AS3 Declare

Overview

Use this API to post an Application Services 3 Extension (AS3) declaration, with an AS3 template defined on BIG-IQ, to a BIG-IP from BIG-IQ. With BIG-IQ, declarations use an AS3 template which is defined in BIG-IQ. For an example of an AS3 declaration that uses an AS3 template, see the AS3 documentation: Using declarations with AS3 templates. You can use AS3 on BIG-IQ in largely the same way as on BIG-IP, as described in the AS3 documentation: Using AS3 with BIG-IQ. You can use the AS3 Template API to define your AS3 templates on BIG-IQ.

Note that an AS3 application created using the AS3 Declare API appears under Unknown Applications in BIG-IQ. You can move it using the UI or the AS3 Move/Merge API.

REST Endpoint: /mgmt/shared/appsvcs/declare

Requests

POST /mgmt/shared/appsvcs/declare

To post an AS3 declaration, send a POST request to the declare endpoint.

Request Parameters

A POST request includes the following parameters.

Name Type Required Description
schemaOverlay string True This is the name BIG-IQ uses for a supplemental validation schema that is applied to the Application class definition before the main AS3 schema. The subfields of schemaOverlay depend upon the particular application. The AS3 application declarations are validated using the contents of this field, and the contents must be valid JSON Schema draft 7.

Query Parameters

None

Response

HTTP/1.1 200 OK

Name Type Description
schemaOverlay string This is the name BIG-IQ uses for a supplemental validation schema that is applied to the Application class definition before the main AS3 schema. The subfields of schemaOverlay depend upon the particular application. The AS3 application declarations are validated using the contents of this field, and the contents must be valid JSON Schema draft 7.

Permissions

Role Allow
Application_Creator Yes
Application_Manager Yes

Examples

POST an AS3 declaration for a virtual service referencing an external security policy

To post an AS3 declaration for a virtual service referencing an external security policy, send a POST request to the declare endpoint on the BIG-IQ with the declaration in the body. For more information about AS3 declarations used to secure your BIG-IP, refer to Application Security in the AS3 documentation.

On the BIG-IQ, your POST can look similar to the following example.

POST https://192.0.2.242/mgmt/shared/appsvcs/declare

The JSON in the body of the POST can look similar to the following. This example declaration creates an HTTP service and attaches a Web Application Firewall (WAF) security policy hosted in an external location. Note that the URL in the following example does not resolve; you need to use a valid URL where you have uploaded the ASM policy you exported from a BIG-IP system.

{
    "class": "ADC",
    "schemaVersion": "3.2.0",
    "id": "5489432",
    "label": "ASM_policy_external_URL",
    "remark": "ASM_policy_external_URL",
    "Sample_app_sec_02": {
            "class": "Tenant",
            "HTTP_Service": {
                    "class": "Application",
                    "template": "http",
                    "serviceMain": {
                            "class": "Service_HTTP",
                            "virtualAddresses": [
                                    "192.0.10.107"
                            ],
                            "snat": "auto",
                            "pool": "Pool1",
                            "policyWAF": {
                                    "use": "My_ASM_Policy"
                            }
                    },
                    "Pool1": {
                            "class": "Pool",
                            "monitors": [
                                    "http"
                            ],
                            "members": [{
                                            "servicePort": 8001,
                                            "serverAddresses": [
                                                    "10.10.10.143"
                                            ]
                                    },
                                    {
                                            "servicePort": 8002,
                                            "serverAddresses": [
                                                    "10.10.10.144"
                                            ]
                                    }
                            ]
                    },
                    "My_ASM_Policy": {
                            "class": "WAF_Policy",
                            "url": "https://example.com/asm-policy.xml",
                            "ignoreChanges": true
                    }
            }
    }
}

Note that if the external resource URL uses a self-signed certificate, you can receive an error message similar to the following example, which indicates that you need to add the certificate to the certificate store on the BIG-IQ.

Failed to execute step GET_PROTECTION_MODE: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target:

If you receive this error message, perform the following manual steps to add the self-signed certificate to the certificate store on the BIG-IQ.

First, get the certificate chain. If using OpenSSL, the command can look similar to the following.

echo "" | openssl s_client -host example.com -port 443 -showcerts | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' > ~/example.com.pem

Second, add the certificate to the Java keystore on the BIG-IQ. If using the Java keytool, the command can look similar to this example.

/usr/lib/jvm/jre-1.8.0-openjdk.x86_64/bin/keytool -import -trustcacerts -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el6_10.x86_64/jre/lib/security/cacerts -alias example.com -file ~/example.com.pem

Third, you must restart restjavad on the BIG-IQ before sending the POST request to /mgmt/shared/appsvcs/declare to post the AS3 declaration. You can use the following command to restart restjavad.

bigstart restart restjavad
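
The steps above add a certificate that was fetched over the network to the Java cacerts keystore on the BIG-IQ, so it is worth confirming that it is the expected certificate before the keytool step. The following is an added example, not part of the F5 documentation: it compares the SHA-256 fingerprint of the first certificate in the saved PEM file with a fingerprint obtained out of band from the operator of the policy host. The script name, the function names and the expected fingerprint are assumptions.

```shell
#!/bin/sh
# Added example (not from the F5 documentation): check a saved certificate
# against a SHA-256 fingerprint obtained out of band before importing it.
# The expected fingerprint is an assumption supplied by the caller.

# Drop the "... Fingerprint=" label, colons and whitespace; lowercase the hex.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

# Succeed only if both values normalize to the same 64-hex-digit string.
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# verify_pem FILE EXPECTED_FP
# Returns 0 on match, 1 on mismatch, 2 if the file cannot be parsed.
verify_pem() {
    actual=$(pem_fingerprint "$1") || return 2
    fp_matches "$actual" "$2"
}

# Usage: sh verify_cert.sh ~/example.com.pem "<expected SHA-256 fingerprint>"
if [ "$#" -eq 2 ]; then
    if verify_pem "$1" "$2"; then
        echo "fingerprint matches; proceed with keytool -import"
    else
        echo "fingerprint mismatch or unreadable certificate; do not import" >&2
        exit 1
    fi
fi
```
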

Declare an AS3 template defined in BIG-IQ

For an example of an AS3 template (the schemaOverlay) which is defined in BIG-IQ, see Using declarations with AS3 templates in the Application Services 3 Extension documentation.