Get Profile_Type_Client_SSL from Virtual Server
I am trying to retrieve the client SSL profile from a list of virtual servers, but I am having difficulties. Any help would be greatly appreciated.
Here is what I have so far:
```powershell
# Get list of virtual servers
$vs_list = (Get-F5.iControl).LocalLBVirtualServer.get_list()
# Get profiles associated with each virtual server
$vs_profile_list = (Get-F5.iControl).LocalLBVirtualServer.get_profile($vs_list)
```
I tried this, but get 0 results:
```powershell
(Get-F5.iControl).LocalLBVirtualServer.get_profile($vs_list).PROFILE_TYPE_CLIENT_SSL
```
Hi eric,
there is no specific filter for client-ssl profile. You can probably parse based on a good naming convention. Here is a sample to dump all profiles of a specific virtual via iControl REST (just replace the virtual server name in the self link, please):
```bash
curl -s -k -u admin:admin -H "Content-Type: application/json" -X GET https://localhost/mgmt/tm/ltm/virtual/~Common~vs_101_8081/profiles?\$select=name | grep -ioP '(?<=\{"name":")[^"]+(?="\})'
```
Sorry for not being able to support you regarding the legacy iControl.
Thanks, Stephan
- Eric_Frankenfie (Nimbostratus)
Maybe I am approaching this incorrectly.
I am trying to list all certificates expiring in the next 30 days, their respective profiles, and the virtual servers using those profiles.
We are running 10.2.4, so I think the legacy iControl is my only option.
- If a shell script based approach would be an alternative I can try to put down some lines tomorrow morning.
- Eric_Frankenfie (Nimbostratus)
Thanks, that would be helpful.
Hi eric,
the following one is a quick shot to map virtual > client-ssl profile > cert in use > cert expiration for all virtual servers. It does not display information selectively. Challenge here is to convert the OpenSSL date output into universal format to match versus current date. Found a script for that but had no time yet to implement this function. Try this, please (for v10 only):
```bash
#!/bin/bash
# Script to map virtual server > client-ssl profile > ssl certificate > expiration date
# version: 0.01
# author: Stephan Manthey
# tested for TMOS v10.2.4 only
# not supporting certificate bundles
# not including chain / intermediate certificates
# (TMOS v11 stores certs in filestore and provides tmsh commands for cert data!)
# usage:
# - copy i.e. to /var/tmp/map_virtual_certs
# - run chmod +x /var/tmp/map_virtual_certs
# - run command /var/tmp/map_virtual_certs

# create sed dictionary to map certificates and expiration date
# (each generated line reads: s/;<cert>;/;<cert>;<enddate>;/g)
for cert in /config/ssl/ssl.crt/*.crt
do
    echo -n "$cert;" | sed -r 's#^/config/ssl/ssl.crt/##;s#^(.*)$#s/;\1/;\1#'
    openssl x509 -noout -enddate -in "$cert" | sed -r 's#^notAfter=##;s#$#;/g#'
done > /var/tmp/ssl-cert-exp-dict

# create list of client-ssl profiles
tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print ";" $4 ";"}' > /var/tmp/client-ssl-list

# create sed dictionary to map client-ssl profiles and used certs
tmsh list ltm profile client-ssl cert | tr -d "\n{" | tr "}" "\n" | \
    tr -s '[:blank:]' | awk '{print "s/;" $4 ";/;" $4 ";" $6 ";/g"}' > /var/tmp/client-ssl-cert-dict

# create sed dictionary to replace profile list in virtual servers by client-ssl profiles only
tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print "s/^([^;]+).*;" $4 ";.*$/\\1;" $4 ";/g"}' > /var/tmp/client-ssl-dict

# apply dictionaries to virtual servers
tmsh list ltm virtual profiles | grep -vE '^[[:blank:]]+(profiles \{|\}|context)' | \
    tr -d "\n\{" | tr "}" "\n" | tr -s '[:blank:]' | \
    sed -r 's/^ltm virtual //g;s/[[:blank:]]$//g;s/$/;/g' | tr '[:blank:]' ';' | \
    grep -f /var/tmp/client-ssl-list | sed -r -f /var/tmp/client-ssl-dict | \
    sed -r -f /var/tmp/client-ssl-cert-dict | sed -r -f /var/tmp/ssl-cert-exp-dict

# remove temp files
rm -f /var/tmp/ssl-cert-exp-dict /var/tmp/client-ssl-list /var/tmp/client-ssl-cert-dict /var/tmp/client-ssl-dict 2>/dev/null
```
Thanks, Stephan
Hi eric,
thanks to F.Barth for providing an easy to use solution to convert date into standard format. Here is an updated version displaying only virtuals with certs to expire within defined period of time. You can run the script from CLI along with a parameter to specify number of days for warning period (default of 30).
```bash
#!/bin/bash
# Script to map virtual server > client-ssl profile > ssl certificate > expiration date
# version: 0.02
# author: Stephan Manthey
# tested for TMOS v10.2.4 only
# not supporting certificate bundles
# not including chain / intermediate certificates
# (TMOS v11 stores certs in filestore and provides tmsh commands for cert data!)
# usage:
# - copy i.e. to /var/tmp/map_virtual_certs
# - run chmod +x /var/tmp/map_virtual_certs
# - run command /var/tmp/map_virtual_certs
# changes, fixes (v0.02):
# - modified date format
# - selective output of virtual servers with certs to expire within warning period
# - command line parameter to enter days for warning period (default value: 30)
#   (i.e. ./map_virtual_certs 60)

# enable debugging (set -x)
# set -x

# set number of days to warn
remainingdays=$1
if [ -z "${remainingdays}" ]
then
    remainingdays=30
fi
remainingseconds=$((${remainingdays} * 86400))
# get current date
currdate=`date +%s`
# set warning time period
warningtime=$((${currdate} + ${remainingseconds}))

# create sed dictionary to map certificates and expiration date
# (each generated line reads: s|;<cert>;|;<cert>;<YYYY/MM/DD>;|g
#  '|' is the delimiter because the date itself contains '/')
for cert in /config/ssl/ssl.crt/*.crt
do
    echo -n "$cert" | sed -r 's#^/config/ssl/ssl.crt/##;s#^(.*)$#s|;\1;|;\1;#'
    openssl x509 -noout -enddate -in "$cert" | awk -F '=' '{print $2}' | \
        xargs -I{} date -d {} +%Y/%m/%d | sed -r 's#$#;|g#'
done > /var/tmp/ssl-cert-exp-dict

# verify cert expiration within warning time period
for cert in /config/ssl/ssl.crt/*.crt
do
    # -noout keeps the PEM body out of the awk input
    expirationtime=`openssl x509 -noout -enddate -in "$cert" | awk -F '=' '{print $2}' | xargs -I{} date -d {} +%s`
    if [ "${expirationtime}" -lt "${warningtime}" ]
    then
        echo ";$cert;" | sed -r 's#/config/ssl/ssl.crt/##'
    fi
done > /var/tmp/ssl-cert-warning-list

# create list of client-ssl profiles
tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print ";" $4 ";"}' > /var/tmp/client-ssl-list

# create sed dictionary to map client-ssl profiles and used certs
tmsh list ltm profile client-ssl cert | tr -d "\n{" | tr "}" "\n" | \
    tr -s '[:blank:]' | awk '{print "s/;" $4 ";/;" $4 ";" $6 ";/g"}' > /var/tmp/client-ssl-cert-dict

# create sed dictionary to replace profile list in virtual servers by client-ssl profiles only
tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print "s/^([^;]+).*;" $4 ";.*$/\\1;" $4 ";/g"}' > /var/tmp/client-ssl-dict

# apply dictionaries to virtual servers
tmsh list ltm virtual profiles | grep -vE '^[[:blank:]]+(profiles \{|\}|context)' | \
    tr -d "\n\{" | tr "}" "\n" | tr -s '[:blank:]' | \
    sed -r 's/^ltm virtual //g;s/[[:blank:]]$//g;s/$/;/g' | tr '[:blank:]' ';' | \
    grep -f /var/tmp/client-ssl-list | sed -r -f /var/tmp/client-ssl-dict | \
    sed -r -f /var/tmp/client-ssl-cert-dict | grep -f /var/tmp/ssl-cert-warning-list | \
    sed -r -f /var/tmp/ssl-cert-exp-dict

# remove temp files
rm -f /var/tmp/ssl-cert-exp-dict /var/tmp/client-ssl-list /var/tmp/client-ssl-cert-dict \
    /var/tmp/client-ssl-dict /var/tmp/ssl-cert-warning-list 2>/dev/null
```
Thanks, Stephan
PS: Designed to work on v10 only!
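The same virtual > client-ssl profile > certificate > expiry mapping can be done as a single awk join instead of generated sed dictionaries. This is an added example, not part of the posts above and not F5 code; the function name `map_expiring`, the three `;`-separated record layouts and all sample names and timestamps are assumptions constructed for illustration, with expiry given as epoch seconds (as `date -d ... +%s` produces in the script above).

```shell
#!/bin/sh
# Added example, not from the thread. Record layouts (assumed):
#   VIRTUALS: virtual;profile1;profile2;...   every profile attached to the virtual
#   PROFILES: client-ssl-profile;certfile
#   CERTS:    certfile;notAfter as epoch seconds

# map_expiring VIRTUALS PROFILES CERTS NOW_EPOCH DAYS
# Prints virtual;profile;cert;days_left for certs expiring within DAYS.
# A cert referenced by a profile but absent from CERTS (unreadable, bundle,
# missing file) is reported as UNKNOWN instead of being dropped silently.
map_expiring() {
    awk -F';' -v now="$4" -v days="$5" '
        FILENAME == ARGV[1] { notafter[$1] = $2; next }   # cert -> expiry
        FILENAME == ARGV[2] { cert[$1] = $2; next }       # profile -> cert
        {
            for (i = 2; i <= NF; i++) {
                if (!($i in cert)) continue               # not a client-ssl profile
                c = cert[$i]
                if (!(c in notafter)) {
                    print $1 ";" $i ";" c ";UNKNOWN"
                    continue
                }
                left = notafter[c] - now
                if (left < days * 86400)
                    print $1 ";" $i ";" c ";" int(left / 86400)
            }
        }' "$3" "$2" "$1"
}

# Constructed sample data: "now" is 1700000000; web.crt expires 10 days later,
# api.crt 90 days later, and old.crt has no expiry record at all.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'vs_web;http;tcp;cssl_web' 'vs_api;tcp;cssl_api' \
        'vs_plain;http;tcp' 'vs_old;tcp;cssl_old' > "$dir/virtuals"
    printf '%s\n' 'cssl_web;web.crt' 'cssl_api;api.crt' \
        'cssl_old;old.crt' > "$dir/profiles"
    printf '%s\n' 'web.crt;1700864000' 'api.crt;1707776000' > "$dir/certs"
    map_expiring "$dir/virtuals" "$dir/profiles" "$dir/certs" 1700000000 30
    rm -rf "$dir"
}

demo
```

Matching on whole fields means a profile named `ssl` cannot match inside `clientssl`, and a certificate file name containing regex characters needs no escaping.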