Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

RahulG's avatar
RahulG
Icon for Altocumulus rankAltocumulus
Jun 01, 2020

Encrypting password

Hi All, I am wrinting a phython script to gather few details for GTM. But in that script I am passing the password to login into the device as a plain text. This poses a security issue and the script...
application delivery
BIG-IP DNS
iControlREST
Satoshi_Toyosa1's avatar
Satoshi_Toyosa1
Ret. Employee
Jun 01, 2020

I assume your script uses iControl REST (for example, K86953011). Two ideas.

 

Idea 1: Add a code to enter the username and password upon the script's startup (or command line options). Create individual accounts on BIG-IP for the users who may use your python script. This requires user management, however, that's the best option security-wise.

 

Idea 2: Use Basic Authentication. HTTP's Basic Authentication embeds base64 encoded username:password pair in the "Authorization" header (see RFC 2617). For example, username "admin" and password "admin" are combined with the delimiter ":" ("admin:admin"), then encoded into a string "YWRtaW46YWRtaW4=". This is less readable as compared to 100% plain text. A curl example is shown below:

 curl -sk https://$HOST/mgmt/tm/sys/version -H "Authorization: Basic YWRtaW46YWRtaW4="
(where $HOST is your BIG-IP)

You can obtain the base64 string from a plain-text by executing the following Node.js snippet (Node.js is preinstalled on BIG-IP).

node -p 'Buffer.from("admin:admin").toString("base64")'

The issue is that you can decode the base64 string back to the plain text (easy). I assume your sharedrive is internal, so sharing the secret is acceptable.