Lab 1: Deploy an API Protection Profile

Section 1.1 - Setup Lab Environment

To access your dedicated student lab environment, you will need a web browser and Remote Desktop Protocol (RDP) client software. The web browser will be used to access the Unified Demo Framework (UDF) Training Portal. The RDP client will be used to connect to the jumphost, where you will be able to access the BIG-IP management interfaces (HTTPS, SSH).

  1. Click DEPLOYMENT located on the top left corner to display the environment

  2. Click ACCESS next to jumphost.f5lab.local

  3. Select your RDP resolution.

  4. The RDP client on your local host establishes an RDP connection to the Jumphost.

  5. Login with the following credentials:

    • User: f5lab\user1
    • Password: user1
  6. After successful logon, the Chrome browser will launch automatically and open the site https://portal.f5lab.local. This process usually takes 30 seconds after logon.

  7. Click the Classes tab at the top of the page.

  8. Scroll down the page until you see 304 API Protection on the left

  9. Hover over the tile Deploy an API Protection Profile. A start and stop icon should appear within the tile. Click the Play Button to start the automation that builds the environment

  10. The screen should refresh within 30 seconds, displaying the progress of the automation. Scroll to the bottom of the automation workflow to ensure all requests succeeded. If you experience errors, try running the automation a second time or open an issue on the Access Labs Repo.

Section 1.2 - Implement Coarse-Grained Access Control

Task 1 - Create a Provider

The cornerstone of the API protection profile is the ability to authorize users using JWTs. Unlike Guided Configuration, which creates the JWT Provider for you based on a few defined parameters, here you must create the provider manually.

  1. Navigate to Access >> Federation >> OAuth Client/Resource Server >> Provider. Click the + (Plus Symbol)

  2. Configure the following parameters:

    • Name: api-as-provider
    • Trusted Certificate Authorities: ca.acme.com
    • OpenID URL: replace f5-oauth.local with as.acme.com
  3. Click Discover

  4. The Authentication URI, Token URI, Token Validation Scope URI, UserInfo URI and keys should be updated.

  5. Click Save

Task 2 - Create a JWT Provider

  1. Navigate to Access >> Federation >> JSON Web Token >> Provider List. Click the + (Plus Symbol).

  2. Enter the name: as-jwt-provider

  3. Click Add so api-as-provider is added to the list of providers

  4. Click Save

Task 3 - Create an API Protection Profile

  1. Navigate to API Protection >> Profile. Click the + (plus symbol)

    Note

    The JSON file is located on the jumpbox in c:\access-labs\class3\module4\student_files

  2. Enter the following parameters:

    • Name: api-protection
    • OpenAPI File: Active Directory OpenAPI.json
    • DNS Resolver: internal-dns-resolver
    • Authorization: OAuth 2.0
  3. Click Add

  4. Click Save

Task 4 - Explore the Path Configuration

  1. Note that the Spec file contains a single path, /user, but it supports four different request methods.

  2. The API server that all requests will be sent to is http://adapi.f5lab.local:81

Task 5 - Associate a JWT Provider

  1. Click Access Control from the top ribbon

  2. Click Edit (Per Request Policy)

  3. Notice the same paths displayed in the API Protection profile appear here. Currently there is no fine-grained access control. We will implement it later in the lab.

  4. Click the + (plus symbol) next to the Subroutine OAuth Scope Check AuthZ to expand its properties:

    Note

    The OAuth Scope agent currently has a red asterisk since no provider is associated with it.

  5. Click OAuth Scope

  6. Enter the following parameters:

    • Token Validation Mode: Internal
    • JWT Provider List: as-jwt-provider
    • Response: api-protection_auto_response1
  7. Click Save

Task 6 - Create a virtual server

  1. Navigate to Local Traffic >> Virtual Servers >> Virtual Server List. Click the + (plus symbol)

  2. Enter the following parameters:

    • Name: api.acme.com
    • Destination Address/Mask: 10.1.10.102
    • Service Port: 443
    • HTTP Profile (Client): http
    • SSL Profile(Client): acme.com
    • Source Address Translation: Auto Map
    • API Protection: api-protection
  3. Click Finished

Task 7 - Import Postman Collections

  1. From the Jumpbox, open Postman via the desktop shortcut or toolbar at the bottom

  2. Click Yes if prompted for “Do you want to allow this app to make changes to your device?”

  3. Click Import located on the top left of the Postman application

  4. Click Upload Files

  5. Navigate to C:\access-labs\class3\module4\student_files, select student-class3-module4-lab01.postman_collection.json, and click Open

  6. Click Import

  7. A collection called student-class3-module4-lab01 will appear on the left side in Postman

Task 8 - Retrieve your OAuth clientID

  1. Expand the student-class3-module4-lab01 Collection

  2. Select the request Request1: Retrieve Postman ClientID

  3. Click Send

  4. You receive a 200 OK with a response body. The clientID is now stored as a Postman Variable to be used in future requests. Your ClientID will be different from the one shown in the lab screenshots.

