Security Certificate Inventory and Management
Hello! Several years ago, I was tasked with oversight for our security certificate inventory and management after we encountered unintended outages because no change management was in place to insure everyone was on the same page. Our change management process is considerably better as we're using actual change requests instead email. 😃 Our previous security certificate inventory was a privately held spreadsheet by the person managing most of our certificate renewals and update. If our Nagios admin cannot configure an alert to check a cert, we're at risk of missing a certificate expiration. We have self signed certificates as well as certificates purchased from vendors. We're now relying on report from Nagios based on certificate checks configured by our Nagios admin. This data goes into Splunk and I receive a weekly report with certificate data. I'm using a MS Team channel that includes systems admins as well as database and application development resources. I alert the group when a certificate or certificates are expiring in 30 days. I've been told that no certificate renewals can be done more than 30 days prior to expiration. In short, I nag until someone submits a change request with a scheduled maintenance window to update the certificate(s) prior to expiration. Although our current process is much better than when I first became involved, improvement is needed so I'm asking for suggestions/recommendations. What security certificate inventory management solutions are you using? What are your security certificate management processes? Thank you! Jodi32Views0likes1CommentLog message code list?
SOL16197: Reviewing BIG-IP log files describes local traffic log message format as: Message code is split into: Message code: The code that is associated with the message. The code is comprised of the following sub-codes: Product Code: The first two hex digits form the product code. For example, 0x01 is the BIG-IP product code. Subset Code: The third and fourth hex digits are the subset code. For example, 0x2a is the subset code for LIBHAL. Message Number: The next four digits form the message number within a module. Severity Level: The last digit between the colon symbols is the severity level, with 0 being the highest severity level. Are the Product and Subset codes listed anywhere? Would help in processing log messages further in Splunk or similar tool.661Views0likes5CommentsUpload SSL certificate/key via REST API
Hello All, Looking to see if anyone knows of a method of uploading certs and keys to a BIGIP unit, using a method similar to the following example, but using REST instead of the SOAP API. Example: puts bigip["Management.KeyCertificate"].certificate_import_from_pem('MANAGEMENT_MODE_DEFAULT', [ cert['cert_name'] ], [ File.open(cert['cert_file']).read ], true) puts bigip["Management.KeyCertificate"].key_import_from_pem('MANAGEMENT_MODE_DEFAULT', [ cert['cert_name'] ], [ File.open(cert['key_file']).read ], true) Thanks!2.8KViews0likes10CommentsHow do I record the IP assigned to a client after login?
Hello, I need to record clients' IP address assigned by network access. I searched on Ask f5 it looks like that the variable "session.assigned.clientip" is what I need. So I tried to use an irule to get it but failed. Here is my irule: when ACCESS_SESSION_STARTED { set user [ACCESS::session data get "session.logon.last.username"] set client [IP::client_addr] set assignip [ACCESS::session data get "session.assigned.clientip"] log local0. "LOGON:$user login successful from $client, assigned $assignip" } I have tried other events like ACCESS_POLICY_AGENT_EVENT, ACCESS_POLICY_COMPLETED but haven't worked either. Does anyone know how can I log the clients' IP address assigned by network access. I will appreciate it!Solved1.3KViews0likes13CommentsDisplay LTM connections??
I am very new to F5 Big IP, mainly worked with Cisco CSMs and Citrix NetScaler load balancers in the past.....what I am trying to find is how to display what hosts are connected to a particular virtual server, what pool member it's getting routed to and what SNAT address the source is being assigned, etc. WHat I have is a pair of F5 Big IP 4200s set up in a HA configuration. Thanks for any help...JeffSolved14KViews0likes16CommentsHealth Monitors
Hi, I have created a health monitor with the following config: Interval 5 Timeout 16 Send String GET /test/test.jsp Receive String HTTP 1\.(0|1) 200 Reverse No Transparent No Alias address ALL Alias Service Port ALL But whne I go to add it to a specific node choosing NODE SPECIFIC I cannot see the monitor I created inside the list. Do I need to do anything else to make the monitor a node specific one? Thanks.762Views0likes16CommentsHow to add F5 vendor specific Radius attirbutes to Windows 2008 NPS to authorize external users to different roles
I am running bigip 11.4.1 on a 3900 that is licensed for LTM and ASM with client authentication. I am able to configure user authentication to a Windows NPS radius server and have all external users all get authenticated to the windows radius and authorized to the same default external user role. (This is purely for user login access to the BIG-IP managment interface via a browser). I would now like to create four new Windows user groups: F5-Admin, F5-resource-admin, F5-operator, F5-guest. The goal is to have the Windows NPS radius server return the F5 vendor specific attribute "F5-LTM-User-Role" with the appropriate values for the four roles I need. I have the document: "http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14324.html". It is not clear to me how to add the role attributes to windows 2008 NPS such that the new role attribute will be returned to the F5 after successful authentication. It is also not clear how to configure the F5 to then take the returned role attribute for the user and over-ride (ignore) the default external role setting. thank you for your help.1.8KViews0likes6Comments