How to: Create a Service Chain
To create a service chain using the BIG-IP Next Central Manager user interface:
1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.
2. Click Service Chains from the left navigation panel.
3. Click Start Creating.
4. Add a name and description for the Service Chain.
5. Click Start Adding to add existing inspection services to the service chain.
6. Select the services you want to add to the service chain, and then click Add to List.
7. Select Create if you want to create new inspection services and add them to the service chain.
8. Select Save. The Service Chain is created.

For next steps on adding a service chain to a policy, refer to the How to: Create Security Policies section.

To create a service chain using the BIG-IP Next Central Manager API:
Before you create a service chain, you must create the services that you want to include in the service chain. Refer to the Overview: Inspection Services section for details on configuring a service.
To configure a static service chain with multiple security services, create an application with an array of configured services in the inspection_services property.
To configure a static service chain, send a POST request to the /api/v1/spaces/default/security/service-chains endpoint, as in the examples that follow.
In the following example:
inspection_services - Specifies the list of configured services through which SSL Orchestrator steers traffic.
Basic

    POST /api/v1/spaces/default/security/service-chains
    {
        "name": "my-api-service-chain",
        "inspection_services": [
            "inspection-service-id",
            "inspection-service-id"
        ]
    }

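Curl

    # ${CM} is the Central Manager address; ${token} is the bearer token
    # returned by POST /api/login.
    CHAIN=$(cat <<EOF
    {
        "name": "my-api-service-chain",
        "inspection_services": [
            "inspection-service-id",
            "inspection-service-id"
        ]
    }
    EOF
    )
    # -d sends the body as a POST. -k skips TLS certificate verification; drop it
    # once the Central Manager certificate is trusted by this host.
    # chain_id receives the raw response body of the create call.
    chain_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/service-chains" -d "${CHAIN}")
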
Ansible Reference
Execute with:
export CMPASS='mypassword'
ansible-playbook -i notahost, sslo-servicechain.yaml
---
# validate_certs is false throughout, so the Central Manager certificate is not
# verified; set it to true once the certificate is trusted by the control node.
- hosts: all
  connection: local
  vars:
    bigip_next_cm_mgmt_ip: "10.1.1.6"
    bigip_next_cm_password: "{{ lookup('ansible.builtin.env', 'CMPASS') }}"
  tasks:
    - name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: GET
        status_code: 405
        validate_certs: false
      until: json_response.status == 405
      retries: 50
      delay: 30
      register: json_response
    - name: Authenticate to BIG-IP Next CM API
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: POST
        headers:
          Content-Type: application/json
        body: |
          {
            "username": "admin",
            "password": "{{ bigip_next_cm_password }}"
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: bigip_next_cm_token
      retries: 30
      delay: 30
    - name: Set the BIG-IP Next CM token
      set_fact:
        bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"
    # This task prints the bearer token to the play output; remove it outside a lab.
    - debug:
        var: bigip_next_cm_token
    - name: Get Inspection Services (filter by name "my-sslo-inlinel2")
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services?filter=name+eq+%27my-sslo-inlinel2%27&select=name,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response
      retries: 30
      delay: 30
    # "| list" turns the map() result into a concrete list of IDs.
    - name: Set inspection service IDs
      set_fact:
        insp_ids: "{{ json_response.json._embedded.inspection_services | map(attribute='id') | list }}"
    - name: Create Service Chain (add filtered inspection services)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/service-chains
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        # to_json renders the ID list as a JSON array inside the request body.
        body: |
          {
            "name": "my-sslo-service-chain",
            "inspection_services": {{ insp_ids | to_json }}
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response
      retries: 30
      delay: 30
    - debug:
        var: json_response
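
The playbook above posts whatever the name filter returns as inspection_services, including an empty list or several matches. The following is an added example, not F5 code: it builds the same request body from a listing response and refuses to continue unless every requested name resolves to exactly one ID. The function name, the second service name and all IDs are constructed for illustration; the `_embedded.inspection_services` shape is taken from the playbook.

```python
import json

# Constructed sample of a GET .../security/inspection-services?select=name,id
# response, shaped like the `_embedded.inspection_services` list the playbook reads.
SAMPLE_LISTING = json.loads("""
{"_embedded": {"inspection_services": [
  {"name": "my-sslo-inlinel2", "id": "11111111-aaaa-4bbb-8ccc-000000000001"},
  {"name": "my-sslo-icap",     "id": "11111111-aaaa-4bbb-8ccc-000000000002"},
  {"name": "dup-name",         "id": "11111111-aaaa-4bbb-8ccc-000000000003"},
  {"name": "dup-name",         "id": "11111111-aaaa-4bbb-8ccc-000000000004"}
]}}
""")


def build_service_chain(chain_name, wanted_names, listing):
    """Return the service-chain request body, or raise ValueError.

    A requested service that is missing or ambiguous aborts the build, so a
    typo or an empty filter result cannot yield a chain that skips a service.
    """
    if not chain_name or not wanted_names:
        raise ValueError("chain name and at least one service name are required")
    services = listing.get("_embedded", {}).get("inspection_services", [])
    ids_by_name = {}
    for svc in services:
        ids_by_name.setdefault(svc["name"], []).append(svc["id"])
    ids = []
    for name in wanted_names:  # keep the caller's order
        matches = ids_by_name.get(name, [])
        if len(matches) != 1:
            raise ValueError(
                f"{name!r}: expected 1 inspection service, found {len(matches)}")
        ids.append(matches[0])
    return {"name": chain_name, "inspection_services": ids}


if __name__ == "__main__":
    body = build_service_chain("my-api-service-chain",
                               ["my-sslo-inlinel2", "my-sslo-icap"], SAMPLE_LISTING)
    print(json.dumps(body, indent=2))
```

The returned dictionary is the body for the POST to /api/v1/spaces/default/security/service-chains shown earlier.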