Applies To:

Show Versions Show Versions

Manual Chapter: Integrating APM with PingAccess Servers
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Overview: Integrating APM with PingAccess

You can configure Access Policy Manager® (APM®) to act as a Policy Enforcement Point (PEP) in place of PingAccess agents installed on web servers. In this case, APM intercepts client requests to web applications, and queries PingAccess servers for policy decisions. APM then enforces the policy decisions that the PingAccess server provides, such as these:

  • Allow or deny a request for a resource.
  • Redirect the user for authentication.
  • Modify request/response HTTP headers.

Task summary

Prerequisites for PingAccess integration

Infrastructure for a PingAccess deployment might include one or more PingAccess servers with zero or more agents configured on each one. Before you start to configure Access Policy Manager® (APM®) for PingAccess, download agent properties files from PingAccess servers. If PingAccess servers are deployed in a cluster, you need only one agent properties file per agent instance.

For more information, refer to PingAccess Deployment Guide, which is available from Ping Identity.

Note: F5 is not responsible for any inaccuracies in third party content.

PingAccess SSL certificates and BIG-IP configuration

A PingAccess agent properties file can include only one SSL certificate. When importing the PingAccess agent properties file, Access Policy Manager® (APM®) can also import the SSL certificate. With the certificate imported, APM creates a server SSL profile and specifies the SSL certificate in the Trusted Certificate Authorities field.

For more information, refer to BIG-IP® System: SSL Administration on the AskF5™ web site located at support.f5.com/.

Uploading PingAccess agent properties to APM

You upload agent properties files for use in Access Policy Manager® (APM®) communication with PingAccess servers.
Note: If the PingAccess server is configured to use SSL, and APM can detect the server SSL certificate in the agent properties file, you will have the opportunity to import the server SSL certificate from the server along with the agent properties.
  1. On the Main tab, click Access > Federation > PingAccess > Agent Properties .
  2. Click Create.
    A New screen opens.
  3. In the Name field, type a unique name.
  4. In the Configuration area for Properties File, click the Choose File button.
    A popup directory screen opens.
  5. Navigate to and select an agent properties file that you downloaded from a PingAccess server, and click Open.
    The popup screen closes. If APM detects a valid SSL certificate in the properties file, an Import SSL Certificate check box displays.
  6. If the Import SSL Certificate check box displays, select it.
    The SSL certificate comes from the PingAccess server.
  7. Click Finished.
    APM imports the properties file. If you selected the Import SSL Certificate check box, APM imports the certificate to the BIG-IP® system and creates a server SSL profile that specifies the certificate as the trusted certificate authority. The name of the imported certificate and the name of the server SSL profile match the name you specified for this PingAccess properties object.
If the PingAccess server uses SSL, and APM did not detect and import an SSL certificate, you must download the SSL certificate from the PingAccess server, import it to the BIG-IP system, and configure a server SSL profile to use it.

Configuring a local traffic pool of PingAccess servers

You configure a pool of PingAccess servers that serve requests from the same PingAccess agent so that, when Access Policy Manager® (APM®) acts as a Policy Enforcement Point (PEP) in place of the PingAccess agent, APM has the correct group of PingAccess servers with which to interact.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. For Health Monitors, you can select tcp.
    You can select an HTTP or HTTPS type of health monitor if you configure one to use this custom send string GET /pa/heartbeat.ping\r\n.
  5. In the Resources area, for the New Members setting, add PingAccess servers that serve requests from the same agent:
    1. Either type an IP address in the Address field, or select a preexisting node address from the Node List.
    2. In the Service Port field, type the port number.
      The default port number for PingAccess server is 3030. However, the port used in your configuration might differ.
    3. Click Add.
  6. Click Finished.
The new pool appears in the Pools list.

Creating a PingAccess profile for APM authentication

You configure a profile to specify PingAccess agent properties and PingAccess servers for integration with Access Policy Manager® (APM®).
  1. On the Main tab, click Access > Federation > PingAccess > Profiles .
  2. Click Create.
    A New screen opens.
  3. In the Name field, type a unique name.
  4. For the Properties File field, select one from the list or click (+) to upload a PingAccess agent properties file before you make a selection.
  5. From the Pool Name list, select the pool of PingAcess policy servers that you configured earlier.
  6. The Use HTTPS setting default is to have the check box selected (enabled).
  7. If Use HTTPS is enabled, from the Server SSL Profile list, select a profile that is configured with the PingAccess server SSL certificate as the trusted certificate authority.

