Forum Discussion

Eric_Frankenfie's avatar
Eric_Frankenfie
Icon for Nimbostratus rankNimbostratus
Feb 25, 2015

Get Profile_Type_Client_SSL from Virtual Server

I am trying to retrieve the client SSL profile from a list of virtual servers, but I am having difficulties. Any help would be greatly appreciated

 

Here is what I have so far:

 

Get list of virtual servers

 

$vs_list = (Get-F5.iControl).LocalLBVirtualServer.get_list()

 

Get profiles associated with each virtual server

 

$vs_profile_list = (Get-F5.iControl).LocalLBVirtualServer.get_profile($vs_list)

 

I tried this, but get 0 results (GetF5.iControl).LocalLBVirtualServer.get_profile($vs_list).PROFILE_TYPE_CLIENT_SSL

 

6 Replies

  • Hi eric,

    there is no specific filter for client-ssl profile. You can probably parse based on a good naming convention.

    Here is a sample to dump all profiles of a specific virtual via iControl REST (just replace the virtual server name in the self link, please):
    curl -s -k -u admin:admin -H "Content-Type: application/json" -X GET https://localhost/mgmt/tm/ltm/virtual/~Common~vs_101_8081/profiles?\$select=name  | grep -ioP '(?<=\{"name":")[^"]+(?="\})'
    

    Sorry for not being able to support you regarding the legacy iControl.

    Thanks, Stephan
  • Maybe I am approaching this incorrectly.

     

    I am trying to list all certificates expiring in the next 30 days, their respective profiles, and the virtual servers using those profiles.

     

    We are running 10.2.4, so I think the legacy iControl is my only option.

     

  • Hi eric,

    the following one is a quick shot to map virtual > client-ssl profile > cert in use > cert expiration for all virtual servers.

    It does not display information selectivly.

    Challenge here is to convert the OpenSSL date output into universal format to match versus current date. Found a script for that but had no time yet to implement this function.

    Try this, please (for v10 only):
    !/bin/bash
     Script to map virtual server > client-ssl profile > ssl certificate > expiration date
     version: 0.01
     author: Stephan Manthey
     tested for TMOS v10.2.4 only
     not supporting certificate bundles
     not including chain / intermediate certificates
     (TMOS v11 stores certs in filestore and provides tmsh commands for cert data!)
     usage: 
     - copy i.e. to /var/tmp/map_virtual_certs
     - run chmod +x /var/tmp/map_virtual_certs
     - run command /var/tmp/map_virtual_certs
    
     create sed dictionary to map certificates and expiration date
    for cert in /config/ssl/ssl.crt/*.crt
        do echo -n "$cert;" | sed -r 's/config/ssl/ssl.crt/g;s(.*)s/;\1/;\1g'
        openssl x509 -noout -enddate -in $cert | sed -r 'snotAfter=g;s$;/gg'
    done > /var/tmp/ssl-cert-exp-dict
    
     create list of client-ssl profiles 
    tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print ";" $4 ";"}' > /var/tmp/client-ssl-list
    
     create sed dictionary to map client-ssl profiles and used certs
    
    tmsh list ltm profile client-ssl cert | tr -d "\n{" | tr "}" "\n" | \
    tr -s '[[:blank:]]' | awk '{print "s/;" $4 ";/;" $4 ";" $6 ";/g"}' > /var/tmp/client-ssl-cert-dict
    
     create sed dictionary to replace profile list in virtual servers by client-ssl profiles only
    tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print "s/^([^;]+).*;" $4 ";.*$/\\1;" $4 ";/g"}' > /var/tmp/client-ssl-dict 
    
     apply dictionaries to virtual servers
    
    tmsh list ltm virtual profiles | grep -vE '^[[:blank:]]+(profiles \{|\}|context)' | \
    tr -d "\n\{" | tr "}" "\n" | tr -s '[[:blank:]]' | \
    sed -r 's/^ltm virtual //g;s/[[:blank:]]$//g;s/$/;/g' | tr '[[:blank:]]' ';' | \
    grep -f /var/tmp/client-ssl-list | sed -r -f /var/tmp/client-ssl-dict | \
    sed -r -f /var/tmp/client-ssl-cert-dict | sed -r -f /var/tmp/ssl-cert-exp-dict
    
     remove temp files
    rm -f /var/tmp/ssl-cert-exp-dict /var/tmp/client-ssl-list /var/tmp/client-ssl-cert-dict /var/tmp/client-ssl-dict 2>/dev/null
    

    Thanks, Stephan

  • Hi eric,

    thanks to F.Barth for providing an easy to use solution to convert date into standard format.

