Forum Discussion

srinidhi12's avatar
srinidhi12
Icon for Cirrostratus rankCirrostratus
Dec 02, 2022

F5 BIG IP iControl API Authentication

Hi All, I am trying to access the icontrol API and collect the BIG IP logs. curl -sku admin:admin -H "Content-Type: application/json" -X GET https://x.x.x.x/mgmt/tm/sys/log/ltm/stats I am able to ...
  • Kai_Wilke's avatar
    Kai_Wilke
    Dec 05, 2022

    Hi srinidhi,

    the links I've provided you are outlining the details to configure iControl REST. There is unfortunately no GUI for it. 

    I somehow share your doubts. Personally I wont give lets say "untrusted people" a network access to my iControl REST and grant them "minimalistic" access permissions (e.g. Operator Role + API permissions). Its already to much for my taste... 

    You may check the iRule coding below to use a Virtual Server to provide an alternative and very restricted access method to your iControl REST. The iRule checks for a PERM-API-KEY header value and applies simple access rules. When an request is allowed to pass, F5 administrative credentials are getting insert in the forwarded request. On this way you dont need to forward any credentials to a "untrusted people" and the dont need a direct access to your Management IP at all.   

     

     

    when HTTP_REQUEST {
    	
    	# Check if a given "PERM-API-KEY" HTTP header value is allowed to access a specific API endpoint
    				
    	switch -glob -- "[HTTP::header value "PERM-API-KEY"]|[HTTP::method]|[HTTP::uri]" {
    			
    		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,10" {
    			# Allow the request	
    		}
    		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,20" {
    			# Allow the request	
    		}
    		default {
    			# Deny all remaining requests	
    			HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
    			return
    		}
    		
    	}
    	
    	# Sanitize inbound HTTP request headers and inject F5 Admin Credentials
    		
    	HTTP::header sanitize 
    	HTTP::header insert "Authorization" "Basic [b64encode "admin:admin"]"
    	
    	# Forward the request to REST API (using Route-Domains other than 0 is required) 		
    	node 10.0.17.200%1 443
    	
    }
    when HTTP_RESPONSE {
    
    	# Sanitize outbound HTTP request headers
    	HTTP::header sanitize 
    	HTTP::header remove "Set-Cookie"
    
    }
    
    
    ltm virtual VS_for_restricted_API_access {
        destination 10.0.18.23%1:https
        ip-protocol tcp
        mask 255.255.255.255
        profiles {
            clientssl {
                context clientside
            }
            http { }
            serverssl {
                context serverside
            }
            tcp { }
        }
        rules {
            iRule_for_restricted_API_access
        }
        serverssl-use-sni disabled
        source 0.0.0.0%1/0
        source-address-translation {
            type automap
        }
        translate-address enabled
        translate-port enabled
    }

     

     

    Note: The only requirement for the Virtual Server alternative access method is, that the Virtual Server must be operated in a Route-Domain other than 0 (default). The traffic has to leave your LTM-SelfIP and then find its way to the management IP via your network infrastructure.

    Cheers, Kai

  • Kai_Wilke's avatar
    Kai_Wilke
    Dec 06, 2022
    • This iRule checks for the PERM_API_KEY, from where do we get the perm_api_key

    Its a free-text value. Simply replace the value in the iRule i send your with a long password string like "hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm".

    Then send the string to the guy who needs to access to your API. Tell the guy to use this string as the value in a custom HTTP Header called "PERM_API_KEY" when accessing your API. Its basically a shared-key authentication used between the API caller and your F5. 

    curl -H "PERM_API_KEY: hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm" https://10.0.17.200/mgmt/tm/sys/log/audit/stats
    • Can you let me know if this below line will be replaced with the auth token and how does the authentication works 

    The F5 injects Basic credentials to the HTTP request before forwarding to REST API. You may create a new user account with at least Admin or Auditor permissions to read the logs. Then replace "admin:admin" with "Username:Password" of the just created user account.

    You may also base64 encode the "Username:Password" string offline an replace the line with:

    HTTP::header insert "Authorization" "Basic YOURBASE64CODE=="

    It will basically masks the contained password value a bit...

    Cheers, Kai