Overwriting or adding LTM SSL Traffic cert and key using iControlREST
Hi, I am trying to overwrite an existing cert and key within the LTM SSL Traffic cert and key using iControlREST. Here is the basic process, and result of each step. Upload key and cert PEM files to the uploads directory. I have tried this step both inside and outside of a transaction with the same result. This works fine. Create a transaction using the transaction REST endpoint. This works fine. Add a command to install the key over the desired SSL Traffic key referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands. Add a command to install the key over the desired SSL Traffic cert referencing the local path from step 1 with the transaction id in the header. The command is set to install and from-local-file. Successfully added to the transaction commands. Get the transaction commands just to observe the contents. The commands are present, and the paths are correct per steps 3 & 4 above. Attempt to commit the transaction, and receive the failure with a message like the one below. message=transaction failed:01070712:3: file (/var/system/tmp/tmsh/GexeqO/IIS-F5v13.key) expected to exist. As you can see, F5 is looking in a different directory than specified in steps 3 & 4. I've closely examined all requests and responses using Fiddler, and there's no way to determine the randomly generated sub directory name ('GexeqO' in this particular case). It is different each transaction. Also note, this happens even when not overwriting existing entries. But I am using a transaction so that I don't get the 'key and certificate do not match' message. Any insights would be tremendously helpful. Best, Gary
How BIG-IP Token/Authentication works ?
I'm unable to find anywhere here/documentation/articles anyone that could explain a little bit better the authentication token when you get the response from the Rest. I'm sending the POST to the Rest, and the Rest is returning the Authentication. Here is an example: token : AD2GKZPXKVTE4WKJEQUZTIPOM3 name : AD2GKZPXKVTE4WKJEQUZTIPOM3 userName : admin authProviderName : tmos user : ... groupReferences : ... timeout : 1200 startTime : 2016-07-22T09:24:11.808-0500 address : 10.10.10.10 partition : [All] generation : 1 lastUpdateMicros : 1469197451807722 expirationMicros : 1469198651808000 kind : shared:authz:tokens:authtokenitemstate selfLink : https://localhost/mgmt/shared/authz/tokens/AD2GKZPXKVTE4WKJEQUZTIPOM3 Does anyone knows what is "lastUpdateMicros", "ExpirationMicros" and what is Timeout actually means ? I'm having several issues in my scripts when I call the Rest and the call just fail. If I try to get a new token the call works. I wonder if could be due the token is expired after is used once. Will the token expire only after 1200 seconds or that is not true ?
How to efficiently delete a node from LTM?
Hi, I am trying to delete a node from F5 LTM as part of our decommission process. I cannot delete a node until I remove all pool members that refer to it. The only way I know how to get pool members is to get all pools and then, for each pool, get members, and see if the IP address of a member matches. With thousands of pools we have this takes thousands of web requests. It is seriously slow even on local network but if I try to do it to our LB on another continent over 160ms round-trip link, it literally takes 15+minutes. So, is there more efficient way to delete a node? Maybe get a list of all back-references to a node? Or a list of all members of all pools in one shot? Or something else I did not think about? I am not even trying to tackle nodes used in iRules and other non-pool objects at this time (though it would be cool). I did try to delete node first and parse a 400 response but: - response only has one pool out of possibly many. - the name of the pool in response is within an arbitrary text "message" string. This string is already different between 11.4 and 11.5, and, since it is not part of API, can change at any hotfix.
iControl REST curl command to create VLAN
If you have a CURL command to create a VLAN using iControl REST which has a name, tag, and an interface assigned, can you please post it here? Here's a sample of what i'm looking for for a self IP create: curl -sk -u admin:admin https://10.0.0.20/mgmt/tm/net/self/ -H 'Content-Type: application/json' -X POST -d '{"name":"self3","address":"10.1.0.26/24","vlan":"external"}'"Ordinal" Refers to Policy Rule ID?
In the iControl Rest API, what sets the policy rule ID, is it the ordinal? I'm trying to sort the list of policies, for each new policy created that is in the last list. curl -k -X POST \ -u "${USER}:${PASS}" \ "https://bipteste/mgmt/tm/ltm/policy/~Common~Drafts~Teste_Bruno/rules" \ -H 'Accept: */*' \ -H 'Content-Type: application/json' \ -d '{ "name":"svc_teste4", "description":"teste","ordinal":0 }' I defined that svc_teste4 would be the first one on the list, but he was in the penultimate
Eventd.xml file changes its enabled value from <enabled>1</enabled> to <enabled>0</enabled>
When there is a change that triggers a notification, the value of enabled changes from 1 to 0. When I edit the enabled value to 1 and restart eventd daemon - It remains same. But after triggering a change that will trigger an event, immediately the value changes to 0. Kindly advice. NOte : This set up is used by Appviewx to receive notification events.Object path for list of partitions in python SDK
Hi all, I'm trying to get the list of partitions of a BigIP using the f5-Python-SDK. In tmsh, the objects are located under auth/partition, so e.g. "tmsh list auth partition" will list the according configuration. This is also reflected in iControl REST. Using curl, I can get that list of partitions by using the path /mgmt/tm/auth/partition as follows: $ curl -sk -u admin:xxxxxxxxxxxx https://my_bigip/mgmt/tm/auth/partition | python -mjson.tool { "items": [ { "defaultRouteDomain": 0, "description": "Repository for system objects and shared objects.", "fullPath": "Common", "generation": 1, "kind": "tm:auth:partition:partitionstate", "name": "Common", "selfLink": "https://localhost/mgmt/tm/auth/partition/Common?ver=11.6.0" }, { "defaultRouteDomain": 123, "fullPath": "my_partition1", "generation": 1, "kind": "tm:auth:partition:partitionstate", "name": "my_partition1", "selfLink": "https://localhost/mgmt/tm/auth/partition/my_partition1?ver=11.6.0" }, { "defaultRouteDomain": 456, "fullPath": "my_partition2", "generation": 1, "kind": "tm:auth:partition:partitionstate", "name": "my_partition2", "selfLink": "https://localhost/mgmt/tm/auth/partition/my_partition1?ver=11.6.0" }, ], "kind": "tm:auth:partition:partitioncollectionstate", "selfLink": "https://localhost/mgmt/tm/auth/partition?ver=11.6.0" } However, when trying to adopt that using the python SDK, I do not get the same results: >>> from f5.bigip import BigIP >>> session = BigIP('1.2.3.4', 'admin', 'xxxxxxxxxxxx') >>> for partition in session.auth.partitions.get_collection(): ... print partition.name ... Traceback (most recent call last): File "", line 1, in File "/usr/local/lib/python2.7/dist-packages/f5_sdk-0.1.5-py2.7.egg/f5/bigip/mixins.py", line 82, in __getattr__ raise AttributeError(error_message) AttributeError: '' object has no attribute 'auth' So, .auth.partitions (or .auth generally) does not seem to be the right entry point. Does anybody know: if there is a comprehensive list of mappings of tmsh / iControl REST / python SDK paths? whether the whole auth tree is still missing in the python modules and will be added later? what is the right way to get a list of partitions using the f5-python-SDK? Any help is appreciated. Many thanks in advance! Best regards Martin
