SSL certificates Expiration
I run below SSL expiration certifiacate script on LTM with 11.x version ! /bin/bash set acceptable threshold in seconds (172800 seconds = 2 days) threshold=185920000 get today's date this_date= date +%s set path to certificates cert_path=/config/ssl/ssl.crt/ for f in $cert_path*.crt do this_cert_date_literal= openssl x509 -in $f -noout -enddate |sed s/notAfter=// this_cert_date= date -d "$this_cert_date_literal" +%s if [ $this_date -ge $(($this_cert_date - $threshold)) ] then expires_when=$(((this_cert_date - $this_date) / 60 / 60 / 24)) echo "$f is about to expire in $expires_when days" additional processing for expiring certs goes here fi done But get no output as such.Please suggest.
found error "bad option" while blocking specific user agent
Hi team, I got an error like following. Do you have any idea of this? TCL error: /Common/ua_block - bad option "--user-agent=mozilla/5.0 (x11; linux x86_64) applewebkit/537.36 (khtml, like gecko) chrome/32.0.1700.77 safari/537.36": must be -exact, -glob, -regexp, or -- while executing "switch -glob [string tolower [HTTP::header "User-Agent"]] { "sqlmap" - "havij" - "nmap" - "nessus" - "..." I think the case is like the case below... https://devcentral.f5.com/questions/switch-glob-behaviour-when-comparison-string-starts-with-a-hyphen The iRule is like following when HTTP_REQUEST { log local0. "User-Agent:[HTTP::header "User-Agent"]" switch -glob [string tolower [HTTP::header "User-Agent"]] { "*sqlmap*" - "*havij*" - "*nmap*" - "*nessus*" - "*absinthe*" - "*nikto*" - "*w3af*" - "*pangolin*" - "*bsqlbf*" - "*prog.customcrawler*" - "*sql power injector*" - "*mysqloit*" - "*netsparker*" { if { !([IP::addr [IP::client_addr] equals 192.168.XXX.XXX]) } { discard log local0. "[HTTP::header "User-Agent"] discarding." } } } } Thank you for your help.
iRule snippet insertion 11.5.1
Long story short I have an irule to insert some snippets in the HTTP response but instead of inserting the contents of the variables, it is just using the actual string text. The log output shows $y and $stream_expression values as @$head_token@$detection_snippet@ instead of the contents of those variables which check out fine in section 4. Section 5 is the problem area. Any advice would be much appreciated. Section 3: Identify Location Tokens set head_token "" End of section 3 Section 4: Identify Snippet iFiles set detection_snippet "[subst -nocommands -nobackslashes [ifile get Test_locdrive_js]]$head_token" set collection_snippet "[subst -nocommands -nobackslashes [ifile get Test_exout_js]]$head_token" set session_rst_snippet "[subst -nocommands -nobackslashes [ifile get Test_sessionrst_js]]$head_token" set uid_collect_snippet "[subst -nocommands -nobackslashes [ifile get Test_setdata_js]]$head_token" set perm_uid_snippet "[subst -nocommands -nobackslashes [ifile get Test_runvar_js]]$head_token" log local0. "Trusteer-assign snippet variables" log local0. "$head_token" log local0. "$detection_snippet" log local0. "$uri(1)" End of section 4 Section 5: Modify URL and Snippet Array array set snippet_insertion { "[subst $uri(1)]" @$head_token@$detection_snippet@ "[subst $uri(2)]" @$head_token@$uid_collect_snippet@@$head_token@$perm_uid_snippet@ } End of section 5 Do Not Modify foreach {x y} [array get snippet_insertion] { if {$loc == "[subst $x]"} { log local0. "$x" log local0. "$loc" log local0. "$y" set stream_expression $y log local0. "$stream_expression" STREAM::expression [subst $stream_expression] STREAM::enable log local0. "Trusteer enabling stream" } } } } End of 'Do Not Modify' Section End of iRule
Rewriting cache headers before they are used by BigIp
So I have a server behind BigIp that's pretty lame about letting me set cache headers... in short: I can't. So I'd like to try to set the cache headers using an iRule but have them applied before they go through the normal cache processing that BigIp can do. If the resource at http://server.com/foo.js?v=1 should be (it isn't, there's actually no cache-control header): Cache-Control: max-age=31557600, public Is it possible to create an iRule that would have the cache mechanisms currently available for caching content at the BigIp use that header, as well as apply it to any response it sends out?
