Automating HA key exchange


L1 Bithead

Hello all.

Is there a way to automate the exchange of HA keys when creating an HA pair?

I have gotten everything else using Terraform/Ansible/Panorama. But I cannot figure out how to do HA key exchange programmatically.

Has anyone done it?

 

 

Thanks

4 REPLIES 4

L5 Sessionator

Hello @pkhavkine, can you confirm which part(s) of the HA key procedure you are looking to automate? If you are referring to step 6 listed here, the export function of the XML API does not include the high availability keys as an option today, which rules out Ansible and Terraform too, so the step 6 tasks would need to be done via CLI automation to get things done programmatically.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

L1 Bithead

Yes, that is exactly what I'm looking to automate; maybe someone has an expect script handy?

 

Thanks

L0 Member

Anyone get anywhere on this? Steps are:

 

SSH to <USERNAME>@<FWA-IP>
<EXPECT-"Password:">
<SSHPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp export high-availability-key from HA-key-<SN#A> to sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#A>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
exit

SSH to <USERNAME>@<FWB-IP>
<EXPECT-"Password:">
<SSHPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp export high-availability-key from HA-key-<SN#B> to sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#B>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp import high-availability-key from sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#A>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
exit

SSH to <USERNAME>@<FWA-IP>
<EXPECT-"Password:">
<SSHPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
scp import high-availability-key from sftpuser@<SFTP>:/home/sftpuser/HA-key-<SN#B>
<EXPECT-"sftpuser@<SFTP>'s password:">
<SFTPPASSWORD>
<EXPECT-"<USERNAME>@<HOSTNAME>">
exit

 


I haven't ever used expect and that is just pseudo code based on what it might be like.

OK - I am not a patient person, here are the scripts:

 

 

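#!/usr/bin/expect
#Usage exporthakey.expect <host> <ssh user> <ssh password> <SFTP IP> <sftp user> <sftp password> <local SN#>
# Note: passwords given as arguments are visible in the local process list while the script runs.

set timeout 60

# Log in to the firewall over SSH
spawn ssh [lindex $argv 1]@[lindex $argv 0]

# Accept the firewall's host key if prompted, then send the SSH password
expect "yes/no" {
        send "yes\r"
        expect "*?assword" { send "[lindex $argv 2]\r" }
        } "*?assword" { send "[lindex $argv 2]\r" }

# At the CLI prompt, export this firewall's HA key to the SFTP server
expect "> " { send "scp export high-availability-key from HA-key-[lindex $argv 6] to [lindex $argv 4]@[lindex $argv 3]:HA-key-[lindex $argv 6]\r" }
# Accept the SFTP server's host key if prompted, then send the SFTP password
expect "yes/no" {
        send "yes\r"
        expect "password: " { send "[lindex $argv 5]\r" }
        } "password: " { send "[lindex $argv 5]\r" }
# Wait for the prompt (transfer finished), log out and let the session close
expect "> " { send "exit\r" }
expect eof

#!/usr/bin/expect
#Usage importhakey.expect <host> <ssh user> <ssh password> <SFTP IP> <sftp user> <sftp password> <peer SN#>
# Note: passwords given as arguments are visible in the local process list while the script runs.

set timeout 60

# Log in to the firewall over SSH
spawn ssh [lindex $argv 1]@[lindex $argv 0]

# Accept the firewall's host key if prompted, then send the SSH password
expect "yes/no" {
        send "yes\r"
        expect "*?assword" { send "[lindex $argv 2]\r" }
        } "*?assword" { send "[lindex $argv 2]\r" }

# At the CLI prompt, import the peer's HA key from the SFTP server
expect "> " { send "scp import high-availability-key from [lindex $argv 4]@[lindex $argv 3]:~/HA-key-[lindex $argv 6]\r" }
# Accept the SFTP server's host key if prompted, then send the SFTP password
expect "yes/no" {
        send "yes\r"
        expect "password: " { send "[lindex $argv 5]\r" }
        } "password: " { send "[lindex $argv 5]\r" }
# Wait for the prompt (transfer finished), log out and let the session close
expect "> " { send "exit\r" }
expect eof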

 

You would export on each, then import - 4 ssh connections, not optimized for speed, but optimized for code base.
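
A hardened variant of the two scripts above, as an added example that is not part of the original posts: it reads both passwords from environment variables instead of argv, and stops on an unknown host key instead of answering "yes". The script name hakey.expect, the variable names FW_PASS and SFTP_PASS, and the exit codes are assumptions of this example; the two PAN-OS commands are the ones used in the thread.

```expect
#!/usr/bin/expect -f
# Added example, not from the thread. Usage:
#   FW_PASS=... SFTP_PASS=... hakey.expect export|import <fw> <ssh user> <sftp host> <sftp user> <SN#>
# FW_PASS and SFTP_PASS are variable names assumed by this example.

set timeout 60
log_user 0   ;# do not echo the remote session to stdout

if {$argc != 6 || ![info exists env(FW_PASS)] || ![info exists env(SFTP_PASS)]} {
    puts stderr "usage: FW_PASS=... SFTP_PASS=... $argv0 export|import fw user sftp sftpuser serial"
    exit 2
}
lassign $argv mode fw user sftp sftpuser serial
# The serial ends up inside a CLI command line, so accept only plain alphanumerics.
if {![regexp {^[A-Za-z0-9]+$} $serial]} { puts stderr "bad serial number"; exit 2 }

# Build the same PAN-OS command the thread's export and import scripts send.
switch -- $mode {
    export  { set cmd "scp export high-availability-key from HA-key-${serial} to ${sftpuser}@${sftp}:HA-key-${serial}" }
    import  { set cmd "scp import high-availability-key from ${sftpuser}@${sftp}:~/HA-key-${serial}" }
    default { puts stderr "mode must be export or import"; exit 2 }
}

# Answer one password prompt; abort on an unknown host key, a timeout or EOF.
proc answer_password {password what} {
    expect {
        "yes/no"           { puts stderr "$what: unknown host key, verify it out of band first"; exit 3 }
        -re {[Pp]assword:} { send -- "$password\r" }
        timeout            { puts stderr "$what: timed out waiting for the password prompt"; exit 4 }
        eof                { puts stderr "$what: connection closed"; exit 4 }
    }
}

spawn ssh ${user}@${fw}
answer_password $env(FW_PASS) "ssh to $fw"
expect {
    "> "    { send -- "$cmd\r" }
    timeout { puts stderr "no CLI prompt from $fw (login failed?)"; exit 4 }
}
answer_password $env(SFTP_PASS) "scp to $sftp"
expect {
    "> "    { send -- "exit\r" }
    timeout { puts stderr "$mode did not finish within ${timeout}s"; exit 4 }
}
expect eof
puts "$mode of HA-key-${serial} on $fw completed"
```

Because the script refuses host-key prompts, the firewall's key must already be in the automation host's known_hosts, and the SFTP server's key must already have been accepted once on each firewall.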
