Terminating APM Sessions on BIG-IP devices using a BIG-IQ¶
Overview¶
You can use the REST API implemented on BIG-IQ to kill or terminate sessions on one or more BIG-IP devices. There are three types of actions that can be used to kill sessions.
- Kill all sessions.
- Kill sessions by user.
- Kill list of sessions.
Version Information¶
Version: BIG-IQ 6.0.0, 6.0.1
Prerequisites¶
The following prerequisites must be met to use the API to terminate sessions.
- All BIG-IP devices are operational and have the services provisioned that will be managed by the BIG-IQ Centralized Management system.
- The BIG-IQ Centralized Management system is operational, has completed the setup wizard, and completed any other needed configuration.
- Trust has been established between the BIG-IP device and the BIG-IQ Centralized Management system. The APM service is discovered for the BIG-IP in BIG-IQ Centralized Management system.
- The APM Configuration is imported, if the access group name needs to be used as input criteria.
- Set up a Data Collection Device to your BIG-IQ Cluster. Please refer to the article “Managing a Data Collection Device Cluster section in the BIG-IQ Planning and Implementing an F5 BIG-IQ Centralized Management Deployment” guide on www.support.f5.com and “Add a Data Collection Device to your BIG-IQ Cluster” article on www.devcentral.f5.com.
- To kill access sessions, users need the necessary RBAC permissions for the “Access_Manager” role.
Required Information¶
In addition to the prerequisites, provide the following to kill access sessions.
- BIG-IP device references - BIG-IP device references on which access sessions are to be killed.
- Cluster Names – Cluster names used in BIG-IQ for the BIG-IP devices in which the Access sessions to be killed reside.
- Access Group Names - Access Group names under which the BIG-IP devices (in which the Access sessions to be killed resides) are managed.
- User Name - User name of the user who has established the APM sessions.
- Sessions - List of session ids that needs to be killed per BIG-IPdevice.
Actions¶
Using the BIG-IQ public API, users can complete the following actions to collect necessary information and kill sessions based on different kill session actions.
Retrieve information on managed BIG-IP devices and from the response:
- Find the cluster name of a device.
- Find the device reference of a device.
- Find the Access group name of a device
Retrieve list of sessions alive on the managed BIG-IP devices.
- Kill sessions based on three types of actions.
Get information on managed BIG-IP devices¶
To find managed BIG-IP devices, users must use the “MachineId Resolver” API. This API lists all managed device in the system.
GET: https:///mgmt/cm/system/machineid-resolver
Response¶
{
"items":[
{
"uuid":"98901455-6384-47cd-bc41-00a39dfe338f",
"deviceUri":"https://10.192.123.69:443",
"machineId":"98901455-6384-47cd-bc41-00a39dfe338f",
"state":"ACTIVE",
"address":"10.255.4.124",
"httpsPort":443,
"hostname":"bluebigipveha1.labf.com",
"version":"12.1.0",
"product":"BIG-IP",
"edition":"Final",
"build":"0.0.1354",
"restFrameworkVersion":"12.1.0-0.0.1354",
"managementAddress":"10.192.123.69",
"mcpDeviceName":"/Common/bluebigipveha1",
"trustDomainGuid":"5189f81c-96be-4449-b4110050560102e7",
"properties":{
"cm:gui:module":[
"Access",
"BigIPDevice",
"adc"
],
"modules":[
"All Access managed BIG-IP devices"
],
"cm-adccore-allbigipDevices":{
"supportsBadgerEnhs":true,
"supportsRest":true,
"supportsAlpineEnhs":true,
"lastDiscoveredDateTime":"2016-11-10T19:06:14.804Z",
"imported":true,
"clusterName":"BlueCluster",
"restrictsPortTranslationStatelessVirtual":true,
"requiresDhcpProfileInDhcpVirtualServer":true,
"importStatus":"FINISHED",
"discoveryStatus":"FINISHED",
"importedDateTime":"2016-11-10T19:14:39.003Z",
