Ruby and iControl: Distilling SSL Certificate Information from SOAP::Mapping::Objects

We hope by now that you have gotten a running start with our Ruby iControl libraries. We have posted a few other Tech Tips on Ruby and iControl, but have not touched on the retrieval of information from the BIG-IP. In this Tech Tip, we will discuss how to handle the information returned as SOAP::Mapping::Objects.

SOAP::Mapping::Objects are used by the Ruby iControl library to return data requested from the BIG-IP. In this example, we will be working with SSL certificate information and formatting it into a readable format for our system administrator. The objective of this script is to provide an alternative to the GUI for checking certificates and displaying those with weak keys as well as those that have expired or will be expiring soon.

CertificateInformation Structure

In our script, we make an iControl call using the Management::KeyCertificate::get_certificate_list method to retrieve all of the ‘MANAGEMENT_MODE_DEFAULT’ certificates or those that are used in SSL profiles.

bigip["Management.KeyCertificate"].get_certificate_list("MANAGEMENT_MODE_DEFAULT")

This call will then return an array of CertificateInformation [] structures in the form of a SOAP::Mapping::Object, which behaves much like an array of hashes for the Rubyist. We will then loop through the array of structures and build a hash of values to be formatted for output. For instance, if we wanted to retrieve the serial number of a particular certificate, we would retrieve it like so:

certs = bigip["Management.KeyCertificate"].get_certificate_list("MANAGEMENT_MODE_DEFAULT")
serial_number = certs[3]['certificate']['serial_number']

This will return the certificate serial number of the 4th (offset of 3, makes it the fourth position) certificate in the array of CertificateInformation. We continue this procedure with other data while formatting it for output. In this script we are color-coding weak and expired/expiring certificates:

def format_text(text, code)
  "#{code}#{text}\e[00m"
end

def red(text)
  format_text(text, "\e[01;31m")
end

def green(text)
  format_text(text, "\e[01;32m")
end

def yellow(text)
  format_text(text, "\e[01;33m")
end

def key_strength_label(key_length)
  case(key_length)
    when 0..1023
      red("low")
    when 1024..2047
      yellow("medium")
    else
      green("strong")
  end
end

# Print the key size and strength label of the 2nd certificate (offset 1)
certs = bigip["Management.KeyCertificate"].get_certificate_list("MANAGEMENT_MODE_DEFAULT")
puts "Size: #{certs[1]['certificate']['bit_length']}"
puts "Strength: #{key_strength_label(certs[1]['certificate']['bit_length'].to_i)}"

This bit of code makes the public key strength of the certificate easy to spot for anyone reviewing this data. The resulting output would be the key size and strength of the 2nd certificate in the array and would look as such:

Size: 1024
Strength: (medium)

If you download the full ssl-certificate-report.rb tool, you can peruse through the code to see how we retrieve, format, and output the rest of the data.
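The loop described above, which walks the whole array and builds one hash of values per certificate, can be sketched as follows. This is an added example, not code from ssl-certificate-report.rb: plain Ruby hashes stand in for the SOAP::Mapping::Object entries, the sample data is constructed, and the 'expiration_date' field (epoch seconds) and the helper names are assumptions. The key-length thresholds mirror the article's.

```ruby
# Added example: plain hashes stand in for the SOAP::Mapping::Object entries
# returned by get_certificate_list; all sample values are constructed.
DAY = 86_400

def key_strength(bit_length)
  case bit_length.to_i # SOAP values arrive as strings; nil.to_i is 0 => :low
  when 0..1023    then :low
  when 1024..2047 then :medium
  else :strong
  end
end

# 'expiration_date' as epoch seconds is an assumed field name and format.
def expiry_status(expiration_date, now, watermark_days = 30)
  remaining = expiration_date.to_i - now.to_i
  return :expired if remaining <= 0
  remaining <= watermark_days * DAY ? :expiring_soon : :valid
end

# Build one plain hash per certificate, ready to be formatted for output.
def summarize(certs, now: Time.now, watermark_days: 30)
  certs.map do |entry|
    cert = entry['certificate']
    { serial:   cert['serial_number'],
      bits:     cert['bit_length'].to_i,
      strength: key_strength(cert['bit_length']),
      expiry:   expiry_status(cert['expiration_date'], now, watermark_days) }
  end
end

# Rows an administrator should act on: weak keys or anything not plainly valid.
def needs_attention(rows)
  rows.select { |r| r[:strength] != :strong || r[:expiry] != :valid }
end

NOW = Time.utc(2011, 3, 2) # fixed clock so the sample is reproducible
SAMPLE_CERTS = [ # constructed data, not real certificates
  { 'certificate' => { 'serial_number' => '01', 'bit_length' => '2048',
                       'expiration_date' => (NOW.to_i + 400 * DAY).to_s } },
  { 'certificate' => { 'serial_number' => '02', 'bit_length' => '1024',
                       'expiration_date' => (NOW.to_i + 10 * DAY).to_s } },
  { 'certificate' => { 'serial_number' => '03', 'bit_length' => '512',
                       'expiration_date' => (NOW.to_i - 5 * DAY).to_s } }
]

needs_attention(summarize(SAMPLE_CERTS, now: NOW)).each { |r| puts r.inspect }
```

Returning symbols instead of colored strings keeps the classification separate from the terminal formatting, so the same rows can feed the colored report or a plain-text one.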

Using ssl-certificate-report.rb

Understanding how to extract data from SOAP::Mapping::Objects will aid you in writing your own Ruby iControl scripts; however, the ssl-certificate-report.rb script is a great tool by itself. It can act as a single pane of glass for querying a number of BIG-IPs without having to navigate through the GUI on each of them. The tool expects at least 2 options: the BIG-IP address and username (you’ll be prompted for a password). There are a number of other options that can also be provided, as shown below:

% ssl-certificate-report.rb -h
  ssl-certificate-report.rb -b  -u 
    -b (--bigip-address)   BIG-IP management-accessible address
    -u (--bigip-user)      BIG-IP username
    -p (--bigip-pass)      BIG-IP password (will prompt if left blank
    -n (--cert-name)       name of certificate to display (display all by default)
    -l (--cert-list)       list of certificates managed by the BIG-IP
    -d (--watermark-days)  certificates expiring inside this number of days will be marked as "expiring soon", default is 30 days
    -c (--no-color)        disable color coding for the shell (useful if piping output to less or are using Windows)
    -v (--verbose)         show all certificate information (brief by default)
    -h (--help)            shows this help/usage dialog

Here is an example of the output when I run the script on a particular certificate and enable verbosity:

Conclusion

We hope that this Tech Tip will help you manage your SSL certificates as well as retrieve useful data from the SOAP objects used in the Ruby iControl library. Managing SSL certificates for a large organization can be a job all its own, and having the right tools can cut down on the legwork substantially. If you have any questions regarding this code or working with the Ruby iControl Library, be sure to post them in the iControl forum.

The full application code can be downloaded from the code share: SSLCertificateReport

Published Mar 02, 2011
Version 1.0
