extract LTM VS ssl profile binding cert and key information to generate a json with python f5-sdk
Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.
Short Description
check LTM which VS enable ssl offload and extract its ssl profile binding cert, chain information and key name, include
expirationDate, expirationString, issuer, subject
Problem solved by this Code Snippet
check LTM which VS enable ssl offload and extract its ssl profile binding cert, chain information, support check and extract AS3 LTM VS ssl profile
How to use this Code Snippet
Firstly, install python f5 sdk
pip install f5-sdk
Secondly, modify the following IP, account and password corresponding to your BIGIP LTM device
mgmt = ManagementRoot('192.168.5.109', 'admin', 'xt32112300', token=True)
Finally, if the code runs no error, it will generate a "F5-LTM-SSL-XXX(date format)-NetworkMap.json" file in your local working directory
Code Snippet Meta Information
- Version:1.0
- Coding Language:python
Full Code Snippet
from f5.bigip import ManagementRoot
import json, time
mgmt = ManagementRoot('192.168.5.109', 'admin', 'xt32112300', token=True)
sslprofiles_clientside = []
sslprofiles_serverside = []
virtuals = mgmt.tm.ltm.virtuals.get_collection()
ltm_ssl_virtuals_list = []
for virtual in virtuals:
ssl_virtualserver = {}
if hasattr(virtual, 'subPath'):
ssl_virtualserver.update(name=virtual.name, subPath=virtual.subPath, fullPath=virtual.fullPath,
partition=virtual.partition)
else:
ssl_virtualserver.update(name=virtual.name, fullPath=virtual.fullPath, partition=virtual.partition)
sslprofiles_clientside = []
sslprofiles_serverside = []
for profile in virtual.profiles_s.get_collection():
if profile.context == 'clientside':
if hasattr(profile, 'subPath'):
sslprofiles_clientside.append(('clientside', profile.name, profile.partition, profile.subPath,
profile.fullPath))
else:
sslprofiles_clientside.append(('clientside', profile.name, profile.partition, profile.fullPath))
elif profile.context == 'serverside':
if hasattr(profile, 'subPath'):
sslprofiles_serverside.append(('serverside', profile.name, profile.partition, profile.subPath,
profile.fullPath))
else:
sslprofiles_serverside.append(('serverside', profile.name, profile.partition, profile.fullPath))
else:
continue
ssl_clientside_list = []
if len(sslprofiles_clientside) > 0:
for client_profile in sslprofiles_clientside:
client_profile_dict = {}
if len(client_profile) == 5:
ssl_pro_client = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(name=client_profile[1],
partition=client_profile[2],
subPath=client_profile[3])
else:
ssl_pro_client = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(name=client_profile[1],
partition=client_profile[2])
ssl_profile_clientside_cert = ssl_pro_client.cert
ssl_profile_clientside_key = ssl_pro_client.key
# ssl_profile_clientside_chain = ssl_pro_client.chain default value is 'none'
ssl_profile_clientside_chain = ssl_pro_client.chain
if len(ssl_profile_clientside_cert.split('/')) == 4:
file_client_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_cert.split('/')[-1],
partition=ssl_profile_clientside_cert.split('/')[1],
subPath=ssl_profile_clientside_cert.split('/')[2])
client_cert_detail = {
'name': file_client_ssl.name,
'partition': file_client_ssl.partition,
'subPath': file_client_ssl.subPath,
'fullPath': file_client_ssl.fullPath,
'expirationDate': file_client_ssl.expirationDate,
'expirationString': file_client_ssl.expirationString,
'issuer': file_client_ssl.issuer,
'subject': file_client_ssl.subject
}
client_profile_dict.update(name=client_profile[1],
partition=client_profile[2],
subPath=client_profile[3],
fullPath=client_profile[-1],
cert=client_cert_detail,
key=ssl_profile_clientside_key)
else:
file_client_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_cert.split('/')[-1],
partition=ssl_profile_clientside_cert.split('/')[1])
client_cert_detail = {
'name': file_client_ssl.name,
'partition': file_client_ssl.partition,
'fullPath': file_client_ssl.fullPath,
'expirationDate': file_client_ssl.expirationDate,
'expirationString': file_client_ssl.expirationString,
'issuer': file_client_ssl.issuer,
'subject': file_client_ssl.subject
}
client_profile_dict.update(name=client_profile[1],
