Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

F5 APM - Google TOTP - How to write into internal data group from irule

Hello,

Can anyone help me to find how we could write into internal datagroup from irule ?

The irule look like this:

when ACCESS_POLICY_AGENT_EVENT {

if { [ACCESS::policy agent_id] eq "ga_add_secretkey" } {

set username [ACCESS::session data get session.logon.last.username]
set secretkey [ACCESS::session data get session.custom.ga_secretkey]

tmsh_modify /ltm data-group internal google_auth_keys records add {
$username { data $secretkey } }
}

}

Thank you,

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi

the Error: Receive Timeout error message is most likely caused by a malfunctioning Virtual Server / Pool / Node setup.

You may try to specify the provided IPs without any RD-suffixes (aka. %0). If this also fails, then change the IP of your Virtual Server so that you can access this IP:80 via your browser. If the browser can finally access the MGMT-UI then the iRule should be fine too.

ltm pool Pool_F5-MGMT-ETH {
    members {
        Node_F5-MGMT-ETH:https {
            address 10.13.240.99
            session monitor-enabled
            state up
        }
    }
    monitor gateway_icmp 
}

ltm virtual VS_F5-MGMT-ETH {
    destination 1.1.1.1:http
    ip-protocol tcp
    mask 255.255.255.255
    pool Pool_F5-MGMT-ETH
    profiles {
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

Cheers, Kai

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Franck,

the [tmsh::modify] and several other config-plane specific commands are not available within iRules.

But you may use a [SIDEBAND] connection within an iRule pointing towards your REST-API and then execute a predefined TMSH script that changes the data-group for you as needed.

Below is a short write up for you to create a working POC...

Create a TMSH script to change the data-group

1.) Login to your F5 via SSH

2.) Execute the following command on TMSH

load sys config merge from-terminal

3.) Paste the following script into TMSH

cli script add_totp_key {
    proc script::run {} {
        set cmd "tmsh::modify /ltm data-group internal google_auth_keys \{ records add \{ [lindex $tmsh::argv 1] \{ data [lindex $tmsh::argv 2] \} \} \}"
        tmsh::log "Executing the command: $cmd"
        eval $cmd
    }
}

Note: You have to make sure that the data-group "google_auth_keys" already exists.

4.) Hit CRTL+D to save the config change

Configure a Layer4 VS:80 that points to the MGMT-ETH:443 of your F5

1.) Execute the following command on TMSH

load sys config merge from-terminal

2.) Paste the following config into TMSH

ltm pool Pool_F5-MGMT-ETH {
    members {
        Node_F5-MGMT-ETH:https {
            address x.x.x.x%1
            session monitor-enabled
            state up
        }
    }
    monitor gateway_icmp 
}

ltm virtual VS_F5-MGMT-ETH {
    destination 1.1.1.1%1:http
    ip-protocol tcp
    mask 255.255.255.255
    pool Pool_F5-MGMT-ETH
    profiles {
        serverssl {
            context serverside
        }
        tcp { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

Note: You have to change the node IP address to match the MGMT-IP of your LTM.

3.) Hit CRTL+D to save the config change

Write a TCL procedure to trigger a SIDEBAND connection towards your REST-API to execute the predefined TMSH script including required parameters (aka. $username and $key).

1.) Add the following procedure to your existing iRule

proc add_totp_key { virtual basic_creds username key } {
    set tcp_conn [connect -timeout 2000 -idle 2000 -status tcp_conn_status $virtual]
    if { $tcp_conn_status equals "connected" } then {
        set http_request_body "\{\"command\":\"run\",\"utilCmdArgs\":\"add_totp_key $username $key\"\}"
        set http_request "POST /mgmt/tm/cli/script/ HTTP/1.0\r\nHost: xxx\r\nAuthorization: Basic $basic_creds\r\nContent-Length: [string length $http_request_body]\r\n\r\n$http_request_body"
        send -timeout 2000 -status tcp_sent_status $tcp_conn $http_request
        if { $tcp_sent_status equals "sent" } then {
            set http_response [recv -timeout 2000 $tcp_conn]
            if { $http_response starts_with "HTTP/1.1 200" } then {
                return "Success"
            } elseif { $http_response equals "" } then {
                return "Error: Receive Timeout"
            } else {
                return "Error: API Response = $http_response"
            }
        } else {
            return "Error: Send Status = $tcp_sent_status"
        }
    } else {
        return "Error: Connection Status = $tcp_conn_status"
    }
}

2.) Modify your existing iRule to call the procedure to finally update the data-group.

when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] eq "ga_add_secretkey" } {
        set result [call add_totp_key "VS_F5-MGMT-ETH" "[b64encode "admin:password"]" "[ACCESS::session data get session.logon.last.username]" "[ACCESS::session data get session.custom.ga_secretkey]"]
        log local0.debug "Result: $result"
    }
}

Note: You have to change the username:password value to match a admin account of your device.

Hope this helps to get the picture how to change a data-group via an iRule.

Cheers, Kai

0
Comments on this Answer
Comment made 19-Dec-2016 by Franck Marchioro 1

Hi Kai,

Thank you for your answer.

I followed your instructions 1. Paste the add_totp_key script into TMSH, and verified that the "google_auth_keys" data-group already exist -> OK 2. Paste the following config:

ltm pool Pool_F5-MGMT-ETH {
members {
    Node_F5-MGMT-ETH:https {
        address 10.13.240.99%0
        session monitor-enabled
        state up
    }
}
monitor gateway_icmp }

ltm virtual VS_F5-MGMT-ETH {
destination 1.1.1.1%0:http
ip-protocol tcp
mask 255.255.255.255
pool Pool_F5-MGMT-ETH
profiles {
    serverssl {
        context serverside
    }
    tcp { }
}
source 0.0.0.0%0/0
source-address-translation {
    type automap
}
translate-address enabled
translate-port enabled }
  1. Added the procedure "proc add_totp_key ..." to the ga_add_secretkey iRule and then modified the procedure to update the data-group

But I get this Event : Rule /Common/ga_add_secretkey : Result: Error: Receive Timeout.

Am I missing something or did something wrong ?

Thanks for your Help

0