BIG-IP Access Policy Manager - F5 Networks · PDF fileOverview: Syncing access policies with a Sync-Only device group This implementation describes how to sync access policies from

BIG-IP® Access Policy Manager®: SyncingAccess Policies

Version 11.3

Table of Contents

Legal Notices.....................................................................................................................................5

Chapter 1: Synching Access Policies..................................................................7Overview: Syncing access policies with a Sync-Only device group.........................................8

About device groups and synchronization.....................................................................8

Task summary..........................................................................................................................9

Establishing device trust................................................................................................9

Creating a Sync-Only device group for access policy sync.........................................10

Synchronizing an access policy across devices initially..............................................10

Configuring static resources with access policy sync..................................................11

Configuring dynamic resources with access policy sync.............................................12

Resolving access policy sync conflicts........................................................................12

Implementation result.............................................................................................................13

Acknowledgments..........................................................................................................................15

3

Table of Contents

4

Table of Contents

Legal Notices

Publication Date

This document was published on November 15, 2012.

Publication Number

MAN-0441-00

Copyright

Copyright © 2012, F5 Networks, Inc. All rights reserved.

F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumesno responsibility for the use of this information, nor any infringement of patents or other rights of thirdparties which may result from its use. No license is granted by implication or otherwise under any patent,copyright, or other intellectual property right of F5 except as specifically described by applicable userlicenses. F5 reserves the right to change specifications at any time without notice.

Trademarks

Access Policy Manager, Advanced Client Authentication, Advanced Routing, APM, Application SecurityManager, ARX, AskF5, ASM, BIG-IP, BIG-IQ, Cloud Extender, CloudFucious, Cloud Manager, ClusteredMultiprocessing, CMP, COHESION, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express,DSC, DSI, Edge Client, Edge Gateway, Edge Portal, ELEVATE, EM, Enterprise Manager, ENGAGE, F5,F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass,Global Traffic Manager, GTM, GUARDIAN, IBR, Intelligent Browser Referencing, Intelligent Compression,IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, L7 Rate Shaping,LC, Link Controller, Local Traffic Manager, LTM, Message Security Manager, MSM, OneConnect,OpenBloX, OpenBloX [DESIGN], Packet Velocity, Policy Enforcement Manager, PEM, Protocol SecurityManager, PSM, Real Traffic Policy Builder, Rosetta Diameter Gateway, ScaleN, Signaling DeliveryController, SDC, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, TrafficManagement Operating System, Traffix Diameter Load Balancer, Traffix Systems, Traffix Systems(DESIGN), Transparent Data Reduction, UNITY, VAULT, VIPRION, vCMP, virtual ClusteredMultiprocessing, WA, WAN Optimization Manager, WebAccelerator, WOM, and ZoneRunner, aretrademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be usedwithout F5's express written consent.

All other product and company names herein may be trademarks of their respective owners.

Patents

This product may be protected by U.S. Patent 7,114,180; 8,301,837. This list is believed to be current asof November 15, 2012.

This product may be protected by U.S. Patent 6,311,278. This list is believed to be current as of November15, 2012.

This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289.This list is believed to be current as of November 15, 2012.

This product may be protected by U.S. Patents 6,327,242; 6,374,300; 6,473,802; 6,970,733; 7,051,126;7,102,996; 7,197,661; 7,287,084; 7,916,728; 7,916,730; 7,783,781; 7,774,484; 7,975,025; 7,996,886;

8,004,971; 8,010,668; 8,024,483; 8,103,770; 8,103,809; 8,108,554; 8,112,491; 8,150,957. This list is believedto be current as of November 15, 2012.

This product may be protected by U.S. Patents 6,640,240; 6,772,203; 6,970,733. This list is believed to becurrent as of November 15, 2012.

This product may be protected by U.S. Patents 7,126,955; 7,286,476; 7,882,084; 8,121,117. This list isbelieved to be current as of November 15, 2012.

This product may be protected by U.S. Patents 7,877,511; 7,958,347. This list is believed to be current asof November 15, 2012.

Patents

This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,197,661; 7,287,084;7,975,025; 7,996,886; 8,004,971; 8,010,668; 8,024,483; 8,103,770; 8,108,554; 8,150,957. This list is believedto be current as of November 15, 2012.

Export Regulation Notice

This product may include cryptographic software. Under the Export Administration Act, the United Statesgovernment may consider it a criminal offense to export this product from the United States.

RF Interference Warning

This is a Class A product. In a domestic environment this product may cause radio interference, in whichcase the user may be required to take adequate measures.

