Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

Modifying SSL Profile via REST API

Go to solution
Bastian123234_2
Nimbostratus
Nimbostratus

‎19-Jul-2017 00:32 - last edited on ‎22-Nov-2022 15:37 by Fog

Hello everyone,

 

Iam currently testing the REST API and having trouble with some simple changes on a SSL profile. Iam using local authentication, trying to modify a certificate used in a test profile, however iam getting an error. I do not find any documentation regarding the issue, hence i hope someone here could point me to the right direction.

 

My code looks as following (By the way, iam using Ruby.). Basically it is just pushing the data. I got the format via a GET request to be sure to have the right format. The values i changed in this request are: "certKeyChain" => "name", "cert" and "key".

 

@session = RestClient::Resource.new('https://10.70.235.105/mgmt/tm', :verify_ssl => false, :user => "admin", :password => "admin")  open session


c = {"kind"=>"tm:ltm:profile:client-ssl:client-sslstate",
 "name"=>"test_bastian",
 "partition"=>"Common",
 "fullPath"=>"/Common/test_bastian",
 "generation"=>1702,
 "selfLink"=>
  "https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~test_bastian?ver=12.1.2",
 "alertTimeout"=>"indefinite",
 "allowDynamicRecordSizing"=>"disabled",
 "allowExpiredCrl"=>"disabled",
 "allowNonSsl"=>"disabled",
 "authenticate"=>"once",
 "authenticateDepth"=>9,
 "cacheSize"=>262144,
 "cacheTimeout"=>3600,
 "cert"=>"/Common/new_test.crt",
 "certReference"=>
  {"link"=>
    "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
 "certExtensionIncludes"=>["basic-constraints", "subject-alternative-name"],
 "certLifespan"=>30,
 "certLookupByIpaddrPort"=>"disabled",
 "chain"=>"/Common/new_test.crt",
 "chainReference"=>
  {"link"=>
    "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
 "ciphers"=>"DEFAULT",
 "defaultsFrom"=>"/Common/clientssl",
 "defaultsFromReference"=>
  {"link"=>
    "https://localhost/mgmt/tm/ltm/profile/client-ssl/~Common~clientssl?ver=12.1.2"},
 "forwardProxyBypassDefaultAction"=>"intercept",
 "genericAlert"=>"enabled",
 "handshakeTimeout"=>"10",
 "inheritCertkeychain"=>"false",
 "key"=>"/Common/new_test.key",
 "keyReference"=>
  {"link"=>
    "https://localhost/mgmt/tm/sys/file/ssl-key/~Common~new_test.key?ver=12.1.2"},
 "maxActiveHandshakes"=>"indefinite",
 "maxAggregateRenegotiationPerMinute"=>"indefinite",
 "maxRenegotiationsPerMinute"=>5,
 "maximumRecordSize"=>16384,
 "modSslMethods"=>"disabled",
 "mode"=>"enabled",
 "tmOptions"=>["dont-insert-empty-fragments"],
 "peerCertMode"=>"ignore",
 "peerNoRenegotiateTimeout"=>"10",
 "proxySsl"=>"disabled",
 "proxySslPassthrough"=>"disabled",
 "renegotiateMaxRecordDelay"=>"indefinite",
 "renegotiatePeriod"=>"indefinite",
 "renegotiateSize"=>"indefinite",
 "renegotiation"=>"enabled",
 "retainCertificate"=>"true",
 "secureRenegotiation"=>"require",
 "sessionMirroring"=>"disabled",
 "sessionTicket"=>"disabled",
"sessionTicketTimeout"=>0,
 "sniDefault"=>"false",
 "sniRequire"=>"false",
 "sslForwardProxy"=>"disabled",
 "sslForwardProxyBypass"=>"disabled",
 "sslSignHash"=>"any",
 "strictResume"=>"disabled",
 "uncleanShutdown"=>"enabled",
 "certKeyChain"=>
  [{"name"=>"default",
    "cert"=>"/Common/default.crt",
    "certReference"=>
     {"link"=>
       "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},

    "chain"=>"",
    "chainReference"=>
     {"link"=>
       "https://localhost/mgmt/tm/sys/file/ssl-cert/~Common~new_test.crt?ver=12.1.2"},
    "key"=>"/Common/default.key",
    "keyReference"=>
     {"link"=>
       "https://localhost/mgmt/tm/sys/file/ssl-key/~Common~new_test.key?ver=12.1.2"}}]} build data

c = c.to_json
push_profile = @session["ltm/profile/client-ssl/~Common~" + profile].put(c, :content_type => :json)  push data

When running the script, i get the following errors:

 

RestClient.put "https://10.70.235.105/mgmt/tm/ltm/profile/client-ssl/~Common~test_bastian", 2467 byte(s) length, "Accept"=>"*/*", "Accept-Encoding"=>"gzip, deflate", "Content-Length"=>"2467", "Content-Type"=>"application/json", "User-Agent"=>"rest-client/2.0.2 (linux-gnu x86_64) ruby/2.4.1p111"
 => 400 BadRequest | application/json 145 bytes
{"code":400,"message":"010717e7:3: cert-key-chain and profile cert, key or chain options cannot be input together.","errorStack":[],"apiError":3}

would be nice to get some feedback 🙂

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
Bastian123234_2
Nimbostratus
Nimbostratus

‎19-Jul-2017 23:50 - last edited on ‎05-Jun-2023 22:36 by Fog

thanks for your feedback PK, but i found the issue:

  • first of all, I pulled the whole profile, changed the settings and pushed it again. This does not work. You have to push only the values you want change, in this case "cert", "key", and "chain".
  • second: i tried to change the mentioned values in "certKeyChain", however there are other key/value pairs within the hash I needed to change. It is a bit confusing, since they have the same name, and from my point of view, it makes more sense that the ones in the certKeyChain are the correct ones, but this is not the case.

so all i had to push is:

{"cert"=>"/Common/new_test.crt",
 "key"=>"//Common/new_test.key",
 "chain"=>"/Common/new_test.crt"}

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
P_K
Altostratus
Altostratus

‎19-Jul-2017 11:44 - last edited on ‎05-Jun-2023 15:10 by Fog

"certKeyChain"=>

[{"name"=>"default",

"cert"=>"/Common/default.crt", 
// this should be new_test.crt

"certReference"=>
0 Kudos

Go to solution
Bastian123234_2
Nimbostratus
Nimbostratus

‎19-Jul-2017 23:50 - last edited on ‎05-Jun-2023 22:36 by Fog

thanks for your feedback PK, but i found the issue:

  • first of all, I pulled the whole profile, changed the settings and pushed it again. This does not work. You have to push only the values you want change, in this case "cert", "key", and "chain".
  • second: i tried to change the mentioned values in "certKeyChain", however there are other key/value pairs within the hash I needed to change. It is a bit confusing, since they have the same name, and from my point of view, it makes more sense that the ones in the certKeyChain are the correct ones, but this is not the case.

so all i had to push is:

{"cert"=>"/Common/new_test.crt",
 "key"=>"//Common/new_test.key",
 "chain"=>"/Common/new_test.crt"}
0 Kudos

Go to solution
qbolbk59
Nimbostratus
Nimbostratus
In response to Bastian123234_2

‎21-Feb-2022 02:19

@Bastian123234_2  

Thanks for the solution. However this is not working for me if i just send the payload you mentioned. I get an error "one or more configuration identifiers must be provided". Not sure what's missing. Any idea ?

Also, in your request, where do you specify which SSL profile you need to update since it's neither mentioned in the payload not in your url ?

 

0 Kudos
Copyright © 2023 Khoros, LLC