Forum Discussion
MVPF5 AWAF/ASM Fails to update OpenAPI file through REST-API
Hello Everyone,
I followed Update an existing API security policy with a newer swagger file but this only works when creating a new policy not upgrading an existing one when you change the openapi/swagger file.
{"isBase64":false,"executionStartTime":"2025-12-03T09:41:52Z","status":"FAILURE","lastUpdateMicros":1.764754912e+15,"username":"niki","kind":"tm:asm:tasks:import-open-api:import-open-api-taskstate","selfLink":"https://localhost/mgmt/tm/asm/tasks/import-open-api/sC_gfgZ2fnY4mbMDkh0ApA?ver=17.1.1","policyName":"my-openapi-policy","filename":"openapi.json","endTime":"2025-12-03T09:41:52Z","apiType":"swagger","id":"sC_gfgZ2fnY4mbMDkh0ApA","startTime":"2025-12-03T09:41:52.009027Z","result":{"message":"Could not add the Policy '/Common/my-openapi-policy'. Failed validating value '/Common/my-openapi-policy' for fullPath: The valueniki@master-1:~
I use this paylod for the POST request to /mgmt/tm/asm/tasks/import-open-api
$swagger_file is the previous uploaded swagger file
$waf_policy is /mgmt/tm/asm/policies/<policy hash>
{ apiType: "swagger", filename: $swagger_file, policyReference: { link: $waf_policy } }
7 Replies
SamCoCirrus
I am just making a quick guess but how is the request ? have you try to use HTTP PATCH instead of POST ?
- Nikoolayy1
PUT and PATCH are not implemented for this endpoint. Already tested this.
- Juergen_Mang
I use this paylod for the POST request to /mgmt/tm/asm/tasks/import-open-api
$swagger_file is the previous uploaded swagger file
$waf_policy is /mgmt/tm/asm/policies/<policy hash>
{ apiType: "swagger", filename: $swagger_file, policyReference: { link: $waf_policy } } - Nikoolayy1
Yes thanks Juergen_Mang for some reason when using hash id then there is no issue! Why with F5 developers always do stuff like that no idea as in AS3 local traffic policies are called endpoint policies and here in some places you use the name and in others the hash 😑
curl -sk -u xxx:xxxx1 \
-X POST "https://xxxx/mgmt/tm/asm/tasks/import-open-api" \
-H "Content-Type: application/json" \
--data "{
\"policyReference\": {
\"link\": \"/mgmt/tm/asm/policies/xxxxx\"
},
\"filename\": \"openapi.json\"
}"
Also the need of 4 REST-API tasks.
First uploading the new file > then getting the hash id > then recreating the policy > then applying the policy 😁
Here is something from me about getting the ID from the name.
curl -sk -u xxx:'xxx' \
"https://xxx/mgmt/tm/asm/policies?\$filter=fullPath+eq+'/Common/<policy name>'" \
| sed -n 's/.*"id":"\([^"]*\)".*/\1/p'I still think F5 could fix the option with the name as to not only create new policy but update the existing one as to have 3 REST API tasks and not 4.
- Juergen_Mang
Hi Nik,
the policy hash can be simply calculated locally: https://my.f5.com/manage/s/article/K40414407
printf "%s" "$POLICY" | openssl dgst -md5 -binary | base64 | cut -c-22 | sed 'y/+\//-_/'You can let the F5 fetch the OpenAPI file from a webserver, but I personally prefer also uploading the OpenAPI file.
- Nikoolayy1
When F5 calls it ID and not a hash adds confusion. Outside of that this is helpful still I need to check it as I wanted to run things with a k8s job and I may need to create a container that has curl + openssl will see if busybox can do it.
- Juergen_Mang
Using the F5 REST API is a bit of an adventure; you need an Indiana Jones mentality ;)
