Forum Discussion

soh13_111731
Dec 17, 2007

GTM Backups to external server

I am new to this forum so please be gentle. I was wondering if anyone has a script that I could use/modify that would allow me to pull the ucs files off of the GTM servers and store on our external utility server. We are currently running GTM 9.3 and our utility server is Windows 2003 running PERL.

Thanks in advance to anyone who can help.

2 Replies

  • You could use an iControl-based script to generate the UCS file and download it. There is an API for Perl. You can get some general info on iControl here: (Click here)

    Else, you could use cron on the GTM to call a shell script which creates the UCS and then copies it off to a remote SSH/SCP server. I have a rough example I was working on a while back on another computer which does the latter. I'll dig around for it and post it later.

    Anyone else have more polished solutions for this using shell or iControl scripts? I'd be curious to see what others are using.

    Aaron
  • Hi,

    Attached is the UCS backup and export script I was testing. It has some added functionality you wouldn't need on a GTM, but it should work as it is.

    It runs on the BIG-IP and creates a UCS archive in the /var/local/ucs directory with the format: HOSTNAME_VERSION_DATE.ucs. It was written for a customer who was using ASM on some of their units. So it checks to see if another script which exports the ASM security policies to a separate tar archive is present on the unit. If it is, the policy export script is run. If it isn't present, then the UCS backup script just creates a UCS archive and attempts to SCP it to a remote server.

    Here are the configuration requirements:

    #!/usr/bin/perl
    #
    # BIG-IP configuration save and export
    #
    # v1.0.5 - 06 Aug 2007
    #
    # Objectives:
    #  - Create a configuration backup of the BIG-IP to a UCS file
    #  - Create a backup of the active ASM security policies if the unit has ASM enabled
    #  - Copy the backup files to a remote host via SCP
    #
    # Tested on BIG-IP and BIG-IP ASM versions: 9.2.4, 9.4.1
    #
    # Configuration requirements:
    #
    # 1. SSH public key authentication must be configured so that the SCP user (defined by SCP_USER in this script)
    #    can SSH/SCP from this BIG-IP to a remote SSHD server without password prompts.
    #    By default, this script uses the existing root SSH private/public key pair from /var/ssh/root/
    #    "identity" (private key) and "identity.pub" (public).
    #    To configure password-less authentication, append the client "identity.pub" key from the BIG-IP
    #    to the authorized_keys file in the SCP server's SCP user home directory
    #    ~/.ssh/authorized_keys
    #
    #    You could also generate your own key using the following steps:
    #
    #    a. On the BIG-IP, generate a new public and private key pair:
    #       ssh-keygen -t rsa -b 2048 -C `hostname` -f ~/.ssh/`hostname`
    #       (Do not enter a passphrase)
    #
    #    b. On the BIG-IP, change the permissions on the keys to root read/write access only:
    #       chmod 600 ~/.ssh/`hostname`*
    #
    #    c. Copy the ~/.ssh/`hostname`.pub public key from the BIG-IP to the SCP server and
    #       append the key to the ~/.ssh/authorized_keys file:
    #       cat ~/.ssh/`hostname`.pub | ssh SCP_SERVER 'cat >> ~/.ssh/authorized_keys'
    #
    #    d. Verify public key authorization is configured so that you aren't prompted for a password:
    #       ssh -i /path/to/ssh.key SCP_USERNAME@SCP_HOST
    #
    # 2. For units with ASM licensed, a copy of the all_policy_export.pl script should be saved
    #    and configured in this script as:
    #    ALL_POLICY_EXPORT_SCRIPT => '/path/to/all_policy_export.pl'
    #
    # Aaron Hooley - (hooley at gmail dot com)

    The ASM policy export script is in the codeshare (Click here).

    I tested this quite a bit, but I'm no Perl expert. Let me know if you try it and run into any issues or have suggestions.

    Thanks,

    Aaron
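
The key pair in step 1 of the script header has no passphrase and belongs to root on the BIG-IP, so the SCP server should accept it only from that unit and without terminal or forwarding rights. The following is an added example, not part of the posted script, that performs step 1c on the server side using standard OpenSSH authorized_keys options; the function names, file paths and address are hypothetical.

```shell
#!/bin/sh
# Added example: run on the SCP server instead of a plain "cat >> authorized_keys".
# key_entry and install_backup_key are hypothetical helper names.

# Print an authorized_keys entry that ties the key to one source address and
# disables terminals and forwarding.
#   $1 = public key file copied from the BIG-IP
#   $2 = BIG-IP address as the SCP server sees it
key_entry() {
    pub=$(head -n 1 "$1") || return 1
    case "$pub" in
        ssh-rsa\ AAAA*) ;;   # the header's ssh-keygen step produces an RSA key
        *) echo "not an RSA public key (wrong half of the pair?): $1" >&2
           return 1 ;;
    esac
    printf 'from="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$2" "$pub"
}

# Append the restricted entry once, keeping the 700/600 permissions sshd expects.
#   $1 = public key file, $2 = BIG-IP address, $3 = authorized_keys path
install_backup_key() {
    entry=$(key_entry "$1" "$2") || return 1
    dir=$(dirname "$3")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$3" && chmod 600 "$3" || return 1
    blob=$(awk 'NR==1 {print $2}' "$1")     # base64 key material
    if grep -qF -- "$blob" "$3"; then
        echo "key already present in $3" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$3"
}

# Typical call on the SCP server (constructed values):
#   install_backup_key /tmp/bigip1.pub 192.0.2.10 "$HOME/.ssh/authorized_keys"
```

A UCS archive holds the unit's full configuration, including SSL private keys, so the directory that receives the backups deserves the same restrictive permissions as the key files.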