azure

Kong latency 2

techhadoop , , , ,

Short answer:
In Kong logs, proxy latency is the time spent waiting on your upstream service (the API/backend) — i.e., how long it took the upstream to respond to Kong.

Here’s the breakdown of the three latency fields you’ll see in Kong logs:

  • latencies.proxyUpstream latency (a.k.a. “proxy latency”): time from when Kong sends the request to the upstream until it starts getting the response.
  • latencies.kongKong internal time: routing + plugin execution + overhead inside Kong.
  • latencies.requestTotal request time as seen by the client.

Quick mental model:

Client ──> [ Kong (latencies.kong) ] ──> Upstream API (latencies.proxy) ──> [ Kong ] ──> Client
                           \________________ latencies.request ________________/

A common point of confusion: in response headers,

  • X-Kong-Upstream-Latencylatencies.proxy (upstream time)
  • X-Kong-Proxy-Latencylatencies.kong (Kong time)

So, if you see high proxy latency, the slowness is almost always in your backend (or the network to it), not Kong itself. Focus on the upstream’s performance (DB calls, external services), network/DNS, and connection reuse; use Kong’s service/route timeouts (connect_timeout, read_timeout, write_timeout) to guard against outliers.Short answer:
In Kong logs, proxy latency is the time spent waiting on your upstream service (the API/backend) — i.e., how long it took the upstream to respond to Kong.

Here’s the breakdown of the three latency fields you’ll see in Kong logs:

  • latencies.proxyUpstream latency (a.k.a. “proxy latency”): time from when Kong sends the request to the upstream until it starts getting the response.
  • latencies.kongKong internal time: routing + plugin execution + overhead inside Kong.
  • latencies.requestTotal request time as seen by the client.

Quick mental model:

Client ──> [ Kong (latencies.kong) ] ──> Upstream API (latencies.proxy) ──> [ Kong ] ──> Client
                           \________________ latencies.request ________________/

A common point of confusion: in response headers,

  • X-Kong-Upstream-Latencylatencies.proxy (upstream time)
  • X-Kong-Proxy-Latencylatencies.kong (Kong time)

So, if you see high proxy latency, the slowness is almost always in your backend (or the network to it), not Kong itself. Focus on the upstream’s performance (DB calls, external services), network/DNS, and connection reuse; use Kong’s service/route timeouts (connect_timeout, read_timeout, write_timeout) to guard against outliers.

Kong – HIGH-LEVEL AUTH FLOW

techhadoop , , , ,

Here’s a clear breakdown of how authentication works in a Kong + Ping Identity + IAM setup, which is common in enterprise environments where Kong acts as an API gateway and Ping Identity (like PingFederate/PingOne) handles user authentication and token issuance.

HIGH-LEVEL AUTH FLOW

Scenario:

Client → Kong Gateway → Protected Service
Kong integrates with Ping Identity for OIDC authentication or JWT validation, often backed by a central IAM system.

COMPONENT ROLES

ComponentRole
Kong GatewayAPI gateway that enforces authentication & authorization plugins
Ping IdentityIdentity Provider (IdP) – handles login, token issuance, and federation
IAM (e.g., Ping IAM, LDAP, AD)Stores users, groups, permissions, policies

AUTHENTICATION FLOW (OIDC Plugin)

OpenID Connect (Authorization Code Flow):

  1. Client → Kong
    Tries to access a protected API.
  2. Kong (OIDC Plugin)
    Redirects client to Ping Identity (Authorization Endpoint).
  3. Ping Identity (PingFederate or PingOne)
    • Authenticates user (UI, MFA, etc.).
    • Issues authorization_code.
  4. Kong → Ping Identity (Token Endpoint)
    Exchanges code for access_token (and optionally id_token, refresh_token).
  5. Kong (OIDC Plugin)
    • Validates token.
    • Optionally maps user to Kong consumer.
    • Passes request to backend with enriched headers (e.g., X-Consumer-Username).
  6. Backend Service
    Receives authenticated request with headers.

JWT Token Validation (Alt. Flow)

If Ping Identity issues JWT tokens, you can use Kong’s JWT plugin to validate them without redirect:

  1. Client gets access_token from Ping (out of band or SPA).
  2. Client sends request with Authorization: Bearer <token>.
  3. Kong JWT plugin verifies:
    • Signature using Ping’s public key / JWKS.
    • Claims like iss, aud, exp, etc.
  4. If valid, forward to upstream.

Where IAM Comes In

IAM sits behind Ping Identity and handles:

  • User/group storage (via LDAP, AD, DB, etc.)
  • Role mapping (e.g., admin/user)
  • Authorization policies (PingAccess, policy processor)
  • MFA/SSO rules

Ping Identity federates those identities into SSO tokens and passes them to Kong.

Plugin Example: OIDC Config

curl -X POST http://<admin>:8001/services/my-service/plugins \
  --data "name=openid-connect" \
  --data "config.issuer=https://ping-idp.com" \
  --data "config.client_id=my-client" \
  --data "config.client_secret=abc123" \
  --data "config.redirect_uri=https://my-kong.com/callback" \
  --data "config.scopes=openid profile email"

Kong Headers Passed to Backend

After successful auth, Kong can pass:

  • X-Consumer-Username
  • X-Authenticated-Userid
  • Authorization: Bearer <token> (if configured)

Optional Enhancements

  • Use ACL plugin to enforce group-level access.
  • Use OIDC group claim mapping to Kong consumer groups.
  • Enable rate limiting per consumer.
  • Log authenticated user ID to Splunk or ELK.

Allow LDAP users to access the Kong Manager GUI in Kong Gateway

techhadoop , , , ,

To allow LDAP users to access the Kong Manager GUI in Kong Gateway Enterprise 3.4, you’ll need to integrate LDAP authentication via the Kong Enterprise Role-Based Access Control (RBAC) system.

Here’s how you can get it working step-by-step 👇

👤 Step 1: Configure LDAP Authentication for Kong Manager

Edit your kong.conf or pass these as environment variables if you’re using a container setup.

admin_gui_auth = ldap-auth
admin_gui_auth_conf = {
  "ldap_host": "ldap.example.com",
  "ldap_port": 389,
  "ldap_base_dn": "dc=example,dc=com",
  "ldap_attribute": "uid",
  "ldap_bind_dn": "cn=admin,dc=example,dc=com",
  "ldap_password": "adminpassword",
  "start_tls": false,
  "verify_ldap_host": false
}

✅ If you’re using LDAPS, set ldap_port = 636 and start_tls = false or configure accordingly.

