Faintly_Lucky
Jan 28, 2013

Error while establishing device trust

Not sure what's going on here. Any ideas?

Thanks in advance,

Chris

[chris@luckylx02 bin]$ f5bdt2 "$sglb" "$mg2" "$b1n" "$b2n"
SOAP-ENV:Server Exception caught in Management::urn:iControl:Management/Trust::add_authority_device()
Exception: Common::OperationFailed
primary_error_code : 16908289 (0x01020001)
secondary_error_code : 0
error_string : Trust daemon returned an error: Could not examine network interfaces: CsO/w78D

Code:

# Turns off TLS hostname verification for LWP's HTTPS requests
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}=0;

use SOAP::Lite;
use MIME::Base64;
BEGIN { push (@INC, '/home/chris'); }
use iControlTypeCast;

$sHost = $ARGV[1];
my $sUID = admin;
my $sPWD = $ARGV[0];
my $b1n = $ARGV[2];
my $b2n = $ARGV[3];

#----------------------------------------------------------------------------
# checkResponse makes sure the error isn't a SOAP error
#----------------------------------------------------------------------------
sub checkResponse() {
    my ($soapResponse) = (@_);
    if ( $soapResponse->fault )
    {
        print $soapResponse->faultcode, " ", $soapResponse->faultstring, "\n";
        exit();
    }
}

sub buildtrust {
    $soapResponse =
    $dtrmgmt->add_authority_device
    (
        SOAP::Data->name (address => 10.255.255.3),
        SOAP::Data->name ( username => admin ),
        SOAP::Data->name ( password => XXXXXXXX ),
        SOAP::Data->name ( device_object_name => "$b1n" ),
        SOAP::Data->name ( browser_cert_serial_number => "" ),
        SOAP::Data->name ( browser_cert_signature => "" ),
        SOAP::Data->name ( browser_cert_sha1_fingerprint => "" ),
        SOAP::Data->name ( browser_cert_md5_fingerprint => "" ),
    );
    &checkResponse($soapResponse);

    $soapResponse =
    $dgmgmt->create
    (
        SOAP::Data->name (device_groups => [sg-sf] ),
        SOAP::Data->name ( type => [DGT_FAILOVER] ),
    );
    &checkResponse($soapResponse);

    $soapResponse =
    $dgmgmt->add_device
    (
        SOAP::Data->name (device_groups => [sg-sf] ),
        SOAP::Data->name ( devices => [$b1n , $b2n] ),
    );
    &checkResponse($soapResponse);
}

$dtrmgmt = SOAP::Lite
    -> uri('urn:iControl:Management/Trust')
    -> readable(1)
    -> proxy("");
eval {
    $dtrmgmt->transport->http_request->header( 'Authorization' => 'Basic '
        . MIME::Base64::encode("$sUID:$sPWD", ''));
};

$dgmgmt = SOAP::Lite
    -> uri('urn:iControl:Management/DeviceGroup')
    -> readable(1)
    -> proxy("");
eval {
    $dgmgmt->transport->http_request->header( 'Authorization' => 'Basic '
        . MIME::Base64::encode("$sUID:$sPWD", ''));
};

# Main Program Logic
&buildtrust;

 

 

 


8 Replies

  • Here's what I got out of the LTM log:

    Jan 29 11:33:06 thnlb2 err devmgmtd[7300]: com.f5.devmgmt.server.Server$ClientDispatcher.run(Server.java:290): Handler threw server exception: [STACK TRACE: {com.f5.devmgmt.client.ServerException: Could not examine network interfaces: CsO/w78B}{ at com.f5.devmgmt.server.Server.isSelfAddress(Server.java:654)}{ at com.f5.devmgmt.server.Server.validateNotSelfAddress(Server.java:677)}{ at com.f5.devmgmt.server.handler.impl.trust.AddAuthority.(AddAuthority.java:76)}{ at com.f5.devmgmt.server.handler.impl.trust.AddAuthoritySyncHandler.execute(AddAuthoritySyncHandler.java:48)}{ at com.f5.devmgmt.server.handler.trust.AddAuthoritySyncHandlerBase.dispatch(AddAuthoritySyncHandlerBase.java:33)}{ at com.f5.devmgmt.server.Server$ClientDispatcher.run(Server.java:284)}{ at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)}{ at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)}{ at java.lang.Thread.run(Unknown Source)}]

    I'm guessing that I should open a support case on this, but I'd like confirmation that this is an internal issue and not one that exists between my keyboard and my chair before I do so.

    Thanks,

    Chris
  • Which method is returning the error, the call to add_authority_device(), create(), or add_device()? From the code it looks good since I don't know what you are passing in for parameters, not sure where the "CsO/w78B" interface is coming from. Have you gone through the same process in the GUI with the same parameters and does that work?

     

  • Joe:

    From what I'm seeing in the debugs, it definitely appears to be the add_authority_device call. My response checking subroutine exits if there's an error, and the debugs confirm that it's the only call that's been made.

    I haven't done it in the GUI, though I have successfully done it via TMSH utilizing the "tmsh modify cm trust-domain Root ca-devices add { 10.255.255.3 } username admin password XXXXXXXX name XXXXXXXX" command. It works like a charm and establishes trust between the two devices, creates the other device, and adds it to the device_trust_group device-group all in one command. At that point, I issue a second TMSH command to create the sg-sf sync-failover group and add the devices to it. In the GUI, it appears to follow the same process: Device Trust>Peer List>Add. Provide IP, admin user name, and admin password, then click retrieve device info.

    Are you saying that there are calls that I need to make prior to making the add_authority_device call? If so, could you please elaborate? This is the last piece of a rapid deployment framework that I've written for v10/11 new customer deployments (Managed Services Provider) and I'd much rather use iControl to establish trust rather than script it out in expect.

    I really appreciate you taking the time to respond and help me figure out what's going on.

    Chris
  • In looking at the server code, it looks like your value for "address" is getting garbled at some point. Not sure if it's on the client side, or on the server. The one thing that sticks out is that you aren't enclosing your "string" values with quotes, specifically for the "address" parameter. Just for kicks, could you try surrounding the strings with quotes?

    $soapResponse =
    $dtrmgmt->add_authority_device
    (
        SOAP::Data->name (address => "10.255.255.3"),
        SOAP::Data->name ( username => "admin" ),
        SOAP::Data->name ( password => "XXXXXXXX" ),
        SOAP::Data->name ( device_object_name => "$b1n" ),
        SOAP::Data->name ( browser_cert_serial_number => "" ),
        SOAP::Data->name ( browser_cert_signature => "" ),
        SOAP::Data->name ( browser_cert_sha1_fingerprint => "" ),
        SOAP::Data->name ( browser_cert_md5_fingerprint => "" ),
    );

    And see if that takes care of it. It could be that SOAP::Lite is doing something wonky with the value 10.255.255.3 and not passing it as a string but converting it somehow.

    If that doesn't work for you, could you enable SOAP::Lite tracing and look for what's passed in the SOAPRequest for the address parameter? Toss this at the top of your script when you import the SOAP::Lite lib and that will dump the full request/response to the console.

    use SOAP::Lite + trace => qw(method debug);

    Hopefully the string enclosing will work, but if not the trace should get us a little further.

    -Joe

     

  • OK, I'm almost 100% sure that enclosing the strings will solve the problem. I tried another iControl call with SOAP::Lite to a method that took an IP address. When I passed the string as

    SOAP::Data->name(self_ips => ["10.255.255.3"])

    it passed in the trace correctly,

    [self_ips ...="" soapenc:arraytype="xsd:string[1]"][item xsi:type="xsd:string"]10.255.255.3[/item][/self_ips]

    But, when I omitted the quotes

    SOAP::Data->name(self_ips => [10.255.255.3])

    it was converted into Base64binary

    [self_ips ...="" soapenc::arraytype="xsd:base64Binary[1]"][item xsi:type="xsd:base64Binary"]CsO/w78D[/item][/self_ips]

    The "CsO/w78D" is the error you were getting for an invalid address.

    -Joe
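Added example, not part of the original thread and not SOAP::Lite's own code: it shows how the unquoted literal becomes a Perl v-string and then base64 text on the wire, plus a pre-flight check that rejects such a value before it is sent. `wire_form` and `is_ipv4_string` are hypothetical helper names, and `wire_form` only approximates the serializer's type guess.

```perl
#!/usr/bin/perl
# Added example (not from the thread): why the bare literal 10.255.255.3
# arrived at the device as base64 text instead of an IP address.
use strict;
use warnings;
use Encode qw(encode);
use MIME::Base64 qw(encode_base64);

# Without quotes, a literal with two or more dots is a v-string: one
# character per number, here chr(10) . chr(255) . chr(255) . chr(3).
my $bare   = 10.255.255.3;
my $quoted = "10.255.255.3";

# Assumption: a simplified stand-in for the serializer's type guess, not
# SOAP::Lite's own code. Printable ASCII goes out as xsd:string; anything
# else goes out as base64 of the UTF-8 encoded characters.
sub wire_form {
    my ($value) = @_;
    return "xsd:string $value" if $value =~ /\A[\x20-\x7E]*\z/;
    return 'xsd:base64Binary ' . encode_base64(encode('UTF-8', $value), '');
}

# Pre-flight check for any address parameter: accept only a dotted-quad
# string with each octet in 0..255. A v-string fails because its
# characters are control and high bytes, not digits and dots.
sub is_ipv4_string {
    my ($value) = @_;
    return 0 unless defined $value;
    my @octets =
        $value =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/
        or return 0;
    return (grep { $_ > 255 } @octets) ? 0 : 1;
}

for my $case ([bare => $bare], [quoted => $quoted]) {
    my ($label, $value) = @$case;
    printf "%-6s length=%d ordinals=%s\n",
        $label, length($value), join(',', map { ord($_) } split(//, $value));
    printf "       wire=%s valid_ipv4=%d\n",
        wire_form($value), is_ipv4_string($value);
}

# sprintf's %vd flag prints each character's ordinal joined by dots, which
# recovers the address the caller meant from the v-string.
printf "recovered from v-string: %s\n", sprintf('%vd', $bare);
```

Running the check on every address argument before building the SOAP::Data objects turns this class of mistake into a local failure instead of an opaque server-side fault.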

     

  • Joe,

    Thank you very much for helping out with this. I'll modify my code and let you know what happens. I can't believe that I missed that in the debugs.

    Looks like this will turn out to be a PEBKAC error after all :/

    Chris
  • Joe,

    It was indeed the quoting.

    Once that part of the script was working, I also had some problems getting the devices added to the device group after it was created, but I was able to figure it out.

    I'll be making a submission to the code share within the next few days based upon this script.

    Once again, thank you very much for your help.

    Chris