topic Re: Automating HA key exchange in Automation/API Discussions

Automating HA key exchange

pkhavkine — Thu, 23 Sep 2021 14:25:01 GMT

Hello all.

Is there a way to automate the exchange of HA keys when creating an HA pair?

I have gotten everything else using terraform/ansible/panorama. But I cannot figure out how to do HA key exchange programmatically.

Anyone has done it?

Thanks

Re: Automating HA key exchange

JimmyHolland — Thu, 23 Sep 2021 16:14:53 GMT

Hello @pkhavkine, can you confirm which part(s) of the HA key procedure you are looking to automate? If you are referring to step 6 listed here, the export function of the XML API does not include the high availability keys as an option today, which rules out Ansible and Terraform too, so the step 6 tasks would need to be done via CLI automation to get things done programmatically.

Re: Automating HA key exchange

pkhavkine — Thu, 23 Sep 2021 16:19:15 GMT

Yes, that is exactly what i'm looking for to automate, maybe someone has an expect script handy?

Thanks

Re: Automating HA key exchange

sborba-ntx — Thu, 19 Jan 2023 21:07:46 GMT

anyone get anywhere on this? Steps are:

SSH to <USERNAME>@<FWA-IP> <EXPECT-"Password:"> <SSHPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> scp export high-availability-key from HA-key-<SN#A> to sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#A> <EXPECT-"sftpuser@<SFTP>'s password:"> <SFTPPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> exit SSH to <USERNAME>@<FWB-IP> <EXPECT-"Password:"> <SSHPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> scp export high-availability-key from HA-key-<SN#B> to sftpuser@1<SFTP>:/home/sftpuser/HA-key-<SN#B> <EXPECT-"sftpuser@<SFTP>'s password:"> <SFTPPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> scp import high-availability-key from sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#A> <EXPECT-"sftpuser@<SFTP>'s password:"> <SFTPPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> exit SSH to <USERNAME>@<FWA-IP> <EXPECT-"Password:"> <SSHPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> scp import high-availability-key from sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#B> <EXPECT-"sftpuser@<SFTP>'s password:"> <SFTPPASSWORD> <EXPECT-"<USERNAME>@<HOSTNAME>"> exit

I haven't ever used expect and that is just psuedo code based on what it might be like.

Re: Automating HA key exchange

sborba-ntx — Fri, 20 Jan 2023 18:04:53 GMT

ok - I am not a patient person here are the scripts

#!/usr/bin/expect #Usage exporthakey.expect <host> <ssh user> <ssh password> <SFTP IP> <sftp user> <sftp password> <local SN#> set timeout 60 spawn ssh [lindex $argv 1]@[lindex $argv 0] expect "yes/no" { send "yes\r" expect "*?assword" { send "[lindex $argv 2]\r" } } "*?assword" { send "[lindex $argv 2]\r" } expect "> " { send "scp export high-availability-key from HA-key-[lindex $argv 6] to [lindex $argv 4]@[lindex $argv 3]:HA-key-[lindex $argv 6]\r" } expect "yes/no" { send "yes\r" expect "password: " { send "[lindex $argv 5]\r" } } "password: " { send "[lindex $argv 5]\r" } expect "> " { send "exit\r" }

#!/usr/bin/expect #Usage importhakey.expect <host> <ssh user> <ssh password> <SFTP IP> <sftp user> <sftp password> <peer SN#> set timeout 60 spawn ssh [lindex $argv 1]@[lindex $argv 0] expect "yes/no" { send "yes\r" expect "*?assword" { send "[lindex $argv 2]\r" } } "*?assword" { send "[lindex $argv 2]\r" } expect "> " { send "scp import high-availability-key from [lindex $argv 4]@[lindex $argv 3]:~/HA-key-[lindex $argv 6]\r" } expect "yes/no" { send "yes\r" expect "password: " { send "[lindex $argv 5]\r" } } "password: " { send "[lindex $argv 5]\r" } expect "> " { send "exit\r" }

You would export on each, then import - 4 ssh connections, not optimized for speed, but optimized for code base.