Restart Kong after updating this config.

👥 Step 2: Create an RBAC User Linked to the LDAP Username

Kong still needs an RBAC user that maps to the LDAP-authenticated identity.

curl -i -X POST http://localhost:8001/rbac/users \
  --data "name=jdoe" \
  --data "user_token=jdoe-admin-token"

The name here must match the LDAP uid or whatever attribute you configured with ldap_attribute.

🔐 Step 3: Assign a Role to the RBAC User

curl -i -X POST http://localhost:8001/rbac/users/jdoe/roles \
  --data "roles=read-only"  # Or "admin", "super-admin", etc.

Available roles: read-only, admin, super-admin, or your own custom roles.

🔓 Step 4: Log into Kong Manager with LDAP User

Go to your Kong Manager GUI:

https://<KONG_MANAGER_URL>:8445

Enter:

  • Username: jdoe (LDAP uid)
  • Password: LDAP user’s actual password (Kong will bind to LDAP and verify it)

🛠️ Optional: Test LDAP Config from CLI

You can test the LDAP binding from Kong CLI:

curl -i -X POST http://localhost:8001/rbac/users \
  --data "name=testuser" \
  --data "user_token=test123"

Then try logging into Kong Manager with testuser using their LDAP password.

EKS – subnet size

techhadoop , , , ,

To determine the appropriate subnet class for an Amazon EKS (Elastic Kubernetes Service) cluster with 5 nodes, it’s important to account for both the nodes and the additional IP addresses needed for pods and other resources. Here’s a recommended approach:

Calculation and Considerations:

  1. EKS Node IP Addresses:
    • Each node will need its own IP address.
    • For 5 nodes, that’s 5 IP addresses.
  2. Pod IP Addresses:
    • By default, the Amazon VPC CNI plugin assigns one IP address per pod from the node’s subnet.
    • The number of pods per node depends on your instance type and the configuration of your Kubernetes cluster.
    • For example, if you expect each node to host around 20 pods, you’ll need approximately 100 IP addresses for pods.
  3. Additional Resources:
    • Include IP addresses for other resources like load balancers, services, etc.

Subnet Size Recommendation:

A /24 subnet provides 254 usable IP addresses, which is typically sufficient for a small EKS cluster with 5 nodes.

Example Calculation:

  • Nodes: 5 IP addresses
  • Pods: 100 IP addresses (assuming 20 pods per node)
  • Additional Resources: 10 IP addresses (for services, load balancers, etc.)

Total IP Addresses Needed: 5 (nodes) + 100 (pods) + 10 (resources) = 115 IP addresses.

Recommended Subnet Size:

A /24 subnet should be sufficient for this setup:

  • CIDR Notation: 192.168.0.0/24
  • Total IP Addresses: 256
  • Usable IP Addresses: 254

Example Configuration:

  • Subnet 1: 192.168.0.0/24

Reasons to Choose a Bigger Subnet (e.g., /22 or /20):

  1. Future Scalability: If you anticipate significant growth in the number of nodes or pods, a larger subnet will provide ample IP addresses for future expansion without the need to reconfigure your network.
  2. Flexibility: More IP addresses give you flexibility to add additional resources such as load balancers, services, or new applications.
  3. Avoiding Exhaustion: Ensuring you have a large pool of IP addresses can prevent issues related to IP address exhaustion, which can disrupt your cluster’s operations.

Example Subnet Sizes:

  • /22 Subnet:
    • Total IP Addresses: 1,024
    • Usable IP Addresses: 1,022
  • /20 Subnet:
    • Total IP Addresses: 4,096
    • Usable IP Addresses: 4,094

When to Consider Smaller Subnets (e.g., /24):

  1. Small Deployments: If your EKS cluster is small and you do not expect significant growth, a /24 subnet might be sufficient.
  2. Cost Efficiency: Smaller subnets can sometimes be more cost-effective in environments where IP address scarcity is not a concern.

For an EKS cluster with 5 nodes, I would recommend going with a /22 subnet. This gives you a healthy margin of IP addresses for your nodes, pods, and additional resources while providing room for future growth.

Kong API Gateway

techhadoop , , , ,

Kong API Gateway is a lightweight, fast, and flexible solution for managing APIs. It acts as a reverse proxy, sitting between clients (e.g., applications, users) and upstream services (e.g., APIs, microservices). Kong provides features like request routing, authentication, rate limiting, logging, and monitoring.

How Kong API Gateway Works

  1. Clients Make Requests:
    • Applications or users send HTTP/HTTPS requests to the Kong Gateway.
  2. Kong Intercepts Requests:
    • Kong routes these requests to the appropriate upstream service based on configuration rules.
    • It can apply middleware plugins for authentication, rate limiting, transformations, logging, and more.
  3. Plugins Process Requests:
    • Plugins enhance Kong’s functionality. For example:
      • Authentication plugins: Validate tokens or credentials.
      • Rate limiting plugins: Control the number of requests allowed.
      • Logging plugins: Send logs to monitoring systems.
      • Transformation plugins: Modify requests or responses.
  4. Request Routed to Upstream:
    • Kong forwards the processed request to the backend service (API or microservice).
  5. Upstream Service Responds:
    • The upstream service sends the response back to Kong.
  6. Kong Returns Response:
    • Kong optionally applies response transformations (e.g., add headers) before sending the response to the client.

Key Components of Kong

ComponentDescription
ProxyRoutes incoming requests to the appropriate upstream service.
Admin APIManages Kong configurations, including services, routes, and plugins.
DatabaseStores Kong configuration data (e.g., PostgreSQL or Cassandra).
PluginsExtend Kong’s functionality (e.g., authentication, monitoring, logging).
Upstream ServicesThe actual backend services or APIs that Kong forwards requests to.

