Forum Discussion
D_N_28689
Nimbostratus
Apr 07, 2008
Blacklisting certificates by certificate id
Hello,
I'm completely new with F5 so please forgive me if I'm making some dumb assumptions.
I've been tasked to write a Java API that will blacklist certificates on the F5 based on the certificate ID.
Digging around the forums, I've read a method whereby one manages the config file itself, loads that to the F5 and tells the F5 to pick up the file. I was wondering if there was a simpler way of doing this. I am under the impression the F5 has some kind of method that allows me to pass it a cert ID, and it will blacklist that certificate automatically.
Is there such a method, and if there is, could someone point me to it? I've been digging around the API docs and haven't found it yet.
Is this methodology the right way of doing things?
Any input is greatly appreciated!
D
17 Replies
- Don_MacVittie_1
Historic F5 Account
Hello D N,
Just one clarification - do you mean management certificates, certs we're using to end-point, or certs passing through the BIG-IP?
Thanks,
Don.
- D_N_28689
Nimbostratus
Hi, anyone out there have an idea?
- Don_MacVittie_1
Historic F5 Account
Hey D N,
I didn't desert you, just checking my facts. I'll post back tomorrow.
Don.
- Don_MacVittie_1
Historic F5 Account
Hi Again D N,
Sure thing about the Eclipse tutorial, glad it was of use.
So I'm not certain I understand exactly what you're doing, but have you looked at the Management::KeyCertificate interface? The delete routines will uninstall the cert, which will cause it to be rejected. Specifically KeyCertificate.delete_from_bundle().
Hope that helps, but if not, post back! We'll get it figured out.
Don.
- D_N_28689
Nimbostratus
Hello Don,
I looked at the Management::KeyCertificate interface per your recommendation. I noticed the ValidityType enumeration and the VTYPE_CERTIFICATE_INVALID enum looks interesting, as I suspect this may be what I am looking for. I wonder how the F5 determines whether to accept or reject a cert, in particular if it uses the KeyCertificate.certificate_check_validity method.
I basically need to be able to toggle on and off whether the F5 will accept a particular certificate. I am not entirely sure how this is achieved through the KeyCertificate interface.
If I were to use KeyCertificate.delete_from_bundle() to make the F5 reject a cert, then what would be the inverse operation? Also, assuming the inverse operation is KeyCertificate.certificate_add_file_to_bundle (correct me if I am wrong), then this sounds like I would need to manage a copy of the cert for the import.
- Don_MacVittie_1
Historic F5 Account
Hey again D N.
I have 'official' word back that the way I've been using it is how it's intended - certificate_add_to_bundle and certificate_delete_from_bundle are the routines at this time.
You should have a copy of the cert if you're keying off of it, right? Or am I confused about what you're doing? The only way I can think of that you wouldn't is if you requested it and had it generated from the API, in which case you'd have to save it to a different bundle (one not associated with anything) before deleting it. Or download it and keep a local copy (which is what I think you were referring to).
Don.
- D_N_28689
Nimbostratus
Hi again Don,
I was trying to gather details, so I was away for a bit. The problem I have is that I am not sure if I have a copy of the cert at this time. I'll find out later on in development. However, if this is the 'official' word, I won't doubt it. I'll respond again if I solidify details on what I have and have not. Thanks very much!
- D_N_28689
Nimbostratus
Hello Don!
It looks like all I have is just the certificate ID, and not the certificate itself, so I'm not sure if this is what I need.
I want to be sure I am not using incorrect terminology, so I'm going to avoid using the word Blacklist. What do I need to do to make the F5 reject a client (which provides a cert) from connecting? Is there any way I can simply mark the cert as inactive? Later on, I can mark it as active again so that the F5 accepts connections from that client?
Thank you again for all your assistance so far.
- Don_MacVittie_1
Historic F5 Account
Hey D N.
I am no iRules Guru, but I'll point one or two at this thread - you may want to do this with an iRule, since it would have the connection and the cert in hand. Problem is, if there are tens of thousands of certs you're dealing with, there might be some caveats. Let me point them over here for you though.
Don.
- kumaran_52786
Nimbostratus
Hi Don,
I'm working with Danny on this project. We have found 2 API calls which are used to implement our requirements.
The two requests are:
SystemConfigSyncStub::upload_file()
LocalLBClassStub::set_external_class_file_name()
Now that we know what to use, I'm trying to build a simple F5 simulator so that we can do in-house testing on it. Hence, I downloaded the for both requests. I tried using Axis2 to do WSDL2Java code generation. I'm getting tons of errors with the WSDL.
First it had issues with , then I changed that to .
Second, I had issues with "message has more than 1 part". Hence, I tried to use a wrapper. That didn't work either.
Third, for the sake of testing, I removed one of the parts inside the message tag. Then I'm getting this error =>
SoapConfigurationAxis2] - [SimulatorRms] Running Axis2 1.3 WSDL2Java for [/redknee//simulator/rms/trunk\src/wsdl/System.ConfigSync.wsdl]
3] - Exception in thread "main" org.apache.axis2.wsdl.codegen.CodeGenerationException: java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
3] - at org.apache.axis2.wsdl.codegen.CodeGenerationEngine.generate(CodeGenerationEngine.java:265)
Is there any help you can provide so that code generation works? Let me know if I need to clarify anything.
Thanks for your help,
K
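As an added illustration of the iRule approach Don suggests, combined with the external data group that the upload_file() / set_external_class_file_name() calls above would maintain, here is an example iRule that denies a TLS client whose certificate serial number appears in a deny list. This is not code from this thread or from F5: the data group name revoked_cert_serials, the assumption that a client SSL profile requesting client certificates is attached to the virtual server, and the `class match` syntax (BIG-IP v10 and later; v9 used matchclass) are all assumptions of this example.

```tcl
# Added example iRule (not from the thread or from F5).
# Assumes: a client SSL profile that requests/requires client certificates,
# and an external string-type data group named revoked_cert_serials whose
# entries are certificate serials in the same colon-separated hex format
# that X509::serial_number returns (e.g. "01:ab:cd:ef"). The data group is
# the one that would be refreshed with SystemConfigSync upload_file() and
# LocalLB.Class set_external_class_file_name(), so the deny list can be
# updated without touching the iRule itself.
when CLIENTSSL_CLIENTCERT {
    # A client may complete the handshake without presenting a certificate
    # (depending on the profile setting); only check when one is present.
    if { [SSL::cert count] == 0 } {
        return
    }

    # Normalize to lower case so the comparison does not depend on how the
    # serial was written into the data group file.
    set serial [string tolower [X509::serial_number [SSL::cert 0]]]

    if { [class match $serial equals revoked_cert_serials] } {
        # Log the decision for the SOC, then drop the connection.
        log local0. "Denied client [IP::client_addr]: cert serial $serial is on the deny list"
        reject
    }
}
```

Because the serial is looked up in a data group rather than hard-coded, re-enabling a client is just removing its serial from the uploaded file and re-pointing the class at it, which answers the "mark inactive, later mark active again" requirement without managing a copy of the certificate itself. Note that a serial number is only unique per issuing CA, so if more than one CA is trusted, the deny list key should also include the issuer.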