Upload SSL certificate/key via REST API
Hello All, Looking to see if anyone knows of a method of uploading certs and keys to a BIGIP unit, using a method similar to the following example, but using REST instead of the SOAP API. Example: puts bigip["Management.KeyCertificate"].certificate_import_from_pem('MANAGEMENT_MODE_DEFAULT', [ cert['cert_name'] ], [ File.open(cert['cert_file']).read ], true) puts bigip["Management.KeyCertificate"].key_import_from_pem('MANAGEMENT_MODE_DEFAULT', [ cert['cert_name'] ], [ File.open(cert['key_file']).read ], true) Thanks!
iControl REST Python Requests module
While iControl REST is great and pretty robust given how much we use it. But I come to the forum today to see if anyone has any experience with the Python requests module and the underlying urllib3 module. When I do have problems with iControl its often with things like the following: Here I've increased the timeout to 5.0 seconds but still get read timeouts. HTTPSConnectionPool(host='redacted', port=443): Read timed out. (read timeout=5.0) I also often see this message and, no I don't have a proxy in front of the F5. However, I know the the F5 proxies the REST call (Caused by ProxyError('Cannot connect to proxy.', OSError('Tunnel connection failed: 503 Service Unavailable', Thanks!
Extract content of Certificate key file with REST or Ansible
Hi Community, I'm working on an automation for renewing Certificates on multiple BIG-IP's using Ansible. As not all available Ansible F5 modules provide what is required, I'm currently using a mix of modules and REST calls (which is call from Ansible). F5 Module Index What works so far is: Create new CSR/Key on BIG-IP Get new "CA based" Cert and upload to the BIG-IP Upload the same Cert to other BIG-IP's Update SSL profiles on multiple BIG-IP's and some others tasks, like irules..etc Anyhow, what doesnt work so far is to get the content of the key which was created on the first device together with the CSR. Basically I dont have the key which needs to be uploaded to the other BIG-IP's as well. From the CLI, the following gives me what I need: cat/config/filestore/files_d/Common_d/certificate_key_d/*name.key* The problem with this is, I cant integrate it in Ansible using the bigip_command – Run TMSH and BASH commands on F5 devices module. Looks like only tmsh commands are supported even though it states BASH as well. Plus I try to avoid using this module whenever possible in a first place. Through the GUI, simple export and import on an other device - done, but obviously not automated. I have tried all possible Ansible modules as well as REST calls, but dont get the content out of the .key file. I thought that this would/should be a simple tasks. If anyone's done this using any approach please share. I could create a new key and get a cert for each device, but first try to find out if there's another way. Thanks in advance, Stefan
Partition description misbehaviour API vs GUI
Hello, we noticed strange environment with partition description on v14.1.4. I create partition with command POST https://10.10.10.10/mgmt/tm/auth/partition/ {"name":"partitiondescr","description":"neco"} I get expected response: { "kind":"tm:auth:partition:partitionstate", "name":"partitiondescr", "fullPath":"partitiondescr", "generation":3531, "selfLink":"https://localhost/mgmt/tm/auth/partition/partitiondescr?ver=14.1.4", "defaultRouteDomain":0, "description":"neco" } BUT I cannot see the description in GUI: Seems like Description in GUI is defined somewhere else than "description" in API JSON structure. Any change through API is not visible in GUI and vice versa. Do you know where I could find API key-value pair for partition description? Thank you, Zdenek
Eventd.xml file changes its enabled value from <enabled>1</enabled> to <enabled>0</enabled>
When there is a change that triggers a notification, the value of enabled changes from 1 to 0. When I edit the enabled value to 1 and restart eventd daemon - It remains same. But after triggering a change that will trigger an event, immediately the value changes to 0. Kindly advice. NOte : This set up is used by Appviewx to receive notification events.iControl soap
