TMOS (1490 Topics)

Verify change in behavior for (major) software updates
Dear all, I can remember there was a cool feature within iHealth, where you could perform some kind of simulation for a software update and the output was telling you which of your configuration items needs to be adjusted before/after the change and where there is a change in behavior. This was removed, I think, already several years ago 😞 Therefore my question: is there something similar available, or what's the latest recommendation from F5 for a major software update (e.g. from 13.1.5 to 16.x) to check any "conflicts" with the existing configuration? Thank you! Regards Stefan 🙂

Run mkdir over iControl REST for disappearing /var/config/rest/downloads/tmp
Hello, I am currently writing the code for automating our SSL cert deployment, among other things. I upload files to the BIG-IP device to shared/file-transfer/uploads/. This only works when the directory /var/config/rest/downloads/tmp exists. I noticed this is periodically removed again. Is there a way I can run an mkdir over REST to fix this? Regards

Trouble with Smart Card Login to the F5 Web Management UI
I've read https://devcentral.f5.com/questions/smart-card-login-to-f5-web-management and https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-12-0-0/6.html but I'm having trouble getting smart cards to work to log in to the web management console of the F5 itself. We are an Active Directory shop (2012), and if we need to tweak our Smart Card certs for this, we can.

I can get the management site to verify the client cert, but no authentication happens--you just land at the login page (where you can enter name/password, and it successfully authenticates, but that defeats the purpose).

I've uploaded our internal root CA certificate to the Apache Certificates store, and configured httpd as follows (note: the GUI for the cert-LDAP piece ALWAYS turns on OCSP checking, regardless of the setting--this is really annoying):

    sys httpd {
        auth-pam-idle-timeout 1800
        log-level debug
        ssl-ca-cert-file /Common/InternaCA-cert
        ssl-ciphersuite DEFAULT:!3DES:!LOW:!MD5:!EXPORT
        ssl-verify-client require
        ssl-verify-depth 20
    }

And then I have tried several variations on the following (the subject of our Smart Card certs is the DistinguishedName, and we have the userPrincipalName in the subject alternate name--these accounts don't have email addresses). The accounts/domains are sanitized in the code below:

    auth cert-ldap system-auth {
        bind-dn "CN=LDAP Runner,OU=Other,OU=Users-Internal,DC=contoso,DC=com"
        bind-pw BINDPASSWORD
        check-roles-group enabled
        debug enabled
        login-attribute sAMAccountName
        login-name userPrincipalName
        search-base-dn OU=Users-Internal,DC=Contoso,DC=com
        servers { dc8.contoso.com }
        ssl-cname-field san-other
        ssl-cname-otheroid 1.3.6.1.4.1.311.20.2.3
        sso on
    }

I've tried combinations of the CN and OID for the UPN. Watching the tcpdump traffic, I can see that there's no LDAP traffic at all (unless you enter the user name and password in the forms).

The httpd logs aren't showing anything that seems useful, though lots and lots of:

    Sep 23 18:04:30 F502EU err httpd[21790]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure

Which corresponds to lots and lots of:

    Sep 23 19:10:19 F502EU err httpd[22289]: [error] [client 127.0.0.1] AUTHCACHE PAM: user 'admin' - not authenticated: Authentication failure
    Sep 23 19:10:19 F502EU info httpd(pam_audit)[22289]: User=admin tty=(unknown) host=127.0.0.1 failed to login after 1 attempts (start="Fri Sep 23 19:10:17 2016" end="Fri Sep 23 19:10:19 2016").

What am I missing?

ltm profile client-ssl: Show all custom profiles in all partitions
I need to update the intermediate CA cert on many custom (non-system default) client SSL profiles across many partitions. Each partition has many client SSL profiles (in addition to the default system profile). I need to get a list of all of them so that I can modify the name of the intermediate cert, then, using the CLI, enter that updated config back into the BIG-IP LTM. Is there a way to show the config for all of the custom built client SSL profiles in all partitions, or at least in a given partition, like the output format shown below for the system profile?