"lastUserDiscoveredDateTime":"2016-11-10T19:06:14.804Z",
"modules":[
"All Access managed BIG-IP devices"
],
"cm:gui:module":[
"Access",
"BigIPDevice",
"adc"
],
"discovered":true,
"supportsClassification":true
},
"cm-bigip-allBigIpDevices":{
"shared:resolver:device-groups:discoverer":"d5d58cdd-f5b5-4379-9d12-08e28253a16f",
"cm:gui:module":[
"BigIPDevice"
],
"modules":[
]
},
"cm-bigip-allDevices":{
"shared:resolver:device-groups:discoverer":"d5d58cdd-f5b5-4379-9d12-08e28253a16f",
"cm:gui:module":[
],
"modules":[
]
},
"cm-access-allBigIpDevices":{
"discovered":true,
"imported":true,
"clusterName":"BlueCluster",
"supportsRest":true,
"supports_13_0_Enhs":false,
"supportsCascadeEnhs":true,
"lastDiscoveredDateTime":"2016-11-10T19:15:18.963Z",
"lastUserDiscoveredDateTime":"2016-11-10T19:15:18.963Z",
"cm:access:access-group-name":"TestGroup",
"cm:access:source-device":true,
"cm:access:access-group-device-link":"https://localhost/mgmt/shared/resolver/device-groups/CA/devices/98901455-6384-47cd-bc41-00a39dfe338f",
"cm:access:import-version":"12.1.0",
"cm:access:access-group-link":"https://localhost/mgmt/shared/resolver/device-groups/TestGroup",
"importedDateTime":"2016-11-10T19:17:04.459Z",
"discoveryStatus":"FINISHED",
"importStatus":"FINISHED",
"cm:gui:module":[
"Access"
],
"modules":[
"All Access managed BIG-IP devices"
]
},
"cm-bigip-cluster_BlueCluster":{
"clusterName":"BlueCluster",
"shared:resolver:device-groups:discoverer":"da4a4ca7-19f9-4a31-a1c2-004d5557ff10",
"cm:gui:module":[
],
"modules":[
]
},
"cm-access-allDevices":{
"clusterName":"BlueCluster",
"cm:gui:module":[
"Access"
],
"modules":[
"All Access managed BIG-IP devices"
]
},
"TestGroup":{
"discovered":true,
"imported":false,
"supportsRest":true,
"supports_13_0_Enhs":false,
"supportsCascadeEnhs":true,
"discoveryStatus":"FINISHED",
"lastDiscoveredDateTime":"2016-10-26T04:15:56.356Z",
"lastUserDiscoveredDateTime":"2016-10-26T04:15:56.356Z",
"cm:access:all-bigip-device-link":"https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/98901455-6384-47cd-bc41-00a39dfe338f",
"cm:access:import-version":"12.1.0",
"cm:access:source-device":true,
"cm:gui:module":[
"Access"
],
"modules":[
"All Access managed BIG-IP devices"
]
},
"cm-adccore-allDevices":{
"cm:gui:module":[
],
"modules":[
]
}
},
"isClustered":false,
"isVirtual":true,
"isLicenseExpired":false,
"slots":[
{
"volume":"HD1.1",
"product":"BIG-IP",
"version":"12.1.0",
"build":"0.0.1354",
"isActive":true
},
{
"volume":"HD1.3",
"product":"BIG-IP",
"version":"12.0.0",
"build":"0.0.606",
"isActive":false
}
],
"generation":67,
"lastUpdateMicros":1479332833705505,
"kind":"shared:resolver:device-groups:restdeviceresolverdevicestate",
"selfLink":"https://localhost/mgmt/cm/system/machineid-resolver/98901455-6384-47cd-bc41-00a39dfe338f"
}
],
"generation":0,
"lastUpdateMicros":0,
"selfLink":"http://localhost:8100/cm/system/machineid-resolver/?$filter=%27address%27+eq+%2710.192.123.198%27"
}
Find Cluster Name of a device that is part of Cluster from GET “MachineId Resolver” API response¶
{
"properties":{
"cm-access-allBigIpDevices":{
"clusterName":"BlueCluster"
}
}
}
Find device reference of a device from GET “MachineId Resolver” API response¶
{
"selfLink":"http://localhost:8100/cm/system/machineid-resolver/?$filter=%27address%27+eq+%2710.192.123.198%27"
}
Find Access Group Name of the device from GET “MachineId Resolver” API response¶
{
"properties":{
"cm-access-allBigIpDevices":{
"cm:access:access-group-name":"TestGroup"
}
}
}
Kill All Sessions¶
To kill all sessions, “action” must be set to “KILL_ALL_SESSIONS” and must have at least one of the “accessGroupNames”, “clusterNames”, or “deviceRefernces” filters. They can be obtained from “Get information on managed BIG-IP devices”.
POST: https:///mgmt/cm/access/tasks/kill-sessions
Body of POST data for the Kill Sessions worker.
