unable to verify the first certificate with node.js
I am trying to read a datagroup using node.js and am receiving the message "unable to verify the first certificate". I have confirmed the command manually with curl and it does return the datagroup as expected: curl -sk -uadmin:admin -v https://127.0.0.1/mgmt/tm/ltm/data-group/internal/~acc~dgroup result: …"records":[{"name":"test","data":"test"}] f5_data_group.js has the following var bigip = new iControl({ host: '127.0.0.1', proto: 'https', port: '443', username: 'admin', pass: 'admin', strict: 'false', debug: 'true' }); var dgPath = '/ltm/data-group/internal/~acc~dgroup'; exports.getDataGroup = function(callback) { bigip.list(dgPath, function(err, res) { console.log( 'bigip.list dgPath:',dgPath,'err:',err); callback(res); }); }; Console.log is giving the following message: plugin[/acc/f5_mfa_plugin.f5_mfa_extension] bigip.list dgPath: /ltm/data-group/internal/~acc~dgroup err: { [Error: unable to verify the first certificate] code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' } I assume it might have to do with using self signed certificate on the big-ip however strict is set to false above. Any suggestions? APM 12.1.2
IRULE DEVELOPMENT COURSE
Hi FOLKS , How good is the irule development course ? should I consider taking 3-day class training or there are other resource over internet or any book from F5 I should consider ? Also , is it worth deep diving with irule which uses TCL scripting as oppose to irule-LX which is java based ? I believe this is the roadway F5 now considering for future by using irule LX . Please advise ! Thanks
NPM Package Installation Error
Hi everyone! I wanted to ask about an error which I have encountered. It has to something with file system being only read - only. I have shared the error below. Anyone kind of help will be highly appreciated. npm ERR! Linux 3.10.0-514.26.2.el7.ve.x86_64 npm ERR! argv "/usr/bin/node" "/usr/bin/.npm__" "install" "-g" "feo" "--save" npm ERR! node v6.9.1 npm ERR! npm v3.10.8 npm ERR! path /usr/lib/node_modules npm ERR! code EROFS npm ERR! errno -30 npm ERR! syscall access npm ERR! rofs EROFS: read-only file system, access '/usr/lib/node_modules' npm ERR! rofs This is most likely not a problem with npm itself npm ERR! rofs and is related to the file system being read-only. npm ERR! rofs npm ERR! rofs Often virtualized file systems, or other file systems npm ERR! rofs that don't support symlinks, give this error. npm ERR! Please include the following file with any support request: npm ERR! /var/ilx/workspaces/Common/ilxws_Demo/extensions/ilxex_Demo/npm-debug.log
How to update data-group using iRules LX
I created the following code with iRules LX. The code does not work properly. The log is output up to "console.log('getDataGroup start');". Does anyone know how to check if icontrol is successfully connecting to BIG-IP? List() of iControl doesn't seem to work properly. iRule --------------------------------------------- when ACCESS_POLICY_AGENT_EVENT { switch [ACCESS::policy agent_id] { .... .... "add_user" { set ilx_handle [ILX::init "f5_mfa_plugin" "f5_mfa_extension"] set user [ACCESS::session data get session.logon.last.username] set sec [ACCESS::session data get session.custom.otp.secret] log local0.info "INFO: f5_mfa.tcl - user:$user secret:$sec" if {[catch {set result [ILX::call $ilx_handle -timeout 10000 addUser $user $sec]} result]} { log local0.error "ERROR: f5_mfa.tcl - Client - [IP::client_addr], ILX failure: $result" return } log local0.info "user:$result" } } } iRuleLX: index.js --------------------------------------------- var f5 = require('f5-nodejs'); var User = require('./f5_user').User; var ilx = new f5.ILXServer(); ilx.listen(); ilx.addMethod('addUser', function(req,res) { console.log("START: addMethod", req.params()[0], req.params()[1]); var user = new User(req.params()[0]); user.secret = req.params()[1]; user.add(function(response) { res.reply(response); }); }); iRuleLX: user.js --------------------------------------------- var dg = require('./f5_data_group'); exports.User = function(name) { var self = this; self.name = name; self.enrolled = false; self.secret = ""; this.methods = {}; /** * add a user to the data group * * @return {Boolean} user added */ this.add = function(callback){ console.log('user.add start'); if(typeof this.secret === undefined) { console.error('you have to set a secret before calling add'); callback(false); } console.log(self.name, self.secret); dg.put(self.name, self.secret, function(status) { if(status) { self.enrolled = true; } callback(true); }); }; }; iRuleLX: f5_data_group.js --------------------------------------------- var iControl = require('icontrol'); var util = require('util'); // set API connection and