Modify SSL profiles via REST API

lnxgeek · ‎08-Oct-2023

Hi wiz's

I have been spending some time on automating certificate maintenance.

This has brought my attention to this documentation: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_profile_client-ssl.html

In the table descriping "cert", "chain" and "key" it states in the notes that they are depricated and I should use certKeyChain option instead.

However no matter what I construct of calls which makes changes to an already existing clientssl profile (PATCH and PUT) I'm told:

{"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1}

Example code:

curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/ --header 'Content-Type: application/json' --data-raw '{                  
    "name":"sletmig",                                                                             
    "certKeyChain":[{"name":"default","cert":"hest.dk_2023","key":"hest.dk_2023","chain":"My_CA"}]
}'
{"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1}

I can make the change via this syntax:

curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH  https://$f5/mgmt/tm/ltm/profile/client-ssl/~Common~sletmig   -H "Content-Type: application/json" -d '{
  "key":"/Common/hest.dk_2023",
  "cert":"/Common/hest.dk_2023",
  "chain":"/Common/My_CA"
  }'|jq

Do I read the documentation wrong or am I missing something else?

@JRahm any hints?

JRahm · ‎09-Oct-2023

Hi @lnxgeek that's correct, you can't PATCH a collection, just the resources within that collection. From that doc, the methods support are shown one the resource, not the collection:

Resource URI
/mgmt/tm/ltm/profile/client-ssl/~resource id
Resource Methods
OPTIONS, GET, PUT, PATCH, DELETE, POST

Let me know if I'm misunderstanding the issue. Also, check your DM, I sent you something that might be of interest to you, but I'm equally interested in your test feedback if you have the time to check it out.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

View solution in original post

JRahm · ‎09-Oct-2023

Hi @lnxgeek that's correct, you can't PATCH a collection, just the resources within that collection. From that doc, the methods support are shown one the resource, not the collection:

Resource URI
/mgmt/tm/ltm/profile/client-ssl/~resource id
Resource Methods
OPTIONS, GET, PUT, PATCH, DELETE, POST

Let me know if I'm misunderstanding the issue. Also, check your DM, I sent you something that might be of interest to you, but I'm equally interested in your test feedback if you have the time to check it out.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

lnxgeek · ‎09-Oct-2023

Hi @JRahm

In that context it make sense.

But does that mean that my working example (don't know what to call it 😀) shouldn't be considered deprecated?

I don't want to work down a future dead end 😆

JRahm · ‎10-Oct-2023

What version of TMOS are you running? If you've tested on 17.1.x and it's working, it will go away on BIG-IP. That said, the APIs for BIG-IP Next are different and will connect to Central Manager, not the Next instances directly.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

lnxgeek · ‎10-Oct-2023

It is 17.1 I'm using.

I guess I have to get started with NEXT in my lab to be ready for the new shiny tool 😆

JRahm · ‎10-Oct-2023

For sure! Labbing it up myself for the last couple of weeks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
https://twitter.com/jasonrahm
https://www.youtube.com/devcentral

DevCentral

Modify SSL profiles via REST API

Register For AppWorld 2024

F5 Receives Six Trust Radius
Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

DevCentral

Modify SSL profiles via REST API

Register For AppWorld 2024

F5 Receives Six Trust Radius Best of 2023 Awards

F5 XC WAF

F5 BIG-IP

F5 Receives Six Trust Radius
Best of 2023 Awards