Diagram: How Kong API Gateway Works

Here’s a simplified visual representation of Kong’s architecture:

Detailed Kong Workflow with Features

  1. Request Received by Kong
    A request like https://api.example.com/v1/orders reaches Kong.
    Kong matches the request with:
    • A route: (e.g., /v1/orders).
    • A service: The upstream API serving the request.
  2. Plugins Applied
    Kong processes the request with active plugins for:
    • Authentication: Checks API keys, OAuth tokens, or LDAP credentials.
    • Rate Limiting: Ensures the client doesn’t exceed allowed requests.
    • Logging: Sends logs to external systems like ElasticSearch or Splunk.
  3. Routing to Upstream
    After processing, Kong forwards the request to the appropriate upstream service.
    Example:
  4. Response Handling
    The upstream service responds to Kong.
    Plugins can modify responses (e.g., masking sensitive data).
  5. Response Sent to Client
    Kong sends the final response back to the client.

Common Use Cases

  1. API Security:
    • Add layers of authentication (e.g., JWT, OAuth, mTLS).
    • Enforce access control policies.
  2. Traffic Control:
    • Apply rate limiting or request throttling to prevent abuse.
  3. API Management:
    • Route requests to appropriate backend APIs or microservices.
  4. Monitoring & Analytics:
    • Capture detailed logs and metrics about API usage.
  5. Ease of Scalability:
    • Kong can scale horizontally, ensuring high availability and performance.

Advanced Configurations

  1. Load Balancing: Kong can distribute requests across multiple instances of an upstream service.
  2. mTLS: Mutual TLS ensures secure communication between Kong and clients or upstream services.
  3. Custom Plugins: You can write custom Lua or Go plugins to extend Kong’s capabilities.

Databricks vs. MapR (HPE Ezmeral Data Fabric)

techhadoop , , , ,

Databricks vs. MapR (HPE Ezmeral Data Fabric)

Databricks and MapR (now HPE Ezmeral Data Fabric) are platforms tailored for handling big data and analytics workloads, but they cater to slightly different use cases and approaches. Here’s a detailed comparison based on key aspects:

1. Core Purpose and Focus

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
Primary Use CaseUnified data analytics and AI platform for big data and ML.Distributed file system and data platform for scalable storage, analytics, and applications.
FocusMachine Learning, Data Engineering, and Data Science.Enterprise-grade distributed storage, streaming, and analytics.
Deployment ModelCloud-native (AWS, Azure, GCP).On-premise, hybrid cloud, or cloud-native.

2. Data Storage and Processing

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
Data FormatSupports Delta Lake (optimized storage for analytics).Supports HDFS, POSIX, NFS, and S3-compatible object storage.
Distributed StorageRelies on cloud storage (S3, ADLS, GCS).MapR-FS offers integrated, distributed storage.
Real-Time ProcessingIntegrates with Spark Structured Streaming.Built-in support for MapR Streams (Apache Kafka-compatible).

3. Compute and Processing Engine

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
Primary EngineApache Spark (optimized for performance).Supports Hadoop ecosystem tools, Spark, Hive, Drill, etc.
IntegrationTight integration with ML libraries like MLflow, TensorFlow, and PyTorch.Supports multiple processing frameworks (Hadoop, Spark, etc.).
ScalabilityElastic cloud-based scaling for compute.Scales both storage and compute independently.

4. Machine Learning and AI Capabilities

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
ML & AI SupportProvides native ML runtime, feature store, and MLflow for lifecycle management.Requires integration with external ML frameworks (e.g., TensorFlow, Spark MLlib).
Ease of UseDesigned for data scientists and engineers to build ML pipelines easily.Requires more manual configuration for ML workloads.

5. Ecosystem and Tooling

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
Data CatalogingUnity Catalog for data governance and lineage.Requires third-party tools for cataloging and lineage.
Streaming SupportIntegrates with Spark Structured Streaming.Built-in MapR Streams for high-throughput streaming.
Data IntegrationSupports a wide range of connectors and libraries.Native connectors for Kafka, S3, POSIX, NFS, and Hadoop tools.

6. Security and Governance

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
AuthenticationCloud-based IAM systems (e.g., AWS IAM).Kerberos, LDAP, and custom authentication options.
Access ControlFine-grained access controls with Unity Catalog.Role-based access with POSIX compliance and NFS integration.
EncryptionEncryption for data in transit and at rest via cloud services.Native encryption (e.g., MapR volumes support AES encryption).

7. Deployment and Management

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
Ease of DeploymentFully managed SaaS platform; minimal setup required.Requires expertise to set up and manage on-prem or hybrid deployments.
Platform ManagementManaged by Databricks.Managed by the enterprise or service provider (if hybrid).
ElasticityAuto-scaling for cloud resources.Requires manual configuration for scalability.

8. Cost Model

AspectDatabricksMapR (HPE Ezmeral Data Fabric)
Pricing ModelConsumption-based pricing for compute and storage.License-based or pay-as-you-go for cloud deployments.
Operational OverheadMinimal for managed service.Higher for on-prem installations due to hardware and management.

Key Considerations

  1. Choose Databricks If:
    • Your workload is cloud-first, analytics-heavy, and AI/ML-focused.
    • You require a unified platform for data engineering, analytics, and machine learning.
    • You prioritize ease of use and scalability with managed services.
  2. Choose MapR (HPE Ezmeral Data Fabric) If:
    • You have existing on-premise or hybrid infrastructure with a focus on distributed storage and real-time data processing.
    • You need flexibility in data storage and integration with diverse workloads.
    • You want strong support for edge, IoT, and streaming use cases.

Conclusion

Databricks excels in cloud-based analytics, AI, and ML workflows, while MapR (HPE Ezmeral Data Fabric) focuses on enterprise-grade data storage, streaming, and integration for hybrid or on-premise deployments. The choice between the two depends on your organization’s specific needs for storage, analytics, scalability, and operational preferences.