FCC Compliance

This equipment has been tested and found to comply with the limits for a Class A digital device pursuantto Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmfulinterference when the equipment is operated in a commercial environment. This unit generates, uses, andcan radiate radio frequency energy and, if not installed and used in accordance with the instruction manual,may cause harmful interference to radio communications. Operation of this equipment in a residential areais likely to cause harmful interference, in which case the user, at his own expense, will be required to takewhatever measures may be required to correct the interference.

Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authorityto operate this equipment under part 15 of the FCC rules.

Canadian Regulatory Compliance

This Class A digital apparatus complies with Canadian ICES-003.

Standards Compliance

This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable toInformation Technology products at the time of manufacture.

6

Legal Notices

Chapter

1

Synching Access Policies

Topics:

• Overview: Syncing access policies with aSync-Only device group

• Task summary• Implementation result

Overview: Syncing access policies with a Sync-Only device group

This implementation describes how to sync access policies from one BIG-IP® Access Policy Manager®

device to another Access Policy Manager device, or to multiple devices in a device group. This allows youto maintain up-to-date access policies on multiple Access Policy Manager devices, while adjusting appropriatesettings for objects that are specific to device locations.

To synchronize access policies between multiple devices, you configure a Sync-Only device group, whichincludes the devices between which you want to synchronize access policies. Device group setup requiresestablishing trust relationships between devices and creating a device group. You set the devices in eachgroup to use Automatic Sync, and then synchronize access policies one at a time, resolving conflicts asyou go, .

Attention: Sync-Only groups must be configured before you pair Active-Standby devices. To addan Active-Standby device pair to a Sync-Only device group, first you must reset the trust betweenthe devices. Next, you must remove the devices from the Sync-Failover device group. Next, you mustadd both devices to a Sync-Only device group. Finally, add the devices as an Active-Standby pairto the Sync-Failover group.

About device groups and synchronization

When you have more than one BIG-IP® device in a local trust domain, you can synchronize BIG-IPconfiguration data among those devices by creating a device group. A device group is a collection of BIG-IPdevices that trust each other and synchronize their BIG-IP configuration data. If you want to exclude certaindevices from ConfigSync, you can simply exclude them from membership in that particular device group.

You can synchronize some types of data on a global level across all BIG-IP devices, while synchronizingother data in a more granular way, on an individual application level to a subset of devices.

Important: To configure redundancy on a device, you do not need to explicitly specify that youwant the BIG-IP device to be part of a redundant configuration. Instead, this occurs automaticallywhen you add the device to an existing device group.

Before you configure device trust

Before you configure device trust, you should consider the following:

• Only version 11.x or later systems can join the local trust domain.• You can manage device trust when logged in to a certificate signing authority only. You cannot manage

device trust when logged in to a subordinate non-authority device.• If you reset trust authority on a certificate signing authority by retaining the authority of the device, you

must subsequently recreate the local trust domain and the device group.• As a best practice, you should configure the ConfigSync and mirroring addresses on a device before

you add that device to the trust domain.• You must configure DNS on all systems.• You must configure NTP on all systems, preferably to the same NTP server.

8


Task summary

The configuration process for a BIG-IP® system entails configuring a Sync-Only device group, syncingaccess policies to a device group, and resolving conflicts caused by location-specific and dynamic resources.You must pre-configure a device group to sync access policies to multiple systems.

Establishing device trust

Creating a Sync-Only device group for access policy sync

Synchronizing an access policy across devices initially

Configuring static resources with access policy sync

Configuring dynamic resources with access policy sync

Resolving access policy sync conflicts

Establishing device trust

Before you begin this task, verify that:

• Each BIG-IP® device that is to be part of the local trust domain has a device certificate installed on it.• The local device is designated as a certificate signing authority.

You perform this task to establish trust among devices on one or more network segments. Devices that trusteach other constitute the local trust domain. A device must be a member of the local trust domain prior tojoining a device group.

By default, the BIG-IP software includes a local trust domain with one member, which is the local device.You can choose any one of the BIG-IP devices slated for a device group and log into that device to addother devices to the local trust domain. For example, devices A, B, and C each initially shows only itself asa member of the local trust domain. To configure the local trust domain to include all three devices, youcan simply log into device A and add devices B and C to the local trust domain. Note that there is no needto repeat this process on devices B and C.

1. On the Main tab, click Device Management > Device Trust, and then either Peer List or SubordinateList.

2. Click Add.

3. Type an IP address, administrator user name, and administrator password for the remote BIG-IP® device.

This IP address can be either a management IP address or a self IP address.

4. Click Retrieve Device Information.

5. Verify that the certificate of the remote device is correct.

6. Verify that the name of the remote device is correct.

7. Verify that the management IP address and name of the remote device are correct.

8. Click Finished.

The device you added is now a member of the local trust domain.

Repeat this task for each device that you want to add to the local trust domain.

