TMOS 14.x.x iApp Templates

alanjohnson7467
Altocumulus

After recently upgrading part of our LTM environment to TMOS 14.1.4, I've discovered that our primarily used iApp template is now broken. The root issue is the implementation for client-ssl and cert/key/chain. My template is using deprecated commands. As such, attempting to reconfigure any iApp service created under this template fails.

Error Message: 01b4002b:3: Client SSL profile (/<partition>/<ssl_profile>): the profile has no RSA c...

I was wondering if anyone had any suggestions on how I might modify our existing template to use the preferred cert-key-chain command. Here's a snippet:

#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    key $::ssl__key \
    cert $::ssl__cert \
    chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] ]

 

I realize that legacy iApp is going away. My organization is working towards migrating to FAST, but we are a long way out from accomplishing that. So I'm needing a band-aid for our old template for the time being.

 

1 REPLY

alanjohnson7467
Altocumulus

I was able to find a fix for my issues by using the following:

 

set is_v13_1 [iapp_tmos_version >= 13.1]

#Creating new Client SSL Profile
# On TMOS 13.1 and later, key/cert/chain are wrapped in a cert-key-chain entry named "default"
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
    key $::ssl__key \
    cert $::ssl__cert \
    chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
    [expr { $is_v13_1 ? "\}\}" : "" }] ]

 

 

...our full set of client SSL profile setup looks like this:

set is_v13_1 [iapp_tmos_version >= 13.1]

#################################
# Client SSL Profile Setup
#################################
if { ([iapp_is ::application__ssl_option "bridge"]) || ([iapp_is ::application__ssl_option "offload"]) } {
    if { [iapp_is ::ssl__client_ssl_profile $::CREATE_NEW_ANSWER] } {
        #Creating new Client SSL Profile
        set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
            defaults-from $::ssl__parent \
            [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
            key $::ssl__key \
            cert $::ssl__cert \
            chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
            [expr { $is_v13_1 ? "\}\}" : "" }] ]
    } else {
        #Using existing Client SSL Profile
        set client_ssl $::ssl__client_ssl_profile
    }
} else {
    set client_ssl "none"
}
if { $client_ssl == "none" } {
    set vs_clientssl " "
} else {
    set vs_clientssl "$client_ssl \{ context clientside \} "
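
Added example, not part of the original thread or of F5's code: a small Python audit that scans iApp template text before an upgrade and reports every client-ssl create statement still passing key/cert/chain at the top level, the form the question describes as failing on reconfigure. The function name, the sample template and the `${app}_fixed` profile are constructed for illustration; a statement is assumed to be migrated if it mentions `cert-key-chain` anywhere.

```python
import re

CREATE = "iapp_conf create ltm profile client-ssl"
LEGACY_OPTS = ("key", "cert", "chain")  # top-level options in the original snippet

def find_legacy_clientssl(template_text):
    """Return [(line_no, profile_name, [legacy options])] for each client-ssl
    create statement that sets key/cert/chain outside a cert-key-chain block."""
    # Fold backslash-newline continuations into spaces; replacing two
    # characters with two keeps offsets aligned with the original text.
    logical = template_text.replace("\\\n", "  ")
    findings = []
    for m in re.finditer(re.escape(CREATE), logical):
        line_start = logical.rfind("\n", 0, m.start()) + 1
        line_end = logical.find("\n", m.start())
        if line_end == -1:
            line_end = len(logical)
        if logical[line_start:m.start()].lstrip().startswith("#"):
            continue  # commented-out statement
        stmt = logical[m.start():line_end]
        if "cert-key-chain" in stmt:
            continue  # assumption: any cert-key-chain wrapper means migrated
        tokens = stmt.split()
        name = tokens[5] if len(tokens) > 5 else "?"
        legacy = [t for t in tokens[6:] if t in LEGACY_OPTS]
        if legacy:
            line_no = template_text.count("\n", 0, m.start()) + 1
            findings.append((line_no, name, legacy))
    return findings

# Constructed sample: the question's statement plus an already-wrapped one.
SAMPLE = r"""
#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    key $::ssl__key \
    cert $::ssl__cert \
    chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] ]

set fixed_ssl [iapp_conf create ltm profile client-ssl ${app}_fixed \
    defaults-from $::ssl__parent \
    [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
    key $::ssl__key cert $::ssl__cert chain none \
    [expr { $is_v13_1 ? "\}\}" : "" }] ]
"""

if __name__ == "__main__":
    for line_no, name, opts in find_legacy_clientssl(SAMPLE):
        print(f"line {line_no}: {name} sets {', '.join(opts)} without cert-key-chain")
```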