Introduction

TickStream.KeyID F5® BIG-IP® APM® is an iApp® template that allows you to provide 2nd factor authentication for F5 APM implementations. The template creates a set of iRules®, hosted content, and an access policy for protecting a virtual server resource.

System Requirements

Except for the TickStream.KeyID Server, all needed components are self contained in the iApp® template.

  • F5 BIG-IP APM version 11.5 and newer
  • TickStream.KeyID Server 1.9

F5 iApp Template

  1. Download the TickStream.KeyID F5 BIG-IP APM iApp template using the link provided to you.
  2. Log in to the administration console for your F5 BigIP device.
  3. From the main menu, click iApps -> Templates.
  4. Click the Import button.
  5. Click the Browse button to locate the iApp template downloaded previously. If you are updating an existing template, check the Overwrite Existing Templates box.
  6. From the main menu, click iApps -> Application Services.
  7. Click the Create button.
  8. Specify a name for the particular iApp installation, i.e. myapp. From the template drop down, choose KeyID.
  9. In the Webservices configuration section provide the following information:

    Item Description
    URL The url to the KeyID web services operations page.
    Authentication Key The KeyID licensing key.
    Name Server You must provide the IP address of a name server, or a virtual server configured for name services, i.e. 192.168.1.10 or /common/namesrvr-vs.
  10. In the Authentication configuration section provide the following information:

    Item Description
    Authentication Type Choose an authentication type for constructing the F5 BIG-IP APM access policy.
    Instance Enter the path to an appropriate AAA server, i.e. /Common/localdb.
  11. In the KeyID configuration section, you may adjust the defaults as necessary:

    Item Description
    Enable passive validation Users will be always be granted access.
    Enable passive enrollment Profiles will be built silently on each successful login.
    Minimum cohesion Profiles will continue enrollment until this percentage is met, or the maximum is exceeded. Specified as a double, i.e. 70.0.
    Minimum efforts Minimum number of efforts to enroll. Specified as an integer, i.e. 10.
    Maximum efforts Maximum number of efforts to enroll. Specified as an integer, i.e. 15.
    Enable custom threshold Set a custom threshold for allowing access.
    Minimum fidelity Minimum fidelity level for allowing access. Specified as a double, i.e. 70.0.
    Minimum confidence Minimum confidence level for allowing access. Specified as a double, i.e. 50.0.
  12. Click the Finished button to create the application.

  13. Apply the access policy that was created by the template.
  14. From the main menu, click Local Traffic -> Virtual Servers
  15. Click on an existing virtual server resource that you would like to protect with the KeyID access profile.
  16. From the properties page, change the Access Profile setting to match the one created by the KeyID template, i.e. KeyID-myapp. The access profile will require that an HTTP profile and Client SSL profile are selected. Click the Update button.
  17. From the resource page, click the Manage button in the iRules section.
  18. Add the following iRules to the Enabled selection list:
    /Common/myapp.app/KeyID
    /Common/myapp.app/KeyID-AddSession
    /Common/myapp.app/KeyID-Lib
    /Common/myapp.app/KeyID-RemoveProfile
  19. Click the Finished button.
  20. Using a web browser, visit your virtual server address which should now present an access policy login page.

Logging

The KeyID F5 BIG-IP APM writes logging information to the BigIP local traffic manager log. The verbosity of the logs can be changed by reconfiguring the corresponding iApp template setting. Each log entry is prefaced by the APM session ID that generated it. The KeyID web services can also be configured to log authentication information to the KeyID database.

Reports

The KeyID F5 BIG-IP APM iApp stores helpful information in session variables that are logged in APM reports. Additional reporting metrics can be harvested from the KeyID database.

F5 BIG-IP APM SSL VPNs

TickStream.KeyID has also been tested with F5 BIG-IP APM deployed as an SSL VPN and are protected with an F5 BIG-IP APM access policy. Users must enter their credentials using the forms authentication login page. No other special configuration is necessary other than assigning the access policy to the F5 BIG-IP APM profile.