iCall CRL update with Route Domains and Auto-Sync
Problem this snippet solves:
iCall script to update a CRL file on an F5 BIG-IP when the HTTP request must be issued from a specific Route Domain; it also uses
logger to write its log messages to the default LTM log.
The original also updated an iFile copy of the CRL for use within an iRule, but I have removed that because it is a very special case (I may add another snippet later to detail it).
The important point here is that we update a CRL file located in a folder (or partition) that is linked to a Sync-Only Device Group with auto-sync enabled, e.g. CRL files are created and saved under /Common/crl.
This way the iCall script does not need to trigger any sort of sync, and the rest of the configuration can be left as manual sync.
Code:
# Periodic iCall handler: runs the script /Common/iCallCrlUpdate every 600
# seconds and hands it the arguments below, which the script reads as
# $EVENT::context(<name>).
#   rd      - route domain ID the download is issued from (the script wraps
#             curl in /usr/bin/rdexec with this value)
#   url     - CRL download URL; here an IP literal, so the Host header sent by
#             the script comes from the separate "host" argument
#   host    - value sent in the HTTP Host header
#   folder  - scratch sub-directory the script creates under /var/tmp
#   sslCrl  - sys file ssl-crl object that receives the downloaded CRL
# The values shown (someCrl…, somepath…, somecrl.CADomein.com) read like
# placeholders -- substitute the ones for your own CA before loading this.
sys icall handler periodic /Common/someCrl-CrlUpdate {
    arguments {
        {
            name rd
            value 2
        }
        {
            name url
            value https://172.31.0.1/somepath/to/crlUpdateFile.crl
        }
        {
            name host
            value somecrl.CADomein.com
        }
        {
            name folder
            value tempCrlDirectory
        }
        {
            name sslCrl
            value /Common/crl/someCrlFile.crl
        }
    }
    interval 600
    script /Common/iCallCrlUpdate
}
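sys icall script /Common/iCallCrlUpdate {
    app-service none
    definition {
        # Periodic iCall script: fetch a CRL over HTTPS from inside the route
        # domain given by the handler and load it into the named sys file
        # ssl-crl object. Progress and failures are written with /bin/logger
        # to local0, which lands in the default LTM log.
        set logTag "iCallCrlUpdate"
        set logLevel "notice"

        # Handler-provided arguments (see the matching periodic handler):
        #   rd      - route domain ID the HTTP request is issued from
        #   url     - CRL download URL
        #   host    - value for the HTTP Host header
        #   folder  - scratch sub-directory under /var/tmp
        #   sslCrl  - sys file ssl-crl object to update
        # The iFile argument was dropped together with the iFile update; the
        # handler no longer supplies it, and reading a missing context element
        # would abort the script, so it is not requested here.
        foreach arg { rd url host folder sslCrl } {
            set $arg $EVENT::context($arg)
        }

        # Scratch directory for the downloaded file
        set crlDir /var/tmp/$folder
        set crlFile $crlDir/LatestCRL.crl
        exec mkdir -p $crlDir
        exec /bin/logger -i -t $logTag -p local0.$logLevel "Running, CRL URL=$url, Host=$host, SSL CRL=$sslCrl, Directory=$crlDir, rd=$rd"

        # Download the CRL from within route domain $rd. curl-apd prints the
        # HTTP status code on stdout (-w %{http_code}); on a transport failure
        # it exits non-zero, which makes exec raise a Tcl error, so the call is
        # wrapped in catch to reach the error log below instead of aborting.
        # NOTE(review): curl-apd is invoked without -k, so server certificate
        # validation is whatever curl-apd defaults to; with an IP-literal URL
        # plus a Host header override, confirm the CRL server's certificate is
        # validated the way you expect.
        set rc [catch {exec /usr/bin/rdexec $rd /usr/bin/curl-apd -s -o $crlFile -w %{http_code} -H Host:$host $url} status]
        if {$rc == 0 && $status == 200} {
            # Update the F5 SSL CRL file. tmsh::modify raises on a bad file,
            # so catch that too and report it rather than dying silently.
            if {[catch {tmsh::modify sys file ssl-crl $sslCrl source-path file:$crlFile} err]} {
                exec /bin/logger -i -t $logTag -p local0.error "tmsh modify sys file ssl-crl $sslCrl from $crlFile failed: $err"
            } else {
                exec /bin/logger -t $logTag -p local0.$logLevel "F5 CRL files update complete."
            }
        } else {
            # $status holds either the non-200 HTTP code or the exec error text.
            # The logged Host value now mirrors the one actually sent ($host)
            # instead of a hard-coded name.
            exec /bin/logger -i -t $logTag -p local0.error "Command /usr/bin/rdexec $rd /usr/bin/curl-apd -s -o $crlFile -w '%{http_code}' -H 'Host: $host' $url, failed with status=$status"
        }
    }
    description none
    events none
}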
Tested on version 12.1. Updated Jun 06, 2023.