BigFix Server Automation controlling F5 load balancer?

I was asked if SA can send commands to an F5 load balancer? I was thinking about using one of my Windows jump boxes to send commands but… anything I send from a Windows workstation will need the F5 passwords in the action script. I will never get away with this.
If I can get this to work we will be able to take servers offline to patch without any loss of services.

Any ideas?
Frank Cruson

Hi Frank,

Yes, it is possible, but requires some work. We hit the same problem ourselves all the time, and the way we work around this is with the use of Advanced Parameter forms in our fixlet description sections. Take a look at some of our fixlets - fixlet #554 on the SA site would be one such example. The advanced parameter JavaScript library is made available by fixlet #1826 on the BES Support site.

For the sensitive fields, the plan engine uses the <SecureParameter> element in the action XML it generates for the step when creating the action on the system. This way, the password does not appear in the actionscript, nor in the list of action parameters in the console.

You can find out more about this by visiting this page:
https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/Tivoli%20Endpoint%20Manager/page/Creating%20parameterized%20fixlets

Cheers,
Paul.

1 Like

Hi Frank
If you can drive the F5 API from a computer that has the BigFix agent then you can do it.
As @Paul_Curran says you can secure the F5 credentials with our Mailbox and secure parameters feature.

1 Like

Just to provide some additional info relative to the security concerns about including passwords in actionscript, the use of secure parameters will ensure that the password is protected in transit (on relays, over the wire, etc). It also means that the values will be in encrypted form if someone were to look at the actionscript on the endpoint. But the endpoint also has the key necessary to decrypt the secure parameters, so if someone has admin authority on the endpoint, they would have access to everything needed to decrypt and see the value of the secure parameter.

I still agree that this is the right approach to automate the F5 (or any other 3rd-party component via API), but you may need to still limit admin access to the jump box, or see if the F5 allows for certificate-based authentication for its API.

2 Likes
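
An added example, not code from this thread or from BigFix content: driving the F5 iControl REST API from the jump box so that the password is used once to obtain a token and never appears on the command line. It assumes the action exposes the credentials to the script as the environment variables F5_USER and F5_PASSWORD (hypothetical names) and that the account uses the `tmos` login provider; host, pool and member values are placeholders.

```python
import json
import os
import sys
import urllib.request


def member_url(host, partition, pool, member):
    """iControl REST path of one pool member; '/' in object names is written '~'."""
    return (f"https://{host}/mgmt/tm/ltm/pool/~{partition}~{pool}"
            f"/members/~{partition}~{member}")


def https_json(method, url, body, headers):
    """Default transport: JSON over HTTPS with normal certificate validation."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def set_member_session(host, user, password, pool, member, enable,
                       partition="Common", send=https_json):
    """Log in once for a token, then enable or disable one pool member."""
    login = send("POST", f"https://{host}/mgmt/shared/authn/login",
                 {"username": user, "password": password,
                  "loginProviderName": "tmos"}, {})
    token = login["token"]["token"]
    # user-disabled: no new connections, active and persistent ones continue
    body = {"session": "user-enabled" if enable else "user-disabled"}
    # Only the token travels with the change request, not the password
    return send("PATCH", member_url(host, partition, pool, member), body,
                {"X-F5-Auth-Token": token})


if __name__ == "__main__":
    # Usage: f5_member.py <host> <pool> <member ip:port> <enable|disable>
    host, pool, member, action = sys.argv[1:5]
    # Assumption: credentials arrive in the environment, never in argv
    user = os.environ["F5_USER"]
    password = os.environ.pop("F5_PASSWORD")  # not inherited by child processes
    result = set_member_session(host, user, password, pool, member,
                                action == "enable")
    print(result.get("session"))
```
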

Hi Paul,
Thanks for the information!!! We are not on the latest version of SA. Our latest upgrade was back on 9/22/15. I do not see the fixlets listed #1826 or #554. Are these ones I need to download and install?
Frank

Hi Frank,

Fixlet #1826 is actually on the BES Support site, so you should have access to that, but fixlet #554 would be new in our latest release from last Friday:

Neither fixlet really has an installable component - in fact fixlet #1826 is really just a wrapper around the JS content (if you export the fixlet and look at it in a text editor, you’ll see what I mean). Save the JS content to a separate file and then take a look at the guide in the link I posted above for how to use it.

I can send you fixlet #554 in a message separately so you can take a look at it as an example of how the library can be used until you upgrade and have access to it yourself.

Cheers,
Paul.

Yes, please send me #554. I have someone here that would like to see an example.
Thank you
Frank

1 Like