09-23-2021 07:25 AM
Hello all.
Is there a way to automate the exchange of HA keys when creating an HA pair?
I have gotten everything else using terraform/ansible/panorama. But I cannot figure out how to do HA key exchange programmatically.
Has anyone done it?
Thanks
09-23-2021 09:14 AM - edited 09-23-2021 09:14 AM
Hello @pkhavkine, can you confirm which part(s) of the HA key procedure you are looking to automate? If you are referring to step 6 listed here, the export function of the XML API does not include the high availability keys as an option today, which rules out Ansible and Terraform too, so the step 6 tasks would need to be done via CLI automation to get things done programmatically.
01-19-2023 01:06 PM - edited 01-19-2023 01:07 PM
Anyone get anywhere on this? Steps are:
SSH to <USERNAME>@<FWA-IP>
<EXPECT-"Password:">
<SSHPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp export high-availability-key from HA-key-<SN#A> to sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#A>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
exit
SSH to <USERNAME>@<FWB-IP>
<EXPECT-"Password:">
<SSHPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp export high-availability-key from HA-key-<SN#B> to sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#B>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp import high-availability-key from sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#A>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
exit
SSH to <USERNAME>@<FWA-IP>
<EXPECT-"Password:">
<SSHPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp import high-availability-key from sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#B>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
exit
I haven't ever used expect, and that is just pseudocode based on what it might be like.
01-19-2023 01:51 PM - edited 01-20-2023 10:04 AM
OK, I am not a patient person; here are the scripts.
#!/usr/bin/expect
# Usage: exporthakey.expect <host> <ssh user> <ssh password> <SFTP IP> <sftp user> <sftp password> <local SN#>
set timeout 60
spawn ssh [lindex $argv 1]@[lindex $argv 0]
# On a first connection ssh asks to accept the firewall's host key; either way, answer the password prompt
expect "yes/no" {
    send "yes\r"
    expect "*?assword" { send "[lindex $argv 2]\r" }
} "*?assword" { send "[lindex $argv 2]\r" }
# At the PAN-OS CLI prompt, export this firewall's own HA key to the SFTP server
expect "> " { send "scp export high-availability-key from HA-key-[lindex $argv 6] to [lindex $argv 4]@[lindex $argv 3]:HA-key-[lindex $argv 6]\r" }
# The firewall may in turn ask to accept the SFTP server's host key, then asks for the SFTP password
expect "yes/no" {
    send "yes\r"
    expect "password: " { send "[lindex $argv 5]\r" }
} "password: " { send "[lindex $argv 5]\r" }
# Wait for the prompt to return (transfer finished), log out and let the session close cleanly
expect "> " { send "exit\r" }
expect eof

#!/usr/bin/expect
# Usage: importhakey.expect <host> <ssh user> <ssh password> <SFTP IP> <sftp user> <sftp password> <peer SN#>
set timeout 60
spawn ssh [lindex $argv 1]@[lindex $argv 0]
# Same login handling as the export script
expect "yes/no" {
    send "yes\r"
    expect "*?assword" { send "[lindex $argv 2]\r" }
} "*?assword" { send "[lindex $argv 2]\r" }
# Pull the peer's key (named after the peer serial) from the SFTP user's home directory
expect "> " { send "scp import high-availability-key from [lindex $argv 4]@[lindex $argv 3]:~/HA-key-[lindex $argv 6]\r" }
expect "yes/no" {
    send "yes\r"
    expect "password: " { send "[lindex $argv 5]\r" }
} "password: " { send "[lindex $argv 5]\r" }
expect "> " { send "exit\r" }
expect eof
You would export on each, then import: 4 SSH connections, not optimized for speed, but optimized for code base.
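The four-session flow described above, as an added wrapper that is not part of the thread: it assumes the two expect scripts are saved as exporthakey.expect and importhakey.expect (in SCRIPT_DIR) with exactly the argv interface shown in the post, and that the credentials arrive in the hypothetical environment variables PAN_SSH_USER, PAN_SSH_PASS, SFTP_HOST, SFTP_USER and SFTP_PASS rather than on the command line, so they do not end up in the operator's shell history. The wrapper enforces the ordering the post relies on (both exports before either import) and fails early if a credential is missing.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Drives the two expect scripts
# posted above in the order the poster describes: export on A, export on B,
# then import the peer's key on B and on A (four SSH sessions).
#
# Assumptions (hypothetical): $SCRIPT_DIR/exporthakey.expect and
# $SCRIPT_DIR/importhakey.expect take the seven positional arguments shown in
# the post; credentials come from the environment variables below.
set -eu

EXPECT_BIN="${EXPECT_BIN:-expect}"   # overridable, e.g. for a dry run
SCRIPT_DIR="${SCRIPT_DIR:-.}"

# Abort early with a clear message if a credential or endpoint is missing.
require_env() {
  local name
  for name in PAN_SSH_USER PAN_SSH_PASS SFTP_HOST SFTP_USER SFTP_PASS; do
    eval "[ -n \"\${$name:-}\" ]" || { echo "missing \$$name" >&2; return 1; }
  done
}

# One SSH session: <script> <firewall host> <serial used to name the key file>.
# The expect scripts still receive the passwords as arguments, so they are
# visible in `ps` on the jump host for the duration of each session.
run_step() {
  local script=$1 host=$2 serial=$3
  "$EXPECT_BIN" "$SCRIPT_DIR/$script" "$host" "$PAN_SSH_USER" "$PAN_SSH_PASS" \
    "$SFTP_HOST" "$SFTP_USER" "$SFTP_PASS" "$serial"
}

# Full exchange. Both exports must finish before either import, because each
# firewall imports the file the other one has just uploaded.
ha_key_exchange() {
  local fwa=$1 fwb=$2 sn_a=$3 sn_b=$4
  require_env
  run_step exporthakey.expect "$fwa" "$sn_a"   # A uploads HA-key-<SN#A>
  run_step exporthakey.expect "$fwb" "$sn_b"   # B uploads HA-key-<SN#B>
  run_step importhakey.expect "$fwb" "$sn_a"   # B pulls HA-key-<SN#A>
  run_step importhakey.expect "$fwa" "$sn_b"   # A pulls HA-key-<SN#B>
}

# Run only when invoked with the four positional arguments; otherwise just
# define the functions (e.g. when sourced from another script).
if [ "$#" -eq 4 ]; then
  ha_key_exchange "$@"
else
  echo "usage: $0 <fw-a-ip> <fw-b-ip> <serial-a> <serial-b>" >&2
fi
```

Two caveats for anyone running this for real: both expect scripts answer "yes" to ssh's host-key prompt, i.e. they trust whatever key the firewall and the SFTP server present on first contact, so pre-populate known_hosts on the jump host (or verify the fingerprints out of band) before letting automation accept them; and a dry run with EXPECT_BIN pointed at a stub that only logs its arguments is a cheap way to confirm the ordering and the key-file names before real credentials are involved.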