Forum Discussion

DustinW
Aug 15, 2019
Solved

TMSH/Bash command to check which SAML: BIG-IP as IdP profile is using a specific SSL certificate

I have multiple IdP profiles using the same SSL certificate. Is there a command I can run to list the IdP profiles associated to specific certificate.

This would be similar to running 'tmsh list ltm virtual all one-line | grep [ssl-profile-name]' to find what VS a SSL Profile is bound to...

Cheers,

15 Replies

  • JG
    tmsh -q -c "cd /; list /apm sso saml idp-certificate | grep cert

     Or something like this.

    • DustinW

      Thanks for the above, but this doesn't seem to do what I require..

      The above shows which LTM SSL profile the certificate is bound to but doesn't specify the APM Access Policy ›› SAML : BIG-IP as IdP profile/s related to the certificate name.

      Any more ideas?

    • DustinW

      Thanks for prompt reply... I'm probably doing something wrong but the above is not giving me any results even though I know there are IdP profiles associated to the certificate.

      In your above command I'm guessing I exchange 'cert' for the certificate name I'm querying, but when I hit enter it just prompts to a new line '>'.

      Even if I switch 'idp-certificate' with the certificate name I receive the same result; new line '>' like it's waiting for input?

      Trying to fit my query into your command I'd be trying to: list the apm sso saml idp-profiles that contain 'specific certificate name' as the 'Signing Certificate' located in the 'IdP Service' 'Security Settings'.

      I hope I'm explaining this correctly. Sorry for any confusion.

  • JG

    What do you get with just this:

    tmsh -q -c "cd /; list /apm sso saml idp-certificate"

    ?

    • DustinW

      [username_admin@F5Name:Active:In Sync] ~ # tmsh -q -c "cd /; list /apm sso saml idp-certificate

      • JG

        Sorry, there was a typo.

  • Yeah okay, so now it seems to run, although I receive no results..

    Trying your original command with the added " I get the below. Have tried without .crt with same result.

    [username_admin@F5:Active:In Sync] ~ # tmsh -q -c "cd /; list /apm sso saml idp-certificate | grep CertificateName.crt"
     Syntax Error: unexpected argument "|"

    Thanks for your time on this.. I have a fair few certs that are used against multiple IdP profiles and I don't want to manually go into each profile to confirm 'Security Settings' of the IdP profile.

  • JG
    tmsh -q -c "cd /; list /apm sso saml idp-certificate" | grep CertificateName.crt
    • DustinW

      OK we're getting somewhere now... that runs but nothing written to screen and no results look to be written to the device. Again tried with/without .crt and I'm positive that the certificate is used in the 'Security Settings' for multiple IdP profiles...

    • DustinW

      JG, just responding to your last reply I got via email (not sure why it didn't show in this forum chain?). You asked whether the below shows all objects related to SAML:

      tmsh -q -c "cd /; list /apm sso saml recursive"

      I've run the above and it does list all the APM SSO SAML profiles and the profile settings which includes the certificate used.

      I guess I can export this to file and massage the data to list only my requirements or I might be able to hack the query a bit to only show the required data.

      I'm pretty happy with this unless you can help further without too much hassle. Your time/effort is very much appreciated.

      • JG

        You can limit the output of the display to the idp-certificate attribute only, with:

        tmsh -q -c list apm sso saml idp-certificate

        but only if you are already in the partition /Common, for "recursive" is not available to this syntax.

        You could also use "grep" on the output of:

            tmsh -q -c "cd /; list /apm sso saml recursive"

        If you could share the output of this command, we can work out the exact syntax of grep for your use.

  • JG

    Would the following work for you:

    tmsh -q -c "cd /; list /apm sso saml recursive" | grep -E '(idp-certificate|saml-profiles)'

    ?

    • DustinW

      Def looking better. The above retrieves me a list of 'entity-ids' that use the specified 'idp-certificate'.

      I can pretty easily match these to the IdP profiles. I'm pretty happy with this result and am happy to continue to use the above to search the profiles moving forward. Your help with this is appreciated.

      Cheers.
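To turn the recursive listing into a direct answer to the original question (IdP services per signing certificate, with or without the .crt suffix), here is an added example that is not part of the thread: a shell function that parses the output of the command JG suggested and prints each "apm sso saml" object, with its entity-id, whose idp-certificate matches the certificate given. The tmsh output below is a constructed sample, and the object, entity-id and certificate names are assumptions.

```shell
#!/bin/sh
# Constructed sample of what `tmsh -q -c "cd /; list /apm sso saml recursive"` prints
# on a BIG-IP; the object names, entity-ids and certificate names are assumptions.
SAMPLE_TMSH_OUTPUT='apm sso saml /Common/idp-svc-a {
    entity-id https://idp-a.example.test/saml/idp
    idp-certificate /Common/signing-2019.crt
    idp-key /Common/signing-2019.key
}
apm sso saml /Common/idp-svc-b {
    entity-id https://idp-b.example.test/saml/idp
    idp-certificate /Common/other.crt
    idp-key /Common/other.key
}
apm sso saml /Partition1/idp-svc-c {
    entity-id https://idp-c.example.test/saml/idp
    idp-certificate /Common/signing-2019.crt
    idp-key /Common/signing-2019.key
}
apm sso saml-sp-connector /Common/sp-conn {
    entity-id https://sp.example.test/saml/sp
}'

# idp_by_cert CERT: read tmsh "list ... recursive" output on stdin and print one
# "idp-service<TAB>entity-id" line per "apm sso saml" object whose idp-certificate
# has basename CERT (the ".crt" suffix and the partition prefix are optional).
idp_by_cert() {
    awk -v want="$1" '
        BEGIN { n = split(want, p, "/"); want = p[n]; sub(/\.crt$/, "", want) }
        # top-level IdP service header: remember the object name, reset state
        /^apm sso saml \// { name = $4; eid = ""; cert = ""; next }
        /^apm sso /        { name = ""; next }     # SP connectors etc. are skipped
        name != "" && $1 == "entity-id"       { eid = $2 }
        name != "" && $1 == "idp-certificate" { cert = $2 }
        /^}/ && name != "" {
            n = split(cert, p, "/"); base = p[n]; sub(/\.crt$/, "", base)
            if (base == want) printf "%s\t%s\n", name, eid
            name = ""
        }'
}

# Stand-alone demo on the constructed sample; on a BIG-IP you would pipe the real
# command instead:  tmsh -q -c "cd /; list /apm sso saml recursive" | idp_by_cert CERT
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | idp_by_cert signing-2019.crt
```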