Publish Virtual-SSLProfile-Certificate Relation
Problem this snippet solves:
The idea behind this code is to create a list of dependencies between
- Virtuals
- SSL Profiles
- Certificates
The output will be in CSV format.
How to use this snippet:
The code is written using TMSH called from BASH, so you can run it directly from a BASH shell on your F5 box.
# cat > my_script.sh
<paste the code here>
<control + D>
# chmod u+x my_script.sh
# ./my_script.sh
The output is printed in CSV format, split into sections by the following headers:
************ LIST OF VIRTUAL SERVERS ************
Common/http_vs;Common/clientssl;Common/serverssl
[...]
************ LIST OF CLIENT SSL PROFILES ************
Common/clientssl;Common/default.crt;none;Common/default.key;DEFAULT;none
[...]
************ LIST OF CLIENT SSL PROFILES (IN USE) ************
Common/clientssl
[...]
************ LIST OF SERVER SSL PROFILES ************
Common/serverssl;none;none;none;DEFAULT;none
[...]
************ LIST OF SERVER SSL PROFILES (IN USE) ************
Common/serverssl
[...]
************ LIST OF CERTIFICATES ************
Common/default.crt;Jun 24 15:03:51 2027 GMT
[...]
************ LIST OF CERTIFICATES (IN USE) ************
Common/default.crt
[...]
Code :
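#!/usr/bin/env bash
#----------------------------------------------------------------------------------------------
# Publish the Virtual -> SSL profile -> certificate relations of a BIG-IP as ';'-separated
# CSV sections on stdout, each introduced by a "************ LIST OF ... ************" line.
#
# Runs on the BIG-IP itself. Every tmsh call is a read-only "list" issued from the root
# partition ("cd /"), so all names are partition-qualified (Common/...) and nothing is
# modified. The only values ever interpolated into a tmsh command line are object names
# taken from tmsh's own output (profile names); keep it that way and do not feed them
# from arguments, files or the network.
#
# Limitation kept from the original CSV layout: a virtual with several SSL profiles of
# the same type (e.g. SNI) shows only the first one in the virtual-server table; the
# "(IN USE)" sections, however, account for every referenced profile and certificate.
#----------------------------------------------------------------------------------------------
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Run a read-only tmsh "list" from the root partition.
# Arguments: the rest of the tmsh "list" command, in tmsh syntax
# Outputs:   tmsh output on stdout
#######################################
tmsh_list() {
  tmsh -q -c "cd / ; list $*"
}

#######################################
# Collect the object name (4th field) of every "ltm profile <type> <name> {" header line
# read from stdin into one space-separated line, ready for a tmsh property filter.
# Only header lines are matched, so a description containing the word "profile"
# cannot leak into the list (the original grep "profile" could).
# Outputs:   "Common/a Common/b " (trailing space) on stdout
#######################################
profile_names_inline() {
  awk '$1 == "ltm" && $2 == "profile" { printf "%s ", $4 }'
}

#######################################
# Print the name of every "ltm virtual <name> {" header line read from stdin.
#######################################
virtual_names() {
  awk '$1 == "ltm" && $2 == "virtual" { print $3 }'
}

#######################################
# Print one line per virtual read from stdin: the first profile listed under its
# "profiles {" block, or "none" when tmsh prints "profiles none" (or no block at all).
# This keeps the one-profile-per-virtual CSV column of the original output.
#######################################
first_profile_per_virtual() {
  awk '
    $1 == "ltm" && $2 == "virtual" { if (seen) print first; seen = 1; first = "none"; want = 0; next }
    $1 == "profiles" && $2 == "{" { want = 1; next }
    want { first = $1; want = 0 }
    END { if (seen) print first }
  '
}

#######################################
# Print every profile name that appears under a "profiles {" block read from stdin,
# sorted and unique. Brace depth is tracked so that property lines nested inside a
# profile entry (e.g. "context clientside") are skipped; assumes tmsh's usual
# one-brace-per-line layout, with "name { }" accepted as a single-line entry.
#######################################
profiles_in_use() {
  awk '
    $1 == "profiles" && $2 == "{" { depth = 1; next }
    depth == 0 { next }
    $2 == "{" { if (depth == 1) print $1; if ($NF != "}") depth++; next }
    $1 == "}" { depth-- }
  ' | sort -u
}

#######################################
# Print one CSV line per SSL profile read from stdin:
#   name;cert;chain;key;ciphers;defaults-from
# A property tmsh did not print leaves its field empty instead of shifting every
# following row, which the original column-wise paste did. Exact keyword matching on
# the first field means a profile named e.g. "Common/chain" is not mistaken for a
# "chain" property line.
#######################################
profile_table() {
  awk '
    function emit_row() {
      if (name != "")
        print name ";" v["cert"] ";" v["chain"] ";" v["key"] ";" v["ciphers"] ";" v["defaults-from"]
    }
    $1 == "ltm" && $2 == "profile" { emit_row(); name = $4; split("", v); next }
    $1 == "cert" || $1 == "chain" || $1 == "key" || $1 == "ciphers" || $1 == "defaults-from" { v[$1] = $2 }
    END { emit_row() }
  '
}

#######################################
# Print one CSV line per certificate read from stdin: name;expiration-string
# The expiration value is the quoted string tmsh prints, without its quotes.
#######################################
cert_table() {
  awk -F '"' '
    $1 ~ /^sys file ssl-cert / { split($1, f, " "); name = f[4] }
    $1 ~ /^[[:space:]]*expiration-string[[:space:]]*$/ { print name ";" $2 }
  '
}

#######################################
# Print the cert and chain objects referenced by the given profiles, sorted and unique,
# skipping "none". Prints nothing when no profile name is given.
# The comparison is exact: the original "grep -v none" also dropped any certificate
# whose name merely contains "none".
# Arguments: $1 - profile type ("client-ssl" or "server-ssl")
#            $2 - newline-separated profile names, as printed by profiles_in_use
#######################################
certs_of_profiles() {
  local kind=$1 names=$2
  [[ -n "$names" ]] || return 0
  tmsh_list "ltm profile $kind recursive ${names//$'\n'/ } { cert chain }" \
    | awk '($1 == "cert" || $1 == "chain") && $2 != "none" { print $2 }' \
    | sort -u
}

main() {
  local sslprof_c sslprof_s vs_sslprof_c vs_sslprof_s pf_sslprof_c pf_sslprof_s sslcert
  local check_vs_sslprof_c check_vs_sslprof_s check_cert_sslprof_c check_cert_sslprof_s
  local sslcert_active

  command -v tmsh >/dev/null 2>&1 || die "tmsh not found: this script must run on the BIG-IP"

  # LIST OF EXISTING PROFILES (names only, used as the property filter of the next queries)
  sslprof_c=$(tmsh_list "ltm profile client-ssl recursive" | profile_names_inline)
  sslprof_s=$(tmsh_list "ltm profile server-ssl recursive" | profile_names_inline)
  # LIST OF VIRTUALS BY PROFILE
  vs_sslprof_c=$(tmsh_list "ltm virtual recursive profiles { $sslprof_c }")
  vs_sslprof_s=$(tmsh_list "ltm virtual recursive profiles { $sslprof_s }")
  # LIST OF PROFILES BY CERTIFICATE
  pf_sslprof_c=$(tmsh_list "ltm profile client-ssl recursive { cert chain key defaults-from ciphers }")
  pf_sslprof_s=$(tmsh_list "ltm profile server-ssl recursive { cert chain key defaults-from ciphers }")
  # LIST OF CERTIFICATES
  sslcert=$(tmsh_list "sys file ssl-cert recursive expiration-string")
  # LIST OF PROFILES IN USE
  check_vs_sslprof_c=$(profiles_in_use <<<"$vs_sslprof_c")
  check_vs_sslprof_s=$(profiles_in_use <<<"$vs_sslprof_s")

  #--------------------------------------------------------------------------------------------
  printf '%s\n' "************ LIST OF VIRTUAL SERVERS ************"
  paste -d ';' <(virtual_names <<<"$vs_sslprof_c") \
    <(first_profile_per_virtual <<<"$vs_sslprof_c") \
    <(first_profile_per_virtual <<<"$vs_sslprof_s")
  #--------------------------------------------------------------------------------------------
  printf '%s\n' "************ LIST OF CLIENT SSL PROFILES ************"
  profile_table <<<"$pf_sslprof_c"
  printf '%s\n' "************ LIST OF CLIENT SSL PROFILES (IN USE) ************"
  printf '%s\n' "$check_vs_sslprof_c"
  #--------------------------------------------------------------------------------------------
  printf '%s\n' "************ LIST OF SERVER SSL PROFILES ************"
  profile_table <<<"$pf_sslprof_s"
  printf '%s\n' "************ LIST OF SERVER SSL PROFILES (IN USE) ************"
  printf '%s\n' "$check_vs_sslprof_s"
  #--------------------------------------------------------------------------------------------
  printf '%s\n' "************ LIST OF CERTIFICATES ************"
  cert_table <<<"$sslcert"
  printf '%s\n' "************ LIST OF CERTIFICATES (IN USE) ************"
  #--------------------------------------------------------------------------------------------
  # CHECKING IF THERE ARE CLIENT / SERVER CERTS IN USE (empty when no profile is in use)
  check_cert_sslprof_c=$(certs_of_profiles client-ssl "$check_vs_sslprof_c")
  check_cert_sslprof_s=$(certs_of_profiles server-ssl "$check_vs_sslprof_s")
  # Union of both lists. The original de-duplicated only the server-ssl half, so a
  # certificate shared by a client-ssl and a server-ssl profile was printed twice.
  sslcert_active=$(printf '%s\n' "$check_cert_sslprof_c" "$check_cert_sslprof_s" | awk 'NF' | sort -u)
  printf '%s\n' "$sslcert_active"
}

main "$@"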
#----------------------------------------------------------------------------------------------
Tested this on version:
12.1