on
15-Jan-2023
21:10
- edited on
17-Jan-2023
18:01
by
Leslie_Hubertus
check LTM which VS enable ssl offload and extract its ssl profile binding cert, chain information and key name, include
expirationDate, expirationString, issuer, subject
check LTM which VS enable ssl offload and extract its ssl profile binding cert, chain information, support check and extract AS3 LTM VS ssl profile
Firstly, install python f5 sdk
pip install f5-sdk
Secondly, modify the following IP, account and password corresponding to your BIGIP LTM device
mgmt = ManagementRoot('192.168.5.109', 'admin', 'xt32112300', token=True)
Finally, if the code runs no error, it will generate a "F5-LTM-SSL-XXX(date format)-NetworkMap.json" file in your local working directory
from f5.bigip import ManagementRoot
import json, time
mgmt = ManagementRoot('192.168.5.109', 'admin', 'xt32112300', token=True)
sslprofiles_clientside = []
sslprofiles_serverside = []
virtuals = mgmt.tm.ltm.virtuals.get_collection()
ltm_ssl_virtuals_list = []
for virtual in virtuals:
ssl_virtualserver = {}
if hasattr(virtual, 'subPath'):
ssl_virtualserver.update(name=virtual.name, subPath=virtual.subPath, fullPath=virtual.fullPath,
partition=virtual.partition)
else:
ssl_virtualserver.update(name=virtual.name, fullPath=virtual.fullPath, partition=virtual.partition)
sslprofiles_clientside = []
sslprofiles_serverside = []
for profile in virtual.profiles_s.get_collection():
if profile.context == 'clientside':
if hasattr(profile, 'subPath'):
sslprofiles_clientside.append(('clientside', profile.name, profile.partition, profile.subPath,
profile.fullPath))
else:
sslprofiles_clientside.append(('clientside', profile.name, profile.partition, profile.fullPath))
elif profile.context == 'serverside':
if hasattr(profile, 'subPath'):
sslprofiles_serverside.append(('serverside', profile.name, profile.partition, profile.subPath,
profile.fullPath))
else:
sslprofiles_serverside.append(('serverside', profile.name, profile.partition, profile.fullPath))
else:
continue
ssl_clientside_list = []
if len(sslprofiles_clientside) > 0:
for client_profile in sslprofiles_clientside:
client_profile_dict = {}
if len(client_profile) == 5:
ssl_pro_client = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(name=client_profile[1],
partition=client_profile[2],
subPath=client_profile[3])
else:
ssl_pro_client = mgmt.tm.ltm.profile.client_ssls.client_ssl.load(name=client_profile[1],
partition=client_profile[2])
ssl_profile_clientside_cert = ssl_pro_client.cert
ssl_profile_clientside_key = ssl_pro_client.key
# ssl_profile_clientside_chain = ssl_pro_client.chain default value is 'none'
ssl_profile_clientside_chain = ssl_pro_client.chain
if len(ssl_profile_clientside_cert.split('/')) == 4:
file_client_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_cert.split('/')[-1],
partition=ssl_profile_clientside_cert.split('/')[1],
subPath=ssl_profile_clientside_cert.split('/')[2])
client_cert_detail = {
'name': file_client_ssl.name,
'partition': file_client_ssl.partition,
'subPath': file_client_ssl.subPath,
'fullPath': file_client_ssl.fullPath,
'expirationDate': file_client_ssl.expirationDate,
'expirationString': file_client_ssl.expirationString,
'issuer': file_client_ssl.issuer,
'subject': file_client_ssl.subject
}
client_profile_dict.update(name=client_profile[1],
partition=client_profile[2],
subPath=client_profile[3],
fullPath=client_profile[-1],
cert=client_cert_detail,
key=ssl_profile_clientside_key)
else:
file_client_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_cert.split('/')[-1],
partition=ssl_profile_clientside_cert.split('/')[1])
client_cert_detail = {
'name': file_client_ssl.name,
'partition': file_client_ssl.partition,
'fullPath': file_client_ssl.fullPath,
'expirationDate': file_client_ssl.expirationDate,
'expirationString': file_client_ssl.expirationString,
'issuer': file_client_ssl.issuer,
'subject': file_client_ssl.subject
}
client_profile_dict.update(name=client_profile[1],
partition=client_profile[2],
fullPath=client_profile[-1],
cert=client_cert_detail,
key=ssl_profile_clientside_key)
if ssl_profile_clientside_chain != 'none':
if len(ssl_profile_clientside_chain.split('/')) == 4:
