Balanced

Brain dump for at least semi-good ideas

Using F5 REST API with roles

I recently learned that version 12 makes it possible to use roles with the REST API, but only when using token-based authentication.

That’s fantastic! Finally there is a secure way of using the REST API without handing over administrative access.

Adding an example in PowerShell and a link to an article on DevCentral about how to do it in Python.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
	
$User = "myGuestUser"
$Password = "password"
	
#Create the string that is converted to Base64
$pair = $user + ":" + $Password

#Encode the string to base64
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))

#Add the "Basic" prefix
$basicAuthValue = "Basic $encodedCreds"

#Prepare the headers
$headers = @{
	"Authorization" = $basicAuthValue
	"Content-Type" = "application/json"
}

#Create the body of the post
$body = @{"username" = $User; "password" = $Password; "loginProviderName" = "tmos" }

#Convert the body to Json
$body = $Body | ConvertTo-Json

$response  = Invoke-WebRequest -Method "POST" -Headers $headers -Body $body -Uri "https://myltm/mgmt/shared/authn/login" 

#Extract the token from the response
$token = ($response.content | ConvertFrom-Json).Token.token

#Prepare a dictionary with the token
$headers = @{
	"X-F5-Auth-Token" = $token;
}

#Get a list of the ssl profiles of the box
$Response = Invoke-WebRequest -Method "GET" -Headers $headers -Uri "https://myltm.domain.local/mgmt/tm/ltm/profile/client-ssl"
$Profiles = ($response.Content | ConvertFrom-Json).items

Updated with code from the PowerShell guru Joel Newton showing how to patch the token so that it stays valid for up to 10 hours instead of the default 20 minutes:

#####
#Setup
$LTMName = 'myltm'
$SecPswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential "username", $SecPswd

$AuthURL = "https://$LTMName/mgmt/shared/authn/login"
$JSONBody = @{username = $Credentials.username; password=$Credentials.GetNetworkCredential().password; loginProviderName='tmos'} | ConvertTo-Json
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

#Request the token
$Result = Invoke-RestMethod -Method POST -Uri $AuthURL -Body $JSONBody -Credential $Credentials -ContentType 'application/json'
$Token = $Result.token.token
#Add the token to our session
$session.Headers.Add('X-F5-Auth-Token', $Token)

#A UUID is returned by LTM v11.6. This is needed for modifying the token.
#For v12+, the name value is used.
if ($Result.token.uuid){
    $TokenReference = $Result.token.uuid;
} else {
    $TokenReference = $Result.token.name;
}

#If we want the token to be valid for a length other than the default of 20 minutes, this is how we modify it
#NB: Max value is 36000 seconds (10 hours)
#Let's set it to 1 hour
$TokenLifespan = 3600
$Body = @{ timeout = $TokenLifespan } | ConvertTo-Json
$Headers = @{
'X-F5-Auth-Token' = $Token
}

Invoke-RestMethod -Method Patch -Uri https://$LTMName/mgmt/shared/authz/tokens/$TokenReference -Headers $Headers -Body $Body -WebSession $session | Out-Null

# Add token expiration time to session
$ts = New-TimeSpan -Minutes ($TokenLifespan/60)
$date = Get-Date -Date $Result.token.startTime
$ExpirationTime = $date + $ts
$session.Headers.Add('Token-Expiration', $ExpirationTime)

I also recommend checking out Joel's PowerShell module at the DevCentral codeshare!
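The token handling above can be wrapped so that the password is never hard-coded and the token is revoked as soon as the work is done, which matters more once the lifetime is extended beyond 20 minutes. This is an added example, not code from the original post or from Joel Newton's module; the function names and the `myltm` host are illustrative assumptions, and revoking with `DELETE` on the token resource is an assumption to verify on your BIG-IP version.

```powershell
# Added example. Function names and the 'myltm' host are illustrative assumptions.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-F5Token {
    param([string]$LTMName, [pscredential]$Credential, [int]$LifespanSeconds = 1200)
    # 1200 s is the 20-minute default; 36000 s is the maximum noted in the post.
    if ($LifespanSeconds -lt 1 -or $LifespanSeconds -gt 36000) { throw 'Lifespan must be 1..36000 seconds' }
    $body = @{ username = $Credential.UserName
               password = $Credential.GetNetworkCredential().Password
               loginProviderName = 'tmos' } | ConvertTo-Json
    $r = Invoke-RestMethod -Method Post -Uri "https://$LTMName/mgmt/shared/authn/login" `
        -Body $body -Credential $Credential -ContentType 'application/json'
    # v11.6 returns a uuid, v12+ uses the name value (as in the code above).
    $ref = if ($r.token.uuid) { $r.token.uuid } else { $r.token.name }
    $headers = @{ 'X-F5-Auth-Token' = $r.token.token }
    if ($LifespanSeconds -ne 1200) {
        Invoke-RestMethod -Method Patch -Uri "https://$LTMName/mgmt/shared/authz/tokens/$ref" `
            -Headers $headers -ContentType 'application/json' `
            -Body (@{ timeout = $LifespanSeconds } | ConvertTo-Json) | Out-Null
    }
    [pscustomobject]@{ LTMName = $LTMName; Reference = $ref; Headers = $headers
                       Expires = (Get-Date -Date $r.token.startTime).AddSeconds($LifespanSeconds) }
}

function Test-F5TokenExpired {
    # True when the token has expired or will expire within the safety margin.
    param($Session, [datetime]$Now = (Get-Date), [int]$MarginSeconds = 60)
    return $Now.AddSeconds($MarginSeconds) -ge $Session.Expires
}

function Remove-F5Token {
    # Assumption: the token resource accepts DELETE on this BIG-IP version.
    param($Session)
    $uri = "https://$($Session.LTMName)/mgmt/shared/authz/tokens/$($Session.Reference)"
    Invoke-RestMethod -Method Delete -Uri $uri -Headers $Session.Headers | Out-Null
}

function Invoke-WithF5Token {
    # Runs $Action with a token and always revokes it afterwards, even on error.
    param([string]$LTMName, [pscredential]$Credential, [scriptblock]$Action, [int]$LifespanSeconds = 1200)
    $session = Get-F5Token -LTMName $LTMName -Credential $Credential -LifespanSeconds $LifespanSeconds
    try { & $Action $session } finally { Remove-F5Token -Session $session }
}

# Offline check of the expiry logic against a constructed session object.
$sample = [pscustomobject]@{ Expires = [datetime]'2024-01-01T10:20:00' }
Test-F5TokenExpired -Session $sample -Now ([datetime]'2024-01-01T10:00:00')   # 20 minutes before expiry
Test-F5TokenExpired -Session $sample -Now ([datetime]'2024-01-01T10:19:30')   # 30 seconds before expiry, inside the margin
```

Call it as `Invoke-WithF5Token -LTMName 'myltm' -Credential (Get-Credential) -Action { param($s) Invoke-RestMethod -Uri "https://myltm/mgmt/tm/ltm/profile/client-ssl" -Headers $s.Headers }` so the password is prompted for rather than stored in the script.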

Synergy effect of running BigIPReport

This could be useful depending on your environment. BigIPReport lets you find things, but it can only go so far.

If you want to do more advanced searches, you can use the built-in functions in PowerShell to convert JSON into objects. The beauty of PowerShell objects is that you can easily run queries against them.

Attaching a few examples to get you going:

#Create new webclient object
$WebClient = New-Object System.Net.WebClient
#Enable integrated authentication
$WebClient.UseDefaultCredentials = $true
#Get the json objects
$Virtualservers = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/virtualservers.json")) | ConvertFrom-Json
$rules = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/irules.json")) | ConvertFrom-Json
$pools = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/pools.json")) | ConvertFrom-Json
$monitors = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/monitors.json")) | ConvertFrom-Json

#The data group lists can be a pain to convert if you have entries that are identical except for the case of the characters. If that's the case you need to replace the duplicates before using ConvertFrom-Json
$datagrouplists = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/datagrouplists.json")) | ConvertFrom-Json
  
#Get the virtual servers that have a specific rule
$Virtualservers | Where-Object { $_.irules -contains "/Mypartition/rulename" } | select name
 
#Find all monitors with dk in the name and no receive string. Show columns name, interval and load balancer
$monitors | Where-Object { $_.name.contains("dk") -and $_.receivestring -eq "" } |  select name, interval, loadbalancer

 

BigipReport 4.2.0

Now with virtual server details and some bug fixes. Please note that you must update your config file too (or add the irules section added in the latest version).

Since DevCentral is broken I’m posting an update here instead.


Setting up F5 APM with Google Authenticator

Setting up a secure VPN is easier than you might think. With F5 APM and Google Authenticator you’re up and running soon.

There is an article on DevCentral doing this but I thought it could be a bit simpler so I wrote my own. Tested on version 12 but should be more or less applicable to version 11 as well. Please let me know if there are any differences and I’ll update the article.


Tampermonkey – F5 Case creation

Old script does not work anymore since F5 changed their support portal. New script is available here.

Bigip Report installation instructions

New and better instructions for Bigip report can be found here.

 

VMware server home lab

This post will hopefully help anyone wanting a decent home lab and avoid some of the pitfalls.


Helping headers

Since we rely so heavily on the load balancers to handle part of the application logic, the line between application servers and network equipment is blurred. URIs and headers may change, and pools might be chosen depending on many different factors.

To add some transparency here I would recommend using the load balancer to give the users of your company additional information if they need it.


Purging Limelight CDN items with Powershell

Taking care of the CDN can be a hassle sometimes. Unless you implement the perfect system with unique keys for every item update you will need to purge content once in a while.

We asked Limelight for some guidance, but they did not have any example for PowerShell themselves, so I had to translate the existing one from Perl. The hardest part was the authentication and getting the hash right, but with some help from the nice people at Stack Overflow it worked out in the end.

Kudos also to Limelight for having a good API documentation.

As always, if you improve it then please share it.

Contributions are always appreciated!


F5 LTM Web UI Tweaks

The F5 Web UI usability has not improved that much in a long time. Version 12 is starting to do things about it, but it’s too early to adopt unless you absolutely need some of its features.

The script uses Tampermonkey, a client-side script engine, to add functionality to the F5 UI.

