choose File
    button.
    A popup directory screen opens.
  5. Navigate to and select an agent properties file that you downloaded from a PingAccess server, and click
    Open
    .
    The popup screen closes. If APM detects a valid SSL certificate in the properties file, an
    Import SSL Certificate
    check box displays.
  6. If the
    Import SSL Certificate
    check box displays, select it.
    The SSL certificate comes from the PingAccess server.
  7. Click
    Finished
    .
    APM imports the properties file. If you selected the
    Import SSL Certificate
    check box, APM imports the certificate to the BIG-IP system and creates a server SSL profile that specifies the certificate as the trusted certificate authority. The name of the imported certificate and the name of the server SSL profile match the name you specified for this PingAccess properties object.
If the PingAccess server uses SSL, and APM did not detect and import an SSL certificate, you must download the SSL certificate from the PingAccess server, import it to the BIG-IP system, and configure a server SSL profile to use it.

Configuring a local traffic pool of PingAccess servers

You configure a pool of PingAccess servers that serve requests from the same PingAccess agent so that, when Access Policy Manager (APM) acts as a Policy Enforcement Point (PEP) in place of the PingAccess agent, APM has the correct group of PingAccess servers with which to interact.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pool List screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a unique name for the pool.
  4. For
    Health Monitors
    , you can select
    tcp
    .
    You can select an HTTP or HTTPS type of health monitor if you configure one to use this custom send string
    GET /pa/heartbeat.ping\r\n
    .
  5. In the Resources area, for the
    New Members
    setting, add PingAccess servers that serve requests from the same agent:
    1. Either type an IP address in the
      Address
      field, or select a preexisting node address from the
      Node List
      .
    2. In the
      Service Port
      field, type the port number.
      The default port number for PingAccess server is 3030. However, the port used in your configuration might differ.
    3. Click
      Add
      .
  6. Click
    Finished
    .
The new pool appears in the Pools list.

Creating a PingAccess profile for APM authentication

You configure a profile to specify PingAccess agent properties and PingAccess servers for integration with Access Policy Manager (APM).
  1. On the Main tab, click
    Access
    Federation
    PingAccess
    Profiles
    .
  2. Click
    Create
    .
    A New screen opens.
  3. In the
    Name
    field, type a unique name.
  4. For the
    Properties File
    field, select one from the list or click (
    +
    ) to upload a PingAccess agent properties file before you make a selection.
  5. From the
    Pool Name
    list, select the pool of PingAcess policy servers that you configured earlier.
  6. The
    Use HTTPS
    setting default is to have the check box selected (enabled).
  7. If
    Use HTTPS
    is enabled, from the
    Server SSL Profile
    list, select a profile that is configured with the PingAccess server SSL certificate as the trusted certificate authority.
    If APM imported the server SSL certificate from the PingAccess agent properties file, the profile name matches the properties file name.
For the PingAccess profile to go into effect, you must now add it to a virtual server.

Configuring a pool of web application services to protect

You configure a pool to specify the web application services behind a virtual server that Access Policy Manager (APM) protects when acting as a PingAccess agent.
  1. On the Main tab, click
    Local Traffic
    Pools
    .
    The Pools list screen opens.
  2. Click
    Create
    .
    The New Pool screen opens.
  3. In the
    Name
    field, type a name for the pool.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    The pool name is limited to 63 characters.
  4. In the Resources area, for the
    New Members
    setting, add web application services that APM protects:
    1. Either type an IP address in the
      Address
      field, or select a preexisting node address from the
      Node List
      .
    2. In the
      Service Port
      field, type the port number for the web application service.
    3. Click
      Add
      .
  5. Click
    Finished
    .
The new pool appears in the Pools list.
To use this pool, you must now specify it in the virtual server configuration. If the web application servers use SSL, download the SSL certificate, import it into the BIG-IP system, and create a server SSL profile with the certificate to assign to the virtual server configuration.

Creating a virtual server for a PingAccess profile

A virtual server represents a destination IP address for application traffic.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Destination Address/Mask
    field, type the IP address for a host virtual server.
    The IP address you type must be available and not in the loopback network.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  4. In the
    Service Port
    field:
    • If you want to specify a single service port or all ports, confirm that the
      Port
      button is selected, and type or select a service port.
    • If you want to specify multiple ports other than all ports, select the
      Port List
      button, and confirm that the port list that you previously created appears in the box.
  5. From the
    HTTP Profile (Client)
    list, select a previously-created HTTP/2 profile for client-side traffic.
  6. If SSL protocol is in use on the web application servers in the pool that you configured previously:
    1. From
      SSL Profile (Client)
      , select a profile.
    2. From
      SSL Profile (Server)
      , select a profile.
  7. From the
    Source Address Translation
    list, select
    Auto Map
    .
  8. Scroll down to the Access Policy area.
  9. Confirm that
    Access Profile
    is set to
    None
    .
    APM supports assignment of only one of these profiles to a virtual server: an access profile or a PingAccess profile.
  10. From the
    PingAccess Profile
    list, select a profile.
  11. Retain the default values for all other settings in the Access Policy area.
  12. In the Resources area of the screen, from the
    Default Pool
    list, select the name of the pool that you configured to specify web applications that APM protects.
  13. Click
    Finished
    .
A destination IP address on the BIG-IP system is now available for application traffic.

Troubleshooting SSL handshake failure

If the connection between the BIG-IP system and an external server is SSL-protected and it fails, these steps might help you if the problem is due to the BIG-IP system using a later version of TLS than the external server uses. (Older servers that do not support later TLS versions might generate an alert and close the connection.)
  1. From the command line on the BIG-IP system, type
    tmsh list sys db
    SSL.OuterRecordTls1_0
    .
    Information about the db variable displays. If the db variable is set to its default value of enable, the BIG-IP system specifies TLS version 1.0 in the outer SSL record, and this should cause no problem for a server that does not support later TLS versions.
  2. If the db variable is set to disable, to make a change that affects only the sessions started through a virtual server with a particular server SSL profile, update the server SSL profile.
    1. On the Main tab, click
      Local Traffic
      Profiles
      SSL
      Server
      .
    2. Click the name of the profile you want to update.
    3. For
      Configuration
      , select
      Advanced
      and select the
      Custom
      check box.
    4. Scroll to the
      Options List
      setting.
    5. From the
      Available Options
      list, select
      No TLSv1.1
      and
      No TLSv1.2
      and click the
      Enable
      button.
      The selected options display on the
      Enabled Options
      list.
    6. Click
      Update
      .
  3. If the db variable is set to disable, and you are sure that you should make a system-wide change, type
    tmsh modify sys db
    SSL.OuterRecordTls1_0
    value
    enable
    .
    The db variable is restored to its default value.
Refer to
BIG-IP System: SSL Administration
and Release notes for BIG-IP Local Traffic Manager on the AskF5 web site located at
support.f5.com/
.

Modifying APM logging for PingAccess profile

For troubleshooting purposes, you might need to modify the log level for PingAccess profile.
Only the default-log-setting applies to PingAccess profile logging. Log settings in an access profile do not apply, because Access Policy Manager (APM) does not support an access profile with PingAccess.
  1. On the Main tab, click
    Access
    Overview
    Event Logs
    Settings
    .
    A log settings table screen opens.
  2. Select
    default-log-setting
    and click
    Edit
    .
    A popup screen opens.
  3. On the left, select
    Access System Logs
    .
  4. From the
    PingAccess Profile
    list, select a value.
    The default value is
    Notice
    . F5 does not recommend selecting
    Debug
    unless you are instructed to do so by support engineers.
  5. Click
    OK
    .
    The popup screen closes.