9

BIG-IP® Access Policy Manager®: Syncing Access Policies

Creating a Sync-Only device group for access policy sync

You perform this task to create a Sync-Only type of device group. When you create a Sync-Only devicegroup, the BIG-IP system can then automatically synchronize certain types of data such as security policiesto the other devices in the group, even when some of those devices reside in another network. You canperform this task on any BIG-IP® device within the local trust domain.

Important: When you sync access policies from one device to another, you can only select a devicegroup to which to sync an access policy, if the device group is with the settings specified in thistask.

1. On the Main tab, click Device Management > Device Groups.

2. On the Device Groups list screen, click Create.The New Device Group screen opens.

3. Type a name for the device group, select the device group type Sync-Only, and type a description forthe device group.

4. For the Members setting, select an IP address and host name from the Available list for each BIG-IPdevice that you want to include in the device group. Use the Move button to move the host name to theIncludes list.

The list shows any devices that are members of the device's local trust domain.

5. For the Automatic Sync setting, select the Enabled check box.

6. Click Finished.

You now have a Sync-Only type of device group containing BIG-IP devices as members.

Attention: Sync-Only groups must be configured before you pair Active-Standby devices. To addan Active-Standby device pair to a Sync-Only device group, first reset the trust between the devices.Next, remove the devices from the Sync-Failover device group. Then add both devices to a Sync-Onlydevice group. Finally, add the devices as an Active-Standby pair to the Sync-Failover group.

Synchronizing an access policy across devices initially

After you set up a sync-only device group for your Access Policy Manager devices, you can sync an accesspolicy from one device to other devices in the group. You can perform an access policy sync from anydevice in the group.

1. On the Main tab, click Access Policy > Access Profiles > Policy Sync.A list of access policies and related sync status information opens. The sync status is either:

Policies with no sync pendingNo synchronization is currently in progress for access policies on this list.

Policies with sync pendingA synchronization is in progress for these access policies. Select an access policy from this list to viewthe Sync Details or Resolve Conflicts panel for it.

2. Select an access policy and click the Sync Access Policy button.The Policy Sync screen opens.

3. From the Device Group list, select the device group to which to sync the access policy.

This list displays only Sync-Only device groups with automatic sync enabled.

10


4. In the Description field, type a description of the reason for the access policy sync operation.

5. From the Ignore errors due to Variable Assign Agent during sync list, select whether to ignore errorscaused by syncing the variable assign agent.

Note: If the access policy includes a Variable Assign action, errors occur when resources aremissing from the target device. If you select Yes, you might need to manually configure theresources on the target device.

6. Click Sync.The sync process begins.

The access policy is synced between devices in the device group.

Attention: An access policy sync operation takes 25-30 seconds, depending on the number ofdevices.

Configuring static resources with access policy sync

A BIG-IP Access Policy Manager may exist in a different physical location from another BIG-IP in thesame device group, and may use different resources that are specific to that location or local network. Forexample, different authentication servers might exist in each location. Configure static resources to set thesestatic resources for devices in different locations.

1. On the Main tab, click Access Policy > Access Profiles > Policy Sync.If policies are present and configured for sync, a list of access policies and related sync status informationopens.


3. Click the Advanced Settings button, then click Static Resources.The list displays a name, type, and Location Specific check box for each resource. You might need toconfigure a location-specific resource differently on a remote system. With the Location Specific checkbox selected, the first time a resource is synced as part of a policy, you must resolve its configurationon the remote system. Subsequent access policy sync operations do not modify a previously syncedlocation-specific resource.

Important: Many resource types are marked as location-specific by default. If a resource isnot location-specific in this configuration, clear the Location Specific check box.

4. Click the OK button.The APM Policy Sync screen is displayed.

5. Click the Sync button.


If this is the first time you sync a policy with location-specific resources, or you have added location-specificresources to the policy sync operation, you must resolve the location-specific issues on each affected targetsystem.

11


Configuring dynamic resources with access policy sync

When access policies are configured with the Variable Assign action, some dynamically assigned resourcesmay not be available on sync target machines. You can specify that such resources are included in a policysync operation and will be created on the target devices.

1. On the Main tab, click Access Policy > Access Profiles > Policy Sync.A list of access policies and related sync status information opens.


3. Click the Advanced Settings button, then click Dynamic Resources.The list displays a name, type, Dynamic Resource, and Location Specific check box for each resource.

4. Select the dynamic resources by clicking the check boxes.

5. Click the OK button.The APM Policy Sync screen is displayed.

6. Click the Sync button.


Resolve the location-specific issues on each affected target system.

Resolving access policy sync conflicts

After you sync an access policy, you might need to resolve conflicts on the target devices. Conflicts occurwhen an access policy contains new location-specific resources.