partition=client_profile[2],
fullPath=client_profile[-1],
cert=client_cert_detail,
key=ssl_profile_clientside_key)
if ssl_profile_clientside_chain != 'none':
if len(ssl_profile_clientside_chain.split('/')) == 4:
file_clientchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_chain.split('/')[-1],
partition=ssl_profile_clientside_chain.split('/')[1],
subPath=ssl_profile_clientside_chain.split('/')[2])
client_chain_detail = {
'name': file_clientchain_ssl.name,
'partition': file_clientchain_ssl.partition,
'subPath': file_clientchain_ssl.subPath,
'fullPath': file_clientchain_ssl.fullPath,
'expirationDate': file_clientchain_ssl.expirationDate,
'expirationString': file_clientchain_ssl.expirationString,
'issuer': file_clientchain_ssl.issuer,
'subject': file_clientchain_ssl.subject
}
client_profile_dict.update(chain=client_chain_detail)
else:
file_clientchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_chain.split('/')[-1],
partition=ssl_profile_clientside_chain.split('/')[1])
client_chain_detail = {
'name': file_clientchain_ssl.name,
'partition': file_clientchain_ssl.partition,
'fullPath': file_clientchain_ssl.fullPath,
'expirationDate': file_clientchain_ssl.expirationDate,
'expirationString': file_clientchain_ssl.expirationString,
'issuer': file_clientchain_ssl.issuer,
'subject': file_clientchain_ssl.subject
}
client_profile_dict.update(chain=client_chain_detail)
if len(client_profile_dict) > 0:
ssl_clientside_list.append(client_profile_dict)
if len(ssl_clientside_list) > 0:
ssl_virtualserver.update(clientside=ssl_clientside_list)
# print(ssl_virtualserver)
# ltm_ssl_virtuals_list.append(ssl_virtualserver)
ssl_serverside_list = []
if len(sslprofiles_serverside) > 0:
for server_profile in sslprofiles_serverside:
server_profile_dict = {}
if len(server_profile) == 5:
ssl_pro_server = mgmt.tm.ltm.profile.server_ssls.server_ssl.load(name=server_profile[1],
partition=server_profile[2],
subPath=server_profile[3])
else:
ssl_pro_server = mgmt.tm.ltm.profile.server_ssls.server_ssl.load(name=server_profile[1],
partition=server_profile[2])
ssl_profile_serverside_cert = ssl_pro_server.cert
ssl_profile_serverside_key = ssl_pro_server.key
# ssl_profile_serverside_chain = ssl_pro_server.chain default value is 'none'
ssl_profile_serverside_chain = ssl_pro_server.chain
if len(ssl_profile_serverside_cert.split('/')) == 4:
file_server_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_cert.split('/')[-1],
partition=ssl_profile_serverside_cert.split('/')[1],
subPath=ssl_profile_serverside_cert.split('/')[2])
server_cert_detail = {
'name': file_server_ssl.name,
'partition': file_server_ssl.partition,
'subPath': file_server_ssl.subPath,
'fullPath': file_server_ssl.fullPath,
'expirationDate': file_server_ssl.expirationDate,
'expirationString': file_server_ssl.expirationString,
'issuer': file_server_ssl.issuer,
'subject': file_server_ssl.subject
}
server_profile_dict.update(name=server_profile[1],
partition=server_profile[2],
subPath=server_profile[3],
fullPath=server_profile[-1],
cert=server_cert_detail,
key=ssl_profile_serverside_key)
elif len(ssl_profile_serverside_cert.split('/')) == 3:
file_server_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_cert.split('/')[-1],
partition=ssl_profile_serverside_cert.split('/')[1])
server_cert_detail = {
'name': file_server_ssl.name,
'partition': file_server_ssl.partition,
'fullPath': file_server_ssl.fullPath,
'expirationDate': file_server_ssl.expirationDate,
'expirationString': file_server_ssl.expirationString,
'issuer': file_server_ssl.issuer,
'subject': file_server_ssl.subject
}
server_profile_dict.update(name=server_profile[1],
partition=server_profile[2],
fullPath=server_profile[-1],
cert=server_cert_detail,
key=ssl_profile_serverside_key)
else:
server_profile_dict.update(name=server_profile[1],
partition=server_profile[2],
fullPath=server_profile[-1],
cert=None,
key=None)
if ssl_profile_serverside_chain != 'none':
if len(ssl_profile_serverside_chain.split('/')) == 4:
file_serverchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_chain.split('/')[-1],
partition=ssl_profile_serverside_chain.split('/')[1],
subPath=ssl_profile_serverside_chain.split('/')[2])
server_chain_detail = {
'name': file_serverchain_ssl.name,
