Access-related declarations
This section contains access-related declarations, typically involving BIG-IP Access Policy Manager. You must have BIG-IP APM licensed and provisioned to use these profiles.
Note
Most of the example declarations have been updated in the documentation for BIG-IP AS3 3.20 to remove any template that was specified, and rename any virtual services that used the name serviceMain to service. In BIG-IP AS3 3.20, the generic template is the default, which allows services to use any name.
This also means that many of these declarations will fail on a version prior to 3.20 unless you add a template. See this FAQ entry and this Troubleshooting entry for more information.
Important
BIG-IP AS3 3.24 adds the ability to update APM policies. Updating Access Policy Management objects can be a slow process and may cause BIG-IP AS3 declarations to take longer to apply.
Referencing existing Access and Connectivity profiles
Version Notice:
Support for referencing existing Access and Connectivity profiles is available in BIG-IP AS3 3.14.0 and later.
This simple example shows how you reference existing Access and Connectivity profiles in BIG-IP AS3 version 3.14.0 and later. These profiles must already exist on the BIG-IP system; BIG-IP AS3 does not create these objects.
For detailed information on these profiles, see Connectivity profile documentation and the appropriate APM documentation for Access profile information. You can also see Pointer_Connectivity and Pointer_Access in the Schema Reference for usage options.
This declaration creates the following objects on the BIG-IP:
- A partition (tenant) named Example_APM_profiles.
- A virtual service named APMprofile_vs, which references Connectivity and Access profiles on the BIG-IP.
{
    "class": "ADC",
    "schemaVersion": "3.14.0",
    "Example_APM_profiles": {
        "class": "Tenant",
        "Application": {
            "class": "Application",
            "APMprofile_vs": {
                "class": "Service_HTTP",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "1.1.1.10"
                ],
                "profileAccess": {
                    "bigip": "/Common/accessProfile"
                },
                "profileConnectivity": {
                    "bigip": "/Common/connectivityProfile"
                }
            }
        }
    }
}
Referencing an external IAM policy using a URL (UPDATED)
Version Notice:
Support for referencing .gz files is available in 3.21 and later.
Support for the enable property is available in BIG-IP AS3 3.23 and later.
This example shows how you can reference an external IAM policy (also called an Access Profile) using a URL (see I cannot tell the difference between policyIAM and profileAccess objects in BIG-IP AS3 for details on these names).
Note
In versions prior to 3.21, BIG-IP AS3 only supports URLs referencing .tar files. BIG-IP AS3 3.21 adds support for referencing .gz files.
The properties policyIAM and profileAccess in the Service_HTTP and Service_HTTPS classes are references to the same object; use only one in a declaration.
For detailed information on Access Profiles, see the BIG-IP APM documentation for your version of APM. You can also see Service_HTTP and Service_HTTPS in the Schema Reference for usage options.
NEW in BIG-IP AS3 3.23
BIG-IP AS3 3.23 introduces the enable property. When set to true, this property effectively “applies” the policy in APM (the equivalent to clicking Apply in the BIG-IP UI). Prior to version 3.23, users had to manually apply the policy outside of BIG-IP AS3.
It is important to understand how the enable property works with the ignoreChanges property. The ignoreChanges property determines whether a policy is updated. The enable property determines whether it is applied. See the following table for a matrix of options.
                | ignoreChanges: false                   | ignoreChanges: true
enable: false   | APM policy is updated, but not applied | No action
enable: true    | APM policy is updated and applied      | APM policy is not updated (though it may be created), and the policy is applied if it was just created
Important
In BIG-IP AS3 versions prior to 3.24, if you are updating a policy, you MUST update your virtual server to reference the updated policy. When a policy is updated, the system makes the name unique by incrementing a number on the end of the name. For example, if a policy was named “myAccessPolicy” in the initial declaration and you then update the declaration, the Access policy name is changed to “myAccessPolicy_1”. You must update the virtual server to use the new policy name.
In BIG-IP AS3 3.24 and later, this is no longer necessary, however updating Access Policy Management objects can be a slow process and may cause BIG-IP AS3 declarations to take longer to apply.
This declaration creates the following objects on the BIG-IP:
- A partition (tenant) named Sample_Access_profile.
- A virtual service named APMservice, which references an Access Profile .tar file via URL, and has both ignoreChanges and enable set to true.
{
    "class": "ADC",
    "schemaVersion": "3.15.0",
    "id": "123456",
    "Sample_Access_profile": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "APMservice": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": ["1.2.3.4"],
                "profileAccess": {
                    "use": "accessProfile"
                }
            },
            "accessProfile": {
                "class": "Access_Profile",
                "url": "https://example.tar",
                "ignoreChanges": true,
                "enable": true
            }
        }
    }
}
Referencing an external Per-Request Access policy using a URL
Version Notice:
Support for referencing external per-request policies via URL is available in BIG-IP AS3 3.23 and later.
This example shows how you can reference an external Per-Request Access policy via URL. You can reference both .tar and .gz files.
For detailed information on Per-Request policies, see the BIG-IP APM documentation for your version.
You can also see Pointer_Per_Request_Access_Policy, as well as Service_HTTP and Service_HTTPS in the Schema Reference for usage options.
This declaration creates the following objects on the BIG-IP:
- A partition (tenant) named Sample_Per_Request_Access_Policy.
- A virtual service named APMservice, which references a Per-Request policy and an Access Profile .tar file via URL.
{
    "class": "ADC",
    "schemaVersion": "3.23.0",
    "id": "123456",
    "Sample_Per_Request_Access_Policy": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "APMservice": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": ["1.2.3.4"],
                "profileAccess": {
                    "use": "accessProfile"
                },
                "policyPerRequestAccess": {
                    "use": "perRequestPolicy"
                }
            },
            "accessProfile": {
                "class": "Access_Profile",
                "url": "https://example.tar",
                "ignoreChanges": true
            },
            "perRequestPolicy": {
                "class": "Per_Request_Access_Policy",
                "url": "https://example2.tar",
                "ignoreChanges": true
            }
        }
    }
}
Referencing existing VDI profiles
Version Notice:
Support for referencing existing VDI profiles is available in BIG-IP AS3 3.24 and later.
You MUST have BIG-IP APM licensed and provisioned to use VDI profiles.
This example shows how you can reference VDI profiles that already exist on your BIG-IP device in BIG-IP AS3 3.24 and later. A VDI profile is a group of settings that you can use to enable and configure VDI services such as Citrix, VMware View and Microsoft RDP, so they work with BIG-IP APM.
For more information on using VDI profiles, see BIG-IP APM Third-Party Integration Guide. For detailed information on using BIG-IP APM, see the BIG-IP APM documentation for your version.
You can also see Pointer_VDI_Profile, as well as Service_HTTP and Service_HTTPS in the Schema Reference for usage options.
This declaration creates the following objects on the BIG-IP:
- A partition (tenant) named VDI_Service_HTTP.
- An Application named VDIApp.
- A virtual server named service that includes references to existing VDI, Access, and Connectivity profiles.
{
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "id": "Service_HTTP",
    "VDI_Service_HTTP": {
        "class": "Tenant",
        "VDIApp": {
            "class": "Application",
            "service": {
                "class": "Service_HTTP",
                "virtualPort": 8080,
                "virtualAddresses": [
                    "1.2.3.4"
                ],
                "profileAccess": {
                    "bigip": "/Common/accessProfile"
                },
                "profileConnectivity": {
                    "bigip": "/Common/connectivityProfile"
                },
                "profileVdi": {
                    "bigip": "/Common/vdi"
                }
            }
        }
    }
}
Using multiple APM profiles in a declaration
Version Notice:
Support for adding and referencing multiple APM profiles is available in BIG-IP AS3 3.25 and later.
BIG-IP AS3 3.36 adds the ssloCreated property.
This example shows how you can add and reference multiple APM (Access) profiles in a single BIG-IP AS3 declaration. This makes use of the special Shared application, which holds objects other applications can share.
New in BIG-IP AS3 3.36
BIG-IP AS3 3.36 added the ssloCreated property. This corrects an issue where you could not attach SSL Orchestrator access profiles because RBA and WEBSSO profiles were automatically attached to the policy. Set the ssloCreated property to true if the profile was created by SSLO. When set to true, the non-configurable Kerberos Request-Based Authentication (/Common/rba) and WebSSO (/Common/websso) profiles are not automatically attached to Services when this profile is attached.
For detailed information on using BIG-IP APM, including APM Access profiles, see the BIG-IP APM documentation for your version.
This declaration creates the following objects on the BIG-IP:
- A partition (tenant) named tenant1a.
- An Application named application1a.
- A virtual server named APMservice that includes a pointer to an Access profile.
- An Application named application1b.
- A virtual server named APMservice that includes a pointer to an Access profile.
- An Application named Shared that uses the shared template.
- An Access Profile named accessProfileTenant1a that references the profile via URL, and is available for the applications/virtual servers in tenant1a to use.
- A partition (tenant) named tenant2a.
- An Application named application.
- A virtual server named APMservice that includes a pointer to an Access profile in /Common/Shared.
- A partition (tenant) named Common.
- An Application named Shared that uses the shared template.
- An Access Profile named accessProfileCommon that references the profile via URL, and is available for the application/virtual server in tenant2a to use.
NOTE: If you attempt to use this declaration on a version prior to 3.36, it will fail. On previous versions, remove the ssloCreated lines.
{
    "class": "ADC",
    "schemaVersion": "3.25.0",
    "tenant1a": {
        "class": "Tenant",
        "application1a": {
            "class": "Application",
            "APMservice": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "192.0.2.0"
                ],
                "profileAccess": {
                    "use": "/tenant1a/Shared/accessProfileTenant1a"
                }
            }
        },
        "application1b": {
            "class": "Application",
            "APMservice": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "192.0.2.1"
                ],
                "profileAccess": {
                    "use": "/tenant1a/Shared/accessProfileTenant1a"
                }
            }
        },
        "Shared": {
            "class": "Application",
            "template": "shared",
            "accessProfileTenant1a": {
                "class": "Access_Profile",
                "url": "https://apm.example.com/apm/apmProfile.tar.gz",
                "ssloCreated": false,
                "ignoreChanges": false
            }
        }
    },
    "tenant2a": {
        "class": "Tenant",
        "application": {
            "class": "Application",
            "APMservice": {
                "class": "Service_HTTP",
                "virtualPort": 80,
                "virtualAddresses": [
                    "192.0.2.2"
                ],
                "profileAccess": {
                    "use": "/Common/Shared/accessProfileCommon"
                }
            }
        }
    },
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "accessProfileCommon": {
                "class": "Access_Profile",
                "url": "https://apm.example.com/apm/apmProfile.tar.gz",
                "ssloCreated": true,
                "ignoreChanges": false
            }
        }
    }
}
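Several pitfalls on this page are easy to catch before a declaration is ever POSTed: a service that sets both policyIAM and profileAccess (they are the same object), a `use` pointer to a Shared Access_Profile that does not resolve, a policy URL that is not a .tar or .gz file, and a property such as enable or ssloCreated that the target BIG-IP AS3 version does not yet support. The pre-flight check below is an added example, not F5 code and not part of the AS3 schema. Its version thresholds are the ones given in this page's version notices, its pointer resolution follows the two forms shown in these declarations (a bare name is relative to the same application; `/tenant/application/name` is absolute), and its sample inputs are the multi-profile declaration above, abridged, plus a constructed broken declaration. It is a static check only; the BIG-IP still validates the declaration against the full schema.

```python
"""Pre-flight checks for the access-related parts of a BIG-IP AS3 declaration.

Added example, not F5 code. Walks a declaration dict, resolves "use" pointers to
Access_Profile / Per_Request_Access_Policy objects, flags a service that sets both
policyIAM and profileAccess, and reports the minimum BIG-IP AS3 version implied by
the access features used, with thresholds taken from this page's version notices.
"""
import json

# Feature -> minimum BIG-IP AS3 version, as stated in the page's version notices.
MIN_VERSION = {
    "profile via bigip": (3, 14, 0),              # existing Access/Connectivity profiles
    "Access_Profile .gz url": (3, 21, 0),
    "Access_Profile enable": (3, 23, 0),
    "Per_Request_Access_Policy url": (3, 23, 0),
    "profileVdi": (3, 24, 0),
    "shared Access_Profile pointer": (3, 25, 0),  # /tenant/Shared/name used from another app
    "Access_Profile ssloCreated": (3, 36, 0),
}
# Service property -> class its "use" pointer must resolve to.
POINTER_CLASS = {"profileAccess": "Access_Profile", "policyIAM": "Access_Profile",
                 "policyPerRequestAccess": "Per_Request_Access_Policy"}
ACCESS_REFS = ("profileAccess", "policyIAM", "policyPerRequestAccess",
               "profileConnectivity", "profileVdi")


def iter_objects(decl):
    """Yield (tenant, application, name, object) for every class-bearing object."""
    for tenant, t in decl.items():
        if isinstance(t, dict) and t.get("class") == "Tenant":
            for app, a in t.items():
                if isinstance(a, dict) and a.get("class") == "Application":
                    for name, obj in a.items():
                        if isinstance(obj, dict) and "class" in obj:
                            yield tenant, app, name, obj


def resolve_use(decl, tenant, app, pointer):
    """Resolve a "use" pointer (bare name = same application, or /tenant/app/name).
    Returns (object, (tenant, app)) or (None, None) when nothing matches."""
    if pointer.startswith("/"):
        parts = pointer.strip("/").split("/")
        if len(parts) != 3:
            return None, None
        tenant, app, name = parts
    else:
        name = pointer
    t = decl.get(tenant)
    a = t.get(app) if isinstance(t, dict) else None
    obj = a.get(name) if isinstance(a, dict) else None
    return (obj, (tenant, app)) if isinstance(obj, dict) else (None, None)


def check_declaration(decl):
    """Return {"findings": [...], "features": [...], "min_as3_version": "x.y.z" or None}."""
    findings, features = [], set()
    for tenant, app, name, obj in iter_objects(decl):
        where, cls = f"/{tenant}/{app}/{name}", obj["class"]
        if cls.startswith("Service_"):
            if "policyIAM" in obj and "profileAccess" in obj:
                findings.append(f"{where}: policyIAM and profileAccess are the same object; set only one")
            for prop in ACCESS_REFS:
                ref = obj.get(prop)
                if ref is None:
                    continue
                if not isinstance(ref, dict) or not ({"use", "bigip"} & ref.keys()):
                    findings.append(f"{where}.{prop}: reference needs a 'use' or 'bigip' key")
                elif "bigip" in ref:
                    if not ref["bigip"].startswith("/"):
                        findings.append(f"{where}.{prop}: bigip reference must be a full path like /Common/name")
                    features.add("profileVdi" if prop == "profileVdi" else "profile via bigip")
                else:
                    target, loc = resolve_use(decl, tenant, app, ref["use"])
                    if target is None:
                        findings.append(f"{where}.{prop}: pointer {ref['use']!r} does not resolve within the declaration")
                    elif prop in POINTER_CLASS and target.get("class") != POINTER_CLASS[prop]:
                        findings.append(f"{where}.{prop}: {ref['use']!r} is a {target.get('class')}, expected {POINTER_CLASS[prop]}")
                    elif prop in POINTER_CLASS and loc != (tenant, app):
                        features.add("shared Access_Profile pointer")
        elif cls in ("Access_Profile", "Per_Request_Access_Policy"):
            url = obj.get("url", "")
            if not url.endswith((".tar", ".gz")):
                findings.append(f"{where}: url must point to a .tar or .gz file, got {url!r}")
            if cls == "Per_Request_Access_Policy":
                features.add("Per_Request_Access_Policy url")
            else:
                if url.endswith(".gz"):
                    features.add("Access_Profile .gz url")
                features.update(f"Access_Profile {p}" for p in ("enable", "ssloCreated") if p in obj)
    min_version = max((MIN_VERSION[f] for f in features), default=None)
    return {"findings": findings, "features": sorted(features),
            "min_as3_version": ".".join(map(str, min_version)) if min_version else None}


# Sample input: the page's multi-profile declaration, abridged to one application in tenant1a.
SAMPLE_DECLARATION = {
    "class": "ADC", "schemaVersion": "3.25.0",
    "tenant1a": {"class": "Tenant",
        "application1a": {"class": "Application",
            "APMservice": {"class": "Service_HTTP", "virtualPort": 80, "virtualAddresses": ["192.0.2.0"],
                           "profileAccess": {"use": "/tenant1a/Shared/accessProfileTenant1a"}}},
        "Shared": {"class": "Application", "template": "shared",
            "accessProfileTenant1a": {"class": "Access_Profile", "ssloCreated": False, "ignoreChanges": False,
                                      "url": "https://apm.example.com/apm/apmProfile.tar.gz"}}},
    "Common": {"class": "Tenant",
        "Shared": {"class": "Application", "template": "shared",
            "accessProfileCommon": {"class": "Access_Profile", "ssloCreated": True, "ignoreChanges": False,
                                    "url": "https://apm.example.com/apm/apmProfile.tar.gz"}}}}

# Constructed counter-example: both access references set, one dangling pointer, one wrong class.
BROKEN_DECLARATION = {
    "class": "ADC", "schemaVersion": "3.23.0",
    "t": {"class": "Tenant",
        "app": {"class": "Application",
            "svc": {"class": "Service_HTTP", "virtualPort": 80, "virtualAddresses": ["192.0.2.5"],
                    "profileAccess": {"use": "accessProfile"}, "policyIAM": {"use": "nosuchProfile"},
                    "policyPerRequestAccess": {"use": "accessProfile"}},
            "accessProfile": {"class": "Access_Profile", "url": "https://example.tar", "enable": True}}}}

if __name__ == "__main__":
    for decl in (SAMPLE_DECLARATION, BROKEN_DECLARATION):
        print(json.dumps(check_declaration(decl), indent=2))
```

For the abridged page declaration the check reports no findings and a minimum version of 3.36.0, driven by ssloCreated; the constructed declaration yields three findings and needs 3.23.0 because of enable. Run it against your own declaration by loading the JSON with json.load and passing the dict to check_declaration.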