sysAdm
May 17, 2023

REST API access right

Hi all,

We're running F5 LTM (version 14.1.4.x) and sorry for any newbie question.

We're trying to perform some tasks through REST API to the LTM:

1. Check system status, e.g.

curl -ks -H "Content-Type: application/json" -u admin:admin "https://192.168.1.1/mgmt/tm" -d "{\"command\":\"show\", \"utilCmdArgs\":\"-c 'cm failover-status'\"}"

2. Perform failover, e.g.

curl -ks -H "Content-Type: application/json" -u admin:admin "https://192.168.1.1/mgmt/tm" -d "{\"command\":\"run\", \"utilCmdArgs\":\"-c 'sys failover standby'\"}"

We don't want to expose the admin password in any script, while the authentication token seems to be valid for only 10 hours at most and is not suitable for use in cron jobs. We created a user for this specific purpose with the user role Resource Administrator, who can perform the task through ssh or the GUI.

However, both commands can run as that specific user (testuser1) in tmsh interactively, but fail when running through curl with error:

{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/testuser1 resource=/mgmt/tm verb=POST uri:http://localhost:8100/mgmt/tm referrer:192.168.1.8 sender:192.168.1.8","referer":"192.168.1.8","restOperationId":2225072,"kind":":resterrorresponse"}

I'm afraid we've missed something or are setting things up based on a wrong concept...

Would anyone please help?

Thanks and Rgds

/st wong
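
The 401 body quoted in the post above names the account, resource and verb that were refused. As an added example (not part of the original post and not F5 code), this Python parser extracts those fields so a cron wrapper or log pipeline can record exactly which request was denied; the field layout is assumed from the single message shown on this page, and the function names are hypothetical.

```python
import json
import re

# Sample input: the 401 response body copied from the post above.
SAMPLE_BODY = (
    '{"code":401,"message":"Authorization failed: '
    'user=https://localhost/mgmt/shared/authz/users/testuser1 '
    'resource=/mgmt/tm verb=POST uri:http://localhost:8100/mgmt/tm '
    'referrer:192.168.1.8 sender:192.168.1.8","referer":"192.168.1.8",'
    '"restOperationId":2225072,"kind":":resterrorresponse"}'
)

# Assumed layout: whitespace-separated fields, keyed with "=" or ":".
_FIELD = re.compile(r'\b(user|resource|verb|uri|referrer|sender)[=:](\S+)')


def parse_authz_failure(body):
    """Return the denied request as a dict, or None if body is not a 401 authorization failure."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None  # not JSON at all (e.g. an HTML error page)
    if not isinstance(doc, dict) or doc.get("code") != 401:
        return None
    msg = doc.get("message")
    if not isinstance(msg, str) or not msg.startswith("Authorization failed:"):
        return None
    fields = dict(_FIELD.findall(msg))
    # The user is reported as a URI; the account name is its last path segment.
    fields["account"] = fields.get("user", "").rstrip("/").rsplit("/", 1)[-1]
    fields["rest_operation_id"] = doc.get("restOperationId")
    return fields


def summarize(body):
    """One-line description suitable for a cron job's log output."""
    f = parse_authz_failure(body)
    if f is None:
        return "not an authorization failure"
    return "{} denied {} on {} (sender {}, op {})".format(
        f.get("account", "?"), f.get("verb", "?"), f.get("resource", "?"),
        f.get("sender", "?"), f.get("rest_operation_id"))


if __name__ == "__main__":
    print(summarize(SAMPLE_BODY))
```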

  • sysAdm Is this user a local user? Is your F5 configured for remote authentication for user login? Typically if you have an F5 using remote authentication the only local users that work are root and admin.

    • sysAdm

      Paulius Yes, the user is a local user. We didn't configure our F5 for remote authentication while we only played and learned using REST with the admin user. Would you advise how to configure the F5 to enable remote user authentication and thus use the REST API?

      Thanks a lot.

      • Paulius

        sysAdm You do not need to enable remote authentication in order to use REST api. I was just making sure it wasn't enabled because if it was and you were using a local user, the local users are disabled when remote authentication is enabled. The exception to disabled local users with remote authentication is the root and admin user that come default on the F5.