F5 – kong configuration

techhadoop , , , ,

Configure the F5 Load Balancer with VIP and SSL Certificate

  1. Create a Virtual Server (VIP):
    • Log in to your F5 management console.
    • Navigate to Local Traffic > Virtual Servers > Virtual Server List.
    • Click Create and configure the following:
      • Name: Give the VIP a meaningful name, like Kong_VIP.
      • Destination Address: Specify the IP address for the VIP.
      • Service Port: Set to 443 for HTTPS.
  2. Assign an SSL Certificate to the VIP:
    • Under the SSL Profile (Client) section, select Custom.
    • For Client SSL Profile, choose an existing SSL profile, or create a new one if needed:
      • Go to Local Traffic > Profiles > SSL > Client.
      • Click Create and provide a name, then upload the SSL certificate and key.
    • Assign this SSL profile to your VIP.
  3. Configure Load Balancing Method:
    • Under Load Balancing Method, choose a method that best fits your setup, such as Round Robin or Least Connections.
  4. Set Up Pool and Pool Members:
    • In the Pool section, create or select a pool to add your Kong instances as members:
      • Go to Local Traffic > Pools > Pool List, then Create a new pool.
      • Assign Kong instances as Pool Members using their internal IP addresses and ports (usually port 8000 for HTTP or 8443 for HTTPS if Kong is configured with SSL).
    • Make sure health monitors are set up for these pool members to detect when a Kong instance goes down.

Setup

Whether you need certificates on both the F5 load balancer and the Kong servers depends on how you plan to manage SSL/TLS termination and the level of encryption required for traffic between the F5 and Kong.

Here are two common setups:

1. SSL Termination on the F5 (Most Common)

  • Certificate Location: Only on the F5 load balancer.
  • How It Works: The F5 terminates the SSL connection with clients, decrypts the incoming HTTPS traffic, and forwards it to the Kong servers as plain HTTP traffic.
  • Benefits: Reduces the overhead on Kong servers because they don’t need to handle SSL encryption. It’s simpler to manage as only the F5 requires an SSL certificate.
  • Considerations: Traffic between the F5 and Kong servers is unencrypted, which is typically acceptable in private or secured networks (e.g., within a secure data center or VPC).

Configuration Steps:

  • Install and configure the SSL certificate only on the F5.
  • Set the F5 VIP to listen on HTTPS (port 443).
  • Configure Kong to listen on HTTP (port 8000 or a custom port).

This setup is generally sufficient if Kong instances and the F5 are within a trusted network.

2. End-to-End SSL (SSL Termination on Both F5 and Kong Servers)

  • Certificate Location: On both the F5 load balancer and the Kong servers.
  • How It Works: The F5 terminates the initial SSL connection from the client, but then re-encrypts the traffic before forwarding it to Kong. Kong servers also have SSL certificates, allowing them to decrypt this re-encrypted traffic.
  • Benefits: Ensures encrypted communication all the way from the client to the Kong servers, providing an extra layer of security.
  • Considerations: Requires SSL certificates on both F5 and Kong, and introduces some additional CPU overhead on Kong due to the need to decrypt/encrypt traffic.

Configuration Steps:

  • Install and configure an SSL certificate on the F5 for the VIP, and configure the VIP to listen on HTTPS.
  • Install an SSL certificate on each Kong server (these can be the same certificate as the F5 or separate ones).
  • Configure Kong to listen on HTTPS (port 8443 or another SSL-enabled port).
  • Configure the F5 to forward encrypted traffic to the Kong servers’ HTTPS port.

This approach is beneficial if security policies require end-to-end encryption, especially if the connection between the F5 and Kong instances crosses less secure network segments.

Summary

  • If you’re terminating SSL on the F5 only: A certificate is only required on the F5.
  • If you need end-to-end encryption: SSL certificates are required on both the F5 and each Kong server.

In most enterprise environments, SSL termination on the F5 is sufficient. However, for environments with stringent security requirements, end-to-end SSL provides additional security by ensuring all connections remain encrypted.

mTLS

  • Certificates:
    • The F5 load balancer needs server and client certificates and CA certificates to validate clients (client mTLS) and backend servers (backend mTLS).
    • Backend servers need server certificates and may require a CA certificate to verify the F5’s client certificate.
  • mTLS Setup:
    • For mTLS from the client to the F5, configure the Client SSL Profile on the F5.
    • For mTLS between the F5 and backend servers, configure the Server SSL Profile and set backend servers (like Kong) to require mTLS by validating the F5’s client certificate.

This setup provides mutual authentication between clients, the F5, and backend servers, ensuring secure, verified communication across all components in the chain.

do i need a certificate on both servers and F5 load balancer also how i integrate with mtls ?

For mTLS (mutual TLS) integration with an F5 load balancer and downstream servers like Kong or another backend, it is essential to determine where the certificates are needed and how to configure mTLS for mutual authentication between clients, the F5, and backend servers.

Certificates on Both the F5 Load Balancer and Backend Servers

  1. Certificates on the F5 Load Balancer:
    • The F5 acts as the entry point for client connections and needs a server certificate to handle HTTPS traffic.
    • If using mTLS, the F5 will also need a client certificate and a trusted certificate authority (CA) to validate incoming client certificates.
    • The F5 can be configured to terminate SSL and optionally re-encrypt traffic to backend servers.
  2. Certificates on Backend Servers:
    • For end-to-end encryption (where traffic from the F5 to backend servers remains encrypted), each backend server (e.g., Kong) also needs a server certificate.
    • If mutual TLS is required between the F5 and backend servers, the backend servers also need to verify the client (F5’s) certificate, so you’ll need to import the F5’s client certificate or a shared CA certificate on backend servers.

Configuring mTLS on F5 Load Balancer

Here’s how you can set up mTLS on an F5 load balancer to handle mutual authentication with clients and potentially with backend servers:

1. Configure mTLS Between Client and F5

  • Client SSL Profile:
    • Go to Local Traffic > Profiles > SSL > Client.
    • Create a Client SSL Profile for the VIP and enable Client Certificate Authentication by selecting Require under Client Certificate.
    • Import or reference a CA certificate that you trust to sign client certificates. This CA will validate client certificates.
  • Assign SSL Profile to VIP:
    • Attach this client SSL profile to the VIP handling client requests.
    • The F5 will now require clients to present a valid certificate from the specified CA to establish a secure connection.

2. mTLS Between F5 and Backend Servers (Optional)

If you want end-to-end mTLS (client to F5 and F5 to backend):

  • Server SSL Profile:
    • Go to Local Traffic > Profiles > SSL > Server.
    • Create a Server SSL Profile and enable the Authenticate option to require the backend server to present a valid certificate.
    • Specify a trusted CA certificate to validate the backend server’s certificate.
  • Assign Server SSL Profile to Pool:
    • Attach this server SSL profile to the backend pool so that the F5 will establish an mTLS connection when connecting to each backend server.

