Forum Discussion

Vikneswaran_709
Nov 29, 2017

Reporting : Virtual Server - SSL Certificate Mapping

I have a requirement to capture the virtual server along with client & server SSL profile details in an Excel sheet. Please let me know the options to get it in Excel. The number of virtual servers configured in LTM is 225.

 

Report should be like in the below format:

 

S.No - Virtual Server - Client SSL Profile - Server SSL Profile

 

  • So pulled together a quick python 2.x script you can run directly on your F5 from Bash.

    It will output commented list of Virtual Server Name, Client SSL Profiles, Server SSL Profiles (SSL Profiles will be a spaced list)

    Save the following script to a file on your F5 e.g. name the file ssl_profile.py, then run with the following:

    python ssl_profile.py > output.csv
    

    The outputted file output.csv will be a basic file containing the info you need.

    HUGE NOTE: this is doing a very basic string compare so expect false positives if you have overlapping profile names. I got the default profiles clientssl and serverssl listed in almost every virtual server as all the SSL Profiles contain one of these in their name.

    Script is as follows, hope it helps. If it does help please up vote my answer 😄

    #!/usr/bin/python
    import subprocess
    import re
    
    def get_partitions(output):
        return [line for line in
                [re.sub(r'auth partition | {0,}\{| {0,}\}|descri.*', '', line.strip()) for line in output.splitlines()]
                if line]
        
    def run_command(cmd):
        process = subprocess.Popen(cmd.split(), stdout=subprocess.PIPE)
        output, error = process.communicate()
        if not error:
            return output
        
    def get_client_ssl_profiles(partition):
        for line in run_command('tmsh list ltm profile client-ssl /'+partition+'/* one-line').splitlines():
            reClientSslProfile = re.search(r'^ltm profile client-ssl (.*?) ', line)
            if reClientSslProfile:
                yield reClientSslProfile.group(1)
    
    def get_server_ssl_profiles(partition): 
        for line in run_command('tmsh list ltm profile server-ssl /'+partition+'/* one-line').splitlines():
            reServerSslProfile = re.search(r'^ltm profile server-ssl (.*?) ', line)
            if reServerSslProfile:
                yield reServerSslProfile.group(1)
                
    def get_virutalservers(partition): 
        for line in run_command('tmsh list ltm virtual /'+partition+'/* one-line').splitlines():
            reVS = re.search(r'^ltm virtual (.*?) ', line)
            if reVS:
                yield reVS.group(1)
                
    def ssl_profile_used_by_vs(vs, sslProfile):
        return sslProfile in run_command('tmsh list ltm virtual '+vs+' one-line')
    
    def printCSV(vsDist):
        print('Virtual Server, Client SSL, Server SSL')
        for k, v in vsDist.items():
            print k + ', ',
            print ' '.join(v['clientssl'])+', ',
            print ' '.join(v['serverssl'])+', '
    
    if __name__ == "__main__":
        clientSslProfiles = []
        serverSslProfiles = []
        virtualServers = {}
        partitions = get_partitions(run_command('tmsh list auth partition'))
        for partition in partitions:
            for profile in get_client_ssl_profiles(partition):
                clientSslProfiles.append(profile)
            for profile in get_server_ssl_profiles(partition):
                serverSslProfiles.append(profile)
            for vs in get_virutalservers(partition):
                virtualServers[vs] = {'clientssl': [], 'serverssl': []}
                
        for vs in virtualServers.keys():
            vsCmd = run_command('tmsh list ltm virtual '+vs+' one-line')
            virtualServers[vs]['clientssl'] = [profile for profile in clientSslProfiles if profile in vsCmd]
            virtualServers[vs]['serverssl'] = [profile for profile in serverSslProfiles if profile in vsCmd]
        
        printCSV(virtualServers)
    
  • The difficulty here is the SSL profiles, as under the Virtual configuration they are simply listed as their profile name, so you could have a profile named 'clientsidestuff' but you have no idea what that is until you look at it.

    If all your SSL profile names have something common in them like 'serverssl' and 'clientssl' in them then can use that to help identify them in the Virtual configuration, so you can run the following from Bash:

    tmsh list ltm virtual /partition/* | egrep 'ltm|clientssl|serverssl' | sed 's/ {//; s/ltm virtual //'
    

    If you have multiple partitions then likely need to run per partitions or wildcard the partition name, e.g.:

    tmsh list ltm virtual /prod*/* | egrep 'ltm|clientssl|serverssl' | sed 's/ {//; s/ltm virtual //'
    

    This will give you an output of similar to the following:

    /prod_web/north_en01.web.intranet_vs_443
            /prod_web/clientssl_prod_web_en01
            /prod_web/serverssl_prod_web_en01
    /prod_web/north_en02.web.intranet_vs_80_redir
    /prod_web/north_en03.web.intranet_vs_443
            /prod_web/north_en01.web_clientssl
            /prod_web/north_en01.web_serverssl
    

    Should be able to arrange this into a spreadsheet. Recommend putting the output into something like Notepad++, where you can do a search and replace with regex (search '\n ' replace with '\t'), then should be able to cut and paste into Excel.

    I also do have an old python script to do a similar thing but I will need to find it in my archives and see if it works.

  • Kevin_K_51432
    Historic F5 Account

    Greetings,

    You might try the one-line option and filter the configuration (by row) using awk. For example, virtual server ssl_one is using profile_one on the clientside and profile_two on the serverside:
    tmsh list ltm virtual one-line | awk '{print $3, $15, $20}'
    
    ssl_one profile_one profile_two
    

    Viewed in the typical manner:

    tmsh list ltm virtual ssl_one
    ltm virtual ssl_one {
        destination 10.12.23.123:https
        ip-protocol tcp
        mask 255.255.255.255
        pool quick_pool
        profiles {
            profile_one {
                context clientside
            }
            profile_two {
                context serverside
            }
            tcp { }
        }
    

    Hope this is somewhat helpful!

    Kevin
    • Samir_Jha_52506

      @Kevin, if the position is fixed then you can easily grep the profile with the help of the awk command. Else manual work is required to gather the information.
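
An exact-match alternative that avoids both problems raised in this thread (the substring false positives noted with the script, and awk's dependence on fixed column positions), as an added example that is not code from any of the posters: it walks the `profiles { }` block of each one-line record and compares whole names against sets. The sample records and the `CLIENT_SSL`/`SERVER_SSL` sets are constructed; in practice the sets would be filled from the `tmsh list ltm profile client-ssl` and `server-ssl` listings the script above already queries.

```python
from __future__ import print_function
import csv
import sys

# Constructed sample of `tmsh list ltm virtual one-line` output.
SAMPLE = """\
ltm virtual ssl_one { destination 10.12.23.123:https ip-protocol tcp mask 255.255.255.255 pool quick_pool profiles { profile_one { context clientside } profile_two { context serverside } tcp { } } }
ltm virtual /prod_web/north_en01.web.intranet_vs_443 { description "main site" destination 10.12.23.124:https profiles { /prod_web/clientssl_prod_web_en01 { context clientside } /prod_web/serverssl_prod_web_en01 { context serverside } http { } tcp { } } }
ltm virtual /prod_web/north_en02.web.intranet_vs_80_redir { destination 10.12.23.124:http profiles { http { } tcp { } } }
"""
# Constructed profile name sets, spelled as they appear inside the virtuals.
CLIENT_SSL = {'clientssl', 'profile_one', '/prod_web/clientssl_prod_web_en01'}
SERVER_SSL = {'serverssl', 'profile_two', '/prod_web/serverssl_prod_web_en01'}

def profiles_of(line):
    """Return (virtual_name, [profile names]) for one record, else None."""
    tok = line.split()
    if len(tok) < 4 or tok[:2] != ['ltm', 'virtual']:
        return None
    names = []
    # Find the "profiles {" pair wherever it sits; no fixed column is assumed.
    start = next((i + 2 for i in range(3, len(tok) - 1)
                  if tok[i] == 'profiles' and tok[i + 1] == '{'), None)
    if start is None:
        return tok[2], names
    depth, i = 1, start
    while i < len(tok) and depth > 0:
        if tok[i] == '{':
            depth += 1
        elif tok[i] == '}':
            depth -= 1
        elif depth == 1:          # directly inside profiles { }: a profile name
            names.append(tok[i])
        i += 1
    return tok[2], names

def inventory(text, client_ssl, server_ssl):
    """Rows of (virtual, client SSL profiles, server SSL profiles)."""
    rows = []
    for line in text.splitlines():
        parsed = profiles_of(line)
        if parsed:
            vs, names = parsed
            rows.append((vs, [n for n in names if n in client_ssl],
                         [n for n in names if n in server_ssl]))
    return rows

if __name__ == '__main__':
    out = csv.writer(sys.stdout)
    out.writerow(['S.No', 'Virtual Server', 'Client SSL Profile', 'Server SSL Profile'])
    for n, (vs, cli, srv) in enumerate(inventory(SAMPLE, CLIENT_SSL, SERVER_SSL), 1):
        out.writerow([n, vs, ' '.join(cli), ' '.join(srv)])
```

Because membership is tested on whole names, the default clientssl and serverssl profiles are not reported for virtual servers that only use profiles whose names contain those strings.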

  • While running this script it is giving an error.

     File "ssl_profile.py", line 1
      !/usr/bin/python
      ^
    SyntaxError: invalid syntax

    Since I am very bad at scripting, I cannot find what the issue is.