Forum Discussion
Get ClientSSL and ServerSSL profiles using the Rest API
I've written the following script so that I can document at a high level the VIPs that I have created without having to dig into them every time I need to know pools, iRules, members, etc. The problem I have is that I need to know which SSL Cert Profiles are in use for both Client and Server, and I can't seem to figure out a way to do it based on the virtual server. Does anyone know of a way to do this using the REST API? I've read through the 11.5 iControl REST document but can't seem to find where the ClientSSL and ServerSSL profiles are located.
```powershell
# Create a policy to trust all certs
# (accepts any TLS certificate for every request made in this session)
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$Credential = Get-Credential
$LoadBalancer = "x.x.x.x"
$VSURL = "https://$LoadBalancer/mgmt/tm/ltm/virtual"
$PoolURL = "https://$LoadBalancer/mgmt/tm/ltm/pool"
$ClientSSLURL = "https://$LoadBalancer/mgmt/tm/ltm/clientssl"
$VSRegEx = "(?<=/virtual/)(.*)(?=\?)"
$ExportFile = "./F5Export.csv"

# Lookup Virtual Servers
$VirtualServerLookup = Invoke-RestMethod $VSURL -Credential $Credential
foreach ($VSLookup in $VirtualServerLookup.Items)
{
    $VirtualServerLog = ""
    $VirtualServer = [regex]::match($VSLookup.selfLink, $VSRegEx)
    $VirtualServerURL = "$VSURL/$VirtualServer"

    # Lookup Virtual Server Information
    $VS = Invoke-RestMethod $VirtualServerURL -Credential $Credential
    $VSName = $VS.Name
    $VSDestination = $VS.Destination
    $VSRules = $VS.Rules
    $VSEnabled = $VS.Enabled
    $VSPersist = $VS.Persist.Name
    $VSPool = $VS.Pool
    Write-Host " Name: $VSName" -ForegroundColor Green
    Write-Host " VIP: $VSDestination"
    $VirtualServerLog += "$VSName,"
    $VirtualServerLog += "$VSDestination,"
    foreach ($VSRule in $VSRules)
    {
        Write-Host " Rule: $VSRule"
        $VirtualServerLog += "$VSRule,"
    }
    Write-Host " Enabled: $VSEnabled"
    $VirtualServerLog += "$VSEnabled,"
    foreach ($Persist in $VSPersist)
    {
        Write-Host " Persistance: $Persist"
        $VirtualServerLog += "$Persist,"
    }
    foreach ($Pool in $VSPool)
    {
        # Pool paths use "~" instead of "/" in REST URLs
        $PoolLookup = $Pool -replace "/","~"
        $PoolSearch = Invoke-RestMethod "$PoolURL/$PoolLookup" -Credential $Credential
        $PoolName = $PoolSearch.Name
        $PoolPartition = $PoolSearch.Partition
        Write-Host " Pool: $Pool"
        Write-Host " Pool Name: $PoolName"
        Write-Host "Pool Partition: $PoolPartition"
        $VirtualServerLog += "$Pool,"
        $VirtualServerLog += "$PoolName,"
        $VirtualServerLog += "$PoolPartition,"

        # Lookup Member Information
        $MemberSearch = Invoke-RestMethod "$PoolURL/$PoolLookup/members/" -Credential $Credential
        foreach ($Member in $MemberSearch.Items)
        {
            $MemberName = $Member.Name
            $MemberAddress = $Member.Address
            $MemberState = $Member.State
            $MemberMonitor = $Member.Monitor
            $MemberSession = $Member.Session
            Write-Host " Member Name: $MemberName IP Address:$MemberAddress"
            $VirtualServerLog += "$MemberName,"
            $VirtualServerLog += "$MemberAddress,"
            $VirtualServerLog += "$MemberState,"
            $VirtualServerLog += "$MemberMonitor,"
            $VirtualServerLog += "$MemberSession,"
        }
    }
    $VirtualServerLog | Out-File $ExportFile -Append
    Write-Host ""
}
```
2 Replies
- James_Thomson
Employee
You're looking for the profile associated with the virtual server. They are in a subcollection.
This GET https://192.168.153.234/mgmt/tm/ltm/virtual/testssl
gives me

```json
"profilesReference": {
  "link": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles?ver=12.1.0",
  "isSubcollection": true
}
```

so if I then send GET to that:
https://192.168.153.234/mgmt/tm/ltm/virtual/~Common~testssl/profiles
I get the following:

```json
{
  "kind": "tm:ltm:virtual:profiles:profilescollectionstate",
  "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles?ver=12.1.0",
  "items": [
    {
      "kind": "tm:ltm:virtual:profiles:profilesstate",
      "name": "clientssl",
      "partition": "Common",
      "fullPath": "/Common/clientssl",
      "generation": 284,
      "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles/~Common~clientssl?ver=12.1.0",
      "context": "clientside"
    },
    {
      "kind": "tm:ltm:virtual:profiles:profilesstate",
      "name": "serverssl",
      "partition": "Common",
      "fullPath": "/Common/serverssl",
      "generation": 284,
      "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles/~Common~serverssl?ver=12.1.0",
      "context": "serverside"
    },
```

- Kevin_Nelson
Nimbostratus
Using James' information, this is a single-line (with a couple pre-configured conditions) that I used to verify the expected Server-side SSL profiles were assigned on a list of VIPs configured with a particular pool name pattern (where the pool names are POOL_200 or POOL_210):

```powershell
Get-VirtualServer | ? Pool -match '.*/POOL_2[0,1]0' | Select Name,Pool,@{Name="ServerProfile"; Expression={ ( Invoke-RestMethod -Uri ( $_.profilesReference.link -replace "localhost", "" ) -Credential $cred ).items | ? context -eq serverside | Select -ExpandProperty Name } }
```

The pre-configured conditions were a stored credential (`$cred = Get-Credential`) adequate for authenticating with the LTM and the establishment of the F5 session using the stored credential (`New-F5Session -LTMName -LTMCredentials $cred`). The stored credential is used again in the inline `Invoke-RestMethod` in the command.

The result looked something like this:

```
name  pool             ServerProfile
----  ----             -------------
VIP_A /Common/POOL_200 serverssl-custom
VIP_B /Common/POOL_210 serverssl-custom
VIP_C /Common/POOL_210 serverssl-custom
VIP_D /Common/POOL_200 serverssl-custom
VIP_E /Common/POOL_210 serverssl-custom
```

You could change `context -eq serverside` to `context -eq clientside` to see that profile or otherwise change the selection to suit.
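
Added example (not part of either reply and not F5's code): the profiles subcollection lists every profile attached to the virtual server, and `context` only says which side a profile applies to, so this example picks out the SSL profiles by matching each item's `fullPath` against the device's client-ssl and server-ssl profile collections. Assumptions: the helper name `Get-VipSslProfile` is hypothetical, the sample JSON is constructed (modelled on the response shown in the first reply), and the `/mgmt/tm/ltm/profile/client-ssl` and `/mgmt/tm/ltm/profile/server-ssl` collection paths are iControl REST endpoints that the thread itself does not mention.

```powershell
# Constructed sample, modelled on the profiles subcollection in the first reply.
$profilesJson = @'
{ "items": [
  { "name": "tcp-wan-optimized", "fullPath": "/Common/tcp-wan-optimized", "context": "clientside" },
  { "name": "tcp-lan-optimized", "fullPath": "/Common/tcp-lan-optimized", "context": "serverside" },
  { "name": "clientssl",         "fullPath": "/Common/clientssl",         "context": "clientside" },
  { "name": "serverssl",         "fullPath": "/Common/serverssl",         "context": "serverside" }
] }
'@

function Get-VipSslProfile {
    # Hypothetical helper: keeps only the attached profiles that are known SSL profiles.
    param(
        [Parameter(Mandatory)] [string] $VirtualServer,
        [object[]] $ProfileItems   = @(),  # .items of the VIP's profiles subcollection
        [string[]] $ClientSslPaths = @(),  # fullPath of every client-ssl profile on the device
        [string[]] $ServerSslPaths = @()   # fullPath of every server-ssl profile on the device
    )
    $client = @($ProfileItems | Where-Object { $ClientSslPaths -contains $_.fullPath })
    $server = @($ProfileItems | Where-Object { $ServerSslPaths -contains $_.fullPath })
    [pscustomobject]@{
        VirtualServer = $VirtualServer
        ClientSSL     = ($client | ForEach-Object { $_.fullPath }) -join ';'
        ServerSSL     = ($server | ForEach-Object { $_.fullPath }) -join ';'
    }
}

# Live lookups (assumes $LoadBalancer and $Credential as in the original script):
#   $base        = "https://$LoadBalancer/mgmt/tm/ltm"
#   $clientPaths = (Invoke-RestMethod "$base/profile/client-ssl" -Credential $Credential).items.fullPath
#   $serverPaths = (Invoke-RestMethod "$base/profile/server-ssl" -Credential $Credential).items.fullPath
#   $items       = (Invoke-RestMethod "$base/virtual/~Common~testssl/profiles" -Credential $Credential).items

# Offline run against the constructed sample.
$items = ($profilesJson | ConvertFrom-Json).items
$row = Get-VipSslProfile -VirtualServer '/Common/testssl' -ProfileItems $items `
    -ClientSslPaths '/Common/clientssl' -ServerSslPaths '/Common/serverssl'
$row | Format-List

# For comparison: filtering on context alone selects every server-side profile.
$items | Where-Object context -eq 'serverside' | Format-Table name, context
```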
