F5 BIG IP iControl API Authentication

Hi srinidhi,

the links I've provided you are outlining the details to configure iControl REST. There is unfortunately no GUI for it. 

I somehow share your doubts. Personally I wont give lets say "untrusted people" a network access to my iControl REST and grant them "minimalistic" access permissions (e.g. Operator Role + API permissions). Its already to much for my taste... 

You may check the iRule coding below to use a Virtual Server to provide an alternative and very restricted access method to your iControl REST. The iRule checks for a PERM-API-KEY header value and applies simple access rules. When an request is allowed to pass, F5 administrative credentials are getting insert in the forwarded request. On this way you dont need to forward any credentials to a "untrusted people" and the dont need a direct access to your Management IP at all.   

 

 

when HTTP_REQUEST {
	
	# Check if a given "PERM-API-KEY" HTTP header value is allowed to access a specific API endpoint
				
	switch -glob -- "[HTTP::header value "PERM-API-KEY"]|[HTTP::method]|[HTTP::uri]" {
			
		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,10" {
			# Allow the request	
		}
		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,20" {
			# Allow the request	
		}
		default {
			# Deny all remaining requests	
			HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
			return
		}
		
	}
	
	# Sanitize inbound HTTP request headers and inject F5 Admin Credentials
		
	HTTP::header sanitize 
	HTTP::header insert "Authorization" "Basic [b64encode "admin:admin"]"
	
	# Forward the request to REST API (using Route-Domains other than 0 is required) 		
	node 10.0.17.200%1 443
	
}
when HTTP_RESPONSE {

	# Sanitize outbound HTTP request headers
	HTTP::header sanitize 
	HTTP::header remove "Set-Cookie"

}

ltm virtual VS_for_restricted_API_access {
    destination 10.0.18.23%1:https
    ip-protocol tcp
    mask 255.255.255.255
    profiles {
        clientssl {
            context clientside
        }
        http { }
        serverssl {
            context serverside
        }
        tcp { }
    }
    rules {
        iRule_for_restricted_API_access
    }
    serverssl-use-sni disabled
    source 0.0.0.0%1/0
    source-address-translation {
        type automap
    }
    translate-address enabled
    translate-port enabled
}

 

 

Note: The only requirement for the Virtual Server alternative access method is, that the Virtual Server must be operated in a Route-Domain other than 0 (default). The traffic has to leave your LTM-SelfIP and then find its way to the management IP via your network infrastructure.

Cheers, Kai

• This iRule checks for the PERM_API_KEY, from where do we get the perm_api_key

Its a free-text value. Simply replace the value in the iRule i send your with a long password string like "hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm".

Then send the string to the guy who needs to access to your API. Tell the guy to use this string as the value in a custom HTTP Header called "PERM_API_KEY" when accessing your API. Its basically a shared-key authentication used between the API caller and your F5. 

curl -H "PERM_API_KEY: hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm" https://10.0.17.200/mgmt/tm/sys/log/audit/stats

• Can you let me know if this below line will be replaced with the auth token and how does the authentication works 

The F5 injects Basic credentials to the HTTP request before forwarding to REST API. You may create a new user account with at least Admin or Auditor permissions to read the logs. Then replace "admin:admin" with "Username:Password" of the just created user account.

You may also base64 encode the "Username:Password" string offline an replace the line with:

HTTP::header insert "Authorization" "Basic YOURBASE64CODE=="

It will basically masks the contained password value a bit...

Cheers, Kai