

lnxgeek
Oct 08, 2023
Solved

Modify SSL profiles via REST API

Hi wiz's

I have been spending some time on automating certificate maintenance.

This has brought my attention to this documentation: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_profile_client-ssl.html

In the table describing "cert", "chain" and "key" it states in the notes that they are deprecated and I should use the certKeyChain option instead.

However, no matter what calls I construct to make changes to an already existing clientssl profile (PATCH and PUT), I'm told:

{"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1}

Example code:

curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/ --header 'Content-Type: application/json' --data-raw '{
    "name":"sletmig",
    "certKeyChain":[{"name":"default","cert":"hest.dk_2023","key":"hest.dk_2023","chain":"My_CA"}]
}'
{"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1}

I can make the change via this syntax:

curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/~Common~sletmig -H "Content-Type: application/json" -d '{
  "key":"/Common/hest.dk_2023",
  "cert":"/Common/hest.dk_2023",
  "chain":"/Common/My_CA"
}' | jq

Do I read the documentation wrong or am I missing something else?

JRahm any hints?

 

  • Hi lnxgeek that's correct, you can't PATCH a collection, just the resources within that collection. From that doc, the methods supported are shown on the resource, not the collection:

    Resource URI
    /mgmt/tm/ltm/profile/client-ssl/~resource id
    Resource Methods
    OPTIONS, GET, PUT, PATCH, DELETE, POST

    Let me know if I'm misunderstanding the issue. Also, check your DM, I sent you something that might be of interest to you, but I'm equally interested in your test feedback if you have the time to check it out.
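
The collection-versus-resource distinction from the answer above, as an added example that is not part of the original thread: it builds the resource URI (`~Common~sletmig`) and a `certKeyChain` body from full object paths, and refuses any profile path that would leave the request aimed at the collection. The host name and `ca.pem` are constructed placeholders, and it is an assumption here that the resource accepts the `certKeyChain` body from the question.

```shell
#!/usr/bin/env bash
# Added example: build a resource-level PATCH for a client-ssl profile.
# Object names are the ones from the question; the host is constructed.

# /Common/sletmig -> ~Common~sletmig (iControl REST resource id).
# Fails on anything that would leave the URL pointing at the collection.
resource_id() {
  case "$1" in
    /*/*) ;;                       # need /partition/name at minimum
    *) echo "need full path like /Common/name: '$1'" >&2; return 1 ;;
  esac
  case "$1" in                     # no trailing slash, no JSON/URL metacharacters
    */|*[!A-Za-z0-9_./-]*) echo "bad object path: '$1'" >&2; return 1 ;;
  esac
  printf '%s' "$1" | tr '/' '~'
}

profile_uri() {  # $1=host  $2=profile full path
  local id
  id=$(resource_id "$2") || return 1
  printf 'https://%s/mgmt/tm/ltm/profile/client-ssl/%s' "$1" "$id"
}

# certKeyChain body with full object paths; $1=cert $2=key $3=chain
ckc_body() {
  local p
  for p in "$@"; do resource_id "$p" >/dev/null || return 1; done
  printf '{"certKeyChain":[{"name":"default","cert":"%s","key":"%s","chain":"%s"}]}' \
    "$1" "$2" "$3"
}

# Sends the PATCH. Assumes $TOKEN is set and ca.pem (hypothetical file)
# holds the CA that signed the management certificate, replacing -k.
patch_profile() {  # $1=host $2=profile $3=cert $4=key $5=chain
  local uri body
  uri=$(profile_uri "$1" "$2") || return 1
  body=$(ckc_body "$3" "$4" "$5") || return 1
  curl -s --cacert ca.pem -H "X-F5-Auth-Token: $TOKEN" \
    -H 'Content-Type: application/json' -X PATCH "$uri" -d "$body"
}

# Dry run: show what would be sent, without contacting a device.
profile_uri bigip.example.test /Common/sletmig; echo
ckc_body /Common/hest.dk_2023 /Common/hest.dk_2023 /Common/My_CA; echo
```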

5 Replies

    • Hi JRahm 

      In that context it makes sense.

      But does that mean that my working example (don't know what to call it 😀) shouldn't be considered deprecated?

      I don't want to work down a future dead end 😆

      • JRahm (Admin)

        What version of TMOS are you running? If you've tested on 17.1.x and it's working, it will go away on BIG-IP. That said, the APIs for BIG-IP Next are different and will connect to Central Manager, not the Next instances directly.