{
"action":"KILL_ALL_SESSIONS",
"accessGroupNames":[
"TestGroup1"
],
"clusterNames":"['ca-cluster']",
"deviceReferences":[
{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
]
}
Response¶
{
"action":" KILL_ALL_SESSIONS",
"currentStep":"RESOLVE_DEVICES",
"accessGroupNames":[
"TestGroup1"
],
"clusterNames":"['ca-cluster']",
"deviceReferences":[
{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
],
"generation":4,
"id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"identityReferences":[
{
"link":"https://localhost/mgmt/shared/authz/users/admin"
}
],
"kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
"lastUpdateMicros":1479242595185322,
"name":"kill-access-sessions",
"ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
"selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"startDateTime":"2016-11-15T12:42:31.294-0800",
"status":"FINISHED",
"userReference":{
"link":"https://localhost/mgmt/shared/authz/users/admin"
},
"username":"admin"
}
Kill Sessions by User¶
To kill sessions by user, “action” must be set to “KILL_BY_USER” and must have at least one of the “accessGroupNames”, “clusterNames”, or “deviceRefernces” filters. They can be obtained from “Get information on managed BIG-IP devices”.
POST: https:///mgmt/cm/access/tasks/kill-sessions
Body of POST data for the Kill Sessions worker.
{
"action":"KILL_BY_USER",
"userName":"user2",
"accessGroupNames":[
"TestGroup1"
],
"clusterNames":"['ca-cluster']",
"deviceReferences":[
{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
]
}
Response¶
{
"action":"KILL_BY_USER",
"currentStep":"RESOLVE_DEVICES",
"accessGroupNames":[
"TestGroup1"
],
"clusterNames":"['ca-cluster']",
"deviceReferences":[
{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
],
"generation":4,
"id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"identityReferences":[
{
"link":"https://localhost/mgmt/shared/authz/users/admin"
}
],
"kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
"lastUpdateMicros":1479242595185322,
"name":"kill-access-sessions",
"ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
"selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"startDateTime":"2016-11-15T12:42:31.294-0800",
"status":"FINISHED",
"userName":"user2",
"userReference":{
"link":"https://localhost/mgmt/shared/authz/users/admin"
},
"username":"admin"
}
Monitor the task “Kill Access sessions” to complete¶
Monitor the task using GET methods until the status has reached a value of FINISHED, FAILED or CANCELLED. When the GET method status value is FINISHED and the result value is COMPLETE, the kill sessions is completed.
GET: https:///mgmt/cm/access/tasks/kill-sessions/
Response¶
{
"action":" KILL_BY_LIST_OF_SESSIONS ",
"currentStep":"RESOLVE_DEVICES", "sessions":[
{
"sessionIds":[
"2a5d7604",
"875f7fed"
],
"deviceReference":{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
}
],
"accessGroupNames":[
"TestGroup1"
],
"clusterNames":"['ca-cluster']",
"deviceReferences":[
{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
],
"generation":4,
"id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"identityReferences":[
{
"link":"https://localhost/mgmt/shared/authz/users/admin"
}
],
"kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
"lastUpdateMicros":1479242595185322,
"name":"kill-access-sessions",
"ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
"selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"startDateTime":"2016-11-15T12:42:31.294-0800",
"status":"STARTED",
"userReference":{
"link":"https://localhost/mgmt/shared/authz/users/admin"
},
"username":"admin"
}
GET: https:///mgmt/cm/access/tasks/kill-sessions/
Response¶
{
"action":" KILL_BY_LIST_OF_SESSIONS ",
"currentStep":"RESOLVE_DEVICES", "sessions":[
{
"sessionIds":[
"2a5d7604",
"875f7fed"
],
"deviceReference":{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
}
],
"accessGroupNames":[
"TestGroup1"
],
"clusterNames":"['ca-cluster']",
"deviceReferences":[
{
"link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
}
],
"generation":4,
"id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"identityReferences":[
{
"link":"https://localhost/mgmt/shared/authz/users/admin"
}
],
"kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
"lastUpdateMicros":1479242595185322,
"name":"kill-access-sessions",
"ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
"selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
"startDateTime":"2016-11-15T12:42:31.294-0800",
"status":"FINISHED",
"result": "COMPLETE",
"userReference":{
"link":"https://localhost/mgmt/shared/authz/users/admin"
},
"username":"admin"
}
Result¶
By using the BIG-IQ public API to perform the above tasks, users can write a script to complete the workflow to terminate APM Sessions on BIG-IP devices.