Sharing - iCall for CRL update

Hi team,

Just a quick share regarding an iCall used to update a CRL periodically.

create sys icall script CRL

sys icall script CRL {
    app-service none
    definition {
        tmsh::modify sys file ssl-crl XCA_CRL.crl source-path https://dl.dropboxusercontent.com/u/xxxxxx/CA_XCA_Root.pem
        puts "loading CRL"
    }
    description none
    events none
}

create sys icall handler periodic START first-occurrence 2013-12-06:16:15:00 interval 30 script CRL

Hope this helps

Warm regards,

Matt

2
Comments on this Discussion
Comment made 30-Dec-2013 by amolari 2665
Hi Matt, is this example working with a URI (not a local file)? Using a valid URI (verified by running curl on the CLI), when I run the command tmsh modify sys file ssl-crl ABC.crl source-path http://<URI> I always get the error curl: (6) name lookup timed out. I'm running v11.4 HF4. Is PEM format the only option? Many CRLs are published in DER format... Thanks
0
Comment made 29-Sep-2015 by Konstantin Nachev 1
Can we do this via the REST API somehow?
0
Comment made 08-Mar-2016 by alejandronieto 1
Does this iCall call another script to update CRLs, or does this iCall update the CRL periodically itself?
0
Comment made 20-Apr-2016 by Rav1G 0
Guys, I have noticed a side effect of this solution. Every time the script runs you will observe a backup of the *.crl file in the /config/filestore/.trash_bin_d folder. This is standard behavior of BigIP since version 11.0.0. Normally this backup is triggered by actions like:
  • entering the tmsh load sys config base command
  • deleting a configuration-related file, such as an SSL certificate or key, through the Configuration utility
  • and others
I believe that this script triggers that behavior as well. Depending on how often your script runs and how big the CRL files are, you need to watch your HDD space. Mind this.
0
Comment made 13-Sep-2016 by Mrhallberg 1

Hi, have you ever seen this error when the active unit is syncing the newly updated CRL to the standby unit?

Sep 13 06:10:14 slot2/dmz-lb-test err mcpd[7141]: 01071392:3: Background command '/usr/bin/rsync --rsync-path=/usr/bin/rsync -at --blocking-io /config/big3d/ rsync://192.168.153.134/big3d' failed. The command exited with status 12.
Sep 13 06:10:14 slot2/dmz-lb-test err mcpd[7141]: 01071392:3: Background command '/usr/bin/rsync --rsync-path=/usr/bin/rsync -at --blocking-io /var/named/config/ rsync://192.168.153.134/var_name' failed. The command exited with status 12.

I was trying to take this through F5 support team, but they said, we are not supporting bla bla bla :)

This can happen randomly when syncing the newly updated CRL.

Thank you

0
Comment made 26-Sep-2016 by Matthieu Dierick

Hi, the problem seems to be in the big3d daemon and not the iCall. Only F5 support can figure out the sync issue.

I don't see any relation with the icall in this log.

I'm sorry, I can't help you. I did a test yesterday on 11.6 and 12.x in order to validate the iCall on the latest release, and it works.

0
Comment made 26-Sep-2016 by Mrhallberg 1

I got the same issue, but no help from F5 yet. I have tried 11.6.1, not working. If I upload a big CRL file through the GUI it works, also when I try to modify the one I uploaded.

The only help from F5 so far is, use OCSP :)

Haven't tried 12.x yet.

0
Comment made 28-Sep-2016 by Matthieu Dierick

I suppose GTM is provisioned on your BIGIP. Can you try to test the iCall with GTM disabled? Or try on a VE lab in order to figure out the log message.

Error is related to GTM Sync.

0
Comment made 17-Jan-2017 by Renji 1

Hi,

I use a similar iCall for a CRL bundle. I use a DataGroup to get the list of URLs.

set current_status [tmsh::get_field_value [lindex [tmsh::get_status cm failover-status raw] 0] "status"]
#tmsh::log $current_status

# Tcl needs the body brace on the same line as if/foreach; a brace on the
# next line is a syntax error, so the braces below are kept on one line.
if { $current_status equals "ACTIVE" } {
    set iCallName iCall_SCRIPT_crlUpdateForClientAuth
    set dglName DGL_STR_crlListForClientAuth
    set crlName SSL_AUTH_CRL_default

    set tmpCrlPath "/tmp/${iCallName}"
    file delete -force -- $tmpCrlPath
    file mkdir $tmpCrlPath

    # the data-group records hold name => URL pairs
    set crlDgl [tmsh::get_config ltm data-group internal $dglName records]

    foreach crlItem $crlDgl {
        tmsh::get_field_value $crlItem records crlRecords

        foreach crlRecord $crlRecords {
            set crlNames [tmsh::get_name $crlRecord]
            set crlDatas [tmsh::get_field_value $crlRecord data]

            foreach name $crlNames data $crlDatas {
                array set crlList [list $name $data]
            }
        }
    }

    foreach {name data} [array get crlList] {
        set tmpCrl "${tmpCrlPath}/${name}.crl"

        # download each CRL into the temporary folder
        if { [catch {exec curl -s -4 $data > $tmpCrl} err] } {
            tmsh::log err "\[${iCallName}\] NOC: Unable to download CRL file\n$err"
            exit 1
        }

        # a DER-encoded CRL is converted to PEM, the format BIG-IP accepts
        if { ![catch {exec openssl crl -inform DER -in $tmpCrl -noout -text}] } {
            if { [catch {exec openssl crl -inform DER -in $tmpCrl -outform PEM -out $tmpCrl} err] } {
                tmsh::log err "\[${iCallName}\] NOC: Unable to convert CRL file\n$err"
                exit 1
            }
        }

        # whatever arrived must now parse as PEM
        if { [catch {exec openssl crl -inform PEM -in $tmpCrl -noout -text} err] } {
            tmsh::log err "\[${iCallName}\] NOC: CRL file type is unknown\n$err"
            exit 1
        }
    }

    # concatenate all PEM CRLs into one bundle file
    set crl "${tmpCrlPath}/${crlName}"
    eval exec cat [glob "${tmpCrlPath}/*.crl"] > $crl

    if { [catch {exec openssl crl -inform PEM -in $crl -noout -text} err] } {
        tmsh::log err "\[${iCallName}\] NOC: CRL file bundle type is unknown\n$err"
        exit 1
    }

    tmsh::modify sys file ssl-crl ${crlName}.crl source-path file:${crl}
    exec tmsh run /cm config-sync to-group p-hlblan

    tmsh::log notice "\[${iCallName}\] NOC: CRL file bundle was updated correctly with [array size crlList] CRL file(s)"
}

Now, I have to find out how to run a config-sync from the iCall, because after running tmsh::modify my cluster is no longer in sync.

0

Replies to this Discussion


Are you able to do a DIG on the FQDN? Check your DNS settings in your BIGIP.

This error seems to be a DNS resolution error: curl: (6) name lookup timed out

0

Yes, you're right. I've figured out that the 1st DNS of 2 was unreachable, returning the error when running the tmsh command but not curl directly from the shell. So I'm able to get the CRL, but DER format is not supported. Is there any option?

0

It should: http://support.f5.com/kb/en-us/solutions/public/10000/000/sol10054.html?sr=34150822

0

Matthieu, would it be possible in that iCall script to create a CRL bundle (merged from 2 CRLs, for example)? I would be thankful for any tip.

0
Comments on this Reply
Comment made 17-Jan-2017 by Renji 1

Yes it is possible, read my previous post.

0

Hi, yes, you can use a merged CRL in PEM format. It is supported on BIGIP.

0

This looks great, but for the life of me I can't seem to get this to use source-IP for the "curl" from Route Domain 2.

Does anyone know how to specify that we use a different RD?

I can "curl" to my CRL source at the Linux prompt when I use RDSH 2, but using the detail above we receive a 28 error on the curl.

I tried creating a static route in Common to use the default gateway (and thus self-IP) for RD2, but a packet capture shows SYN, SYN-ACK, RST behaviour on the connection rather than the 3WHS followed by the CRL download that I see when I use the userland curl command to the same destination.

In our setup the \Common and RD0 do not have a VLAN/Subnet to initiate traffic.

Suggestions?

0

Thanks for sharing, this worked great!

0

This code adds the following features (or includes features from Renji):

  • generic code with handler parameters
  • multiple CRL URLs to manage HA
  • device group synchronization
  • execute only on Active member
sys icall script CRL_UPDATE {
    app-service none
    definition {
        set CRL_NAME $EVENT::context(CRL_NAME)
        set CRL_URL $EVENT::context(CRL_URL)
        set FAILOVER_GROUP  [expr {[info exists EVENT::context(FAILOVER_GROUP)] ? $EVENT::context(FAILOVER_GROUP) : "" }]
        set iCallName iCall_CRL_$CRL_NAME

        if { [tmsh::get_field_value [lindex [tmsh::get_status cm failover-status raw] 0] "status"] equals "ACTIVE" } {
            set status 1
            tmsh::log notice "\[${iCallName}\] starting download from URL list : $CRL_URL"
            foreach url $CRL_URL {
                if { [catch {tmsh::modify sys file ssl-crl $CRL_NAME source-path $url}] } {
                    tmsh::log err "\[${iCallName}\] unable to download CRL $url"
                } else {
                    tmsh::log notice "\[${iCallName}\] CRL download successfully from : $url"
                    set status 0
                    break
                }
            }
            if {$status} {exit $status}
            if {$FAILOVER_GROUP != ""} {tmsh::run cm config-sync to-group $FAILOVER_GROUP}
        } else {
            tmsh::log notice "\[${iCallName}\] CRL not downloaded : current appliance status is [tmsh::get_field_value [lindex [tmsh::get_status cm failover-status raw] 0] "status"]"
        }
    }
    description none
    events none
}

The handler is created with the following command line:

create sys icall handler periodic CRL_MYCA_HANDLER { first-occurrence 2018-09-01:16:15:00 interval 30 script CRL_UPDATE arguments { { name FAILOVER_GROUP value "failover-group"} { name CRL_NAME value /Common/MYCA.crl} { name CRL_URL value "http://myca1.company.local/CRL/MYCA.crl http://myca2.company.local/CRL/MYCA.crl" } } }
0
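The two scripts above (Renji's bundle builder and the CRL_UPDATE script) delegate three jobs to external tools: detect whether a downloaded CRL is DER or PEM and convert it (openssl), try a list of mirrors until one works (the foreach/break loop), and concatenate the results into one PEM bundle (cat). The following is an added example, not code from this thread or from F5, that re-implements those checks in stand-alone Python so they can be exercised offline. It assumes a caller-supplied fetcher that returns the raw bytes for a URL (standing in for curl or tmsh::modify ... source-path), and the CRL bytes, URLs and the 404 page are constructed sample values, not real CRLs or hosts. The DER check only validates the outer SEQUENCE tag and length, a shallower test than openssl's full parse.

```python
"""Format detection, DER->PEM conversion, mirror failover and PEM bundling
for CRL files. Added illustration; all sample data below is constructed."""
import base64
import textwrap

PEM_HEADER = "-----BEGIN X509 CRL-----"
PEM_FOOTER = "-----END X509 CRL-----"


def der_length_ok(data: bytes) -> bool:
    """Shallow DER sanity check: outer tag is SEQUENCE (0x30) and the encoded
    length covers exactly the rest of the buffer. Handles short and long
    (0x81..0x84) length forms; a truncated or padded file fails here."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(data)


def detect_format(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'UNKNOWN' for a downloaded blob."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text and PEM_FOOTER in text:
        return "PEM"
    if der_length_ok(data):
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> str:
    """Same result as 'openssl crl -inform DER -outform PEM':
    base64 body wrapped at 64 characters between the CRL armor lines."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def normalise_to_pem(data: bytes) -> str:
    """Accept DER or PEM and return PEM text; reject anything else
    (an HTML error page from a mirror, a truncated download)."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("CRL file type is unknown")


def fetch_first_available(urls, fetcher):
    """Try each URL in order and return (url, raw bytes) for the first one
    whose content parses; mirrors the foreach/break loop in CRL_UPDATE but
    also validates the payload before accepting it."""
    errors = []
    for url in urls:
        try:
            data = fetcher(url)        # hypothetical fetcher, assumed to return bytes
            normalise_to_pem(data)     # validate before declaring success
            return url, data
        except Exception as exc:       # network error or bad content: next mirror
            errors.append(f"{url}: {exc}")
    raise RuntimeError("no CRL source succeeded: " + "; ".join(errors))


def build_bundle(blobs):
    """Concatenate any mix of DER/PEM CRLs into one PEM bundle (the
    'cat *.crl' step of the bundle script)."""
    return "".join(normalise_to_pem(b) for b in blobs)


# Constructed sample data (not real CRLs): a DER SEQUENCE { INTEGER 5 },
# the same bytes already PEM-armored, and two made-up mirror URLs.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = der_to_pem(SAMPLE_DER).encode("ascii")
SAMPLE_SOURCES = {
    "http://myca1.example.test/MYCA.crl": b"<html>404 not found</html>",  # dead mirror
    "http://myca2.example.test/MYCA.crl": SAMPLE_DER,
}


def demo():
    """Failover to the second mirror, then bundle it with a PEM CRL."""
    url, raw = fetch_first_available(list(SAMPLE_SOURCES), SAMPLE_SOURCES.__getitem__)
    bundle = build_bundle([raw, SAMPLE_PEM])
    return url, detect_format(raw), bundle.count(PEM_HEADER)


if __name__ == "__main__":
    print(demo())
```

The validation-before-accept step is the part worth copying into an iCall: a mirror that answers with an HTML error page still makes curl exit 0 and would otherwise be written over the working CRL object.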

Here is an iApp template to configure the iCall CRL update from the WebUI

#TMSH-VERSION: 14.0.0.1

cli admin-partitions {
    update-partition Common
}
sys application template /Common/automated_crl_update {
    actions {
        definition {
            html-help {
            }
            implementation {
                foreach item $::crl_configuration__url_list {
                    array set item_array [lindex $item 0]
                    lappend url_list $item_array(url)
                }
                if { ![info exists ::crl_config_sync__device_group] } {set ::crl_config_sync__device_group ""}

                set script {
                    if { [tmsh::get_field_value [lindex [tmsh::get_status cm failover-status raw] 0] "status"] equals "ACTIVE" } {
                        set status 1
                        tmsh::log notice "\[iCallName\] starting download from URL list : CRL_URL_LIST"
                        foreach url {CRL_URL_LIST} {
                            if { [catch {tmsh::modify sys file ssl-crl CRL_NAME source-path $url}] } {
                                tmsh::log err "\[iCallName\] unable to download CRL $url"
                            } else {
                                tmsh::log notice "\[iCallName\] CRL download successfully from : $url"
                                set status 0
                                break
                            }
                        }
                        if {$status} {exit $status}
                        if {"FAILOVER_GROUP" != ""} {tmsh::run cm config-sync to-group FAILOVER_GROUP}
                    } else {
                        tmsh::log notice "\[iCallName\] CRL not downloaded : current appliance status is [tmsh::get_field_value [lindex [tmsh::get_status cm failover-status raw] 0] "status"]"
                    }
                }
                set script [string map [list FAILOVER_GROUP $::crl_config_sync__device_group CRL_URL_LIST $url_list CRL_NAME $::crl_configuration__name iCallName f5.automated_crl_update__${tmsh::app_name}] $script]
                iapp::conf create sys icall script f5.automated_crl_update__${tmsh::app_name} definition \{ $script \}
                set cdate [clock format [clock seconds] -format "%Y-%m-%d:%H:%M"]

                tmsh::create sys file ssl-crl /Common/$::crl_configuration__name source-path [lindex $url_list 0]

                iapp::conf create sys icall handler periodic f5.automated_crl_update__${tmsh::app_name}-handler \{ \
                    interval $::crl_configuration__interval \
                    first-occurrence $cdate:00 \
                    script f5.automated_crl_update__${tmsh::app_name} \}
            }
            macro {
            }
            presentation {
                section deployment_info {
                    message deployment_info_first_time "This iApp configure automatic download from URL."
                }
                section crl_configuration {
                    string name display "large"
                    table url_list {
                        string url display "xlarge"
                    }
                    string interval display "small" default "30" validator "NonNegativeNumber"
                }
                section crl_config_sync {
                    choice enabled default "false" {"true", "false"}
                    optional (enabled == "true") {
                        choice device_group display "xxlarge" tcl {
                            package require iapp 1.3.0
                            set ::choices [iapp::get_items cm device-group]
                            return [iapp::safe_display ::choices]
                        }
                    }
                }
                text {
                    deployment_info "Deployment Information"
                    deployment_info.deployment_info_first_time "First Time Deployment:"
                    crl_configuration "CRL Configuration"
                    crl_configuration.name "CRL name"
                    crl_configuration.url_list "CRL addresses"
                    crl_configuration.url_list.url "URL"
                    crl_configuration.interval "Interval (seconds)"
                    crl_config_sync "Configuration synchronization"
                    crl_config_sync.enabled "Enable synchronization after update"
                    crl_config_sync.device_group "Device group to synchronize"
                }
            }
            role-acl none
            run-as none
        }
    }
    description none
    ignore-verification false
    requires-bigip-version-max none
    requires-bigip-version-min 11.5.4
    requires-modules none
    signing-key none
    tmpl-checksum none
    tmpl-signature none
}
0

I have done something similar and shared it here: Snippet - iCall CRL update with Route Domains and Auto-Sync

Similar issue to many around DNS, so I added a direct IP and Host header option within curl.

Also allows for the use within different route domains.

Finally, if you create your CRL files within a folder linked to a Sync-Only device group, you can auto-sync changes outside of the non-shared configuration (which is normally part of a Sync-Failover device group with Auto-Sync disabled).

0

Hi, thanks for the script! When I try to paste it and save it, it says: Syntax Error: "sys" unexpected argument There were errors. Continue editing(y) or discard changes(n) (y/n) y

I used a tmsh command to create it, then deleted the inside content and added your script: edit sys icall script aaa_script

Thanks for the help!

0