F5 BIG-IP APM LX v1.0

Introduction

TickStream.KeyID F5® BIG-IP® APM® LX is an iApp® template that allows you to provide 2nd factor authentication for F5 APM implementations. The template creates a set of iRules®, iRules® LX workspace and plugin, and an access policy for protecting a virtual server resource. Operations are completed using JavaScript / Node.js based iRules® LX.

System Requirements

Except for the TickStream.KeyID Server, all needed components are self contained in the iApp® template.

  • F5® BIG-IP® APM® version 13.0
  • TickStream.KeyID Server 1.9

F5® BIG-IP® APM® LX iApp® Template

  1. Download the TickStream.KeyID F5® BIG-IP® APM® LX iApp® template using the link provided to you.
  2. Log in to the administration console for your F5® BIG-IP® device.
  3. From the main menu, click iApps -> Templates.
  4. Click the Import button.
  5. Click the Browse button to locate the iApp template downloaded previously. If you are updating an existing template, check the Overwrite Existing Templates box.
  6. From the main menu, click iApps -> Application Services.
  7. Click the Create button.
  8. Specify a name for the particular iApp installation, i.e. myapp. From the template drop down, choose KeyID.
  9. In the iRules Workspace confguration section provide the following:

    Item Description
    Source Type Source of iRules workspace may be either a URL or file path.
    Source URL URL to the KeyID iRules workspace.
    File Path Linux file path to KeyID iRules workspace on the device i.e. /var/ilx/workspaces/Common/archive/KeyID-APM-LX-1.0.tgz
  10. In the Webservices configuration section provide the following information:

    Item Description
    URL The url to the KeyID web services operations page.
    Authentication Key The KeyID licensing key.
    Timeout Total operational timeout in milliseconds.
    Log verbosity A higher number will log more detailed information.
  11. In the Libraries configuration section provide the following information:

    Item Description
    jQuery URL Path to jquery-1.11.1.min.js.
    KeyID Library URL Path to KeyID javascript library.
  12. In the KeyID configuration section, you may adjust the defaults as necessary:

    Item Description
    Enable passive validation Users will be always be granted access.
    Enable passive enrollment Profiles will be built silently on each successful login.
    Enable custom threshold Specify minimum fidelity and confidence level for granting access.
    Threshold minimum fidelity Minimum fidelity level for allowing access. Specified as a double, i.e. 70.0.
    Threshold minimum confidence Minimum confidence level for allowing access. Specified as a double, i.e. 50.0.
    Input to verify Choose either the username or password field for KeyID verification.
    Obfuscate password If set to true (recommended) remove password characters on the client before submitting typing behavior.
  13. In the APM Profile configuration section, choose a profile type:

    Item Description
    Profile type Create a new APM profile or add to an existing one. A new profile requires that an APM authentication method be preconfigured. An existing policy must contain a logon page policy object.
    Authentication Type Choose an APM authentication type, i.e. HTTP auth.
    Instance Select an existing authentication instance.
    Logon page to protect Logon page policy object to protect.
    Profile to add KeyID macros to APM profile that contains logon page policy object to protect.
    Logon page input for KeyID Choose an unused logon page input for submitting KeyID data.
  14. Click the Finished button to create the application.

  15. Apply the access policy that was created by the template.
  16. From the main menu, click Local Traffic -> Virtual Servers
  17. Click on an existing virtual server resource that you would like to protect with the KeyID access profile.
  18. From the properties page, change the Access Profile setting to match the one created by the KeyID template, i.e. KeyID-APM-myapp. The access profile will require that an HTTP profile and Client SSL profile are selected. Click the Update button.
  19. From the resource page, click the Manage button in the iRules® section.
  20. Add the following iRules® to the Enabled selection list:
    /Common/KeyIDLx-myapp/KeyID

  21. Click the Finished button.

  22. Using a web browser, visit your virtual server address which should now present an access policy login page.

Logging

The KeyID F5® BIG-IP® APM® iApp® template writes logging information to the BIG-IP® local traffic manager log. The verbosity of the logs can be changed by reconfiguring the corresponding iApp template setting. Each log entry is prefaced by the APM® session ID that generated it. The KeyID web services can also be configured to log authentication information to the KeyID database.

Reports

The KeyID F5® BIG-IP® APM® iApp® stores helpful information in session variables that are logged in APM® reports. Additional reporting metrics can be harvested from the KeyID database.

F5® BIG-IP® APM® SSL VPNs

TickStream.KeyID has also been tested with F5® BIG-IP® APM® deployed as an SSL VPN and are protected with an F5® BIG-IP® APM® access policy. Users must enter their credentials using the forms authentication login page. No other special configuration is necessary other than assigning the access policy to the F5® BIG-IP® APM® profile.

Uninstallation

To remove the KeyID F5® BIG-IP® APM® iApp® template you must first remove any assigned APM macros using the visual policy editor. You must also delete the macro policy objects using the editor. You can then delete the iApp instance, iRules® LX workspace and plugin using the web control panel or TMSH®.

Common Issues

Your BIG-IP® must have proper network routing configured for KeyID webservice traffic to pass successfully.

The URL for KeyID webservices must be resolvable by DNS or a local hosts entry.

JavaScript is required for client computers to be able to login to APM® with the KeyID iApp enabled.