With the API, how might you find the SSL Profiles which are not assigned to any VIP?
From tmsh I can ltm.virtual> list and see...
ltm virtual beta.riccweb.com {
destination 170.40.168.7:https
ip-protocol tcp
mask 255.255.255.255
pool wdc-riccwstst-5005
profiles {
beta.riccweb.com {
context clientside
}
http { }
tcp { }
}
source 0.0.0.0/0
vs-index 38
However, with the API I can only get as far as "" and I'm not sure if I can call a list from here... also the applied clietside SSL information is not apparently visible?
I'm afraid the API does not make this easy as far as I know. I think I've come across this kind of situation before, and You will need to perform some rather tedious crunching. You also need to adopt a policy in your environment of naming your objects in a certain way that makes this possible.
Here goes-
Prefix all profiles with the name of their type. Example, client-SSL profiles will always be called
, then when you want to find client-ssl profiles, you simply look for the profiles that have "clientssl_" in their names.clientssl_foo
- to enumerate all client-ssl profiles, you need
GET https://bigip/tm/ltm/profile/client-ssl
- save this list of all client-ssl profiles in a suitable data structure
- to enumerate all client-ssl profiles, you need
-
Enumerate all Virtual servers
GET https://bigip/tm/ltm/virtual?expandSubcollections=true
- The query parameter "expandsubcollections" adds some recursion, to keep you from having to issue too many repeated queries. Be careful though, for the size of response might be huge if you're dealing with a box with large configuration.
- You will get al the profiles for each VIP under the Virtual result's items->[indexes]->profilesReference->items[indexes] (indexes indicate this is an array you iterate over)
-
Each of the items under
is a profile, and you can simply check if the name contains "clientssl_"profilesReference
- if the name contains "client_ssl", then you can remove the item with this name from the earlier generated list of all clientssl profiles.
-
When you have iterated over all virtuals and their profiles, you know that whatever is left in your original list is the set of clientssl profiles that were not assigned.
It may be a good idea for you to raise a formal support case and make a formal Request for Enhancement, so that future versions at least make this easier by adding some "type" annotations to profiles, and virtual servers -- or some other mechanism that negates the need for users to adopt a naming convention.
A second way of doing this, that is not much better-
Enumerate all client-ssl profiles (or whatever profile you wish)
- save this list as list1
- Enumerate all virtuals (with expandSubcollections)
- for each virtual, check all listed profiles against list1, and eliminate any profiles that are found.
- repeat for each virtual until all virtuals examined, or list1 is empty.
-
Prefix all profiles with the name of their type. Example, client-SSL profiles will always be called