F5 BIG-IP APM v2.0
Introduction
TickStream.KeyID F5® BIG-IP® APM® is an iApp® template that allows you to provide 2nd factor authentication for F5 APM implementations. The template creates a set of iRules® and an access policy for protecting a virtual server resource. All operations are completed using traditional TCL based iRules®. This version will be deprecated in favor of the a new iRules® LX® version.
System Requirements
Except for the TickStream.KeyID Server, all needed components are self contained in the iApp® template.
- F5® BIG-IP® APM® version 11.5 and newer
- TickStream.KeyID Server 1.9
F5® BIG-IP® APM® iApp® Template
- Download the TickStream.KeyID F5® BIG-IP® APM® iApp® template using the link provided to you.
- Log in to the administration console for your F5® BIG-IP® device.
- From the main menu, click iApps -> Templates.
- Click the Import button.
- Click the Browse button to locate the iApp template downloaded previously. If you are updating an existing template, check the Overwrite Existing Templates box.
- From the main menu, click iApps -> Application Services.
- Click the Create button.
- Specify a name for the particular iApp installation, i.e.
myapp
. From the template drop down, choose KeyID. -
In the Webservices configuration section provide the following information:
Item Description URL The url to the KeyID web services operations page. Authentication Key The KeyID licensing key. Name Server You must provide the IP address of a name server, or a virtual server configured for name services, i.e. 192.168.1.10
or/common/namesrvr-vs
. -
In the Authentication configuration section provide the following information:
Item Description Authentication Type Choose an authentication type for constructing the F5® BIG-IP® APM® access policy. Instance Enter the path to an appropriate AAA server, i.e. /Common/localdb
. -
In the KeyID configuration section, you may adjust the defaults as necessary:
Item Description Enable passive validation Users will be always be granted access. Enable passive enrollment Profiles will be built silently on each successful login. Minimum cohesion Profiles will continue enrollment until this percentage is met, or the maximum is exceeded. Specified as a double, i.e. 70.0
.Minimum efforts Minimum number of efforts to enroll. Specified as an integer, i.e. 10
.Maximum efforts Maximum number of efforts to enroll. Specified as an integer, i.e. 15
.Enable custom threshold Set a custom threshold for allowing access. Minimum fidelity Minimum fidelity level for allowing access. Specified as a double, i.e. 70.0
.Minimum confidence Minimum confidence level for allowing access. Specified as a double, i.e. 50.0
. -
Click the Finished button to create the application.
- Apply the access policy that was created by the template.
- From the main menu, click Local Traffic -> Virtual Servers
- Click on an existing virtual server resource that you would like to protect with the KeyID access profile.
- From the properties page, change the Access Profile setting to match the one created by the KeyID template, i.e.
KeyID-myapp
. The access profile will require that an HTTP profile and Client SSL profile are selected. Click the Update button. - From the resource page, click the Manage button in the iRules® section.
- Add the following iRules® to the Enabled selection list:
/Common/myapp.app/KeyID
/Common/myapp.app/KeyID-AddSession
/Common/myapp.app/KeyID-Lib
/Common/myapp.app/KeyID-RemoveProfile
- Click the Finished button.
- Using a web browser, visit your virtual server address which should now present an access policy login page.
Logging
The KeyID F5® BIG-IP® APM® iApp® template writes logging information to the BIG-IP® local traffic manager log. The verbosity of the logs can be changed by reconfiguring the corresponding iApp template setting. Each log entry is prefaced by the APM® session ID that generated it. The KeyID web services can also be configured to log authentication information to the KeyID database.
Reports
The KeyID F5® BIG-IP® APM® iApp® stores helpful information in session variables that are logged in APM® reports. Additional reporting metrics can be harvested from the KeyID database.
F5® BIG-IP® APM® SSL VPNs
TickStream.KeyID has also been tested with F5® BIG-IP® APM® deployed as an SSL VPN and are protected with an F5® BIG-IP® APM® access policy. Users must enter their credentials using the forms authentication login page. No other special configuration is necessary other than assigning the access policy to the F5® BIG-IP® APM® profile.