Publish Virtual-SSLProfile-Certificate Relation
Problem this snippet solves:
The idea behind this code is to create a list of dependencies between
- Virtuals
- SSL Profiles
- Certificates
The output will be in CSV format.
How to use this snippet:
The code is written using TMSH from BASH, so you can run this code directly from BASH in your F5 box.
# cat > my_script.sh
<paste the code here>
<control + D>
# chmod u+x my_script.sh
# ./my_script.sh
The output is printed in semicolon-separated CSV format, with each section introduced by a header line:
************ LIST OF VIRTUAL SERVERS ************
Common/http_vs;Common/clientssl;Common/serverssl
[...]
************ LIST OF CLIENT SSL PROFILES ************
Common/clientssl;Common/default.crt;none;Common/default.key;DEFAULT;none
[...]
************ LIST OF CLIENT SSL PROFILES (IN USE) ************
Common/clientssl
[...]
************ LIST OF SERVER SSL PROFILES ************
Common/serverssl;none;none;none;DEFAULT;none
[...]
************ LIST OF SERVER SSL PROFILES (IN USE) ************
Common/serverssl
[...]
************ LIST OF CERTIFICATES ************
Common/default.crt;Jun 24 15:03:51 2027 GMT
[...]
************ LIST OF CERTIFICATES (IN USE) ************
Common/default.crt
[...]
Code :
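#----------------------------------------------------------------------------------------------
# Prints the relation between virtual servers, SSL profiles and certificates as
# semicolon-separated sections, using tmsh from bash on the BIG-IP itself.
#
# Caveats for anyone using the output as a certificate inventory:
#   * Columns are joined line-by-line with `paste`, so they stay aligned only while every
#     object prints exactly one line per requested property.
#   * NOTE(review): `grep -A1 "profiles {"` keeps only the line right after `profiles {`,
#     so a virtual with more than one matching SSL profile presumably reports only the
#     first one - confirm on a box that uses several client-ssl profiles per virtual.
#   * The profile sections include key object names and cipher strings; treat the CSV as
#     configuration data when storing or sharing it.
#----------------------------------------------------------------------------------------------

# Reads tmsh profile output on stdin and prints the object names found on "cert" and
# "chain" property lines, sorted and de-duplicated. Matching on the first field keeps a
# profile header whose name merely contains "cert"/"chain" out of the result, and only
# the exact value "none" is skipped (a name such as none-prod.crt is kept).
certs_in_profiles() {
  awk '($1 == "cert" || $1 == "chain") && $2 != "none" { print $2 }' | sort -u
}

# Merges the newline-separated lists passed as arguments into one list without blank
# lines, sorted and de-duplicated across all of them.
merge_unique() {
  printf '%s\n' "$@" | awk 'NF' | sort -u
}

# LIST OF EXISTING PROFILES
sslprof_c=$( tmsh -q -c "cd / ; list ltm profile client-ssl recursive" | grep "profile" | awk '{ print $4 }' | tr '\n' ' ' )
sslprof_s=$( tmsh -q -c "cd / ; list ltm profile server-ssl recursive" | grep "profile" | awk '{ print $4 }' | tr '\n' ' ' )

# Split the names on whitespace without pathname expansion, then re-join with single spaces.
read -r -a sslprof_c_names <<< "$sslprof_c"
read -r -a sslprof_s_names <<< "$sslprof_s"

# LIST OF VIRTUALS BY PROFILE
vs_sslprof_c=$( tmsh -q -c "cd / ; list ltm virtual recursive profiles { ${sslprof_c_names[*]} }" )
vs_sslprof_s=$( tmsh -q -c "cd / ; list ltm virtual recursive profiles { ${sslprof_s_names[*]} }" )

# LIST OF PROFILES BY CERTIFICATE
pf_sslprof_c=$( tmsh -q -c "cd / ; list ltm profile client-ssl recursive { cert chain key defaults-from ciphers }" )
pf_sslprof_s=$( tmsh -q -c "cd / ; list ltm profile server-ssl recursive { cert chain key defaults-from ciphers }" )

# LIST OF CERTIFICATES
sslcert=$( tmsh -q -c "cd / ; list sys file ssl-cert recursive expiration-string" )

# LIST OF PROFILES IN USE
check_vs_sslprof_c=$( printf '%s\n' "$vs_sslprof_c" | grep -A1 "profiles {" | grep -v "profiles" | grep "[a-zA-Z]" | awk '{ print $1 }' | sort | uniq )
check_vs_sslprof_s=$( printf '%s\n' "$vs_sslprof_s" | grep -A1 "profiles {" | grep -v "profiles" | grep "[a-zA-Z]" | awk '{ print $1 }' | sort | uniq )

#----------------------------------------------------------------------------------------------
# Table 1: virtual server ; client SSL profile ; server SSL profile
# A "profiles none" line is turned into the value "none" by the sed step.
T1C1=$( printf '%s\n' "$vs_sslprof_c" | grep "virtual" | awk '{ print $3 }' )
T1C2=$( printf '%s\n' "$vs_sslprof_c" | grep -A1 "profiles" | grep -v "profiles {" | grep "[a-zA-Z]" | sed "s/profiles//" | awk '{ print $1 }' )
T1C3=$( printf '%s\n' "$vs_sslprof_s" | grep -A1 "profiles" | grep -v "profiles {" | grep "[a-zA-Z]" | sed "s/profiles//" | awk '{ print $1 }' )

echo "************ LIST OF VIRTUAL SERVERS ************"
paste -d ';' <( printf '%s\n' "$T1C1" ) <( printf '%s\n' "$T1C2" ) <( printf '%s\n' "$T1C3" )

#----------------------------------------------------------------------------------------------
# Table 2: client SSL profile ; cert ; chain ; key ; ciphers ; defaults-from
T2C1=$( printf '%s\n' "$pf_sslprof_c" | grep "profile " | awk '{ print $4 }' )
T2C2=$( printf '%s\n' "$pf_sslprof_c" | grep "cert " | awk '{ print $2 }' )
T2C3=$( printf '%s\n' "$pf_sslprof_c" | grep "chain " | awk '{ print $2 }' )
T2C4=$( printf '%s\n' "$pf_sslprof_c" | grep "key " | awk '{ print $2 }' )
T2C5=$( printf '%s\n' "$pf_sslprof_c" | grep "ciphers " | awk '{ print $2 }' )
T2C6=$( printf '%s\n' "$pf_sslprof_c" | grep "defaults-from " | awk '{ print $2 }' )

echo "************ LIST OF CLIENT SSL PROFILES ************"
paste -d ';' <( printf '%s\n' "$T2C1" ) <( printf '%s\n' "$T2C2" ) <( printf '%s\n' "$T2C3" ) \
             <( printf '%s\n' "$T2C4" ) <( printf '%s\n' "$T2C5" ) <( printf '%s\n' "$T2C6" )

echo "************ LIST OF CLIENT SSL PROFILES (IN USE) ************"
printf '%s\n' "$check_vs_sslprof_c"

#----------------------------------------------------------------------------------------------
# Table 3: server SSL profile ; cert ; chain ; key ; ciphers ; defaults-from
T3C1=$( printf '%s\n' "$pf_sslprof_s" | grep "profile " | awk '{ print $4 }' )
T3C2=$( printf '%s\n' "$pf_sslprof_s" | grep "cert " | awk '{ print $2 }' )
T3C3=$( printf '%s\n' "$pf_sslprof_s" | grep "chain " | awk '{ print $2 }' )
T3C4=$( printf '%s\n' "$pf_sslprof_s" | grep "key " | awk '{ print $2 }' )
T3C5=$( printf '%s\n' "$pf_sslprof_s" | grep "ciphers " | awk '{ print $2 }' )
T3C6=$( printf '%s\n' "$pf_sslprof_s" | grep "defaults-from " | awk '{ print $2 }' )

echo "************ LIST OF SERVER SSL PROFILES ************"
paste -d ';' <( printf '%s\n' "$T3C1" ) <( printf '%s\n' "$T3C2" ) <( printf '%s\n' "$T3C3" ) \
             <( printf '%s\n' "$T3C4" ) <( printf '%s\n' "$T3C5" ) <( printf '%s\n' "$T3C6" )

echo "************ LIST OF SERVER SSL PROFILES (IN USE) ************"
printf '%s\n' "$check_vs_sslprof_s"

#----------------------------------------------------------------------------------------------
# Table 4: certificate ; expiration string
T4C1=$( printf '%s\n' "$sslcert" | grep "ssl-cert" | awk '{ print $4 }' )
T4C2=$( printf '%s\n' "$sslcert" | grep "expiration-string" | awk -F "\"" '{ print $2 }' )

echo "************ LIST OF CERTIFICATES ************"
paste -d ';' <( printf '%s\n' "$T4C1" ) <( printf '%s\n' "$T4C2" )

echo "************ LIST OF CERTIFICATES (IN USE) ************"

#----------------------------------------------------------------------------------------------
# Start from empty lists so a box with no profiles in use prints nothing here.
check_cert_sslprof_c=""
check_cert_sslprof_s=""

if [[ "$check_vs_sslprof_c" ]] ; then
  # CHECKING IF THERE ARE CLIENT CERTS IN USE
  check_cert_sslprof_c=$( tmsh -q -c "cd / ; list ltm profile client-ssl recursive ${check_vs_sslprof_c//$'\n'/ } { cert chain }" | certs_in_profiles )
fi

if [[ "$check_vs_sslprof_s" ]] ; then
  # CHECKING IF THERE ARE SERVER CERTS IN USE
  check_cert_sslprof_s=$( tmsh -q -c "cd / ; list ltm profile server-ssl recursive ${check_vs_sslprof_s//$'\n'/ } { cert chain }" | certs_in_profiles )
fi

# De-duplicate across BOTH lists: a certificate referenced by a client-ssl and a
# server-ssl profile is reported once.
sslcert_active=$( merge_unique "$check_cert_sslprof_c" "$check_cert_sslprof_s" )
printf '%s\n' "$sslcert_active"
#----------------------------------------------------------------------------------------------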
Tested this on version:
12.1