f5devcentral / f5-automation-config-converter

Convert BIG-IP configs to AS3 and DO declarations
https://clouddocs.f5.com/products/extensions/f5-automation-config-converter/latest/
Apache License 2.0

Issue with service class definition. #58

Closed LukaszBrzoskof5 closed 3 years ago

LukaszBrzoskof5 commented 3 years ago

Environment

Summary

Converter tool does not properly adjust class

Steps To Reproduce

Steps to reproduce the behavior:

  1. Convert the following config:
    
    ltm node /CCP_200_11/application_1/node_1_v4 {
        address 1.1.1.3
    }
    ltm pool /CCP_200_11/application_1/p_pool_v4_993 {
        members {
            /CCP_200_11/application_1/node_2_v4:993 {
                address 1.1.1.2
            }
            /CCP_200_11/application_1/node_1_v4:993 {
                address 1.1.1.3
            }
        }
        monitor /Common/tcp
        service-down-action reset
    }
    ltm virtual /CCP_200_11/application_1/vs_owa_ltm_v4_993 {
        destination /CCP_200_11/application_1/10.10.11.11%200:993
        ip-protocol tcp
        mask 255.255.255.255
        pool /CCP_200_11/application_1/p_pool_v4_993
        profiles {
            /CCP_200_11/application_1/clientssl_owa_prof {
                context clientside
            }
            /Common/serverssl-insecure-compatible {
                context serverside
            }
            /Common/tcp-lan-optimized { }
        }
        serverssl-use-sni disabled
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
        vlans {
            /Common/ccp_200_external
        }
        vlans-enabled
    }
    ltm profile client-ssl /CCP_200_11/application_1/clientssl_owa_prof {
        app-service none
        cert /Common/default.crt
        cert-key-chain {
            exchange_Chain {
                cert /Common/default.crt
                key /Common/default.key
            }
        }
        defaults-from /Common/clientssl
        inherit-ca-certkeychain true
        inherit-certkeychain false
        key /Common/default.key
        passphrase none
    }
    ltm virtual-address /CCP_200_11/application_1/10.10.11.11%200 {
        address 10.10.11.11
        arp enabled
        icmp-echo enabled
        mask 255.255.255.255
        traffic-group /Common/traffic-group-1
    }
    ltm node /CCP_200_11/application_1/node_2_v4 {
        address 1.1.1.2
    }
  2. Observe the following error message:

    brzosko@WRW-ML-00011994 ~/Downloads/AS3/test_manual curl -k -u admin:admin -X POST -H "Content-Type: application/json" -H "Expect:" -d "@owa_charon_as3.json" https://10.171.22.210/mgmt/shared/appsvcs/declare | jq
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2267  100   511  100  1756    391   1344  0:00:01  0:00:01 --:--:--  1735
    {
      "results": [
        {
          "message": "Expected 'clientssl_owa_prof' to be an absolute path. This may have happened because serverTLS was applied to a Service that does not support it.",
          "host": "localhost",
          "tenant": "CCP_200_11",
          "code": 422
        }
      ],
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.30.0",
        "id": "urn:uuid:de3f3f13-1508-4d44-854f-c0d3a632a318",
        "label": "Converted Declaration",
        "remark": "Auto-generated by AS3 Config Converter",
        "updateMode": "selective",
        "controls": {
          "archiveTimestamp": "2021-09-28T12:38:16.046Z"
        }
      },
      "code": 422
    }



Expected Behavior

See more on: https://github.com/F5Networks/f5-appsvcs-extension/issues/517

Conversion should use the Service_TCP class instead of Service_Generic, as the last one does not support TLS_Server.

Actual Behavior

Conversion is done to Service_Generic, which results in declaration deployment failure.

mdditt2000 commented 3 years ago

@LukaszBrzoskof5 service generic is fine. ACC is going to provide you with a framework which you need to customize and make the modification to deploy to AS3. I will consult the team to determine if there are any modifications.

mdditt2000 commented 3 years ago

@p-semenov-f5 did additional testing and ACC is doing the correct conversion for AS3

I also did additional testing and found that the AS3 below is valid for each service below with Service_Generic or Service_TCP.

{
    "class": "ADC",
    "schemaVersion": "3.31.0",
    "id": "urn:uuid:5fb664b1-457a-44e6-89f0-0e61c6a417f8",
    "label": "Converted Declaration",
    "remark": "Auto-generated by AS3 Config Converter",
    "AS3_Tenant": {
        "class": "Tenant",
        "AS3_Application": {
            "class": "Application",
            "template": "generic",
            "test_server_1": {
                "layer4": "tcp",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_Generic",
                "clientTLS": {
                    "bigip": "/Common/serverssl"
                },
                "profileTCP": {
                    "bigip": "/Common/tcp-lan-optimized"
                },
                "virtualAddresses": [
                    "10.10.23.21"
                ],
                "virtualPort": 88,
                "persistenceMethods": [],
                "snat": "auto"
            },
            "test_server_2": {
                "layer4": "tcp",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_Generic",
                "serverTLS": {
                    "bigip": "/Common/clientssl"
                },
                "profileTCP": {
                    "bigip": "/Common/tcp-lan-optimized"
                },
                "virtualAddresses": [
                    "10.10.23.22"
                ],
                "virtualPort": 88,
                "persistenceMethods": [],
                "snat": "auto"
            },
            "test_server_3": {
                "layer4": "tcp",
                "translateServerAddress": true,
                "translateServerPort": true,
                "class": "Service_Generic",
                "profileTCP": {
                    "bigip": "/Common/tcp-lan-optimized"
                },
                "virtualAddresses": [
                    "10.10.23.23"
                ],
                "virtualPort": 88,
                "persistenceMethods": [],
                "snat": "auto"
            }
        }
    }
}

So it is not a hard requirement here for service generic to not allow TLS. I think it is not a bug.

mdditt2000 commented 3 years ago

This issue can be closed as wontfix. Working as designed.

lukaszbrzosko commented 3 years ago

Just did an additional quick test; it looks like the problem manifests if we use a defined serverTLS class like in the first example:

"certificate_default": {
    "class": "Certificate",
    "certificate": {
        "bigip": "/Common/default.crt"
    },
    "privateKey": {
        "bigip": "/Common/default.key"
    }
},
"clientssl_owa_prof": {
    "certificates": [
        {
            "certificate": "certificate_default"
        }
    ],
    "class": "TLS_Server",
    "insertEmptyFragmentsEnabled": true
}

and use it in VS config: "serverTLS": "clientssl_owa_prof",

If I use the default instead:

"serverTLS": {
    "bigip": "/Common/clientssl"
},

This is indeed working ok.

Then the problem is related to the way serverTLS is defined.
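
A pre-deployment check for the combination this thread reports as failing with code 422, added here as an example and not taken from the converter or AS3 projects: it walks a declaration and lists every Service_Generic whose serverTLS or clientTLS is a bare object name rather than a `{"bigip": ...}` reference. The function names and the sample declaration are constructed for illustration.

```python
import json

# Constructed sample mirroring the thread: one service references a TLS_Server
# object by name, the other references an existing BIG-IP profile.
SAMPLE = json.loads("""
{
  "class": "ADC",
  "schemaVersion": "3.30.0",
  "CCP_200_11": {
    "class": "Tenant",
    "application_1": {
      "class": "Application",
      "template": "generic",
      "vs_owa_ltm_v4_993": {"class": "Service_Generic", "virtualPort": 993,
                            "serverTLS": "clientssl_owa_prof"},
      "vs_default_tls": {"class": "Service_Generic", "virtualPort": 993,
                         "serverTLS": {"bigip": "/Common/clientssl"}},
      "clientssl_owa_prof": {"class": "TLS_Server",
                             "certificates": [{"certificate": "certificate_default"}]}
    }
  }
}
""")

def children(obj, cls):
    """Yield (name, value) for dict members whose "class" equals cls."""
    for name, value in obj.items():
        if isinstance(value, dict) and value.get("class") == cls:
            yield name, value

def find_named_tls_on_generic(declaration):
    """Return (service path, property, referenced name) for each Service_Generic
    whose serverTLS/clientTLS is a string instead of a {"bigip": ...} object."""
    findings = []
    for tenant, t in children(declaration, "Tenant"):
        for app, a in children(t, "Application"):
            for svc, s in children(a, "Service_Generic"):
                for prop in ("serverTLS", "clientTLS"):
                    if isinstance(s.get(prop), str):
                        findings.append((f"/{tenant}/{app}/{svc}", prop, s[prop]))
    return findings

if __name__ == "__main__":
    for path, prop, ref in find_named_tls_on_generic(SAMPLE):
        print(f"{path}: {prop} -> '{ref}' (named object on Service_Generic)")
```

Running it against converter output before the POST to `/mgmt/shared/appsvcs/declare` points at the exact service to review.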