
Unable to assign SSLO-type policies to an HTTP/HTTPS application if APM is not provisioned

Open kevingstewart opened this issue 3 years ago • 7 comments

Environment

  • Application Services Version: 3.36.0
  • BIG-IP Version: 15.1.5.1

Summary

An error is produced when attempting to add SSL Orchestrator policies to an HTTP or HTTPS application service indicating that APM must be provisioned. SSL Orchestrator does not require APM.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Create an SSL Orchestrator "existing application" topology. This will create an (access) per-session and per-request policy.
  2. Submit the following declaration including the above policies:
{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.35.0",
        "Common": {
            "class": "Tenant",
            "Shared": {
                "class": "Application",
                "template": "shared",
                "webapp": {
                    "class": "Pool",
                    "members": [
                        {
                            "servicePort": 443,
                            "shareNodes": true,
                            "serverAddresses": ["{{ webapp_pool }}"]
                        }
                    ],                    
                    "minimumMonitors": 1,
                    "monitors": [
                        {
                            "bigip": "/Common/https"
                        }
                    ]
                },
                "wildcard.f5labs.com": {
                    "class": "Certificate",
                    "certificate": {
                        "bigip": "/Common/wildcard.f5labs.com.crt"
                    },
                    "privateKey": {
                        "bigip": "/Common/wildcard.f5labs.com.key"
                    }
                },
                "webapp_clientssl": {
                    "class": "TLS_Server",
                    "insertEmptyFragmentsEnabled": true,
                    "certificates": [
                        {
                            "certificate": "/Common/Shared/wildcard.f5labs.com"
                        }
                    ]
                },
                "webapp_vip": {
                    "class": "Service_HTTPS",
                    "layer4": "tcp",
                    "profileTCP": {
                        "bigip": "/Common/tcp"
                    },
                    "virtualAddresses": [
                        "{{ sslo_vip }}"
                    ],
                    "profileHTTP": {
                        "bigip": "/Common/http"
                    },
                    "redirect80": false,
                    "clientTLS": {
                        "bigip": "/Common/serverssl"
                    },
                    "serverTLS": "/Common/Shared/webapp_clientssl",
                    "translateServerAddress": true,
                    "translateServerPort": true,
                    "snat": "auto",
                    "allowVlans": [
                        {
                            "bigip": "/Common/client-vlan"
                        }
                    ],
                    "profileAccess": {
                        "bigip": "/Common/ssloDefault_accessProfile"
                    },
                    "policyPerRequestAccess": {
                        "bigip": "/Common/ssloP_sslopolicy.app/ssloP_sslopolicy_per_req_policy"
                    },
                    "pool": "webapp"
                }
            }
        }
    }
}
  3. Observe the following error response:
fatal: [localhost]: FAILED! => {"changed": false, "msg": "{'code': 422, 'errors': ['/Common/Shared/webapp_vip/profileAccess: One of these F5 modules needs to be provisioned: apm'], 'declarationFullId': '', 'message': 'declaration is invalid'}"}

Expected Behavior

SSL Orchestrator does not require APM, so the above AS3 declaration should create an HTTPS application with SSLO policies attached, without APM provisioned.

kevingstewart avatar May 27 '22 18:05 kevingstewart
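
A pre-flight check for the failure reported above, as an added example that is not part of the original issue or of AS3 itself: it walks a declaration and lists the properties that would be rejected when a required module is absent, using the same path format as the 422 error. The `profileAccess` to `apm` mapping comes from that error; the `policyPerRequestAccess` mapping, the function name and the sample provisioning set are assumptions.

```python
# Property -> BIG-IP module demanded by declaration validation.
# "profileAccess" -> "apm" comes from the 422 error quoted on this page;
# "policyPerRequestAccess" -> "apm" is an assumption made for this example.
GATED = {"profileAccess": "apm", "policyPerRequestAccess": "apm"}


def gated_properties(declaration, provisioned, gated=GATED):
    """Return sorted (path, module) pairs for gated properties whose module
    is not in the provisioned set. Paths use the error message's format."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            is_service = str(node.get("class", "")).startswith("Service_")
            for key, value in node.items():
                child = f"{path}/{key}"
                module = gated.get(key)
                if is_service and module and module not in provisioned:
                    findings.append((child, module))
                walk(value, child)
        elif isinstance(node, list):
            for index, item in enumerate(node):
                walk(item, f"{path}/{index}")

    # Accept either the AS3 request wrapper or a bare ADC declaration.
    walk(declaration.get("declaration", declaration), "")
    return sorted(findings)


# Constructed sample: the page's declaration reduced to the virtual server.
SAMPLE = {
    "class": "AS3",
    "declaration": {
        "class": "ADC",
        "Common": {"class": "Tenant", "Shared": {
            "class": "Application",
            "webapp_vip": {
                "class": "Service_HTTPS",
                "profileAccess": {"bigip": "/Common/ssloDefault_accessProfile"},
                "policyPerRequestAccess": {"bigip":
                    "/Common/ssloP_sslopolicy.app/ssloP_sslopolicy_per_req_policy"},
            },
        }},
    },
}

if __name__ == "__main__":
    # Constructed provisioning set: LTM only, no APM.
    for path, module in gated_properties(SAMPLE, {"ltm"}):
        print(f"{path}: requires module '{module}'")
```
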

Thank you for your feedback. I have added it to our internal product backlog as AUTOTOOL-3333.

dstokesf5 avatar Jun 23 '22 18:06 dstokesf5

Thank you @kevingstewart. In order to prioritize and understand the issue better, please reach out to us at [email protected]

sunitharonan avatar Nov 28 '22 18:11 sunitharonan

Thanks @kevingstewart for reaching out. We will prioritize this request.

While SSL Orchestrator builds its policies using the Access2 framework, it does not specifically require APM to be provisioned. These are different types of policies that are specific to SSLO. The error states that an AS3 call with the SSLO (access) profiles applied to a VIP will fail if APM is not provisioned. This is incorrect.

mdditt2000 avatar Dec 20 '22 22:12 mdditt2000

Hi @mdditt2000

I have another, different customer that is hitting this same issue. Can we get an update on when this will be fixed? AUTOTOOL-3333.

The customer is a keen AS3 user but also needs to apply SSLO configurations, so this is important to them.

  • Application Services Version: 3.46
  • BIG-IP Version: 17.1.0.2

mikeoleary avatar Aug 14 '23 19:08 mikeoleary