Forum Discussion

Fuchan_Tan_3092
Mar 22, 2012

How to create LocalLBProfileClientSSL?

Hello,

Has anyone successfully created LocalLBProfileClientSSL?

Thanks,

Mike Tan

  • Yes. In Java you can do something like:

    String[] clientSSLProfileNameArray = new String[] {"(Name of the profile goes here)"};
    LocalLBProfileString key = new LocalLBProfileString();
    LocalLBProfileString cert = new LocalLBProfileString();

    key.setValue("Name of the key goes here" + ".key");
    cert.setValue("Name of the cert goes here" + ".crt");

    iControlInterfaces.getLocalLBProfileClientSSL().create(clientSSLProfileNameArray, new LocalLBProfileString[] {key}, new LocalLBProfileString[] {cert});
  • Thank you for the input.

    Here is what I did

    /* both /config/ssl/ssl.key/miketan999.key and /config/ssl/ssl.crt/miketan999.crt are in place */
    iControl.LocalLBProfileString[] keys = new iControl.LocalLBProfileString[1];
    keys[0] = new iControl.LocalLBProfileString();
    keys[0].setValue("miketan999.key");

    iControl.LocalLBProfileString[] certs = new iControl.LocalLBProfileString[1];
    certs[0] = new iControl.LocalLBProfileString();
    certs[0].setValue("miketan999.crt");

    i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs);

    But I am getting the following error -

    AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server faultSubcode: faultString: Exception caught in LocalLB::urn:iControl:LocalLB/ProfileClientSSL::create() Exception: Common::OperationFailed primary_error_code : 17236755 (0x01070313) secondary_error_code : 0 error_string : 01070313:3: Error reading key PEM file /config/ssl/ssl.key/miketan999.key for profile miketan999_clientssl_profile: error:0906A068:PEM routines:PEM_do_header:bad password read faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:Exception caught in LocalLB::urn:iControl:LocalLB/ProfileClientSSL::create() Exception: Common::OperationFailed primary_error_code : 17236755 (0x01070313) secondary_error_code : 0 error_string : 01070313:3: Error reading key PEM file /config/ssl/ssl.key/miketan999.key for profile miketan999_clientssl_profile: error:0906A068:PEM routines:PEM_do_header:bad password read

    I do have the passphrase for the cert, but do not know where to put it in before calling the i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs);

    Any thoughts? Please refer to the question titled 'PEM routines:PEM_do_header:bad password read' that I have posted earlier.

    Thanks,

    Mike Tan

  • That's interesting, I was going to suggest using the set_passphrase() method, but that won't work until you've already successfully created the profile, and the create() method doesn't let you pass the passphrase. I wonder if it's possible to set the key and cert to the default, then set the passphrase, then set the correct key and cert. If not, you might have to use openssl to decrypt the cert and key, so that you won't need the passphrase when creating the SSL profile.
  • The objective is to convert the following tcl script by using Java iControl:

    profile clientssl ${CreateClientSslProfile.ProfileName} {
        defaults from clientssl
        key "${CreateClientSslProfile.SslKeyFile}"
        cert "${CreateClientSslProfile.SslCertFile}"
        chain "${CreateClientSslProfile.SslChainFile}"
        passphrase "${CreateClientSslProfile.SslPassPhrase}"
    }

    The issue is when to set the passphrase. Do you set the passphrase before or after the call - i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs)?

    I tried calling i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs), but I am getting the "PEM routines:PEM_do_header:bad password read" error.

    I also tried to set the passphrase first before calling i_interfaces.getLocalLBProfileClientSSL().create(profile_names, keys, certs), but I got a profile does not exist error.

  • Update - my cert and keys are working, I am just converting from big pipe commands to Java iControl.

  • There's a request to add support for a clientssl profile private key passphrase in BZ383104 - (iControl needs to have a provision for password when creating a client-ssl profile.).

    You could open a case with F5 Support and ask to have your case attached to the BZ ID. This will help raise the visibility of the new feature.

    Aaron

  • Hi Mike,

    I think there might be a fix available for this issue on 10.2.4. I suggest contacting F5 Support again for details on BZ383104.

    Aaron
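
Added example, not part of the thread and not F5's code: a Java pre-flight check that reports whether a PEM private key is passphrase-protected before its name is passed to create(), which per the replies above has no passphrase argument. The class, enum and method names are hypothetical, and the sample PEM text is constructed (header layout only, not a real key).

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PemKeyPreflight {
    enum Protection { UNENCRYPTED, ENCRYPTED_TRADITIONAL, ENCRYPTED_PKCS8, NOT_A_PRIVATE_KEY }

    private static final Pattern BEGIN = Pattern.compile(
        "^-----BEGIN ((?:RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY)-----\\s*$");

    static Protection classify(String pem) {
        String[] lines = pem.split("\\r?\\n");
        for (int i = 0; i < lines.length; i++) {
            Matcher m = BEGIN.matcher(lines[i]);
            if (!m.matches()) continue;
            // PKCS#8 marks encryption in the BEGIN label itself.
            if (m.group(1).startsWith("ENCRYPTED")) return Protection.ENCRYPTED_PKCS8;
            // Traditional format: Proc-Type/DEK-Info headers (the ones OpenSSL's
            // PEM_do_header processes) sit between BEGIN and the first blank line.
            for (int j = i + 1; j < lines.length; j++) {
                String line = lines[j].trim();
                if (line.isEmpty() || line.startsWith("-----END")) break;
                if (line.replace(" ", "").equalsIgnoreCase("Proc-Type:4,ENCRYPTED"))
                    return Protection.ENCRYPTED_TRADITIONAL;
            }
            return Protection.UNENCRYPTED;
        }
        return Protection.NOT_A_PRIVATE_KEY;
    }

    public static void main(String[] args) {
        // Constructed samples: header layout only, the bodies are not real keys.
        String encrypted = String.join("\n",
            "-----BEGIN RSA PRIVATE KEY-----",
            "Proc-Type: 4,ENCRYPTED",
            "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF",
            "",
            "Q09OU1RSVUNURUQgU0FNUExF",
            "-----END RSA PRIVATE KEY-----");
        String plain = String.join("\n",
            "-----BEGIN RSA PRIVATE KEY-----",
            "Q09OU1RSVUNURUQgU0FNUExF",
            "-----END RSA PRIVATE KEY-----");
        for (String pem : new String[] {encrypted, plain}) {
            Protection p = classify(pem);
            System.out.println(p + (p.name().startsWith("ENCRYPTED")
                ? ": needs a passphrase, which create() cannot take"
                : ": no passphrase needed to read this key"));
        }
    }
}
```

If a key is decrypted to get past this, as one reply suggests, the private key then sits unprotected on disk, so its file permissions become the only control on it.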