    If APM imported the server SSL certificate from the PingAccess agent properties file, the profile name matches the properties file name.

For the PingAccess profile to go into effect, you must now add it to a virtual server.

Configuring a pool of web application services to protect

You configure a pool to specify the web application services behind a virtual server that Access Policy Manager® (APM®) protects when acting as a PingAccess agent.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. In the Resources area, for the New Members setting, add web application services that APM protects:
    1. Either type an IP address in the Address field, or select a preexisting node address from the Node List.
    2. In the Service Port field, type the port number for the web application service.
    3. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.
To use this pool, you must now specify it in the virtual server configuration. If the web application servers use SSL, download the SSL certificate, import it into the BIG-IP® system, and create a server SSL profile with the certificate to assign to the virtual server configuration.

Creating a virtual server for a PingAccess profile

A virtual server represents a destination IP address for application traffic.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Destination Address field, type the IP address for a host virtual server.
    The IP address you type must be available and not in the loopback network.
    This field accepts an address in CIDR format (IP address/prefix). However, when you type the complete IP address for a host, you do not need to type a prefix after the address.
  4. In the Service Port field, type a port number or select a service name from the Service Port list.
  5. From the HTTP Profile list, select http.
  6. If SSL protocol is in use on the web application servers in the pool that you configured previously:
    1. From SSL Profile (Client), select a profile.
    2. From SSL Profile (Server), select a profile.
  7. From the Source Address Translation list, select Auto Map.
  8. Scroll down to the Access Policy area.
  9. Confirm that Access Profile is set to None.
    Note: APM supports assignment of only one of these profiles to a virtual server: an access profile or a PingAccess profile.
  10. From the PingAccess Profile list, select a profile.
  11. Retain the default values for all other settings in the Access Policy area.
  12. In the Resources area of the screen, from the Default Pool list, select the name of the pool that you configured to specify web applications that APM protects.
  13. Click Finished.
A destination IP address on the BIG-IP® system is now available for application traffic.

Troubleshooting SSL handshake failure

If the connection between the BIG-IP® system and an external server is SSL-protected and it fails, these steps might help you if the problem is due to the BIG-IP system using a later version of TLS than the external server uses. (Older servers that do not support later TLS versions might generate an alert and close the connection.)
  1. From the command line on the BIG-IP system, type tmsh list sys db SSL.OuterRecordTls1_0.
    Information about the db variable displays. If the db variable is set to its default value of enable, the BIG-IP system specifies TLS version 1.0 in the outer SSL record, and this should cause no problem for a server that does not support later TLS versions.
  2. If the db variable is set to disable, to make a change that affects only the sessions started through a virtual server with a particular server SSL profile, update the server SSL profile.
    1. On the Main tab, click Local Traffic > Profiles > SSL > Server .
    2. Click the name of the profile you want to update.
    3. For Configuration, select Advanced and select the Custom check box.
    4. Scroll to the Options List setting.
    5. From the Available Options list, select No TLSv1.1 and No TLSv1.2 and click the Enable button.
      The selected options display on the Enabled Options list.
    6. Click Update.
  3. If the db variable is set to disable, and you are sure that you should make a system-wide change, type tmsh modify sys db SSL.OuterRecordTls1_0 value enable.
    The db variable is restored to its default value.
Refer to BIG-IP® System: SSL Administration and Release notes for BIG-IP Local Traffic Manager™ on the AskF5™ web site located at support.f5.com/.

Modifying APM logging for PingAccess profile

For troubleshooting purposes, you might need to modify the log level for PingAccess profile.
Note: Only the default-log-setting applies to PingAccess profile logging. Log settings in an access profile do not apply, because Access Policy Manager® (APM®) does not support an access profile with PingAccess.
  1. On the Main tab, click Access > Overview > Event Logs > Settings .
    A log settings table screen opens.
  2. Select default-log-setting and click Edit.
    A popup screen opens.
  3. On the left, select Access System Logs.
  4. From the PingAccess Profile list, select a value.
    The default value is Notice. F5 does not recommend selecting Debug unless you are instructed to do so by support engineers.
  5. Click OK.
    The popup screen closes.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)