Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP
We have more than 160 BIG-IP Virtual Edition with version 15.1.10.3 build 0.0.12. We need to import, in each one, an SSL Certificate in PFX/PKCS 12 format in the path System ›› Certificate Management: Device Certificate Management: Device Certificate. We looked in the documentation and the KB but we couldn't find a way to do it. Has anyone dealt with this and have a solution to do it via Script, CLI or API? Thank you.86Views0likes1CommentError in REST https call to get the Auth token
Hi All, I am using F5 14.1.5.6 version of F5 and trying to get auth token from /mgmt/shared/authn/login But getting 401 error, please find the detailed error message. Can any one help me with this issue. [{"code":401,"message":"Unable to process request /tm/auth/source. Service is unavailable.","referer":"10.3.4.112","restOperationId":343185765,"kind":":resterrorresponse"}]Solved98Views0likes1Comment[APM] The F5 API returned the error BadRequest(400)
Hello Team , We use a tool for whitelisting the URL and IP's and push the configuration to F5 everyday . We have below error on the tool . Can we check anything on the F5 . I did not find any error message on the audit logs . Error : F5 synchronization batch reported an error while managing F5 : SendRequest: The F5 API returned the error BadRequest(400) received from the API: request failed with null exception82Views0likes1CommentF5 API Security on AWS WAF
Hello community, We have deployed multiple APIs on EKS and have exposed them using an application load balancer. I have added AWS WAF on top of the ALB. I am using XML payload in the API and for XML security, I have enabled F5 API Security managed rule for WAF. My question is: Does F5 managed rule for API Security on AWS WAF provides XML validation? If yes, what rule is that inside the managed rule set? Can we configure the F5 managed rule to check my XML payload based on regex? How can I configure it? Thanks in advance! Avinash133Views0likes1CommentNginx is only redirecting to port 8080
I have a .net 8 solution multiple APIs and I'm using docker and Nginx to host the application. please find below the full details: Dockerfile FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base WORKDIR /app EXPOSE 8080 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build ARG BUILD_CONFIGURATION=Release ... FROM build AS publish ARG BUILD_CONFIGURATION=Release RUN dotnet publish "xxx.Api/xxx.Api.csproj" -c Release -o /app/publish /p:UseAppHost=false FROM base AS final WORKDIR /app COPY --from=publish /app/publish . ENTRYPOINT ["dotnet", "xxx.Api.dll"] launchsettings.json "Docker": { "commandName": "Docker", "launchBrowser": true, "launchUrl": "{Scheme}://{ServiceHost}:{ServicePort}/swagger", "publishAllPorts": true, "useSSL": true, "sslPort": 4430, "httpPort": 8080 } nginx.conf worker_processes auto; events { worker_connections 1024; } http{ server { listen 80; server_name domain; port_in_redirect off; location /api1 { rewrite /api1(.*) $1 break; proxy_pass http://api1:8080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } location /api2 { rewrite /api2(.*) $1 break; proxy_pass http://api2:8081; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } docker-compose version: '3.4' services: nginx: image: nginx ports: - 80:80 volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro depends_on: - api1 - api2 api1: image: ${DOCKER_REGISTRY-}api1:latest container_name: api1 build: context: . dockerfile: api1.Api/Dockerfile ports: - "8080:8080" api2: image: ${DOCKER_REGISTRY-}api2:latest container_name: api2 build: context: . dockerfile: api2.API/Dockerfile ports: - "8081:8081" API1 that uses port 8080 loads normally but API2 that uses 8081 get error 502 gateway error. If I switch the port on those same projects than API2 loads normally and API1 stops loading. I've been trying all kinds of stuff over last 2 days and nothing seems to work. Those same projects with the same configuration were working perfectly when I was using .net 6 with the same nginx version, but when I upgraded the project to .net 8 it broke. I need your help and suggestions. Anything will be helpfull.562Views0likes2CommentsModifying multiple entries in a datagroup via api?
