rest
33 Topics

Running BASH commands via REST API
I am trying to run bash commands via the REST API but am getting an error. When trying to use the following syntax I am getting a 403 running with Admin authentication...

    GET: https://F5LTM/mgmt/tm/util/bash

Output:

    {"code":403,"message":"Operation is not allowed on component /util/bash.","errorStack":[]}

Does anyone know if this is possible, or have any syntax examples of how to run bash commands? I assume you need to submit a post request, but I am not sure how to structure the syntax in the body of the request and cannot find any examples.

4.9K Views | 1 like | 3 Comments

Create iRule REST error: Found invalid JSON body in the request
Greetings, I saw a few other forum posts about the same error but I was not able to figure out what is wrong with the command below:

    curl -sku admin:admin -H "Content-Type: application/json" -X POST https://sampleF5name.test.com/mgmt/tm/ltm/rule -d '{"name":"f5RESTSampleRule", "apiAnonymous":"when CLIENT_ACCEPTED {\n node 172.28.0.41 \n}" }'

I changed the admin credentials and F5 name to post here. When I run the following command, I get the following back:

    { "code": 400, "message": "Found invalid JSON body in the request.", "errorStack": [], "apiError": 1 }

I ran my JSON through a JSON validator and there were no issues with it, so my assumption is that I am passing something to the F5 that is not valid, but I am not sure what it is. We already have a few rules like this set up but they were created through the UI. Any help would be greatly appreciated! I assume I'm missing something simple here.

BIG-IP v15.1.5 (Build 0.0.10)

Solved | 2.7K Views | 1 like | 3 Comments

REST API access right
Hi all, We're running F5 LTM (version 14.1.4.x) and sorry for any newbie question. We're trying to perform some tasks through REST API to the LTM:

1. Check system status, e.g.

    curl -ks -H "Content-Type: application/json" -u admin:admin "https://192.168.1.1/mgmt/tm" -d "{\"command\":\"show\", \"utilCmdArgs\":\"-c 'cm failover-status'\"}"

2. Perform failover, e.g.

    curl -ks -H "Content-Type: application/json" -u admin:admin "https://192.168.1.1/mgmt/tm" -d "{\"command\":\"run\", \"utilCmdArgs\":\"-c 'sys failover standby'\"}"

We don't want to expose the admin password in any script, while an authentication token seems only valid for 10 hours at most and not suitable to be used in cronjobs. We created a user for this specific purpose with user role Resource Administrator who can perform the task through ssh or GUI. However, both commands can run as that specific user (testuser1) in tmsh interactively, but fail when running through curl with error:

    {"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/testuser1 resource=/mgmt/tm verb=POST uri:http://localhost:8100/mgmt/tm referrer:192.168.1.8 sender:192.168.1.8","referer":"192.168.1.8","restOperationId":2225072,"kind":":resterrorresponse"}

I'm afraid we've missed something or set this up based on a wrong concept... Would anyone please help?

Thanks and Rgds
/st wong

1.9K Views | 0 likes | 6 Comments

Getting active pool member connections using Python
If I want to see all of the client connections connecting to a pool member from the CLI I can do something like a "show sys connection ss-server-addr 1.2.3.4". I can also do this using Postman mapping to ";, but I cannot figure out how to do this via Python. Using Python if I try to connect to "bigip.sys.raw" I do not see a module called "connection" or anything similar. Does anyone know how, or have some sample code on how to accomplish this? Thanks!

