F5 BIG-IP APM LX v1.0
Introduction
TickStream.KeyID F5® BIG-IP® APM® LX is an iApp® template that allows you to provide 2nd factor authentication for F5 APM implementations. The template creates a set of iRules®, iRules® LX workspace and plugin, and an access policy for protecting a virtual server resource. Operations are completed using JavaScript / Node.js based iRules® LX.
System Requirements
Except for the TickStream.KeyID Server, all needed components are self contained in the iApp® template.
- F5® BIG-IP® APM® version 13.0
- TickStream.KeyID Server 1.9
F5® BIG-IP® APM® LX iApp® Template
- Download the TickStream.KeyID F5® BIG-IP® APM® LX iApp® template using the link provided to you.
- Log in to the administration console for your F5® BIG-IP® device.
- From the main menu, click iApps -> Templates.
- Click the Import button.
- Click the Browse button to locate the iApp template downloaded previously. If you are updating an existing template, check the Overwrite Existing Templates box.
- From the main menu, click iApps -> Application Services.
- Click the Create button.
- Specify a name for the particular iApp installation, i.e.
myapp
. From the template drop down, choose KeyID. -
In the iRules Workspace confguration section provide the following:
Item Description Source Type Source of iRules workspace may be either a URL or file path. Source URL URL to the KeyID iRules workspace. File Path Linux file path to KeyID iRules workspace on the device i.e. /var/ilx/workspaces/Common/archive/KeyID-APM-LX-1.0.tgz -
In the Webservices configuration section provide the following information:
Item Description URL The url to the KeyID web services operations page. Authentication Key The KeyID licensing key. Timeout Total operational timeout in milliseconds. Log verbosity A higher number will log more detailed information. -
In the Libraries configuration section provide the following information:
Item Description jQuery URL Path to jquery-1.11.1.min.js. KeyID Library URL Path to KeyID javascript library. -
In the KeyID configuration section, you may adjust the defaults as necessary:
Item Description Enable passive validation Users will be always be granted access. Enable passive enrollment Profiles will be built silently on each successful login. Enable custom threshold Specify minimum fidelity and confidence level for granting access. Threshold minimum fidelity Minimum fidelity level for allowing access. Specified as a double, i.e. 70.0
.Threshold minimum confidence Minimum confidence level for allowing access. Specified as a double, i.e. 50.0
.Input to verify Choose either the username or password field for KeyID verification. Obfuscate password If set to true (recommended) remove password characters on the client before submitting typing behavior. -
In the APM Profile configuration section, choose a profile type:
Item Description Profile type Create a new APM profile or add to an existing one. A new profile requires that an APM authentication method be preconfigured. An existing policy must contain a logon page policy object. Authentication Type Choose an APM authentication type, i.e. HTTP auth. Instance Select an existing authentication instance. Logon page to protect Logon page policy object to protect. Profile to add KeyID macros to APM profile that contains logon page policy object to protect. Logon page input for KeyID Choose an unused logon page input for submitting KeyID data. -
Click the Finished button to create the application.
- Apply the access policy that was created by the template.
- From the main menu, click Local Traffic -> Virtual Servers
- Click on an existing virtual server resource that you would like to protect with the KeyID access profile.
- From the properties page, change the Access Profile setting to match the one created by the KeyID template, i.e.
KeyID-APM-myapp
. The access profile will require that an HTTP profile and Client SSL profile are selected. Click the Update button. - From the resource page, click the Manage button in the iRules® section.
-
Add the following iRules® to the Enabled selection list:
/Common/KeyIDLx-myapp/KeyID
-
Click the Finished button.
- Using a web browser, visit your virtual server address which should now present an access policy login page.
Logging
The KeyID F5® BIG-IP® APM® iApp® template writes logging information to the BIG-IP® local traffic manager log. The verbosity of the logs can be changed by reconfiguring the corresponding iApp template setting. Each log entry is prefaced by the APM® session ID that generated it. The KeyID web services can also be configured to log authentication information to the KeyID database.
Reports
The KeyID F5® BIG-IP® APM® iApp® stores helpful information in session variables that are logged in APM® reports. Additional reporting metrics can be harvested from the KeyID database.
F5® BIG-IP® APM® SSL VPNs
TickStream.KeyID has also been tested with F5® BIG-IP® APM® deployed as an SSL VPN and are protected with an F5® BIG-IP® APM® access policy. Users must enter their credentials using the forms authentication login page. No other special configuration is necessary other than assigning the access policy to the F5® BIG-IP® APM® profile.
Uninstallation
To remove the KeyID F5® BIG-IP® APM® iApp® template you must first remove any assigned APM macros using the visual policy editor. You must also delete the macro policy objects using the editor. You can then delete the iApp instance, iRules® LX workspace and plugin using the web control panel or TMSH®.
Common Issues
Your BIG-IP® must have proper network routing configured for KeyID webservice traffic to pass successfully.
The URL for KeyID webservices must be resolvable by DNS or a local hosts entry.
JavaScript is required for client computers to be able to login to APM® with the KeyID iApp enabled.