file_clientchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_chain.split('/')[-1],
partition=ssl_profile_clientside_chain.split('/')[1],
subPath=ssl_profile_clientside_chain.split('/')[2])
client_chain_detail = {
'name': file_clientchain_ssl.name,
'partition': file_clientchain_ssl.partition,
'subPath': file_clientchain_ssl.subPath,
'fullPath': file_clientchain_ssl.fullPath,
'expirationDate': file_clientchain_ssl.expirationDate,
'expirationString': file_clientchain_ssl.expirationString,
'issuer': file_clientchain_ssl.issuer,
'subject': file_clientchain_ssl.subject
}
client_profile_dict.update(chain=client_chain_detail)
else:
file_clientchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_clientside_chain.split('/')[-1],
partition=ssl_profile_clientside_chain.split('/')[1])
client_chain_detail = {
'name': file_clientchain_ssl.name,
'partition': file_clientchain_ssl.partition,
'fullPath': file_clientchain_ssl.fullPath,
'expirationDate': file_clientchain_ssl.expirationDate,
'expirationString': file_clientchain_ssl.expirationString,
'issuer': file_clientchain_ssl.issuer,
'subject': file_clientchain_ssl.subject
}
client_profile_dict.update(chain=client_chain_detail)
if len(client_profile_dict) > 0:
ssl_clientside_list.append(client_profile_dict)
if len(ssl_clientside_list) > 0:
ssl_virtualserver.update(clientside=ssl_clientside_list)
# print(ssl_virtualserver)
# ltm_ssl_virtuals_list.append(ssl_virtualserver)
ssl_serverside_list = []
if len(sslprofiles_serverside) > 0:
for server_profile in sslprofiles_serverside:
server_profile_dict = {}
if len(server_profile) == 5:
ssl_pro_server = mgmt.tm.ltm.profile.server_ssls.server_ssl.load(name=server_profile[1],
partition=server_profile[2],
subPath=server_profile[3])
else:
ssl_pro_server = mgmt.tm.ltm.profile.server_ssls.server_ssl.load(name=server_profile[1],
partition=server_profile[2])
ssl_profile_serverside_cert = ssl_pro_server.cert
ssl_profile_serverside_key = ssl_pro_server.key
# ssl_profile_serverside_chain = ssl_pro_server.chain default value is 'none'
ssl_profile_serverside_chain = ssl_pro_server.chain
if len(ssl_profile_serverside_cert.split('/')) == 4:
file_server_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_cert.split('/')[-1],
partition=ssl_profile_serverside_cert.split('/')[1],
subPath=ssl_profile_serverside_cert.split('/')[2])
server_cert_detail = {
'name': file_server_ssl.name,
'partition': file_server_ssl.partition,
'subPath': file_server_ssl.subPath,
'fullPath': file_server_ssl.fullPath,
'expirationDate': file_server_ssl.expirationDate,
'expirationString': file_server_ssl.expirationString,
'issuer': file_server_ssl.issuer,
'subject': file_server_ssl.subject
}
server_profile_dict.update(name=server_profile[1],
partition=server_profile[2],
subPath=server_profile[3],
fullPath=server_profile[-1],
cert=server_cert_detail,
key=ssl_profile_serverside_key)
elif len(ssl_profile_serverside_cert.split('/')) == 3:
file_server_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_cert.split('/')[-1],
partition=ssl_profile_serverside_cert.split('/')[1])
server_cert_detail = {
'name': file_server_ssl.name,
'partition': file_server_ssl.partition,
'fullPath': file_server_ssl.fullPath,
'expirationDate': file_server_ssl.expirationDate,
'expirationString': file_server_ssl.expirationString,
'issuer': file_server_ssl.issuer,
'subject': file_server_ssl.subject
}
server_profile_dict.update(name=server_profile[1],
partition=server_profile[2],
fullPath=server_profile[-1],
cert=server_cert_detail,
key=ssl_profile_serverside_key)
else:
server_profile_dict.update(name=server_profile[1],
partition=server_profile[2],
fullPath=server_profile[-1],
cert=None,
key=None)
if ssl_profile_serverside_chain != 'none':
if len(ssl_profile_serverside_chain.split('/')) == 4:
file_serverchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_chain.split('/')[-1],
partition=ssl_profile_serverside_chain.split('/')[1],
subPath=ssl_profile_serverside_chain.split('/')[2])
server_chain_detail = {
'name': file_serverchain_ssl.name,
'partition': file_serverchain_ssl.partition,
'subPath': file_serverchain_ssl.subPath,