need help creating an iRule
hi all, Hope you all doing well. Could someone help me with creating an iRule? I would like to create an iRule which will forward all http/https request to go to a URL. For example: abc.com www.abc.com http://abc.com etcc. will all go to https://www.abc.com Here's the current iRule i have but it's re-directing all traffic to https://abc.com . I need it all to go to https://www.abc.com instead. when HTTP_REQUEST { Check if the host starts with www. if {[string tolower [HTTP::host]] starts_with "www."}{ Redirect with the www. prefix removed to the same URI HTTP::redirect "https://[string range [HTTP::host] 4 end][HTTP::uri]" } } Thank you very much for your assistance, JTCan't open java applet component when connecting to the application through Load balancer F5
Hi We have one new building and the workstations are connected to our network. There is two systems that has java applet components that when clicked, it does not load the java applet. But when connecting to the application server node directly, these java applet components are opened. Al other buildings in other locations are working fine even through the current F5. Only this site has the issue !!! Our collegues checked for the workstation configurations and also bring one workstation to our IT department building and connected to same applications through the same F5, it Worked without any issues. I have one system for Oracle applications 12.1 that I enabled the java debugging console. The output showed exception network: Connecting http://hrms.domain.org:8080/ with proxy=DIRECT java.lang.InterruptedException at java.lang.Object.wait(Native Method) at sun.plugin2.message.Queue.waitForMessage(Unknown Source) at sun.plugin2.message.Pipe.receive(Unknown Source) at sun.plugin2.main.client.MessagePassingExecutionContext.doCookieOp(Unknown Source) at sun.plugin2.main.client.MessagePassingExecutionContext.getCookie(Unknown Source) at sun.plugin2.main.client.PluginCookieSelector.getCookieFromBrowser(Unknown Source) at com.sun.deploy.net.cookie.DeployCookieSelector.getCookieInfo(Unknown Source) at com.sun.deploy.net.cookie.DeployCookieSelector.get(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.setCookieHeader(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.writeRequests(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at com.sun.deploy.net.DownloadEngine.getJarFileWithoutCache(Unknown Source) at com.sun.deploy.net.DownloadEngine.downloadJarWithoutCache(Unknown Source) at sun.plugin.PluginURLJarFileCallBack$2.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source) at sun.net.www.protocol.jar.URLJarFile.retrieve(Unknown Source) at sun.net.www.protocol.jar.URLJarFile.getJarFile(Unknown Source) at sun.net.www.protocol.jar.JarFileFactory.get(Unknown Source) at sun.net.www.protocol.jar.JarURLConnection.connect(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(Unknown Source) at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader.getJarFile(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader.access$1000(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader$1.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at com.sun.deploy.security.DeployURLClassPath$JarLoader.ensureOpen(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$JarLoader.(Unknown Source) at com.sun.deploy.security.DeployURLClassPath$3.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source) at com.sun.deploy.security.DeployURLClassPath.getLoader(Unknown Source) at com.sun.deploy.security.DeployURLClassPath.getResource(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader$2.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at sun.plugin2.applet.Plugin2ClassLoader.findClassHelper(Unknown Source) at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source) at java.lang.ClassLoader.loadClass(Unknown Source) at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source) at sun.plugin2.applet.Plugin2Manager.createApplet(Unknown Source) at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source) at java.lang.Thread.run(Unknown Source) network: Cookie service is not available - use cache to determine "Cookie" network: Connecting http://hrms.domain.org:8080/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar with cookie "HRPROD=rClRylxIBeH_r2yj3qbDh_n8:S; BIGipServerPool-NDC-HRMS-8080=269161644.16415.0000; oracle.uix=0^^GMT+3:00^p" network: Downloading resource: http://hrms.domain.org:8080/OA_JAVA/oracle/apps/fnd/jar/fndewt.jar Content-Length: 2,241,848 Content-Encoding: null We are using BIG-IP 11.0.0 Build 8037.0 Final The issue only happen for that building, all other buildings connecting the same F5 are working fine without any issues. When opening the page directly from the application server, like http://node1.domain.org:8080 , the java applet is downloadable and can be displayed. Kindly advice Thank you C.Exchange 2010 SP3, iApp template 2012_04_06 and Big IP 11.4.1 Build 608.0 - EWS issue
