Forum Discussion

GavinW_29074
Oct 31, 2011

TMSH::Install Command missing???

Hi there,

I'm moving ahead with starting to write my own iApp to deploy our hosted applications...

However I've hit a stumbling block... I want the set-up wizard to create the certificate's for the VIPs as part of the wizard using some text boxes on screen which I'll paste the existing server keys into...

I've found the following command within the tmsh reference guide:

(tmos.sys.crypto.cert) install cert test from-editor

However I'm struggling to find a way of doing this using an iApp...

Any ideas?

Cheers

Gavin

8 Replies

  • Brent_Blood_768
    Historic F5 Account

    Hi Gavin,

    Yeah, it looks like the "install" part of tmsh isn't plumbed through to the scripting API. That's an oversight and I believe a bug exists for it. However, it might actually be by design since I think you can do what you want to do using "tmsh::create / sys file ssl-cert" and "tmsh::create / sys file ssl-key". I just generated an SSL cert key pair using openssl and successfully imported it using the scripting API.

    Here's a code snippet to show what I did:

    tmsh::create sys file ssl-cert blah source-path FILE:/var/tmp/blah.crt
    tmsh::create sys file ssl-key blah source-path FILE:/var/tmp/blah.key
    tmsh::create ltm profile client-ssl blah key blah cert blah

    If you needed to generate the key/cert from a tmsh script/iApp, you could do that by using "exec" to invoke openssl - or you can do it off-box and pull the crt/key in using a remote URL in the "file" command. To see help on the file command within tmsh, type "help sys file ssl-cert" or "help sys file ssl-key".

    Cheers,

    -Brent


  • Brent,

    Cheers for the update...

    Guess the next challenge is how I create the file on the filesystem from a text box on the iApp screen???

    Any pointers?

    Cheers

    Gavin
  • Mitra_Kelly_625
    Historic F5 Account

    The TCL file commands are all available from the Implementation section. Here is a link to documentation on them: http://wiki.tcl.tk/367.

    set user_input_file [open "$my_file_name" "w" "0755"]
    puts $user_input_file $::section__text_box_input
    close $user_input_file

    Hope that helps,

    Mitra Kelly
  • Brent_Blood_768
    Historic F5 Account

    Hi Gavin,

    Unfortunately, an appropriate input widget for accepting a key and cert from the iApp interface doesn't exist - the best you're going to get is an xxlarge string input. To get the input from that onto disk, you'll need to use TCL's "open" command in the implementation script and stuff the cert/key into files using "puts" (and then subsequently closing the files). Then use the "sys file" commands I showed above to aim the config at it.

    An alternative would be to use remote URLs in the file command and to place the key/cert pairs in a place that the BIG-IP will have access to. Then you'd just need to accept those URLs (or at least parts of them) as iApp template inputs for use with the "sys file" commands. If you do this, of course take due care not to expose your private keys to unauthorized access.

    I'll make sure that an enhancement request exists for accepting key/cert data from iApp templates.

    Cheers,

    -Brent


  • Brent,

    Cheers for the update... I notice Mitra's reply just before yours... Does this look sensible?

    Also, the next challenge I've got is that the 'string' element doesn't allow a multi-line input, which is the standard format for our SSL certs...

    Is there a way I can get a multi-line text box?

    Cheers

    Gavin
  • As a quick update, I've tried reformatting the pem file so that it is all on one line, and then running the create... However it fails with 'unable to validate certificate, invalid x509 file'.

    So it looks like unless I can get a multi-line text box, I've either got to pull the file in from an external URL, or manually create the files on the FS... :(

    Gav
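    Pulling together Brent's "sys file" commands, Mitra's Tcl file snippet and the one-line paste failure just described, the following is an added example for the iApp implementation section; it is not code from this thread or from F5. It rebuilds the PEM line structure from a single-line string input (the cause of the 'invalid x509 file' error), writes the cert and key to files readable only by the owner, checks the pair with openssl before tmsh sees them, and then imports them. The iApp input names ($::ssl__cert_text, $::ssl__key_text) and the use of $tmsh::app_name are assumptions.

```tcl
# Added example: not code from this thread or from F5. It combines the steps
# the replies describe (Tcl "open"/"puts" to get pasted text onto disk, then
# "tmsh::create sys file ssl-cert/ssl-key" pointed at the file) and repairs
# PEM text that arrived as a single line.
# Assumed (hypothetical) iApp inputs: $::ssl__cert_text and $::ssl__key_text.

# Restore PEM framing for text whose newlines were collapsed (for example a
# cert pasted into a one-line string input). Text that already contains
# newlines is returned unchanged apart from a trailing newline.
proc rewrap_pem {text} {
    set text [string trim $text]
    if {[string first "\n" $text] >= 0} {
        return "$text\n"
    }
    set re {^(-----BEGIN [A-Z0-9 ]+-----)(.*)(-----END [A-Z0-9 ]+-----)$}
    if {![regexp $re $text -> header body footer]} {
        error "input is not PEM-framed (no BEGIN/END markers)"
    }
    # Drop whatever whitespace replaced the newlines, then cut the base64
    # body into the 64-character lines that X.509 parsers expect.
    regsub -all {\s+} $body "" body
    set lines [list $header]
    for {set i 0} {$i < [string length $body]} {incr i 64} {
        lappend lines [string range $body $i [expr {$i + 63}]]
    }
    lappend lines $footer
    return "[join $lines "\n"]\n"
}

# Write PEM text to $path so that only the owner can read it; a private key
# must never be left world-readable (as a 0755 file would be).
proc write_pem_file {path text} {
    set fh [open $path {WRONLY CREAT TRUNC} 0600]
    fconfigure $fh -translation lf
    puts -nonewline $fh [rewrap_pem $text]
    close $fh
    # The mode given to "open" only applies when the file is created, so
    # tighten an already existing file explicitly as well.
    file attributes $path -permissions 0600
}

# Confirm the certificate parses before tmsh sees it and return its subject;
# "exec" raises an error carrying openssl's message if the file is not
# valid X.509, which is the failure a one-line PEM file produces.
proc cert_subject {cert_path} {
    return [string trim [exec openssl x509 -in $cert_path -noout -subject]]
}

# Check that an RSA private key belongs to the certificate by comparing the
# moduli; a mismatched pair would otherwise only fail at the first handshake.
proc key_matches_cert {cert_path key_path} {
    set cert_mod [exec openssl x509 -in $cert_path -noout -modulus]
    set key_mod  [exec openssl rsa  -in $key_path  -noout -modulus]
    return [expr {$cert_mod eq $key_mod}]
}

# Implementation-section glue: write both files, validate them, import them
# with the tmsh commands from Brent's reply, then remove the plaintext copies
# (tmsh keeps its own copy in the filestore once the objects exist).
proc install_cert_and_key {name cert_text key_text} {
    set cert_path "/var/tmp/${name}.crt"
    set key_path  "/var/tmp/${name}.key"
    write_pem_file $cert_path $cert_text
    write_pem_file $key_path  $key_text
    if {[catch {
        set subject [cert_subject $cert_path]
        if {![key_matches_cert $cert_path $key_path]} {
            error "private key does not match certificate ($subject)"
        }
    } err]} {
        # Never leave an unusable key lying in /var/tmp after a failure.
        file delete -- $cert_path $key_path
        error $err
    }
    tmsh::create sys file ssl-cert $name source-path FILE:$cert_path
    tmsh::create sys file ssl-key  $name source-path FILE:$key_path
    tmsh::create ltm profile client-ssl $name key $name cert $name
    file delete -- $cert_path $key_path
    return $subject
}

# Call from the implementation section. $tmsh::app_name is assumed to hold
# the application name the iApp framework gives the script:
# install_cert_and_key $tmsh::app_name $::ssl__cert_text $::ssl__key_text
```

    The rewrap step only needs the BEGIN/END markers to survive the paste; the base64 body is re-cut into 64-character lines, which is the layout openssl and tmsh accept. The modulus comparison assumes an RSA key, as in the openssl-generated pair Brent describes.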
  • OK, an update on this then..

    I went ahead with the File System method, and am currently running some further tests...

    One thing I've spotted is that when creating ssl-cert files as part of an iApp, the SSL Certificate List page entry for the created certificate lists 'No Certificate' on the Certificate Subject(s) row...

    This only appears to be an issue when using iApps, as importing exactly the same cert using exactly the same command, but not as part of an app works perfectly and the Certificate Subject(s) row and further cert details are populated...

    Not sure if it's an issue, but thought I'd ask...

    Cheers

    Gav
  • Brent_Blood_768
    Historic F5 Account

    Sorry I dropped off this for a while...

    With respect to accepting a key/cert in a field of an iApp, I created a "request for enhancement" for this: ID 372904 but it hasn't gone through any triage or been targeted at a release. The RFE is actually to add more input types to APL with mention of multiline text inputs as well as file uploads - I can't say what will actually happen with it at this time. If you want to follow up on it, please work through your account team and F5 support.

    I'll try to take a look at the "No Certificate" issue you noticed soon. I'm interested in if it's cosmetic or if it keeps SSL connections from succeeding when they try to use such a cert. If it does, then it sounds like a bug that we'll want to reproduce and get filed.

    Cheers,

    -Brent