Hi! Trying to import a key/certificate with the iControl SOAP powershell snapin, but I get these errors: Exception calling "key_import_from_pem_v2" with "6" argument(s): "Exception caught in Management::urn:iControl:Management/KeyCertificate::key_import_from_pem_v2() Exception: Common::OperationFailed primary_error_code : -14 (0xFFFFFFF2) secondary_error_code : 0 error_string : Keys do not match" At C:\Scripts\LetsencryptQA\letsencrypt1.1.ps1:418 char:90 + ... rt_from_pem_v2($ManagementModetype, @($KeyName), @($StringPem), $Secu ... + ~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : SoapHeaderException And for the certificate Exception calling "certificate_import_from_pem" with "4" argument(s): "Exception caught in Management::urn:iControl:Management/KeyCertificate::certificate_import_from_pem() Exception: Common::OperationFailed primary_error_code : -14 (0xFFFFFFF2) secondary_error_code : 0 error_string : Keys do not match" At C:\Scripts\LetsencryptQA\letsencrypt1.1.ps1:441 char:103 + ... om_pem($ManagementModetype, @($CertificateName), @($StringPem), $true ... + ~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [], MethodInvocationException + FullyQualifiedErrorId : SoapHeaderException ` **Importing the key with another name works though**, which would indicate that the key exists somewhere. However: `list sys file ssl-key | grep name Nothing list sys file ssl-cert | grep name Nothing ls -alR | grep name Nothing And nothing in the GUI certificate list under any partition. I have also: Done a mcpd reload and restarted the device. Manually imported the certificate and key in the Web UI (works, but then I can t reproduce the error) Any clever ideas? /Patrik
F5 LTM customized Packet cloning
Hello every body I have an application using SMPP, SMPP is TCP based protocol and it establish sessions to send traffic, SMPP has unique command IDs to Establish session and tear them up, below image is simple protocol flow: In below example in packet 8 in attached tcpdump, you will see under SMPP (Short Message Peer to Peer) layer a command ID: 0x00000009 which represent bind command (establish a connection/SMPP session). What I need to similar to customized clone pool concept but on pool member level and on certain condition, I need an iRule or may be an iCall procedure to check for SMPP bind command by scanning packet PDU, similar example is below: https://devcentral.f5.com/questions/balancing-smpp-traffic-based-on-recipient-address when CLIENT_ACCEPTED { set s_seq_idx 1 set first_bind_resp 1 set smsc1 set smsc2 TCP::collect } when CLIENT_DATA { while { [TCP::payload length] > 16 } { binary scan [TCP::payload] IH8IIa* len oper status seq p if { [TCP::payload length] < $len &&} // We need here to add check for bind command id as well { TCP::collect $len return } My challenge is to replicate SMPP bind packet to all available pool members in certain pool 😃 , Once SMPP Bind packet is replicated, as result we will get established SMPP sessions with all available pool members, and F5 LTM then will be able to load-balance other incoming traffic with all pool members as far as connection is established. If concept is OK, the rest is not challenging as we need to consider other bind command IDs to be replicated (0x00000001, 0x00000002 and 0x00000009), and of course we need to replicate unbind as well 0x00000006 if possible. Thank you so much in advance. Sincerely, SAMBIG-IP : iControl : LocalLBDataGroupFile.set_local_path() : swap large file under load
F5 BIG-IP v11.4.1 (Build 635.0) LTM on ESXi I have a .NET C app that uses iControl to perform following sequence : • transfer data-file to staging location on BIG-IP device • recache data-group with contents of this data-file The specific iControl API used for the recache is : LocalLBDataGroupFile.set_local_path() This operation has been 100% consistently successful in non-prod environments with very low traffic to perform data-group-file updates of up to 2M records. Non-prod config : single stand-alone device ( no HA pair ). The operation has also been 100% consistently successful in prod environments with high traffic to update a non-live data-group-file up to 300K records. Prod config : HA pair consisting of 2-node sync-failover device-group with auto-sync disabled. NOTE: By "live data-group-file" I mean an enabled virtual-server has an assigned iRule that references the data-group ( performs matches against data-group maps ). By "non-live data-group-file" I mean that the data-group exists but either is not referenced by any iRules, or iRules that reference it currently are not assigned to any enabled virtual-server. Here is where the problem occurs : When the operation is run in prod environments with high traffic (40-60% baseline cpu utilization, 200-400 Mbps baseline throughput) to update a live data-group-file ( 100K+ records ) the iRule fails. Exactly how the iRule fails is