Forum Discussion

Cole's avatar
Cole
Icon for Nimbostratus rankNimbostratus
Mar 16, 2021

Strategy for updating large amount of SSL profiles associated with a single virtual server

I'm looking to shed some of the older ciphers that are a part of the DEFAULT cipher string in our SSL profiles. The problem is, we host quite a few SSL profiles (100+) with a single virtual server. I discovered that I'm unable to update a single profile that's applied to a virtual server that has others with a (then) mismatched security policy. The support article from F5 says that I will have to remove all of the client SSL profiles from the server, update them all, and then re-add them all back. (https://support.f5.com/csp/article/K04316654)

 

Is it possible that something like this could be scripted so that 1) I can reduce the amount of hand-work editing each of these individual profiles and 2) more importantly reduce the maintenance window that I'll inevitably need to schedule as removing the profiles will cause an interruption in my production web traffic.

 

Or any other angles to this that I'm not seeing that might make this a smoother adjustment?

 

 

 

  • eey0re's avatar
    eey0re
    Icon for Cirrostratus rankCirrostratus

    My 14.1.4 lets me - what version are you on, and is it just the ciphers you are changing or something else too?

     

    Anyway, there here a few options:

     

    1. Use a custom parent profile.

     

    With over 100 profiles, using a custom parent profile for them all is a really good idea so that you can manage the shared settings in one place. Do not modify the base profile (/Common/clientssl).

     

    Start by creating a profile that customises nothing, and still has the "DEFAULT" cipher string. Then edit each profile to use that new profile as a parent, and uncheck the Cipher custom checkbox (right-hand side) to inherit the ciphers. Finally, edit the ciphers in the parent profile.

     

    Docs: LTM Profiles Reference - The custom profile as the parent profile

     

     

    2. Transactions in TMSH

     

    Run "create /cli transaction", then all your "modify ltm profile client-ssl" commands, then "submit /cli transaction"

     

     

    3. Transactions in iControlREST. The same can be achieve with the REST API, but this needs some dev skills. See DevCentral article: Demystifying iControl REST Part 7 - Understanding Transactions.

     

     

    4. Load config merge. Use TMSH to "list" all your profiles, edit them in a text editor, then merge them back in using: load /sys config from-terminal merge

     

    I hope one of these options works for you.