23-Mar-2016 08:04
Is it possible to obtain a list of active APM session and then terminate one of them using an API?
I assumed this could be done using iControl REST API but failed to find any relevant information in its user guide :(.
24-Mar-2016 02:11 - last edited on 05-Jun-2023 16:12 by JimmyPackets
Hello,
You can show active sessions using the following script:
for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete "$i"; done
You should have a look at the sessiondump command to see if you can kill an active session.
24-Mar-2016 02:51
24-Mar-2016 05:13
24-Mar-2016 07:14
14-Apr-2016 10:19
You can run scripts via the REST API, but I would advise caution. Any commands that need input will fail, and if the command takes a long time to complete, it may not behave as expected. Same goes for commands that run a lot of output.
20-May-2016 01:49 - last edited on 04-Jun-2023 17:32 by JimmyPackets
Just released in 12.1: REST APIs for managing user sessions in APM
New iControl REST requests make it easier to manage sessions within APM by letting you list all user sessions and retrieve session ID, user login, and IP address for each APM server. Additional APIs are available for retrieving session information based on username or client IP address and for deleting the session based on the session ID.
{
  "kind": "tm:apm:access-info:access-infostats",
  "selfLink": "https://localhost/mgmt/tm/apm/access-info/example?ver=12.1.0",
  "propertyDescriptions": {
    "clientIp": "",
    "logonUser": ""
  },
  "naturalKeyPropertyNames": []
}
26-Apr-2020 03:14
Since 13.x you can do a REST call to delete a session: curl -X DELETE https://hostname/mgmt/tm/apm/session/12345678
12345678 to be replaced by your session_id
26-Apr-2020 16:17 - last edited on 05-Jun-2023 23:05 by JimmyPackets
Hello all!
Recently deployed such a solution:
See Yann's article
Create your own iCall script and handler:
sys icall script ApmSessionPurge_script { ... }
sys icall handler perpetual ApmSessionPurge_handler { script ApmSessionPurge_script }
At the end of the "definition" section of your iCall script, add the commands below. This command must be used because once the perpetual handler is started, someone must stop it.
# Stop iCall handler after execution
catch {exec -- /bin/tmsh stop sys icall handler perpetual ApmSessionPurge_handler}
Shell example to use iControlREST:
BIGIP_ADDR='192.0.2.1'
BIGIP_USER='admin'
BIGIP_PSWD='admin123'
BIGIP_HDLR='ApmSessionPurge_handler'
# Log in and request an auth token (the JSON body uses double-quoted keys and values)
BIGIP_AUTH=$(curl -sk -H 'Content-Type: application/json' -X POST -d "{\"username\":\"$BIGIP_USER\", \"password\":\"$BIGIP_PSWD\", \"loginProviderName\":\"tmos\"}" "https://${BIGIP_ADDR}/mgmt/shared/authn/login")
# Use sed -nE below for regular Linux/MacOS
BIGIP_TOKEN=$(echo "$BIGIP_AUTH" | sed -nr 's/.*\"token\":\"([A-Z0-9]+)\".*/\1/p')
# Start the perpetual handler using the token
curl -sk -H 'Content-Type: application/json' -H "X-F5-Auth-Token: $BIGIP_TOKEN" -X POST -d "{\"command\":\"start\", \"name\":\"$BIGIP_HDLR\"}" "https://${BIGIP_ADDR}/mgmt/tm/sys/icall/handler/perpetual"
20-Jun-2020 14:59
This may be an easier way.
To get a list of Active access sessions:
curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M .
{
  "kind": "tm:apm:access-info:access-infostats",
  "selfLink": "https://localhost/mgmt/tm/apm/access-info?ver=15.1.0",
  "entries": {
    "https://localhost/mgmt/tm/apm/access-info/9c0a5b2d": {
      "nestedStats": {
        "entries": {
          "clientIp": {
            "description": "192.168.1.72"
          },
          "logonUser": {
            "description": "user1"
          }
        }
      }
    },
    "https://localhost/mgmt/tm/apm/access-info/b7c5ede0": {
      "nestedStats": {
        "entries": {
          "clientIp": {
            "description": "192.168.1.72"
          },
          "logonUser": {
            "description": "user2"
          }
        }
      }
    }
  }
}
To delete a specific Access session:
Locate the logonUser name and the URL ending with the session id.
curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/<session id>
21-Jun-2020 09:03
Not very pretty but this will iterate through the current access sessions and delete them:
curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M . | grep https | grep -v selfLink | sed s'/\// /'g | sed s'/"/ /'g | awk '{system("curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/"$7)}'
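An added example, not code from any poster in this thread: a parser for the access-info response shown above that selects sessions by logon user or client IP and returns the matching DELETE URLs without sending anything. The host name `bigip.example`, the function names, the 8-character hex session ID pattern (taken from the sample output) and the third, malformed entry are assumptions made for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed input, shaped like the access-info output quoted in the thread.
# The third entry is deliberately malformed to show the ID check.
SAMPLE = json.loads("""
{"entries": {
  "https://localhost/mgmt/tm/apm/access-info/9c0a5b2d": {"nestedStats": {"entries": {
      "clientIp": {"description": "192.168.1.72"}, "logonUser": {"description": "user1"}}}},
  "https://localhost/mgmt/tm/apm/access-info/b7c5ede0": {"nestedStats": {"entries": {
      "clientIp": {"description": "192.168.1.72"}, "logonUser": {"description": "user2"}}}},
  "https://localhost/mgmt/tm/apm/access-info/../../sys": {"nestedStats": {"entries": {
      "logonUser": {"description": "user1"}}}}
}}
""")

# Assumption: session IDs are 8 lowercase hex characters, as in the sample.
SESSION_ID_RE = re.compile(r"[0-9a-f]{8}")


def list_sessions(access_info):
    """Flatten the nestedStats structure into one dict per session."""
    sessions = []
    for link, body in access_info.get("entries", {}).items():
        sid = urlsplit(link).path.rsplit("/", 1)[-1]
        if not SESSION_ID_RE.fullmatch(sid):
            continue  # never pass an unvalidated path segment to DELETE
        stats = body.get("nestedStats", {}).get("entries", {})
        sessions.append({
            "id": sid,
            "user": stats.get("logonUser", {}).get("description", ""),
            "client_ip": stats.get("clientIp", {}).get("description", ""),
        })
    return sessions


def delete_urls(access_info, host, user=None, client_ip=None):
    """Return the DELETE URLs for sessions matching user and/or client_ip."""
    if user is None and client_ip is None:
        raise ValueError("no filter given; refusing to select every session")
    return [
        f"https://{host}/mgmt/tm/apm/session/{s['id']}"
        for s in list_sessions(access_info)
        if (user is None or s["user"] == user)
        and (client_ip is None or s["client_ip"] == client_ip)
    ]


if __name__ == "__main__":
    for url in delete_urls(SAMPLE, "bigip.example", user="user1"):
        print("DELETE", url)
```

Each returned URL can be passed to the `curl -X DELETE` call shown earlier in the thread.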