'fullPath': file_serverchain_ssl.fullPath,
'expirationDate': file_serverchain_ssl.expirationDate,
'expirationString': file_serverchain_ssl.expirationString,
'issuer': file_serverchain_ssl.issuer,
'subject': file_serverchain_ssl.subject
}
server_profile_dict.update(chain=server_chain_detail)
else:
file_serverchain_ssl = mgmt.tm.sys.file.ssl_certs.ssl_cert.load(
name=ssl_profile_serverside_chain.split('/')[-1],
partition=ssl_profile_serverside_chain.split('/')[1])
server_chain_detail = {
'name': file_serverchain_ssl.name,
'partition': file_serverchain_ssl.partition,
'fullPath': file_serverchain_ssl.fullPath,
'expirationDate': file_serverchain_ssl.expirationDate,
'expirationString': file_serverchain_ssl.expirationString,
'issuer': file_serverchain_ssl.issuer,
'subject': file_serverchain_ssl.subject
}
server_profile_dict.update(chain=server_chain_detail)
if len(server_profile_dict) > 0:
ssl_serverside_list.append(server_profile_dict)
if len(ssl_serverside_list) > 0:
ssl_virtualserver.update(serverside=ssl_serverside_list)
if 'clientside' in ssl_virtualserver.keys() or 'serverside' in ssl_virtualserver.keys():
# print(ssl_virtualserver)
ltm_ssl_virtuals_list.append(ssl_virtualserver)
print(ltm_ssl_virtuals_list)
with open(r"./F5-LTM-SSL-{}-NetworkMap.json".format(time.strftime("%Y-%m-%d", time.localtime())), "w") as f:
f.write(json.dumps(ltm_ssl_virtuals_list, indent=4, ensure_ascii=False))
test json result:
[
{
"name": "APP-017-SPECIAL_Dining2_8030_Internet_97.49_18031",
"fullPath": "/Common/APP-017-SPECIAL_Dining2_8030_Internet_97.49_18031",
"partition": "Common",
"serverside": [
{
"name": "serverssl",
"partition": "Common",
"fullPath": "/Common/serverssl",
"cert": null,
"key": null
}
]
},
{
"name": "service",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/service",
"partition": "Sample_cert_06",
"clientside": [
{
"name": "pTlsServer_Local",
"partition": "Sample_cert_06",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/pTlsServer_Local",
"cert": {
"name": "tlsserver_local_cert.crt",
"partition": "Sample_cert_06",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsserver_local_cert.crt",
"expirationDate": 1519588224,
"expirationString": "Feb 25 19:50:24 2018 GMT",
"issuer": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US",
"subject": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US"
},
"key": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsserver_local_cert.key",
"chain": {
"name": "tlsserver_local_cert-bundle.crt",
"partition": "Sample_cert_06",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsserver_local_cert-bundle.crt",
"expirationDate": 1522351285,
"expirationString": "Mar 29 19:21:25 2018 GMT",
"issuer": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US",
"subject": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US"
}
}
],
"serverside": [
{
"name": "pTlsClient_Local",
"partition": "Sample_cert_06",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/pTlsClient_Local",
"cert": {
"name": "tlsclient_local_cert.crt",
"partition": "Sample_cert_06",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsclient_local_cert.crt",
"expirationDate": 1519588224,
"expirationString": "Feb 25 19:50:24 2018 GMT",
"issuer": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US",
"subject": "CN=sample.example.net,O=f5_Networks,L=Seattle,ST=Washington,C=US"
},
"key": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsclient_local_cert.key",
"chain": {
"name": "tlsclient_local_cert-bundle.crt",
"partition": "Sample_cert_06",
"subPath": "TEST_Service_Https_MultiAddr_Local",
"fullPath": "/Sample_cert_06/TEST_Service_Https_MultiAddr_Local/tlsclient_local_cert-bundle.crt",
"expirationDate": 1522351285,
"expirationString": "Mar 29 19:21:25 2018 GMT",
"issuer": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US",
"subject": "emailAddress=somebody@somewhere.org,CN=test_CA_bundle,OU=Test,O=F5,L=Seattle,ST=Washington,C=US"
}
}
]
}
]
Hi @xuwen - this is great! FYI - I cleared some of the extra spaces that snuck in when you used the text editor, but I didn't change any of the actual content. Just tried to make it easier to read without lots of extra page breaks. 🙂