unknown and currently is under investigation by F5 Support, however here are some data-points : • the file-transfer and data-group recache iControl calls return success to the C caller • requests that the iRule normally conditionally rewrites to various backend pools no longer arrive at those servers • BIG-IP logs contain zero errors related to either the iControl operation of the iRule • public client requests that should be processed by the iRule display generic Akamai 500 error-pages NOTE: I have a test that removes Akamai from the equation, but have not yet had an opportunity to run it. My understanding is that LocalLBDataGroupFile.set_local_path() was re-designed/coded for 11.4 and was lab-tested up to 1M records. However, I wonder if any testing was performed in an environment with significant load ? Through trial-and-error I discovered the following workaround (for an HA pair only) : • create a/b pair of data-groups and corresponding set of a/b iRules that are identical except that "a" iRule references "a" data-group, and "b" iRule references "b" data-group • on active node, initially configure virtual-server to use "a" iRule • use C application to update "b" data-group-file ( NOTE: possibly this could also be accomplished via the admin browser, but above 100K records the time-lags and potential impact on prod operations become concerning. ) • if now swap-in "b" iRule to virtual-server ( effectively swapping-in "b" data-group ) the irule will begin to behave strangely (requests swallowed and never routed to backend pool although no errors present in LTM logs) • however, the following "trick" seems to work : sync active to standby promote standby to active on new active, swap-in "b" iRule to the virtual-server reboot new standby* sync new active to new standby Somehow the sync operation "cures" the issues induced by swapping the live iRule to point to a just-updated data-group. So in summary it seems that for a high-load environment attempting to swap new contents into a live data-group somehow induces a failure-case for iRule lookups against that data-group. The failure symptoms are identical both for the technique of re-caching the live data-group with new contents ( iControl API LocalLBDataGroupFile.set_local_path() ), and for the iRule a/b swap technique. However, an active-to-standby sync operation seems to "cure" whatever bad-state the data-group has been put into. Can anyone provide insights as to why swapping-in new contents to a large data-group-file associated with an iRule assigned to a VIP under heavy load would cause iRule data-group lookup failures ?
Creating and managing priority groups with iControl
I am attempting to configure a special load balancing strategy that will be based on priority groups. Essentially I want my pool of n-nodes to have 2 priority groups (PGs): blue and green. Each PG has n/2 pool members in it (hence if the pool has 10 nodes, 5 are in the "blue" PG and 5 are in the "green" PG). At any given time, one of the two PGs will have a higher priority (blue or green). I simply want the PG with the higher priority to be served traffic (and, within the PG, all nodes being round robined). Hence, if the blue PG has a priority value of, say, 4, and green's value is 2, then F5 should only serve traffic to the blue PG nodes, and should round robin within that PG. If the priorities/values for the PGs are swapped, and now green's value is 4 and blue's value is 2, now only the green nodes are served traffic, and in round robin fashion. Etc. To do this I need to: Programmatically create the blue/green PGs in the first place Programmatically set the priorities of each PG (say, initialize blue to 4 and green to 2) Programmatically get the priorities of each PG I found this article which I believe helps me accomplish the last two items (except I do have a question about it), but am still at a loss as to how to programmatically create PGs and assign nodes to them. So I ask: * What iControl API methods do I engage to create PGs and assign nodes to them? * If LocalLBPool.set_member_priority is what I need to set PG priorities, I'm confused about the args I should be passing into it. I would have expected the argument to take the name of the PG to set the priority for. Instead it takes a list of pool names, and respective nodes and priorities to set within those pools. This leads me to believe that PGs are more of a UI construct (in the F5 web app), and that the iControl API just sets priorities individually. Any thoughts/ideas about my questions?
