Manual Chapter: Setting up Application Connector

About setting up Application Connector Service Center

The Application Connector Service Center is an iApps® LX Template that you install on your BIG-IP® system and configure to authorize communication with the Proxy.

Prerequisites for setting up Application Connector Service Center

Before you set up the Application Connector Service Center, make sure that your BIG-IP® system meets these requirements:

  • BIG-IP software version 13.0 or later is installed and configured
  • Under System > Resource Provisioning, provision these modules, at a minimum: Local Traffic (LTM®) and iRules® Language Extensions (iRules LX).

For information about setting up the basic BIG-IP configuration on a new system, see BIG-IP System: Initial Configuration. For additional information about setting up BIG-IP systems, see the LTM Knowledge Center (support.f5.com/csp/knowledge-center/software/BIG-IP?module=BIG-IP%20LTM) or the Cloud Knowledge Centers (support.f5.com/csp/knowledge-center/cloud).

Task summary

The implementation process involves installation of the Application Connector Service Center.

Task list

Download the Application Connector Service Center iApps LX package

Before you can install the Application Connector Service Center iApps® LX template, you need to download the iApps LX package from downloads.f5.com.
  1. Log in to downloads.f5.com and click Find a Download.
  2. Select the F5 Application Connector Product Line.
  3. Select the product version.
  4. Select F5_Application_Connector_Service_Center.
  5. Read the End User Software License and click I Accept if you agree with the terms.
  6. Click the file name.
  7. Click the closest download location to you and save the RPM and MD5 files to your management workstation.
  8. Verify the integrity of the downloaded file, where <file_name>.md5 is the name of the .md5 file you downloaded:
    md5sum -c <file_name>.md5
    The command reports OK when the RPM's digest matches the one recorded in the .md5 file. Because the .md5 file is served from the same site as the RPM, this check detects a corrupted or truncated transfer rather than a substituted package; the authenticated HTTPS session with downloads.f5.com is what vouches for the origin.

Install the Application Connector Service Center iApp

Before you can install the Application Connector Service Center iApps® LX template, you need to download the iApps LX package from downloads.f5.com.
To access Application Connector Service Center, you install the iApps® Template onto your F5® system.
  1. Connect to your F5® system using the serial console or by opening an SSH session.
  2. Enable iApps Package Management LX on your BIG-IP system.
    touch /var/config/rest/iapps/enable
  3. From your management workstation, access the BIG-IP system by logging in to the BIG-IP Configuration utility with your user credentials.
  4. On the Main tab, click iApps > Package Management LX .
    Note: If you do not see this menu, you might need to reboot your device.
  5. Click Import.
    The iApps screen opens.
  6. For the File Name setting, click Browse.
  7. Locate the RPM file on your management workstation and click Open.
  8. Click Upload.
  9. On the Main tab, click iApps > Package Management LX and verify that the RPM is listed.
    If your F5 system is part of a device group with sync configured, the RPM copies automatically to the other devices.
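The download check and the Import step above can be scripted. The following is an added example and not part of the F5 documentation or the product: it verifies the RPM against its .md5 file and then uploads and installs it through the BIG-IP iControl REST package-management endpoints instead of the iApps > Package Management LX screen. The endpoints /mgmt/shared/file-transfer/uploads and /mgmt/shared/iapp/package-management-tasks are the standard iApps LX package endpoints and are not described in this chapter; the variables BIGIP_HOST, BIGIP_CREDS (user:password) and BIGIP_CA (a PEM copy of the management certificate), and the assumption that the .md5 file is named after the RPM, are the example's own. Step 2 of the procedure (touch /var/config/rest/iapps/enable) still applies.

```shell
#!/bin/sh
# Added example, not from the F5 documentation: verify the Service Center RPM
# against its .md5 file, then upload and install it over iControl REST.
# Assumed: BIGIP_HOST, BIGIP_CREDS, BIGIP_CA are set; the .md5 file is <rpm>.md5.

# md5_of FILE -- hex MD5 digest of FILE, using md5sum or, failing that, openssl
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_checksum RPM MD5FILE -- returns 0 only when the digests match.
# Unlike a bare "md5sum -c", this ignores the file name recorded inside the
# .md5 file, so a download you renamed still verifies. A match shows the RPM
# survived transfer intact; it does not prove who published it, because the
# .md5 file comes from the same site and MD5 is collision-weak.
verify_checksum() {
    rpm="$1"; md5file="$2"
    [ -f "$rpm" ] && [ -f "$md5file" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$md5file")
    actual=$(md5_of "$rpm")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# json_field KEY -- extracts a string field from the compact JSON on stdin
json_field() {
    sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# bigip_curl ARGS... -- pins the management certificate with --cacert instead
# of disabling verification with -k
bigip_curl() {
    curl -sS --fail --cacert "$BIGIP_CA" -u "$BIGIP_CREDS" "$@"
}

# upload_rpm RPM -- single-chunk upload; the file lands in /var/config/rest/downloads
upload_rpm() {
    rpm="$1"; name=$(basename "$rpm")
    len=$(wc -c < "$rpm" | tr -d ' ')
    bigip_curl "https://$BIGIP_HOST/mgmt/shared/file-transfer/uploads/$name" \
        -H 'Content-Type: application/octet-stream' \
        -H "Content-Range: 0-$((len - 1))/$len" \
        --data-binary "@$rpm" > /dev/null
}

# install_rpm NAME -- starts an INSTALL task and prints the task id
install_rpm() {
    bigip_curl "https://$BIGIP_HOST/mgmt/shared/iapp/package-management-tasks" \
        -H 'Content-Type: application/json' \
        -d "{\"operation\":\"INSTALL\",\"packageFilePath\":\"/var/config/rest/downloads/$1\"}" \
    | json_field id
}

# wait_for_task ID -- polls the task until it reports FINISHED (0) or FAILED (1)
wait_for_task() {
    n=0
    while [ "$n" -lt 30 ]; do
        status=$(bigip_curl "https://$BIGIP_HOST/mgmt/shared/iapp/package-management-tasks/$1" | json_field status)
        case "$status" in
            FINISHED) return 0 ;;
            FAILED)   return 1 ;;
        esac
        n=$((n + 1)); sleep 2
    done
    return 1
}

# Usage: BIGIP_HOST=... BIGIP_CREDS=admin:... BIGIP_CA=mgmt-ca.pem ./install-sc.sh <file_name>.rpm
if [ $# -eq 1 ]; then
    verify_checksum "$1" "$1.md5" || { echo "checksum mismatch, refusing to upload $1" >&2; exit 1; }
    upload_rpm "$1"
    task=$(install_rpm "$(basename "$1")")
    wait_for_task "$task" && echo "installed $(basename "$1")"
fi
```

The script refuses to upload anything whose digest does not match, and it polls the install task rather than assuming the POST succeeded, which is the same confirmation step 9 above performs by eye. As with the Import screen, an RPM installed this way is copied to the other members of a synced device group.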

Create a custom Client SSL profile

Before you create a custom Client SSL profile, you must have already built the cipher group or cipher string that you want the BIG-IP® system to use to negotiate client-side SSL connections.
You can create a custom Client SSL profile when you want the BIG-IP system to terminate client-side SSL traffic for the purpose of decrypting client-side ingress traffic and encrypting client-side egress traffic. By terminating client-side SSL traffic, the BIG-IP system offloads these decryption/encryption functions from the destination server. When you perform this task, you can specify multiple certificate key chains, one for each key type (RSA, DSA, and ECDSA). This enables the BIG-IP system to negotiate secure client connections using different cipher suites based on the client's preference.
Note: At a minimum, you must specify a certificate key chain that includes an RSA key pair. Specifying certificate key chains for DSA and ECDSA key pairs is optional, although highly recommended.
  1. On the Main tab, click Local Traffic > Profiles > SSL > Client .
    The Client SSL profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select clientssl.
  5. Select the Custom check box.
    The settings become available for change.
  6. For the Certificate Key Chain setting, click Add.
    1. From the Certificate list, select a certificate name.
      This is the name of a certificate that you installed on the BIG-IP® system. If you have not generated a certificate request nor installed a certificate on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing certificate named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default certificate name, and ensure that this same certificate name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    2. From the Key list, select the name of the key associated with the certificate specified in the previous step.
      This is the name of a key that you installed on the BIG-IP® system. If you have not installed a key on the BIG-IP system, and the BIG-IP system is not part of a device service clustering (DSC) configuration, you can specify the name of the existing key named default.
      Important: If the BIG-IP system is part of a DSC Sync-Failover group, always select a non-default key name, and ensure that this same key name is specified in every instance of this SSL profile in the device group. Taking these actions helps to ensure that SSL handshakes are successful after a failover event.
    3. From the Chain list, select the chain that you want to include in the certificate key chain.
      A certificate chain can contain either a series of public key certificates in Privacy Enhanced Mail (PEM) format or a series of one or more PEM files. A certificate chain can contain certificates for intermediate Certificate Authorities (CAs).
      Note: The default self-signed certificate and the default CA bundle certificate are not appropriate for use as a certificate chain.
    4. For the Passphrase field, type a string that enables access to SSL certificate/key pairs that are stored on the BIG-IP system with password protection.
      This setting is optional. For added security, the BIG-IP system automatically encrypts the pass phrase itself. This pass phrase encryption process is invisible to BIG-IP® system administrative users.
    5. Click Add.
  7. Click Add and repeat the process for all certificate key chains that you want to specify. At a minimum, you must specify an RSA certificate key chain.
    Sample configuration with three key types specified

    The result is that all specified key chains appear in the text box.
  8. For the Ciphers setting, specify a cipher group or cipher string by choosing one of these options.
    Note: If you specified an ECDSA certificate key chain in the Certificate Key Chain setting, you must include the cipher string ECDHE_ECDSA in the cipher group or cipher string that you specify in the Ciphers setting. (At a minimum, you should specify a cipher group or string such as DEFAULT:ECDHE_ECDSA.) This is necessary to ensure successful cipher negotiation when the BIG-IP system is offered an ECDSA-based certificate only.
    Cipher Group: Select an existing cipher group from the list when you want to use a system-defined or custom cipher group to define the ciphers that the BIG-IP system uses for negotiating SSL connections. Here's an example of the Ciphers setting where we've selected a custom cipher group that we created earlier.

    Cipher String: Type a cipher string in the box if you want to manually specify a cipher string instead of selecting a cipher group. For security and performance reasons, consider following these recommendations:

    • Always append ciphers to the DEFAULT cipher string rather than replacing it.
    • Include the ECC key types (ECDHE key exchange and, where you have an ECDSA key chain, ECDSA authentication): their shorter keys speed up the handshake while offering comparable security.
    • Disable anonymous DH (ADH) ciphers and also include the keyword HIGH. To do this, include both !ADH and :HIGH in your cipher string. ADH suites perform no server authentication, so a client that accepts one can be intercepted by anyone on the path.
    • For AES, DES, and RC4 encryption types, make sure you specify the DHE (or ECDHE) key exchange method. DHE provides forward secrecy: each session negotiates a fresh key that is discarded afterwards, so the same session key is never used twice and a later compromise of the server's private key does not expose recorded sessions. When you use DHE, make sure that the SSL private key isn't being shared with a monitoring system or a security device like an intrusion detection or prevention system, because such devices can no longer decrypt the traffic with that key alone. For the same reason, diagnostic tools like ssldump won't work when you're using forward secrecy. Note that DES and RC4 are themselves deprecated; unless a legacy client requires them, exclude them (for example, with !RC4).
    • Disable EXPORT ciphers by including !EXPORT in the cipher string.
    • If you can live with removing support for the SSLv3 protocol version, do it. This protocol version is not secure. Simply include :!SSLv3 in any cipher string you type.

    Here's an example of the Ciphers setting where we have opted to manually type the cipher string DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH. This example does not include :!SSLv3; append it if you are dropping SSLv3 as recommended above.

  9. Configure all other profile settings as needed.
  10. Click Finished.
After performing this task, you can see the custom Client SSL profile in the list of Client SSL profiles on the system.
You must also assign the profile to a virtual server.
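The cipher recommendations above can be checked before and after the profile is applied. The following is an added example, not F5 documentation or product code. check_cipher_string is a textual check for the keywords the chapter says to include or exclude (plus !RC4, which goes beyond the chapter: RC4 is prohibited by RFC 7465); it does not know how BIG-IP expands the keywords. The other two functions rest on tooling the chapter does not mention: the tmm --clientciphers option, run on the BIG-IP itself, prints the suites a cipher string expands to, and openssl s_client, run from a client, shows what the virtual server actually negotiates.

```shell
#!/bin/sh
# Added example, not from the F5 documentation: checks for a Client SSL
# profile's cipher string. The tmm and openssl invocations are assumptions
# about tooling outside this chapter.

# check_cipher_string STRING [ecdsa] -- prints one line per missing
# recommendation and returns 0 if none is missing. Pass "ecdsa" when the
# profile carries an ECDSA certificate key chain.
check_cipher_string() {
    cs=":$1:"; problems=0
    case "$cs" in :DEFAULT:*)  ;; *) echo "does not start with DEFAULT"; problems=1 ;; esac
    case "$cs" in *:!ADH:*)    ;; *) echo "anonymous DH still allowed: add !ADH"; problems=1 ;; esac
    case "$cs" in *:HIGH:*)    ;; *) echo "HIGH keyword missing"; problems=1 ;; esac
    case "$cs" in *:!EXPORT:*) ;; *) echo "EXPORT ciphers still allowed: add !EXPORT"; problems=1 ;; esac
    case "$cs" in *:!SSLv3:*)  ;; *) echo "SSLv3 still enabled: add !SSLv3"; problems=1 ;; esac
    case "$cs" in *:!RC4:*)    ;; *) echo "RC4 still allowed: add !RC4"; problems=1 ;; esac
    if [ "${2:-}" = ecdsa ]; then
        case "$cs" in
            *ECDHE_ECDSA*|*ECDHE-ECDSA*) ;;
            *) echo "ECDSA key chain configured but ECDHE_ECDSA is not in the string"; problems=1 ;;
        esac
    fi
    return $problems
}

# expand_on_bigip STRING -- run on the BIG-IP: the suites this string enables,
# which is the authoritative answer to "is RC4 / ADH / EXPORT really gone"
expand_on_bigip() {
    tmm --clientciphers "$1"
}

# probe_virtual HOST -- run from a client: the virtual server must pick a
# forward-secret suite and must refuse an anonymous (unauthenticated) one
probe_virtual() {
    host="$1"
    negotiated=$(printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$negotiated" in
        ECDHE-*|DHE-*|TLS_*) ;;   # ECDHE/DHE suites, and TLS 1.3 names, are forward secret
        *) echo "$host negotiated '$negotiated', which is not forward secret" >&2; return 1 ;;
    esac
    # Offer only anonymous suites; a correctly configured profile fails this handshake.
    if printf '' | openssl s_client -connect "$host:443" -tls1_2 -cipher aNULL 2>/dev/null \
        | grep -Eq 'Cipher is (ADH|AECDH)'; then
        echo "$host accepted an anonymous cipher: !ADH is missing" >&2; return 1
    fi
    echo "$host negotiated $negotiated and refused anonymous suites"
}
```

Running check_cipher_string against the chapter's own example string, DEFAULT:ECDHE-RSA-AES-128-GCM-SHA256:!ADH:!EXPORT:HIGH, reports the missing !SSLv3 and !RC4; the same string with :!SSLv3:!RC4 appended passes. Use expand_on_bigip for the list BIG-IP really enables, since DEFAULT already covers more than the text of the string shows, and probe_virtual after the profile is attached to the virtual server in the next task.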

Create a virtual server to manage traffic from the Application Connector Proxy

If you want to use cookie persistence on your application virtual server, you should configure a cookie persistence profile before creating the virtual server.
Important: If you choose to add the persistence profile after you have already created the virtual server, you need to manually add the client_cookie_persistence.tcl iRule to the virtual server.
You can create a virtual server to manage traffic from Application Connector Proxy.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
    Use a name that helps you remember the purpose of this virtual server, such as application_connector_virtual.
  4. In the Destination Address field, type the IP address that the Application Connector Proxy connects to in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Note: You must ensure reachability of the specified address and port from the deployment location of the Application Connector Proxy.
  5. In the Service Port field, type 443 or select HTTPS from the list.
  6. For the SSL Profile (Client) setting, from the Available list, select the name of the Client SSL profile you previously created and move the name to the Selected list.
  7. From the Source Address Translation list, select Auto Map.
  8. Optional: If you would like to use cookie persistence on this virtual server, from the Default Persistence Profile list, select a previously configured cookie persistence profile.
  9. Click Finished.

Configure Application Connector Service Center

After you have installed the Application Connector Service Center iApps LX Template, you can configure it.
  1. Log in to the BIG-IP Configuration utility.
  2. On the Main tab, click iApps > Application Services > Applications LX .
  3. Click Create.
    The New Application Service screen opens.
  4. Leave the Name setting blank.
  5. From the Template list, select the template that you installed to your system.
  6. Enter your BIG-IP system credentials when prompted.
    The Application Connector Service Center screen opens.
  7. Create a Service Center using the template by scrolling down to the bottom of the page and typing a name in the App Name field.
  8. Click Save.
    The Application Service List displays. Your application name should be listed with a grey circle in the Status column, indicating that it is not yet deployed.
  9. Select the application you created and click Deploy.
    The circle in the Status column should change to green, indicating that it is now successfully deployed.
  10. Click the application name to open the Application Connector Service Center.
  11. Click the Config tab to open additional configuration menu options.
  12. Click the App Virtual Server tab.
    A list of virtual servers displays.
  13. Select one or more virtual servers to be used to pass application traffic.
  14. Click Save.
  15. Click Yes when you are prompted to save the virtual server.
  16. Click the Proxy Virtual Server tab.
    A list of configured virtual servers displays.
  17. Select the previously configured virtual server to which you want the Application Connector Proxy to connect.
  18. Click Save.
  19. Click Yes when you are prompted to create a new virtual server.
Your Application Connector Service Center is now running.

About setting up Application Connector Proxy

The Application Connector Proxy is a Node.js application running in a Docker container, which you install on a host running Docker. A single Proxy can connect to one or more Service Centers.

Prerequisites for setting up the Application Connector Proxy

Before you can set up the Application Connector Proxy, make sure that:

  • You have a running Linux instance in a virtual private cloud (VPC) in your cloud environment. For information about using Amazon EC2, see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html.
  • You have a public IP address for your instance.
  • You have a private key pair for accessing your instance.
  • You have Docker installed and running on your Linux instance.
  • Your security group is configured to allow inbound traffic on these ports, at a minimum: 22 (SSH), 80, and 8090 (the Proxy management interface). Restrict the source ranges for 22 and 8090 to your administrative addresses; the Proxy initiates the connection to the Service Center's virtual server itself, so the BIG-IP system does not need inbound access to these ports.

Task summary

The implementation process involves installation of the Application Connector Proxy.

Task list

Create your AWS credentials file

If you want to use the node auto discovery feature for Amazon Web Services (AWS), your Application Connector Proxy installation requires an aws_config.json file, which contains the credentials to sign HTTP requests to AWS. The node auto discovery feature uses these credentials to access AWS cloud resources, and populate the data in the Proxy.
Note: AWS recommends that you create credentials on a per IAM user basis, and discourages creating root account access keys.
  1. In the AWS Management Console, from the Services menu at the top of the screen, select IAM.
  2. In the Navigation pane, click Groups.
  3. Click Create New Group.
  4. Type a group name.
  5. Click Next Step.
  6. Select the appropriate policy.
    For security purposes, F5® recommends that you attach the AmazonEC2ReadOnlyAccess policy.
  7. Click Next Step.
  8. Click Create Group.
  9. Click Users and then click Add user.
  10. Complete the User name and Access type fields.
  11. Click Next: Permissions.
  12. Choose a group, or create another new group to give service level access.
  13. Click Next: Review.
  14. After reviewing the information, click Create user.
  15. Select Generate an access key for each user and then click Create.
  16. Click Download .csv.
    This downloads an access key ID and a secret access key pair to your workstation as credentials.csv.
    Important: AWS enables you to download these credentials only once, so be sure to keep track of where they are stored. Treat the file as a secret: it grants whatever the attached policy allows, so keep it out of shared or synced folders and delete it once aws_config.json is in place.
  17. Create a new text file named aws_config.json that contains this information, but replace the values with those from the credentials.csv file that you downloaded:
    {  
       "accessKeyId":"666666FFFFFFFFFFFFFFFFFFFFSFDDSFDSFDSFDSF",
       "secretAccessKey":"ABCDEEEEEEEEEEEEEEEEEEEEEEEEEEEE",
       "region":"us-west-2"
    }
  18. Use SCP to copy the aws_config.json file to the /home/<user>/cloud_vendors/aws directory on the Linux instance where you are installing Application Connector Proxy, and make it readable only by that user (for example, chmod 600 aws_config.json), because it holds a long-lived AWS access key.

Download the Application Connector Proxy Docker image

Before you can install the Application Connector Proxy, you need to download the Docker image from downloads.f5.com.
  1. Log in to downloads.f5.com and click Find a Download.
  2. Select the product family.
  3. Select the product version.
  4. Read the End User Software License, and click I Accept if you agree with the terms.
  5. Click the file name.
  6. Click the closest download location to you, and save the TGZ file to your management workstation.

Install the Application Connector Proxy

Before you can install the Application Connector Proxy, you need to download the installation package from downloads.f5.com.
To access the Application Connector Proxy, you install the Proxy Docker image onto your Linux instance.
  1. Log in to the Linux instance in your cloud environment where you would like to install the Proxy.
  2. Use SCP to copy the TGZ file to your Linux instance to the /home/<user>/cloud_vendors/aws directory.
  3. Install the Docker image.
    sudo docker load -i <file-name>.tar.gz
  4. Start the Docker container.
    sudo docker run -d -e httpPort=8090 --restart=always --net=host -e proxyName=<proxy-name> -e user=<user-name> -e passwd=<password> -it -v /home/<user-dir>/cloud_vendors/aws:/app/proxy/vendors/aws -v /app/proxy/log -v /app/proxy/config f5/acproxy:x.x.x-build.xx
  5. Verify that the Docker container is running.
    sudo docker ps
You should now be able to log in to the Proxy using the public IP address, plus port 8090, for your Linux instance, using the username and password that you set when you started the Docker container. If you omit user and passwd, the Proxy falls back to the defaults (admin/admin) listed in the table below; set both before the port is reachable from anywhere but your own workstation. Values passed with -e are also recorded in your shell history and shown by docker inspect to anyone who can reach the Docker daemon.
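The credentials file and the docker run command above can be produced without putting secrets on a command line. The following is an added example and not part of the F5 documentation or the Proxy: it writes aws_config.json and a docker --env-file with mode 0600, refuses the shipped default password and the 4-32 character limits from the variable table, and then runs the same container as step 4 with --env-file instead of -e and with the credentials directory mounted read-only. Assumptions beyond the chapter: AWS access key IDs are 20 characters starting with AKIA or ASIA and secret keys are 40 characters (the standard AWS formats); the container reads its variables the same way from --env-file as from -e; the proxy only reads /app/proxy/vendors/aws; and the proxy process runs as root inside the container, as Docker does by default, so a 0600 file you own is still readable there. The AWS key pair in the test is AWS's published documentation example, not a live credential.

```shell
#!/bin/sh
# Added example, not from the F5 documentation: prepare the Proxy's secrets
# with restrictive permissions and start the container without the password
# on the docker command line. The AWS key formats are assumptions, see above.

# write_aws_config DIR KEY_ID SECRET REGION -- writes DIR/aws_config.json, mode 0600
write_aws_config() {
    dir="$1"; key_id="$2"; secret="$3"; region="$4"
    case "$key_id" in
        AKIA????????????????|ASIA????????????????) ;;
        *) echo "access key ID is not a 20-character AKIA/ASIA key" >&2; return 1 ;;
    esac
    [ "${#secret}" -eq 40 ] || { echo "secret access key should be 40 characters" >&2; return 1; }
    case "$region" in
        [a-z][a-z]-[a-z]*-[0-9]) ;;
        *) echo "region '$region' does not look like an AWS region" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    # umask 077 in a subshell: the file is created 0600, with no window where it is world-readable
    (umask 077; printf '{\n  "accessKeyId": "%s",\n  "secretAccessKey": "%s",\n  "region": "%s"\n}\n' \
        "$key_id" "$secret" "$region" > "$dir/aws_config.json")
}

# check_proxy_credential NAME VALUE -- enforces the 4-32 character limit from the
# variable table and refuses the shipped default "admin"
check_proxy_credential() {
    name="$1"; value="$2"; n=${#value}
    if [ "$n" -lt 4 ] || [ "$n" -gt 32 ]; then echo "$name must be 4-32 characters" >&2; return 1; fi
    if [ "$value" = admin ]; then echo "$name is still the default 'admin'" >&2; return 1; fi
    return 0
}

# write_env_file PATH PROXY_NAME USER PASSWD -- the variables step 4 passes with -e,
# as a docker --env-file with mode 0600
write_env_file() {
    path="$1"
    check_proxy_credential user "$3" && check_proxy_credential passwd "$4" || return 1
    (umask 077; printf 'httpPort=8090\nproxyName=%s\nuser=%s\npasswd=%s\n' "$2" "$3" "$4" > "$path")
}

# run_proxy ENV_FILE HOME_DIR IMAGE -- the docker run from step 4, with --env-file
# for the secrets and a read-only (:ro) mount for the credentials directory
run_proxy() {
    sudo docker run -d --restart=always --net=host -it \
        --env-file "$1" \
        -v "$2/cloud_vendors/aws:/app/proxy/vendors/aws:ro" \
        -v /app/proxy/log -v /app/proxy/config \
        "$3"
}

# file_mode PATH -- octal permission bits, used to confirm the 0600 above
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: AWS_KEY_ID=... AWS_SECRET=... AWS_REGION=us-west-2 ./proxy-up.sh <proxy-name> <user-name> f5/acproxy:x.x.x-build.xx
# The management password is read from the terminal so it never appears on a command line.
if [ $# -eq 3 ]; then
    printf 'Proxy management password: '; stty -echo; read -r passwd; stty echo; echo
    write_aws_config "$HOME/cloud_vendors/aws" "$AWS_KEY_ID" "$AWS_SECRET" "$AWS_REGION" || exit 1
    write_env_file "$HOME/acproxy.env" "$1" "$2" "$passwd" || exit 1
    run_proxy "$HOME/acproxy.env" "$HOME" "$3"
fi
```

The env file still reaches docker inspect, so this removes the password from shell history and the process list, not from anyone who already controls the Docker daemon; keep that group small. Check the result with sudo docker ps as in step 5.
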
Application Connector Docker container configuration environment variables

These environment variables are available for use when setting up the Docker container.

adminPort: HTTPS proxy management port (integer). Default: 8080. Example: -e adminPort=8090. Required: No.
proxyName: The name of the Application Connector Proxy (string). Default: none. Example: -e proxyName=proxy. Required: Yes.
proxyDescription: The description of the Application Connector Proxy (string). Default: null. Required: No.
proxyId: Proxy instance ID (string). Default: null. Example: -e proxyId=xyz. Required: No.
user: HTTPS Basic Auth username (string, 4-32 characters). Default: admin. Example: -e user=abcd. Required: No.
passwd: HTTPS Basic Auth password (string, 4-32 characters). Default: admin. Example: -e passwd=efgh. Required: No.
retry: Enable proxy auto-reconnect (boolean). Default: true. Example: -e retry=false. Required: No.
publish: Enable proxy to auto discover and publish AWS nodes (boolean). Default: false. Example: -e publish=true. Required: No.

Docker options

These are some of the relevant options available for running Docker. For more information, see the Docker documentation at docs.docker.com.

-d: Runs the container detached, in the background. Default: false.
--restart: Restart policy for this container. Default: no. Allowed values: no, always, on-failure, unless-stopped.
--net: Type of networking for this container. Default: bridge. Allowed values: none, bridge, host.
-i: Keep STDIN open even if not attached. Default: false.
-t: Allocate a pseudo-TTY. Default: false.
-v: Bind mount a volume. Default: none. Syntax: <host source volume>:<container destination volume>.

Mappable Docker container files

These are the Docker container files that might be helpful for you to map from the container to the host.

Note: After you have attached to a container, you can view any files not mapped to the local host. You can attach to a running container using this command: docker exec -it $CONTAINER_ID /bin/bash.
ac.log: Application Connector log file. Default container location: /app/proxy/log. Host mapped example: -v /home/<user>/log:/app/proxy/log
server.cert: Proxy HTTPS server certificate file. Default container location: /app/proxy/certificates. Host mapped example: -v /home/<user>/certs:/app/proxy/certificates
server.key: Proxy HTTPS server key file. Default container location: /app/proxy/certificates. Host mapped example: -v /home/<user>/certs:/app/proxy/certificates
aws_config.json: AWS credentials needed for auto node discovery. Default container location: /app/proxy/vendors/aws. Host mapped example: -v /home/<user>/aws:/app/proxy/vendors/aws
config.json: Proxy configuration file. Default container location: /app/proxy/config. Host mapped example: -v /home/<user>/config:/app/proxy/config

Mapping server.cert and server.key lets you supply your own certificate for the management interface on port 8090, so that browsers and scripts connecting to it can verify the Proxy's identity instead of accepting the certificate the container ships with.

Configure the Application Connector Proxy

After you have installed the Application Connector Proxy Docker container, you can configure the Proxy to communicate with the Service Center.
  1. Log in to the Proxy using the public IP address for your Linux instance.
  2. In the Service Center Connections section, click Add.
  3. In the Name field, type the FQDN for the BIG-IP® system on which the Service Center is installed.
  4. In the IP / FQDN field, type the IP address or FQDN for the virtual server that you created to connect to the Proxy.
  5. In the Port field, type the port number (443) for the virtual server that you created to connect to the Proxy.
  6. Click the Connect WebSocket icon.
    If the connection is successful, this message displays: SUCCESS: 200. The status for the Service Center should be yellow, meaning that it is in a "connected not authorized" state.

Verify the Application Connector Service Center connection to the Proxy

After completing the installation and configuration, you can verify that the Service Center can communicate with the Proxy.
  1. Log in to the BIG-IP Configuration utility.
  2. On the Main tab, click iApps > Application Services > Applications LX .
  3. Click your application name to open the Application Connector Service Center.
  4. Click the Proxies tab.
  5. Confirm that your newly added proxy is in the Proxies list.
  6. Confirm that the connected proxy is the one you expect, for example by comparing its name with the proxyName value you set when you started the container. Authorizing it is what permits this Proxy to communicate with the Service Center, so do not authorize a proxy you cannot account for.
  7. Click the green shield icon to authorize the proxy.

Verify the Application Connector Proxy connection to the Service Center

After completing the installation and configuration, you can verify that the Proxy can communicate with the Service Center.
  1. Log in to the Proxy using the public IP address for your Linux instance.
  2. Confirm that the status of the Service Center is now green, indicating that it is in an Authorized state.