Release Notes : Guided Configuration 2.0

Applies To:


BIG-IP APM

  • 13.1.0
Release Notes
Original Publication Date: 12/21/2017

Summary:

Guided Configurations for BIG-IP Access Policy Manager provides simple, workflow-driven configuration templates that cover common use case scenarios. Guided configurations can be easily created using the configuration templates. These configurations can be further edited, adding more components and apps, using the Guided Configuration interface.

Contents:

Included Configuration Templates

This release of Guided Configurations includes several configuration templates for Federation use cases.
  1. API Authorization with OAuth
  2. F5 As OAuth Client and Resource Server
  3. OAuth Authorization Server
  4. SAML Identity Provider for Applications (includes catalog of templates for SaaS app configurations)
  5. SAML Service Provider (includes a catalog of Identity Provider Connector templates)
Additional use case categories will be implemented in later releases of Guided Configurations. Currently, configuration for the additional use case categories is available using the Access menus. Configuration steps for authentication, endpoint posture checks, and virtual servers are common to many of the configuration templates.

Guided Configurations are based on iAppLX technology, which is included with Access Policy Manager. Updates to Guided Configurations occur separately from BIG-IP upgrades, by installing use case packs, as detailed later.

Important: We recommend that you upgrade to the latest Guided Configuration use case pack when it is available. The latest use case pack will include additional templates, features, and fixes.

About Upgrading Guided Configuration

Guided Configuration is upgraded with Use Case Packs. Such packs contain the latest templates for identity providers and SAML applications. Use case packs are provided on F5 DevCentral.

Upgrading the use case pack from the BIG-IP user interface

Download the use case pack from DevCentral.
You can upgrade use case packs to get the latest guided configurations, and the latest templates for applications and IdP connectors.
  1. On the Main tab, click Access > Guided Configuration.
  2. On the top right of the page, click Upgrade Guided Configuration.
  3. Click Choose File and select the Use Case pack to upgrade.
  4. Click Upload and Install.

Upgrading the use case pack with the REST API

Download the use case pack from DevCentral.
You can upgrade use case packs using a REST API.
  1. Make a POST request to install the use case pack, as detailed in the table. For purposes of this example, the use case pack is f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz.
    Item            Description
    URI             https://<bigip_address>/mgmt/tm/access/bundle-install-tasks
    METHOD          POST
    Request Body    {"filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz"}
    Response Body
        {
          "filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-1-0.0.37.tar.gz",
          "toBeInstalledAppRpmsIndex": -1,
          "id": "49c61e18-46e4-4501-bc2d-a4833e93833c",
          "status": "CREATED",
          "userReference": { "link": "https://localhost/mgmt/shared/authz/users/admin" },
          "identityReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/admin" } ],
          "ownerMachineId": "3f365fd8-81f8-4312-b837-f0080119635a",
          "generation": 1,
          "lastUpdateMicros": 1510767727481955,
          "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
          "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/49c61e18-46e4-4501-bc2d-a4833e93833c"
        }
  2. Issue a GET command to check the use case pack installation, as detailed in the table. For purposes of this example, the use case pack is f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz.
    Item            Description
    URI             https://<bigip_address>/mgmt/tm/access/bundle-install-tasks
    METHOD          GET
    Request Body    {"filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz"}
    Response Body (displays the installation status of each use-case RPM)
        {
          "filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz",
          "frameworkRpmInfo": { "name": "f5-iappslx-access-framework-1.0.1-0.0.143.noarch.rpm", "status": "INSTALLED", "error": "" },
          "appRpmsInfo": [
            { "name": "f5-iappslx-access-oauth-auth-server-2.0.0-0.0.143.noarch.rpm", "status": "INSTALLED", "error": "" },
            { "name": "f5-iappslx-access-oauth-client-rs-2.0.0-0.0.143.noarch.rpm", "status": "INSTALLED", "error": "" },
            { "name": "f5-iappslx-access-saml-idp-1.1.0-0.0.143.noarch.rpm", "status": "INSTALLED", "error": "" },
            { "name": "f5-iappslx-access-saml-sp-1.0.0-0.0.143.noarch.rpm", "status": "INSTALLED", "error": "" }
          ],
          "toBeInstalledAppRpmsIndex": 4,
          "alreadyInstalledRpmsInfo": [],
          "step": "DONE",
          "manifestFileName": "pack-manifest.json",
          "manifest": {
            "description": "manifest of the AGC usecase pack",
            "usecasePackVersion": 2,
            "packages": [
              { "name": "f5-iappslx-access-framework", "version": "1.0.1", "minBigIpVersion": "13.1.0", "type": "framework" },
              { "name": "f5-iappslx-access-saml-idp", "version": "1.1.0", "minBigIpVersion": "13.1.0", "type": "usecase" },
              { "name": "f5-iappslx-access-oauth-auth-server", "version": "1.0.0", "minBigIpVersion": "13.1.0", "type": "usecase" },
              { "name": "f5-iappslx-access-oauth-client-rs", "version": "1.0.0", "minBigIpVersion": "13.1.0", "type": "usecase" }
            ]
          },
          "id": "49c61e18-46e4-4501-bc2d-a4833e93833c",
          "status": "FINISHED",
          "startTime": "2017-11-15T09:51:30.787-0800",
          "endTime": "2017-11-15T09:51:45.736-0800",
          "userReference": { "link": "https://localhost/mgmt/shared/authz/users/admin" },
          "identityReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/admin" } ],
          "ownerMachineId": "3f365fd8-81f8-4312-b837-f0080119635a",
          "generation": 17,
          "lastUpdateMicros": 1510768305736676,
          "kind": "tm:access:bundle-install-tasks:iappbundleinstalltaskstate",
          "selfLink": "https://localhost/mgmt/tm/access/bundle-install-tasks/49c61e18-46e4-4501-bc2d-a4833e93833c"
        }
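
The two REST steps above can be scripted so that an upgrade is only treated as successful when the task state says so. The following is an added example, not F5 code: it builds the step 1 POST and checks a step 2 response for the same pack, a finished task, and every RPM installed without error. The function names, the address bigip.example.net and the trimmed sample are assumptions made for illustration, and authentication is left out.

```python
import json
import urllib.request

TASKS_PATH = "/mgmt/tm/access/bundle-install-tasks"  # URI from the tables above
PACK = "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz"

def build_install_request(bigip_address, pack_path=PACK):
    """Build, without sending, the POST from step 1 (authentication omitted)."""
    return urllib.request.Request(
        f"https://{bigip_address}{TASKS_PATH}",
        data=json.dumps({"filePath": pack_path}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

def check_install_task(task, expected_path=PACK):
    """Return the problems found in a task state from step 2; [] means clean."""
    problems = []
    # The task must describe the pack that was actually submitted.
    if task.get("filePath") != expected_path:
        problems.append(f"task refers to {task.get('filePath')!r}, not the submitted pack")
    # Only the completed values shown on the page are accepted.
    if task.get("status") != "FINISHED" or task.get("step") != "DONE":
        problems.append(f"not complete: status={task.get('status')} step={task.get('step')}")
    # Framework RPM plus each use case RPM must be INSTALLED with no error text.
    rpms = [task.get("frameworkRpmInfo"), *task.get("appRpmsInfo", [])]
    for rpm in filter(None, rpms):
        if rpm.get("status") != "INSTALLED" or rpm.get("error"):
            problems.append(f"{rpm.get('name')}: status={rpm.get('status')} error={rpm.get('error')!r}")
    return problems

# Constructed sample: the page's FINISHED response trimmed to the checked fields.
SAMPLE_DONE = json.loads("""{
  "filePath": "/var/config/rest/downloads/f5-iappslx-agc-usecase-pack-2-0.0.143.tar.gz",
  "frameworkRpmInfo": {"name": "f5-iappslx-access-framework-1.0.1-0.0.143.noarch.rpm",
                       "status": "INSTALLED", "error": ""},
  "appRpmsInfo": [
    {"name": "f5-iappslx-access-saml-idp-1.1.0-0.0.143.noarch.rpm",
     "status": "INSTALLED", "error": ""}],
  "step": "DONE", "status": "FINISHED"}""")

if __name__ == "__main__":
    req = build_install_request("bigip.example.net")  # placeholder address
    print(req.get_method(), req.full_url, req.data.decode())
    print(check_install_task(SAMPLE_DONE) or "install verified")
```

Run against the step 1 response shown above, the check reports two problems: the task is still CREATED, and its filePath names a different pack than the one in the request body.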

Known issues with Guided Configuration

The following are known issues that affect Guided Configuration.

ID number Description
671037 Guided Configuration does not currently conform to FIPS and Common Criteria requirements. Guided Configuration takes authentication server credentials (username and password) from the Secure Vault on the BIG-IP and stores them in the insecure ILX Restricted Storage, which does not conform to the secure storage requirements of FIPS, Common Criteria, PCI, HIPAA, or other modern security certifications, due to lack of protection for the master key.
672538 On a system configured with Guided Configuration objects, loading the default config with the command tmsh load sys config default removes the BIG-IP configuration objects as expected, but the Guided Configuration objects remain. To remove the Guided Configuration objects, use the command clear-rest-storage. To keep the Guided Configuration objects, undeploy all Guided Configuration applications before you run tmsh load sys config default.
672791 When Guided Configuration is deployed in an HA environment, the Guided Configuration use case configurations (iApps) are not synced to the peer device. When HA is configured in Manual Sync Mode, use case configurations are not synced to the HA peer. As a workaround, to ensure that HA is correctly configured for Guided Configuration iApps to function as desired, configure your settings for HA as follows:
  • Open port 443 on any Self-IPs you are using for REST Config Sync.
  • When you set up HA using the Run Config sync/HA utility from the BIG-IP UI, make sure you select Allow Default on the port lockdown setting of the Config Sync Self IP (internal or HA). The default setting is Allow Default.
  • Enable auto-sync on the failover device-group.
  • Enable network failover on the failover device-group.
676785 When Manage Configuration is disabled in Guided Configuration on a deployed configuration, the associated policy changes to Apply Policy status, and is highlighted in yellow. As a workaround, use the BIG-IP UI to apply the policy.
677964 When a user returns to Guided Configuration after navigating to other BIG-IP menus, the page fails to render in Internet Explorer, as it stops running JavaScript. As a workaround:
  • Reload the page by refreshing the browser.
  • Close all Internet Explorer browser instances, restart the browser, and navigate to Guided Configurations again.
681485 Only Common partition objects are supported. When objects from any other partition are selected, deployment fails. Only select objects from the Common partition when creating a configuration.
682360 In Guided Configurations, an iAppLX and an iApp can overwrite each other if they use the same app name. As a workaround, do not use the same name for a Guided Configuration iApp and an iApp (v1.0) instance. The same name cannot be used for two application configurations.
683765 Even if the configuration is locked, a user can modify customization settings outside of Guided Configurations. However, the customization settings from Guided Configurations can be restored simply by redeploying the configuration.
685011 A user can view and access non-Guided Configuration configurations from the list page. Users should not edit or perform any other actions on instances on the Guided Configuration landing page that are not created by Guided Configuration.
685801, 687843 For the API Authorization with OAuth and F5 as OAuth Client and Resource Server Guided Configuration applications, attempting to re-deploy an already deployed application results in a configuration error. As a workaround, undeploy and re-deploy the application.

Fixed issues in Guided Configuration

The following are fixed issues in this version of Guided Configuration.

ID number Description
685629 On the BIG-IP, if there is no Self-IP that uses an internal VLAN, the device is not discovered and REST calls to the device fail. As a result, Guided Configuration deployment fails. As a workaround, define a Self IP and choose an internal VLAN.
688272 The Relay State URL parameter is a required parameter for an IdP-initiated SAML transaction to work with the GSuite SaaS app; however, the user interface does not indicate that this parameter is required. If this setting is not specified, only an SP-initiated SAML transaction works. As a workaround, provide the relay state URL in the format https://www.google.com/a/<your domain name>/ServiceLogin?continue=https://<service parameter>. The service parameter is based on the type of app service, for example mail.google.com.

Legal notices

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.