Proper VMware Identity Manager Node Monitoring when using F5 BIG-IP Appliances
Introduction:
This document walks you through the setup of a custom F5 BIG-IP health monitor for VMware Identity Manager appliances acting as nodes in a cluster behind the BIG-IP.
Background:
In previous versions of documentation from VMware and F5 which discussed clustering of VMware Identity Manager with F5 BIG-IP load balancers, it was suggested to use the `http_head_f5` health monitor. However, due to security updates within VMware Identity Manager 2.8 and higher, the use of the aforementioned F5 BIG-IP health monitor is no longer a viable option. Because of this, many customers were using the `gateway_icmp` F5 health monitor as a temporary workaround. Unfortunately, this would allow the F5 BIG-IP to see a node as good even though it may only be responding to a ping, resulting in traffic failures and web pages failing to load for end users. Therefore, a better health monitor needed to be used.
Solution:
Working together, VMware and F5 came up with a validated custom health monitor that uses a built-in VMware Identity Manager health API to determine whether the node (or appliance) in question is actually serving requests, not merely answering pings.
The basic F5 health monitor information is as follows:
Send String:
GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
Receive String:
ok$
Receive Disable String:
404
How the BIG-IP interprets these: both receive strings are regular expressions matched against the full response (status line, headers and body). A Receive String match marks the pool member up. If only the Receive Disable String matches, for example because the heartbeat URL answers 404 Not Found, the member is marked disabled rather than down, so new connections stop going to it while existing sessions are allowed to finish. A response matching neither, or no response before the monitor timeout, marks the member down. The `Connection: Close` header makes the appliance close the connection after answering, so the monitor reads the complete response instead of waiting for its timeout.
Creation Procedure:
Here is how to create this within the F5 BIG-IP.
- Log in as an administrator to your F5 BIG-IP appliance.
- Browse to Monitors under the Local Traffic tab in the left hand menu.
- Click the CREATE button in the upper left to start the creation of a new health monitor.
- Give it a name such as ViDM_Monitor or something similar and provide a description as needed.
- Select HTTPS as type. This will set the parent monitor to https and open up the "Configuration" screen with options for Send String, Receive String, and Receive Disable String among the many shown.
- Use the following for the Send String: GET /SAAS/API/1.0/REST/system/health/heartbeat HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
- Use the following for the Receive String: ok$
- Use the following for the Receive Disable String: 404
- Leave the rest of the fields as their default settings.
- Click the FINISHED button.
Now you need to assign this to the VMware Identity Manager Pool for the F5 BIG-IP virtual server to utilize.
NOTE: Make sure you do this part during off-hours or scheduled down time. When the monitor on a pool changes, the BIG-IP re-evaluates every member with the new monitor, and members are not considered available until their first successful probe.
- Assuming you are already logged in from above, browse to Local Traffic > Pools > Pool List and select your pool of VMware Identity Manager appliances.
- Edit the Health Monitors section to remove previous active health monitors and assign your new health monitor you just created above.
- Click the UPDATE button when ready.
- Validate that the new health monitor works as expected by viewing the pool member status and the Virtual Server status within the F5 BIG-IP admin console. Every healthy appliance should show as Available; a member that shows as Disabled indicates the heartbeat URL returned a 404 (the Receive Disable String matched), and a member shown as Offline never returned `ok` at all, so check that node's web services before assuming a monitor problem.
Conclusion:
Now you can rest assured the F5 BIG-IP is properly monitoring your VMware Identity Manager cluster to determine which nodes are live and which are not!
Acknowledgements:
Big thanks to F5's Matt Mabis for helping us work through these settings and to VMware's Michael Almond and Karen Zelenko for guidance and support in testing this.