As per subject, is this combination supported? When using APM and Outlook anywhere I am having the following problem: Dec 12 10:06:31 lhr4-lb-01 debug tmm3[9610]: 01490000:7: Enable ECA: select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010 -application_combined_https Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-applicat ion_combined_https) Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2 010-application_combined_https) Dec 12 10:06:31 lhr4-lb-01 debug tmm2[9610]: 01490000:7: Matches RPC Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid argument (/exchange/exchange-2010-application.app/exch_ntlm_exchange-2010-applicat ion_combined_https) Dec 12 10:06:31 lhr4-lb-01 err eca[7202]: 0162000e:3: Invalid metadata (select_ntlm:/exchange/exchange-2010-application.app/exch_ntlm_exchange-2 010-application_combined_https) Looking at this script block, is the object_name correctly formatted in the iApp template? Ntlm-auth requires a specially-named prefix to match a system irule. if { $key == "ntlm,ntlm-auth,combined_https" || $key == "ntlm,ntlm-auth,oa_https" || $key == "ntlm,ntlm-auth,edge" } { regsub ".app/exchange" $object_name \ ".app/exch_ntlm_${app}" object_name }
I need to know how we can alter the default behaviour of Icontrol api, when setting SSL configuration
Its very uncomfortable to use iControl api in an application which is installed in websphere. Reason being below code in Interfaces.java: //------------------------------------------------------------------- // Constructor //------------------------------------------------------------------- public Interfaces() { System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore"); XTrustProvider.install(); } public Interfaces(String hostname, String username, String password) { System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore"); XTrustProvider.install(); initialize(hostname, username, password); } public Interfaces(String hostname, long port, String username, String password) { System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore"); XTrustProvider.install(); initialize(hostname, port, username, password); } As you can see api automatically sets truststore path (System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");) , It alters default behavior of Websphere. We get following error: [9/19/13 10:47:27:638 MST] 00000022 SystemOut O ; nested exception is: java.net.SocketException: java.lang.Exception: Truststore file does not exist: /home/wsadmin/.keystore We have explicitly set keystore for websphere but still its looking into /home/wsadmin as this is getting set in interface. java. So in short is there any way to unset 'System.setProperty("javax.net.ssl.trustStore", System.getProperty("user.home") + "/.keystore");'
Load Balancing IBM VIPA
We are trying to load balance IBM VIPA hosts which are essentially already load balanced. Our intent is to locally load balance two or more VIPA hosts to create more redundancy and capacity and use GTM for global redundancy. My understanding of the VIPA configuration is that the VIPA address is a virtual IP address which is bound to one of two physical interfaces addresses. When it's bound to "A" interface and that fails, it binds itself to the "B" interface. In testing it appears to assume the MAC address of the physical interface in which it is bound and does not have it's own MAC. So when there is a failure, (I assume) it sends a gratuitous ARP and, after a 2-3 second blip, the client sessions are reconnected where they left off. This works as described with a router between the client and hosts. With a VIPA host behind an LTM, the same VIPA fail-over scenario causes the client connections to be reset and then they must create new connections which is not desirable for obvious reasons. There may be a simple answer to make this work with F5 but so far I haven't found it. So I'm wondering if anyone has done this before. If so, and you had the same issue, how did you resolve it?