    Here is an updated version displaying only virtuals with certs to expire within defined period of time.

    You can run the script from CLI along with a parameter to specify number of days for warning period (default of 30).
    !/bin/bash
     Script to map virtual server > client-ssl profile > ssl certificate > expiration date
     version: 0.02
     author: Stephan Manthey
     tested for TMOS v10.2.4 only
     not supporting certificate bundles
     not including chain / intermediate certificates
     (TMOS v11 stores certs in filestore and provides tmsh commands for cert data!)
     usage: 
     - copy i.e. to /var/tmp/map_virtual_certs
     - run chmod +x /var/tmp/map_virtual_certs
     - run command /var/tmp/map_virtual_certs
     changes, fixes (v0.02): 
     - modified date format
     - selective output of virtual servers with certs to expire withing warning period
     - command line parameter to enter days for warning period (default value: 30)
       (i.e. ./map_virtual_certs 60)
    
     enable debugging (set -x)
     set -x
    
     set number of days to warn
    remainingdays=$1
    if [ -z ${remainingdays} ]
    then
       remainingdays=30
    fi
    
    remainingseconds=$((${remainingdays} * 86400)) 
    
     get current date
    currdate=`date +%s`
    
     set warning time period
    warningtime=$((${currdate} + ${remainingseconds}))
    
     create sed dictionary to map certificates and expiration date
    for cert in /config/ssl/ssl.crt/*.crt
    do
        echo -n "$cert" | sed -r 's/config/ssl/ssl.crt/g;s/(.*)/s;\1;;\1;/g'
        openssl x509 -noout -enddate -in $cert | awk -F '=' '{print $2}' | \
        xargs -I{} date -d {} +%Y/%m/%d | sed -r 's/$/;g/g'
    done > /var/tmp/ssl-cert-exp-dict
    
     verify cert expiration within warning time period
    for cert in /config/ssl/ssl.crt/*.crt
    do
        expirationtime=`openssl x509 -enddate -in $cert | awk -F '=' '{print $2}' | xargs -I{} date -d {} +%s`
        if [ "${expirationtime}" -lt "${warningtime}" ]
        then
            echo ";$cert;" | sed -r 's/config/ssl/ssl.crt/g;'
        fi
    done > /var/tmp/ssl-cert-warning-list
    
     create list of client-ssl profiles 
    tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print ";" $4 ";"}' > /var/tmp/client-ssl-list
    
     create sed dictionary to map client-ssl profiles and used certs
    tmsh list ltm profile client-ssl cert | tr -d "\n{" | tr "}" "\n" | \
    tr -s '[[:blank:]]' | awk '{print "s/;" $4 ";/;" $4 ";" $6 ";/g"}' > /var/tmp/client-ssl-cert-dict
    
     create sed dictionary to replace profile list in virtual servers by client-ssl profiles only
    tmsh list ltm profile client-ssl | \
    awk '/^ltm profile client-ssl/ {print "s/^([^;]+).*;" $4 ";.*$/\\1;" $4 ";/g"}' > /var/tmp/client-ssl-dict 
    
     apply dictionaries to virtual servers
    tmsh list ltm virtual profiles | grep -vE '^[[:blank:]]+(profiles \{|\}|context)' | \
    tr -d "\n\{" | tr "}" "\n" | tr -s '[[:blank:]]' | \
    sed -r 's/^ltm virtual //g;s/[[:blank:]]$//g;s/$/;/g' | tr '[[:blank:]]' ';' | \
    grep -f /var/tmp/client-ssl-list | sed -r -f /var/tmp/client-ssl-dict | \
    sed -r -f /var/tmp/client-ssl-cert-dict | grep -f /var/tmp/ssl-cert-warning-list | \
    sed -r -f /var/tmp/ssl-cert-exp-dict
    
     remove temp files
    rm -f /var/tmp/ssl-cert-exp-dict /var/tmp/client-ssl-list /var/tmp/client-ssl-cert-dict \
    /var/tmp/client-ssl-dict /var/tmp/ssl-cert-warning-list 2>/dev/null
    

    Thanks, Stephan

    PS: Designed to work on v10 only!