Forum Discussion

srinidhi12's avatar
Icon for Cirrostratus rankCirrostratus
Dec 02, 2022

F5 BIG IP iControl API Authentication

Hi All, I am trying to access the icontrol API and collect the BIG IP logs. curl -sku admin:admin -H "Content-Type: application/json" -X GET https://x.x.x.x/mgmt/tm/sys/log/ltm/stats I am able to ...
  • Kai_Wilke's avatar
    Dec 05, 2022

    Hi srinidhi,

    the links I've provided you are outlining the details to configure iControl REST. There is unfortunately no GUI for it. 

    I somehow share your doubts. Personally I wont give lets say "untrusted people" a network access to my iControl REST and grant them "minimalistic" access permissions (e.g. Operator Role + API permissions). Its already to much for my taste... 

    You may check the iRule coding below to use a Virtual Server to provide an alternative and very restricted access method to your iControl REST. The iRule checks for a PERM-API-KEY header value and applies simple access rules. When an request is allowed to pass, F5 administrative credentials are getting insert in the forwarded request. On this way you dont need to forward any credentials to a "untrusted people" and the dont need a direct access to your Management IP at all.   



    when HTTP_REQUEST {
    	# Check if a given "PERM-API-KEY" HTTP header value is allowed to access a specific API endpoint
    	switch -glob -- "[HTTP::header value "PERM-API-KEY"]|[HTTP::method]|[HTTP::uri]" {
    		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,10" {
    			# Allow the request	
    		"InsertYourKeyValueToAllow|GET|/mgmt/tm/sys/log/ltm/stats?options=lines,20" {
    			# Allow the request	
    		default {
    			# Deny all remaining requests	
    			HTTP::respond 403 content "Access Denied" "Content-Type" "text/html"
    	# Sanitize inbound HTTP request headers and inject F5 Admin Credentials
    	HTTP::header sanitize 
    	HTTP::header insert "Authorization" "Basic [b64encode "admin:admin"]"
    	# Forward the request to REST API (using Route-Domains other than 0 is required) 		
    	node 443
    when HTTP_RESPONSE {
    	# Sanitize outbound HTTP request headers
    	HTTP::header sanitize 
    	HTTP::header remove "Set-Cookie"
    ltm virtual VS_for_restricted_API_access {
        ip-protocol tcp
        profiles {
            clientssl {
                context clientside
            http { }
            serverssl {
                context serverside
            tcp { }
        rules {
        serverssl-use-sni disabled
        source-address-translation {
            type automap
        translate-address enabled
        translate-port enabled



    Note: The only requirement for the Virtual Server alternative access method is, that the Virtual Server must be operated in a Route-Domain other than 0 (default). The traffic has to leave your LTM-SelfIP and then find its way to the management IP via your network infrastructure.

    Cheers, Kai

  • Kai_Wilke's avatar
    Dec 06, 2022
    • This iRule checks for the PERM_API_KEY, from where do we get the perm_api_key

    Its a free-text value. Simply replace the value in the iRule i send your with a long password string like "hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm".

    Then send the string to the guy who needs to access to your API. Tell the guy to use this string as the value in a custom HTTP Header called "PERM_API_KEY" when accessing your API. Its basically a shared-key authentication used between the API caller and your F5. 

    curl -H "PERM_API_KEY: hsU8iHU28HU283HU283d8ad8a3d8ash247da334lkxm"
    • Can you let me know if this below line will be replaced with the auth token and how does the authentication works 

    The F5 injects Basic credentials to the HTTP request before forwarding to REST API. You may create a new user account with at least Admin or Auditor permissions to read the logs. Then replace "admin:admin" with "Username:Password" of the just created user account.

    You may also base64 encode the "Username:Password" string offline an replace the line with:

    HTTP::header insert "Authorization" "Basic YOURBASE64CODE=="

    It will basically masks the contained password value a bit...

    Cheers, Kai