Forum Discussion
TMSH/Bash command to check which SAML: BIG-IP as IdP profile is using a specific SSL certificate
- Aug 16, 2019
Would the following work for you?
tmsh -q -c "cd /; list /apm sso saml recursive" | grep -E '(idp-certificate|saml-profiles)'
tmsh -q -c "cd /; list /apm sso saml idp-certificate" | grep CertificateName.crt
- DustinW, Aug 15, 2019
Nimbostratus
OK, we're getting somewhere now... that runs, but nothing is written to screen and no results look to be written to the device. Again, tried with/without .crt, and I'm positive that the certificate is used in the 'Security Settings' for multiple IdP profiles...
- DustinW, Aug 15, 2019
Nimbostratus
JG, just responding to your last reply, which I got via email (not sure why it didn't show in this forum chain?). You asked whether the below shows all objects related to SAML:
tmsh -q -c "cd /; list /apm sso saml recursive"
I've run the above and it does list all the APM SSO SAML profiles and the profile settings, which include the certificate used.
I guess I can export this to a file and massage the data to list only my requirements, or I might be able to hack the query a bit to only show the required data.
I'm pretty happy with this unless you can help further without too much hassle. Your time and effort are very much appreciated.
- JG, Aug 15, 2019
Cumulonimbus
You can limit the output of the display to the idp-certificate attribute only, with:
tmsh -q -c list apm sso saml idp-certificate
but only if you are already in the partition /Common, for "recursive" is not available to this syntax.
You could also use "grep" on the output of:
tmsh -q -c "cd /; list /apm sso saml recursive"
If you could share the output of this command, we can work out the exact syntax of grep for your use.
- DustinW, Aug 15, 2019
Nimbostratus
Hello JG, please find below a 'sanitized' version of the output I received for 2 IdP profiles which use the same certificate. Ideally, what I want to be able to do is either just list all the 'apm sso saml' profiles and the 'idp-certificate' associated with them (which we have, although including the surrounding data; not a huge issue for me),
or somehow search for a specific certificate name and list the 'apm sso saml' profiles associated with that specific certificate.
[UserName_admin@F5-Name:Active:In Sync] ~ # tmsh -q -c "cd /; list /apm sso saml recursive"
apm sso saml Common/iDP-ProfileName-1 {
    description "IdP Service-1"
    entity-id https://idp-1.domain.com
    idp-certificate Common/idp.domain.com.crt
    idp-signkey Common/idp.domain.com.key
    saml-profiles { web-browser-sso }
    sp-connectors { Common/sp_ext_domain }
    subject-type transient
    subject-value "%{session.logon.last.logonname}"
}
apm sso saml Common/iDP_ProfileName-2 {
    description "IdP Service-2"
    entity-id https://idp-2.domain.com
    idp-certificate Common/idp.domain.com.crt
    idp-signkey Common/idp.domain.com.key
    saml-profiles { web-browser-sso }
    sp-connectors { Common/sp_ext_domain }
    subject-type transient
    subject-value "%{session.logon.last.logonname}"
}
Again, thanks for your time.
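The "list recursive, then grep" approach JG suggests has one gap for the second of DustinW's two wishes: grepping only for idp-certificate drops the profile name, which sits on the line that opens each object's block. The script below is an added example, not code from this thread or from F5. It parses the listing format shown in DustinW's output and offers two functions: profile_certs prints every apm sso saml profile with its idp-certificate, and profiles_using_cert prints only the profiles whose certificate matches a name you give, with or without the partition prefix and the .crt suffix. The SAMPLE listing is constructed from the sanitized output above plus a third hypothetical profile (Common/Other-IdP with Common/other.crt) so that the filter has something to exclude; on a real BIG-IP you would pipe the live tmsh output into the functions instead. Note that it inspects only the idp-certificate attribute of apm sso saml objects; other object types that reference the same certificate are not covered.

```shell
#!/bin/sh
# Added example (not from the thread or from F5). Parses the output of
#   tmsh -q -c "cd /; list /apm sso saml recursive"
# and reports which IdP profiles reference a given certificate.

# Constructed sample: the two sanitized profiles posted in the thread plus a
# hypothetical third profile that uses a different certificate.
SAMPLE='apm sso saml Common/iDP-ProfileName-1 {
    description "IdP Service-1"
    entity-id https://idp-1.domain.com
    idp-certificate Common/idp.domain.com.crt
    idp-signkey Common/idp.domain.com.key
    saml-profiles { web-browser-sso }
    sp-connectors { Common/sp_ext_domain }
    subject-type transient
    subject-value "%{session.logon.last.logonname}"
}
apm sso saml Common/iDP_ProfileName-2 {
    description "IdP Service-2"
    entity-id https://idp-2.domain.com
    idp-certificate Common/idp.domain.com.crt
    idp-signkey Common/idp.domain.com.key
    saml-profiles { web-browser-sso }
    sp-connectors { Common/sp_ext_domain }
    subject-type transient
    subject-value "%{session.logon.last.logonname}"
}
apm sso saml Common/Other-IdP {
    description "Hypothetical IdP using another certificate"
    entity-id https://idp-3.domain.com
    idp-certificate Common/other.crt
    idp-signkey Common/other.key
    saml-profiles { web-browser-sso }
    subject-type transient
}'

# profile_certs: read a tmsh listing on stdin, print "<profile> <certificate>"
# for every apm sso saml object. The profile name is remembered from the line
# that opens the block, so the pair survives even though the two values sit
# on different lines.
profile_certs() {
    awk '
        $1 == "apm" && $2 == "sso" && $3 == "saml" { prof = $4; next }
        $1 == "idp-certificate" && prof != ""     { print prof, $2 }
    '
}

# profiles_using_cert NAME: print only the profiles whose idp-certificate is
# NAME. tmsh stores the reference as Partition/name.crt, so both the requested
# name and the stored one are normalised by stripping the partition prefix
# and the .crt suffix before comparing.
profiles_using_cert() {
    profile_certs | awk -v want="$1" '
        BEGIN { sub(/^.*\//, "", want); sub(/\.crt$/, "", want) }
        {
            cert = $2
            sub(/^.*\//, "", cert); sub(/\.crt$/, "", cert)
            if (cert == want) print $1
        }
    '
}

# Demonstration on the constructed sample. On a BIG-IP, replace the printf
# with:  tmsh -q -c "cd /; list /apm sso saml recursive" | profiles_using_cert "$1"
printf '%s\n' "$SAMPLE" | profile_certs
printf '%s\n' "$SAMPLE" | profiles_using_cert idp.domain.com.crt
```

Running the demonstration lists all three profile/certificate pairs, then the two profiles that share Common/idp.domain.com.crt; asking for "Common/other" or "other.crt" returns only Common/Other-IdP.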