f5-automation-config-converter's Introduction

F5 BIG-IP Automation Config Converter (BIG-IP ACC)

Introduction

F5 BIG-IP Automation Config Converter (BIG-IP ACC) is an app written in Node.js that converts a BIG-IP configuration into an AS3 declaration, distributed as an easy-to-use docker image.

Quick Start

docker pull f5devcentral/f5-automation-config-converter:latest
docker run --rm -v "$PWD":/app/data f5devcentral/f5-automation-config-converter:latest --ucs /app/data/<your-UCS-file>.ucs

Support

ACC is a community-supported offering, and your feedback is greatly appreciated. If you come across a bug, please submit an issue to our team.

f5-automation-config-converter's People

Contributors

hvaneenoo, kmaloney, p-semenov-f5, sschadwick

f5-automation-config-converter's Issues

Generated AS3 declaration is invalid when virtualAddress is a reference to serviceAddress

Environment

  • Application Services Version: 1.12.0
  • BIG-IP Version: v16

Summary

ACC generated an AS3 declaration, and an attempt to post the generated declaration results in a 422 response:

{
    "code": 422,
    "errors": [
        "/waf/http/serviceMain/virtualAddresses/0: should match format \"f5ip\""
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

This validation error is related to the following portion of the AS3 config:

    "waf": {
        "class": "Tenant",
        "http": {
            "class": "Application",
            "template": "http",
            "WAF__http": {
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "event": "request",
                                "enabled": true,
                                "type": "http"
                            }
                        ]
                    }
                ],
                "strategy": "first-match",
                "class": "Endpoint_Policy"
            },
            "pool": {
                "members": [
                    {
                        "addressDiscovery": "fqdn",
                        "hostname": "test-hostname.local",
                        "servicePort": 443
                    }
                ],
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "bigip": "/Common/http"
                    }
                ]
            },
            "serviceMain": {
                "remark": "http",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "pool",
                "securityLogProfiles": [
                    {
                        "use": "/Common/Shared/Log_illegal_requests"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTP",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "profileBotDefense": {
                    "use": "/waf/Shared/ASM_policyWAF"
                },
                "virtualAddresses": [
                    "serviceAddress/0"
                ],
                "snat": "auto",
                "policyEndpoint": "/waf/http/WAF__http"
            }
        },
        "Shared": {
            "class": "Application",
            "template": "shared",
            "serviceAddress": {
                "virtualAddress": "any/0",
                "icmpEcho": "disable",
                "trafficGroup": "/Common/traffic-group-1",
                "class": "Service_Address"
            }
        }
    }

After looking at the BIG-IP configuration, it was discovered that the AS3 declaration was generated from the following config:

ltm virtual /waf/http/serviceMain {
    description http
    destination /waf/serviceAddress:80
    ip-protocol tcp
    mask any
    persist {
        /Common/cookie {
            default yes
        }
    }
    policies {
        /waf/http/_WAF__http { }
    }
    pool /waf/http/pool
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
        /Common/websecurity { }
        /waf/Shared/ASM_policyWAF { }
    }
    security-log-profiles {
        "/Common/Log illegal requests"
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /waf/serviceAddress {
    address any
    arp enabled
    icmp-echo disabled
    inherited-traffic-group true
    mask any
    traffic-group /Common/traffic-group-1
}

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /waf/http/serviceMain {
    description http
    destination /waf/serviceAddress:80
    ip-protocol tcp
    mask any
    persist {
        /Common/cookie {
            default yes
        }
    }
    policies {
        /waf/http/_WAF__http { }
    }
    pool /waf/http/pool
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
        /Common/websecurity { }
        /waf/Shared/ASM_policyWAF { }
    }
    security-log-profiles {
        "/Common/Log illegal requests"
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /waf/serviceAddress {
    address any
    arp enabled
    icmp-echo disabled
    inherited-traffic-group true
    mask any
    traffic-group /Common/traffic-group-1
}
  2. Review generated AS3 declaration:
    "waf": {
        "class": "Tenant",
        "http": {
            "class": "Application",
            "template": "http",
            "WAF__http": {
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "event": "request",
                                "enabled": true,
                                "type": "http"
                            }
                        ]
                    }
                ],
                "strategy": "first-match",
                "class": "Endpoint_Policy"
            },
            "pool": {
                "members": [
                    {
                        "addressDiscovery": "fqdn",
                        "hostname": "f5-waf.int.coles-dps-uat.sandbox.rmbspay.net",
                        "servicePort": 443
                    }
                ],
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "bigip": "/Common/http"
                    }
                ]
            },
            "serviceMain": {
                "remark": "http",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "pool",
                "securityLogProfiles": [
                    {
                        "use": "/Common/Shared/Log_illegal_requests"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTP",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "profileBotDefense": {
                    "use": "/waf/Shared/ASM_policyWAF"
                },
                "virtualAddresses": [
                    "serviceAddress/0"
                ],
                "snat": "auto",
                "policyEndpoint": "/waf/http/WAF__http"
            }
        },
        "Shared": {
            "class": "Application",
            "template": "shared",
            "serviceAddress": {
                "virtualAddress": "any/0",
                "icmpEcho": "disable",
                "trafficGroup": "/Common/traffic-group-1",
                "class": "Service_Address"
            }
        }
    }
  3. POST the generated AS3 declaration to AS3

Expected Behavior

AS3 accepts declaration and creates all needed objects

Actual Behavior

AS3 throws the following validation exception:

{
    "code": 422,
    "errors": [
        "/waf/http/serviceMain/virtualAddresses/0: should match format \"f5ip\""
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

Converting VS with lsn pool is not compliant with schema reference

Environment

  • Application Services Version:
    {
    "version": "3.25.0",
    "release": "3",
    "schemaCurrent": "3.25.0",
    "schemaMinimum": "3.0.0"
    }
  • BIG-IP Version:
    Product: BIG-IP
    Version: 14.1.3
    Build: 0.0.7
    Sequence: 14.1.3-0.0.7.0
    BaseBuild: 0.0.7
    Edition: Final

VELOS platform

Summary

Attaching LSN pool to “snat” field is not valid, according to the schema reference:
F5 schema-reference
Values of the "snat" field should be: "auto", "none" or "self" only.

This impacts migrations to the VELOS platform, as Charon creates an AS3 declaration which cannot be loaded on it: CGNAT/lsn pool is not supported on VELOS. Loading lsn pool objects causes failure.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /Common/cgnat_vs {
    creation-time 2020-11-26:03:52:47
    destination /Common/10.144.18.44:0
    ip-protocol tcp
    last-modified-time 2020-11-26:03:52:47
    mask 255.255.255.255
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/24
    source-address-translation {
        pool /Common/lsn_pool_test
        type lsn
    }
    translate-address disabled
    translate-port disabled
}

ltm lsn-pool /Common/lsn_pool_test {
    egress-interfaces {
        /Common/vlan2
    }
    egress-interfaces-disabled
    members {
        10.10.10.0/23
    }
}
  2. Observe the following error message:
    Not tested on the classic BIG-IP.
    On VELOS there is an incompatibility, as the new platform does not support CGNAT (-> lsn pool) yet - loading such configuration would cause an error.

The problem lies in the declaration itself, because, according to the schema reference, AS3 should not support lsn pool (so referencing such in the "snat" field is incorrect).

Expected Behavior

Charon should never reference lsn pools in AS3 declarations.

Actual Behavior

Charon references lsn pool in "snat" field.
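
A pre-flight check for the two declaration-validity reports above (the virtualAddresses reference and the "snat" value), as an added example that is not ACC or AS3 code: it walks a converted declaration and reports Service entries whose virtualAddresses strings are not address literals, or whose "snat" string is outside the three values named above. The function names, the address test (a loose stand-in, not AS3's "f5ip" format) and the snat value in the cgnat_vs sample are assumptions; the issue does not show the converter's output for that service.

```javascript
// Added example, not ACC or AS3 code. All function names are hypothetical.

// String values the issue above lists as valid for "snat".
const SNAT_KEYWORDS = new Set(['auto', 'none', 'self']);

function isIPv4(s) {
    const octets = s.split('.');
    return octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
}

// Loose IPv6 shape check: hex groups and colons, at most one "::".
function isLooseIPv6(s) {
    return s.includes(':') && /^[0-9a-fA-F:.]+$/.test(s) && s.split('::').length <= 2;
}

// Address literal with optional %route-domain and /prefix, e.g. "0.0.0.0%10/0".
// This is a conservative stand-in, NOT the definition of AS3's "f5ip" format.
function looksLikeAddress(value) {
    const m = /^([^%/]+)(%\d+)?(\/\d+)?$/.exec(value);
    return m !== null && (isIPv4(m[1]) || isLooseIPv6(m[1]));
}

function lintService(path, svc, findings) {
    const addrs = Array.isArray(svc.virtualAddresses) ? svc.virtualAddresses : [];
    addrs.forEach((entry, i) => {
        // An entry may be a [destination, source] pair; check every string in it.
        const parts = Array.isArray(entry) ? entry : [entry];
        parts.forEach((part) => {
            if (typeof part === 'string' && !looksLikeAddress(part)) {
                findings.push({ path: `${path}/virtualAddresses/${i}`, rule: 'address-literal', value: part });
            }
        });
    });
    if (typeof svc.snat === 'string' && !SNAT_KEYWORDS.has(svc.snat)) {
        findings.push({ path: `${path}/snat`, rule: 'snat-keyword', value: svc.snat });
    }
}

// Depth-first walk; every object whose class is Service_* (except
// Service_Address, which is not a virtual server) is linted.
function lintDeclaration(node, path = '', findings = []) {
    if (node === null || typeof node !== 'object') return findings;
    const cls = typeof node.class === 'string' ? node.class : '';
    if (cls.startsWith('Service_') && cls !== 'Service_Address') {
        lintService(path, node, findings);
    }
    for (const [key, child] of Object.entries(node)) {
        if (child && typeof child === 'object' && !Array.isArray(child)) {
            lintDeclaration(child, `${path}/${key}`, findings);
        }
    }
    return findings;
}

// Trimmed from the first issue's declaration, plus one constructed service.
const SAMPLE_DECLARATION = {
    waf: {
        class: 'Tenant',
        http: {
            class: 'Application',
            serviceMain: {
                class: 'Service_HTTP',
                virtualAddresses: ['serviceAddress/0'],
                snat: 'auto'
            }
        },
        Shared: {
            class: 'Application',
            serviceAddress: { class: 'Service_Address', virtualAddress: 'any/0' }
        }
    },
    Common: {
        class: 'Tenant',
        Shared: {
            class: 'Application',
            cgnat_vs: {
                class: 'Service_TCP',
                virtualAddresses: ['10.144.18.44'],
                snat: '/Common/lsn_pool_test' // constructed value, see lead-in
            }
        }
    }
};

console.log(lintDeclaration(SAMPLE_DECLARATION));
```

The first finding's path is the same JSON pointer AS3 reports in its 422 response, so the check can run in a pipeline before the declaration is ever POSTed.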

[RFE] Provide api interface

Is your feature request related to a problem? Please describe.

Users and developers would like to access ACC features and functionality via other methods (command line) or within other tools. Furthermore, consuming a docker package can be a barrier for many (including customers).

Describe the solution you'd like

Provide a programmatic way to interface with ACC (direct api via something like a nodejs npm package).

I recommend something like the F5 FAST approach. They released a 'core' npm module https://github.com/f5devcentral/f5-fast-core, which is used by the ILX RPM that is installed on TMOS. The core npm module also has a command line. So, users can just utilize the product from a simple command line (other than 'npm install f5-fast-core'), or can integrate it into any automation or solution they desire (wrap it in a REST API, or even wrap that in a gui).

Describe alternatives you've considered

Few alternatives, but to reiterate, the current docker packaging can be a barrier to consumption for some people.

Additional context

With a direct API interface, users would be able to utilize ACC functionality in any way imagined (driving further consumption).

For example, direct integration into the vscode-f5-chariot vscode extension, which could remove the need for docker altogether, provide a single install package and an easy point/click interface to utilize ACC. This solution also has the benefit of being able to code a "help" function that could capture all the necessary configs/logs/output for a user to submit a bug/rfe request, further simplifying the feedback process.

https://github.com/f5devcentral/vscode-f5-chariot

Furthermore, a native command line utility can have fewer requirements for consumption.

Another example of a modular api tool with a command line: https://github.com/f5devcentral/f5-corkscrew#installation

[BUG] special chars in data-group data values

history

As discussed in #28, starting a new issue to track special characters in data-group data values breaking conversions

data

Seems that special characters "some data with special !@#${}[]12345", including quotes, are currently not parsed as expected

example config

ltm data-group internal /partition_1/string-datagroup {
    records {
        /api/test/app1 {}
        /api/test/app2 { 
            data something
        }
        /api/test/app3 { 
            data "something in quotes with special stuff!@#${}[]"
        }
        /api/test/app4 { 
            data 1234x5678
        }
    }
    type string
}
ltm data-group internal /partition_2/address_datagroup {
    records {
        1.1.1.1/28 {
            data somedata
        }
        2.2.2.2/32 {
            data "some data with special !@#${}[]12345"
        }
        3.3.3.3/24 {
            data 6534cv
        }
    type ip
    }
}
ltm data-group internal /partition_3/integer_datagroup {
    records {
        1 {
            data 1
        }
        4 {
            data xxx
        }
        5 {
            data 5000
        }
        777 {
            data 7
        }
        96789 {
            data "some data with special !@#${}[]12345"
        }
    }
    type integer
}

output

{
    "class": "ADC",
    "schemaVersion": "3.27.0",
    "id": "urn:uuid:be623a13-ce3c-4678-b296-dea9bae66ef9",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "partition_1": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "string-datagroup": {
                "records": [
                    {
                        "key": "/api/test/app1",
                        "value": ""
                    },
                    {
                        "key": "/api/test/app2",
                        "value": ""
                    },
                    {
                        "key": "}",
                        "value": ""
                    },
                    {
                        "key": "/api/test/app3",
                        "value": ""
                    },
                    {
                        "key": "data \"something in quotes with special stuff!@#$",
                        "value": ""
                    },
                    {
                        "key": "/api/test/app4",
                        "value": ""
                    }
                ],
                "keyDataType": "string",
                "class": "Data_Group"
            }
        }
    },
    "partition_2": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "address_datagroup": {
                "records": [
                    {
                        "key": "1.1.1.1/28",
                        "value": "somedata"
                    },
                    {
                        "key": "2.2.2.2/32",
                        "value": ""
                    },
                    {
                        "key": "3.3.3.3/24",
                        "value": "6534cv"
                    }
                ],
                "class": "Data_Group",
                "keyDataType": "string"
            }
        }
    },
    "partition_3": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "integer_datagroup": {
                "records": [
                    {
                        "key": 1,
                        "value": "1"
                    },
                    {
                        "key": 4,
                        "value": "xxx"
                    },
                    {
                        "key": 5,
                        "value": "5000"
                    },
                    {
                        "key": 777,
                        "value": "7"
                    },
                    {
                        "key": 96789,
                        "value": ""
                    }
                ],
                "keyDataType": "integer",
                "class": "Data_Group"
            }
        }
    }
}

things to note

  • app2 string data-group missing value data
  • key 3 from string data-group is "}", probably continuation of previous error
  • app4 from string data-group has quotes with special chars that don't convert
  • address data-group value with special chars gets lost
  • integer data-group with special chars also gets lost

additional thoughts

It may be worth looking at the default internal data-groups created by as3/analytics and atgTeem

[BUG] data-group conversions empty or errors using f5-chariot on Windows

high level problem

When converting string and ip type data-groups, records do not get converted.

Converting integer type data-group results in a runtime error.

TMOS version: 14.1
ACC version: 1.12.0


string/ip data-group example

TMOS configs

ltm data-group internal /partition_1/string-datagroup {
    records {
        /api/test/app1 {}
    }
    type string
}
ltm data-group internal /partition_2/address_datagroup {
    records {
        1.1.1.1/28 {
            data /
        }
        2.2.2.2/32 {
            data /
        }
        3.3.3.3/24 {
            data /
        }
    type ip
    }
}

ACC output

{
    "class": "ADC",
    "schemaVersion": "3.27.0",
    "id": "urn:uuid:f8a2be46-d0b0-4451-8e5f-241cd1d1ac4a",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "partition_1": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "string-datagroup": {
                "records": [
                    {
                        "key": "0",
                        "value": ""
                    }
                ],
                "keyDataType": "string",
                "class": "Data_Group"
            }
        }
    },
    "partition_2": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "address_datagroup": {
                "records": [
                    {
                        "key": "0",
                        "value": ""
                    }
                ],
                "keyDataType": "ip",
                "class": "Data_Group"
            }
        }
    }
}

ACC logs

[2021-05-25T12:55:25.716Z] [INFO]: ACC METADATA {
  recognized: {
    'ltm data-group internal /partition_1/string-datagroup': { records: '{', '/api/test/app1': {}, '}': '', type: 'string' },
    'ltm data-group internal /partition_2/address_datagroup': { records: '{', type: 'ip', '}': '' }
  },
  supported: {
    'ltm data-group internal /partition_1/string-datagroup': { records: '{', '/api/test/app1': {}, '}': '', type: 'string' },
    'ltm data-group internal /partition_2/address_datagroup': { records: '{', type: 'ip', '}': '' }
  },
  unSupported: {},
  declarationInfo: {
    classes: { Data_Group: 2 },
    maps: {
      applications: [ '/partition_1/Shared', '/partition_2/Shared' ],
      objects: [
        '/partition_1/Shared/string-datagroup',
        '/partition_2/Shared/address_datagroup'
      ],
      tenants: [ '/partition_1', '/partition_2' ]
    },
    total: 2
  }
}
[2021-05-25T13:05:19.198Z] [INFO]: f5.chariot.convert called
[2021-05-25T13:05:19.198Z] [INFO]: f5.chariot.convert text found
[2021-05-25T13:05:19.850Z] [INFO]: ACC METADATA {
  recognized: {
    'ltm data-group internal /partition_1/string-datagroup': {
      records: '{',
      '/api/test/app1': {},
      'data "something in quotes with special stuff!@#$': {},
      '}': '',
      type: 'string'
    },
    'ltm data-group internal /partition_2/address_datagroup': {
      records: '{',
      'data "some data with special !@#$': {},
      type: 'ip',
      '}': ''
    }
  },
  supported: {
    'ltm data-group internal /partition_1/string-datagroup': {
      records: '{',
      '/api/test/app1': {},
      'data "something in quotes with special stuff!@#$': {},
      '}': '',
      type: 'string'
    },
    'ltm data-group internal /partition_2/address_datagroup': {
      records: '{',
      'data "some data with special !@#$': {},
      type: 'ip',
      '}': ''
    }
  },
  unSupported: {},
  declarationInfo: {
    classes: { Data_Group: 2 },
    maps: {
      applications: [ '/partition_1/Shared', '/partition_2/Shared' ],
      objects: [
        '/partition_1/Shared/string-datagroup',
        '/partition_2/Shared/address_datagroup'
      ],
      tenants: [ '/partition_1', '/partition_2' ]
    },
    total: 2
  }
}

integer data-group details

tmos config

ltm data-group internal integer_datagroup {
    records {
        1 {
            data 1
        }
        4 {
            data xxx
        }
        5 {
            data 5000
        }
        777 {
            data 7
        }
        96789 {
            data "some data with special !@#${}[]12345"
        }
    }
    type integer
}

error message from log

[2021-05-25T13:10:06.693Z] [INFO]: f5.chariot.convert called
[2021-05-25T13:10:06.693Z] [INFO]: f5.chariot.convert text found
[2021-05-25T13:10:06.694Z] [ERROR]: f5.chariot.convert failed with [TypeError: Cannot read property 'endsWith' of undefined
	at module.exports (c:\Users\bgordon\.vscode\extensions\f5devcentral.vscode-f5-chariot-1.12.0\node_modules\f5-as3-config-converter\src\util\convert\findLocation.js:33:24)
	at module.exports (c:\Users\bgordon\.vscode\extensions\f5devcentral.vscode-f5-chariot-1.12.0\node_modules\f5-as3-config-converter\src\removeIapp.js:27:21)
	at Object.acc (c:\Users\bgordon\.vscode\extensions\f5devcentral.vscode-f5-chariot-1.12.0\out\accWrapper.js:68:28)
	at c:\Users\bgordon\.vscode\extensions\f5devcentral.vscode-f5-chariot-1.12.0\out\extension.js:72:70
	at runMicrotasks (<anonymous>)
	at processTicksAndRejections (internal/process/task_queues.js:93:5)
	at async c:\Users\bgordon\.vscode\extensions\f5devcentral.vscode-f5-chariot-1.12.0\out\extension.js:69:13]

expected

string, ip and integer data-groups should not produce an error and should get the appropriate records as indicated in the source

example string data-group as as3 object

            "string-datagroup": {
                "records": [
                    {
                        "key": "/api/test/app1",
                        "value": ""
                    },
                    {
                        "key": "/api/test/app2",
                        "value": "something"
                    },
                    {
                        "key": "/api/test/app3",
                        "value": "something in quotes with special stuff!@#${}[]"
                    },
                    {
                        "key": "/api/test/app4",
                        "value": "1234x5678"
                    }
                ],
                "keyDataType": "string",
                "class": "Data_Group"
            }
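
A quote-aware parse of the data-group syntax from the two data-group reports above, as an added example that is not ACC's parser: braces count as structure only outside double quotes, so a quoted data value containing {}[] survives intact. The function names (tokenize, parseDataGroup, toAs3DataGroup) are hypothetical; the sample is the string data-group from the first report.

```javascript
// Added example, not ACC code. All function names are hypothetical.

// Split TMOS text into tokens. Braces are structural only outside double
// quotes, so a quoted value such as "x!@#${}[]" stays a single word.
function tokenize(text) {
    const tokens = [];
    let i = 0;
    while (i < text.length) {
        const ch = text[i];
        if (/\s/.test(ch)) { i += 1; continue; }
        if (ch === '{' || ch === '}') { tokens.push({ type: ch }); i += 1; continue; }
        let value = '';
        if (ch === '"') {
            i += 1;
            while (i < text.length && text[i] !== '"') {
                if (text[i] === '\\' && i + 1 < text.length) i += 1; // keep the escaped character
                value += text[i];
                i += 1;
            }
            if (i >= text.length) throw new Error('unterminated quoted string');
            i += 1; // skip the closing quote
        } else {
            while (i < text.length && !/[\s{}"]/.test(text[i])) { value += text[i]; i += 1; }
        }
        tokens.push({ type: 'word', value });
    }
    return tokens;
}

// Parse one "ltm data-group internal <name> { ... }" stanza.
function parseDataGroup(text) {
    const t = tokenize(text);
    let pos = 0;
    const expect = (type) => {
        const tok = t[pos];
        if (!tok || tok.type !== type) throw new Error(`expected ${type} at token ${pos}`);
        pos += 1;
        return tok;
    };
    const header = [];
    while (t[pos] && t[pos].type === 'word') header.push(expect('word').value);
    expect('{');
    const group = { name: header[header.length - 1], type: undefined, records: [] };
    while (t[pos] && t[pos].type !== '}') {
        const key = expect('word').value;
        if (key === 'records') {
            expect('{');
            while (t[pos] && t[pos].type !== '}') {
                const recordKey = expect('word').value;
                expect('{');
                let value = ''; // a record written as "key {}" has no data
                while (t[pos] && t[pos].type !== '}') {
                    const prop = expect('word').value;
                    const propValue = expect('word').value;
                    if (prop === 'data') value = propValue;
                }
                expect('}');
                group.records.push({ key: recordKey, value });
            }
            expect('}');
        } else {
            const propValue = expect('word').value;
            if (key === 'type') group.type = propValue;
        }
    }
    expect('}');
    return group;
}

// Shape the result like the Data_Group objects shown in the reports.
function toAs3DataGroup(group) {
    return {
        records: group.records.map((r) => ({
            key: group.type === 'integer' ? Number(r.key) : r.key,
            value: r.value
        })),
        keyDataType: group.type,
        class: 'Data_Group'
    };
}

// String data-group copied from the first report (no template literal,
// because the data contains "${").
const SAMPLE_DATA_GROUP = [
    'ltm data-group internal /partition_1/string-datagroup {',
    '    records {',
    '        /api/test/app1 {}',
    '        /api/test/app2 {',
    '            data something',
    '        }',
    '        /api/test/app3 {',
    '            data "something in quotes with special stuff!@#${}[]"',
    '        }',
    '        /api/test/app4 {',
    '            data 1234x5678',
    '        }',
    '    }',
    '    type string',
    '}'
].join('\n');

console.log(JSON.stringify(toAs3DataGroup(parseDataGroup(SAMPLE_DATA_GROUP)), null, 4));
```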

[RFE] Log with recognized and supported objects from configuration

Is your feature request related to a problem? Please describe.

As a user, I want to see a list of the objects recognized and supported by the ACC tool.
It gives me better insight into what's going on under the hood. Moreover, I can also consume that data.

Describe the solution you'd like

Currently output is:

(venv) WRW-ML-00029839:f5-bigip-journey-velos makagon$ docker run -it -v $(pwd):/code as3-charon -u /code/spdag.ucs -o /code/output
120 BIG-IP objects detected total
14 BIG-IP objects recognized by AS3
7 BIG-IP objects supported by Charon
1 AS3 stanzas generated

I'd appreciate more comprehensive tool output for recognized and supported objects;
it may be, for example, specific logs with all those objects.

Describe alternatives you've considered

Don't see any.

Additional context

N/A

[RFE] Generate iRule in text format instead of base64

Is your feature request related to a problem? Please describe.

When using ACC to convert an app service using an iRule, ACC is generating the iRule in base64 format.

Describe the solution you'd like

It would be better to get the iRule to generate in text format so the user can read/edit it more easily.

Describe alternatives you've considered

Manually converting the iRule to text from the base64 output and updating the AS3 converted app service.

The HTTPS redirect should not be showing in the rendered AS3 declaration

Environment

  • Application Services Version: 3.25
  • BIG-IP Version: 15.1

Summary

When converting an HTTPS with its redirect (80->443), we should not create the redirect AS3 app service but use the redirect80 attribute in the Service_HTTPS class.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /tenant/app/serviceMain {
    creation-time 2021-02-11:02:56:34
    description demo2
    destination /demo2/10.2.32.3%10:443
    ip-protocol tcp
    last-modified-time 2021-02-11:03:23:07
    mask 255.255.255.255
    persist {
        /Common/cookie {
            default yes
        }
    }
    pool /demo2/demo2/Pool
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/f5-tcp-progressive { }
        /Common/http { }
        /Common/serverssl {
            context serverside
        }
    }
    source 0.0.0.0%10/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm pool /tenant/app/Pool {
    members {
        /Common/1.2.3.42:80 {
            address 1.2.3.42
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    min-active-members 1
}
#############################################
ltm virtual /demo2/demo2/serviceMain-Redirect- {
    creation-time 2021-02-11:02:56:34
    description demo2
    destination /demo2/10.2.32.3:80
    ip-protocol tcp
    last-modified-time 2021-02-11:02:56:34
    mask 255.255.255.255
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
    }
    rules {
        /Common/_sys_https_redirect
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
#############################################
  2. Observe the following error message:
{
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "id": "urn:uuid:f6ac7df8-3970-41b3-afad-4a1799e81d67",
    "label": "Converted Declaration",
    "remark": "Auto-generated by Project Charon",
    "tenant": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "remark": "demo2",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "Pool",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "serverTLS": {
                    "bigip": "/Common/clientssl"
                },
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "clientTLS": {
                    "bigip": "/Common/serverssl"
                },
                "redirect80": true,
                "virtualAddresses": [
                    [
                        "10.2.32.3%10",
                        "0.0.0.0%10/0"
                    ]
                ],
                "virtualPort": 443,
                "snat": "auto"
            },
            "Pool": {
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": 80,
                        "serverAddresses": [
                            "1.2.3.42"
                        ],
                        "shareNodes": true
                    }
                ],
                "minimumMembersActive": 1,
                "class": "Pool"
            },
            "serviceMain-Redirect-": {
                "remark": "demo2",
                "layer4": "tcp",
                "iRules": [
                    {
                        "bigip": "/Common/_sys_https_redirect"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTP",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "virtualAddresses": [
                    "10.2.32.3"
                ],
                "virtualPort": 80,
                "persistenceMethods": [],
                "snat": "auto"
            }
        }
    }
}

Failing with v1.11, every prior release worked.

Environment

  • Application Services Version: v1.11.0
  • BIG-IP Version: v14.1.x

Summary

Testing this with a simple config that worked with every version until v1.11.0.

Steps To Reproduce

Using v1.11.0 I'm seeing the following error.
ubuntu@jumpbox:/Downloads/chacon$ sudo docker run --rm -v "$PWD":/app/data f5-as3-config-converter:v1.11.0 -o data/v14-test.json -u data/v14-test.ucs
1169 BIG-IP objects detected total
25 BIG-IP objects recognized by AS3
12 BIG-IP objects supported by ACC
5 AS3 stanzas generated
(node:1) UnhandledPromiseRejectionWarning: Error: EACCES: permission denied, open 'data/v14-test.json'
at Object.openSync (fs.js:476:3)
at Object.writeFileSync (fs.js:1467:35)
at module.exports (/app/src/main.js:122:8)
at processTicksAndRejections (internal/process/task_queues.js:93:5)
(Use node --trace-warnings ... to show where the warning was created)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
ubuntu@jumpbox:/Downloads/chacon$

Expected Behavior

Using every previous released version I get the expected json output.
ubuntu@jumpbox:/Downloads/chacon$ sudo docker run --rm -v "$PWD":/app/data f5-appsvcs-acc:1.10.0 -o data/v14-test.json -u data/v14-test.ucs
stdout: 1169 BIG-IP objects detected total
25 BIG-IP objects recognized by AS3
12 BIG-IP objects supported by Charon
4 AS3 stanzas generated

ubuntu@jumpbox:/Downloads/chacon$

source address isn't rendered correctly in AS3 converted declaration

Environment

  • Application Services Version: 3.25
  • BIG-IP Version: 15.1

Summary

The source address in BIG-IP config is not translated correctly in the AS3 declaration. Look at the 0.0.0.0%10/0 in the example below.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /tenant/app/serviceMain {
    creation-time 2021-02-11:02:56:34
    description demo2
    destination /demo2/10.2.32.3%10:443
    ip-protocol tcp
    last-modified-time 2021-02-11:03:23:07
    mask 255.255.255.255
    persist {
        /Common/cookie {
            default yes
        }
    }
    pool /demo2/demo2/Pool
    profiles {
        /Common/clientssl {
            context clientside
        }
        /Common/f5-tcp-progressive { }
        /Common/http { }
        /Common/serverssl {
            context serverside
        }
    }
    source 0.0.0.0%10/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm pool /tenant/app/Pool {
    members {
        /Common/1.2.3.42:80 {
            address 1.2.3.42
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    min-active-members 1
}
#############################################
ltm virtual /demo2/demo2/serviceMain-Redirect- {
    creation-time 2021-02-11:02:56:34
    description demo2
    destination /demo2/10.2.32.3:80
    ip-protocol tcp
    last-modified-time 2021-02-11:02:56:34
    mask 255.255.255.255
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
    }
    rules {
        /Common/_sys_https_redirect
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
#############################################
  2. Observe the following error message:
{
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "id": "urn:uuid:f6ac7df8-3970-41b3-afad-4a1799e81d67",
    "label": "Converted Declaration",
    "remark": "Auto-generated by Project Charon",
    "tenant": {
        "class": "Tenant",
        "app": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "remark": "demo2",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "Pool",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "serverTLS": {
                    "bigip": "/Common/clientssl"
                },
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "clientTLS": {
                    "bigip": "/Common/serverssl"
                },
                "redirect80": true,
                "virtualAddresses": [
                    [
                        "10.2.32.3%10",
                        "0.0.0.0%10/0"
                    ]
                ],
                "virtualPort": 443,
                "snat": "auto"
            },
            "Pool": {
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": 80,
                        "serverAddresses": [
                            "1.2.3.42"
                        ],
                        "shareNodes": true
                    }
                ],
                "minimumMembersActive": 1,
                "class": "Pool"
            },
            "serviceMain-Redirect-": {
                "remark": "demo2",
                "layer4": "tcp",
                "iRules": [
                    {
                        "bigip": "/Common/_sys_https_redirect"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTP",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "virtualAddresses": [
                    "10.2.32.3"
                ],
                "virtualPort": 80,
                "persistenceMethods": [],
                "snat": "auto"
            }
        }
    }
}

Invalid SSL certificate reference in profile

Summary

I am trying to use ACC to convert a bigip.conf with an SSL profile into AS3, but the output I receive contains a wrong reference to the certificate: the certificate is created inside the application and refers to cert and key files that are inside the bigip /Common partition, but the profile contains a broken AS3 reference.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert attached bigip.conf.txt file into AS3 using "f5devcentral/f5-as3-config-converter:1.11.0" image

  2. Observe that the generated "testing_cert" object is placed inside the application, but the "test-iapp-1_client-ssl" profile refers to "/Common/Shared/testing_cert"

Expected Behavior

"test-iapp-1_client-ssl" should refer to "testing_cert" or "/testing_tenant/test_app/testing_cert"

Regards
bigip.conf.txt

output.json.txt

Pool members aren't being added to AS3 pool

Environment

  • BIG-IP Version: 12.1.5.3

Summary

Tried using vscode-f5-chariot (v1.12.0) to convert TMSH config into AS3. When I run the conversion over a simple virtual server with a single pool member, the member isn't part of the AS3 output.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /Common/vs_hcf_443 {
    destination /Common/192.168.0.1:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/hcf_80
    profiles {
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm pool /Common/hcf_80 {
    description hcf_80
    members {
        /Common/10.0.0.1:80 {
            address 10.0.0.1
        }
    }
    monitor /Common/http
}
ltm node /Common/10.0.0.1 {
    address 10.0.0.1
}
  2. Observe the AS3 output:
{
    "class": "ADC",
    "schemaVersion": "3.27.0",
    "id": "urn:uuid:d58e0962-5bce-4403-9bcf-8c863a24a181",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "vs_hcf_443": {
                "layer4": "tcp",
                "pool": "hcf_80",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_Generic",
                "virtualAddresses": [
                    "192.168.0.1"
                ],
                "virtualPort": 443,
                "persistenceMethods": [],
                "snat": "none"
            },
            "hcf_80": {
                "remark": "hcf_80",
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": null
                    }
                ],
                "monitors": [
                    {
                        "bigip": "/Common/http"
                    }
                ],
                "class": "Pool"
            }
        }
    }
}
  3. Observe the ACC log output:
[2021-06-03T05:40:21.412Z] [INFO]: ACC METADATA {
  recognized: {
    'ltm virtual /Common/vs_hcf_443': {
      destination: '/Common/192.168.0.1:443',
      'ip-protocol': 'tcp',
      mask: '255.255.255.255',
      pool: '/Common/hcf_80',
      profiles: '{',
      '/Common/tcp': {},
      '}': '',
      source: '0.0.0.0/0',
      'translate-address': 'enabled',
      'translate-port': 'enabled'
    },
    'ltm pool /Common/hcf_80': {
      description: 'hcf_80',
      members: '{',
      '}': '',
      monitor: '/Common/http'
    },
    'ltm node /Common/10.0.0.1': { address: '10.0.0.1' }
  },
  supported: {
    'ltm virtual /Common/vs_hcf_443': {
      destination: '/Common/192.168.0.1:443',
      'ip-protocol': 'tcp',
      mask: '255.255.255.255',
      pool: '/Common/hcf_80',
      profiles: '{',
      '/Common/tcp': {},
      '}': '',
      source: '0.0.0.0/0',
      'translate-address': 'enabled',
      'translate-port': 'enabled'
    },
    'ltm pool /Common/hcf_80': {
      description: 'hcf_80',
      members: '{',
      '}': '',
      monitor: '/Common/http'
    }
  },
  unSupported: { 'ltm node /Common/10.0.0.1': { address: '10.0.0.1' } },
  declarationInfo: {
    classes: { Pool: 1, Service_Generic: 1 },
    maps: {
      applications: [ '/Common/Shared' ],
      objects: [ '/Common/Shared/vs_hcf_443', '/Common/Shared/hcf_80' ],
      tenants: [ '/Common' ]
    },
    total: 2
  }
}

Expected Behavior

I am expecting to see the member (10.0.0.1) as part of the AS3 pool output.

Actual Behavior

As you can see from the output there is no pool member being output. Looking at the ACC log it seems to see the pool, but it doesn't output the member IP then either?

'ltm pool /Common/hcf_80': {
      description: 'hcf_80',
      members: '{',
      '}': '',
      monitor: '/Common/http'
    }

[RFE] create DO output

Is your feature request related to a problem? Please describe.

Not a problem, but it would be super handy and drive DO adoption if we had a similar function to take a TMOS config and return all the settings DO would handle. This could be a quick and easy way to templatize an F5's base/system settings and deploy more devices with the same system settings.

Describe the solution you'd like

This may be best in another project (like ACC), or I could do something in vscode-f5/f5-corkscrew/f5-conx-core, but just wanted to get the idea out there.

Since this project is already doing TMOS->AS3 conversion, and now utilizing a REST API integration, a different API endpoint, or parameter could tell the engine to return a DO conversion instead of an AS3, could be an easy addition.

Examples below:

New API endpoint:

As existing endpoint param:

Describe alternatives you've considered

Currently, there is no alternative. DO declarations must be made by hand at some point

Additional context

A small tool like this could be incredibly valuable for helping users transition to automation tools like DO. With the output from a tool like this, it would easily be converted to a FAST template and templatize/standardize deployments even more. Like ACC, this would drastically reduce the time/expertise needed to get started with DO. This could also be incorporated into workflows that assist users with migrating to next gen cloud based platforms.

Invalid "chainCA" value in Certificate object

Environment

  • Application Services Version: 1.12

Summary

I have found a weird entry in converted declaration certificate object:

        "custom_ssl_cert_key": {
            "class": "Certificate",
            "certificate": {
                "bigip": "/Common/custom_ssl_cert_key"
            },
            "chainCA": {
                "bigip": "none"
            },
            "privateKey": {
                "bigip": "/Common/custom_ssl_cert_key"
            }
        },

Which is not loading onto destination BigIP with following error:
"iControl REST error: code: 422, message: declaration is invalid, errors: ['/Common/Shared/custom_ssl_cert_key/chainCA/bigip: should match format "f5bigip"']",

In general the thing is about the "chainCA" field.
I believe that it should point to a valid object, the "chainCA" field should be omitted.

We have done some testing and it seems that the value of chainCA from the output is exactly the value from

ltm profile server-ssl /Common/custom_ssl_server_profile {
...
    chain none
...

The value "none" should be treated as a special value that should be ignored as this is what BigIP produces when creating cert from GUI when you do not select any chain

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
    bigip.conf.txt

  2. Observe the following output:

...
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "custom_ssl_cert_key": {
                "class": "Certificate",
                "certificate": {
                    "bigip": "/Common/custom_ssl_cert_key"
                },  
                "chainCA": {
                    "bigip": "none"
                },  
                "privateKey": {
                    "bigip": "/Common/custom_ssl_cert_key"
                }   
            },  
...
  3. Try to deploy the configuration, and observe error:
['/Common/Shared/custom_ssl_cert_key/chainCA/bigip: should match format \"f5bigip\"']",

Expected Behavior

chainCA should not be part of the output if the "chain" value is "none" in the ltm profile in bigip.conf

Regards

Policy_Endpoint class missing "type" property

Environment

  • Application Services Version: 1.11.0

Summary

When an ltm policy is converted, the required "type" property is sometimes missing in the resulting declaration.

Steps To Reproduce

Steps to reproduce the behavior:
Convert following config:

ltm policy /Common/xyz {
    controls { asm }
    requires { http }
    rules {
        default {
            actions {
                0 {
                    asm
                    enable
                    policy /Common/abc
                }
            }
        }
    }
    strategy /Common/first-match
}
asm policy /Common/abc {
    active
    encoding utf-8
    policy-template POLICY_TEMPLATE_FUNDAMENTAL
}

Actual Behavior

            "xyz": {
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "event": "request",
                                "enabled": true
                            }
                        ]
                    }
                ],
                "strategy": "first-match",
                "class": "Endpoint_Policy"
         }

Posting this to AS3 results in a validation error because the "type" property is missing.

Expected Behavior

The result should instead be:

            "xyz": {
                "rules": [
                    {
                        "name": "default",
                        "actions": [
                            {
                                "event": "request",
                                "type": "waf",
                                "enabled": true
                            }
                        ]
                    }
                ],
                "strategy": "first-match",
                "class": "Endpoint_Policy"
         }

Node error in output

Environment

  • Application Services Version: 1.11.0
  • BIG-IP Version: 14.1.2.8
  • Red Hat 8.3

Summary

Error when running against my UCS file. Reproducible on demand. The tool will complete if I limit it to one virtual server. Created F5 support case C3561341 to upload the UCS file in question.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Run the following command:
$ sudo podman run --pull=never --rm -v  "$PWD":/app/data f5-as3-config-converter:v1.11.0 -o data/shdc-viprion02.json -u data/MyUCS-2021_04_27-06_00.ucs
  2. Observe the following error message:
    at findSchemaDefault (/app/src/removeDefaultValues.js:40:30)
    at /app/src/removeDefaultValues.js:62:33
    at Array.forEach (<anonymous>)
    at matchDefaults (/app/src/removeDefaultValues.js:60:10)
    at /app/src/removeDefaultValues.js:80:20
    at Array.forEach (<anonymous>)
    at findProfiles (/app/src/removeDefaultValues.js:76:10)
    at /app/src/removeDefaultValues.js:78:24
    at Array.forEach (<anonymous>)
    at findProfiles (/app/src/removeDefaultValues.js:76:10)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Expected Behavior

No node errors in output.

Actual Behavior

Command fails with no output to file. STDERR is listed above.

Converter hangs

Environment

  • Application Services Version: 1/.8.0
  • BIG-IP Version:
# cat /VERSION
Product: BIG-IP
Version: 15.0.0
Build: 0.0.1216
Sequence: 15.0.0-0.0.1216.0
BaseBuild: 0.0.1216
Edition: Final
Date: Fri Dec 21 13:14:33 PST 2018
Built: 181221131433
Project: tmos-infra-fwdproxy
Changelist: 2822513
JobID: 1077985

Summary

Run converter on what looks to be reasonable input. Process hangs and has to be manually killed.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm pool /Common/pool_1234 {                                                                          
    members {                                                                                         
        /Common/10.10.20.4:80 {                                                                       
            address 10.10.20.4                                                                        
        }                                          
    }                                                                                                 
}                                                                                                     

ltm profile http /Common/http_1234 {                                                                  
    app-service none                               
    defaults-from http                             
}                                                                                                     

ltm virtual /Common/virtual_1234 {                                                                    
    destination 10.10.10.10:80                                                                        
    ip-protocol tcp                                
    mask 255.255.255.255                           
    pool /Common/pool_1234                         
    profiles {                                                                                        
        /Common/http_1234 { }                                                                         
        tcp { }                                                                                       
    }                                                                                                 
}    
  2. Observe the following error message:


<crickets>

Expected Behavior

Run to completion, generate reasonable output.

Actual Behavior

Process hangs, have to go to another window and docker kill it.

Unsupported list is not included in output even with verbose when using API

Environment

  • AS3 converter: 1.11.0-RC1 used as service with "serve" flag

Summary

Unsupported collection is not returned even though verbose flag is sent

Steps To Reproduce

Start the container

  1. docker run -it -p 8080:8080 f5-as3-config-converter:1.11.0-RC1 serve

  2. send a request passing attached bigip.conf file:
    bigip.conf.zip
    curl -X POST http://localhost:8080/as3converter -F conf=@trunk/Applications/application_1/Virtuals/test-iapp-1_vs/bigip.conf -F verbose=true > output

  3. Observe that output does not have "unsupported" list

  4. Observe that the file pointed to by unsupported is not empty:
    (venv) WRW-ML-00029839:as3-charon makagon$ docker exec -it 13f6294bbbe3 cat /tmp/tmp-1-ExMRWP22io33/unsupported
    { "ltm node /tenant_1/application_1/6.6.7.7": { "address": "6.6.7.7" } }

Wrong reference to SSL profile

Environment

I have a problem with versions 1.12 and 1.11 of the ACC, and possibly also previous ones.

Converting bigip.conf.txt

Results with a Virtual server with wrong reference to the profile.

Inside the configuration, VS is in partition "tenant2" and the SSL profile is placed inside /Common/Shared tenant.

Unfortunately, the reference from VS to the profile does not include "/Common/Shared" prefix:

    "tenant_2": {                                                                                                                           
        "class": "Tenant",                                                                                                                  
        "application_2": {                                                                                                                  
            "class": "Application",                                                                                                         
            "template": "generic",                                                                                                          
            "VS_app2": {                                                                                                                    
                ...
                "class": "Service_TCP",                                                                                                     
                "serverTLS": "custom_ssl_client_profile",                                                                                   
                "clientTLS": "custom_ssl_server_profile",               
 ...
   "Common": {                                                                                                                             
        "class": "Tenant",                                                                                                                  
        "Shared": {                                                                                                                         
            "class": "Application",                                                                                                         
...
            "custom_ssl_client_profile": {                                                                                                  
                "certificates": [                                                                                                           
...
            },                                                                                                                              
            "custom_ssl_server_profile": {                                                                                                  
                "clientCertificate": [                                                                                                      
...

Expected behaviour would be to reference serverTLS and clientTLS with full prefix:

    "tenant_2": {                                                                                                                           
        "class": "Tenant",                                                                                                                  
        "application_2": {                                                                                                                  
            "class": "Application",                                                                                                         
            "template": "generic",                                                                                                          
            "VS_app2": {                                                                                                                    
                ...
                "class": "Service_TCP",                                                                                                     
                "serverTLS": "/Common/Shared/custom_ssl_client_profile",                                                                                   
                "clientTLS": "/Common/Shared/custom_ssl_server_profile",               
 ...
   "Common": {                                                                                                                             
        "class": "Tenant",                                                                                                                  
        "Shared": {                                                                                                                         
            "class": "Application",                                                                                                         
...
            "custom_ssl_client_profile": {                                                                                                  
                "certificates": [                                                                                                           
...
            },                                                                                                                              
            "custom_ssl_server_profile": {                                                                                                  
                "clientCertificate": [                                                                                                      
...

Missing allowVlans key

Environment

  • Application Services Version: f5devcentral/f5-as3-config-converter:1.14.0
  • BIG-IP Version: 14.1.3

Summary

If a virtual is enabled on a vlan: vlans { /Common/vlan_internal }, Charon does not convert the property to allowVlans; instead it uses its value as a key:

            "vlans": {
                "/Common/vlan_internal": ""
            },

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm profile server-ssl /tenant_1/application_1/server_ssl_test {
    app-service none
    cert /Common/custom_ssl_cert_key
    defaults-from /Common/serverssl
    key /Common/custom_ssl_cert_key
    options { dont-insert-empty-fragments passive-close no-tlsv1.3 }
    passphrase $M$I4$Ftgl+XHx+VhP9W2VCi/97Q==
}
ltm profile client-ssl /tenant_1/application_1/client_ssl_test {
    app-service none
    cert-key-chain {
        custom_ssl_cert_key_0 {
            cert /Common/custom_ssl_cert_key
            key /Common/custom_ssl_cert_key
            passphrase $M$3e$P98aLvQuJRUt116g32xh5Q==
        }
    }
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
    options { dont-insert-empty-fragments no-tlsv1.3 tls-rollback-bug }
}
ltm virtual-address /tenant_1/application_1/10.144.18.33 {
    address 10.144.18.33
    arp enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm node /tenant_1/application_1/node_10.10.10.3 {
    address 10.10.10.3
}
ltm node /Common/node_10.10.10.5 {
    address 10.10.10.5
}
sys file ssl-cert /Common/custom_ssl_cert_key {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:custom_ssl_cert_key_253744_1
    revision 1
    source-path /var/run/key_mgmt/5xTWQ0/ssl.crt/custom_ssl_cert_key
}
ltm virtual /tenant_1/application_1/VS_https {
    creation-time 2021-08-12:06:48:20
    description "Standard Virtual enabled on 443 with ssl profiles and custom cert/key"
    destination /tenant_1/application_1/10.144.18.33:443
    ip-protocol tcp
    last-modified-time 2021-08-12:06:48:20
    mask 255.255.255.255
    pool /tenant_1/application_1/https_pool
    profiles {
        /tenant_1/application_1/client_ssl_test {
            context clientside
        }
        /Common/http { }
        /Common/httpcompression { }
        /tenant_1/application_1/server_ssl_test {
            context serverside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan_internal
    }
}
ltm node /tenant_1/application_1/node_10.10.10.2 {
    address 10.10.10.2
}
sys file ssl-key /Common/custom_ssl_cert_key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:custom_ssl_cert_key_253741_1
    revision 1
    source-path /var/run/key_mgmt/SvhNPi/ssl.key/custom_ssl_cert_key
}
ltm pool /tenant_1/application_1/https_pool {
    members {
        /tenant_1/application_1/node_10.10.10.2:443 {
            address 10.10.10.2
        }
        /tenant_1/application_1/node_10.10.10.3:443 {
            address 10.10.10.3
        }
        /Common/node_10.10.10.4:443 {
            address 10.10.10.4
        }
        /Common/node_10.10.10.5:443 {
            address 10.10.10.5
        }
    }
    monitor /Common/https
}
ltm node /Common/node_10.10.10.4 {
    address 10.10.10.4
}

  2. Observe the following error message:
{
    "code": 422,
    "message": "Invalid data property: /Common/vlan_internal"
}

Expected Behavior

Use allowVlans key with vlan name as a value.

Conversion does not seem to finish

Environment

  • Application Services Version: f5-as3-config-converter:v1.13.0
  • BIG-IP Version: 14.1.4

Summary

When running the conversion against a ucs file it does not seem to finish - no visible output (I let it run for more than 6 hours before killing it).

Steps To Reproduce

docker run --rm -v "$PWD":/app/data f5-as3-config-converter:v1.13.0 -o data/as3_conversion_test.json -u data/test.ucs

Observed the following:
No output at all - process just keeps running
docker.cli process does not seem to use any CPU.

Expected Behavior

Finishes after less than an hour (?).

Actual Behavior

Does not finish.

profileBotDefense references are missing

Environment

  • Application Services Version: 1.11.0

Summary

When bot-defense profiles are converted, the declaration contains the profileBotDefense property in the appropriate Service classes, but as an object with the "use" property instead of "bigip". "use" implies that the definition is within the declaration. Since AS3 does not support bot-defense definitions, it cannot be in the declaration. The following is required:

  1. replace "use" with "bigip".
  2. provide documentation explaining that users who wish to preserve their bot-defense profiles must maintain them outside of AS3. ACC will put a reference in the declaration that assumes the existence of the named bot-defense profile.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
security bot-defense asm-profile /Common/xyz {
    app-service none
}
ltm virtual /Common/abc {
    destination /Common/10.0.11.22:80
    ip-protocol tcp
    profiles {
        /Common/xyz { }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp { }
        /Common/websecurity { }
    }
}

  2. Observe the following result within the declaration:
                "profileBotDefense": {
                    "use": "/Common/Shared/xyz"
                }

This is invalid because AS3 does not support "use" with "profileBotDefense".

[RFE] export function for ACC convert (vscode-f5-chariot)

request

As discussed, please export a function in the base node project to allow for direct api access in vscode-f5-chariot.

Here is how I am re-wrapping the ACC functionality for the extension: https://github.com/f5devcentral/vscode-f5-chariot/blob/main/src/accWrapper.ts

Right now, the function just takes in the raw tmos config (no archive extraction), sets some ACC parsing options, and returns the declaration output with metadata.

If there are other things that we need to add to the output for your troubleshooting, please add them as part of the return. The extension can log the metadata as needed.

This will allow me to import your latest ACC function to the vscode-f5-chariot project and quickly release updates. Thanks.

statically setting config conversion options

    const config = {
        ucs: false,
        container: false,
        disableAnalytics: false,
        recognized: true,
        recognizedObjects: true,
        supported: true,
        supportedObjects: true,
        unsupported: true,
        unsupportedObjects: true,
        summary: true,
        debug: true,
        showExtended: true
    };

function output

    return {
        declaration,
        metaData: {
            recognized: as3Json,
            supported: supportedJson,
            unSupported: unsupportedObj,
            declarationInfo,
        }
    };

clientCertificate should be string instead of list

Environment

ACC 1.12

Summary

According to AS3 schema, inside "TLS_Client" class, field "clientCertificate" should be string, but 1.12 ACC produces a list of strings.

Take a look at field "clientCertificate" under this link:
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html?highlight=tls_client#tls-client

Steps To Reproduce

Try to convert the following config:
bigip.conf.txt

Actual Behavior

...
                "custom_ssl_server_profile": {
                    "clientCertificate": [
                        "custom_ssl_cert_key"
                    ],  
                    "ciphers": "DEFAULT",
                    "class": "TLS_Client"
                },  
...

Expected Behavior

...
                "custom_ssl_server_profile": {
                    "clientCertificate": "custom_ssl_cert_key",
                    "ciphers": "DEFAULT",
                    "class": "TLS_Client"
                }, 
...

No SSL profile reference in conversion

Performed "Convert With ACC" using F5 ACC Chariot extension v1.11.0 on the app.conf below, and getting a resulting declaration missing any SSL profile reference. The SSL profile config is not in the unsupported section of logging:

ltm virtual /Common/application1.prestonashworth.com_443 {
    creation-time 2020-01-18:17:56:36
    destination /Common/10.10.0.101:443
    ip-protocol tcp
    last-modified-time 2021-02-04:22:18:00
    mask 255.255.255.255
    pool /Common/app1.service_discovery.app/app1.service_discovery_pool
    profiles {
        /Common/application1.prestonashworth.com_2020 {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    rules {
        /Common/SSL_client_ciphers_selected
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
ltm pool /Common/app1.service_discovery.app/app1.service_discovery_pool {
    app-service /Common/app1.service_discovery.app/app1.service_discovery
    load-balancing-mode least-connections-member
    members {
        /Common/172.28.0.154:80 {
            address 172.28.0.154
            description i-06939aaacd7c6321d-private
        }
        /Common/172.28.0.25:80 {
            address 172.28.0.25
            description i-088eeb216d051cf4c-private
        }
        /Common/172.28.0.32:80 {
            address 172.28.0.32
            description i-05b86bb44a52c3dfa-private
        }
        /Common/172.28.0.93:80 {
            address 172.28.0.93
            description i-08bd9d9e449d8517c-private
        }
    }
    monitor /Common/http
}
ltm profile client-ssl /Common/application1.prestonashworth.com_2020 {
    app-service none
    cert-key-chain {
        application1_application1_0 {
            cert /Common/application1.crt
            chain /Common/application1.crt
            key /Common/application1.key
        }
    }
    defaults-from /Common/clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm rule /Common/SSL_client_ciphers_selected {
when HTTP_REQUEST {
    log local0.notice "[SSL::cipher version] - Client [IP::client_addr]:[TCP::client_port] -> HostHeaderName/URI [HTTP::host][HTTP::uri] -"
}
}

This is the debug log output (with F5 Extension setting Log level set to verbose and NGINX log level set to debug):

[2021-05-24T21:05:03.496Z] [INFO]: f5.chariot.convert called
[2021-05-24T21:05:03.496Z] [DEBUG]: f5.chariot.convert text found
[2021-05-24T21:05:04.277Z] [DEBUG]: ACC METADATA {
  recognized: {
    'ltm virtual /Common/application1.prestonashworth.com_443': {
      'creation-time': '2020-01-18:17:56:36',
      destination: '/Common/10.10.0.101:443',
      'ip-protocol': 'tcp',
      'last-modified-time': '2021-02-04:22:18:00',
      mask: '255.255.255.255',
      pool: '/Common/app1.service_discovery.app/app1.service_discovery_pool',
      profiles: '{',
      '/Common/http': {},
      '/Common/tcp': {},
      '}': '',
      rules: '{',
      '/Common/SSL_client_ciphers_selected': '',
      'serverssl-use-sni': 'disabled',
      source: '0.0.0.0/0',
      'translate-address': 'enabled',
      'translate-port': 'enabled'
    },
    'ltm profile client-ssl /Common/application1.prestonashworth.com_2020': {
      'app-service': 'none',
      'cert-key-chain': '{',
      '}': '',
      'defaults-from': '/Common/clientssl',
      'inherit-ca-certkeychain': 'true',
      'inherit-certkeychain': 'false'
    },
    'ltm rule /Common/SSL_client_ciphers_selected': 'when HTTP_REQUEST {\r\n' +
      '    log local0.notice "[SSL::cipher version] - Client [IP::client_addr]:[TCP::client_port] -> HostHeaderName/URI [HTTP::host][HTTP::uri] -"\r\n' +
      '}\r'
  },
  supported: {
    'ltm virtual /Common/application1.prestonashworth.com_443': {
      'creation-time': '2020-01-18:17:56:36',
      destination: '/Common/10.10.0.101:443',
      'ip-protocol': 'tcp',
      'last-modified-time': '2021-02-04:22:18:00',
      mask: '255.255.255.255',
      pool: '/Common/app1.service_discovery.app/app1.service_discovery_pool',
      profiles: '{',
      '/Common/http': {},
      '/Common/tcp': {},
      '}': '',
      rules: '{',
      '/Common/SSL_client_ciphers_selected': '',
      'serverssl-use-sni': 'disabled',
      source: '0.0.0.0/0',
      'translate-address': 'enabled',
      'translate-port': 'enabled'
    },
    'ltm profile client-ssl /Common/application1.prestonashworth.com_2020': {
      'app-service': 'none',
      'cert-key-chain': '{',
      '}': '',
      'defaults-from': '/Common/clientssl',
      'inherit-ca-certkeychain': 'true',
      'inherit-certkeychain': 'false'
    },
    'ltm rule /Common/SSL_client_ciphers_selected': 'when HTTP_REQUEST {\r\n' +
      '    log local0.notice "[SSL::cipher version] - Client [IP::client_addr]:[TCP::client_port] -> HostHeaderName/URI [HTTP::host][HTTP::uri] -"\r\n' +
      '}\r'
  },
  unSupported: {
    'ltm pool /Common/app1.service_discovery.app/app1.service_discovery_pool': {
      'app-service': '/Common/app1.service_discovery.app/app1.service_discovery',
      'load-balancing-mode': 'least-connections-member',
      members: '{',
      '}': '',
      monitor: '/Common/http'
    }
  },
  declarationInfo: {
    classes: { iRule: 1, Service_Generic: 1 },
    maps: {
      applications: [ '/Common/Shared' ],
      objects: [
        '/Common/Shared/application1.prestonashworth.com_443',
        '/Common/Shared/SSL_client_ciphers_selected'
      ],
      tenants: [ '/Common' ]
    },
    total: 2
  }
}

And this is the resulting declaration:

{
    "class": "ADC",
    "schemaVersion": "3.26.0",
    "id": "urn:uuid:313786db-56e1-4c36-b3b7-cd96d6035720",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "application1.prestonashworth.com_443": {
                "layer4": "tcp",
                "pool": "/Common/app1.service_discovery.app/app1.service_discovery_pool",
                "iRules": [
                    {
                        "use": "0"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_Generic",
                "virtualAddresses": [
                    "10.10.0.101"
                ],
                "virtualPort": 443,
                "persistenceMethods": [],
                "snat": "none"
            },
            "SSL_client_ciphers_selected": {
                "class": "iRule",
                "iRule": {
                    "base64": "d2hlbiBIVFRQX1JFUVVFU1Qgew0KICAgIGxvZyBsb2NhbDAubm90aWNlICJbU1NMOjpjaXBoZXIgdmVyc2lvbl0gLSBDbGllbnQgW0lQOjpjbGllbnRfYWRkcl06W1RDUDo6Y2xpZW50X3BvcnRdIC0+IEhvc3RIZWFkZXJOYW1lL1VSSSBbSFRUUDo6aG9zdF1bSFRUUDo6dXJpXSAtIg0KfQ0="
                }
            }
        }
    }
}

Renaming duplicated objects' name results in invalid declaration

Environment

  • Application Services Version: 1.12
  • appsvcs: f5-appsvcs-3.25.0-3.noarch.rpm
  • BIG-IP Version: 15.1.2.1-0.0.3.0 (converting config from 12.1.2.2.0.276.0)

Summary

When ACC recognizes same names of objects (of different types), it adds a suffix, e.g.: "_virtual_dup", which results in an invalid name on BIG-IP in some cases (eg. virtual server's name: "10.10.10.10" is valid on BIG-IP, but "10.10.10.10_virtual_dup" is not).

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:

ltm virtual /tenant_2/application_2/10.33.192.133 {
    destination /tenant_2/application_2/10.33.192.133:53
    ip-protocol udp
    mask 255.255.255.255
    profiles {
        /Common/dns { }
        /Common/udp_gtm_dns { }
    }
    source 0.0.0.0/0
    translate-address disabled
    translate-port disabled
}
ltm virtual-address /tenant_2/application_2/10.33.192.133 {
    address 10.33.192.133
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-local-only
}
  2. Observe the following output and error message:
"tenant_2": {
        "class": "Tenant",
        "application_2": {
            "class": "Application",
            "template": "generic",
            "10.33.192.133_virtual_dup": {
                "layer4": "udp",
                "translateServerAddress": false,
                "translateServerPort": false,
                "class": "Service_Generic",
                "profileDNS": {
                    "bigip": "/Common/dns"
                },
                "virtualAddresses": [
                   "10.33.192.133"
                ],
                "virtualPort": 53,
                "persistenceMethods": [],
                "snat": "none"
            }
        }
    }

which fails to deploy:

            "time": "2021-05-25T15:38:12.588553Z",
            "message": "Failed to deploy AS3 declaration\nTraceback (most recent call last):\n  File \"/migrate/journeys/backend/task.py\", line 200, in deploy_config\n    deploy_declaration(output_as3_path, destination)\n  File \"/migrate/journeys/utils/as3_ops.py\", line 254, in deploy_declaration\n    raise AS3DeclarationDeploymentError(icr_output)\njourneys.errors.AS3DeclarationDeploymentError: iControl REST error: code: 422, message: declaration is invalid, errors: ['/tenant_2/application_2: propertyName \"10.33.192.133_virtual_dup\" should match pattern \"^[A-Za-z]([0-9A-Za-z_.-]{0,188}[0-9A-Za-z_.])?$\"']",

So the pattern of virtual server's name is still invalid.

Expected Behavior

Because BIG-IP allows IP addresses as objects' names (for virtual server, pools, monitors) and also allows saving objects with the same names (but different types, e.g. ltm virtual /Common/test and ltm pool /Common/test), we should expect that customers will see such errors quite commonly.
The solution would be to add prefixes (which start with a letter) instead of suffixes, eg. "virtual_dup_10.33.192.133" instead of "10.33.192.133_virtual_dup" and re-naming objects which start with a number.

Actual Behavior

ACC adds a suffix to a duplicated virtual object's name, which does not improve customer experience (who will still see an invalid name error).
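
The prefix scheme proposed in this report, checked against the name pattern from the 422 error, as an added example (not ACC's code). The function name `renameForAs3`, its parameters, and the `taken` set are hypothetical; the sample names are taken from the report.

```javascript
// Property-name pattern quoted in the AS3 422 error above.
const AS3_NAME_PATTERN = /^[A-Za-z]([0-9A-Za-z_.-]{0,188}[0-9A-Za-z_.])?$/;
const AS3_NAME_MAX = 190; // 1 leading letter + up to 188 middle chars + 1 trailing char

// Hypothetical helper: derive a declaration-safe name for a BIG-IP object.
//   name  - object name as it appears on BIG-IP (last path segment)
//   kind  - object type used as prefix, e.g. "virtual" (assumed to start with a letter)
//   taken - Set of names already used in the same Application
function renameForAs3(name, kind, taken) {
    // Replace every character the pattern does not allow.
    let candidate = name.replace(/[^0-9A-Za-z_.-]/g, '_');

    // Prefix instead of suffix: the prefix starts with a letter, so names such
    // as "10.33.192.133" become valid whether or not they collide.
    const collides = taken.has(candidate);
    if (collides || !/^[A-Za-z]/.test(candidate)) {
        candidate = `${kind}_${collides ? 'dup_' : ''}${candidate}`;
    }

    // Enforce the length limit; the last character may not be "-".
    candidate = candidate.slice(0, AS3_NAME_MAX).replace(/-$/, '_');

    // Keep the result unique even if the prefixed name is itself taken.
    let unique = candidate;
    let n = 1;
    while (taken.has(unique)) {
        const suffix = `_${n++}`;
        unique = candidate.slice(0, AS3_NAME_MAX - suffix.length) + suffix;
    }

    if (!AS3_NAME_PATTERN.test(unique)) {
        throw new Error(`cannot derive a valid AS3 name from "${name}"`);
    }
    taken.add(unique);
    return unique;
}

// The suffix form from the report fails the pattern; the prefix form passes.
function compareSchemes() {
    const taken = new Set(['10.33.192.133']); // constructed: the virtual-address already holds the name
    return {
        suffixValid: AS3_NAME_PATTERN.test('10.33.192.133_virtual_dup'),
        prefixed: renameForAs3('10.33.192.133', 'virtual', taken)
    };
}
```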

ACC should handle "allowVlans" differently

Environment

  • Application Services Version:
  • BIG-IP Version:

Summary

It seems that ACC Charon handles the allowVlans inappropriately
Produced output looks like:

                "allowVlans": [
                    {   
                        "use": "/Common/Shared/vlan1"
                    }   
                ] 

While the AS3 example from (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/miscellaneous.html#virtual-service-allowing-only-specific-vlans) looks like:

          "allowVlans": [
            { "bigip": "/Common/internal-sales" },
            { "bigip": "/Common/internal-marketing" }
          ]

In addition – the object "/Common/Shared/vlan1" is not defined anywhere in the output declaration, and inside the UCS it looks like this:

net vlan /Common/vlan1 {
    cmp-hash default
    tag 4094
}

Expected Behavior

ACC should populate the "allowVlans" property with a { "bigip": "...." } format as described in the ACC documentation.

Actual Behavior

ACC populates the "allowVlans" property with a { "use": "..." } reference. Such a pointer should not be allowed since AS3 does not configure VLANS. (VLAN configuration is done by Declarative Onboarding.)

Conversion of TCP profile failing using vscode ACC Chariot extension

Environment

  • F5 Extension version: v3.1.0
  • F5 ACC Chariot version: v1.13.0

Summary

Attempting to convert a TCP profile using the VS Code F5 Extension with the ACC Chariot extension fails with an error, and nothing is converted.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config snippet:
ltm profile tcp mytcp-progressive {
    app-service none
    auto-proxy-buffer-size enabled
    auto-receive-window-size enabled
    auto-send-buffer-size enabled
    congestion-control woodside
    defaults-from tcp
    init-cwnd 16
    init-rwnd 16
    nagle auto
    proxy-buffer-high 262144
    proxy-buffer-low 196608
    push-flag auto
    receive-window-size 131072
    send-buffer-size 262144
}
  2. Observe the following error message:
[2021-08-25T21:29:38.352Z] [INFO]: f5.chariot.convert text found
[2021-08-25T21:29:38.353Z] [ERROR]: f5.chariot.convert failed with [TypeError: Cannot read property 'endsWith' of undefined
	at module.exports (/Users/gerace/.vscode/extensions/f5devcentral.vscode-f5-chariot-1.13.0/node_modules/f5-as3-config-converter/src/util/convert/findLocation.js:33:24)
	at module.exports (/Users/gerace/.vscode/extensions/f5devcentral.vscode-f5-chariot-1.13.0/node_modules/f5-as3-config-converter/src/removeIapp.js:27:21)
	at mainRunner (/Users/gerace/.vscode/extensions/f5devcentral.vscode-f5-chariot-1.13.0/node_modules/f5-as3-config-converter/src/main.js:50:28)
	at Object.mainAPI (/Users/gerace/.vscode/extensions/f5devcentral.vscode-f5-chariot-1.13.0/node_modules/f5-as3-config-converter/src/main.js:175:30)
	at /Users/gerace/.vscode/extensions/f5devcentral.vscode-f5-chariot-1.13.0/out/extension.js:76:62
	at processTicksAndRejections (internal/process/task_queues.js:93:5)
	at async /Users/gerace/.vscode/extensions/f5devcentral.vscode-f5-chariot-1.13.0/out/extension.js:67:20]

Expected Behavior

An AS3 declaration with the TCP profile is to be created.

Actual Behavior

Nothing is outputted and an error occurs in output window.

Issue with parsing a list of unnamed maps in ltm profile fix

Environment

  • Application Services Version: 1.14.0
  • BIG-IP Version: N/A

Summary

Currently in a spot where config contains a list of unnamed maps as shown below, only the last one is being added in the output as3 declaration. I currently know of only one as3-supported field formatted like this - in ltm profile fix; unsure if there are any others.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm profile fix /datagroups/application_1/profileFIXcustom {
    app-service none
    defaults-from /Common/fix
    description none
    error-action drop-connection
    full-logon-parsing false
    message-log-publisher /Common/local-db-publisher
    quick-parsing true
    report-log-publisher /Common/local-db-publisher
    response-parsing true
    sender-tag-class {
        {
            sender-id RefInternalDG
            tag-map-class /Common/dataGroupRefInternal
        }
        {
            sender-id RefExternalDG
            tag-map-class /Common/dataGroupRefExternal
        }
    }
    statistics-sample-interval 45
}

  2. Observe the following output:
{
    "class": "ADC",
    "schemaVersion": "3.29.0",
    "id": "urn:uuid:2fe3e5cd-cde9-4558-9480-8387f6fa9950",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "datagroups": {
        "class": "Tenant",
        "application_1": {
            "class": "Application",
            "template": "generic",
            "profileFIXcustom": {
                "parentProfile": {
                    "bigip": "/Common/fix"
                },
                "remark": "none",
                "errorAction": "drop-connection",
                "fullLogonParsingEnabled": false,
                "messageLogPublisher": {
                    "bigip": "/Common/local-db-publisher"
                },
                "quickParsingEnabled": true,
                "reportLogPublisher": {
                    "bigip": "/Common/local-db-publisher"
                },
                "responseParsingEnabled": true,
                "senderTagMappingList": [
                    {
                        "senderId": "RefExternalDG",
                        "tagDataGroup": {
                            "use": "/Common/Shared/dataGroupRefExternal"
                        }
                    }
                ],
                "statisticsSampleInterval": 45,
                "class": "FIX_Profile"
            }
        }
    }
}

Notice how the SenderTagMappingList field contains only one entry.

Expected Behavior

SenderTagMappingList should include references to both data groups.

<...>
                "senderTagMappingList": [
                    {
                        "senderId": "RefInternalDG",
                        "tagDataGroup": {
                            "use": "/Common/Shared/dataGroupRefInternal"
                        }
                    },
                    {
                        "senderId": "RefExternalDG",
                        "tagDataGroup": {
                            "use": "/Common/Shared/dataGroupRefExternal"
                        }
                    }
                ],
<...>

Actual Behavior

Only one key is included as shown in the example above.

Note how in the 'recognized' (parsed?) config json returned via the api, only one field is present as well:

<...>
    "recognized": {
        "ltm profile fix /tenant_1/application_1/profileFIXcustom": {
            "app-service": "none",
            "defaults-from": "/Common/fix",
            "description": "none",
            "error-action": "drop-connection",
            "full-logon-parsing": "false",
            "message-log-publisher": "/Common/local-db-publisher",
            "quick-parsing": "true",
            "report-log-publisher": "/Common/local-db-publisher",
            "response-parsing": "true",
            "sender-tag-class": {
                "": {
                    "sender-id": "RefExternalDG",
                    "tag-map-class": "/tenant_1/application_1/dataGroupRefExternal"
                }
            },
            "statistics-sample-interval": "45"
        },
    }
<...>

Likely just an issue with the parser overwriting 'duplicate' empty keys in the sender-tag-class collection.
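
A minimal brace parser that models the overwrite described in this report and the array-collecting alternative, as an added example (not ACC's parser). `parseTmsh` and its `collectUnnamed` option are hypothetical names; the input is constructed from the stanza quoted above, and the parser assumes one statement per line with no braces inside quoted strings.

```javascript
// Constructed input: the sender-tag-class stanza from the report above.
const sampleConfig = `ltm profile fix /datagroups/application_1/profileFIXcustom {
    defaults-from /Common/fix
    sender-tag-class {
        {
            sender-id RefInternalDG
            tag-map-class /Common/dataGroupRefInternal
        }
        {
            sender-id RefExternalDG
            tag-map-class /Common/dataGroupRefExternal
        }
    }
    statistics-sample-interval 45
}`;

// Parse tmsh-style text into nested objects.
// collectUnnamed=false stores every unnamed "{ ... }" block under the key "",
// so each block overwrites the previous one (the shape seen in "recognized").
// collectUnnamed=true gathers unnamed blocks into an array, preserving all of them.
function parseTmsh(text, { collectUnnamed }) {
    const lines = text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
    let pos = 0;

    function parseBody() {
        const obj = {};
        const unnamed = [];
        while (pos < lines.length) {
            const line = lines[pos++];
            if (line === '}') break;                      // end of the current block
            if (line === '{') {                           // unnamed block
                const child = parseBody();
                if (collectUnnamed) unnamed.push(child);
                else obj[''] = child;                     // same key every time: last one wins
            } else if (line.endsWith('{ }')) {            // empty named block on one line
                obj[line.slice(0, -3).trim()] = {};
            } else if (line.endsWith('{')) {              // named block
                obj[line.slice(0, -1).trim()] = parseBody();
            } else {                                      // "key value" property
                const space = line.indexOf(' ');
                if (space === -1) obj[line] = '';
                else obj[line.slice(0, space)] = line.slice(space + 1).trim();
            }
        }
        if (unnamed.length === 0) return obj;
        if (Object.keys(obj).length === 0) return unnamed; // block held only unnamed maps
        obj[''] = unnamed;                                 // mixed content: keep both
        return obj;
    }

    return parseBody();
}

// Sender IDs recovered from the profile under each parsing mode.
function senderIds(collectUnnamed) {
    const profile = parseTmsh(sampleConfig, { collectUnnamed })[
        'ltm profile fix /datagroups/application_1/profileFIXcustom'
    ];
    const entries = profile['sender-tag-class'];
    const list = Array.isArray(entries) ? entries : Object.values(entries);
    return list.map((entry) => entry['sender-id']);
}
```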

PEM profile property connectionOptimizationService value: "none" is invalid

Environment

  • Application Services Version: 1.11.0
  • BIG-IP Version: 15.x

Summary

PEM property

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /tenant_1/application_1/test_vs {
    description "Created by Web Configuration Utility for PEM Listener test_vs"
    destination /tenant_1/application_1/0.0.0.0:80
    ip-protocol udp
    mask any
    profiles {
        /Common/classification_pem {
            context clientside
        }
        /tenant_1/application_1/test_pem_profile {
            context clientside
        }
        /Common/udp_decrement_ttl { }
    }
    source 10.10.10.100/32
    source-address-translation {
        pool /Common/CGNAT_pool
        type lsn
    }
    translate-address disabled
    translate-port enabled
    vlans-enabled
}
ltm virtual-address /tenant_1/application_1/0.0.0.0 {
    address any
    arp disabled
    icmp-echo disabled
    mask any
    traffic-group /Common/traffic-group-1
}
pem profile radius-aaa /tenant_1/application_1/test_radius_profile {
    app-service none
    defaults-from /Common/radiusaaa
    description "Created by Web Configuration Utility for PEM Control Virtual /Common/radiusacct"
    password calypso
    shared-secret xxx
}
pem profile spm /tenant_1/application_1/test_pem_profile {
    app-service none
    description "Created by Web Configuration Utility for PEM Listener ..."
    fast-pem disabled
    fast-vs-name none
    global-policies-high-precedence {
        /Common/Parental_policy
    }
}
  2. Observe the following error message:

Declaration created by Charon:

            "test_pem_profile": {
                "remark": "xxx",
                "connectionOptimizationEnabled": false,
                "connectionOptimizationService": {
                    "use": "none"                                        # invalid reference          
                },
                "policiesGlobalHighPrecedence": [
                    {
                        "bigip": "/Common/Shared/Parental_policy"
                    }
                ],
                "class": "Enforcement_Profile"
            },

Error returned:

{
    "code": 422,
    "errors": [
        "/tenant_1/application_1/test_pem_profile/connectionOptimizationService/use: contains path to non-existent object none"
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

Expected Behavior

Not sure, but "connectionOptimizationService": { "use": "none" } is invalid.
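
A pre-deployment check for the failure shared by the profileBotDefense, allowVlans and connectionOptimizationService reports above: every "use" pointer must resolve to an object defined in the declaration. This is an added example, not ACC or AS3 code; the sample declaration is constructed from the fragments quoted in those reports, and resolving relative names against the enclosing Application is a simplifying assumption.

```javascript
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Resolve an absolute pointer such as /Tenant/Application/object.
function resolvePointer(declaration, pointer) {
    let node = declaration;
    for (const part of pointer.split('/').slice(1)) {
        if (node === null || typeof node !== 'object' || !has(node, part)) return undefined;
        node = node[part];
    }
    return node;
}

// Walk the declaration and report every { "use": ... } whose target is not an
// object inside the declaration. Paths follow the format of AS3's own errors.
function findDanglingUse(declaration) {
    const findings = [];
    const walk = (node, path, app) => {
        if (Array.isArray(node)) {
            node.forEach((item, i) => walk(item, `${path}/${i}`, app));
            return;
        }
        if (node === null || typeof node !== 'object') return;
        if (node.class === 'Application') app = node;   // remember the enclosing Application
        if (typeof node.use === 'string') {
            let target;
            if (node.use.startsWith('/')) target = resolvePointer(declaration, node.use);
            else if (app && has(app, node.use)) target = app[node.use]; // relative name (assumption)
            if (target === undefined || target === null || typeof target !== 'object') {
                findings.push({ path: `${path}/use`, use: node.use });
            }
        }
        for (const [key, value] of Object.entries(node)) walk(value, `${path}/${key}`, app);
    };
    walk(declaration, '', null);
    return findings;
}

// Constructed sample combining the fragments quoted in the reports.
const sampleDeclaration = {
    class: 'ADC',
    schemaVersion: '3.26.0',
    Common: {
        class: 'Tenant',
        Shared: {
            class: 'Application',
            template: 'shared',
            abc: {
                class: 'Service_Generic',
                virtualAddresses: ['10.0.11.22'],
                virtualPort: 80,
                profileBotDefense: { use: '/Common/Shared/xyz' },   // no bot-defense object exists
                allowVlans: [{ use: '/Common/Shared/vlan1' }],      // VLANs are not AS3 objects
                iRules: [{ use: 'SSL_client_ciphers_selected' }],   // resolves: defined below
                profileDNS: { bigip: '/Common/dns' }                // "bigip" refs are not checked
            },
            SSL_client_ciphers_selected: {
                class: 'iRule',
                iRule: 'when HTTP_REQUEST { }'
            },
            test_pem_profile: {
                class: 'Enforcement_Profile',
                connectionOptimizationService: { use: 'none' }      // "none" is not an object
            }
        }
    }
};

function main() {
    for (const f of findDanglingUse(sampleDeclaration)) {
        console.log(`${f.path}: contains path to non-existent object ${f.use}`);
    }
}
main();
```

Running the check on converter output before posting it to AS3 surfaces all such references at once, where the 422 responses quoted above arrive one deployment attempt at a time.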

Received an error while running f5-as3-config-converter

Environment

  • Application Services Version: f5-as3-config-converter:v1.13.0
  • BIG-IP Version: 14.1.4

Summary

When running the command without virtual server filter:

docker run --rm -v  "$PWD":/app/data f5-as3-config-converter:v1.13.0 -o data/as3_conversion_test_dev.json -u data/as3_conversion_test.ucs
...
2021-07-23 17:24:15 WARN ERROR! DUPLICATE OBJECT NAME DETECTED:
2021-07-23 17:24:15 WARN tlsstats-verf.cybersecurity.ubc.ca exists as both Certificate and Certificate

(node:1) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'properties' of undefined
    at findSchemaDefault (/app/src/removeDefaultValues.js:32:39)
    at /app/src/removeDefaultValues.js:64:33
    at Array.forEach (<anonymous>)
    at matchDefaults (/app/src/removeDefaultValues.js:62:10)
    at /app/src/removeDefaultValues.js:82:20
    at Array.forEach (<anonymous>)
    at findProfiles (/app/src/removeDefaultValues.js:78:10)
    at /app/src/removeDefaultValues.js:80:24
    at Array.forEach (<anonymous>)
    at findProfiles (/app/src/removeDefaultValues.js:78:10)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

When running f5-as3-config-converter with virtual server:

docker run --rm -v "$PWD":/app/data f5-as3-config-converter:v1.13.0 -o data/as3_conversion_test_dev.json -u data/as3_conversion_test.ucs -v RMT_LABS.443 -a app_01
...
2021-07-23 17:43:31 WARN ERROR! DUPLICATE OBJECT NAME DETECTED:
2021-07-23 17:43:31 WARN tlsstats-verf.cybersecurity.ubc.ca exists as both Certificate and Certificate

2021-07-23 17:43:31 ERROR Error extracting application. Please email us at [email protected] and include the following error:

2021-07-23 17:43:31 ERROR Cannot read property 'Shared' of undefined

Steps To Reproduce

Always.

Expected Behavior

No error.

Actual Behavior

Different errors depending on filter parameters.

I ran it from an extracted UCS. If needed I can provide you with the bigip.conf (to F5 email).

Unable to load AS3 declaration to the system it was generated on

Environment

  • Application Services Version: 3.23, 3.24
  • BIG-IP Version: i5820-DF 12.1.3.5-0.0.10, VE 12.1.5.1-0.0.5

Summary

Cannot load an AS3 declaration generated by ACC on the system whose UCS was used to generate the declaration.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config (VE):
#TMSH-VERSION: 12.1.5.1

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}
ltm default-node-monitor {
    rule none
}
ltm node /Common/10.20.1.11 {
    address 10.20.1.11
}
ltm node /Common/10.20.1.12 {
    address 10.20.1.12
}
ltm node /Common/10.20.1.13 {
    address 10.20.1.13
}
ltm pool /Common/https_pool {
    load-balancing-mode ratio-member
    members {
        /Common/10.20.1.11:443 {
            address 10.20.1.11
        }
        /Common/10.20.1.12:443 {
            address 10.20.1.12
        }
        /Common/10.20.1.13:443 {
            address 10.20.1.13
            ratio 7
        }
    }
    monitor /Common/https and /Common/https_443 and /Common/https_head_f5
}
ltm virtual /Common/https_vs {
    destination /Common/10.10.1.117:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/https_pool
    profiles {
        /Common/html { }
        /Common/http { }
        /Common/oneconnect { }
        /Common/rewrite-uri-translation { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /Common/10.10.1.117 {
    address 10.10.1.117
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm data-group internal /Common/____appsvcs_declaration-1608050029234 {
    description "f5 AS3 declaration (see info in record 0)"
    records {
        0 {
            data "date^2020-12-15T16:33:49.234Z|id^urn:uuid:8b22407b-9daa-42ce-ad95-4b4b309bf968|tenants^|blocks^1"
        }
        1 {
            data eNodjztvAyEQhP/KidpYHODH0UXnNlIKK0U6HpscDgfWApYiy/89a5c738yO5s58srUyw95OM9uw6hdY7SdgjSWTqrZSbQWBGOjqmE3vMZijk1KLg+NTsJZr6YHbMO24dtopMbnvaX+kULIOEuXmkm+ADcJwAupD257fNwypC3+f5b0V/gMZCJHL/Q0fWC7g2zAvFl/efg3E3ksA8ldIBOMNCPiSG5ZEG+7Mol9IPccVarPrlaxSSMFHycfdedwbpYyeaJP6Yo/HPxQCT4Q=
        }
    }
    type integer
}
ltm data-group internal /Common/____appsvcs_declaration-1608058432196 {
    description "f5 AS3 declaration (see info in record 0)"
    records {
        0 {
            data "date^2020-12-15T18:53:52.196Z|id^urn:uuid:8b22407b-9daa-42ce-ad95-4b4b309bf968|tenants^|blocks^1"
        }
        1 {
            data eNodj7tuwzAMRX/F0BwZsmy1trbCWQtkCDp0oyS2VitLgR4BgiD/XqYj7znkBe/MBiiFafZ2XNmBFbvhDh+Yi0+R0rGXYy8IeEdTy1G35p2ejZSTeDV8cQB8khY5uEXxyUxmFIv5Wl5mWgpgMNDemuIVc0XXHZH6MtTn9QPL1JV/n+WtJv6NEQmRZW7dKacftLVbN8j/brs4Yu/JIfkFA0F/RQI2xZpToB/uDLLdKD37HUuF/UKqFFLwQfJBnYdZq1Er2Q+L+mSPxx8ULE+J
        }
    }
    type integer
}
ltm data-group internal /Common/____appsvcs_declaration-1608106682997 {
    description "f5 AS3 declaration (see info in record 0)"
    records {
        0 {
            data "date^2020-12-16T08:18:02.997Z|id^urn:uuid:8b22407b-9daa-42ce-ad95-4b4b309bf968|tenants^|blocks^1"
        }
        1 {
            data eNodj7tuwzAMRX/F0BwZsuwmlrbCWQNkCDp004OtlcpSQEkBiiD/XqYj7znkBR/MRVMK0+z9uLAdK26FzXwAlpATpWMvx14QCJ6mhkm3FryerZSTOFiuvDF8kg648eqNT3ayo1D2S+1nWorGQqS9Jac7YAXfHYH60NTX9R1D6sKfV3mrmX9DAkJk2d/ujPkKrnbLavDfbTdP7JQ9kF8gEgx3IOByqpgj/fBgBt1K6SVsUKrZbqRKIQUfJB/2FzHrYdZC9kodPtnz+QcURk+P
        }
    }
    type integer
}
ltm data-group internal /Common/____appsvcs_declaration-1608268473447 {
    description "f5 AS3 declaration (see info in record 0)"
    records {
        0 {
            data "date^2020-12-18T05:14:33.447Z|id^urn:uuid:8b22407b-9daa-42ce-ad95-4b4b309bf968|tenants^|blocks^1"
        }
        1 {
            data eNodj7tuwzAMRX/F0BwZsqQ0trbCWQt0CDp004OJlcpWQEkBiiD/XqYj7znkBR/MJ1sKM+z9OLMdK36B1X4Blpg3SlUvVS8IxEBTw820FoMZnZRaHByfgrVcSw/chmnPtdNOicmdp7eRlpJ1kGhvztsdsELojkB9aOvr+o4hdeHPq7zVzC+wASGy3G/3ifkKvnbzYvHfbbdA7CMHIL9AIhjvQMDnrWJO9MODWfQLpae4Qql2vZEqhRR8kHwYT2JvBm2U6rU+fLPn8w8T80+E
        }
    }
    type integer
}
ltm data-group internal /Common/appsvcs/dataStore {
    records {
        as3_async_records0 {
            data 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
        }
    }
    type string
}
ltm data-group internal /Common/appsvcs/settings {
    records {
        asyncTaskStorage0 {
            data eNpTSkksSdRNL8ovLVACABrSBDk=
        }
        burstHandlingEnabled0 {
            data eNpLS8wpTgUABhYCDA==
        }
    }
    type string
}
ltm data-group internal /Common/atgTeem/datastore {
    records {
        decc0d99-bd8d-50c9-877b-39830cd0fca40 {
        }
    }
    type string
}
net ipsec ike-daemon /Common/ikedaemon {
    log-publisher /Common/default-ipsec-log-publisher
}
pem global-settings analytics { }
security dos udp-portlist /Common/dos-udp-portlist {
    list-type exclude-listed-ports
}
security firewall config-change-log {
    log-publisher /Common/local-db-publisher
}
sys ecm cloud-provider /Common/aws-ec2 {
    description "The aws-ec2 parameters"
    property-template {
        account { }
        availability-zone {
            valid-values { a b c d }
        }
        instance-type {
            valid-values { t2.micro t2.small t2.medium m3.medium m3.large m3.xlarge m3.2xlarge c3.large c3.xlarge c3.2xlarge c3.4xlarge c3.8xlarge r3.large r3.xlarge r3.2xlarge r3.4xlarge r3.8xlarge }
        }
        region {
            valid-values { us-east-1 us-west-1 us-west-2 sa-east-1 eu-west-1 eu-central-1 ap-southeast-2 ap-southeast-1 ap-northeast-1 }
        }
    }
}
sys ecm cloud-provider /Common/dnet {
    description "The dnet parameters"
}
sys ecm cloud-provider /Common/vsphere {
    description "The vsphere parameters"
    property-template {
        cloud-host-ip { }
        dhcp-network-name { }
        end-point-url { }
        node-name { }
    }
}
sys software update {
    auto-check enabled
    auto-phonehome enabled
    frequency weekly
}
wom endpoint-discovery { }

  1. Update the RPM package to 3.23 or 3.24 on the source BIG-IP system
  2. Use the following cURL to deploy a declaration:
curl -k -u <username>:<password> -X POST -H 'Content-Type: application/json' -H 'Expect:' -d @<acc_output.json> https://<source_ip>/mgmt/shared/appsvcs/declare
  3. Observe the following error message:
{"results":[{"message":"Cannot read property 'forEach' of undefined","host":"localhost","tenant":"Common","code":422},{"message":"Cannot read property 'forEach' of undefined","host":"localhost","tenant":"Common","code":422}],"declaration":{"class":"ADC","schemaVersion":"3.23.0","id":"urn:uuid:633df1ae-3f23-46ff-bd5b-37b5c8ba6fe0","label":"Converted Declaration","remark":"Auto-generated by Project Charon","updateMode":"selective","controls":{"archiveTimestamp":"2020-12-18T05:08:22.300Z"}},"code":422}

Expected Behavior

Status code returned: 200, declaration loaded

Actual Behavior

{"results":[{"message":"Cannot read property 'forEach' of undefined","host":"localhost","tenant":"Common","code":422},{"message":"Cannot read property 'forEach' of undefined","host":"localhost","tenant":"Common","code":422}],"declaration":{"class":"ADC","schemaVersion":"3.23.0","id":"urn:uuid:633df1ae-3f23-46ff-bd5b-37b5c8ba6fe0","label":"Converted Declaration","remark":"Auto-generated by Project Charon","updateMode":"selective","controls":{"archiveTimestamp":"2020-12-18T05:08:22.300Z"}},"code":422}

i5820-DF bigip.conf

The steps to reproduce are the same

#TMSH-VERSION: 12.1.3.5

apm report default-report {
    report-name sessionReports/sessionSummary
    user /Common/admin
}
ltm default-node-monitor {
    rule none
}
ltm node /Common/10.20.1.14 {
    address 10.20.1.14
    monitor /Common/icmp 
}
ltm pool /Common/https_pool {
    members {
        /Common/10.20.1.14:443 {
            address 10.20.1.14
        }
    }
    monitor /Common/http 
}
ltm virtual /Common/https_vs {
    destination /Common/10.10.1.112:443
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/https_pool
    profiles {
        /Common/fips_clientssl {
            context clientside
        }
        /Common/fips_serverssl {
            context serverside
        }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /Common/10.10.1.112 {
    address 10.10.1.112
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm data-group internal /Common/____appsvcs_declaration-1607956478535 {
    description "f5 AS3 declaration (see info in record 0)"
    records {
        0 {
            data "date^2020-12-14T14:34:38.535Z|id^urn:uuid:189cf825-2730-4c21-8059-69b06a2cbe4a|tenants^|blocks^1"
        }
        1 {
            data eNodj71uwzAMhF/F0BwZ+nNqeyuctUCHoEM3WWJrpbIUUFKAIsi7lynAhffd8cA7c9GWwmb2elrYgRW3wW4/AEvIiVTdK90LAsHT1jDNrQU/y3FyX6MauHrRghunJB/FMPHjtIqjVW4FYykU7QqRcktON8AKvjsB9aGtz+sHhtSFP8/yVjP/hgSEyLX+du+YL+Bqt2wW/73t6om9ZQ/kLxAJhhsQcDlVzJF+uDOLbiP1HHYo1e5XsiqhBJeKS3OWZtY0Yz9o88kejz+Cs07B
        }
    }
    type integer
}
ltm data-group internal /Common/appsvcs/dataStore {
    records {
        as3_async_records0 {
        }
    }
    type string
}
ltm data-group internal /Common/appsvcs/settings {
    records {
        burstHandlingEnabled0 {
            data eNpLS8wpTgUABhYCDA==
        }
    }
    type string
}
ltm data-group internal /Common/atgTeem/datastore {
    type string
}
ltm profile client-ssl /Common/fips_clientssl {
    alert-timeout indefinite
    allow-dynamic-record-sizing disabled
    allow-non-ssl disabled
    app-service none
    cache-size 262144
    cache-timeout 3600
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    chain none
    ciphers DEFAULT
    defaults-from /Common/clientssl
    generic-alert enabled
    handshake-timeout 10
    inherit-certkeychain false
    key /Common/default.key
    max-active-handshakes indefinite
    max-aggregate-renegotiation-per-minute indefinite
    max-renegotiations-per-minute 5
    maximum-record-size 16384
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    passphrase none
    peer-no-renegotiate-timeout 10
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-max-record-delay indefinite
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require
    server-name none
    session-mirroring disabled
    session-ticket disabled
    session-ticket-timeout 0
    sni-default false
    sni-require false
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}
ltm profile server-ssl /Common/fips_serverssl {
    alert-timeout indefinite
    app-service none
    cache-size 262144
    cache-timeout 3600
    chain none
    ciphers DEFAULT
    defaults-from /Common/serverssl
    generic-alert enabled
    handshake-timeout 10
    max-active-handshakes indefinite
    mod-ssl-methods disabled
    mode enabled
    options { dont-insert-empty-fragments }
    proxy-ssl disabled
    proxy-ssl-passthrough disabled
    renegotiate-period indefinite
    renegotiate-size indefinite
    renegotiation enabled
    secure-renegotiation require-strict
    server-name none
    session-mirroring disabled
    session-ticket disabled
    sni-default false
    sni-require false
    ssl-forward-proxy disabled
    ssl-forward-proxy-bypass disabled
    ssl-sign-hash any
    strict-resume disabled
    unclean-shutdown enabled
}
net ipsec ike-daemon /Common/ikedaemon {
    log-publisher /Common/default-ipsec-log-publisher
}
pem global-settings analytics { }
security dos udp-portlist /Common/dos-udp-portlist {
    list-type exclude-listed-ports
}
security firewall config-change-log {
    log-publisher /Common/local-db-publisher
}
sys ecm cloud-provider /Common/aws-ec2 {
    description "The aws-ec2 parameters"
    property-template {
        account { }
        availability-zone {
            valid-values { a b c d }
        }
        instance-type {
            valid-values { t2.micro t2.small t2.medium m3.medium m3.large m3.xlarge m3.2xlarge c3.large c3.xlarge c3.2xlarge c3.4xlarge c3.8xlarge r3.large r3.xlarge r3.2xlarge r3.4xlarge r3.8xlarge }
        }
        region {
            valid-values { us-east-1 us-west-1 us-west-2 sa-east-1 eu-west-1 eu-central-1 ap-southeast-2 ap-southeast-1 ap-northeast-1 }
        }
    }
}
sys ecm cloud-provider /Common/dnet {
    description "The dnet parameters"
}
sys ecm cloud-provider /Common/vsphere {
    description "The vsphere parameters"
    property-template {
        cloud-host-ip { }
        dhcp-network-name { }
        end-point-url { }
        node-name { }
    }
}
sys software update {
    auto-check enabled
    auto-phonehome enabled
    frequency weekly
}
wom endpoint-discovery { }

BIG-IP config to AS3 conversion fails: TypeError: origObj[minMonitor].map is not a function

Environment

  • Application Services Version: 3.25
  • BIG-IP Version: 15.1

Summary

The monitors used in this application might not be supported by ACC

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm node /tenant_2/application_2/10.1.20.104 {
    address 10.1.20.104
    metadata {
        references {
            value 1
        }
    }
}
ltm node /tenant_2/application_2/10.1.20.103 {
    address 10.1.20.103
    metadata {
        references {
            value 1
        }
    }
}
ltm virtual-address /tenant_2/application_2/10.1.10.114 {
    address 10.1.10.114
    arp enabled
    inherited-traffic-group true
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm profile tcp-analytics /tenant_2/application_2/Analytics_TCP_Profile {
    app-service none
    collect-city enabled
    collect-continent enabled
    collect-country enabled
    collect-nexthop enabled
    collect-post-code enabled
    collect-region enabled
    collect-remote-host-ip enabled
    collect-remote-host-subnet enabled
    collected-by-client-side enabled
    collected-by-server-side enabled
    collected-stats-external-logging disabled
    collected-stats-internal-logging enabled
    description none
    external-logging-publisher none
}
ltm pool /tenant_2/application_2/Pool {
    members {
        /tenant_2/application_2/10.1.20.103:80 {
            address 10.1.20.103
            monitor min 1 of {
                /Common/tcp
            }
            metadata {
                source {
                    value declaration
                }
            }
        }
        /tenant_2/application_2/10.1.20.104:80 {
            address 10.1.20.104
            monitor min 1 of {
                /Common/tcp
            }
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    min-active-members 1
    monitor min 1 of {
        /Common/tcp
    }
}
ltm virtual /tenant_2/application_2/serviceMain {
    creation-time 2020-10-29:21:49:58
    description myTcpApp1
    destination /tenant_2/application_2/10.1.10.114:80
    ip-protocol tcp
    last-modified-time 2020-11-02:15:56:08
    mask 255.255.255.255
    persist {
        /Common/source_addr {
            default yes
        }
    }
    pool /tenant_2/application_2/Pool
    profiles {
        /Common/f5-tcp-progressive { }
        /tenant_2/application_2/Analytics_TCP_Profile { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
  2. Observe the following error message:
    When using VS-Code extension + ACC
[2021-02-12T17:20:27.035Z] DEBUG: Docker command failed, output, [Error: Command failed: docker run --rm -v /Users/jouhannet/Documents/git:/app/data f5-appsvcs-charon:1.9.0 -o data/converted.as3.json -c data/toConvert.conf --unsupported --unsupported-objects unSupported.json
	at checkExecSyncError (child_process.js:639:11)
	at Object.execSync (child_process.js:675:15)
	at Object.execSync (electron/js2c/asar_bundle.js:5:12113)
	at /Users/jouhannet/.vscode/extensions/f5devcentral.vscode-f5-chariot-0.4.0/out/extension.js:79:34
	at runMicrotasks (<anonymous>)
	at processTicksAndRejections (internal/process/task_queues.js:97:5)] {
  status: 1,
  signal: null,
  output: [
    null,
    <Buffer 45 72 72 6f 72 20 63 6f 6e 76 65 72 74 69 6e 67 20 69 6e 70 75 74 20 66 69 6c 65 2e 20 50 6c 65 61 73 65 20 65 6d 61 69 6c 20 75 73 20 61 74 20 73 6f ... 740 more bytes>,
    <Buffer >
  ],
  pid: 71079,
  stdout: <Buffer 45 72 72 6f 72 20 63 6f 6e 76 65 72 74 69 6e 67 20 69 6e 70 75 74 20 66 69 6c 65 2e 20 50 6c 65 61 73 65 20 65 6d 61 69 6c 20 75 73 20 61 74 20 73 6f ... 740 more bytes>,
  stderr: <Buffer >
}

When using Journeys App + ACC

Error converting input file. Please email us at [email protected] and include the following error:

TypeError: origObj[minMonitor].map is not a function
    at Object.customPostHandling (/app/src/maps/custom/pool.js:86:56)
    at module.exports (/app/src/converter.js:275:57)
    at module.exports (/app/src/main.js:58:23)
    at /app/serve:98:15
    at processTicksAndRejections (node:internal/process/task_queues:93:5)
Server listening on http://localhost:8080 ...    -- this line is from my API wrapper

Expected Behavior

Conversion should succeed.

Actual Behavior

AS3 conversion fails.

Ability to maintain individual pool member state after conversion

Is your feature request related to a problem? Please describe.

ACC currently does not track state of pool members. Also, after the conversion it lumps all pool members together and it is not possible to manage the state of individual pool members together.

As an example, this is how it currently converts the pool members.

image

The downside of this is that you can only enable or disable all pool members at once.

Describe the solution you'd like

I propose that we convert it (if not by default, have an option or flag) as follows. In this case we can enable or disable individual pool members.

image

We should also ensure that pool members which are disabled prior to the conversion remain disabled after.

Add support for username and passwords/passphrases in input

Is your feature request related to a problem? Please describe.

Inside a UCS/config file, there might be passwords and passphrases. The AS3 schema also allows them.

Example for password

ltm monitor https /Common/test_monitor_password {
    adaptive disabled
    defaults-from /Common/https
    destination *:*
    interval 5
    ip-dscp 0
    password $M$OC$bN53XhCrVMTvO2+ZlApH7A==       <========== password
    recv none 
    recv-disable none 
    send "GET /\r\n"
    time-until-up 0
    timeout 16
    username test         <======= username
}

Example for passphrase

sys file ssl-key /Common/f5_api_com.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:f5_api_com.key_62549_1
    passphrase $M$ar$kSub6Kj+2ZgPVwjyu+1JcVQpqQXjUl/qz+y83S25DopF5Seq0QyAFOD9TjD9SnmQZ/GN1HSIBZCA/eI/kJHvJuvV2I0jJQZu8bbykERsfPU=
    revision 1
    source-path file:///config/ssl/ssl.key/f5_api_com.key
}

Describe the solution you'd like

The passwords/passphrases are added to output objects according to AS3 schema:

        "monitorLDAP_nonDefault1": {
          "class": "Monitor",
          "username": "Adm-nM+nkey",   <===== username
          "passphrase": {
            "ciphertext": "ZjVmNQ==",      <===== password
            "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",     <======= see below
            "ignoreChanges": true
          },
          "base": "dc=bigip-test,dc=org",
          "filter": "objectClass=employee"
        },
                "webcert1": {
                    "class": "Certificate",
                    "remark": "replace these with real certificates and keys",
                    "certificate": "...",
                    "chainCA": "...",
                    "privateKey": "...",
                    "passphrase": {
                        "ciphertext": "ZjVmNQ==",      <===== password
                        "protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"  <======= see below
                    }
                },

According to:
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#monitor-radius-passphrase "protected" field description:

So as I understand it: if there is a "$M$" prefix inside the password content, which indicates that SecureVault is used to encrypt the value, then:
"protected"="eyJhbGciOiJkaXIiLCJlbmMiOiJmNXN2In0"
else:
"protected"="eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0"

Regards
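The prefix rule proposed in this issue, as an added example (not ACC code and not part of the original issue): it builds the AS3 passphrase object from a tmsh value and reports passphrase objects whose header decodes to enc "none", where the ciphertext is only base64 (the page's "ZjVmNQ==" decodes to f5f5). The function names, the sample stanza and the choice of padded base64 for the ciphertext are assumptions.

```javascript
// Added example, not ACC source. Function names are hypothetical.
const SECUREVAULT_PREFIX = '$M$'; // prefix the issue associates with SecureVault

// base64url without padding, the form of the page's "protected" values.
function b64url(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(text) {
  const b64 = text.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Collect username/password/passphrase properties from one tmsh stanza.
function readCredentialProps(stanza) {
  const props = {};
  for (const line of stanza.split('\n')) {
    const m = /^\s*(username|password|passphrase)\s+(\S+)\s*$/.exec(line);
    if (m) props[m[1]] = m[2];
  }
  return props;
}

// Build the AS3 passphrase object for one tmsh secret value.
// tmsh writes "none" when no secret is set, so that yields undefined.
function toAs3Passphrase(tmshValue) {
  if (tmshValue === undefined || tmshValue === 'none') return undefined;
  const enc = tmshValue.startsWith(SECUREVAULT_PREFIX) ? 'f5sv' : 'none';
  return {
    // Assumption: ciphertext is padded base64 of the value as written in the
    // config, the same encoding as the page's "ZjVmNQ==" sample.
    ciphertext: Buffer.from(tmshValue, 'utf8').toString('base64'),
    protected: b64url(JSON.stringify({ alg: 'dir', enc })),
  };
}

// Report the path of every passphrase object whose header is not enc "f5sv":
// either enc "none" (secret readable by base64-decoding) or an unreadable header.
function findUnencryptedPassphrases(node, path = '') {
  if (node === null || typeof node !== 'object') return [];
  if (typeof node.ciphertext === 'string' && typeof node.protected === 'string') {
    let enc;
    try {
      enc = JSON.parse(b64urlDecode(node.protected)).enc;
    } catch (err) {
      enc = undefined; // unreadable header: report it as well
    }
    return enc === 'f5sv' ? [] : [path];
  }
  return Object.entries(node).flatMap(
    ([key, value]) => findUnencryptedPassphrases(value, `${path}/${key}`),
  );
}

// Constructed sample: the monitor stanza from the issue, trimmed, without its arrows.
const SAMPLE_MONITOR = [
  'ltm monitor https /Common/test_monitor_password {',
  '    defaults-from /Common/https',
  '    password $M$OC$bN53XhCrVMTvO2+ZlApH7A==',
  '    recv none',
  '    username test',
  '}',
].join('\n');

function convertSampleMonitor() {
  const props = readCredentialProps(SAMPLE_MONITOR);
  return {
    class: 'Monitor',
    username: props.username,
    passphrase: toAs3Passphrase(props.password),
  };
}

// Constructed sample declaration: the page's enc "none" passphrase next to
// the converted SecureVault one.
const SAMPLE_DECLARATION = {
  tenant_1: {
    application_1: {
      monitorLDAP_nonDefault1: {
        class: 'Monitor',
        passphrase: {
          ciphertext: 'ZjVmNQ==',
          protected: 'eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0',
        },
      },
      test_monitor_password: convertSampleMonitor(),
    },
  },
};

console.log(findUnencryptedPassphrases(SAMPLE_DECLARATION));
```

A `$M$` value is encrypted under the source BIG-IP's master key, so a declaration carrying it only works on a system that holds the same key.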

Virtual addresses duplicated in a virtual server

Environment

  • Application Services Version: 1.11.0
  • BIG-IP Version: 15.1.x

Summary

Declaration created by ACC is invalid: virtual server contains duplicated items.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
This is a client UCS archive which cannot be disclosed. Please reach out to @[email protected]
  2. Observe the following error message:

Invalid declaration created by Charon:

            "virt_test": {
                "layer4": "udp",
                "translateServerAddress": false,
                "translateServerPort": false,
                "class": "Service_Forwarding",
                "profileL4": {
                    "use": "/Common/Shared/fasL4_timeout"
                },
                "forwardingType": "ip",
                "virtualAddresses": [
                    [
                        "0.0.0.0/0",
                        "10.10.0.0/16"
                    ],
                    [
                        "0.0.0.0/0",
                        "10.10.0.0/16"
                    ]
                ],
                "virtualPort": 53,
                "allowVlans": [
                    {
                        "bigip": "/Common/test_vlan"
                    }
                ]
            },

Error:

{
    "code": 422,
    "errors": [
        "/tenant_1/application_1/virt_test/virtualAddresses: should NOT have duplicate items (items ## 0 and 1 are identical)"
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

Expected Behavior

There should be no virtual address duplication in the AS3 declaration.

            "virt_test": {
                "layer4": "udp",
                "translateServerAddress": false,
                "translateServerPort": false,
                "class": "Service_Forwarding",
                "profileL4": {
                    "use": "/Common/Shared/fasL4_timeout"
                },
                "forwardingType": "ip",
                "virtualAddresses": [
                    [
                        "0.0.0.0/0",
                        "10.10.0.0/16"
                    ],
                    [
                        "0.0.0.0/0",    # needs to be removed
                        "10.10.0.0/16"  # needs to be removed
                    ]
                ],
                "virtualPort": 53,
                "allowVlans": [
                    {
                        "bigip": "/Common/test_vlan"
                    }
                ]
            },

TLS_Server: invalid properties added to a declaration

Environment

  • Application Services Version: f5devcentral/f5-as3-config-converter:1.14.0
  • BIG-IP Version: 14.1.3

Summary

BIG-IP configuration based on AS3 declaration:
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/examples.html#example-2-https-application (config moved to a partition by PerApp) converted with Charon fails to deploy.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /tenant1/service {
    creation-time 2021-09-06:03:31:41
    description Shared
    destination /tenant1/192.0.2.11:443
    ip-protocol tcp
    last-modified-time 2021-09-06:03:31:41
    mask 255.255.255.255
    persist {
        /Common/cookie {
            default yes
        }
    }
    pool /tenant1/web_pool
    profiles {
        /tenant1/webtls {
            context clientside
        }
        /Common/f5-tcp-progressive { }
        /Common/http { }
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual /tenant1/service-Redirect- {
    creation-time 2021-09-06:03:31:41
    description Shared
    destination /tenant1/192.0.2.11:80
    ip-protocol tcp
    last-modified-time 2021-09-06:03:31:41
    mask 255.255.255.255
    profiles {
        /Common/f5-tcp-progressive { }
        /Common/http { }
    }
    rules {
        /Common/_sys_https_redirect
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
ltm virtual-address /tenant1/192.0.2.11 {
    address 192.0.2.11
    arp enabled
    inherited-traffic-group true
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm profile client-ssl /tenant1/webtls {
    alert-timeout indefinite
    allow-expired-crl disabled
    app-service none
    authenticate once
    c3d-drop-unknown-ocsp-status drop
    c3d-ocsp none
    ca-file none
    cache-timeout 3600
    cert-key-chain {
        set0 {
            cert /tenant1/webcert.crt
            key /tenant1/webcert.key
            passphrase $M$3v$NTE9bBCq+4OO98/qOCXFIw==
        }
    }
    cert-lookup-by-ipaddr-port disabled
    cipher-group none
    ciphers DEFAULT
    client-cert-ca none
    crl-file none
    description none
    hostname-whitelist none
    inherit-ca-certkeychain false
    inherit-certkeychain false
    mode enabled
    ocsp-stapling disabled
    options { dont-insert-empty-fragments no-tlsv1.3 }
    peer-cert-mode ignore
    renegotiation enabled
    retain-certificate true
    server-name none
    sni-default true
    sni-require false
    ssl-c3d disabledsys
    ssl-forward-proxy disabled
    ssl-forward-proxy-bypass disabled
}

sys file ssl-cert /tenant1/webcert.crt {
    cache-path /config/filestore/files_d/Common_d/certificate_d/:Common:Shared:webcert.crt_65092_1
    revision 1
    source-path file:/var/config/rest/downloads/_Common_Shared_webcert.crt
}

sys file ssl-key /tenant1/webcert.key {
    cache-path /config/filestore/files_d/Common_d/certificate_key_d/:Common:Shared:webcert.key_65094_2
    passphrase $M$FW$4CI8auriSvbQj/TUPxmyeA==
    revision 2
    source-path file:/var/config/rest/downloads/_Common_Shared_webcert.key
}

Charon output:

{
    "class": "ADC",
    "schemaVersion": "3.23.0",
    "id": "urn:uuid:613651f1-511e-445e-b31e-141c6fbb2967",
    "label": "Converted Declaration",
    "remark": "Generated by Project Journeys",
    "tenant_1": {
        "class": "Tenant",
        "application_1": {
            "class": "Application",
            "template": "generic",
            "web_pool": {
                "loadBalancingMode": "predictive-node",
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": 80,
                        "serverAddresses": [
                            "192.0.2.12",
                            "192.0.2.13"
                        ],
                        "shareNodes": true
                    }
                ],
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "bigip": "/Common/http"
                    }
                ]
            },
            "webcert": {
                "class": "Certificate",
                "certificate": {
                    "bigip": "/Common/webcert.crt"
                },
                "privateKey": {
                    "bigip": "/Common/webcert.key"
                }
            },
            "webtls": {
                "certificates": [
                    {
                        "certificate": "webcert"
                    }
                ],
                "ciphers": "DEFAULT",
                "remark": "none",
                "forwardProxyBypassAllowlist": "none",
                "enabled": true,
                "class": "TLS_Server"
            },
            "service": {
                "remark": "Shared",
                "layer4": "tcp",
                "persistenceMethods": [
                    "cookie"
                ],
                "pool": "web_pool",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "profileTCP": {
                    "bigip": "/Common/f5-tcp-progressive"
                },
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "serverTLS": "webtls",
                "virtualAddresses": [
                    "192.0.2.11"
                ],
                "snat": "auto"
            }
        }
    }
}
  2. Observe the following deployment error message:
{
    "code": 422,
    "errors": [
        "/tenant_1/application_1/webtls/forwardProxyEnabled: should be equal to constant true"
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

Expected Behavior

Declaration should be deployable.

Actual Behavior

Original declaration of the SSL client profile:

     "webtls": {
       "class": "TLS_Server",
       "certificates": [{
         "certificate": "webcert"
       }]
     },

Charon output:

       "webtls": {
            "certificates": [
                {
                    "certificate": "webcert"
                }
            ],
            "ciphers": "DEFAULT",
            "remark": "none",
            "forwardProxyBypassAllowlist": "none",
            "enabled": true,
            "class": "TLS_Server"
        },

There are some additional properties like: "forwardProxyBypassAllowlist". It should not be present at all, if value is 'none' (if it's present, forwardProxyBypassEnabled needs to be added as well, see https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#tls-server, but anyhow "none" value in that case is incorrect).

Screenshot 2021-08-20 at 11 52 12

Removing forwardProxyBypassAllowlist generates another problem:

{
    "code": 422,
    "errors": [
        "/tenant_1/application_1/webtls: should NOT have additional properties"
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

which is caused by the invalid property: "enabled", which does not exist for TLS_Server. (https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#tls-server)
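A pre-deployment check for the failures reported in this issue and in the duplicated virtual addresses issue above, as an added example (not ACC or AS3 code, and not part of either issue). The rule names, function names and the sample declaration, which is assembled from the converter output quoted in the two issues, are assumptions.

```javascript
// Added example, not ACC or AS3 code. The rules cover only the validation
// failures reported in the two issues above.

// Visit every non-array object in the declaration with its JSON-pointer path.
function walk(node, path, visit) {
  if (node === null || typeof node !== 'object') return;
  if (!Array.isArray(node)) visit(node, path);
  for (const [key, value] of Object.entries(node)) {
    walk(value, `${path}/${key}`, visit);
  }
}

function lintDeclaration(declaration) {
  const findings = [];
  walk(declaration, '', (obj, path) => {
    if (Array.isArray(obj.virtualAddresses)) {
      const firstSeen = new Map();
      obj.virtualAddresses.forEach((item, index) => {
        const key = JSON.stringify(item); // array items compare by value
        if (firstSeen.has(key)) {
          findings.push({
            path: `${path}/virtualAddresses`,
            rule: 'duplicate-items',
            detail: `items ${firstSeen.get(key)} and ${index} are identical`,
          });
        } else {
          firstSeen.set(key, index);
        }
      });
    }
    if (obj.class === 'TLS_Server') {
      if ('enabled' in obj) {
        findings.push({
          path: `${path}/enabled`,
          rule: 'unknown-property',
          detail: 'TLS_Server has no "enabled" property',
        });
      }
      if (obj.forwardProxyBypassAllowlist === 'none') {
        findings.push({
          path: `${path}/forwardProxyBypassAllowlist`,
          rule: 'placeholder-value',
          detail: 'tmsh "none" copied through instead of omitting the property',
        });
      }
    }
  });
  return findings;
}

// Return a cleaned deep copy; the input declaration is left untouched.
function repairDeclaration(declaration) {
  const copy = JSON.parse(JSON.stringify(declaration));
  walk(copy, '', (obj) => {
    if (Array.isArray(obj.virtualAddresses)) {
      const seen = new Set();
      obj.virtualAddresses = obj.virtualAddresses.filter((item) => {
        const key = JSON.stringify(item);
        if (seen.has(key)) return false;
        seen.add(key);
        return true;
      });
    }
    if (obj.class === 'TLS_Server') {
      delete obj.enabled;
      if (obj.forwardProxyBypassAllowlist === 'none') {
        delete obj.forwardProxyBypassAllowlist;
      }
    }
  });
  return copy;
}

// Constructed sample: fragments of the converter output quoted in both issues.
const SAMPLE_CONVERTED = {
  class: 'ADC',
  tenant_1: {
    class: 'Tenant',
    application_1: {
      class: 'Application',
      virt_test: {
        class: 'Service_Forwarding',
        forwardingType: 'ip',
        virtualAddresses: [
          ['0.0.0.0/0', '10.10.0.0/16'],
          ['0.0.0.0/0', '10.10.0.0/16'],
        ],
        virtualPort: 53,
      },
      webtls: {
        certificates: [{ certificate: 'webcert' }],
        ciphers: 'DEFAULT',
        remark: 'none',
        forwardProxyBypassAllowlist: 'none',
        enabled: true,
        class: 'TLS_Server',
      },
    },
  },
};

console.log(lintDeclaration(SAMPLE_CONVERTED));
```

Running the lint again on the output of `repairDeclaration` confirms the three findings are gone; the result still needs review before it is posted to the declare endpoint.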

HTTPS cert/key/chain reference missing in the ACC output

Environment

  • Application Services Version: AS3.25
  • BIG-IP Version: 15.1

Summary

The below example is trying to convert a basic HTTPS app service with a client-ssl profile referenced with cert, keys and chain in /Common. The AS3 config converted references the cert, key and chain in an object which does not exist (/Common/Shared/wildcard_demo_com_nov-2021).

The SSL cert and key should ALWAYS be referenced in the /Common partition as 99% of customers manage their certificates and keys outside the AS3 declaration using a PKI (such as Venafi, Let's Encrypt, etc.). Certificates and keys should never be converted in PEM format.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /afbpath_demo_com/npt_tcp_443_vs/serviceMain {
    connection-limit 10000
    creation-time 2020-09-16:10:14:01
    description npt_tcp_443_vs
    destination /afbpath_demo_com/1.1.1.92:443
    ip-protocol tcp
    last-modified-time 2020-09-16:10:14:01
    mask 255.255.255.255
    pool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_tcp_443_pool
    profiles {
        /Common/demo-https { }
        /Common/demo-tcp-lan {
            context serverside
        }
        /Common/demo-tcp-progressive {
            context clientside
        }
        /Common/wildcard.demo.com_clientssl {
            context clientside
        }
        /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_serverssl {
            context serverside
        }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_snatpool
        type snat
    }
    translate-address enabled
    translate-port enabled
}
ltm pool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_tcp_443_pool {
    load-balancing-mode predictive-member
    members {
        /Common/10.92.224.37:443 {
            address 10.92.224.37
            metadata {
                source {
                    value declaration
                }
            }
        }
    }
    monitor min 1 of { /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_monitor }
    service-down-action reset
}
ltm profile http /Common/demo-https {
    app-service none
    defaults-from /Common/demo-http
    hsts {
        mode enabled
    }
    proxy-type reverse
}
ltm profile tcp /Common/demo-tcp-lan {
    app-service none
    defaults-from /Common/f5-tcp-lan
}
ltm profile tcp /Common/demo-tcp-progressive {
    app-service none
    defaults-from /Common/f5-tcp-progressive
}
ltm profile client-ssl /Common/wildcard.demo.com_clientssl {
    app-service none
    cert-key-chain {
        wildcard_demo_com_nov-2021_DigiCertSHA2SecureServerCA-2020_0 {
            cert /Common/wildcard_demo_com_nov-2021
            chain /Common/DigiCertSHA2SecureServerCA-2020
            key /Common/wildcard_demo_com_nov-2021
        }
    }
    defaults-from /Common/demo_cipher
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
ltm snatpool /afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_snatpool {
    members {
        /afbpath_demo_com/npt_tcp_443_vs/2.2.2.92
    }
}
  2. AS3 converted declaration:
{
    "class": "ADC",
    "schemaVersion": "3.24.0",
    "id": "urn:uuid:8e2c85fd-2292-4acd-a696-4cc2ec65a94a",
    "label": "Converted Declaration",
    "remark": "Auto-generated by Project Charon",
    "afbpath_demo_com": {
        "class": "Tenant",
        "npt_tcp_443_vs": {
            "class": "Application",
            "template": "https",
            "serviceMain": {
                "maxConnections": 10000,
                "remark": "npt_tcp_443_vs",
                "layer4": "tcp",
                "pool": "afbpath_demo_com_npt_tcp_443_pool",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "profileHTTP": {
                    "use": "/Common/Shared/demo-https"
                },
                "profileTCP": {
                    "egress": {
                        "use": "/Common/Shared/demo-tcp-lan"
                    },
                    "ingress": {
                        "use": "/Common/Shared/demo-tcp-progressive"
                    }
                },
                "serverTLS": "wildcard.demo.com_clientssl",
                "redirect80": true,
                "virtualAddresses": [
                    "1.1.1.92"
                ],
                "virtualPort": 443,
                "persistenceMethods": [],
                "snat": {
                    "use": "/afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_snatpool"
                }
            },
            "afbpath_demo_com_npt_tcp_443_pool": {
                "loadBalancingMode": "predictive-member",
                "members": [
                    {
                        "addressDiscovery": "static",
                        "servicePort": 443,
                        "serverAddresses": [
                            "10.92.224.37"
                        ],
                        "shareNodes": true
                    }
                ],
                "serviceDownAction": "reset",
                "class": "Pool",
                "minimumMonitors": 1,
                "monitors": [
                    {
                        "use": "/afbpath_demo_com/npt_tcp_443_vs/afbpath_demo_com_npt_monitor"
                    }
                ]
            },
            "afbpath_demo_com_npt_snatpool": {
                "snatAddresses": [
                    "2.2.2.92"
                ],
                "class": "SNAT_Pool"
            }
        }
    },
    "Common": {
        "class": "Tenant",
        "Shared": {
            "class": "Application",
            "template": "shared",
            "demo-https": {
                "hstsInsert": true,
                "proxyType": "reverse",
                "class": "HTTP_Profile"
            },
            "demo-tcp-lan": {
                "class": "TCP_Profile"
            },
            "demo-tcp-progressive": {
                "class": "TCP_Profile"
            },
            "wildcard.demo.com_clientssl": {
                "certificates": [
                    {
                        "certificate": "/Common/Shared/wildcard_demo_com_nov-2021"
                    }
                ],
                "class": "TLS_Server",
                "tls1_0Enabled": true,
                "tls1_1Enabled": true,
                "tls1_2Enabled": true,
                "tls1_3Enabled": false,
                "singleUseDhEnabled": false,
                "insertEmptyFragmentsEnabled": true
            }
        }
    }
}

Expected Behavior

The SSL cert and key should ALWAYS be referenced in the /Common partition, as 99% of customers manage their certificates and keys outside the AS3 declaration using a PKI (such as Venafi, Let's Encrypt, etc.).

"wildcard.demo.com_clientssl": {
    "class": "TLS_Server",
    "certificates": [
        {
             "certificate": "/Common/Shared/wildcard_demo_com_nov-2021"
        }
    ]
},
"wildcard_demo_com_nov-2021": {
    "class": "Certificate",
    "privateKey": {
        "bigip": "/Common/wildcard_demo_com_nov-2021"
    },
    "certificate": {
        "bigip": "/Common/wildcard_demo_com_nov-2021"
    },
    "chain": {
        "bigip": "/Common/DigiCertSHA2SecureServerCA-2020"
    }
}

Nonexistent property for Service_Generic: vlansEnabled

Environment

  • Application Services Version: f5devcentral/f5-as3-config-converter:1.11.0
  • BIG-IP Version: 15.x

Summary

Charon wrongly converts the VS property vlans-enabled to vlansEnabled instead of allowVlans.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /tenant_1/application_1/test_vs {
    description "Created by Web Configuration Utility for PEM Listener test_vs"
    destination /tenant_1/application_1/0.0.0.0:80
    ip-protocol udp
    mask any
    profiles {
        /Common/classification_pem {
            context clientside
        }
        /tenant_1/application_1/test_profile {
            context clientside
        }
        /Common/udp_decrement_ttl { }
    }
    source 10.10.10.100/32
    source-address-translation {
        pool /Common/cgnat-pool
        type lsn
    }
    translate-address disabled
    translate-port enabled
    vlans-enabled
}
  2. Observe the following error message:
{
    "code": 422,
    "message": "Invalid data property: vlansEnabled"
}

when deploying generated declaration:

 "test_vs": {
                "remark": "Created by Web Configuration Utility for PEM Listener test_vs",
                "layer4": "udp",
                "translateServerAddress": false,
                "translateServerPort": true,
                "vlansEnabled": "",
                "class": "Service_Generic",
                "profileClassification": {
                    "bigip": "/Common/classification_pem"
                },
                "profileEnforcement": {
                    "use": "/tenant_1/application_1/test_profile"
                },
                "virtualAddresses": [
                    [
                        "0.0.0.0/0",
                        "10.10.10.100/32"
                    ]
                ],
                "virtualPort": 80,
                "persistenceMethods": []
            },

Expected Behavior

Instead of vlansEnabled, Charon should use allowVlans, as per the documentation for Service_Generic: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#service-generic

Actual Behavior

Charon converts vlans-enabled to vlansEnabled instead of allowVlans property.

Properties with default values in AS3 schema should not be added in the converted AS3 declaration by ACC

Environment

  • Application Services Version: 3.24
  • BIG-IP Version: 16.0

Summary

translateServerAddress, translateServerPort, layer4 and snat are by default set to true in the AS3 schema, so they should not be added to the generated AS3 declaration by ACC.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /Common/BCA_VS_FTP {
    creation-time 2021-02-01:19:22:20
    destination /Common/10.8.239.182:21
    ip-protocol tcp
    last-modified-time 2021-02-01:19:25:14
    mask 255.255.255.255
    pool /Common/BCA_Pool_FTP
    profiles {
        /Common/Epic_TCP {
            context clientside
        }
        /Common/f5-tcp-wan {
            context serverside
        }
    }
    rules {
        /Common/BCA_FTP_Whitelist
    }
    serverssl-use-sni disabled
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}
  2. Generated the following AS3 declaration:
            "BCA_VS_FTP": {
                "layer4": "tcp",
                "pool": "BCA_Pool_FTP",
                "iRules": [
                    {
                        "use": "/Common/Shared/BCA_FTP_Whitelist"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_TCP",
                "profileTCP": {
                    "ingress": {
                        "use": "/Common/Shared/Epic_TCP"
                    }
                },
                "virtualAddresses": [
                    "10.8.239.182"
                ],
                "virtualPort": 21,
                "persistenceMethods": [],
                "snat": "auto"
            },

Expected Behavior

"translateServerAddress": true, "translateServerPort": true, "layer4": "tcp" and "snat": "auto" should not be included in the output.

see AS3 schema reference https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html#service-tcp.

  • translateServerAddress (boolean) | true | true, false | If true (default), make server-side connection to server address (otherwise, treat server as gateway to virtual-server address)
  • translateServerPort (boolean) | true | true, false | If true (default), make server-side connection to server port (otherwise, connect to server on virtual-server port)
  • layer4 (string) | “tcp” | “tcp” | For TCP virtual server, Layer 4 protocol must be TCP
  • snat (string | Service_TCP_snat) | “auto” | “none”, “self”, “auto”, - | Name of built-in SNAT method or AS3 pointer to SNAT pool. If ‘self’, the system uses the virtual-server address as SNAT address

Actual Behavior

"translateServerAddress": true, "translateServerPort": true, "layer4": "tcp" and "snat": "auto" are included in the AS3 declaration generated by ACC.

Error extracting specified UCS, please check the filepath

Environment

  • Application Services Version: tried both v1.13.0 and v1.14.0
  • BIG-IP Version: 14.1.4.3

Summary

I am trying to convert my UCS file for the first time on my Redhat 7.8 box, but I am constantly getting this extraction error.
The UCS file should be ok. I sent the file to my F5 account rep and he is able to convert it.

Steps To Reproduce

Steps to reproduce the behavior:
Run the command:
sudo docker run --rm -v "$PWD":/app/data f5-as3-config-converter:v1.14.0 -o data/test.json -u data/uw2-arm-cld-01-ltm-qut-a0_before_AS3.ucs

I also tried different paths. Is the path here for the UCS file "data/xxx" the path for my OS, or the path inside the docker image?
Please help. Thanks!

sudo docker run --rm -v "$PWD":/app/data f5-as3-config-converter:v1.14.0 -o /home/difzhao/test.json -u /home/difzhao/uw2-arm-cld-01-ltm-qut-a0_before_AS3.ucs

Expected Behavior

I expect a converted JSON file to be generated

Actual Behavior

2021-09-01 23:02:47 ERROR Error extracting specified UCS, please check the filepath.

[RFE] Support qkview as an input

Is your feature request related to a problem? Please describe.

It would be easier for F5 PS and Sales team to use the tool if it could take qkview as an input.

Describe the solution you'd like

Add an option to take a qkview as an input in addition to the conf/SC or UCS.

Received a fatal error looking for a property that doesn't seem to exist

Environment

  • AS3 v 3.29.0:
  • BIG-IP Version: 15.1.2

Summary

Attempting to convert a configuration file, I receive a "cannot read property '' of undefined" error. I removed an iRule line that referenced the vs-name in question and reran the ACC. This time, I received:
2021-07-07 17:52:44 ERROR Error parsing input file. Please email us at [email protected] and include the following error:

(node:1) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'length' of undefined
at groupObjects (/app/src/parse.js:182:52)
at module.exports (/app/src/parse.js:262:27)
at mainRunner (/app/src/main.js:40:18)
at main (/app/src/main.js:129:30)
at Object.<anonymous> (/app/init.js:27:8)
at Module._compile (internal/modules/cjs/loader.js:1085:14)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1114:10)
at Module.load (internal/modules/cjs/loader.js:950:32)
at Function.Module._load (internal/modules/cjs/loader.js:790:14)
at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:76:12)
(Use node --trace-warnings ... to show where the warning was created)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

As it occurs every time with this configuration, I am happy to provide the bigip.conf file or the full UCS. I cannot suggest otherwise how to reproduce.

Steps To Reproduce

Do not add reference path to the objects residing in the same tenant

Environment

  • Application Services Version: 1.11.0
  • BIG-IP Version: 15.1.2.1-0.0.3.0

Summary

When Charon creates tenant/application, certs and iRules have full path references inside the same tenant ("certificate": "tenant_2/application_2/certificate_default"), which causes deployment error.

    "tenant_2": {
        "class": "Tenant",
        "application_2": {
            "class": "Application",
            "template": "generic",
            "certificate_default": {
                "class": "Certificate",
                "certificate": {
                    "bigip": "/Common/default.crt"
                },
                "privateKey": {
                    "bigip": "/Common/default.key"
                }
            },
            "prof-clientssl": {
                "certificates": [
                    {
                        "certificate": "tenant_2/application_2/certificate_default"
                    }
                ],
                "class": "TLS_Server",
                "insertEmptyFragmentsEnabled": true
            },
            "VS-test": {
                "layer4": "tcp",
                "iRules": [
                    {
                        "use": "/tenant_2/application_2/failover-irule"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "serverTLS": "prof-clientssl",
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "profileTCP": {
                    "bigip": "/Common/tcp"
                },
                "redirect80": false,
                "virtualAddresses": [
                    "10.146.146.146"
                ],
                "persistenceMethods": [],
                "snat": "none",
                "allowVlans": [
                    {
                        "bigip": "/Common/vlan-test"
                    }
                ]
            },
            "failover-irule": {
                "class": "iRule",
                "iRule": {
                    "base64": "NotAllowedToBeDisclosed"
                }
            }
        }
    },


(icr_output)\njourneys.errors.AS3DeclarationDeploymentError: iControl REST error: code: 422, message: declaration is invalid, errors: ['/tenant_2/application_2/prof-clientssl/certificates/0/certificate: contains path to non-existent object tenant_2']",

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /tenant_2/application_2/VS-test {
    destination /tenant_2/application_2/10.146.146.146:443
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        /tenant_2/application_2/prof-clientssl {
            context clientside
        }
        /Common/http { }
        /Common/tcp { }
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        /Common/vlan-test
    }
    vlans-enabled
}
ltm virtual-address /tenant_2/application_2/10.146.146.146 {
    address 10.146.146.146
    arp enabled
    icmp-echo enabled
    mask 255.255.255.255
    traffic-group /Common/traffic-group-1
}
ltm profile client-ssl /tenant_2/application_2/prof-clientssl {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    chain none
    defaults-from /Common/clientssl
    inherit-certkeychain true
    key /Common/default.key
    sni-default true
}
  2. Observe the following error message:
(icr_output)\njourneys.errors.AS3DeclarationDeploymentError: iControl REST error: code: 422, message: declaration is invalid, errors: ['/tenant_2/application_2/prof-clientssl/certificates/0/certificate: contains path to non-existent object tenant_2']",

Expected Behavior

Declaration should look like this:

    "tenant_2": {
        "class": "Tenant",
        "application_2": {
            "class": "Application",
            "template": "generic",
            "certificate_default": {
                "class": "Certificate",
                "certificate": {
                    "bigip": "/Common/default.crt"
                },
                "privateKey": {
                    "bigip": "/Common/default.key"
                }
            },
            "prof-clientssl": {
                "certificates": [
                    {
                        "certificate": "certificate_default"   # instead of: "certificate": "tenant_2/application_2/certificate_default"
                    }
                ],
                "class": "TLS_Server",
                "insertEmptyFragmentsEnabled": true
            },
            "VS-test": {
                "layer4": "tcp",
                "iRules": [
                    {
                        "use": "failover-irule"    # instead of:  "use": "/tenant_2/application_2/failover-irule"
                    }
                ],
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_HTTPS",
                "serverTLS": "prof-clientssl",
                "profileHTTP": {
                    "bigip": "/Common/http"
                },
                "profileTCP": {
                    "bigip": "/Common/tcp"
                },
                "redirect80": false,
                "virtualAddresses": [
                    "10.146.146.146"
                ],
                "persistenceMethods": [],
                "snat": "none",
                "allowVlans": [
                    {
                        "bigip": "/Common/vlan-test"
                    }
                ]
            },
            "failover-irule": {
                "class": "iRule",
                "iRule": {
                    "base64": "NotAllowedToBeDisclosed"
                }
            }
        }
    },

policyEndpoint references missing Application class name

Environment

  • Application Services Version: 1.11.0

Summary

When virtuals have ltm policies attached, the resulting AS3 config is an Endpoint_Policy class object in /Common/Shared and a "policyEndpoint" property in the Service class object. ACC is specifying policyEndpoint without "Shared" (the Application class name). i.e. "policyEndpoint": "/Common/xxx" should be "policyEndpoint": "/Common/Shared/xxx"

Unsupported ltm node

Environment

  • AS3 converter: 1.11.0-RC1 used as service with "serve" flag

Summary

When passing ltm node to ACC converter, I got this as unsupported. I figured it out by altering the code and forcing printing of unsupported objects to the output, because of the first issue.

Steps To Reproduce

Steps to reproduce the behavior:
bigip.conf.zip
Convert attached bigip.conf to observe the issue

docker run --rm -v "$PWD":/app/data f5-as3-config-converter:1.11.0-RC1 -o test.json -c /data/bigip.conf --unsupported

Expected Behavior

"ltm node" should not be classified as unsupported

UnhandledPromiseRejectionWarning

Environment

  • Application Services Version: v1.14.0
  • BIG-IP Version: 15.1.2.1 Build 0.0.10 Point Release 1

Summary

docker run --rm -v C:\Docker-F5\app\data:/app/data f5-as3-config-converter:v1.14.0 -o data/output.json -c data/input.conf
or
docker run --rm -v C:\Docker-F5\app\data:/app/data f5-as3-config-converter:v1.14.0 -o data/output.json -u data/input.ucs

Steps To Reproduce

Steps to reproduce the behavior:

1. Attempt to run either of the following commands:
docker run --rm -v C:\Docker-F5\app\data:/app/data f5-as3-config-converter:v1.14.0 -o data/output.json -c data/input.conf
or
docker run --rm -v C:\Docker-F5\app\data:/app/data f5-as3-config-converter:v1.14.0 -o data/output.json -u data/input.ucs
  2. Observe the following error message:
(node:1) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'properties' of undefined
    at findSchemaDefault (/app/src/removeDefaultValues.js:32:39)
    at /app/src/removeDefaultValues.js:64:33
    at Array.forEach (<anonymous>)
    at matchDefaults (/app/src/removeDefaultValues.js:62:10)
    at /app/src/removeDefaultValues.js:83:20
    at Array.forEach (<anonymous>)
    at findProfiles (/app/src/removeDefaultValues.js:79:10)
    at /app/src/removeDefaultValues.js:81:24
    at Array.forEach (<anonymous>)
    at findProfiles (/app/src/removeDefaultValues.js:79:10)
(Use `node --trace-warnings ...` to show where the warning was created)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Expected Behavior

Conversion json is created.

Actual Behavior

Conversion fails.
(node:1) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'properties' of undefined
at findSchemaDefault (/app/src/removeDefaultValues.js:32:39)
at /app/src/removeDefaultValues.js:64:33
at Array.forEach (<anonymous>)
at matchDefaults (/app/src/removeDefaultValues.js:62:10)
at /app/src/removeDefaultValues.js:83:20
at Array.forEach (<anonymous>)
at findProfiles (/app/src/removeDefaultValues.js:79:10)
at /app/src/removeDefaultValues.js:81:24
at Array.forEach (<anonymous>)
at findProfiles (/app/src/removeDefaultValues.js:79:10)
(Use node --trace-warnings ... to show where the warning was created)
(node:1) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 2)
(node:1) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Empty SSL certificates

Environment

  • Application Services Version: N/A
  • BIG-IP Version: N/A

Summary

ACC returns an empty certificate object for certificates other than default one.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
    example.txt

  2. Observe the following output:
    (No error is issued)

Expected Behavior

Expected output would be something like:

"Symantec_Class_3_Extended_Validation_SHA256_SSL_CA_2023": {
   "class": "Certificate",
   "certificate": {
      "bigip": "/Common/warenkorb.otto.de-2018.crt"
   },
   "privateKey": {
      "bigip": "/Common/warenkorb.otto.de-2017.key"
   }
}

Actual Behavior

"warenkorb_otto_de_2018": {
   "class": "Certificate"
},
"Symantec_Class_3_Extended_Validation_SHA256_SSL_CA_2023": {
   "class": "Certificate"
},

Remark field should match format \"f5remark\"

Environment

  • Application Services Version:
    {
    "version": "3.25.0",
    "release": "3",
    "schemaCurrent": "3.25.0",
    "schemaMinimum": "3.0.0"
    }
  • BIG-IP Version:
    [root@journeys-test-system:/S2-green-P::Active:Standalone] restnoded # cat /VERSION
    Product: BIG-IP
    Version: 14.1.3
    Build: 0.0.7
    Sequence: 14.1.3-0.0.7.0
    BaseBuild: 0.0.7
    Edition: Final

VELOS platform

Summary

If an object has a description, it is translated into "remark" in AS3 declaration.
Description of the object in BIG-IP does not have a specific format, but the "remark" field does.
This leads to situations where the AS3 declaration cannot be deployed successfully, because an error occurs.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert following config:
ltm virtual /Common/pem_listeners_ANY_IP {
    creation-time 2020-11-26:03:53:43
    **description** "Created by Web Configuration Utility for PEM Listener pem_listeners"
    destination /Common/10.144.18.36:0
    last-modified-time 2020-11-26:03:53:43
    mask 255.255.255.255
    profiles {
        /Common/classification_pem {
            context clientside
        }
        /Common/ipother { }
        /Common/pem_listeners_pem_profile {
            context clientside
        }
    }
    source 0.0.0.0/24
    translate-address enabled
    translate-port disabled
}

ltm rule /Common/validation_rule {

    when CLIENT_ACCEPTED {
         set hsludp {[HSL::open -proto UDP -pool /Common/just_pool]
    }
}
  2. Observe the following error message:

No error from Charon - Charon successfully translates config into AS3, because it does not validate remark format.

Error while deploying AS3 declaration:

Thu, 28 Jan 2021 15:33:11 GMT - warning: [appsvcs] {"status":422,"message":"declaration is invalid","errors":["/tenant1/application_1/pem_listeners_L4_2/remark: should match format \"f5remark\""],"level":"warning"}
{
    "code": 422,
    "errors": [
        "/tenant1/application_1/pem_listeners_L4_2/remark: should match format \"f5remark\""
    ],
    "declarationFullId": "",
    "message": "declaration is invalid"
}

Expected Behavior

Charon should validate "Description" properties of the config objects.

Actual Behavior

Charon does not validate "Description" properties and translates it into "remark" fields, creating invalid declaration.
FYI: invalid description in the example is created automatically by the BIG-IP configuration Utility.