Backend Server Configuration (e.g., Kong)

If Kong is the backend server, configure Kong to:

  • Present a server certificate to the F5 for mutual authentication.
  • Verify client certificates if mTLS is required from F5 to Kong:
    • Set client_ssl = on and configure ssl_client_certificate to reference the CA certificate or client certificates you trust.

Example snippet for kong.conf:

client_ssl = on

ssl_cert = /path/to/server.crt

ssl_cert_key = /path/to/server.key

ssl_client_certificate = /path/to/ca.crt  # This will be used to verify F5’s client certificate

Summary

  • Certificates:
    • The F5 load balancer needs server and client certificates and CA certificates to validate clients (client mTLS) and backend servers (backend mTLS).
    • Backend servers need server certificates and may require a CA certificate to verify the F5’s client certificate.
  • mTLS Setup:
    • For mTLS from the client to the F5, configure the Client SSL Profile on the F5.
    • For mTLS between the F5 and backend servers, configure the Server SSL Profile and set backend servers (like Kong) to require mTLS by validating the F5’s client certificate.

This setup provides mutual authentication between clients, the F5, and backend servers, ensuring secure, verified communication across all components in the chain.

setup both SSL and mTLS

Yes, you can absolutely have a setup with both SSL termination and mTLS on the F5 load balancer. Here’s how the setup would work, allowing for both standard SSL connections (for regular HTTPS traffic) and mTLS (for additional security and mutual authentication) on the same VIP.

Mixed SSL and mTLS on F5

The configuration would involve:

  1. Standard SSL Termination for clients that only need secure (HTTPS) connections.
  2. mTLS configuration for clients requiring mutual authentication (client certificate verification).

Steps to Set Up SSL and mTLS on F5

1. Configure VIP for SSL Termination with Optional mTLS

  1. Create a Client SSL Profile for Standard SSL:
    • Go to Local Traffic > Profiles > SSL > Client.
    • Create a new Client SSL profile for the VIP.
    • Import and assign the server certificate and private key for the F5 load balancer, enabling standard SSL termination for incoming HTTPS requests.
    • Set Client Certificate to Ignore or Optional for this profile. This setting allows both clients that do not have a client certificate and clients with a certificate to connect securely.
  2. Create an Additional Client SSL Profile for mTLS:
    • Create a second Client SSL Profile specifically for mTLS.
    • Assign the F5’s server certificate and private key as before.
    • Set Client Certificate to Require and specify the CA certificate that will validate incoming client certificates.
    • In Configuration > Authentication, select Require or Request to mandate client certificate validation for mTLS connections.
  3. Attach Both SSL Profiles to the VIP:
    • Attach both the standard SSL profile and mTLS SSL profile to the same VIP.
    • The F5 will now support both types of SSL connections (standard and mTLS) for incoming traffic.

2. Backend SSL Configuration (Optional)

If you want end-to-end SSL or mTLS between the F5 and backend servers:

  1. Create a Server SSL Profile for Backend SSL:
    • Go to Local Traffic > Profiles > SSL > Server and create a new Server SSL Profile.
    • Specify a trusted CA certificate if backend servers require validation of the F5’s certificate for mTLS.
    • Attach this Server SSL Profile to the backend pool so the F5 will establish an encrypted connection to the backend servers.
    • For mutual TLS to backend servers, configure the backend servers (e.g., Kong) to validate the F5’s client certificate.

3. Test SSL and mTLS Connections

  1. SSL Connection:
    • Test a standard SSL connection by accessing the VIP without providing a client certificate.
    • The F5 should accept the connection securely without requiring a client certificate.
  2. mTLS Connection:
    • Test an mTLS connection by providing a valid client certificate signed by the trusted CA.
    • The F5 should validate the client certificate before establishing the connection.

Summary

  • SSL and mTLS Profiles: Attach both a standard SSL profile (with client certificate optional or ignored) and an mTLS SSL profile (with client certificate required) to the same VIP.
  • Optional Backend mTLS: Optionally, configure mTLS for connections from the F5 to backend servers if end-to-end mutual authentication is required.
  • Client Experience: Clients that support mTLS can authenticate with certificates, while clients without certificates can still connect over standard SSL.

This configuration allows the F5 to handle both SSL and mTLS connections on the same endpoint, supporting secure flexibility in handling a range of client needs and security requirements.

Common Issues and Resolutions

1. Certificate Verification Failed

If Kong logs errors like:

  • unable to get local issuer certificate
  • certificate verify failed

Cause

  • F5 is presenting a certificate that Kong cannot validate because the CA is not trusted or the certificate chain is incomplete.

Solution

  1. Verify F5 Certificate Chain:
    • Ensure F5 is presenting the full certificate chain, including intermediate and root certificates.
    • On F5, upload the intermediate and root certificates alongside the server certificate.

Steps in F5:

  1. Go to SystemFile ManagementSSL Certificate List.
  2. Import the intermediate and root certificates if missing.
  3. Assign them to the SSL profile.
  4. Add the Root CA to Kong:
    • Export the root certificate (and intermediate certificate, if needed) from F5.
    • Add the CA to Kong’s trusted store:

curl -i -X POST http://<KONG_ADMIN_API&gt;:8001/ca_certificates \

  –data “cert=$(cat /path/to/root_ca.pem)”

  1. Enable Certificate Validation in Kong:
    • Ensure the tls_verify option is enabled for services connecting to F5:

curl -i -X PATCH http://<KONG_ADMIN_API&gt;:8001/services/<SERVICE_NAME_OR_ID> \

  –data “tls_verify=true”

2. SNI Mismatch

If Kong logs errors like:

  • SSL: certificate name does not match

Cause

  • The Server Name Indication (SNI) sent by Kong does not match the hostname in F5’s SSL certificate.

