Citrix NetScaler ADC: Having fun with Nitro

By Johannes Norz
31 May 2018
5 Min read
In Tricks
Add comment
C

Recently I had several requests related to NITRO. NITRO is Citrix NetScaler’s API. Any device may communicate to a NetScaler using NITRO. Even a browser! Citrix exposes several settings and counters and even allows changes. NITRO is the central source for scripting NetScalers.

I, being rather an administrator than a programmer, am not that much interested in using NITRO with C++/C#, Java, …, instead I have an administrator’s view on it. My first steps with NITRO had been around retrieving and logging counters. I wrote a blog about logging slowloris attacks. This was NITRO calls from within a NetScaler.

This one is about NITRO in general.

NITRO in a nutshell

Citrix NetScaler’s NITRO is an API. Even though it’s partly possible to be useed it with standard HTTP, it’s based on REST and JSON. That means: Requests and responses follow a structured, XML like, format. That’s fine from one side, but turned out to be a bit challenging for me.

What does it expose?

There is a good SDK available. NITRO exposes:

  • Configurations. http(s)://<netscaler-ip-address>/nitro/v1/config/<resource-type>
  • Statistics. http(s)://<netscaler-ip-address>/nitro/v1/stat/<resource-type>

So it’s possible to get read/write access to Citrix NetScaler’s configuration as well as read access to NetScaler statistics!

The Nike® way: Let’s do IT (or: a first try)

My Citrix NetScaler ADC Testsystem’s NSIP is 192.168.30.100. So I surf to https://192.168.30.100/nitro/v1/stat/.

I get promptet for username and password. An easy one for all of you as my testsystem uses nsroot/nsroot . If you want to logon using a script you would follow these guide lines in Citrix NetScaler NITRO SDK.

Immediately after sending my credentials our first success:

Or, if I select RAW data in Firefox:

This is a complete list of objects Citrix NetScaler NITRO exposes counters for.

Next step: Retrieve counters for a specific class:

Let’s say: I’m currently mainly interested in WAF, so the counters I’ll try to extract is appfw. My URL would be https://192.168.30.100/nitro/v1/stat/appfw. And here they are! Again, this is a great JSON file and can be processed easily. This can even be done from inside Citrix NetScaler using http callout.

Let’s go into the config side!

So my first guess would be: surf to https://192.168.30.100/nitro/v1/config/. And it works!

View Citrix NetScaler Firmware version:

https://192.168.30.100/nitro/v1/config/nsversion

Get Citrix NetScaler basic configuration

https://192.168.30.100/nitro/v1/config/nsconfig

This is some information like NS-IP, cookie version, HA status, time zone, last config update / save, system time and more.

I see, I would have to save my “valuable” configuration. This would be possible using https://192.168.30.100/nitro/v1/config/nsconfig?action=save, however it does not work. Why? Because I send a http get instead of a put. See here for details. I could use fiddler to change my get into a put (putting the right content into the body), but that’s way to complex for me to do, so I left my configuration unsaved.

(just kidding, of course I did! It’s not that easy, but in the end I made it, that’s why I’m still here, some minutes before midnight)

Nitro: Which lb-vServers are on my Citrix NetScaler?

https://192.168.30.100/nitro/v1/config/lbvserver (https://192.168.30.100/nitro/v1/config/csvserver)

Get a list of all vServers out of Citrix NetScaler Nitro call(I have collapsed several servers, so you can see there are several of them)

This will retrieve a list of all vServers out of Citrix NetScaler using a Nitro call (I have collapsed several servers, so you can see there are several of them)

https://192.168.30.100/nitro/v1/config/lbvserver/lb_vsrv_colors

getting lb-vServer out of Nitro
Nitro: give me a list of SSL certificates?

https://192.168.30.100/nitro/v1/config/sslcertkey

get a list of SSL-Certs out of Citrix NetScaler NITROA complete list. Simmilar to lb-vServer a specific certificate would be: https://192.168.30.100/nitro/v1/config/sslcertkey/ns-server-certificate.

There is much more to query for. NetScaler GUI constantly does NITRO queries to Citrix NetScaler. Using a proxy like fiddler could help you seeing these calls.

I hope, you liked my blog. It’s fun to play around, dig into NetScaler and I really had fun to see my NetScaler from a programmer’s perspective. I’d be more than just happy to see comments on this article. Your comments keep me writing more blogs …

FacebookXEmailLinkedInWhatsAppPinterest

About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He had been borne in Innsbruck, a small city (150.000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I)

View all posts

Add comment

Read more

By Johannes Norz 31 May 2018
Add comment

Recent Posts

Recent Comments