Forum Discussion
Nikolay_Matveev
Nimbostratus
NimbostratusAPM: terminate active session via API
Is it possible to obtain a list of active APM session and then terminate one of them using an API?
I assumed this could be done using iControl REST API but failed to find any relevant information in its user guide :(.
Yann_Desmarest_Nacreous
Hello,
You can show active sessions using the following script :
for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete $i; doneYou should have a look at the sessiondump command to see if you can kill an active session.
Nikolay_MatveevThank you Yann. I understand you refer to CLI which is not exactly what I asked about. I need to be able to obtain list of current sessions and terminate one of them using an API call (ideally using a REST API) from an external application (not on the BigIP itself). Is this possible?- Yann_Desmarest_Unfortunately, I think this is currently not available out of the box. But you may launch bash scripts from the rest api instead
- Nikolay_MatveevHmm... that's not very good... If a script is invoked via the REST API can its console output be returned as a result of that API call?
Yann_DesmarestCirrus
Hello,
You can show active sessions using the following script :
for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete $i; doneYou should have a look at the sessiondump command to see if you can kill an active session.
- Nikolay_MatveevThank you Yann. I understand you refer to CLI which is not exactly what I asked about. I need to be able to obtain list of current sessions and terminate one of them using an API call (ideally using a REST API) from an external application (not on the BigIP itself). Is this possible?
- Yann_DesmarestUnfortunately, I think this is currently not available out of the box. But you may launch bash scripts from the rest api instead
- Nikolay_MatveevHmm... that's not very good... If a script is invoked via the REST API can its console output be returned as a result of that API call?
You can run scripts via the REST API, but I would advise caution. Any commands that need input will fail, and if the command takes a long time to complete, it may not behave as expected. Same goes for commands that run a lot of output.
Arnaud_LemaireEmployee
just release in 12.1 : REST APIs for managing user sessions in APM
New iControl REST requests make it easier to manage sessions within APM by letting you list all user sessions and retrieve session ID, user login, and IP address for each APM server. Additional APIs are available for retrieving session information based on username or client IP address and for deleting the session based on the session ID.
{ "kind": "tm:apm:access-info:access-infostats", "selfLink": "https://localhost/mgmt/tm/apm/access-info/example?ver=12.1.0", "propertyDescriptions": { "clientIp": "", "logonUser": "" }, "naturalKeyPropertyNames": [] }- Yann_Desmarest
Since 13.x you can do a REST call to delete a session : curl -X DELETE https://hostname/mgmt/tm/apm/session/12345678
12345678 to be replaced by your session_id
- Vladimir_Akhmarov
Hello all!
Recently deployed such a solution:
- Created iCall script with session termination logic (thanks Yann)
- Created iCall handler with type perpetual
- Used iControlREST to execute iCall handler
See Yann's article
Create your own iCall script and handler:
sys icall script ApmSessionPurge_script { ... } sys icall handler perpetual ApmSessionPurge_handler { script ApmSessionPurge_script }In the end of "definition" section of your iCall script add below commands. This command must be used because once perpetual handler will be started someone must stop it.
# Stop iCall handler after execution catch {[exec -- /bin/tmsh stop sys icall handler perpetual ApmSessionPurge_handler]}Shell example to use iControlREST:
BIGIP_ADDR='192.0.2.1' BIGIP_USER='admin' BIGIP_PSWD='admin123' BIGIP_HDLR='ApmSessionPurge_handler' BIGIP_AUTH=$(curl -sk -H 'Content-Type: application/json' -X POST -d "{'username':'"$BIGIP_USER"', 'password':'"$BIGIP_PSWD"', 'loginProviderName':'tmos'}" https://${BIGIP_ADDR}/mgmt/shared/authn/login) # Use sed -nE below for regular Linux/MacOS BIGIP_TOKEN=$(echo $BIGIP_AUTH | sed -nr 's/.*\"token\":\"([A-Z0-9]+)\".*/\1/p') curl -sk -H 'Content-Type: application/json' -H "X-F5-Auth-Token: $BIGIP_TOKEN" -X POST -d "{\"command\":\"start\", \"name\":\"$BIGIP_HDLR\"}" https://${BIGIP_ADDR}/mgmt/tm/sys/icall/handler/perpetual 
Kurt_EricksonThis may be an easier way.
To get a list of Active access sessions:
curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M .
{
"kind": "tm:apm:access-info:access-infostats",
"selfLink": "https://localhost/mgmt/tm/apm/access-info?ver=15.1.0",
"entries": {
"https://localhost/mgmt/tm/apm/access-info/9c0a5b2d": {
"nestedStats": {
"entries": {
"clientIp": {
"description": "192.168.1.72"
},
"logonUser": {
"description": "user1"
}
}
}
},
"https://localhost/mgmt/tm/apm/access-info/b7c5ede0": {
"nestedStats": {
"entries": {
"clientIp": {
"description": "192.168.1.72"
},
"logonUser": {
"description": "user2"
}
}
}
}
}
}
To delete a specific Access session:
Locate the logonUser name and the URL ending with the session id.
curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/<session id>
- Kurt_Erickson
Not very pretty but this will iterate through the current access sessions and delete them:
curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M . | grep https | grep -v selfLink | sed s'/\// /'g | sed s'/"/ /'g | awk '{system("curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/"$7)}'