We have a datagroup with entries like this: domain1.com := virtual /Common/www.domain1.com_vs_443 domain2.com := virtual /Common/www.domain2.com_vs_443 domain3.com := virtual /Common/www.domain3.com_vs_443 And so forth. This datagroup gets used by an iRule for re-routing traffic based on SNI. I need to be able to make an HTTP call to the F5 to remap these to put up a mainteance page. So in other words I want to modify the above to: domain1.com := virtual /Common/maintenance.domain1.com_vs_443 domain2.com := virtual /Common/maintenance.domain2.com_vs_443 domain3.com := virtual /Common/maintenance.domain3.com_vs_443 I figured out that I can make a curl request as such to delete entries from the datagroup: curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records%20delete%20%7B%20www.domain1.com,www.domain2.com,www.domain3.com%20%7D |jq . And via this articlehttps://community.f5.com/t5/technical-forum/add-new-key-into-data-group-without-updating-entire-list-using/td-p/272699I was able to determine we could add a key using this: curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records%20add%20%7b%20www.domain1.com%20%7b%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7d%20%7d' |jq . However then I have to have one HTTP Request per domain. If I need to repoint 20 sites for example I have to make 20 different requests instead of one request with all domains. Is there a way to add multiple records at once? I tried something like this: curl -ku "admin:superS3cret" -X PATCH -H 'Content-type: application/json' -d '{ "name":"dummy" }' 'https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options%3Drecords%20add%20%7B%20www.domain1.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7D%20domain1.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain1.com_vs_443%22%20%7D%20www.domain2.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain2.com_vs_443%22%20%7D%20www.domain3.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain3.com_vs_443%22%20%7D%20www.domain4.com%20%7B%20data%20%22virtual%20%2FCommon%2Fmaintenance.domain4.com_vs_443%22%20%7D%7D' |jq . Here's the URL HTML decoded (so its easier to read): https://lb1.internal.local/mgmt/tm/ltm/data-group/internal/dummy?options=records add { www.domain1.com { data "virtual /Common/maintenance.domain1.com_vs_443" } domain1.com { data "virtual /Common/maintenance.domain1.com_vs_443" } www.domain2.com { data "virtual /Common/maintenance.domain2.com_vs_443" } www.domain3.com { data "virtual /Common/maintenance.domain3.com_vs_443" } www.domain4.com { data "virtual /Common/maintenance.domain4.com_vs_443" }} However I get this error: { "code": 400, "message": "one or more properties must be specified", "errorStack": [], "apiError": 26214401 } I haven't been able to figure out if adding multiple records isn't supported or if I have the syntax wrong and frankly the documentation here:https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_data-group_internal.htmland here:https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/ltm/ltm_data-group_internal.htmlisn't super clear. Frankly the fact that patch doesn't just modify entries sent seems like a bug to me and using ?options record add seems like a hack. Alternatively is there some way to run a modify instead of running delete and then add? That would be even more efficient (less HTTP calls) and less opportunity for a call to fail. I know I can just get all records, modify them and then post all records back. The trouble with that approach is that then I'm touching records I really don't want to touch and having to do some sort of regex replace. This seems like it could have the potential to accidentally modify records I don't want to modify if my regex isn't very explicit. I would prefer a more targeted approach which only modifies the records that need modifying and that touches nothing else. ThanksSolved816Views0likes9CommentsASM block page for use with API waf policy
Hey all! I´ve setup a asm waf policy for a webservice that handels api calls. But the standard response on a block is a 200 OK with the block webpage, which works great if a person can see it on the screen.. when it´s an api call the service just gets a <!DO (the first characters of the webpage) and a 200 OK. What I want to do I just return a 403 / 503 (or something like that) and just respond with the support ID in a header back to the source. I´ve got most of it figured out, except the header part... So... doesnt anyone know a good way for me to insert a support ID to a header response back to the client?Solved1.7KViews0likes17CommentsModify SSL profiles via REST API
Hi wiz's I have been spending some time on automating certificate maintenance. This has brought my attention to this documentation: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_profile_client-ssl.html In the table descriping "cert", "chain" and "key" it states in the notes that they are depricated and I should use certKeyChain option instead. However no matter what I construct of calls which makes changes to an already existing clientssl profile (PATCH and PUT) I'm told: {"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1} Example code: curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/ --header 'Content-Type: application/json' --data-raw '{ "name":"sletmig", "certKeyChain":[{"name":"default","cert":"hest.dk_2023","key":"hest.dk_2023","chain":"My_CA"}] }' {"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1} I can make the change via this syntax: curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/~Common~sletmig -H "Content-Type: application/json" -d '{ "key":"/Common/hest.dk_2023", "cert":"/Common/hest.dk_2023", "chain":"/Common/My_CA" }'|jq Do I read the documentation wrong or am I missing something else? JRahm any hints?Solved918Views1like5Comments