Forum Discussion
NimbostratusError while establishing device trust
Not sure what's going on here. Any ideas?
Thanks in advance,
Chris
[chris@luckylx02 bin]$ f5bdt2 "$sglb" "$mg2" "$b1n" "$b2n"
SOAP-ENV:Server Exception caught in Management::urn:iControl:Management/Trust::add_authority_device()
Exception: Common::OperationFailed
primary_error_code : 16908289 (0x01020001)
secondary_error_code : 0
error_string : Trust daemon returned an error: Could not examine network interfaces: CsO/w78D
Code:
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;
use SOAP::Lite;
use MIME::Base64;
BEGIN { push (@INC, '/home/chris'); }
use iControlTypeCast;
$sHost = $ARGV[1];
my $sUID = admin;
my $sPWD = $ARGV[0];
my $b1n = $ARGV[2];
my $b2n = $ARGV[3];
----------------------------------------------------------------------------
checkResponse makes sure the error isn't a SOAP error
----------------------------------------------------------------------------
sub checkResponse() {
my ($soapResponse) = (@_);
if ( $soapResponse->fault )
{
print $soapResponse->faultcode, " ", $soapResponse->faultstring, "\n";
exit();
}
}
sub buildtrust {
$soapResponse =
$dtrmgmt->add_authority_device
(
SOAP::Data->name (address => 10.255.255.3),
SOAP::Data->name ( username => admin ),
SOAP::Data->name ( password => XXXXXXXX ),
SOAP::Data->name ( device_object_name => "$b1n" ),
SOAP::Data->name ( browser_cert_serial_number => "" ),
SOAP::Data->name ( browser_cert_signature => "" ),
SOAP::Data->name ( browser_cert_sha1_fingerprint => "" ),
SOAP::Data->name ( browser_cert_md5_fingerprint => "" ),
);
&checkResponse($soapResponse);
$soapResponse =
$dgmgmt->create
(
SOAP::Data->name (device_groups => [sg-sf] ),
SOAP::Data->name ( type => [DGT_FAILOVER] ),
);
&checkResponse($soapResponse);
$soapResponse =
$dgmgmt->add_device
(
SOAP::Data->name (device_groups => [sg-sf] ),
SOAP::Data->name ( devices => [$b1n , $b2n] ),
);
&checkResponse($soapResponse);
}
$dtrmgmt = SOAP::Lite
-> uri('urn:iControl:Management/Trust')
-> readable(1)
-> proxy("");
eval {
$dtrmgmt->transport->http_request->header( 'Authorization' => 'Basic '
. MIME::Base64::encode("$sUID:$sPWD", ''));
};
$dgmgmt = SOAP::Lite
-> uri('urn:iControl:Management/DeviceGroup')
-> readable(1)
-> proxy("");
eval {
$dgmgmt->transport->http_request->header( 'Authorization' => 'Basic '
. MIME::Base64::encode("$sUID:$sPWD", ''));
};
Main Program Logic
&buildtrust;
[chris@luckylx02 bin]$ f5bdt2 "$sglb" "$mg2" "$b1n" "$b2n"
SOAP-ENV:Server Exception caught in Management::urn:iControl:Management/Trust::add_authority_device()
Exception: Common::OperationFailed
primary_error_code : 16908289 (0x01020001)
secondary_error_code : 0
error_string : Trust daemon returned an error: Could not examine network interfaces: CsO/w78D
8 Replies
Faintly_LuckyHere's what I got out of the LTM log:
Jan 29 11:33:06 thnlb2 err devmgmtd[7300]: com.f5.devmgmt.server.Server$ClientDispatcher.run(Server.java:290): Handler threw server exception: [STACK TRACE: {com.f5.devmgmt.client.ServerException: Could not examine network interfaces: CsO/w78B}{ at com.f5.devmgmt.server.Server.isSelfAddress(Server.java:654)}{ at com.f5.devmgmt.server.Server.validateNotSelfAddress(Server.java:677)}{ at com.f5.devmgmt.server.handler.impl.trust.AddAuthority.(AddAuthority.java:76)}{ at com.f5.devmgmt.server.handler.impl.trust.AddAuthoritySyncHandler.execute(AddAuthoritySyncHandler.java:48)}{ at com.f5.devmgmt.server.handler.trust.AddAuthoritySyncHandlerBase.dispatch(AddAuthoritySyncHandlerBase.java:33)}{ at com.f5.devmgmt.server.Server$ClientDispatcher.run(Server.java:284)}{ at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)}{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}{ at java.lang.Thread.run(Unknown Source)}]
I'm guessing that I should open a support case on this, but I'd like confirmation that this is an internal issue and not one that exists between my keyboard and my chair before I do so.