1. On a target system that requires conflicts to be resolved, on the Main tab, click Access Policy > AccessProfiles > Policy Sync.A list of access policies and related sync status information opens.

2. From the Policies with Sync Pending list, select an access policy for which you want to resolve conflicts.If conflicts exist, the Resolve Conflicts panel displays one entry and an Unresolved link for eachlocation-specific or dynamic resource that is in conflict.

3. Click an Unresolved link.A popup window opens displaying two panes.

• A navigation pane with one or more groups of settings. In the navigation pane, an icon indicates thatdata is required.

• A data entry pane in which you can type or select values. The data entry pane displays the valuesfrom the source device, with labels for required fields asterisked (*) and filled with yellow.

4. Select a group of settings from the left pane, and type or select the required information in the right paneuntil you have added the required information.

You can fill in the required information only, or any other information and settings you wish to configure.

In the navigation pane, an icon indicates that required information for a group of settings is complete.

5. Click the OK button.The popup window closes. If no more Unresolved links remain, the Finish button is active.

6. After you resolve all conflicts, click the Finish button.

Access Policy Manager creates the resolved access policy on the device. After sync is completed on alltarget devices, sync status on the source device will be updated to Sync completed.

12


About ignoring errors due to the Variable Assign agent

The Ignore errors due to Variable Assign Agent during sync setting affects system behavior only whena Variable Assign agent is included in an access policy, and the Variable Assign agent uses resources.

Important: The user name and password fields are not considered to be resources.

If you set Ignore errors due to Variable Assign Agent during sync to Yes:

• If you do not select any dynamic resources, after the policy sync completes you must create all neededresources on each target system.

• If you select the appropriate dynamic resources, after the policy sync completes, you must resolve anyconflicts that exist on the target systems. If you do not select all the dynamic resources that are required,you must create them on each target system.

If you set Ignore errors due to Variable Assign Agent during sync to No:

• If you do not select any dynamic resources, an error is displayed and the policy sync does not start.• If you select the appropriate dynamic resources, after the policy sync completes, you must resolve any

conflicts that exist on the target systems.

Implementation result

To summarize, you now have synchronized access policies between devices in a sync-only device group.

Understanding sync details

On the Sync Details tab, you can see sync status for an access policy.

DescriptionColumn

The specific device to which the access policy wassynced.

Device

One of the following:Sync Status

• Sync initiated - This status indicates that thesync is in progress, initiated from this device.

• Sync Completed - This status indicates that thesync completed successfully to the specifieddevice.

• Not available - This status indicates that thedevice to which the sync was initiated was notavailable, or not available yet.

• Sync cancelled - This status indicates that thesync was cancelled before it could complete tothe specified device.

• User Changes Failed - This status indicatesthat policy creation failed after the administratorresolved the conflicts. Sync success is set toStandby.

13


DescriptionColumn

• Pending location specific updates -This status indicates that the access policy on thespecified device requires updates because ofconflicts due to location-specific information.Resolve the conflicts to complete the syncsuccessfully.

The time at which the last status entry completed onthe specific device.

Status End Time

More information about the Sync Status for a specificdevice.

Sync Status Details

Understanding sync history

On the Sync History tab, you can see the sync history for an access policy.

DescriptionColumn

The last time a sync was initiated for this accesspolicy.

Last sync

The outcome of the last sync for this access policy.Last Sync Status

The device group to which the access policy wassynced.

Device Group

A clickable icon that presents information about thesync operation for the device group.

Description

An access policy was created with certain resourceswhich the sync process indicates are not

Non Location Specific Objects

location-specific, but that may in fact belocation-specific on the target device. This columnlists such objects, which you can then verify bychecking the objects on the remote systems, andmodifying if necessary.

14


Acknowledgments

This product includes software developed by Gabriel Forté.

This product includes software developed by Bill Paul.

This product includes software developed by Jonathan Stone.

This product includes software developed by Manuel Bouyer.

This product includes software developed by Paul Richards.

This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

This product includes software developed by the Politecnico di Torino, and its contributors.

This product includes software developed by the Swedish Institute of Computer Science and its contributors.

This product includes software developed by the University of California, Berkeley and its contributors.

This product includes software developed by the Computer Systems Engineering Group at the LawrenceBerkeley Laboratory.

This product includes software developed by Christopher G. Demetriou for the NetBSD Project.

This product includes software developed by Adam Glass.

This product includes software developed by Christian E. Hopps.

This product includes software developed by Dean Huxley.

This product includes software developed by John Kohl.

This product includes software developed by Paul Kranenburg.

This product includes software developed by Terrence R. Lambert.

This product includes software developed by Philip A. Nelson.

