Forum Discussion

seamlessfirework
Nov 23, 2023

Creating device trust / trust-domain through iControl REST Call(s)

Hey there

Currently I am trying to implement basic configuration through iControl REST calls. A personal dead end is building a device trust.

The API tells me how to do that: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_cm_trust-domain.html. But it doesn't work out. The same question has been asked here: https://community.f5.com/t5/technical-forum/rest-api-trust-domain-peer/td-p/164274. A solution is to send a POST with a tmsh command. Fair enough. But there has to be a way to configure it the "right way" through proper REST calls. Any hints?

The URL I am calling:

  • https://{{baseurl}}/mgmt/tm/cm/trust-domain/add-device

Here is my JSON body

{
    "ca-device": "{{f5ClusterPeer2}}",
    "device-ip": "{{f5MgmtIpPeer}}",
    "device-name": "{{f5ClusterPeer2}}",
    "device-port": "443",
    "device-username": "{{f5DeviceTrustUser}}",
    "device-password": "{{f5DeviceTrustPassword}}"
}

Note: I use Postman.

The response I get is this:

{
    "code": 409,
    "message": "01020066:3: The requested trust domain () already exists in partition Common.",
    "errorStack": [],
    "apiError": 3
}

Calling the "Root" resource in the URL responds this:

{
    "code": 403,
    "message": "Operation is not allowed on property group /cm/trust-domain/Root/add-device.",
    "errorStack": [],
    "apiError": 1
}

Edit:

I found this in the API doc: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_cm_add-to-trust.html. But it still doesn't work out with this JSON body:

{
    "ca-Device": "true",
    "device": "{{f5ClusterPeer2}}",
    "deviceName": "{{f5ClusterPeer2}}",
    "port": "443",
    "username": "{{f5DeviceTrustUser}}",
    "password": "{{f5DeviceTrustPassword}}"
}
  • Hi,

    I don't use Postman (I use cURL instead).

    You just need to send a REST API call to BIG-IP 1 to add the peer unit (BIGIP-2) to the existing root trust domain:

    curl -sk -u <ADMIN USERNAME>:<ADMIN PASSWORD> -H "Content-Type: application/json" -X PATCH -d \
    '{"addDevice":{"deviceIp":"<BIGIP-2 MGMT IP ADDRESS>","deviceName":"<BIGIP-2 HOSTNAME>","username":"<ADMIN USERNAME>","password":"<ADMIN PASSWORD>"}}' \
    https://<BIGIP-1 MGMT IP>/mgmt/tm/cm/trust-domain/Root


6 Replies

  • Many things in the API are broken. F5 NEXT will correct these due to being API first driven. For now, I use TMSH commands for many, many workarounds with iControl, Ansible collection usage, etc. Another idea would be to use iRules LX and imperative calls using that API. I reserve imperative for base config like setting up HA and declarative framework for setting up VIPs and associated objects.

    • seamlessfirework

      Thank you for sharing your findings and thoughts. It feels broken sometimes for me, too. But sending tmsh commands through the API is a solution for me.

      As I understood, AS3 deploys the config within individual partitions for every "tenant". Could you outline how you mix imperative commands with your declarative approach configuring VS etc.? Do you use git as your single source of truth for IaC?
