For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Curtis_Owings_2's avatar
Curtis_Owings_2
Icon for Nimbostratus rankNimbostratus
Jan 06, 2016
Solved

With the API, how might you find the SSL Profiles which are not assigned to any VIP?

From tmsh I can ltm.virtual> list and see...

ltm virtual beta.riccweb.com {
    destination 170.40.168.7:https
    ip-protocol tcp
    mask 255.255.255.255
    pool wdc-riccwstst-5005
    profiles {
        beta.riccweb.com {
            context clientside
        }
        http { }
        tcp { }
    }
    source 0.0.0.0/0
    vs-index 38

However, with the API I can only get as far as "" and I'm not sure if I can call a list from here... also the applied clietside SSL information is not apparently visible?

BIG-IP
devops
iControlREST
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Jan 06, 2016

    I'm afraid the API does not make this easy as far as I know. I think I've come across this kind of situation before, and You will need to perform some rather tedious crunching. You also need to adopt a policy in your environment of naming your objects in a certain way that makes this possible.

    Here goes
    • Prefix all profiles with the name of their type. Example, client-SSL profiles will always be called 
      clientssl_foo
      , then when you want to find client-ssl profiles, you simply look for the profiles that have "clientssl_" in their names.
      • to enumerate all client-ssl profiles, you need 
        GET https://bigip/tm/ltm/profile/client-ssl
      • save this list of all client-ssl profiles in a suitable data structure
    • Enumerate all Virtual servers 
      • GET https://bigip/tm/ltm/virtual?expandSubcollections=true
      • The query parameter "expandsubcollections" adds some recursion, to keep you from having to issue too many repeated queries. Be careful though, for the size of response might be huge if you're dealing with a box with large configuration.
      • You will get al the profiles for each VIP under the Virtual result's items->[indexes]->profilesReference->items[indexes] (indexes indicate this is an array you iterate over)

    • Each of the items under 

      profilesReference
      is a profile, and you can simply check if the name contains "clientssl_"

      • if the name contains "client_ssl", then you can remove the item with this name from the earlier generated list of all clientssl profiles.

    • When you have iterated over all virtuals and their profiles, you know that whatever is left in your original list is the set of clientssl profiles that were not assigned.

    Footnote

    It may be a good idea for you to raise a formal support case and make a formal Request for Enhancement, so that future versions at least make this easier by adding some "type" annotations to profiles, and virtual servers -- or some other mechanism that negates the need for users to adopt a naming convention.

    A second way of doing this, that is not much better
    • Enumerate all client-ssl profiles (or whatever profile you wish)
      • save this list as list1
    • Enumerate all virtuals (with expandSubcollections)
    • for each virtual, check all listed profiles against list1, and eliminate any profiles that are found.
    • repeat for each virtual until all virtuals examined, or list1 is empty.

3 Replies

  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Jan 06, 2016

    I'm afraid the API does not make this easy as far as I know. I think I've come across this kind of situation before, and You will need to perform some rather tedious crunching. You also need to adopt a policy in your environment of naming your objects in a certain way that makes this possible.

    Here goes
    • Prefix all profiles with the name of their type. Example, client-SSL profiles will always be called 
      clientssl_foo
      , then when you want to find client-ssl profiles, you simply look for the profiles that have "clientssl_" in their names.
      • to enumerate all client-ssl profiles, you need 
        GET https://bigip/tm/ltm/profile/client-ssl
      • save this list of all client-ssl profiles in a suitable data structure
    • Enumerate all Virtual servers 
      • GET https://bigip/tm/ltm/virtual?expandSubcollections=true
      • The query parameter "expandsubcollections" adds some recursion, to keep you from having to issue too many repeated queries. Be careful though, for the size of response might be huge if you're dealing with a box with large configuration.
      • You will get al the profiles for each VIP under the Virtual result's items->[indexes]->profilesReference->items[indexes] (indexes indicate this is an array you iterate over)

    • Each of the items under 

      profilesReference
      is a profile, and you can simply check if the name contains "clientssl_"

      • if the name contains "client_ssl", then you can remove the item with this name from the earlier generated list of all clientssl profiles.

    • When you have iterated over all virtuals and their profiles, you know that whatever is left in your original list is the set of clientssl profiles that were not assigned.

    Footnote

    It may be a good idea for you to raise a formal support case and make a formal Request for Enhancement, so that future versions at least make this easier by adding some "type" annotations to profiles, and virtual servers -- or some other mechanism that negates the need for users to adopt a naming convention.

    A second way of doing this, that is not much better
    • Enumerate all client-ssl profiles (or whatever profile you wish)
      • save this list as list1
    • Enumerate all virtuals (with expandSubcollections)
    • for each virtual, check all listed profiles against list1, and eliminate any profiles that are found.
    • repeat for each virtual until all virtuals examined, or list1 is empty.
    • Curtis_Owings_2's avatar
      Curtis_Owings_2
      Icon for Nimbostratus rankNimbostratus
      Jan 06, 2016
      The (re)naming idea is solid, but I can't exactly go back now and modify hundreds of VIPs. *This* is what I needed! `GET https://bigip/tm/ltm/virtual?expandSubcollections=true` That call yields... (only the relevant bits copied) ~~~"profilesReference": { "link": "https://localhost/mgmt/tm/ltm/virtual/~Common~beta.riccweb.com/profiles?ver=11.5.3", "isSubcollection": true, "items": [ { "kind": "tm:ltm:virtual:profiles:profilesstate", "name": "beta.riccweb.com", "partition": "Common", "fullPath": "/Common/beta.riccweb.com", "generation": 1, "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~beta.riccweb.com/profiles/~Common~beta.riccweb.com?ver=11.5.3", "context": "clientside" }, ~~~ From here I can work on the logic. It will take several queries, but I can deal with that. Thanks!
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Jan 06, 2016

    After posting the above, it occured to me that you may be able to also use Odata queries to make the job a little easier, if you know Odata, and if you have used the suggested naming conventions.