Forum Discussion

Nikolay_Matveev's avatar
Nikolay_Matveev
Icon for Nimbostratus rankNimbostratus
Mar 23, 2016

APM: terminate active session via API

Is it possible to obtain a list of active APM session and then terminate one of them using an API?

 

I assumed this could be done using iControl REST API but failed to find any relevant information in its user guide :(.

 

APM
application delivery
iControlREST
security

14 Replies

Sort By
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Mar 24, 2016

    Hello,

    You can show active sessions using the following script : 

    for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete $i; done

    You should have a look at the sessiondump command to see if you can kill an active session.

    • Nikolay_Matveev's avatar
      Nikolay_Matveev
      Icon for Nimbostratus rankNimbostratus
      Mar 24, 2016
      Thank you Yann. I understand you refer to CLI which is not exactly what I asked about. I need to be able to obtain list of current sessions and terminate one of them using an API call (ideally using a REST API) from an external application (not on the BigIP itself). Is this possible?
    • Yann_Desmarest_'s avatar
      Yann_Desmarest_
      Icon for Nacreous rankNacreous
      Mar 24, 2016
      Unfortunately, I think this is currently not available out of the box. But you may launch bash scripts from the rest api instead
    • Nikolay_Matveev's avatar
      Nikolay_Matveev
      Icon for Nimbostratus rankNimbostratus
      Mar 24, 2016
      Hmm... that's not very good... If a script is invoked via the REST API can its console output be returned as a result of that API call?
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Mar 24, 2016

    Hello,

    You can show active sessions using the following script : 

    for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete $i; done

    You should have a look at the sessiondump command to see if you can kill an active session.

    • Nikolay_Matveev's avatar
      Nikolay_Matveev
      Icon for Nimbostratus rankNimbostratus
      Mar 24, 2016
      Thank you Yann. I understand you refer to CLI which is not exactly what I asked about. I need to be able to obtain list of current sessions and terminate one of them using an API call (ideally using a REST API) from an external application (not on the BigIP itself). Is this possible?
    • Yann_Desmarest's avatar
      Yann_Desmarest
      Icon for Cirrus rankCirrus
      Mar 24, 2016
      Unfortunately, I think this is currently not available out of the box. But you may launch bash scripts from the rest api instead
    • Nikolay_Matveev's avatar
      Nikolay_Matveev
      Icon for Nimbostratus rankNimbostratus
      Mar 24, 2016
      Hmm... that's not very good... If a script is invoked via the REST API can its console output be returned as a result of that API call?
  • JoshBecigneul's avatar
    JoshBecigneul
    Icon for MVP rankMVP
    Apr 14, 2016

    You can run scripts via the REST API, but I would advise caution. Any commands that need input will fail, and if the command takes a long time to complete, it may not behave as expected. Same goes for commands that run a lot of output.

     

  • Arnaud_Lemaire's avatar
    Arnaud_Lemaire
    Icon for Employee rankEmployee
    May 20, 2016

    just release in 12.1 : REST APIs for managing user sessions in APM

    New iControl REST requests make it easier to manage sessions within APM by letting you list all user sessions and retrieve session ID, user login, and IP address for each APM server. Additional APIs are available for retrieving session information based on username or client IP address and for deleting the session based on the session ID.

    {
  "kind": "tm:apm:access-info:access-infostats",
  "selfLink": "https://localhost/mgmt/tm/apm/access-info/example?ver=12.1.0",
  "propertyDescriptions": {
    "clientIp": "",
    "logonUser": ""
  },
  "naturalKeyPropertyNames": []
}
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Apr 26, 2020

    Since 13.x you can do a REST call to delete a session : curl -X DELETE https://hostname/mgmt/tm/apm/session/12345678

     

    12345678 to be replaced by your session_id

  • Vladimir_Akhmarov's avatar
    Vladimir_Akhmarov
    Icon for Cirrus rankCirrus
    Apr 26, 2020

    Hello all!

    Recently deployed such a solution:

    1. Created iCall script with session termination logic (thanks Yann)
    2. Created iCall handler with type perpetual
    3. Used iControlREST to execute iCall handler

    See Yann's article

    Create your own iCall script and handler:

    sys icall script ApmSessionPurge_script { ... }
sys icall handler perpetual ApmSessionPurge_handler { script ApmSessionPurge_script }

    In the end of "definition" section of your iCall script add below commands. This command must be used because once perpetual handler will be started someone must stop it.

    # Stop iCall handler after execution
catch {[exec -- /bin/tmsh stop sys icall handler perpetual ApmSessionPurge_handler]}

    Shell example to use iControlREST:

    BIGIP_ADDR='192.0.2.1'
BIGIP_USER='admin'
BIGIP_PSWD='admin123'
BIGIP_HDLR='ApmSessionPurge_handler'
 
BIGIP_AUTH=$(curl -sk -H 'Content-Type: application/json' -X POST -d "{'username':'"$BIGIP_USER"', 'password':'"$BIGIP_PSWD"', 'loginProviderName':'tmos'}" https://${BIGIP_ADDR}/mgmt/shared/authn/login)
# Use sed -nE below for regular Linux/MacOS
BIGIP_TOKEN=$(echo $BIGIP_AUTH | sed -nr 's/.*\"token\":\"([A-Z0-9]+)\".*/\1/p')
curl -sk -H 'Content-Type: application/json' -H "X-F5-Auth-Token: $BIGIP_TOKEN" -X POST -d "{\"command\":\"start\", \"name\":\"$BIGIP_HDLR\"}" https://${BIGIP_ADDR}/mgmt/tm/sys/icall/handler/perpetual
  • Kurt_Erickson's avatar
    Kurt_Erickson
    Icon for Employee rankEmployee
    Jun 20, 2020

    This may be an easier way.

     

    To get a list of Active access sessions:

    curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M .

    {

     "kind": "tm:apm:access-info:access-infostats",

     "selfLink": "https://localhost/mgmt/tm/apm/access-info?ver=15.1.0",

     "entries": {

      "https://localhost/mgmt/tm/apm/access-info/9c0a5b2d": {

       "nestedStats": {

        "entries": {

         "clientIp": {

          "description": "192.168.1.72"

         },

         "logonUser": {

          "description": "user1"

         }

        }

       }

      },

      "https://localhost/mgmt/tm/apm/access-info/b7c5ede0": {

       "nestedStats": {

        "entries": {

         "clientIp": {

          "description": "192.168.1.72"

         },

         "logonUser": {

          "description": "user2"

         }

        }

       }

      }

     }

    }

     

    To delete a specific Access session:

    Locate the logonUser name and the URL ending with the session id.

    curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/<session id>

  • Kurt_Erickson's avatar
    Kurt_Erickson
    Icon for Employee rankEmployee
    Jun 21, 2020

    Not very pretty but this will iterate through the current access sessions and delete them:

     

    curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M . | grep https | grep -v selfLink | sed s'/\// /'g | sed s'/"/ /'g | awk '{system("curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/"$7)}'