    # show running-config ltm profile client-ssl all
    ltm profile client-ssl crypto-server-default-clientssl {
        app-service none
        cache-size 0
        cert default.crt
        cert-key-chain {
            default {
                cert default.crt
                key default.key
            }
        }
        chain none
        cipher-group none
        ciphers DHE-RSA-AES256-GCM-SHA384
        defaults-from clientssl
        inherit-ca-certkeychain false
        inherit-certkeychain true
        key default.key
        passphrase none
        renegotiate-period 21600
    }

BIG-IP use of "Network > DNS Resolver"
Hi guys, I have been searching for a long time now to find a useful description of the DNS resolver feature in the BIG-IP (no, I'm not talking about DNS a.k.a. GTM). The feature can be found in "Network > DNS Resolver". The configuration is pretty straightforward, but unfortunately it seems that there is no documentation for this feature. I wasn't able to find anything useful. The only article on DevCentral talking about this functionality was https://devcentral.f5.com/questions/how-does-network-gt-gt-dns-resolver-work-47805, but the description is not really satisfying.

My questions are:

* What is the feature used for? (I know that there are some modules that rely on a configured DNS resolver)
* Why do we need this?
* Is there a list of modules which already use the DNS resolver feature instead of the DNS system configuration?
* Is there any documentation, not talking about the DNS module, related to the DNS resolver?

I appreciate any answers or discussions. Best regards, svs

F5 and SafeNet HSM integration
As the F5 doc suggests, we can use fipskey.nethsm to create a key/CSR/certificate as below:

    Generating a key/certificate using the fipskey.nethsm utility

    Before you generate a key/certificate, make sure that the SafeNet Luna SA client is running on the BIG-IP® system. You can use the fipskey.nethsm utility to generate private keys and self-signed certificates on the BIG-IP system.

    Display the available options.
        fipskey.nethsm --help
    Generate the key, using any options you need.
        fipskey.nethsm --genkey -o
    This example generates the three files that follow:
        fipskey.nethsm --genkey -o siterequest
        /config/ssl/ssl.key/siterequest.key
        /config/ssl/ssl.csr/siterequest.csr
        /config/ssl/ssl.crt/siterequest.crt
    The key is saved in /config/ssl/ssl.key/.key. The certificate request is saved in /config/ssl/ssl.csr/.csr. The self-signed certificate is saved in /config/ssl/ssl.crt/.crt.

    After you generate keys and certificates, you need to add the local key to the BIG-IP configuration using tmsh. The local key points to the HSM key, which resides in the HSM.

I am a bit confused with the above. My question is: is "siterequest.key" the local key which is used by F5 LTM to access the real private key stored on the HSM?

APM Policy to auto-connect VPN and then open webtop
Hello Devs! I'm trying to design a policy where a client would auto-connect to the VPN and the webtop, with the internal app links, would not have the VPN link. Let me show an image:

I was able to configure the auto-connect part, but the "Corporate VPN" link is still showing on the webtop. I wish it was gone/hidden. My policy is as follows:

This policy is of type SSL-VPN. I tested it as type "All" and with this configuration:

The configuration inside the "landing page" is as follows:

Any thoughts? I just want to auto-connect to the VPN and show only the "Portal Green" icon. Corporate VPN should be hidden (or not even there). Thanks! Rafael

TLS record layer version
Dears, as mentioned in the article https://support.f5.com/csp/article/K53037818, TLS servers compliant with the TLS 1.2 specification must accept any value as the record layer version number for the ClientHello. It also mentions that "When you encounter issues with SSL handshakes failing due to the record layer version in the ClientHello message, you should first review the configuration on the TLS server." As of now, we would like to know where we can see the configuration of the TLS record layer version in the F5 Client SSL Profile. Thanks in advance. Mohammed Shiraz