Lab 2.1: Intro to ASM Rest API using curl¶

Task 1 - Explore the API using curl¶

All scripts in this module are run from the cli (Terminal Emulator icon on the desktop).

Run the following command (don’t forget to use the correct password):

curl -sk -u admin:$password -X GET https://10.1.1.245/mgmt/tm/asm/policies/

The JSON output (#1) (truncated) should look something similar to:

{"kind":"tm:asm:policies:policycollectionstate","selfLink":"https://localhost/mgmt/tm/asm/policies?ver=13.1.0","totalItems":1,"items":[{"plainTextProfileReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/plain-text-profiles?ver=13.1.0","isSubCollection":true},"dataGuardReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/data-guard?ver=13.1.0"},"createdDatetime":"2018-05-21T04:30:17Z","databaseProtectionReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/database-protection?ver=13.1.0"},"csrfUrlReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/csrf-urls?ver=13.1.0","isSubCollection":true},"cookieSettingsReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/cookie-settings?ver=13.1.0"},"versionLastChange":" Security Policy /Common/ansible1 [add] { audit: policy = /Common/ansible1, username = admin, client IP = 10.1.1.51 }","name":"ansible1"

Not terribly easy to read, however before working on the output readability, the curl options deserve some explanation.

curl -k -u admin:password -X GET https://10.1.1.245/mgmt/tm/asm/policies/

-k: This option tells curl to not verify the server’s ssl certificate, since we are connected to a BIG-IP with an untrusted cert signed by its own CA.

curl -k -u admin:password -X GET https://10.1.1.245/mgmt/tm/asm/policies/

-u: Specifies the logon credentials. A “:” is used to separate the username and passsword. The user:pass are converted into a Base64 encoded authorization header. This can be seen by adding a -vto the curl command.

curl -k -u admin:password -X GET https://10.1.1.245/mgmt/tm/asm/policies/

-X: The HTTP method/verb, since data is being retrieved, GET is used

curl -k -u admin:password -X GET https://10.1.1.245/mgmt/tm/asm/policies/

Lastly the full url to the resource.

Now run:

curl -sk -u admin:password -X GET https://10.1.1.245/mgmt/tm/asm/policies  | sed 's/,/\'$'\n/g'

The JSON output (#2) (truncated) is now more readable

{"kind":"tm:asm:policies:policycollectionstate"
"selfLink":"https://localhost/mgmt/tm/asm/policies?ver=13.1.0"
"totalItems":1
"items":[{"plainTextProfileReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/plain-text-profiles?ver=13.1.0"
"isSubCollection":true}
"dataGuardReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/data-guard?ver=13.1.0"}
"createdDatetime":"2018-05-21T04:30:17Z"
"databaseProtectionReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/database-protection?ver=13.1.0"}
"csrfUrlReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/csrf-urls?ver=13.1.0"
"isSubCollection":true}
"cookieSettingsReference":{"link":"https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/cookie-settings?ver=13.1.0"}
"versionLastChange":" Security Policy /Common/ansible1 [add] { audit: policy = /Common/ansible1
username = admin
client IP = 10.1.1.51 }"
"name":"ansible1"

Lets decipher this JSON output (#2).

After the opening “{“, is the first key of collection “kind”. The value is “tm:asm:policies:policycollectionstate” which tells us we are looking the asm policies.

{"kind":"tm:asm:policies:policycollectionstate"}

Next is the key “selfLink” and its value of “https://localhost/mgmt/tm/asm/policies?ver=13.1.0”. This tells us how to get to the resource. Its usefulness may not be completely apprarent now, but will be in subsequent excercises. Also note that it is essentially the same url used in the curl command. The “?ver” is a parameter passed to the Rest API to request the use of API version 13.1.0. Ignore this for now.

{"selfLink":"https://localhost/mgmt/tm/asm/policies?ver=13.1.0"}

Next is the “totalItems” key which has value of 1, meaning there is one policy. Go to Security->Application Security->Security Policies in Web Gui to verify the value from your output of totalItems matches the number of asm security policies from the Web Gui.

Now onto the interesting stuff. The next key is “items” which is a nested collection of polciies, the actual ASM policies and their settings. Items contains multiple collections, that is why the value begins with a opening square bracket “[“. Remember if it is an array, it’s dynamic, you could have zero policies. The value of items contains the AWAF policy with links to its policy settings such as the link to the csrfUrlReference “https://localhost/mgmt/tm/asm/policies/u-6T62j_f0XMkjJ_s_Z-gg/csrf-urls?ver=13.1.0”

If you followed this url, of course substituting localhost for the mgmt ip of the BIGIP, you would get the setting for the csrf Url for that policy. That is the power of the link value, you can use it to get to other configuration items. Later in the class, we will go into how to get at this data programmatically. This also demonstrates that not all configuration data can be retrieved by a single query, depending on the need, you may have to make more than one HTTP request.

What about the crazy string “u-6T62j_f0XMkjJ_s_Z-gg” after /policies/ ? This is a randomly generated (as such your value will not be u-6T62j_f0XMkjJ_s_Z-gg, rather something similar) id for the ASM security policy. In other words you cannot simply access the ansible1 security policy by going to https://10.1.1.245/mgmt/tm/asm/polciies/ansible1, you have to search for the “name” key in the JSON output until it matches ansible1 to figure which generated id is ansible1.

Wouldn’t it be nice if we had something that could do the filtering for us?

We have covered a lot, time for questions and a discussion as these are all important topics.