ASM - Rest API - sig-set ID

Question

Hi,signature-set IDs used in iControl Rest use those IDs:(either ID in a link of sig-set like: "/asm/signature-sets/XFklAdYbdN8MUWbi74WC3g", or ID of sig-set already used in policy like "/asm/policies/abcdc123/signature-sets/4IXuDlyTtr3C4d322L27nQ")&nbsp;My question is, are those IDs static, for example defined from signature-set name? Or can those IDs be changed after LB upgrade, reboot or so?I have one specific signature set (created by myself) and would like to hardocde ID of it to my code in order to quickly add it or remove from any policy.&nbsp;Thanks,Zdenek&nbsp;

satoshi_toyosa1 · Answer

Here's the steps to create the hash from the name of the ASM object.Create the MD5 digest from the name (yields 128 bits of binary data)Encode it using base64 (yields 24 characters)Trim the last two "==".For example,# echo -n /Common/sat | openssl dgst -md5 -binary | base64 | cut -c-22
9afAWDUoawpiNnfSfSGtMQObviously, because MD5 is not reversible (one-way), the hashed ID cannot be decoded back to the object name.See alsoRFC 4648 The Base16, Base32, and Base64 Data EncodingsRFC 1231 The MD5 Message-Digest Algorithm

satoshi_toyosa1 · Answer

For an entity with multiple values, you need to concatenate them with "###UNLIKELY_DELIMITER###" as the delimiter: i.e., "192.168.0.30###UNLIKELY_DELIMITER###255.255.255.255".Also, I forgot to mention one more step. Because Base64 generates characters that are not URI safe, "+" and "/" must be translated to "-" and "_" respectively: i.e., sed 'y/+\//-_/'.Here's the revised version of the steps:Create a source input string by concatenating the elements using the ###UNLIKELY_DELIMITER### delimiter.Create the MD5 digest from the source input (yields 128 bits of binary data)Encode it using base64 (yields 24 characters)Trim the last two "==" (22 characters)Transliterate "+" and "/" to "-" and "_" respectively.For example,echo -n "192.168.0.30###UNLIKELY_DELIMITER###255.255.255.255"  | openssl dgst -md5 -binary | base64 | cut -c-22 | sed 'y/+\//-_/' 
2S_b6WCJRsVKz9xgrtxYPANote that the order of elements matters (e.g., 192.168.0.30...255.255.255.255 vs. 255.255.255.255...192.168.0.30) and depends on what entity you are dealing with. You need to try out (although the complexity of a brute-force try-and-error is O(2^N), thankfully, there is not so many combinations).Cheers.

sebastien6 · Answer

All the ASM hash in URLs are MD5 hash from name of object. Only If you change the name, the hash change. Remain the same outside of that even between various version of TMOS.

sebastien6 · Answer

Cool thank you. Works fine. Per chance, do you know the way to do it for whitelist=ips?

I know the name is based on a combination of ipAddress/ipMask, as hash change if you change the ipMask.

I tried all those without success for 192.168.0.30/255.255.255.255 that should be 2S_b6WCJRsVKz9zgrtxYPA:

b'192.168.0.30/255.255.255.255'

b'/192.168.0.30/255.255.255.255'

b'/Common/whitelist-ips/192.168.0.30/255.255.255.255'

b'/Common/seb-dev-policy1/whitelist-ips/192.168.0.30/255.255.255.255'

b'/Common/seb-dev-policy1'

b'/whitelist-ips/192.168.0.30/255.255.255.255'

tried also all of them using 192.168.0.30_255.255.255.255 with no success.

sebastien6 · Answer

Thank you very much. That will help me a lot.

Forum Discussion

ASM - Rest API - sig-set ID

5 Replies

Recent Discussions

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Related Content

Beyond REST: Protecting GraphQL

iControl REST / Change a setting in ASM logging profile

iControl REST Authentication Token Management

iControl REST 101: ASM Intro

ASM logs