C3D and header insert
Have a F5 that is a WAF so is performing the break and inspect on user web traffic sending through the ASM module. Since the customers backend requires a user certificate I explained to the user there are two options that can be utilized. Option 1 (preferred) the F5 prompts the user for their certificate, then the F5 performs a header insert to the backend systems (Apache) and then it is up to the customer to extract the certificate from the incoming packets. The user certificate will be the original user certificate (not modified). The backend servers must not send the "certificate request" or else the SSL negotiation will be terminated because the F5 will send a self signed cert. Option 2 (less preferred) is C3D. The customer puts the F5 certificate that will be used for signing into their backend store as a trusted CA. When the user connects the F5 prompts the user for their certificate. Then the F5 communicates to the backend server and the backend send the "certificate request". F5 will resign the user certificate and send the certificate with the F5 being the certificate signer. Customer said their Apache must prompt for the certificate, so have C3D setup on the F5 and the F5 is sending the resigned user certificate. When the customer Apache server sends that resigned certificate to the Oracle backend the Oracle refuses the certificate because the customer is storing the original user certificate in the Oracle backend. I asked why does the Oracle backend need the full certificate, the Oracle can be configured to just use the CN from the certificate. Customer answer is because that is how it works. So now the customer wants to utilize C3D and have the F5 perform a header insert of the user original certificate, I am not sure if that can be done. Even then just does not make any sense and makes things more complicated than required.Solved2.2KViews0likes6CommentsThe best book or article you've read lately that impacts your day-to-day?
Rereading The Culture Map by Erin Meyer helped remind me of some of the things I need to keep in mind when working with a global audience like the users on DevCentral. What's a book or article you've read in the last year or two, which has most strongly influenced how you do your day-to-day work?2.1KViews2likes10CommentsHow I configure syslog included specific string at /var/log/ltm ?
here is our syslog configuration sys syslog { auth-priv-from notice auth-priv-to emerg clustered-host-slot enabled clustered-message-slot disabled console-log enabled cron-from warning cron-to emerg daemon-from notice daemon-to emerg description none include none iso-date disabled kern-from debug kern-to emerg local6-from notice local6-to emerg mail-from notice mail-to emerg messages-from notice messages-to warning remote-servers { remotesyslog1 { description none host X.X.X.X local-ip X.X.X.X remote-port 514 } } user-log-from notice user-log-to emerg } And i want configure syslog to include specific string on /var/log/ltm how I can do this plz help me2.1KViews0likes13CommentsUse the REST proxy on the BIG-IQ system ERROR
Hello, I'm working in a local environment trying to use the REST proxy on the BIG-IQ system with the objective of acquire certain info of a BIG-IP. Once I've obtained the BIG-IQ token, discovered the BIG-IP device, enabled the REST-PROXY feature and obtained the BIG-IP uuid (4ad12733-95ea-47b0-a562-dd6ac6da5adc), which basically consists on following the steps found on that websiteEnabling BIG-IQ Centralized Management as a REST proxy for BIG-IP devices (f5.com);it is time to confirm that the BIGIP has been discovered and included into the BIGIP devices group with the code below. headers = { 'X-F5-Auth-Token': f'{token}' } # Request to confirm that the BIGIP was discovered and is included in the cm-bigip-allDevices group url_id = "https://192.168.1.44/mgmt/shared/resolver/device-groups/cm-bigip-allDevices/devices/4ad12733-95ea-47b0-a562-dd6ac6da5adc" response_id = requests.get(url_id, auth=HTTPBasicAuth('admin', 'psw'), headers=headers, verify=False) The problem is that whenI execute that, there is an output variable that states that "state": "PENDING", when that should be "state": "ACTIVE".Why? Do I left something? Am I doing something wrong? Thanks in advanceSolved2.1KViews0likes5CommentsHappy Star Trek Day!
Today is Star Trek Day! I know there's got to be at least one or two Trekkies in the community so let's celebrate 56 years of Star Trek together. Get in the comments and tell us your favorite Star Trek series and favorite quote (if you have one). I loveStar Trek: The Next Generation (TNG) ever since I devoured my dad's TNG VHS tapes one summer as a teenager. I was hooked. My favorite quote is from Captain Jean-Luc Picard: "It is possible to commit no mistakes and still lose. That is not a weakness. That is life." Even if we try our best and do everything right, something unexpected can happen to push us off course. Losing is a part of life, just like winning. It's ok to fail and learn from it. Have a great Star Trek Day, everyone!2KViews2likes2CommentsRouter/mesh recs?
Hi DevCentral community, it's your friendly neighborhood content manager! My ancient router is struggling to keep up with my work from home/ stream everything / play every video game lifestyle. Anyone have recommendations for a new router or router/mesh combo? Thanks in advance!1.8KViews2likes13CommentsF5 API access from java certificate error
Hi All, I am accessing the F5 API from java, but I get the certificate error on the http request: Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target But I have downloaded the certificate from the F5 portal and imported in the local java keystore. sudo keytool -importcert -alias f5_api domain -file f5_api_com.crt -keystore cacerts Still i get the above error. Please let me know I am missing anything. Thanks!1.8KViews0likes13CommentsMitigate the Spring Framework (Spring4Shell) and Spring Cloud Vulnerabilities with BIG-IP
UPDATE from F5 Support:Mitigate the Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities with the BIG-IP system You should consider using this procedure under the following condition: You want to secure your applications against the Spring Framework (CVE-2022-22965 aka Spring4Shell) and Spring Cloud vulnerability CVE-2022-22963 with the BIG-IP system. Note: F5 is still actively monitoring the situation and will update this article and/or signatures when more specific information becomes available. Description You can use the BIG-IP system to mitigate the impact of the Spring4Shell and Spring Cloud vulnerabilities in your infrastructure. For more information about these vulnerabilities, refer to K11510688: Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963. Prerequisites You must meet the following prerequisite to use this procedure: To use the BIG-IP ASM/Advanced WAF mitigation, your BIG-IP system must be licensed and provisioned for the BIG-IP ASM/Advanced WAF module. Spring Framework RCE (Spring4Shell): CVE-2022-22965 Spring Framework DoS: CVE-2022-22950 Spring Cloud RCE: CVE-2022-22963 Impact For products withNonein theVersions known to be vulnerablecolumn, there is no impact. For products with**in the various columns, F5 is still researching the issue and will update this article after confirming the required information. F5 Support has no additional information about this issue. AskF5 Article -Spring Framework (Spring4Shell) and Spring Cloud vulnerabilities CVE-2022-22965, CVE-2022-22950, and CVE-2022-22963 F5 Labs Article:What Are The Spring4Shell Vulnerabilities?1.7KViews3likes2Comments201 Recommendations for Study
Hello mates, I am a new member of the forum😀 I have to retake my 201 exam again in February and it´s been a while since the last time I touch a F5 device. I tried to look for the PDF which, as I remember, it was pretty solid material for the exam and the last time, I was able to pass the exam at the first attempt by only using the study guide and a F5 device I had on the lab. But I´ve seen recently that the guide is not longer available where it was: https://clouddocs.f5.com/training/community/f5cert/html/class3/class3.html May you kindly recommend me documentation and good material for my study. Much appreciate it! Regards,1.6KViews0likes6Comments