Forum Discussion
Fuchan_Tan_3092
Nimbostratus
Mar 22, 2012
How to create LocalLBProfileClientSSL?
Hello,
Has anyone successfully created LocalLBProfileClientSSL?
Thanks,
Mike Tan
8 Replies
- Jonathan_Scholi
Cirrostratus
Yes. In Java you can do something like:
String[] clientSSLProfileNameArray = new String[] {"(Name of the profile goes here)"};
LocalLBProfileString key = new LocalLBProfileString();
LocalLBProfileString cert = new LocalLBProfileString();
key.setValue( "Name of the key goes here"+ ".key");
cert.setValue( "Name of the cert goes here"+ ".crt");
iControlInterfaces.getLocalLBProfileClientSSL().create(clientSSLProfileNameArray, new LocalLBProfileString[] {key}, new LocalLBProfileString[] {cert});
- Fuchan_Tan_3092
Nimbostratus
Thank you for the input.
Here is what I did
/* both /config/ssl/ssl.key/miketan999.key and /config/ssl/ssl.crt/miketan999.crt are in place */
iControl.LocalLBProfileString [] keys = new iControl.LocalLBProfileString[1];
keys[0]=new iControl.LocalLBProfileString();
keys[0].setValue("miketan999.key");
iControl.LocalLBProfileString [] certs = new iControl.LocalLBProfileString[1];
certs[0]=new iControl.LocalLBProfileString();
certs[0].setValue("miketan999.crt");
i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs);
But I am getting the following error -
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server
faultSubcode:
faultString: Exception caught in LocalLB::urn:iControl:LocalLB/ProfileClientSSL::create()
Exception: Common::OperationFailed
primary_error_code : 17236755 (0x01070313)
secondary_error_code : 0
error_string : 01070313:3: Error reading key PEM file /config/ssl/ssl.key/miketan999.key for profile miketan999_clientssl_profile: error:0906A068:PEM routines:PEM_do_header:bad password read
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:Exception caught in LocalLB::urn:iControl:LocalLB/ProfileClientSSL::create()
Exception: Common::OperationFailed
primary_error_code : 17236755 (0x01070313)
secondary_error_code : 0
error_string : 01070313:3: Error reading key PEM file /config/ssl/ssl.key/miketan999.key for profile miketan999_clientssl_profile: error:0906A068:PEM routines:PEM_do_header:bad password read
I do have the passphrase for the cert, but do not know where to put it in before calling the i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs);
Any thoughts? Please refer to the question titled as 'PEM routines:PEM_do_header:bad password read' that I have posted earlier.
Thanks,
Mike Tan
- Jonathan_Scholi
Cirrostratus
That's interesting, I was going to suggest using the set_passphrase() method, but that won't work until you've already successfully created the profile, and the create() method doesn't let you pass the passphrase. I wonder if it's possible to set the key and cert to the default, then set the passphrase, then set the correct key and cert. If not, you might have to use openssl to decrypt the cert and key, so that you won't need the passphrase when creating the SSL profile.
- Fuchan_Tan_3092
Nimbostratus
The objective is to convert the following tcl script by using Java iControl:
profile clientssl ${CreateClientSslProfile.ProfileName} {
defaults from clientssl
key "${CreateClientSslProfile.SslKeyFile}"
cert "${CreateClientSslProfile.SslCertFile}"
chain "${CreateClientSslProfile.SslChainFile}"
passphrase "${CreateClientSslProfile.SslPassPhrase}"
}
The issue is when to set the passphrase. Do you set the passphrase before or after the call - i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs)?
I tried calling i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs), but I am getting a "PEM routines:PEM_do_header:bad password read" error.
I also tried to set the passphrase first before calling i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs), but I got a "profile does not exist" error.
- Fuchan_Tan_3092
Nimbostratus
Update - my cert and keys are working, I am just converting from big pipe commands to Java iControl.
- hoolio
Cirrostratus
There's a request to add support for a clientssl profile private key passphrase in BZ383104 - (iControl needs to have a provision for password when creating a client-ssl profile.).
You could open a case with F5 Support and ask to have your case attached to the BZ ID. This will help raise the visibility of the new feature.
Aaron
- Fuchan_Tan_3092
Nimbostratus
Case C1093429 has been opened with F5 support.
- hoolio
Cirrostratus
Hi Mike,
I think there might be a fix available for this issue on 10.2.4. I suggest contacting F5 Support again for details on BZ383104.
Aaron
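A pre-flight check for the failure discussed in this thread, as an added example that is not part of any post and not iControl SDK code: it reads a PEM key's headers to tell whether the key is passphrase-protected, the condition under which create() returned "PEM_do_header:bad password read" here. The class name, enum and sample PEM text are assumptions constructed for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

// Added example: class, enum and sample data are hypothetical, not iControl code.
public class PemKeyPreflight {
    enum KeyState { ENCRYPTED_TRADITIONAL, ENCRYPTED_PKCS8, UNENCRYPTED, NO_PRIVATE_KEY }

    // Classify the first private-key block found in the PEM text.
    static KeyState classify(List<String> pemLines) {
        boolean inKey = false;
        for (String raw : pemLines) {
            String line = raw.trim();
            if (line.startsWith("-----BEGIN ") && line.endsWith("PRIVATE KEY-----")) {
                // PKCS#8 marks encryption in the BEGIN label itself.
                if (line.equals("-----BEGIN ENCRYPTED PRIVATE KEY-----")) {
                    return KeyState.ENCRYPTED_PKCS8;
                }
                inKey = true;
                continue;
            }
            if (!inKey) continue;
            // Traditional OpenSSL format marks it in an RFC 1421 style header.
            if (line.startsWith("Proc-Type:") && line.contains("ENCRYPTED")) {
                return KeyState.ENCRYPTED_TRADITIONAL;
            }
            // Headers end at a blank line or at the first base64 line (no colon).
            if (line.isEmpty() || !line.contains(":")) return KeyState.UNENCRYPTED;
        }
        return inKey ? KeyState.UNENCRYPTED : KeyState.NO_PRIVATE_KEY;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {   // check a real file, e.g. a key about to be uploaded
            System.out.println(classify(Files.readAllLines(Path.of(args[0]))));
            return;
        }
        // Constructed samples; the base64 bodies are placeholders, not real keys.
        List<String> traditional = List.of("-----BEGIN RSA PRIVATE KEY-----",
            "Proc-Type: 4,ENCRYPTED", "DEK-Info: DES-EDE3-CBC,0011223344556677", "",
            "Q09OU1RSVUNURUQ=", "-----END RSA PRIVATE KEY-----");
        List<String> pkcs8 = List.of("-----BEGIN ENCRYPTED PRIVATE KEY-----",
            "Q09OU1RSVUNURUQ=", "-----END ENCRYPTED PRIVATE KEY-----");
        List<String> plain = List.of("-----BEGIN RSA PRIVATE KEY-----",
            "Q09OU1RSVUNURUQ=", "-----END RSA PRIVATE KEY-----");
        for (List<String> sample : List.of(traditional, pkcs8, plain)) {
            System.out.println(classify(sample));
        }
    }
}
```

If the key is decrypted with openssl as suggested in the thread, the resulting file is protected only by filesystem permissions, so restrict who can read it.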