1.6K Views | 0 likes | 10 Comments

Cert Invalid Parameter
I am getting a 400 response from the /mgmt/tm/sys/crypto/cert endpoint. The body I am passing is:

    {"command":"install","name":"testdomain","from-local-file":"/var/config/rest/downloads/testdomain.key"}

The file exists and if I remove the file, I get an error that the file could not be copied, so I think this actually is copying this file. The response body is:

    Key management library returned bad status: -4, Invalid Parameter

Any help would be really appreciated. I am following the instruction here, but I am using token auth: https://devcentral.f5.com/questions/upload-ssl-keys-certs-via-icontrol-rest-api

This could be related to the issue I am having with uploading files, I opened a question here: https://devcentral.f5.com/questions/unable-to-upload-file-through-icontrol-rest-interface-49232

Solved | 1K Views | 0 likes | 5 Comments

How to attach TCP profile for server/client individually via REST API?
Hi, I was trying to attach the TCP profile to a virtual server by REST API. But now what I only can do is to specify the context to "all", then call PATCH on /tm/ltm/virtual/VIRTUALNAME. The content is:

    {"ipProtocol":"tcp","profilesReference":{"items":[{"kind":null,"name":"VIRTUALNAME","partition":null,"fullPath":null,"generation":0,"selfLink":null,"context":"all"}]}}

"Context = all" means I am setting both the client and server side at the same time. But I would like to set them separately to two different profiles, so I tried context = clientside or context = serverside. Then an error like "Less than the required minimum number of profiles found on VIRTUALNAME: Exactly 1 of (UDP Profile (serverside), TCP Profile (serverside), SCTP Profile (serverside))" was returned.

Looks like when only setting the clientside/serverside profile, F5 will delete both profiles for clientside and serverside first, then update the user's profile. But at that time, the profile is only for server or client, the other part of the profile has been deleted in the previous step, which led to this error.

Could anyone help figure out if I am doing this in the incorrect way? Or if this might be a bug of setting TCP profiles? Heap thanks.

994 Views | 0 likes | 0 Comments

PowerShell - How to modify system iFile?
I use PowerShell to upload a text file containing a number of parameters that I want to use in an existing iRule. Through the web-gui I have already created an iFile named 'iFileApiKeys'. In PowerShell I use this procedure to upload the text file:

    $length = "0-" + ($fileContent.Length - 1) + "/" + $fileContent.Length
    $headers = @{ "Content-Range" = $length}
    $uploadResult = Invoke-WebRequest $URL -Method POST -Headers $headers -InFile $filePathPlusTextfile -ContentType "multipart/form-data" -TimeoutSec 20 -Credential $mycreds | ConvertFrom-Json
    Write-Host "Upload Result:"
    Write-Host $uploadResult

According to the 'uploadResult' the file ends up in the folder: 'var/config/rest/downloads/iFileApiKeys.txt' on my F5 LTM.

Using 'SuperPutty' I can via tmos (tmsh) modify the existing system iFile by executing:

    tmos> modify /sys file ifile iFileApiKeys source-path file:///var/config/rest/downloads/iFileApiKeys.txt

My problem is that I can't seem to find the correct PowerShell command to achieve the same result as the tmos (tmsh) command does. I want to use and actually think I should use:

    Invoke-Webrequest -Method Put

I've been trying to emulate an example taken from a Jason Rahm post on this site: https://devcentral.f5.com/articles/getting-started-with-icontrol-working-with-the-system-20592

Like this:

    $sysIfilePath = "/mgmt/tm/sys/file/ifile/iFileApiKeys"
    $sysPath = "https://" + $host_address + $sysIfilePath
    $updateresult = Invoke-WebRequest -Method Put -Uri $sysPath -Headers $headers -Credential $mycreds -Body $body

But this command fails unfortunately. My assumption is that I don't fill $headers and/or $body with the correct values.

