Terminating APM Sessions on BIG-IP devices using a BIG-IQ

Overview

You can use the REST API implemented on BIG-IQ to kill or terminate sessions on one or more BIG-IP devices. There are three types of actions that can be used to kill sessions.

  • Kill all sessions.
  • Kill sessions by user.
  • Kill list of sessions.

Version Information

Version: BIG-IQ 6.0.0, 6.0.1

Prerequisites

The following prerequisites must be met to use the API to terminate sessions.

  • All BIG-IP devices are operational and have the services provisioned that will be managed by the BIG-IQ Centralized Management system.
  • The BIG-IQ Centralized Management system is operational, has completed the setup wizard, and completed any other needed configuration.
  • Trust has been established between the BIG-IP device and the BIG-IQ Centralized Management system. The APM service is discovered for the BIG-IP in BIG-IQ Centralized Management system.
  • The APM Configuration is imported, if the access group name needs to be used as input criteria.
  • Set up a Data Collection Device for your BIG-IQ cluster. Refer to the “Managing a Data Collection Device Cluster” section in the BIG-IQ “Planning and Implementing an F5 BIG-IQ Centralized Management Deployment” guide on www.support.f5.com and the “Add a Data Collection Device to your BIG-IQ Cluster” article on www.devcentral.f5.com.
  • To kill access sessions, users need the necessary RBAC permissions for the “Access_Manager” role.

Required Information

In addition to the prerequisites, provide the following to kill access sessions.

  • BIG-IP device references - BIG-IP device references on which access sessions are to be killed.
  • Cluster Names - Cluster names used in BIG-IQ for the BIG-IP devices on which the Access sessions to be killed reside.
  • Access Group Names - Access Group names under which the BIG-IP devices (on which the Access sessions to be killed reside) are managed.
  • User Name - User name of the user who has established the APM sessions.
  • Sessions - List of session IDs that need to be killed per BIG-IP device.

Actions

Using the BIG-IQ public API, users can complete the following actions to collect necessary information and kill sessions based on different kill session actions.

Retrieve information on managed BIG-IP devices and from the response:

  • Find the cluster name of a device.
  • Find the device reference of a device.
  • Find the Access group name of a device.

Retrieve list of sessions alive on the managed BIG-IP devices.

  • Kill sessions based on three types of actions.

Get information on managed BIG-IP devices

To find managed BIG-IP devices, users must use the “MachineId Resolver” API. This API lists all managed devices in the system.

GET: https://<BIG-IQ-address>/mgmt/cm/system/machineid-resolver

Response

{
   "items":[
      {
         "uuid":"98901455-6384-47cd-bc41-00a39dfe338f",
         "deviceUri":"https://10.192.123.69:443",
         "machineId":"98901455-6384-47cd-bc41-00a39dfe338f",
         "state":"ACTIVE",
         "address":"10.255.4.124",
         "httpsPort":443,
         "hostname":"bluebigipveha1.labf.com",
         "version":"12.1.0",
         "product":"BIG-IP",
         "edition":"Final",
         "build":"0.0.1354",
         "restFrameworkVersion":"12.1.0-0.0.1354",
         "managementAddress":"10.192.123.69",
         "mcpDeviceName":"/Common/bluebigipveha1",
         "trustDomainGuid":"5189f81c-96be-4449-b4110050560102e7",
         "properties":{
            "cm:gui:module":[
               "Access",
               "BigIPDevice",
               "adc"
            ],
            "modules":[
               "All Access managed BIG-IP devices"
            ],
            "cm-adccore-allbigipDevices":{
               "supportsBadgerEnhs":true,
               "supportsRest":true,
               "supportsAlpineEnhs":true,
               "lastDiscoveredDateTime":"2016-11-10T19:06:14.804Z",
               "imported":true,
               "clusterName":"BlueCluster",
               "restrictsPortTranslationStatelessVirtual":true,
               "requiresDhcpProfileInDhcpVirtualServer":true,
               "importStatus":"FINISHED",
               "discoveryStatus":"FINISHED",
               "importedDateTime":"2016-11-10T19:14:39.003Z",
               "lastUserDiscoveredDateTime":"2016-11-10T19:06:14.804Z",
               "modules":[
                  "All Access managed BIG-IP devices"
               ],
               "cm:gui:module":[
                  "Access",
                  "BigIPDevice",
                  "adc"
               ],
               "discovered":true,
               "supportsClassification":true
            },
            "cm-bigip-allBigIpDevices":{
               "shared:resolver:device-groups:discoverer":"d5d58cdd-f5b5-4379-9d12-08e28253a16f",
               "cm:gui:module":[
                  "BigIPDevice"
               ],
               "modules":[

               ]
            },
            "cm-bigip-allDevices":{
               "shared:resolver:device-groups:discoverer":"d5d58cdd-f5b5-4379-9d12-08e28253a16f",
               "cm:gui:module":[

               ],
               "modules":[

               ]
            },
            "cm-access-allBigIpDevices":{
               "discovered":true,
               "imported":true,
               "clusterName":"BlueCluster",
               "supportsRest":true,
               "supports_13_0_Enhs":false,
               "supportsCascadeEnhs":true,
               "lastDiscoveredDateTime":"2016-11-10T19:15:18.963Z",
               "lastUserDiscoveredDateTime":"2016-11-10T19:15:18.963Z",
               "cm:access:access-group-name":"TestGroup",
               "cm:access:source-device":true,
               "cm:access:access-group-device-link":"https://localhost/mgmt/shared/resolver/device-groups/CA/devices/98901455-6384-47cd-bc41-00a39dfe338f",
               "cm:access:import-version":"12.1.0",
               "cm:access:access-group-link":"https://localhost/mgmt/shared/resolver/device-groups/TestGroup",
               "importedDateTime":"2016-11-10T19:17:04.459Z",
               "discoveryStatus":"FINISHED",
               "importStatus":"FINISHED",
               "cm:gui:module":[
                  "Access"
               ],
               "modules":[
                  "All Access managed BIG-IP devices"
               ]
            },
            "cm-bigip-cluster_BlueCluster":{
               "clusterName":"BlueCluster",
               "shared:resolver:device-groups:discoverer":"da4a4ca7-19f9-4a31-a1c2-004d5557ff10",
               "cm:gui:module":[

               ],
               "modules":[

               ]
            },
            "cm-access-allDevices":{
               "clusterName":"BlueCluster",
               "cm:gui:module":[
                  "Access"
               ],
               "modules":[
                  "All Access managed BIG-IP devices"
               ]
            },
            "TestGroup":{
               "discovered":true,
               "imported":false,
               "supportsRest":true,
               "supports_13_0_Enhs":false,
               "supportsCascadeEnhs":true,
               "discoveryStatus":"FINISHED",
               "lastDiscoveredDateTime":"2016-10-26T04:15:56.356Z",
               "lastUserDiscoveredDateTime":"2016-10-26T04:15:56.356Z",
               "cm:access:all-bigip-device-link":"https://localhost/mgmt/shared/resolver/device-groups/cm-access-allBigIpDevices/devices/98901455-6384-47cd-bc41-00a39dfe338f",
               "cm:access:import-version":"12.1.0",
               "cm:access:source-device":true,
               "cm:gui:module":[
                  "Access"
               ],
               "modules":[
                  "All Access managed BIG-IP devices"
               ]
            },
            "cm-adccore-allDevices":{
               "cm:gui:module":[

               ],
               "modules":[

               ]
            }
         },
         "isClustered":false,
         "isVirtual":true,
         "isLicenseExpired":false,
         "slots":[
            {
               "volume":"HD1.1",
               "product":"BIG-IP",
               "version":"12.1.0",
               "build":"0.0.1354",
               "isActive":true
            },
            {
               "volume":"HD1.3",
               "product":"BIG-IP",
               "version":"12.0.0",
               "build":"0.0.606",
               "isActive":false
            }
         ],
         "generation":67,
         "lastUpdateMicros":1479332833705505,
         "kind":"shared:resolver:device-groups:restdeviceresolverdevicestate",
         "selfLink":"https://localhost/mgmt/cm/system/machineid-resolver/98901455-6384-47cd-bc41-00a39dfe338f"
      }
   ],
   "generation":0,
   "lastUpdateMicros":0,
   "selfLink":"http://localhost:8100/cm/system/machineid-resolver/?$filter=%27address%27+eq+%2710.192.123.198%27"
}

Find Cluster Name of a device that is part of Cluster from GET “MachineId Resolver” API response

{
   "properties":{
      "cm-access-allBigIpDevices":{
         "clusterName":"BlueCluster"
      }
   }
}

Find device reference of a device from GET “MachineId Resolver” API response

{
"selfLink":"http://localhost:8100/cm/system/machineid-resolver/?$filter=%27address%27+eq+%2710.192.123.198%27"
}

Find Access Group Name of the device from GET “MachineId Resolver” API response

{
   "properties":{
      "cm-access-allBigIpDevices":{
         "cm:access:access-group-name":"TestGroup"
      }
   }
}

Kill All Sessions

To kill all sessions, set “action” to “KILL_ALL_SESSIONS” and include at least one of the “accessGroupNames”, “clusterNames”, or “deviceReferences” filters. The filter values can be obtained from “Get information on managed BIG-IP devices”.

POST: https://<BIG-IQ-address>/mgmt/cm/access/tasks/kill-sessions

Body of POST data for the Kill Sessions worker.

{
   "action":"KILL_ALL_SESSIONS",
   "accessGroupNames":[
      "TestGroup1"
   ],
   "clusterNames":"['ca-cluster']",
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      }
   ]
}

Response

{
   "action":" KILL_ALL_SESSIONS",
   "currentStep":"RESOLVE_DEVICES",
   "accessGroupNames":[
      "TestGroup1"
   ],
   "clusterNames":"['ca-cluster']",
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      }
   ],
   "generation":4,
   "id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
   "lastUpdateMicros":1479242595185322,
   "name":"kill-access-sessions",
   "ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "startDateTime":"2016-11-15T12:42:31.294-0800",
   "status":"FINISHED",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Kill Sessions by User

To kill sessions by user, set “action” to “KILL_BY_USER” and include at least one of the “accessGroupNames”, “clusterNames”, or “deviceReferences” filters. The filter values can be obtained from “Get information on managed BIG-IP devices”.

POST: https://<BIG-IQ-address>/mgmt/cm/access/tasks/kill-sessions

Body of POST data for the Kill Sessions worker.

{
   "action":"KILL_BY_USER",
   "userName":"user2",
   "accessGroupNames":[
      "TestGroup1"
   ],
   "clusterNames":"['ca-cluster']",
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      }
   ]
}

Response

{
   "action":"KILL_BY_USER",
   "currentStep":"RESOLVE_DEVICES",
   "accessGroupNames":[
      "TestGroup1"
   ],
   "clusterNames":"['ca-cluster']",
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      }
   ],
   "generation":4,
   "id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
   "lastUpdateMicros":1479242595185322,
   "name":"kill-access-sessions",
   "ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "startDateTime":"2016-11-15T12:42:31.294-0800",
   "status":"FINISHED",
   "userName":"user2",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Monitor the task “Kill Access sessions” to complete

Monitor the task using GET requests until the status reaches a value of FINISHED, FAILED or CANCELLED. When the status value is FINISHED and the result value is COMPLETE, the kill-sessions task is complete.

GET: https://<BIG-IQ-address>/mgmt/cm/access/tasks/kill-sessions/<task-id>

Response

{
   "action":" KILL_BY_LIST_OF_SESSIONS ",
   "currentStep":"RESOLVE_DEVICES",
   "sessions":[
      {
         "sessionIds":[
            "2a5d7604",
            "875f7fed"
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
         }
      }
   ],
   "accessGroupNames":[
      "TestGroup1"
   ],
   "clusterNames":"['ca-cluster']",
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      }
   ],
   "generation":4,
   "id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
   "lastUpdateMicros":1479242595185322,
   "name":"kill-access-sessions",
   "ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "startDateTime":"2016-11-15T12:42:31.294-0800",
   "status":"STARTED",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

GET: https://<BIG-IQ-address>/mgmt/cm/access/tasks/kill-sessions/<task-id>

Response

{
   "action":" KILL_BY_LIST_OF_SESSIONS ",
   "currentStep":"RESOLVE_DEVICES",
   "sessions":[
      {
         "sessionIds":[
            "2a5d7604",
            "875f7fed"
         ],
         "deviceReference":{
            "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
         }
      }
   ],
   "accessGroupNames":[
      "TestGroup1"
   ],
   "clusterNames":"['ca-cluster']",
   "deviceReferences":[
      {
         "link":"https://localhost/mgmt/cm/system/machineid-resolver/901695c8-f405-489f-9996-54f7b21da642"
      }
   ],
   "generation":4,
   "id":"1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "identityReferences":[
      {
         "link":"https://localhost/mgmt/shared/authz/users/admin"
      }
   ],
   "kind":"cm:access:tasks:kill-sessions:accesskillsessionstaskitemstate",
   "lastUpdateMicros":1479242595185322,
   "name":"kill-access-sessions",
   "ownerMachineId":"adf1e56b-bf8c-472a-9b2d-e2dd7199ffbd",
   "selfLink":"https://localhost/mgmt/cm/access/tasks/kill-sessions/1834e57c-94a2-42eb-860a-1d5cf67ba9bf",
   "startDateTime":"2016-11-15T12:42:31.294-0800",
   "status":"FINISHED",
   "result": "COMPLETE",
   "userReference":{
      "link":"https://localhost/mgmt/shared/authz/users/admin"
   },
   "username":"admin"
}

Result

By using the BIG-IQ public API to perform the above tasks, users can write a script to complete the workflow to terminate APM Sessions on BIG-IP devices.
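
The workflow above as a script skeleton, added here as an example and not taken from F5's code: it pulls the cluster name, access group name and device reference out of a “MachineId Resolver” response, builds a kill-sessions body that is rejected unless it carries at least one correctly spelled filter, and classifies a task GET for a polling loop. The function names are hypothetical, the HTTP calls are left out, and using each device's own selfLink as its device reference is an assumption based on the link format in the request bodies.

```python
import json

FILTERS = ("accessGroupNames", "clusterNames", "deviceReferences")
ACTIONS = ("KILL_ALL_SESSIONS", "KILL_BY_USER")  # the two request bodies the page documents

def device_facts(resolver_response):
    """Map hostname -> cluster name, access group name and device reference."""
    facts = {}
    for item in resolver_response.get("items", []):
        access = item.get("properties", {}).get("cm-access-allBigIpDevices", {})
        facts[item["hostname"]] = {
            "clusterName": access.get("clusterName"),
            "accessGroupName": access.get("cm:access:access-group-name"),
            "deviceReference": {"link": item["selfLink"]},  # assumed: per-device selfLink
        }
    return facts

def build_kill_body(action, user_name=None, **filters):
    """Build the POST body, refusing unscoped or misspelled requests."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    if set(filters) - set(FILTERS):
        raise ValueError(f"unknown filter(s): {sorted(set(filters) - set(FILTERS))}")
    scoped = {name: value for name, value in filters.items() if value}
    if not scoped:
        raise ValueError("at least one filter is required: " + ", ".join(FILTERS))
    if (action == "KILL_BY_USER") != bool(user_name):
        raise ValueError("userName goes with KILL_BY_USER, and only with it")
    body = {"action": action, **scoped}
    if user_name:
        body["userName"] = user_name
    return body

def task_outcome(task):
    """Classify one GET of the task resource for a polling loop."""
    status, result = task.get("status"), task.get("result")
    if status == "FINISHED":
        return "complete" if result == "COMPLETE" else "unconfirmed"
    return "failed" if status in ("FAILED", "CANCELLED") else "pending"

# Constructed sample, trimmed from the resolver response shown on this page.
SAMPLE = {"items": [{"hostname": "bluebigipveha1.labf.com",
    "selfLink": "https://localhost/mgmt/cm/system/machineid-resolver/98901455-6384-47cd-bc41-00a39dfe338f",
    "properties": {"cm-access-allBigIpDevices": {
        "clusterName": "BlueCluster", "cm:access:access-group-name": "TestGroup"}}}]}

if __name__ == "__main__":
    ref = device_facts(SAMPLE)["bluebigipveha1.labf.com"]["deviceReference"]
    print(json.dumps(build_kill_body("KILL_BY_USER", "user2", deviceReferences=[ref])))
    print(task_outcome({"status": "FINISHED", "result": "COMPLETE"}))
```

A polling loop would keep issuing the task GET while task_outcome returns "pending" and treat "unconfirmed" (FINISHED without a COMPLETE result) as something to investigate rather than as success.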