authentication var bigip = new iControl({ host: '127.0.0.1', proto: 'https', port: '443', username: 'admin', pass: 'admin', strict: 'true', debug: 'true' }); var dgPath = '/ltm/data-group/internal/~Common~token_keys'; var exports = module.exports = {}; //ignore self signed certificate process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0"; bigip.strict = false; /** * return dta group * * @param {Function} callback */ exports.getDataGroup = function(callback) { console.log('getDataGroup start'); bigip.list(dgPath, function(err, res) { callback(res); }); }; /** * add key:data pair to the data group * * @param {String} key * @param {String} data * @param {Function} callback */ exports.put = function (key, data, callback) { console.log('put data-group key:', key, 'data:', data); exports.getDataGroup(function(res) { // add new user to the object stack // make sure the data group isn't empty if (typeof res.records !== 'undefined') { // make sure user doesn't already exist var isset = false; for(var record in res.records) { if(res.records[record].name == key) { // user exists, update secret res.records[record].data = data; isset = true; break; } } if(!isset) { // user doesn't exist, add them res.records.push({"name": key, "data": data}); } } else { res.records = [{"name": key, "data": data}]; } // populate the arguments for the http post args = { data: { records: res.records }, header: { "Content-Type": "application/json" } }; bigip.modify(dgPath, args, function(err, res) { callback(data); }); }); };
iRules LX for APM password reset
We are attempting to use APM as a Self-Service Password Reset resolution. I can modify Active Directory attributes than to this article https://devcentral.f5.com/s/articles/apm-cookbook-modify-ldap-attribute-values-using-iruleslx-21850 , however, has anyone used iRules LX to reset a password. I'll validate the user first with other methods but want to reset a forgotten password rather than the APM built-in Kerberos API reset with the current password to update to a new one. Thanks
iRule ReWrite - Inserting JSON Parameter into Request + Removing Same JSON Parameter from Response
Looking to leverage an iRule to Dynamically insert a JSON Parameter into an HTTP payload and then scrub it in the response back to the client. However, we want to inspect the Payload and only perform this action when a specific JSON Parameter value exsits. Example: When JSON Key/Value of "Animal": "Dog" exists, Dynamically insert new Parameter of "Color": "Brown". The server(pool member) would see this new parameter and act on it, but in the HTTP response to the client, the new parameter is not in the payload. Do iRules know how to handle and work with JSON specifically? Is an LX iRule going to be need to do this advanced rewrite? Thanks!HMAC Authentication using F5
We are trying to use the below iRule, as mentioned in the link https://devcentral.f5.com/codeshare/akamai-g20-header-authentication, which apparently is not working as the CRYTO::sign returns a hash which is a binary blob but the normal hashing outside is in string format HMAC generated using this link : https://www.freeformatter.com/hmac-generator.html The Implementation is that we send a Signature and data header to f5 and the signature header is generated (using the data sent + the URL of the request) with a secret key in client side. Once F5 gets these two headers, it should set the data header + path into a variable and sign it with HMAC SHA256 algo and the secret key present in F5. Then the hash sent by the client and the hash generated will be matched to see if they are the same. Else the request will be dropped. iRule: when HTTP_REQUEST { if {[HTTP::header exists "X-Akamai-G2O-Auth-Data"] && [HTTP::header exists "X-Akamai-G2O-Auth-Sign"]} { set secret_key "pass" log local0. "$secret_key" set data "[HTTP::header value "X-Akamai-G2O-Auth-Data"][HTTP::Path]" log local0. "$data" set signature "[HTTP::header value "X-Akamai-G2O-Auth-Sign"]" log local0. "$signature" set signed_data [CRYPTO::sign -alg hmac-sha256 -key $secret_key $data] log local0. "$signed_data" if { $signed_data eq $signature } { log local0. "Signatures match" } } }Irule to divert traffic - Not working
Can someone please review my code? rule jiradivertingtraffic{ when HTTP_REQUEST { log local0. "Request: [HTTP::host]" log local0. "Request: [HTTP::uri]" log local0. "Request: [HTTP::path]" if { [string tolower [HTTP::host]] equals "jiratest.corp.chartercom.com" } { if {[string tolower [HTTP::uri]] contains "/rest"} { pool JIRA-test-pool } } else { if { [string tolower [HTTP::host]] not equals "jiratest.corp.chartercom.com" } { if { [string tolower [HTTP::path]] equals "/login.jsp"} { pool JIRA-test-pool } } else { pool JIRA-test-external-pool } } } }