This product includes software developed by Herb Peyerl.

This product includes software developed by Jochen Pohl for the NetBSD Project.

This product includes software developed by Chris Provenzano.

This product includes software developed by Theo de Raadt.

This product includes software developed by David Muir Sharnoff.

This product includes software developed by SigmaSoft, Th. Lockert.

This product includes software developed for the NetBSD Project by Jason R. Thorpe.

This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com.

This product includes software developed for the NetBSD Project by Frank Van der Linden.

This product includes software developed for the NetBSD Project by John M. Vinopal.

This product includes software developed by Christos Zoulas.

This product includes software developed by the University of Vermont and State Agricultural College andGarrett A. Wollman.

This product includes software developed by Balazs Scheidler ([email protected]), which is protected underthe GNU Public License.

This product includes software developed by Niels Mueller ([email protected]), which is protected underthe GNU Public License.

In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developedby Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operatingsystems includes mainly non-profit oriented systems for research and education, including but not restrictedto NetBSD, FreeBSD, Mach (by CMU).

This product includes software developed by the Apache Group for use in the Apache HTTP server project(http://www.apache.org/).

This product includes software licensed from Richard H. Porter under the GNU Library General PublicLicense (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.

This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997,1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standardversion of Perl at http://www.perl.com.

This product includes software developed by Jared Minch.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product contains software based on oprofile, which is protected under the GNU Public License.

This product includes software with glib library utility functions, which is protected under the GNU PublicLicense.

This product includes software with grub2 bootloader functions, which is protected under the GNU PublicLicense.

This product includes software with the Intel Gigabit Linux driver, which is protected under the GNU PublicLicense. Copyright ©1999 - 2012 Intel Corporation.

This product includes software with the Intel 10 Gigabit PCI Express Linux driver, which is protected underthe GNU Public License. Copyright ©1999 - 2012 Intel Corporation.

This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html)and licensed under the GNU General Public License.

This product contains software licensed from Dr. Brian Gladman under the GNU General Public License(GPL).

This product includes software developed by the Apache Software Foundation (http://www.apache.org/).

This product includes Hypersonic SQL.

This product contains software developed by the Regents of the University of California, Sun Microsystems,Inc., Scriptics Corporation, and others.

This product includes software developed by the Internet Software Consortium.

This product includes software developed by Nominum, Inc. (http://www.nominum.com).

This product contains software developed by Broadcom Corporation, which is protected under the GNUPublic License.

This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser GeneralPublic License, as published by the Free Software Foundation.

This product includes software under license from Qosmos (www.qosmos.com).

This product includes software developed by Andrew Tridgell, which is protected under the GNU PublicLicense, copyright ©1992-2000.

16

Acknowledgments

This product includes software developed by Jeremy Allison, which is protected under the GNU PublicLicense, copyright ©1998.

This product includes software developed by Guenther Deschner, which is protected under the GNU PublicLicense, copyright ©2008.

This product includes software developed by www.samba.org, which is protected under the GNU PublicLicense, copyright ©2007.

This product includes software from Allan Jardine, distributed under the MIT License.

This product includes software from Trent Richardson, distributed under the MIT License.

This product includes vmbus drivers distributed by Microsoft Corporation.

This product includes software from Cavium.

This product includes software from Webroot, Inc.

This product includes software from Maxmind, Inc.

This product includes software licensed from www.samba.org under the GNU Library General PublicLicense.

This product includes software from OpenVision Technologies, Inc. Copyright ©1993-1996, OpenVisionTechnologies, Inc. All Rights Reserved.

This product includes software developed by Matt Johnson, distributed under the MIT License. Copyright©2012.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associateddocumentation files (the "Software"), to deal in the Software without restriction, including without limitationthe rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portionsof the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THEAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHERLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS INTHE SOFTWARE.

This product includes software from NLnetLabs. Copyright ©2005, 2006. All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted providedthat the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of NLnetLabs nor the names of its contributors may be used to endorse or promoteproducts derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BELIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

17


CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OFSUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER INCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISINGIN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITYOF SUCH DAMAGE.

This product includes GRand Unified Bootloader (GRUB) software developed under the GNU PublicLicense, copyright ©2007.

This product includes Intel QuickAssist kernel module, library, and headers software licensed under theGNU General Public License (GPL).

This product includes gd-libgd library software developed by the following in accordance with the followingcopyrights:

• Portions copyright ©1994, 1995, 1996, 1997, 1998, 2000, 2001, 2002 by Cold Spring Harbor Laboratory.Funded under Grant P41-RR02188 by the National Institutes of Health.

