Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

TMOS 14.x.x iApp Templates

alanjohnson7467
Cirrus
Cirrus

‎02-Feb-2022 14:20

After recently upgrading part of our LTM environment to TMOS 14.1.4 I've discovered that our primarily used iApp template is now broken. The root issue is the implementation for client-ssl and cert/key/chain. My template is using deprecated commands. As such attempting to reconfigure any iApp service created under this template fails.

Error Message: 01b4002b:3: Client SSL profile (/<partition>/<ssl_profile>): the profile has no RSA c...

I was wondering if anyone had any suggestions on how I might modify our existing template to use the preferred cert-key-chain command. Here's a snippet:

#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
defaults-from $::ssl__parent \
key $::ssl__key \
cert $::ssl__cert \
chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] ]

 

I realize that legacy iApp is going away. My organization is working towards migrating to FAST, but we are a long way out from accomplishing that. So I'm needing a band-aid for our old template for the time being.

 

Labels:
0 Kudos
1 REPLY 1

alanjohnson7467
Cirrus
Cirrus

‎03-Feb-2022 08:48

I was able to find a fix for my issues by using the following:

 

set is_v13_1 [iapp_tmos_version >= 13.1]

#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl\
defaults-from $::ssl__parent \
[expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
key $::ssl__key \
cert $::ssl__cert \
chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
[expr { $is_v13_1 ? "\}\}" : "" }] \ ]

 

 

...our full set of client SSL profile setup looks like this:

set is_v13_1 [iapp_tmos_version >= 13.1]

#################################
# Client SSL Profile Setup
#################################
if { ([iapp_is ::application__ssl_option "bridge"]) || ([iapp_is ::application__ssl_option "offload"]) } {
if { [iapp_is ::ssl__client_ssl_profile $::CREATE_NEW_ANSWER] } {
#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl\
defaults-from $::ssl__parent \
[expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
key $::ssl__key \
cert $::ssl__cert \
chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
[expr { $is_v13_1 ? "\}\}" : "" }] \ ]


} else {
#Using existing Client SSL Profile
set client_ssl $::ssl__client_ssl_profile
}
} else {
set client_ssl "none"
}
if { $client_ssl == "none" } {
set vs_clientssl " "
} else {
set vs_clientssl "$client_ssl \{ context clientside \} "

0 Kudos
Copyright © 2023 Khoros, LLC