Wednesday, September 25, 2013

Openssl commands


Some Useful Openssl Commands


http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip9_0cli/BIG_IP9_0XCLIGuide2-5-1.html

Read content of a cert:

openssl x509 -text -in server.crt

Read content of a CSR:
openssl req -in server.csr -noout -text

Check whether a key has a password:
openssl rsa -in keyfile.key    [if it prompts for a password, the key was created with a password]

Check if a cert and key match:
The MD5 sums printed by the two commands below must be identical for the cert and key to be a pair:

openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in keyfile.key | openssl md5

Creating a self-signed SSL certificate:
Create a private key:
openssl genrsa -des3 -out server.key 2048   [we can choose whether or not to protect the key with a password;
                                              if no password is required, just press Enter without typing one]


Generating a certificate signing request (CSR):
openssl req -new -key server.key -out server.csr
               
It prompts for the following:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, application’s name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Creating the certificate:
openssl x509 -req -days <no.of days> -in server.csr -signkey server.key -out server.crt

Example: if a certificate valid for one year is needed, the command is:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Testing an SSL connection with openssl:
If a VIP or server IP is configured on a port with an SSL certificate attached to it, telnet cannot be used to test content on it (for checking ECV monitors) the way it can on plain HTTP VIPs/server IPs. In these cases openssl can be used instead:
openssl s_client -connect <ip>:<port>
This opens an SSL connection to the server and prints the certificate it presents. At the prompt we can type the GET line, Host header etc. to test the content on the VIP/server IP.

 --------------------------------------------------------------------------------------------------------------------------

Getting the certificate dates

echo | openssl s_client -connect remotedeposit-cit2.bankofamerica.com:443 2>/dev/null | openssl x509 -noout -dates
or  

curl -kv https://abc.example.com 2>&1 | grep expire
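The commands from the self-signed certificate, cert/key matching and certificate-dates sections above, put together as one runnable script. This is an added example, not part of the original post: it builds a throwaway key, CSR and certificate in a temp directory (the subject is made up), compares the RSA modulus MD5s to confirm the pair, and uses openssl's -checkend option to turn the notAfter date into a yes/no expiry check.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway key, CSR and
# self-signed certificate (the post's commands, run non-interactively), then
# checks cert/key pairing by modulus MD5 and expiry with openssl's -checkend.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key without -des3, so it has no passphrase and nothing below prompts.
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
# CSR: -subj replaces the interactive Country/State/CN prompts (subject is made up).
openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/C=GB/O=Example Ltd/CN=www.example.test" 2>/dev/null
# Self-signed certificate valid for one year, exactly as in the post.
openssl x509 -req -days 365 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -out "$WORK/server.crt" 2>/dev/null
# An unrelated key, to show what a mismatch looks like.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# cert_key_match CERT KEY -> prints "match" or "MISMATCH".
# Compares the MD5 of the RSA modulus from each file, as the post describes.
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    if [ "$cert_mod" = "$key_mod" ]; then echo match; else echo MISMATCH; fi
}

# cert_expires_within CERT SECONDS -> prints "yes" if notAfter falls inside
# the next SECONDS seconds, else "no". -checkend exits 1 when it will expire.
cert_expires_within() {
    if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

cert_key_match "$WORK/server.crt" "$WORK/server.key"   # match
cert_key_match "$WORK/server.crt" "$WORK/other.key"    # MISMATCH
openssl x509 -noout -dates -in "$WORK/server.crt"      # notBefore / notAfter
cert_expires_within "$WORK/server.crt" 2592000         # no  (30 days)
cert_expires_within "$WORK/server.crt" 34560000        # yes (400 days)
```

To check a live server the same way, replace the local file with the output of the echo | openssl s_client ... | openssl x509 pipeline shown above.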

 


GUI | https is giving error on F5

You can try restarting the httpd and tomcat services by running the following commands:

# bigstart stop httpd

# bigstart restart tomcat

# bigstart start httpd

Friday, September 13, 2013

F5 imp commands

Frequently used commands in day-to-day operation: v9.x and 10.x


top - to check CPU states, memory and swap

df - to check disk utilization

du -sH * - to check the size of the files in a particular directory. E.g. cd /var, then du -sH *; it will show the disk size of everything inside /var.

b interface show - to get the up/down status of all interfaces

b vlan show - to check VLAN members, the related trunk and interfaces, and, more importantly, the traffic on a particular interface in (pkts, bits, errs) format.

b fo show - to check the failover active time

ifconfig - to check interface configuration, such as the Ethernet port, IP and subnet mask.

b mgmt route - to get the gateway of the device

b mgmt show - management IP and netmask.

route - to check routing details
netstat -nr - similar to route, with some more details.

tar zcvf /shared/tmp/logs_C1424418.tgz /var/log/*   -- to tar the logs so they can be sent to F5

Saturday, September 7, 2013

Transaction | changes via Transaction

Making changes directly from the command line, rather than inside a transaction, puts a high load on the CPU.
F5 recommends using a transaction, which places less load on the CPU.

[root@testbox:Active] config #tmsh

root@testbox(Active)(/Common)(tmos)#cli

root@testbox(Active)(/Common)(tmos.cli)# create transaction

[batch mode]root@testbox(Active)(/Common)(tmos.cli)#/gtm

[batch mode]root@testbox(Active)(/Common)(tmos.gtm)#
/////give commands///

(tmos.cli)# list transaction

(tmos.cli)# submit transaction

Tuesday, September 3, 2013

Egress Vlan

http://www.ibmsystemsmag.com/aix/tipstechniques/applicationdevelopment/Understanding-802-1q-VLANs/

====================================================================

VLANs (short for virtual LANs) are used to divide networks into smaller, more manageable chunks. This helps to reduce the size of the broadcast domain and helps with security through isolation. Essentially, there are two types of VLAN specifications for Ethernet:

- Port-based VLAN. A defined VLAN based on the port number of the switch. This is easy to configure but often limited to one single switch.

- 802.1q Tag VLAN. In 802.1q, the VLAN information is written into the Ethernet packet itself. Each packet carries a VLAN ID, called a tag. This allows VLANs to be configured across multiple switches. Note that it's possible for VLAN tags to be stripped by H/W and/or S/W.

When using 802.1q, four bytes are added to the Ethernet frame, of which 12 bits are used for the VLAN ID. Theoretically, there can be up to 4096 VLANs per network.

An Ethernet packet that contains a VLAN ID is called a tagged packet. Conversely, an Ethernet packet with no VLAN ID is called an untagged packet. Typically all packets leave untagged, unless tagged by the adapter prior to arriving at the switch port.

Egress and Ingress Rules

Egress rules determine which frames can be transmitted out of a port, based on the Egress List of the VLAN associated with it. Each VLAN has an Egress List that specifies the ports out of which frames can be forwarded, and specifies whether the frames will be transmitted as tagged or untagged frames.

Ingress rules are a means of filtering out undesired traffic on a port. When Ingress Filtering is enabled, a port determines if a frame can be processed based on whether the port is on the Egress List of the VLAN associated with the frame.

When an untagged packet arrives at the switch port, the switch writes a VLAN ID into the header of the frame according to the port's PVID (port VLAN ID). Typically, most switches today have all ports set to a default PVID of 1. When a tagged frame arrives at a switch port, the tag is respected.

A VID defines membership of a port group. A packet can only travel out of a member port when that port is part of the VID's port group.
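The tag layout described above (four extra bytes after the source MAC, of which 12 bits are the VLAN ID), decoded from a frame in a shell script. This is an added example, not from the original article; the two sample frames are constructed, with made-up MAC addresses and payload.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the 802.1Q tag out of an
# Ethernet frame given as a hex string: after the 6-byte destination and 6-byte
# source MAC, a tagged frame carries TPID 0x8100 and a 2-byte TCI whose low
# 12 bits are the VLAN ID (hence 4096 possible values), 3 high bits the PCP.
set -eu

# Constructed sample frames (MACs and payload are made up):
# tagged:   dst | src | 8100 | 6064 (PCP=3, DEI=0, VID=0x064=100) | 0800 | IPv4...
# untagged: dst | src | 0800 | IPv4...
TAGGED_FRAME="010203040506aabbccddeeff810060640800450000280001"
UNTAGGED_FRAME="010203040506aabbccddeeff0800450000280001"

# vlan_tag_of HEXFRAME -> one line describing the tag, or its absence.
vlan_tag_of() {
    frame=$1
    tpid=$(printf '%s' "$frame" | cut -c25-28)        # bytes 12-13
    if [ "$tpid" = "8100" ]; then
        tci_hex=$(printf '%s' "$frame" | cut -c29-32) # bytes 14-15
        etype=$(printf '%s' "$frame" | cut -c33-36)   # bytes 16-17
        tci=$((0x$tci_hex))
        printf 'tagged vid=%d pcp=%d dei=%d ethertype=0x%s\n' \
            $((tci & 0xFFF)) $((tci >> 13)) $(((tci >> 12) & 1)) "$etype"
    else
        # No tag: the two bytes after the MACs are already the EtherType, and
        # the switch will assign this frame its PVID on ingress.
        printf 'untagged ethertype=0x%s\n' "$tpid"
    fi
}

vlan_tag_of "$TAGGED_FRAME"     # tagged vid=100 pcp=3 dei=0 ethertype=0x0800
vlan_tag_of "$UNTAGGED_FRAME"   # untagged ethertype=0x0800
```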

Monday, September 2, 2013

Checking the sync group devices for GTM

1. You can dig your WideIP URL/alias from the GTM and find the NS servers.

Or, if it is external, you can use the Windows command prompt:
run nslookup
set type=ns
then enter your alias or WideIP name

2. Log in to the GTM via the GUI, go to System -> Device Certificates -> Trusted Device Certificates; all the GTMs listed there are in the sync group.

3. Try to grep it from the log:
less /var/log/gtm | grep -i sync

CPU | Memory | TMM

for version 9.X and 10.X

bigpipe global is the command to check how much memory is taken by TMM:

~ # bigpipe global | grep TMM
+-> TMM traffic --
    |     TMM cycles (total, idle, sleep) = (0, 0, 0)

It is possible that you see high CPU when checking with the top command, but the memory may be occupied by TMM and mostly idle, which is normal.

= = = = = = = = = =  = = = = = = = = = = = = = = = =  = = == = = = 

Sunday, September 1, 2013

GTM - virtual server for wideip having issue

1. Turn on debug logs using the following bigpipe commands:

b db GTM.DebugProbeLogging enable
b db GTM.QueryLogging enable
b db Log.Big3d.Level debug

2. Run the following tcpdump command:

tcpdump -ni  0.0 -s0 port 53 -w /var/tmp/capture_dns_query.dmp

3. While the tcpdump is running, query the WideIP from a device other than the GTM, making sure you use the listener address of the GTM. For example:

dig +short example.wideip.domain.com @<listener-ip>

Perform the query several times.

4. Press Control-C to stop the tcpdump.

5. Turn off debug logs using the following bigpipe commands:

b db GTM.DebugProbeLogging disable
b db GTM.QueryLogging disable
b db Log.Big3d.Level notice

6. Create a tar file of /var/log/gtm if you want to share it with someone:

tar czf /var/tmp/C1415078_gtm_logs.tgz /var/log/gtm

7. Now review two things:

one is the capture,
the second is the logs.