02-Feb-2022 14:20
After recently upgrading part of our LTM environment to TMOS 14.1.4, I've discovered that our primarily used iApp template is now broken. The root issue is the implementation for client-ssl and cert/key/chain. My template is using deprecated commands. As such, attempting to reconfigure any iApp service created under this template fails.
I was wondering if anyone had any suggestions on how I might modify our existing template to use the preferred cert-key-chain command. Here's a snippet:
#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    key $::ssl__key \
    cert $::ssl__cert \
    chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] ]
I realize that legacy iApp is going away. My organization is working towards migrating to FAST, but we are a long way out from accomplishing that. So I'm needing a band-aid for our old template for the time being.
03-Feb-2022 08:48
I was able to find a fix for my issues by using the following:
set is_v13_1 [iapp_tmos_version >= 13.1]
#Creating new Client SSL Profile
# On TMOS 13.1+ key/cert/chain are wrapped in a cert-key-chain entry named "default"
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
    key $::ssl__key \
    cert $::ssl__cert \
    chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
    [expr { $is_v13_1 ? "\}\}" : "" }] ]
...our full set of client SSL profile setup looks like this:
set is_v13_1 [iapp_tmos_version >= 13.1]
#################################
# Client SSL Profile Setup
#################################
if { ([iapp_is ::application__ssl_option "bridge"]) || ([iapp_is ::application__ssl_option "offload"]) } {
    if { [iapp_is ::ssl__client_ssl_profile $::CREATE_NEW_ANSWER] } {
        #Creating new Client SSL Profile
        set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
            defaults-from $::ssl__parent \
            [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
            key $::ssl__key \
            cert $::ssl__cert \
            chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
            [expr { $is_v13_1 ? "\}\}" : "" }] ]
    } else {
        #Using existing Client SSL Profile
        set client_ssl $::ssl__client_ssl_profile
    }
} else {
    set client_ssl "none"
}
if { $client_ssl == "none" } {
    set vs_clientssl " "
} else {
    set vs_clientssl "$client_ssl \{ context clientside \} "
}
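For auditing other templates for the same problem, here is an added example (not part of either post, and not F5 code): a heuristic text scan that flags `create ltm profile client-ssl` statements which set `key`, `cert` or `chain` at the top level instead of inside a `cert-key-chain` block. The sample templates are constructed from the snippets in this thread, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the two snippets in this thread.
LEGACY = r'''
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    key $::ssl__key \
    cert $::ssl__cert \
    chain $::ssl__chain ]
'''
WRAPPED = r'''
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
    defaults-from $::ssl__parent \
    [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
    key $::ssl__key \
    cert $::ssl__cert \
    chain $::ssl__chain \
    [expr { $is_v13_1 ? "\}\}" : "" }] ]
'''

CREATE = re.compile(r"create\s+ltm\s+profile\s+client-ssl\b")
# key/cert/chain as an option name, not as part of $::ssl__key or cert-key-chain
FIELD = re.compile(r"(?<![\w-])(key|cert|chain)\s+\S")

def logical_lines(text):
    """Join backslash-continued lines; yield (first_line_no, statement)."""
    buf, start = [], None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        buf.append(line.strip().rstrip("\\").strip())
        if not line.rstrip().endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None

def find_legacy_client_ssl(text):
    """Return [(line_no, [options])] for creates using top-level key/cert/chain."""
    findings = []
    for no, stmt in logical_lines(text):
        if CREATE.search(stmt):
            head = stmt.split("cert-key-chain", 1)[0]  # text before any cert-key-chain block
            options = FIELD.findall(head)
            if options:
                findings.append((no, options))
    return findings

if __name__ == "__main__":
    for name, sample in (("LEGACY", LEGACY), ("WRAPPED", WRAPPED)):
        print(name, find_legacy_client_ssl(sample))
```

The scan only inspects text before the first `cert-key-chain` in each statement, so options placed after such a block are not reported.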