• Portions copyright ©1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc.• Portions relating to GD2 format copyright ©1999, 2000, 2001, 2002 Philip Warner.• Portions relating to PNG copyright ©1999, 2000, 2001, 2002 Greg Roelofs.• Portions relating to gdttf.c copyright ©1999, 2000, 2001, 2002 John Ellson ([email protected]).• Portions relating to gdft.c copyright ©2001, 2002 John Ellson ([email protected]).• Portions copyright ©2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 2008 Pierre-Alain Joye

([email protected]).• Portions relating to JPEG and to color quantization copyright ©2000, 2001, 2002, Doug Becker and

copyright ©1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software isbased in part on the work of the Independent JPEG Group.

• Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande.Permission has been granted to copy, distribute and modify gd in any context without fee, including acommercial application, provided that this notice is present in user-accessible supporting documentation.

This product includes software developed by Oracle America, Inc. Copyright ©2012.

1. Java Technology Restrictions. Licensee shall not create, modify, change the behavior of, or authorizelicensees of ;icensee to create, modify, or change the behavior of, classes, interfaces, or subpackagesthat are in any way identified as "java", "javax”, "sun" or similar convention as specified by Oracle inany naming convention designation. In the event that Licensee creates an additional API(s) which: (a)extends the functionality of a Java Environment; and (b) is exposed to third party software developersfor the purpose of developing additional software which invokes such additional API, Licensee mustpromptly publish broadly an accurate specification for such API for free use by all developer.

2. Trademarks and Logos. This License does not authorize an end user licensee to use any Oracle America,Inc. name, trademark, service mark, logo or icon. The end user licensee acknowledges that Oracle ownsthe Java trademark and all Java-related trademarks, logos and icon including the Coffee Cup and Duke("Java Marks") and agrees to: (a) comply with the Java Trademark Guidelines athttp://www.oraclc.com/html/3party.html; (b) not do anything harmful to or inconsistent with Oracle'srights in the Java Marks; and (c) assist Oracle in protecting those rights, including assigning to Oracleany rights acquired by Licensee in any Java Mark.

3. Source Code. Software may contain source code that, unless expressly licensed for other purposes, isprovided solely for reference purposes pursuant to the terms of your license. Source code may not beredistributed unless expressly provided for in the terms of your license.

4. Third Party Code. Additional copyright notices and license terms applicable to portion of the Softwareare set forth in the THIRDPARTYLICENSEREADME.txt file.

5. Commercial Features. Use of the Commercial Features for any commercial or production purposerequires a separate license from Oracle. "Commercial Features" means those features identified in Table

18

Acknowledgments

I-I (Commercial Features In Java SE Product Editions) of tile Software documentation accessible athttp://www.oracle.com/technetwork/java/javase/documentation/index.html.

This product includes utilities developed by Linus Torvalds for inspecting devices connected to a USB bus.

This product includes perl-PHP-Serialization software, developed by Jesse Brown, copyright ©2003, anddistributed under the Perl Development Artistic License (http://dev.perl.org/licenses/artistic.html).

This product includes software developed by members of the CentOS Project under the GNU Public License,copyright ©2004-2011 by the CentOS Project.

This product includes software developed by members of the OpenJDK Project under the GNU PublicLicense Version 2, copyright ©2012 by Oracle Corporation.

This product includes software developed by The VMWare Guest Components Team under the GNU PublicLicense Version 2, copyright ©1999-2011 by VMWare, Inc.

This product includes software developed by The Netty Project under the Apache Public License Version2, copyright ©2008-2012 by The Netty Project.

This product includes software developed by Stephen Colebourne under the Apache Public License Version2, copyright ©2001-2011 Joda.org.

This product includes software developed by the GlassFish Community under the GNU Public LicenseVersion 2 with classpath exception, copyright ©2012 Oracle Corporation.

This product includes software developed by the Mort Bay Consulting under the Apache Public LicenseVersion 2, copyright ©1995-2012 Mort Bay Consulting.

This product contains software developed by members of the Jackson Project under the GNU Lesser GeneralPublic License Version 2.1, ©2007 – 2012 by the Jackson Project”.

This product contains software developed by QOS.ch under the MIT License, ©2004 – 2011 by QOS.ch.

This product includes software licensed from Gerald Combs ([email protected]) under the GNU GeneralPublic License as published by the Free Software Foundation; either version 2 of the License, or any laterversion. Copyright ©1998 Gerald Combs.

This product includes software developed by Daniel Stenberg. Copyright ©1996 - 2012, Daniel Stenberg,([email protected]). All rights reserved.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is herebygranted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS ORIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OROTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THEUSE OR OTHER DEALINGS IN THE SOFTWARE.

Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwiseto promote the sale, use or other dealings in this Software without prior written authorization of the copyrightholder.

