Forum Discussion

Buddy_Edwards_1
Nimbostratus
Sep 09, 2016

Get ClientSSL and ServerSSL profiles using the Rest API

I've written the following script so that I can document at a high level the VIPs that I have created without having to dig into them every time I need to know pools, iRules, members, etc... the problem I have is that I need to know which SSL Cert Profiles are in use for both Client and Server and I can't seem to figure out a way to do it based on the virtual server. Does anyone know of a way to do this using the Rest API? I've read through the 11.5 iControl REST document but can't seem to find where the ClientSSL and ServerSSL profiles are located.

# Create a policy to trust all Certs
# NOTE: this disables TLS certificate validation for every request made by this
# PowerShell session, so the management connection is open to interception.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$Credential = Get-Credential
$LoadBalancer = "x.x.x.x"
$VSURL = "https://$LoadBalancer/mgmt/tm/ltm/virtual"
$PoolURL = "https://$LoadBalancer/mgmt/tm/ltm/pool"
# Client SSL profiles live under /mgmt/tm/ltm/profile/client-ssl (not used below)
$ClientSSLURL = "https://$LoadBalancer/mgmt/tm/ltm/profile/client-ssl"
# Extracts the "~Partition~name" segment from a virtual server's selfLink
$VSRegEx = "(?<=/virtual/)(.*)(?=\?)"
$ExportFile = "./F5Export.csv"

# Lookup Virtual Servers
$VirtualServerLookup = Invoke-RestMethod $VSURL -Credential $Credential
foreach ($VSLookup in $VirtualServerLookup.Items)
{
    $VirtualServerLog = ""
    $VirtualServer = [regex]::match($VSLookup.selfLink, $VSRegEx)
    $VirtualServerURL = "$VSURL/$VirtualServer"
    # Lookup Virtual Server Information
    $VS = Invoke-RestMethod $VirtualServerURL -Credential $Credential
    $VSName = $VS.Name
    $VSDestination = $VS.Destination
    $VSRules = $VS.Rules
    $VSEnabled = $VS.Enabled
    $VSPersist = $VS.Persist.Name
    $VSPool = $VS.Pool
    Write-Host "          Name: $VSName" -ForegroundColor Green
    Write-Host "           VIP: $VSDestination"
    $VirtualServerLog += "$VSName,"
    $VirtualServerLog += "$VSDestination,"
    foreach ($VSRule in $VSRules)
    {
        Write-Host "          Rule: $VSRule"
        $VirtualServerLog += "$VSRule,"
    }
    Write-Host "       Enabled: $VSEnabled"
    $VirtualServerLog += "$VSEnabled,"
    foreach ($Persist in $VSPersist)
    {
        Write-Host "   Persistence: $Persist"
        $VirtualServerLog += "$Persist,"
    }
    foreach ($Pool in $VSPool)
    {
        # Pool names are "/Partition/name"; REST item URLs use "~Partition~name"
        $PoolLookup = $Pool -replace "/","~"
        $PoolSearch = Invoke-RestMethod $PoolURL/$PoolLookup -Credential $Credential
        $PoolName = $PoolSearch.Name
        $PoolPartition = $PoolSearch.Partition
        Write-Host "          Pool: $Pool"
        Write-Host "     Pool Name: $PoolName"
        Write-Host "Pool Partition: $PoolPartition"
        $VirtualServerLog += "$Pool,"
        $VirtualServerLog += "$PoolName,"
        $VirtualServerLog += "$PoolPartition,"
        # Lookup Member Information (members are a subcollection of the pool)
        $MemberSearch = Invoke-RestMethod "$PoolURL/$PoolLookup/members/" -Credential $Credential
        foreach ($Member in $MemberSearch.Items)
        {
            $MemberName = $Member.Name
            $MemberAddress = $Member.Address
            $MemberState = $Member.State
            $MemberMonitor = $Member.Monitor
            $MemberSession = $Member.Session
            Write-Host "   Member Name: $MemberName IP Address:$MemberAddress"
            $VirtualServerLog += "$MemberName,"
            $VirtualServerLog += "$MemberAddress,"
            $VirtualServerLog += "$MemberState,"
            $VirtualServerLog += "$MemberMonitor,"
            $VirtualServerLog += "$MemberSession,"
        }
    }
    $VirtualServerLog | Out-File $ExportFile -Append
    Write-Host ""
}

2 Replies

  • You're looking for the profile associated with the virtual server. They are in a subcollection.

    This GET https://192.168.153.234/mgmt/tm/ltm/virtual/testssl

    gives me

    "profilesReference": {
        "link": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles?ver=12.1.0",
        "isSubcollection": true
    }

    so if I then send GET to that:

    https://192.168.153.234/mgmt/tm/ltm/virtual/~Common~testssl/profiles

    I get the following:

    {
      "kind": "tm:ltm:virtual:profiles:profilescollectionstate",
      "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles?ver=12.1.0",
      "items": [
        {
          "kind": "tm:ltm:virtual:profiles:profilesstate",
          "name": "clientssl",
          "partition": "Common",
          "fullPath": "/Common/clientssl",
          "generation": 284,
          "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles/~Common~clientssl?ver=12.1.0",
          "context": "clientside"
        },
        {
          "kind": "tm:ltm:virtual:profiles:profilesstate",
          "name": "serverssl",
          "partition": "Common",
          "fullPath": "/Common/serverssl",
          "generation": 284,
          "selfLink": "https://localhost/mgmt/tm/ltm/virtual/~Common~testssl/profiles/~Common~serverssl?ver=12.1.0",
          "context": "serverside"
        },

  • Using James' information, this is a one-liner (with a couple of pre-configured conditions) that I used to verify the expected Server-side SSL profiles were assigned on a list of VIPs configured with a particular pool name pattern (where the pool names are POOL_200 or POOL_210):

    Get-VirtualServer | ? Pool -match '.*/POOL_2[01]0' | Select Name,Pool,@{Name="ServerProfile"; Expression={ ( Invoke-RestMethod -Uri ( $_.profilesReference.link -replace "localhost", "" ) -Credential $cred ).items | ? context -eq serverside | Select -ExpandProperty Name } }


    The pre-configured conditions were a stored credential ($cred = Get-Credential) adequate for authenticating with the LTM, and the establishment of the F5 session using the stored credential (New-F5Session -LTMName  -LTMCredentials $cred). The stored credential is used again in the inline Invoke-RestMethod in the command.

    The result looked something like this:

    name   pool              ServerProfile
    ----   ----              -------------
    VIP_A  /Common/POOL_200  serverssl-custom
    VIP_B  /Common/POOL_210  serverssl-custom
    VIP_C  /Common/POOL_210  serverssl-custom
    VIP_D  /Common/POOL_200  serverssl-custom
    VIP_E  /Common/POOL_210  serverssl-custom
    

    You could change "context -eq serverside" to "context -eq clientside" to see that profile, or otherwise change the selection to suit.
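Putting the two replies together, here is an added example (not code from the original post or from either reply) that walks every virtual server, follows its profilesReference subcollection, and reports the client-side and server-side SSL profiles. It goes one step beyond the replies: because other profile types (for example a tcp profile) can also be attached with a clientside or serverside context, it confirms each candidate against the /mgmt/tm/ltm/profile/client-ssl and /mgmt/tm/ltm/profile/server-ssl collections before reporting it. Assumed: $LoadBalancer is the management address, $Credential is an account with read access to /mgmt/tm/ltm, and the device's management certificate is trusted by the host running the script; the function names are the example's own.

```powershell
# Added example: list the client-ssl and server-ssl profiles attached to each
# virtual server via iControl REST. Assumes the management certificate is
# already trusted (import it into the local trusted root store rather than
# installing a trust-all certificate policy, which disables TLS validation).
$Credential   = Get-Credential
$LoadBalancer = 'x.x.x.x'            # assumption: management address
$Base         = "https://$LoadBalancer/mgmt/tm/ltm"

# selfLink and *Reference.link values are written with "localhost" as the host;
# rewrite them to point at the device we are actually talking to.
function ConvertTo-DeviceUrl {
    param([string]$Link)
    return $Link -replace '^https://localhost/', "https://$LoadBalancer/"
}

function Get-VirtualSslProfiles {
    param([string]$VirtualFullPath)   # e.g. /Common/testssl
    $vsPath = $VirtualFullPath -replace '/', '~'
    $vs = Invoke-RestMethod "$Base/virtual/$vsPath" -Credential $Credential

    # The attached profiles are a subcollection (profilesReference.isSubcollection),
    # not a property of the virtual server object itself.
    $profileUrl = ConvertTo-DeviceUrl $vs.profilesReference.link
    $profiles   = (Invoke-RestMethod $profileUrl -Credential $Credential).items

    $result = foreach ($p in $profiles) {
        # context says which side of the proxy the profile applies to:
        # clientside, serverside, or all (tcp, http, ...). Map the one-sided
        # contexts to the SSL profile collection they would have to live in.
        $type = switch ($p.context) {
            'clientside' { 'client-ssl' }
            'serverside' { 'server-ssl' }
            default      { $null }
        }
        if (-not $type) { continue }

        # A one-sided context is not proof of an SSL profile (a tcp profile can be
        # attached clientside or serverside too), so confirm the profile exists in
        # the matching SSL profile collection; a 404 means it is something else.
        $profPath = $p.fullPath -replace '/', '~'
        try {
            $null = Invoke-RestMethod "$Base/profile/$type/$profPath" -Credential $Credential
        } catch {
            continue
        }

        [pscustomobject]@{
            VirtualServer = $vs.fullPath
            Context       = $p.context
            ProfileType   = $type
            Profile       = $p.fullPath
        }
    }
    return $result
}

# Walk every virtual server, emit one row per SSL profile, and save as CSV.
$virtuals = (Invoke-RestMethod "$Base/virtual" -Credential $Credential).items
$rows = foreach ($v in $virtuals) { Get-VirtualSslProfiles -VirtualFullPath $v.fullPath }
$rows | Format-Table -AutoSize
$rows | Export-Csv -Path './F5SslProfiles.csv' -NoTypeInformation
```

A virtual server with no SSL profile attached simply produces no rows, which is itself the finding you usually want when auditing for unencrypted back-end hops. The per-profile confirmation costs one extra GET per one-sided profile; if that is too slow on a large box, fetch the whole client-ssl and server-ssl collections once up front and check membership locally instead.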