Solution

  1. Verify F5 SSL Certificate:
    • Ensure the certificate on F5 is issued for the hostname used by Kong.
    • Use a tool like openssl to check the F5 certificate:

openssl s_client -connect <F5_VIP>:443 -showcerts

  1. Set SNI in Kong:
    • Specify the correct SNI for the service in Kong:

bash

Copy code

curl -i -X PATCH http://<KONG_ADMIN_API&gt;:8001/services/<SERVICE_NAME_OR_ID> \

  –data “tls_verify=true” \

  –data “tls_verify_depth=2” \

  –data “sni=<F5_HOSTNAME>”

3. Mutual TLS (mTLS) Configuration

If using mTLS, errors may include:

  • SSL handshake failed
  • no client certificate presented

Cause

  • Kong is not presenting a client certificate, or F5 is not configured to validate the client certificate.

Solution

  1. Upload Client Certificate to Kong:
    • Add the client certificate and private key to Kong:

bash

curl -i -X POST http://<KONG_ADMIN_API&gt;:8001/certificates \

  –data “cert=$(cat /path/to/client_certificate.pem)” \

  –data “key=$(cat /path/to/client_key.pem)”

  1. Associate the Certificate with the Service:
    • Attach the certificate to the service connecting to F5:

bash

Copy code

curl -i -X PATCH http://<KONG_ADMIN_API&gt;:8001/services/<SERVICE_NAME_OR_ID> \

  –data “client_certificate=<CERTIFICATE_ID>”

  1. Enable Client Certificate Validation on F5:
    • On F5, enable client certificate authentication in the SSL profile:
      • Go to Local TrafficSSL Profiles → Edit the profile.
      • Enable Require Client Certificate.
      • Upload the CA certificate that issued the client certificate.

4. Protocol or Cipher Mismatch

Errors like:

  • SSL routines:ssl_choose_client_version:unsupported protocol
  • ssl_cipher_list failure

Cause

  • Mismatch in SSL protocols or ciphers supported by F5 and Kong.

Solution

  1. Check SSL Protocols and Ciphers on F5:
    • Ensure F5 supports the protocols (e.g., TLS 1.2/1.3) and ciphers used by Kong.
    • Modify the F5 SSL profile to include compatible protocols and ciphers.
  2. Set Cipher Suites in Kong:
    • Update Kong’s nginx_kong.conf to include compatible ciphers:

nginx

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_protocols TLSv1.2 TLSv1.3;

  1. Restart Kong after the update.

5. Untrusted Self-Signed Certificate

If F5 uses a self-signed certificate, Kong cannot validate it by default.

Solution

  1. Export the self-signed certificate from F5.
  2. Add the certificate to Kong’s trusted CA store:

bash

Copy code

curl -i -X POST http://<KONG_ADMIN_API&gt;:8001/ca_certificates \

  –data “cert=$(cat /path/to/self_signed_certificate.pem)”

Best Practices

  • Use Valid Certificates:
    • Always use certificates from trusted Certificate Authorities (CAs) for production systems.
  • Enable Logging:
    • Monitor logs in Kong and F5 to troubleshoot SSL/TLS issues.
  • Regular Certificate Rotation:
    • Ensure certificates are renewed and updated before expiry.
  • Secure Configuration:
    • Use modern TLS protocols (e.g., TLS 1.2/1.3) and strong cipher suites.

By addressing these common issues, you can ensure smooth integration between F5 and Kong Gateway with robust SSL/TLS security. Let me know if you need detailed help with any specific step!

Common Issues and Resolutions

1. Certificate Verification Failed

If Kong logs errors like:

  • unable to get local issuer certificate
  • certificate verify failed

Cause

  • F5 is presenting a certificate that Kong cannot validate because the CA is not trusted or the certificate chain is incomplete.

Solution

  1. Verify F5 Certificate Chain:
    • Ensure F5 is presenting the full certificate chain, including intermediate and root certificates.
    • On F5, upload the intermediate and root certificates alongside the server certificate.

Steps in F5:

  1. Go to SystemFile ManagementSSL Certificate List.
  2. Import the intermediate and root certificates if missing.
  3. Assign them to the SSL profile.
  4. Add the Root CA to Kong:
    • Export the root certificate (and intermediate certificate, if needed) from F5.
    • Add the CA to Kong’s trusted store:

curl -i -X POST http://<KONG_ADMIN_API&gt;:8001/ca_certificates \

  –data “cert=$(cat /path/to/root_ca.pem)”

  1. Enable Certificate Validation in Kong:
    • Ensure the tls_verify option is enabled for services connecting to F5:

curl -i -X PATCH http://<KONG_ADMIN_API&gt;:8001/services/<SERVICE_NAME_OR_ID> \

  –data “tls_verify=true”

2. SNI Mismatch

If Kong logs errors like:

  • SSL: certificate name does not match

Cause

  • The Server Name Indication (SNI) sent by Kong does not match the hostname in F5’s SSL certificate.

Solution

  1. Verify F5 SSL Certificate:
    • Ensure the certificate on F5 is issued for the hostname used by Kong.
    • Use a tool like openssl to check the F5 certificate:

openssl s_client -connect <F5_VIP>:443 -showcerts

  1. Set SNI in Kong:
    • Specify the correct SNI for the service in Kong:

curl -i -X PATCH http://<KONG_ADMIN_API&gt;:8001/services/<SERVICE_NAME_OR_ID> \

  –data “tls_verify=true” \

  –data “tls_verify_depth=2” \

  –data “sni=<F5_HOSTNAME>”

3. Mutual TLS (mTLS) Configuration

If using mTLS, errors may include:

  • SSL handshake failed
  • no client certificate presented

Cause

  • Kong is not presenting a client certificate, or F5 is not configured to validate the client certificate.

Solution

  1. Upload Client Certificate to Kong:
    • Add the client certificate and private key to Kong:

curl -i -X POST http://<KONG_ADMIN_API&gt;:8001/certificates \

  –data “cert=$(cat /path/to/client_certificate.pem)” \

  –data “key=$(cat /path/to/client_key.pem)”

  1. Associate the Certificate with the Service:
    • Attach the certificate to the service connecting to F5:

curl -i -X PATCH http://<KONG_ADMIN_API&gt;:8001/services/<SERVICE_NAME_OR_ID> \

  –data “client_certificate=<CERTIFICATE_ID>”

  1. Enable Client Certificate Validation on F5:
    • On F5, enable client certificate authentication in the SSL profile:
      • Go to Local TrafficSSL Profiles → Edit the profile.
      • Enable Require Client Certificate.
      • Upload the CA certificate that issued the client certificate.

