mihaic
Dec 14, 2023

Need some help with an AS3 declaration

I have the declaration below. I get "│ Error: posting as3 config failed for tenants:(Tenant_01) with error: Tenant Creation failed"

I am trying to create 2 virtual servers, one HTTP and one HTTPS, that share 2 pools.

I had a working declaration that created the HTTP part.

Question: can iRules and other objects be shared between 2 virtual servers?

For iRules I use a URL as the source; can I do the same for the certificate and key?

 

{
    "class": "AS3",
    "action": "deploy",
    "persist": true,
    "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "${TENANT}-declaration",
        "label": "${TENANT}",
        "remark": "HTTP application",
        "updateMode" :"selective",
        "${TENANT}": {
            "class": "Tenant",
            "defaultRouteDomain": 0,
            "Shared": {
                "class": "Application",
                "template": "shared",
                "${POOL1}": {
                    "class": "Pool",
                    "loadBalancingMode":"${LB_MODE}",
                    "monitors": [
                        "${MONITOR}"
                    ],
                    "members": [
                        {
                            "servicePort": ${SERVICEPORT},
                            "serverAddresses": ${MEMBERS_1}                                              
                        }
                    ]
                },
                "${POOL2}": {
                    "class": "Pool",
                    "loadBalancingMode":"${LB_MODE}",
                    "monitors": [
                        "${MONITOR}"
                    ],
                    "members": [
                        {
                            "servicePort": ${SERVICEPORT},
                            "serverAddresses": ${MEMBERS_2}                                              
                        }
                    ]
                }                
            },
            "Application_1": {
                "class": "Application",
                "template": "Service_Generic",
                "${VIP_NAME}": {
                    "class": "Service_HTTP",
                    "virtualAddresses": [
                        "${VIP}"
                    ],
                    "virtualPort": 80,
                    "persistenceMethods": [
                        "${PERSISTANCE}"
                    ],
                    "profileTCP": "normal",
                    "profileHTTP": {
                        "use": "${HTTP_PROFILE}"
                    },
                    "snat": "auto",
                    "iRules": [
                        "${IRULE_NAME}"
                    ],
                    "pool": "/${TENANT}/Shared/${POOL1}"
                },
                "${HTTP_PROFILE}": {
                    "class": "HTTP_Profile",
                    "xForwardedFor": true
                },
                "${IRULE_NAME}": {
                    "class": "iRule",
                    "remark": "choose private pool based URI",
                    "iRule": {
                        "url": "${IRULE}"
                    }
                },
                "${VIP_NAME}": {
                    "class": "Service_HTTPS",
                    "virtualAddresses": [
                        "${VIP}"
                    ],
                    "virtualPort": 443,
                    "persistenceMethods": [
                        "${PERSISTANCE}"
                    ],
                    "profileTCP": "normal",
                    "profileHTTP": {
                        "use": "${HTTP_PROFILE}-secure"
                    },
                    "snat": "auto",
                    "iRules": [
                        "${IRULE_NAME}-secure"
                    ],
                    "pool": "/${TENANT}/Shared/${POOL1}",
                    "serverTLS": "webtls"
                },
                "${HTTP_PROFILE}-secure": {
                    "class": "HTTP_Profile",
                    "xForwardedFor": true
                },
                "${IRULE_NAME}-secure": {
                    "class": "iRule",
                    "remark": "choose private pool based URI",
                    "iRule": {
                        "url": "${IRULE}"
                    }
                },
                "webtls": {
                    "class": "TLS_Server",
                    "certificates": [{
                        "certificate": "${VIP_NAME}-cert"
                    }]
                },
                "${VIP_NAME}-cert": {
                    "class": "Certificate",
                    "remark": "in practice using a passphrase is recommended",
                    "certificate": {
                        "url": "${CERT_URL}"
                    },
                    "privateKey": {
                        "url": "${KEY_URL}"
                    }
                }
            }
        }
    }
}

 

  • See the article below on how to declare objects in the shared AS3 folder under the partition, like pools:

    Solved: AS3 referencing objects across applications - DevCentral (f5.com)

    If the 2 apps/virtual servers are in the same tenant, you can try the "use:" pointer to define the pool outside of the 2 virtual servers in the AS3 declaration.

    BIG-IP AS3 Declaration Purpose and Function (f5.com)

    "persistenceMethods": [ {"use": "mypersist"} ]
    "mypersist": {
        "class": "Persist",
        "persistenceMethod": "cookie",
        "cookieName": "MYCOOKIE"
    }

    Other than that, for certificates I have not tried using url, but I saw:

    TLS Encryption (f5.com)

    "pkcs12_crt_key_encr_url": {
        "class": "Certificate",
        "remark": "saves encr key in openssl format",
        "passphrase": {
            "ciphertext": "cGFzc3dvcmQ=",
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
            "ignoreChanges": true
        },
        "pkcs12Options": {
            "keyImportFormat": "openssl-legacy"
        },
        "pkcs12": {
            "url": "https://mycompany/certs/my_p12.p12"
        }
    },
    "pkcs12_crt_key_bundle": {
        "class": "Certificate",
        "remark": "multiple certs, no passphrase, ignore change on redeploy",
        "pkcs12Options": {
            "keyImportFormat": "openssl-legacy",
            "ignoreChanges": true
        },
        "pkcs12": {
            "url": "http://mycompany/certs/my_pfx.pfx"
        }
    }


      • JRahm (Admin)

        url works (here and for other things like policies) but keep in mind that when using url it is not idempotent. It'll run every time even without changes, which can make AS3 apply operations longer than needed and touch config you were not expecting, like if only adding a pool member IP.

        H/T Matt Stovall on that nugget.
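
An added example, not code from the thread or from F5: a pre-flight check over a rendered (post-templating) declaration that reports object names repeated inside one JSON object, lists every `url` reference (the sources JRahm describes as re-run on each apply), and flags certificate or key material fetched over anything other than HTTPS. The sample fragment, the `repo.example` host and the `lint` function are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a rendered tenant fragment, not the poster's actual file.
SAMPLE = """
{
  "Application_1": {
    "class": "Application",
    "vs_web": {"class": "Service_HTTP", "virtualPort": 80},
    "vs_web": {"class": "Service_HTTPS", "virtualPort": 443, "serverTLS": "webtls"},
    "web_irule": {"class": "iRule", "iRule": {"url": "https://repo.example/rules/pool.tcl"}},
    "web_cert": {"class": "Certificate",
      "certificate": {"url": "https://repo.example/certs/web.crt"},
      "privateKey": {"url": "http://repo.example/certs/web.key"}}
  }
}
"""

def lint(text):
    """Return (duplicate_keys, url_refs, findings) for a rendered AS3 JSON document."""
    dupes, url_refs, findings = [], [], []

    def pairs_hook(pairs):
        # json.loads passes each object's raw key/value pairs before they collapse into a dict.
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)

    def walk(node, path, cls):
        # cls is the nearest enclosing AS3 "class", so a url is tied to its owning object.
        if isinstance(node, dict):
            cls = node.get("class", cls)
            url = node.get("url")
            if isinstance(url, str):
                url_refs.append((path, cls, url))
                scheme = urlparse(url).scheme
                if cls == "Certificate" and scheme != "https":
                    findings.append(f"{path}: key material fetched over {scheme or 'no scheme'}")
            for key, value in node.items():
                walk(value, f"{path}/{key}", cls)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]", cls)

    walk(json.loads(text, object_pairs_hook=pairs_hook), "", None)
    findings += [f"duplicate key {k!r}: only the last value survives parsing here" for k in dupes]
    return dupes, url_refs, findings
```

Run it against the output of the templating step, since unquoted placeholders such as `${SERVICEPORT}` are not valid JSON until they are substituted.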