This product includes software licensed from Rémi Denis-Courmont under the GNU Library General PublicLicense. Copyright ©2006 - 2011.

This product includes software developed by jQuery Foundation and other contributors, distributed underthe MIT License. Copyright ©2012 jQuery Foundation and other contributors (http://jquery.com/).

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associateddocumentation files (the "Software"), to deal in the Software without restriction, including without limitation

19


the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software,and to permit persons to whom the Software is furnished to do so, subject to the following conditions:



This product includes software developed by Trent Richardson, distributed under the MIT License. Copyright©2012 jQuery Foundation and other contributors (http://jquery.com/).




This product includes software developed by Allan Jardine, distributed under the MIT License. Copyright©2008 - 2012, Allan Jardine, all rights reserved, jQuery Foundation and other contributors(http://jquery.com/).




This product includes software developed by Douglas Gilbert. Copyright ©1992 - 2012 The FreeBSDProject. All rights reserved.


1. Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

20

Acknowledgments

2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT `ÀS IS'' AND ANY EXPRESS ORIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NOEVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and shouldnot be interpreted as representing official policies, either expressed or implied, of the FreeBSD Project.

This product includes software developed as open source software. Copyright ©1994 - 2012 The FreeBSDProject. All rights reserved.




3. The names of the authors may not be used to endorse or promote products derived from this softwarewithout specific prior written permission.

THIS SOFTWARE IS PROVIDED `ÀS IS'' AND WITHOUT ANY EXPRESS OR IMPLIEDWARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OFMERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

This product includes cryptographic software written by Eric Young ([email protected]). Copyright ©1998- 2011 The OpenSSL Project. All rights reserved.




3. All advertising materials mentioning features or use of this software must display the followingacknowledgment: "This product includes software developed by the OpenSSL Project for use in theOpenSSL Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote productsderived from this software without prior written permission. For written permission, please [email protected].

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in theirnames without prior written permission of the OpenSSL Project.

6. Redistributions of any form whatsoever must retain the following acknowledgment: "This productincludes software developed by the OpenSSL Project for use in the OpenSSL Toolkit(http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `ÀS IS'' AND ANY EXPRESSED ORIMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

21


MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NOEVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software licensed from William Ferrell, Selene Scriven and many other contributorsunder the GNU General Public License, copyright ©1998 - 2006.

This product includes software developed by Thomas Williams and Colin Kelley. Copyright ©1986 - 1993,1998, 2004, 2007

Permission to use, copy, and distribute this software and its documentation for any purpose with or withoutfee is hereby granted, provided that the above copyright notice appear in all copies and that both thatcopyright notice and this permission notice appear in supporting documentation. Permission to modify thesoftware is granted, but not the right to distribute the complete modified source code. Modifications are tobe distributed as patches to the released version. Permission to distribute binaries produced by compilingmodified sources is granted, provided you

1. distribute the corresponding source modifications from the released version in the form of a patch filealong with the binaries,

2. add special version identification to distinguish your version in addition to the base release versionnumber,

3. provide your name and address as the primary contact for the support of your modified version, and4. retain our contact information in regard to use of the base software.

Permission to distribute the released version of the source code along with corresponding source modificationsin the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This softwareis provided "as is" without express or implied warranty to the extent permitted by applicable law.

This product includes software developed by Brian Gladman, Worcester, UK Copyright ©1998-2010. Allrights reserved. The redistribution and use of this software (with or without changes) is allowed withoutthe payment of fees or royalties provided that:

• source code distributions include the above copyright notice, this list of conditions and the followingdisclaimer;

• binary distributions include the above copyright notice, this list of conditions and the following disclaimerin their documentation.

This software is provided 'as is' with no explicit or implied warranties in respect of its operation, including,but not limited to, correctness and fitness for purpose.

This product includes software developed by the Computer Systems Engineering Group at LawrenceBerkeley Laboratory. Copyright ©1990-1994 Regents of the University of California. All rights reserved.Redistribution and use in source and binary forms, with or without modification, are permitted providedthat the following conditions are met:



3. All advertising materials mentioning features or use of this software must display the followingacknowledgment: This product includes software developed by the Computer Systems EngineeringGroup at Lawrence Berkeley Laboratory.

22

Acknowledgments

4. Neither the name of the University nor of the Laboratory may be used to endorse or promote productsderived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANYEXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AREDISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANYDIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED ANDON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THISSOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes software developed by Sony Computer Science Laboratories Inc. Copyright ©

1997-2003 Sony Computer Science Laboratories Inc. All rights reserved. Redistribution and use in sourceand binary forms, with or without modification, are permitted provided that the following conditions aremet:



THIS SOFTWARE IS PROVIDED BY SONY CSL AND CONTRIBUTORS "AS IS" AND ANY EXPRESSOR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIESOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. INNO EVENT SHALL SONY CSL OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUTNOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORYOF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDINGNEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product contains software developed by Google, Inc. Copyright ©2011 Google, Inc.




