Forum Discussion

Curtis_Owings_2's avatar
Curtis_Owings_2
Icon for Nimbostratus rankNimbostratus
Jan 06, 2016
Solved

With the API, how might you find the SSL Profiles which are not assigned to any VIP?

From tmsh I can ltm.virtual> list and see... ltm virtual beta.riccweb.com { destination 170.40.168.7:https ip-protocol tcp mask 255.255.255.255 pool wdc-riccwstst-5005 profile...
BIG-IP
devops
iControlREST
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Jan 06, 2016

    I'm afraid the API does not make this easy as far as I know. I think I've come across this kind of situation before, and You will need to perform some rather tedious crunching. You also need to adopt a policy in your environment of naming your objects in a certain way that makes this possible.

    Here goes
    • Prefix all profiles with the name of their type. Example, client-SSL profiles will always be called 
      clientssl_foo
      , then when you want to find client-ssl profiles, you simply look for the profiles that have "clientssl_" in their names.
      • to enumerate all client-ssl profiles, you need 
        GET https://bigip/tm/ltm/profile/client-ssl
      • save this list of all client-ssl profiles in a suitable data structure
    • Enumerate all Virtual servers 
      • GET https://bigip/tm/ltm/virtual?expandSubcollections=true
      • The query parameter "expandsubcollections" adds some recursion, to keep you from having to issue too many repeated queries. Be careful though, for the size of response might be huge if you're dealing with a box with large configuration.
      • You will get al the profiles for each VIP under the Virtual result's items->[indexes]->profilesReference->items[indexes] (indexes indicate this is an array you iterate over)

    • Each of the items under 

      profilesReference
      is a profile, and you can simply check if the name contains "clientssl_"

      • if the name contains "client_ssl", then you can remove the item with this name from the earlier generated list of all clientssl profiles.

    • When you have iterated over all virtuals and their profiles, you know that whatever is left in your original list is the set of clientssl profiles that were not assigned.

    Footnote

    It may be a good idea for you to raise a formal support case and make a formal Request for Enhancement, so that future versions at least make this easier by adding some "type" annotations to profiles, and virtual servers -- or some other mechanism that negates the need for users to adopt a naming convention.

    A second way of doing this, that is not much better
    • Enumerate all client-ssl profiles (or whatever profile you wish)
      • save this list as list1
    • Enumerate all virtuals (with expandSubcollections)
    • for each virtual, check all listed profiles against list1, and eliminate any profiles that are found.
    • repeat for each virtual until all virtuals examined, or list1 is empty.
BinaryCanary_19's avatar
BinaryCanary_19
Historic F5 Account

I'm afraid the API does not make this easy as far as I know. I think I've come across this kind of situation before, and You will need to perform some rather tedious crunching. You also need to adopt a policy in your environment of naming your objects in a certain way that makes this possible.

Here goes
  • Prefix all profiles with the name of their type. Example, client-SSL profiles will always be called 
    clientssl_foo
    , then when you want to find client-ssl profiles, you simply look for the profiles that have "clientssl_" in their names.
    • to enumerate all client-ssl profiles, you need 
      GET https://bigip/tm/ltm/profile/client-ssl
    • save this list of all client-ssl profiles in a suitable data structure
  • Enumerate all Virtual servers 
    • GET https://bigip/tm/ltm/virtual?expandSubcollections=true
    • The query parameter "expandsubcollections" adds some recursion, to keep you from having to issue too many repeated queries. Be careful though, for the size of response might be huge if you're dealing with a box with large configuration.
    • You will get al the profiles for each VIP under the Virtual result's items->[indexes]->profilesReference->items[indexes] (indexes indicate this is an array you iterate over)

  • Each of the items under 

    profilesReference
    is a profile, and you can simply check if the name contains "clientssl_"

    • if the name contains "client_ssl", then you can remove the item with this name from the earlier generated list of all clientssl profiles.

  • When you have iterated over all virtuals and their profiles, you know that whatever is left in your original list is the set of clientssl profiles that were not assigned.

Footnote

It may be a good idea for you to raise a formal support case and make a formal Request for Enhancement, so that future versions at least make this easier by adding some "type" annotations to profiles, and virtual servers -- or some other mechanism that negates the need for users to adopt a naming convention.

A second way of doing this, that is not much better
  • Enumerate all client-ssl profiles (or whatever profile you wish)
    • save this list as list1
  • Enumerate all virtuals (with expandSubcollections)
  • for each virtual, check all listed profiles against list1, and eliminate any profiles that are found.
  • repeat for each virtual until all virtuals examined, or list1 is empty.
Curtis_Owings_2's avatar
Curtis_Owings_2
Icon for Nimbostratus rankNimbostratus
Jan 06, 2016
The (re)naming idea is solid, but I can't exactly go back now and modify hundreds of VIPs. *This* is what I needed! `GET https://bigip/tm/ltm/virtual?expandSubcollections=true` That call yields... (only the relevant bits copied) ~~~"profilesReference": { "link": "https://localhost/mgmt/tm/ltm/virtual/~Common~beta.riccweb.com/profiles?ver=11.5.3", "isSubcollection": true, "items": [ { "kind": "tm:ltm:virtual:profiles:profilesstate", "name": "beta.riccweb.com", "partition": "Common", "fullPath": "/Common/beta.riccweb.com", "generation": 1, "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~beta.riccweb.com/profiles/~Common~beta.riccweb.com?ver=11.5.3", "context": "clientside" }, ~~~ From here I can work on the logic. It will take several queries, but I can deal with that. Thanks!