iRule configurations for the F5 load balancer for CA PAM functionality

Discussion created by MWNiebuhr Employee on Apr 20, 2012
Latest reply on Sep 12, 2012 by dean.berry
Please note that the F5 load balancer is not certified to work with CA Process Automation, but has been setup by our services team at various locations. The below is what was found to be the necessary iRules configuration for Process Automation to work with a F5 load balancer.
This is by no means a complete how to. For assistance with F5 setup please contact your F5 administrator or engage your account team to get Services involvement.

This weekend I was able to get PAM 3.1 SP1 working with an F5. The F5 version is “BIG-IP 10.1.0 Build 3341.0 Final”.
Here are the steps to configure it:

In the F5 management interface, create an entry for each PAM cluster machine in the nodes section.
Create a pool and make the PAM nodes members of the pool.
Create a PAM Virtual Server and make the PAM pool the default pool.
Create the following iRule, which is the equivalent of in apache:

set PAMPOOL "[MyPool]"
set PRIMARY "[PrimaryIP]"
set PRIMPORT "[PrimaryPort]"
switch -glob [HTTP::uri] {
"/jmx-console*" { pool $PAMPOOL }
"/web-console*" { pool $PAMPOOL }
"/itpam*" { pool $PAMPOOL }
"/c2orepository/oasisHelp*" { pool $PAMPOOL }
"/c2orepository/htmlFile/aboutUs/*" { pool $PAMPOOL }
"/c2orepository/htmlFile/language/*" { pool $PAMPOOL }
"/itpam/ServerConfigurationRequestServlet" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/MirroringRequestProcessor*" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/c2orepository/*" { pool $PAMPOOL }
"/mirroringrepository*" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/StartAgent*" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/OasisPrimary" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/c2orepository/htmlFile/installation/*" { pool $PAMPOOL }
"/itpam/ServerConfigurationRequestServlet" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/AgentConfigurationRequestServlet" { pool $PAMPOOL }
"/birt/*" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/JNLPRequestProcessor*" { pool $PAMPOOL }
"/itpam/JNLPRequestProcessor/installation" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/c2orepository/media*" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/c2orepository/thirdParty*" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/clientproxy/c2oresourceaction" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
"/itpam/clientproxy/c2oreportaction" { pool $PAMPOOL member $PRIMARY $PRIMPORT }
default { pool $PAMPOOL }

Be sure to set the variables at the top to your own variables.

Note that the language used for iRules is TCL.

Associate this iRule with the Virtual Server (Resources tab).
Prepare to install PAM by changing your hosts file to point the F5 LB name to an active web server somewhere.

I still have do this in order to get the primary DO installed because, by default, the F5 virtual host doesn’t respond to the HTTP GET request that the installer issues; it returns a page cannot be found error.

There may be a pre-existing interface on the F5 that responds to http requests, but I don’t have the bandwidth to look into this at the moment. Note that the management interface appears to only be available via https, at least by default. If anyone comes up with a solution for this, please let us know.
Install PAM as you normally would.

Note that I occasionally ran into some cases where the load balancing stopped working for some reason; this even occurred before the introduction of the iRules. If you run into this problem, try enabling/disabling the nodes or the Virtual Server. You may also need to remove the nodes from the pool and/or remove the pool from the virtual server. We’re not sure why this happens; possibly a newer version of the F5 software would fix this issue.