Task 9 - Attempt to Retrieve User1's Attributes without JWT

  1. Select the request Request 2: Retrieve User Attributes without JWT

  2. Click Send

  3. You receive a 403 Forbidden response status code since you do not have a valid JWT

Task 10 - Retrieve User1's Attributes with a JWT

  1. Select the request Request 3: Retrieve User Attributes with JWT

  2. Select the Authorization tab

  3. Click Get New Access Token

  4. Login using Username: user1, Password: user1

  5. Click Use Token.

  6. Notice the Access Token field is now populated

  7. Click Send

  8. You receive a 200 OK response status code with attributes for user1 in the body of the response

Task 11 - Set a Valid User Attribute

  1. Select the request Request 4: Update a Valid User Attribute

  2. Select the Authorization tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. The Token field is now populated

  5. Click Send

    Note

    If you receive a 403 response status code, request a new token. You can change the name of the token request prior to sending by setting the Token Name. You can delete expired tokens by clicking the Available Tokens dropdown, clicking Manage Tokens, and then clicking the trashcan next to the Token.

  6. You receive a 200 OK response status code with a response body that contains user1’s employeeNumber 123456

Task 12 - Set a Nonexistent User’s Attribute

  1. Select the request Request 5: Update a Nonexistent User's Attribute

  2. Select the Authorization tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. The Token field is now populated

  5. Click Send

    Note

    If you receive a 403 response status code, request a new token. You can change the name of the token request prior to sending by setting the Token Name. You can delete expired tokens by clicking the Available Tokens dropdown, clicking Manage Tokens, and then clicking the trashcan next to the Token.

  6. You receive a 200 OK response status code. The request successfully passed through the API Gateway, but the server failed to process the request.

Task 13 - Update a Valid User with PUT

  1. Select the request Request 6: Update a Valid User’s Attribute with PUT

  2. Select the Authorization tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. The Token field is now populated

  5. Click Send

  6. You receive a 403 Forbidden response status code. This is expected because the PUT Method was not specified in the API Protection Profile for the path /user

Task 14 - Create a User

  1. Select the request Request 7: Create a User

  2. Select the Authorization tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. Click Send

  5. You receive a 200 OK response status code with a response body that contains Bob Smith’s user attributes

Task 15 - Request invalid endpoint

  1. Select the request Request 8: Request Invalid Endpoint

  2. Select the Authorization tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. The Token field is now populated

  5. Click Send

  6. You receive a 403 Forbidden response status code. This is expected because the path /hacker/attack was not specified in the API Protection Profile

Section 1.3 - Implement Fine-Grained Access Controls

Up to this point, any user who authenticates to the API is authorized to use every published path. In this section we will restrict user1’s ability to create users, while user1 will still be able to modify a user’s employee number.

Task 1 - Retrieve Group Membership Subsession Variable

Note

In order to implement fine-grained control, the session variables that contain the data must be known. This first task shows you how to display the session variables and their values.

  1. From the Jumpbox desktop click on the BIG-IP1 Putty icon

  2. Enter the command sessiondump --delete all to remove any existing APM sessions

  3. Enter the command tailf /var/log/apm. Hit enter a few times to create some space on the screen

  4. From Postman, select the request Request 3: Retrieve User Attributes with JWT. The Authorization field should already be populated with User1’s token.

  5. Click Send

  6. You receive a 200 OK response status code with attributes for user1 in the body of the response

    Note

    Your SessionID will be different

  7. Return to the CLI and examine the logs. You will see a message about a new subsession being created. Copy the subsession ID

  8. Exit the logs using Ctrl+Z

  9. Enter the command sessiondump -subkeys <subsessionID>

  10. Scroll through the output until you find the session variable subsession.oauth.scope.last.jwt.groups

Task 2 - Edit the per-request policy

  1. Return to BIG-IP1’s management interface and navigate to Access >> API Protection >> Profile. Click Profile to modify the previously created API protection Profile (not the + Plus symbol)

  2. Click Edit Under Per-Request Policy

  3. Click the Allow terminal located at the end of the POST /user branch

  4. Select Reject

  5. Click Save

  6. Click the + (Plus Symbol) on the POST /user branch

  7. Click the General Purpose tab

  8. Select Empty

  9. Click Add Item

  10. Enter the name Claim Check

  11. Click the Branch Rules tab

  12. Click Add Branch Rule

  13. Enter the Name CreateUser

  14. Click Change

  15. Click the Advanced tab

  16. Enter the expression from the Note below to restrict access to members of the CreateUser group only. Make sure the " characters are properly formatted after pasting. If they aren’t, simply delete and re-enter them manually.

