alanjohnson7467
Feb 02, 2022

TMOS 14.x.x iApp Templates

After recently upgrading part of our LTM environment to TMOS 14.1.4, I've discovered that our primarily used iApp template is now broken. The root issue is the implementation for client-ssl and cert/key/chain. My template is using deprecated commands. As such, attempting to reconfigure any iApp service created under this template fails.

Error Message: 01b4002b:3: Client SSL profile (/<partition>/<ssl_profile>): the profile has no RSA cert/key pair that can be modified. To add RSA cert/key, please use [cert-key-chain add]. (f5.com)

I was wondering if anyone had any suggestions on how I might modify our existing template to use the preferred cert-key-chain command. Here's a snippet:

#Creating new Client SSL Profile
set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl \
defaults-from $::ssl__parent \
key $::ssl__key \
cert $::ssl__cert \
chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] ]

I realize that legacy iApp is going away. My organization is working towards migrating to FAST, but we are a long way out from accomplishing that. So I'm needing a band-aid for our old template for the time being.

1 Reply

  • I was able to find a fix for my issues by using the following:

    set is_v13_1 [iapp_tmos_version >= 13.1]

    #Creating new Client SSL Profile
    set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl\
    defaults-from $::ssl__parent \
    [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
    key $::ssl__key \
    cert $::ssl__cert \
    chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
    [expr { $is_v13_1 ? "\}\}" : "" }] \ ]

    ...our full set of client SSL profile setup looks like this:

    set is_v13_1 [iapp_tmos_version >= 13.1]

    #################################
    # Client SSL Profile Setup
    #################################
    if { ([iapp_is ::application__ssl_option "bridge"]) || ([iapp_is ::application__ssl_option "offload"]) } {
        if { [iapp_is ::ssl__client_ssl_profile $::CREATE_NEW_ANSWER] } {
            #Creating new Client SSL Profile
            set client_ssl [iapp_conf create ltm profile client-ssl ${app}_c-ssl\
                defaults-from $::ssl__parent \
                [expr { $is_v13_1 ? "cert-key-chain add \{ default \{" : "" }] \
                key $::ssl__key \
                cert $::ssl__cert \
                chain [expr { [iapp_is ::ssl__chain $::DO_NOT_USE_ANSWER] ? "none" : $::ssl__chain }] \
                [expr { $is_v13_1 ? "\}\}" : "" }] \ ]
        } else {
            #Using existing Client SSL Profile
            set client_ssl $::ssl__client_ssl_profile
        }
    } else {
        set client_ssl "none"
    }
    if { $client_ssl == "none" } {
        set vs_clientssl " "
    } else {
        set vs_clientssl "$client_ssl \{ context clientside \} "