When executing a GET for my sys iFile object the result is:

    {"kind":"tm:sys:file:ifile:ifilestate","name":"iFileApiKeys","fullPath":"iFileApiKeys","generation":10970077,"selfLink":"https://localhost/mgmt/tm/sys/file/ifile/iFileApiKeys?ver=13.1.0.2","checksum":"SHA1:878:52a261b5a113db5c9421a54e1e8b5685e7da7a4d","createTime":"2018-11-26T22:52:08Z","createdBy":"per.eriksson","lastUpdateTime":"2018-12-08T19:49:15Z","mode":33188,"revision":24,"size":878,"sourcePath":"file:///var/config/rest/downloads/iFileApiKeys.txt","updatedBy":"per.eriksson"}

Anyone out there that can point me in the right direction on how to update my sys iFile using PowerShell? Thank you!
/Per

899 Views | 0 likes | 2 Comments

APM SSO with Atlassian Jira, Confluence and Sharepoint
Hi, For one of our clients we are trying to realize a single sign on solution on our F5 for Atlassian Jira, Confluence, Stash and Sharepoint. To this end we have created a virtual server with an APM policy of type LTM-APM. All websites are published through one and the same Virtual Server. We filter host-headers (HTTP::host) in order to decide which backend server traffic needs to be forwarded to and use different SSO Configurations for connecting to the backend. In addition we used a community iRule to provide for Sharepoint-office integration SSO (as provided here: https://devcentral.f5.com/codeshare/apm-sharepoint-authentication) with some tweaks.

Although SSO works we're still struggling with issues that we've not yet been able to resolve and we think are related to the fact that especially Jira and Confluence are stateful HTML5 applications with ajax. This in combination with the fact that there is no integration between the F5 and the backend webservers. These problems are giving me a headache. I've already searched devcentral but have been unable to find a solution for our problems.

Amongst others the following problems are encountered:

When a logged on user is inactive for some time he runs into an APM session inactivity timeout (F5 side) and the session is deleted from the session table. This shouldn't be a problem in a normal situation, but the webapplication clientside does not signal the user that the session expired. Now when the user comes back again and clicks somewhere on the webpage 1 of 2 things may happen:

a. The user clicks a link which fires a javascript/ajax/restapi-call; this script may perform a call to the backend server, is blocked by the F5 and redirected to a login page in the background. For the user this means an unresponsive webapplication with a doughnut or an error on the screen (without the F5 in between the user would also get an 'error', but with a possibility to copy data that will be lost and a link to the logon page). For the user the webapplication is broken at this point.

b. The user clicks a link that will actively fire a redirect to the F5 login page. This is desirable behaviour from our point of view, but... In comes the next issue...

After a re-login via APM the user is redirected back to the landing-page that initiated the APM_SESSION_STARTED event. Because the webapplication fires all kinds of requests from the client to the server, more often than not this process erroneously redirects the user to some page belonging to the rest api or a javascript on the webserver. When redirected to javascript the user sees javascript, when to the rest api it's even more gibberish.

There are some other issues too but my post is getting too long I guess so I'll leave them for a different post.

We thought of several solutions but up until now none of them really seem to work satisfactorily:

- Javascript injection (something like this: https://devcentral.f5.com/questions/ltm-apm-session-expired-detection) to detect APM session timeout and actively redirect the user. This however would not solve incorrect redirect behaviour mentioned in my second statement; in addition Auto redirect on inactivity would eventually also timeout on the APM loginform after which the original landing page is no longer available;
- Auto logout on serverside; This is a problem however if user is still working in different browser-tab in another application and the application timing out redirects the user to the logon page, which in turn is being detected by the F5, hereby unintentionally killing the APM session altogether and requiring an 'active' user to re-login and potentially losing work;
- Redirect to a default page (for the second issue); this solution is not acceptable to our client;
- Sending heartbeats to always keep the session alive; this would however circumvent active security policies and therefore is not acceptable;
- Using Client Initiated forms based auth and only enable APM for login pages; this seems to work somewhat (inactivity timeout on the serverside provides for the desired behaviour), however, after the first login APM is never being hit again causing an inactivity timeout in no time.

The main goal is to provide a seamless SSO-experience for the users. Any thoughts to resolve these issues would really be appreciated.

Thanks, Mark

776 Views | 0 likes | 1 Comment