4. Protocol or Cipher Mismatch

Errors like:

  • SSL routines:ssl_choose_client_version:unsupported protocol
  • ssl_cipher_list failure

Cause

  • Mismatch in SSL protocols or ciphers supported by F5 and Kong.

Solution

  1. Check SSL Protocols and Ciphers on F5:
    • Ensure F5 supports the protocols (e.g., TLS 1.2/1.3) and ciphers used by Kong.
    • Modify the F5 SSL profile to include compatible protocols and ciphers.
  2. Set Cipher Suites in Kong:
    • Update Kong’s nginx_kong.conf to include compatible ciphers:

nginx

ssl_ciphers HIGH:!aNULL:!MD5;

ssl_protocols TLSv1.2 TLSv1.3;

  1. Restart Kong after the update.

5. Untrusted Self-Signed Certificate

If F5 uses a self-signed certificate, Kong cannot validate it by default.

Solution

  1. Export the self-signed certificate from F5.
  2. Add the certificate to Kong’s trusted CA store:

curl -i -X POST http://<KONG_ADMIN_API&gt;:8001/ca_certificates \

  –data “cert=$(cat /path/to/self_signed_certificate.pem)”

Best Practices

  • Use Valid Certificates:
    • Always use certificates from trusted Certificate Authorities (CAs) for production systems.
  • Enable Logging:
    • Monitor logs in Kong and F5 to troubleshoot SSL/TLS issues.
  • Regular Certificate Rotation:
    • Ensure certificates are renewed and updated before expiry.
  • Secure Configuration:
    • Use modern TLS protocols (e.g., TLS 1.2/1.3) and strong cipher suites.

By addressing these common issues, you can ensure smooth integration between F5 and Kong Gateway with robust SSL/TLS security. Let me know if you need detailed help with any specific step!

How to bind ldap user with RBAC roles in Kong

techhadoop , , , ,

How to bind ldap user with RBAC roles in Kong

Binding LDAP users with RBAC roles in Kong requires integration with an LDAP directory for user authentication, followed by mapping those users to Kong’s RBAC roles. Here’s a step-by-step guide to achieving this setup in Kong:

Step 1: Configure Kong for LDAP Authentication

First, enable Kong’s LDAP authentication plugin to allow LDAP users to access Kong services.

  1. Install the LDAP Authentication Plugin:
    • The LDAP plugin is available as part of Kong’s plugin suite. Verify that it’s installed by running:

curl -i -X GET http://<kong-admin-url&gt;:8001/plugins

  1. Configure the LDAP Plugin:
    • You can set up the LDAP authentication plugin on a specific route, service, or globally. Here’s an example of enabling it globally:

curl -i -X POST http://<kong-admin-url&gt;:8001/plugins \

  –data “name=ldap-auth” \

  –data “config.ldap_host=<ldap-server-ip-or-hostname>” \

  –data “config.ldap_port=389” \

  –data “config.start_tls=true” \

  –data “config.base_dn=dc=example,dc=com” \

  –data “config.attribute=username” \

  –data “config.cache_ttl=60” \

  –data “config.header_type=ldap”

  1. Replace values such as ldap_host, ldap_port, and base_dn with those specific to your LDAP setup.
  1. Test LDAP Authentication:
    • Ensure that LDAP authentication works by making a request with an LDAP user’s credentials:

curl -i -X GET http://<kong-proxy-url&gt;:8000/your-service \

  –header “Authorization: ldap <base64-encoded-credentials>”

Step 2: Create Kong RBAC Roles and Permissions

  1. Enable RBAC in Kong:
    • RBAC is enabled by setting the KONG_ENFORCE_RBAC=on environment variable and restarting Kong.
  2. Create RBAC Roles:
    • Use the Kong Admin API to create roles. For example:

curl -i -X POST http://<kong-admin-url&gt;:8001/rbac/roles \

  –data “name=admin”

  1. Create other roles as needed (e.g., developer, read-only, etc.).
  2. Assign Permissions to Roles:
    • Define permissions for each role to control access to various Kong resources. For example:

curl -i -X POST http://<kong-admin-url&gt;:8001/rbac/roles/admin/endpoints \

  –data “endpoint=/services” \

  –data “actions=create,read,update,delete”

  1. Assign permissions according to your access control needs.

Step 3: Bind LDAP Users to RBAC Roles

LDAP users need Kong RBAC tokens to access the Admin API according to their roles. This step involves creating RBAC users and mapping them to LDAP users.

  1. Create RBAC Users in Kong:
    • For each LDAP user, create a corresponding RBAC user in Kong:

curl -i -X POST http://<kong-admin-url&gt;:8001/rbac/users \

  –data “name=<ldap-username>” \

  –data “user_token=<custom-generated-token>”

  1. Store the user_token securely, as it serves as the RBAC access token for the user.
  2. Map RBAC Users to Roles:
    • Assign the RBAC user to a role:

curl -i -X POST http://<kong-admin-url&gt;:8001/rbac/users/<ldap-username>/roles \

  –data “roles[]=admin”

  1. Assign roles according to each user’s LDAP role or group to control access.

Step 4: Authenticate LDAP Users with Kong RBAC

Once LDAP users have been mapped to Kong RBAC roles, they can access Kong based on the permissions defined for their roles.

  1. Access Kong Admin API:
    • LDAP users can authenticate to Kong using their RBAC token by including it in the Authorization header:

curl -i -X GET http://<kong-admin-url&gt;:8001/<protected-endpoint> \

  –header “Authorization: <user_token>”

  1. The RBAC token grants access according to the user’s assigned role and permissions.

Additional Considerations

  • LDAP Group Mapping: If using groups in LDAP, you could create Kong roles that correspond to LDAP groups. This allows easier role assignment by assigning a Kong RBAC user to a role based on their LDAP group.
  • Token Expiration and Rotation: Define an expiration policy for RBAC tokens and ensure tokens are securely managed and rotated if necessary.
  • Monitoring and Auditing: Use Kong’s logging features and plugins to monitor access and audit role usage.

By following these steps, you’ll establish a secure, role-based access control system in Kong, integrating LDAP authentication with Kong RBAC.