'partition': file_serverchain_ssl.partition,
'subPath': file_serverchain_ssl.subPath,
'fullPath': file_serverchain_ssl.fullPath,
'expirationDate': file_serverchain_ssl.expirationDate,
'expirationString': file_serverchain_ssl.expirationString,
'issuer': file_serverchain_ssl.issuer,
'subject': file_serverchain_ssl.subject
}
server_profile_dict.update(chain=server_chain_detail)
else:
file_serverchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_chain.split('/')[-1],
partition=ssl_profile_serverside_chain.split('/')[1])
server_chain_detail = {
'name': file_serverchain_ssl.name,
'partition': file_serverchain_ssl.partition,
'fullPath': file_serverchain_ssl.fullPath,
'expirationDate': file_serverchain_ssl.expirationDate,
'expirationString': file_serverchain_ssl.expirationString,
'issuer': file_serverchain_ssl.issuer,
'subject': file_serverchain_ssl.subject
}
server_profile_dict.update(chain=server_chain_detail)
if len(server_profile_dict) > 0:
ssl_serverside_list.append(server_profile_dict)
if len(ssl_serverside_list) > 0:
ssl_virtualserver.update(serverside=ssl_serverside_list)
if 'clientside' in ssl_virtualserver.keys() or 'serverside' in ssl_virtualserver.keys():
# print(ssl_virtualserver)
ltm_ssl_virtuals_list.append(ssl_virtualserver)
print(ltm_ssl_virtuals_list)
with open(r"./F5-LTM-SSL-{}-NetworkMap.json".format(time.strftime("%Y-%m-%d", time.localtime())), "w") as f:
f.write(json.dumps(ltm_ssl_virtuals_list, indent=4, ensure_ascii=False))
Updated Jan 18, 2023
Version 4.0
xuwen
Cumulonimbus
Cumulonimbus- xuwen
test json result:
[ { "name": "APP-017-SPECIAL_Dining2_8030_Internet_97.49_18031", "fullPath": "/Common/APP-017-SPECIAL_Dining2_8030_Internet_97.49_18031", "partition": "Common", "serverside": [ { "name": "serverssl", "partition": "Common", "fullPath": "/Common/serverssl", "cert": null, "key": null } ] }, { "name": "service", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/service", "partition": "Sample_cert_06", "clientside": [ { "name": "pTlsServer_Local", "partition": "Sample_cert_06", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/pTlsServer_Local", "cert": { "name": "tlsserver_local_cert.crt", "partition": "Sample_cert_06", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsserver_local_cert.crt", "expirationDate": 1519588224, "expirationString": "Feb 25 19:50:24 2018 GMT", "issuer": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US", "subject": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US" }, "key": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsserver_local_cert.key", "chain": { "name": "tlsserver_local_cert-bundle.crt", "partition": "Sample_cert_06", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsserver_local_cert-bundle.crt", "expirationDate": 1522351285, "expirationString": "Mar 29 19:21:25 2018 GMT", "issuer": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US", "subject": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US" } } ], "serverside": [ { "name": "pTlsClient_Local", "partition": "Sample_cert_06", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/pTlsClient_Local", "cert": { "name": "tlsclient_local_cert.crt", "partition": "Sample_cert_06", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsclient_local_cert.crt", "expirationDate": 1519588224, "expirationString": "Feb 25 19:50:24 2018 GMT", "issuer": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US", "subject": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US" }, "key": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsclient_local_cert.key", "chain": { "name": "tlsclient_local_cert-bundle.crt", "partition": "Sample_cert_06", "subPath": "TEST_Service_Https_MultiAddr_Local", "fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsclient_local_cert-bundle.crt", "expirationDate": 1522351285, "expirationString": "Mar 29 19:21:25 2018 GMT", "issuer": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US", "subject": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US" } } ] } ] Hi xuwen - this is great! FYI - I cleared some of the extra spaces that snuck in when you used the text editor, but I didn't change any of the actual content. Just tried to make it easier to read without lots of extra page breaks. 🙂
