API, SDK, AS3, oh my?

Question

I am looking for the best long-term, easiest to support, way to automatically manage SSL certs in Big-IP.

I found f5-sdk, but it is no longer under active development, since May 30, 2021.

I found f5-sdk-python, which seems to be a different sdk. It's under "f5devcentral" instead of "f5networks," so I guess it's community supported rather than officially supported, although both are "copyright F5 Networks, Inc." so it's confusing. It doesn't have a "no longer actively developed" banner on it, but its last commit was Apr 16, 2020. Which makes me think it is actually no longer developed.

I found f5-cli, which is based on the above f5-sdk-python. So I think it's actually no longer developed.

I found lets-encrypt-python, whic is based on BIGREST, which is a wrapper around the `requests` module using the iControl REST API. It's specifically made to address the above problems with the sdk's being unmaintained, but users need to know the API url's. I've been running into difficulties using it, because of incomplete or inaccurate documentation about the API. Specifically, the url's that are used in lets-encrypt-python, and even in the `_connect()` method of BIGREST, don't exist on my Big-IP device, so I had to create an issue, and patch BIGREST, to make BIGREST functional with my device, but then the url's in lets-encrypt-python also don't exist on my device, so I'm left to figure out the API on my own. I'm not sure if the API changed between my version of Big-IP and the author's version of Big-IP, or if we have a different device, or different licensing, or what. The only thing I'm sure about is that some of the URL's they used don't exist for me.

The iControl REST API documentation has a banner at the top, more or less encouraging users not to use it, and instead recommending using AS3. When I ignore this banner and try to use it, I find the API documentation itself has a bunch of missing or inaccurate parts, so maybe it is best to use AS3. Or maybe I should keep working on the API some more, I'm not sure.

One of the requirements for AS3 is the user must have Administrator role, basically root, on the F5. This is contrary to our organization security policy, so if we need it, I'm going to have to raise meetings with management and include our infosec group to make it happen, so I don't want to push that direction unless I know it's the right direction for us to go.

Can anyone offer advice on the best long-term, most well supported path forward?

Thank you.

dario_garrido · Answer

Hello Rahvee,
Besides what it states this AS3 requirements you provided, have you ever tried to run a certification renewal with user with role "Certificate Manager"?&nbsp;
&nbsp;

anesh · Answer

Following are cons of using AS3Additional overhead of mainting the AS3 rpm during f5 TMOS upgrades and also test the compatibility of the as3 rpm with the TMOS versionDue to imperarive model of AS3 , config pushes are slower in comparsion to using a REST API. As AS3 deploys the whole configuration on a tenant as opposed to changing only a specifc attribute in the JSON payload.there is no AS3 JSON available for deploying payloads for F5 ASM and APM, but the REST API has API's to work with both ASM and APMI would use REST API over AS3 anyday!!!&nbsp;&nbsp;

Forum Discussion

API, SDK, AS3, oh my?

2 Replies

Recent Discussions

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Related Content

Embracing AS3: Foundations

Generate API SDK for F5 Distributed Cloud

F5 Python SDK Overview

AS3 Best Practice

Code comparison between deploying AS3 or FAST API Declarations with Ansible and Terraform