Kong – Ldap setting

techhadoop , , , ,

For Kong’s Admin API to have visibility into LDAP users and roles, the following steps ensure LDAP users are recognized and mapped to roles in Kong’s RBAC system. Here’s an overview of how it works and how to set it up:

1. Enable LDAP Authentication on the Admin API

  • Configure Kong to authenticate users from an LDAP server by setting up the ldap-auth plugin on the Admin API. This allows the Admin API to recognize LDAP credentials and authenticate users.
  • This configuration is typically done in kong.conf or using environment variables when launching Kong:

export KONG_ADMIN_LISTEN=”0.0.0.0:8001″

export KONG_LDAP_HOST=”ldap-server.example.com”

export KONG_LDAP_PORT=389

export KONG_LDAP_BASE_DN=”ou=users,dc=example,dc=com”

export KONG_LDAP_BIND_DN=”cn=admin,dc=example,dc=com”

export KONG_LDAP_BIND_PASSWORD=”admin_password”

2. Configure LDAP Bindings for Users in RBAC

  • After LDAP is enabled, Kong must map LDAP users to RBAC roles. This can be done by associating Kong roles with the LDAP user groups or specific LDAP users through RBAC settings.
  • You can create roles and assign permissions to them in Kong’s RBAC configuration by using Admin API requests. For example:

# Create a custom role (if you don’t want to use kong-admin)

curl -i -X POST http://localhost:8001/rbac/roles \

     –data “name=admin-role”

# Assign permissions to the role

curl -i -X POST http://localhost:8001/rbac/roles/admin-role/endpoints \

     –data “workspace=default” \

     –data “endpoint=/services” \

     –data “actions=read,update”

3. Map LDAP Users to Roles

  • Once the roles are set up, map LDAP users to the created roles. You can do this by adding RBAC permissions based on LDAP username:

# Assign the LDAP user to the role

curl -i -X POST http://localhost:8001/rbac/users \

     –data “username=<ldap-username>” \

     –data “custom_id=<unique-ldap-id>” \

     –data “roles=admin-role”

  • Here, <ldap-username> is the LDAP user, and <unique-ldap-id> is the identifier used in LDAP (e.g., uid=…).

4. Authenticate via LDAP User to Access Admin API

  • After assigning the role to the LDAP user, authenticate as the LDAP user using the Admin API. Kong will check the LDAP server for credentials and match the user to the associated RBAC role.
  • Once authenticated, LDAP users with RBAC roles are granted access based on their assigned permissions in Kong.

5. Verify Configuration

  • Test that your LDAP users can access Kong’s Admin API endpoints according to their role permissions by using curl or another HTTP client, as previously described.

unable to verify the first certificate – KONG

techhadoop , , , ,

unable to verify the first certificate

The error “unable to verify the first certificate” typically indicates that the client (or server) cannot verify the certificate because it does not have the correct root certificate, intermediate certificate, or the certificate chain is incomplete. Here’s how you can troubleshoot and resolve this issue:

Common Causes of the Error:

  1. Missing Root or Intermediate Certificates
    • The server or client lacks the necessary CA certificates to complete the chain of trust.
  2. Self-Signed Certificate
    • If the certificate is self-signed, the server or client must explicitly trust the certificate.
  3. Incomplete Certificate Chain
    • The server might not be sending the entire certificate chain (intermediate certificates) along with the server certificate.
  4. Incorrect Client/Server Configuration
    • The client or server may not be configured to trust the CA that issued the certificate.

Steps to Fix the Issue:

1. Verify the Certificate Chain

Check whether the certificate chain is complete. You can use openssl to check the chain from the client side:

openssl s_client -connect your-kong-api:443 -showcerts

This will show the certificates presented by the server. Verify if the server provides the full chain, including the intermediate certificates.

2. Install Missing CA Certificates on the Client

If the client does not trust the CA that issued the server certificate, you need to install the root CA certificate on the client. For example, on most systems, you can install the CA certificates by adding them to the trusted certificate store.

  • Linux (e.g., Ubuntu/Debian): Copy the CA certificate (e.g., ca.crt) to the /usr/local/share/ca-certificates/ directory and then update the certificate store:

sudo cp ca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

  • Windows: Import the root certificate into the Trusted Root Certification Authorities store via the Certificate Manager.
  • macOS: You can import the CA certificate into Keychain Access and mark it as trusted.

3. Verify the Server-Side Configuration

If you’re managing the server (e.g., Kong API Gateway), ensure that the server is sending the complete certificate chain. You can provide both the server certificate and any intermediate certificates in the configuration.

For example, in Kong, you can configure SSL certificates like this:

curl -i -X POST http://localhost:8001/certificates \

–form “cert=@/path/to/server.crt” \

–form “key=@/path/to/server.key” \

–form “cert_alt=@/path/to/intermediate.crt”

Ensure that the server certificate and intermediate certificates are included in the cert field.

4. Test the Connection with the Correct CA

When testing using curl, ensure you include the correct root CA or intermediate CA:

curl -v –cacert /path/to/ca.crt https://your-kong-api/your-route

This will make curl use the specified CA certificate for validation.

5. Check for Self-Signed Certificates

If you’re using self-signed certificates, you’ll need to make sure that both the client and server are explicitly configured to trust the self-signed certificate.

For example, when using curl:

curl -v –key client.key –cert client.crt –cacert ca.crt https://your-kong-api/

If the certificate is self-signed and you want to bypass certificate verification (not recommended in production), you can use:

curl -v –insecure https://your-kong-api/

6. Include the Correct Intermediate Certificates

If the server is not sending the intermediate certificate (or you forgot to add it), make sure that the intermediate certificate is included in the chain. You can concatenate the server certificate and intermediate certificate into one file:

cat server.crt intermediate.crt > full_chain.crt

Then, use the full chain certificate for your server configuration.

Summary of Steps:

  1. Check the certificate chain using openssl s_client to see if all necessary certificates are presented.
  2. Ensure the client trusts the root CA by installing the root or intermediate CA on the client.
  3. Ensure the server presents the full certificate chain (server certificate + intermediate certificates).
  4. Test the connection using the correct CA with curl or another tool.
  5. Handle self-signed certificates by explicitly trusting them or bypassing verification in non-production environments.

By following these steps, you should be able to resolve the “unable to verify the first certificate” issue.