This software incorporates JFreeChart, ©2000-2007 by Object Refinery Limited and Contributors.

This product contains software developed by the Mojarra project. Source code for the Mojarra softwaremay be obtained at https://javaserverfaces.dev.java.net/.

This product includes software developed by McAfee®.

23


This product includes software developed by Ian Gulliver ©2006, which is protected under the GNU GeneralPublic License, as published by the Free Software Foundation.

This product contains software developed by the RE2 Authors. Copyright ©2009 The RE2 Authors. Allrights reserved. Redistribution and use in source and binary forms, with or without modification, are permittedprovided that the following conditions are met:

• Redistributions of source code must retain the above copyright notice, this list of conditions and thefollowing disclaimer.

• Redistributions in binary form must reproduce the above copyright notice, this list of conditions and thefollowing disclaimer in the documentation and/or other materials provided with the distribution.

• Neither the name of Google Inc. nor the names of its contributors may be used to endorse or promoteproducts derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THEIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSEARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BELIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, ORCONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OFSUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESSINTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER INCONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISINGIN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITYOF SUCH DAMAGE.

This product includes the Zend Engine, freely available at http://www.zend.com.

This product includes software developed by Digital Envoy, Inc.

This product contains software developed by NuSphere Corporation, which is protected under the GNULesser General Public License.

This product contains software developed by Erik Arvidsson and Emil A Eklund.

This product contains software developed by Aditus Consulting.

This product contains software developed by Dynarch.com, which is protected under the GNU LesserGeneral Public License, version 2.1 or later.

This product contains software developed by InfoSoft Global (P) Limited.

This product includes software written by Steffen Beyer and licensed under the Perl Artistic License andthe GPL.

This product includes software written by Makamaka Hannyaharamitu ©2007-2008.

Rsync was written by Andrew Tridgell and Paul Mackerras, and is available under the GNU Public License.

This product includes Malloc library software developed by Mark Moraes. (©1988, 1989, 1993, Universityof Toronto).

This product includes open SSH software developed by Tatu Ylonen ([email protected]), Espoo, Finland(©1995).

This product includes open SSH software developed by Niels Provos (©1999).

This product includes SSH software developed by Mindbright Technology AB, Stockholm, Sweden,www.mindbright.se, [email protected] (©1998-1999).

This product includes free SSL software developed by Object Oriented Concepts, Inc., St. John's, NF,Canada, (©2000).

24

Acknowledgments

This product includes software developed by Object Oriented Concepts, Inc., Billerica, MA, USA (©2000).

This product includes free software developed by ImageMagick Studio LLC (©1999-2011).

This product includes software developed by Bob Withers.

This product includes software developed by Jean-Loup Gaily and Mark Adler.

This product includes software developed by Markus FXJ Oberhumer.

This product includes software developed by Guillaume Fihon.

This product includes QPDF software, developed by Jay Berkenbilt, copyright ©2005-2010, and distributedunder version 2 of the OSI Artistic License (http://www.opensource.org/licenses/artistic-license-2.0.php).

25


26

Acknowledgments

Index

A

access policies 8resolving conflicts 12

access policyconfiguring dynamic resources for sync 12configuring static resources for sync 11initial sync 10

access policy syncconfiguring 9described 8result of 13

authority devicesand device trust 8

automatic synchronizationenabling 10

B

BIG-IP versionsand device trust 8

C

configuration data, synchronizing 8conflicts

resolving between devices 12

D

device discoveryfor device trust 9

device groupsand synchronizing configuration data 8creating 10

device trustestablishing 9managing 8resetting 8

DNSconfiguring 8

dynamic resourcesignoring errors 13

I

ignoring errorsdue to Variable Assign agent 13

L

local trust domainand device groups 10defined 9joining 8

location-specific resourcesresolving conflicts 12

N

NTPconfiguring 8

R

resolving conflicts between devices 12

S

synchronizingaccess policies 10access policies with dynamic resources 12access policies with static resources 11

syncingaccess policies 9

syncing an access policy 10configuring dynamic resources 12configuring static resources 11

sync-onlysyncing access policies 8

Sync-Only device groupscreating for access policy sync 10

T

trust domains, See local trust domaintrust relationships

establishing 8

V

variable assign actionsyncing acess policies 12

X

x509 certificatesfor device trust 9

27

Index

28

Index

Documents

BIG-IP Access Policy Manager - F5 Networks · PDF fileOverview: Syncing access policies with a Sync-Only device group This implementation describes how to sync access policies from