v11.1 – Add Signatures or Checksums to iRules via an iApp

iApps, introduced in v11, have a primary function in controlling the object creation and management for an application delivered by BIG-IP. As discussed previously, however, anything that can be accomplished in TMSH can be done in an iApp, so what better way to quickly generate checksums on iRules than via an iApp. New in v11.1, you can add either a checksum or a digital signature to an iRule (but not both). For iRules that have been signed or had a checksum applied, there will be a line immediately following the final line of code (the last closing curly brace):

#Checksum

definition-checksum <checksum>

#Signature

definition-signature <signature>

The GUI iRules listing will show the verification status of each iRule (see below in Figure 1):

Note that the iRules that are F5 Verified are signed in-house by F5 with the f5-irule certificate. The private key is not distributed with your BIG-IP installation. To sign your own iRules, create a certificate (self-signed or otherwise) or just use one already on your system. I’d recommend creating one specific to signing iRules so you can distribute it to all the pairs that will receive iRules needing verification. For this exercise, I created a 10-year self-signed cert called iRulesSignature with a throwaway common name and other details. To sign an iRule in the GUI, check the checkbox to the left of the iRule in the iRules listing and then click the Add Signature button at the bottom of the screen as shown in Figure 2.

Select the appropriate key and then click the Add Signature button at the bottom of the screen as shown in Figure 3.

The process is the same as in Figure 2 for the checksum, though the Add Checksum button should be selected instead. There is a pop-up window (see Figure 4 below) confirming the checksum, but no additional configuration parameters are presented before the checksum is applied.

A few quick notes before moving on.

  1. There is no remove signature or checksum button. To do this, just edit the iRule and remove the definition-<checksum|signature> line at the bottom of the iRule.
  2. You can replace/overwrite checksums with checksums and signatures with signatures, but you can’t cross the streams. Attempting to apply a signature to an iRule with a checksum will fail (and vice versa). If you want to sign an iRule that has a checksum, remove the checksum first.
  3. You can add a checksum to multiple iRules concurrently, but signing multiple iRules in one pass is not currently supported.

Building the iApp

Now that the basics of iRules signatures and checksums have been addressed, I can build an iApp that will prompt a user to select checksum or signature, prompt for the key if signing, and then prompt for the iRules. The presentation layer (APL) code for this is below, followed by the result of this code in Figure 5 (checksum) and Figure 6 (signature).

section genInfo {
  choice sig_or_csum default "Checksum" { "Checksum", "Signature" }
  optional (sig_or_csum == "Signature") {
    choice sigKey tcl {
      set objs [tmsh::get_config /sys crypto key]
      foreach obj $objs {
        append results [tmsh::get_name $obj]
        append results "\n"
      }
      return $results
    }
  }
  multichoice iRulesList tcl {
    set objs [tmsh::get_config /ltm rule]
    foreach obj $objs {
      append results [tmsh::get_name $obj]
      append results "\n"
    }
    return $results
  }
}
text {
  genInfo "Add Signature or Checksum to iRules"
  genInfo.sig_or_csum "Please select Signature or Checksum."
  genInfo.sigKey "Please select the key for iRule signature."
  genInfo.iRulesList "Please select one or more iRules."
}


Now that the presentation layer is complete, all that remains is the tmsh scripting to take the information from the GUI and apply it to the system. The tmsh command to create the signature or checksum is

tmsh generate /ltm checksum|signature <rule> [signing-key <key>]

This is easy in the shell, but in the scripting language there is not currently a tmsh::generate command, so I’ll need to use exec to call back into the shell as a workaround. With the exec command, every object separated by whitespace must be wrapped in quotes, as shown below in the implementation section of the iApp:

# The APL variables arrive as ::<section>__<field>; iRulesList is a Tcl list
# of the selected rule names.
if { $::genInfo__sig_or_csum == "Checksum" } {
  foreach obj $::genInfo__iRulesList {
    #puts "Checksum for $obj"
    # exec needs each whitespace-separated token as its own argument
    exec "tmsh" "generate" "ltm" "rule" "checksum" $obj
  }
} elseif { $::genInfo__sig_or_csum == "Signature" } {
  foreach obj $::genInfo__iRulesList {
    #puts "Signature for $obj with key $::genInfo__sigKey"
    # sigKey is only populated when "Signature" was chosen in the presentation layer
    exec "tmsh" "generate" "ltm" "rule" "signature" $obj "signing-key" $::genInfo__sigKey
  }
}

I always start with puts instead of the actual execution of tmsh commands so I know what the presentation layer is actually passing to the implementation scripts. The output of puts goes to /var/tmp/scriptd.out. To make this iApp more complete, you could load the contents of each iRule and strip any previous signature or checksum before applying a new one. I’ll send the latest DevCentral t-shirt to the first submission with this enhancement. Until then, happy coding!
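The stripping step suggested above, as an added stand-alone illustration rather than code from the article or the iApp: it recognises the trailing definition-checksum / definition-signature line described earlier, returns the bare rule code, and decides per rule whether a fresh checksum or signature can simply be applied, overwritten (same kind), or needs the old line removed first (the cross-kind case that fails). The rule definitions and the checksum/signature values are constructed placeholders; in a real iApp the code would have to be written back with tmsh before running generate.

```python
import re

# Trailing line BIG-IP v11.1 appends after an iRule's final closing brace:
#   definition-checksum <checksum>   or   definition-signature <signature>
_VERIFY_LINE = re.compile(r"^\s*definition-(checksum|signature)\s+(\S+)\s*$")

# Constructed sample definitions (not real BIG-IP output); the values after
# definition-checksum / definition-signature are placeholders.
SAMPLE_RULES = {
    "plain_rule": "when HTTP_REQUEST {\n  HTTP::respond 200 content ok\n}\n",
    "csum_rule": ("when HTTP_REQUEST {\n  HTTP::respond 200 content ok\n}\n"
                  "definition-checksum CONSTRUCTED_CHECKSUM\n"),
    "signed_rule": ("when HTTP_REQUEST {\n  HTTP::respond 200 content ok\n}\n"
                    "definition-signature CONSTRUCTED_SIGNATURE\n"),
}


def split_verification(rule_text):
    """Return (code, kind, value) for one iRule definition.

    kind is "checksum", "signature" or None; code is the rule text with any
    trailing verification line removed (unchanged when there is none).
    """
    lines = rule_text.rstrip("\n").split("\n")
    idx = len(lines) - 1
    while idx >= 0 and not lines[idx].strip():   # skip trailing blank lines
        idx -= 1
    if idx < 0:
        return rule_text, None, None
    m = _VERIFY_LINE.match(lines[idx])
    if not m:
        return rule_text, None, None
    code = "\n".join(lines[:idx]).rstrip("\n") + "\n"
    return code, m.group(1), m.group(2)


def plan_actions(rules, wanted):
    """Map rule name -> action needed before 'tmsh generate' for `wanted`
    ("checksum" or "signature"), following the article's rules: same kind
    may be overwritten, a different kind must be stripped first."""
    plan = {}
    for name, text in rules.items():
        _, kind, _ = split_verification(text)
        if kind is None:
            plan[name] = "apply"
        elif kind == wanted:
            plan[name] = "overwrite"
        else:
            plan[name] = "strip-then-apply"
    return plan
```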

This template is available in the iApp wiki: Add a Signature or Checksum to Multiple iRules

Published Dec 19, 2011
Version 1.0
  • Important safety tip: You can't add a checksum to an iRule that you created in the same iApp -- it will give you an error. What you can do is create a shell script, and call that from within your iApp. It would be a simple script that sleeps for 2 or 3 seconds, then runs the 'tmsh generate ...' command. It's not pretty, but it works for me.