Use F5 reverse proxy with Service Manager Service Portal

This section describes the steps to configure an F5 hardware load balancer as a reverse proxy for a single instance of Service Manager Service Portal.

The configuration consists of two parts: the Service Manager Service Portal server, and the F5 server. A tool (f5_reverse_proxy) is provided to automate the configuration required on the Service Manager Service Portal server, and example configuration files are also provided for the configuration required on the F5 server.

Additionally, the tool can regenerate self-signed SSL certificates when configured to do so and replace the out-of-box certificate files with the new files. If you want to use your own certificates, you can choose to skip regenerating certificates when running the tool.

The following configurations are required to use F5 reverse proxy with Service Manager Service Portal.

On the Service Manager Service Portal Server

You can use the f5_reverse_proxy tool to change the proxy configuration of a single instance of Service Manager Service Portal.

Prerequisites

  • You have Ansible 2.2.0.0 and Linux nslookup installed in your Service Manager Service Portal environment.

  • You already have a “propel” user created and you have granted this user sudo permission. Note that you must run the provided tool as the “propel” user, and you will be prompted for its password.

  • You know the Service Manager Service Portal server FQDN (<Service_Portal_FQDN>) and the F5 server FQDN (<F5_FQDN>). The F5 FQDN is the virtual server FQDN.

This tool will perform the following three major steps.

  1. Replace the Service Manager Service Portal server FQDN in configuration files with the F5 FQDN.

  2. Modify the iptables file and configuration files to map the microservice ports to the URLs needed by the F5 reverse proxy.

  3. (Optional) Regenerate certificates based on the F5 FQDN and overwrite the original certificates.

Note This tool removes the Drop rule from the Service Manager Service Portal iptables file. If the Drop rule is required in your environment, you can add it back afterwards.

To run this tool, follow these steps:

  1. Log in to the Service Manager Service Portal server as “propel”.

    Note If you are already logged in as another user, change to the “propel” user.

  2. Configure the network connectivity:

    # ssh-keygen -t rsa -f ~/.ssh/id_rsa
    # ssh-copy-id propel@<Service_Portal_FQDN>
    
  3. Run this script:

    # cd /opt/hp/propel/adminUtil/f5_reverse_proxy
    # ./f5_reverse_proxy.sh --sp-host <Service_Portal_FQDN> --f5-host <F5_FQDN> [other_options]
    

    The --sp-host and --f5-host parameters are mandatory, and the other options may or may not be required:

    • --cert-gen: Use this option to generate self-signed SSL certificates.
    • --no-change-host: Use this option when the previous script execution failed but the log file shows that the first part of the script (replacing the Service Manager Service Portal FQDN with the F5 FQDN) completed successfully. In this case, you MUST use this option so that the script resumes from the second part (changing the proxy).
    • --no-change-proxy: Use this option to skip the second part (changing the proxy) of the script.

    Note The script log file is located in the f5_reverse_proxy/log folder.

  4. After the script is finished, do the following:

    • If you did not use the --cert-gen option: Replace the out-of-box certificates in Service Manager Service Portal with your own SSL certificate files (generated for the F5 host name) by copying them, using exactly the following file names, to the following locations:

      • The key: /opt/hp/propel/security/propel_host.key.rsa

      • The certificate: /opt/hp/propel/security/propel_host.crt

      • The trust CA: /opt/hp/propel/security/CA.crt

      For more information about how to replace certificates, see here.

    • If you used the --cert-gen option: Go to the directories listed above and check the time stamps of these files to make sure they were generated by the tool.

  5. Restart Service Manager Service Portal:

    # propel stop
    # propel start
    
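Before restarting, it is worth confirming that the three certificate files at the paths above actually belong together and were issued for the F5 virtual server FQDN rather than the portal's own host name. The following script is an added example, not part of the f5_reverse_proxy tool; it assumes openssl 1.1.1 or later is installed, and the make_demo_certs helper and the f5.example.test / portal.example.test names are constructed purely for trying the check offline.

```shell
#!/bin/sh
# Added check, not part of the f5_reverse_proxy tool. Verifies that the three
# certificate files the tool expects under /opt/hp/propel/security belong
# together and were issued for the F5 virtual server FQDN (so the portal does
# not keep presenting a certificate for its own host name behind the proxy).
# Requires openssl 1.1.1 or later.
# Usage: check_propel_certs <security_dir> <F5_FQDN>   (exit 0 = all checks pass)
check_propel_certs() {
  dir="$1"; fqdn="$2"; rc=0
  key="$dir/propel_host.key.rsa"; crt="$dir/propel_host.crt"; ca="$dir/CA.crt"
  for f in "$key" "$crt" "$ca"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  # 1. Private key and certificate must carry the same public key.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
  cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] \
    || { echo "propel_host.key.rsa does not match propel_host.crt" >&2; rc=1; }
  # 2. Certificate must chain to CA.crt and name the F5 FQDN (SAN, or CN fallback).
  openssl verify -CAfile "$ca" -verify_hostname "$fqdn" "$crt" >/dev/null 2>&1 \
    || { echo "propel_host.crt is not valid for $fqdn under CA.crt" >&2; rc=1; }
  # 3. Certificate must not be expired (checkend 0 = must be valid right now).
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "propel_host.crt has expired" >&2; rc=1; }
  return $rc
}

# Constructed sample data for trying the check offline: a throw-away self-signed
# certificate for a made-up F5 FQDN, laid out with the file names the tool uses.
# Self-signed, so the certificate doubles as its own trust anchor (CA.crt).
make_demo_certs() {
  dir="$1"; fqdn="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$fqdn" \
    -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$dir/propel_host.key.rsa" -out "$dir/propel_host.crt" >/dev/null 2>&1
  cp "$dir/propel_host.crt" "$dir/CA.crt"
}

# Demo run against a temporary directory; on the portal server point the check
# at /opt/hp/propel/security and your real <F5_FQDN> instead.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_demo_certs "$tmp" f5.example.test
  check_propel_certs "$tmp" f5.example.test && echo "PASS for f5.example.test"
  check_propel_certs "$tmp" portal.example.test || echo "FAIL (expected) for portal.example.test"
  rm -rf "$tmp"
fi
```

A non-zero exit from check_propel_certs means the files should be fixed before running propel start; a certificate that only names the portal FQDN will produce browser warnings once clients connect through the F5 FQDN.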

On the F5 server

Make sure the version of the F5 server is later than 11.4.

Note The following steps will use three text files, which you can find in the f5_reverse_proxy folder on the Service Manager Service Portal server: F5-iRule.txt, F5-CreatePool.txt, and F5-CreateVirtualServer.txt.

  1. In the F5 web UI, create the SSL profile with the files created in the "On the Service Manager Service Portal Server" section above.

    For example, create the SERVER SSL profile with the name "PROPEL-SERVER", and create the CLIENT SSL profile with the name "PROPEL-CLIENT".

    Note For both PROPEL-SERVER and PROPEL-CLIENT SSL profiles, you can use the same certificate and private key.

  2. In the F5 web UI, create a new iRule with the name "PROPEL-iRule" and paste into it the content of the "F5-iRule.txt" file.

    Note Replace “smci010.hpeswlab.net” with your F5 server’s hostname.

  3. In the F5 web UI, create SNAT with the name PROPEL-SNAT.

  4. Open the F5 command line and create the pools by running the tmsh command from the "F5-CreatePool.txt" file.

    Note Replace “16.187.190.23” with your Service Manager Service Portal’s IP address.

  5. Open the F5 command line and create the virtual server by running the tmsh command from the "F5-CreateVirtualServer.txt" file.

    Note Replace “16.165.216.242” with your F5 server’s IP address.