    Note

    expr {[mcget {subsession.oauth.scope.last.jwt.groups}] contains "CreateUser"}

  17. Click Finished

  18. Click Save

  19. Click Reject on the CreateUser Branch to permit access

  20. Select Allow

  21. Click Save

  22. Review the Policy Flow

Task 3 - Test the Fine-Grained Access Control with user1

  1. From Postman select the request Request 7: Create User

  2. Select the Authorization Tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. The Token field is now populated

  5. Click Send

  6. You receive a 403 Forbidden response status code when using user1. User1 does not contain the proper claim data.

Task 4 - Test the Fine-Grained Access Control with user2

  1. Select the request Request 7: Create User

  2. Select the Authorization tab

  3. Ensure the Token Name is set to user2

  4. Click Get New Access Token

  5. Login using Username: user2, Password: user2

  6. Ensure the User2 Token is selected

  7. Click Use Token at the top right.

  8. The Token field is now populated

  9. Click Send

  10. You receive a 200 OK response status code when using user2. User2 does contain the proper claim data

Section 1.4 - Implement Rate Limiting

The API Protection Profile allows a BIG-IP administrator to throttle the number of requests to an API through the use of Key Names.

Task 1 - Test pre-rate limiting Access

  1. Click the arrow located to the right of the student-class3-module4-lab01 collection.

  2. Click Run

  3. Deselect all requests except Request 3: Retrieve User Attributes with JWT

  4. Set the iterations to 100

  5. Click the blue Run Student-class3-module4-la… button

  6. You receive a 200 OK for every request. Leave Runner open

Task 2 - Define the rate limiting keys

  1. Navigate to API Protection >> Profile. Click Profile to modify the previously created API protection Profile (not the + Plus symbol)

  2. Click api-protection

  3. Click Rate Limiting from the top ribbon

    Note

    The API protection profile's default settings contain five Key Names, but their values are empty. Additional Keys can be created if necessary

  4. Click api-protection_auto_rate_limiting_key1

  5. Enter the Key Value %{subsession.oauth.scope.last.jwt.user}

  6. Click Edit

  7. Click api-protection_auto_rate_limiting_key2

  8. Enter the Key Value %{subsession.oauth.scope.last.jwt.groupid}

  9. Click Edit

  10. Click api-protection_auto_rate_limiting_key3

  11. Enter the Key Value %{subsession.oauth.scope.last.jwt.client}

  12. Click Edit

  13. Click api-protection_auto_rate_limiting_key4

  14. Enter the Key Value %{subsession.oauth.scope.last.jwt.tier}

  15. Click Edit

  16. Click api-protection_auto_rate_limiting_key5

  17. Enter the Key Value %{subsession.oauth.scope.last.jwt.org}

  18. Click Edit

  19. Click Save

Task 3 - Create a Rate Limiting Policy

  1. Click Create in the rate limiting section

  2. Enter the Name acme-rate-limits

  3. Move all five keys under Selected Keys

  4. Enter 10 for the number of requests per minute

  5. Enter 5 for the number requests per second

  6. Click Add.

  7. Click Save

Task 4 - Apply the Rate Limiting Policy

  1. Click Access Control from the ribbon

  2. Click Edit Per Request Policy

  3. Click the + (Plus Symbol) on the Out branch of the OAuth Scope Check AuthZ Macro

  4. Click the Traffic Management tab

  5. Select API Rate Limiting

  6. Click Add Item

  7. Click Add new entry

  8. Select acme-rate-limits

  9. Click Save

  10. Verify the Rate Limiting agent now appears in the appropriate location

Task 5 - Test Rate Limiting

  1. Return to Postman

  2. Click Run Again to rerun the request an additional 100 times.

  3. On the 6th request you begin to receive a 429 Too Many Requests response status code

Section 1.5 - Onboard a New API

Organizations change. With that change, new APIs are introduced that require modifications to the API Gateway. In this section you will learn how to add additional paths.

Task 1 - Verify no access to API

  1. From Postman, select the request Request 9: Create DNS Entry

  2. Select the Authorization tab

  3. Select the previously created User1 token from the Available Tokens dropdown

  4. The Token field is now populated

  5. Click Send

  6. You receive a 403 Forbidden response status code because the new API has not been published at the Gateway.

Task 2 - Add the new API path

  1. From the browser, navigate to API Protection >> Profile. Click Profile to modify the previously created API protection Profile (not the + Plus symbol)

  2. Click api-protection

  3. Click Paths

  4. Click Create

  5. Enter the URI /dns

  6. Select the Method POST

  7. Click Add

  8. Click Save

Task 3 - Test Access to the new path

  1. From Postman, select the request Request 9: Create DNS Entry

  2. You receive a 200 OK response status code, confirming the endpoint is now published.