Thanks,
ChrisWhich method is returning the error, the call to add_authority_device(), create(), or add_device()? From the code it looks good since I don't know what you are passing in for parameters, not sure where the "CsO/w78B" interface is coming from. Have you gone through the same process in the GUI with the same parameters and does that work?
- Faintly_LuckyJoe:
From what I'm seeing in the debugs, it definitely appears to be the add_authority_device call. My response checking subroutine exits if there's an error, and the debugs confirm that it's the only call that's been made.
I haven't done it in the GUI, though I have successfully done it via TMSH utilizing the "tmsh modify cm trust-domain Root ca-devices add { 10.255.255.3 } username admin password XXXXXXXX name XXXXXXXX" command. It works like a charm and establishes trust between the two devices, creates the other device, and adds it to the device_trust_group device-group all in one command. At that point, I issue a second TMSH command to create the sg-sf sync-failover group and add the devices to it. In the GUI, it appears to follow the same process: Device Trust>Peer List>Add. Provide IP, admin user name, and admin password, then click retrieve device info.
Are you saying that there are calls that I need to make prior to making the add_authority_device call? If so, could you please elaborate? This is the last piece of a rapid deployment framework that I've written for v10/11 new customer deployments (Managed Services Provider) and I'd much rather use iControl to establish trust rather than script it out in expect.
I really appreciate you taking the time to respond and help me figure out what's going on.
Chris In looking at the server code, it looks like your value for "address" is getting garbled at some point. Not sure if it's on the client side, or on the server. The one thing that sticks out is that you aren't enclosing your "string" values with quotes, specifically for the "address" parameter. Just for kicks, could you try surrounding the strings with quotes?
$soapResponse =$dtrmgmt->add_authority_device(SOAP::Data->name (address => "10.255.255.3"),SOAP::Data->name ( username => "admin" ),SOAP::Data->name ( password => "XXXXXXXX" ),SOAP::Data->name ( device_object_name => "$b1n" ),SOAP::Data->name ( browser_cert_serial_number => "" ),SOAP::Data->name ( browser_cert_signature => "" ),SOAP::Data->name ( browser_cert_sha1_fingerprint => "" ),SOAP::Data->name ( browser_cert_md5_fingerprint => "" ),);And see if that takes care of it. It could be that SOAP::Lite is doing something wonky with the value 10.255.255.3 and not passing it as a string but converting it somehow.
If that doesn't work for you, could you enable SOAP::Lite tracing and look for what's passed in the SOAPRequest for the address parameter? Toss this at the top of your script when you import the SOAP::Lite lib and that will dump the full request/response to the console.
use SOAP::Lite + trace => qw(method debug);
Hopefully the string enclosing will work, but if not the trace should get us a little further.
-Joe
OK, I'm almost 100% sure that enclosing the strings will solve the problem. I tried another iControl call with SOAP::Lite to a method that took an IP address. When I passed the string as
SOAP::Data->name(self_ips => ["10.255.255.3"])
it passed in the trace correctly,
[self_ips ...="" soapenc:arraytype="xsd:string[1]"][item xsi:type="xsd:string"]10.255.255.3[/item][/self_ips]
But, when I omitted the quotes
SOAP::Data->name(self_ips => [10.255.255.3])
it was converted into Base64binary
[self_ips ...="" soapenc::arraytype="xsd:base64Binary[1]"][item xsi:type="xsd:base64Binary"]CsO/w78D[/item][/self_ips]
The "CsO/w78D" is the error you were getting for an invalid address.
-Joe
- Faintly_LuckyJoe,
Thank you very much for helping out with this. I'll modify my code and let you know what happens. I can't believe that I missed that in the debugs.
Looks like this will turn out to be a PEBKAC error after all :/
Chris - Faintly_LuckyJoe,
It was indeed the quoting.
Once that part of the script was working, I also had some problems getting the devices added to the device group after it was created, but I was able to figure it out.
I'll be making a submission to the code share within a the next few days based upon this script.
Once again, thank you very much for your help.
Chris - Awesome, glad to help!
-Joe
