Demystifying iControl REST Part 6: Token-Based Authentication
iControl REST. It’s iControl SOAP’s baby brother, introduced back in TMOS version 11.4 as an early access feature but released fully in version 11.5.
Several articles on basic usage have been writ...
Updated Jan 06, 2024, Version 2.0, by JRahm (Admin)
Christ Follower, Husband, Father, Technologist. I love community and I especially love THIS community. My background is networking, but I've dabbled in all the F5 iStuff, I'm a recovering Perl guy, and am very much a python enthusiast. Learning alongside all of you in this accelerating industry toward modern apps and architectures.
forsan (Altostratus), Sep 14, 2016
Hi,
I have two different environments where I'm testing this. I'm getting the REST API to work fine with my TMOS 12.1 environment, but in 11.6.1 I'm getting a 401 error.
12.1:
curl -sk --header "Content-Type:application/json" --request POST https://localhost/mgmt/shared/authn/login --data '{"username":"aduser", "password":"adpassword", "loginProviderName":"tmos"}'
{"username":"aduser","loginReference":{"link":"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login"},"loginProviderName":"tmos","token":{"token":"4F7P62K5BL2UIN4ZSW3DMWTAKC","name":"4F7P62K5BL2UIN4ZSW3DMWTAKC","userName":"anfo","authProviderName":"tmos","user":{"link":"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/4f446f2a-9922-469a-ac69-656d770e8408"},"groupReferences":[{"link":"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/user-groups/21232f29-7a57-35a7-8389-4a0e4a801fc3"}],"timeout":1200,"startTime":"2016-09-14T14:25:47.986+0200","address":"127.0.0.1","partition":"[All]","generation":1,"lastUpdateMicros":1473855947986173,"expirationMicros":1473857147986000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/4F7P62K5BL2UIN4ZSW3DMWTAKC"},"generation":0,"lastUpdateMicros":0}
curl -sk --header "Content-Type:application/json" --header "X-F5-Auth-Token: 4F7P62K5BL2UIN4ZSW3DMWTAKC" --request GET https://localhost/mgmt/shared/echo
{"stage":"STARTED","stageEnumValues":["CREATED","STARTED","SHUTDOWN"],"generation":0,"lastUpdateMicros":0,"kind":"shared:echo:echoworkerstate","selfLink":"https://localhost/mgmt/shared/echo"}
11.6.1:
curl -sk --header "Content-Type:application/json" --request POST https://localhost/mgmt/shared/authn/login --data '{"username":"aduser", "password":"adpassword", "loginProviderName":"tmos"}'
{"username":"aduser","loginReference":{"link":"https://localhost/mgmt/shared/authn/providers/local/login"},"token":{"uuid":"af2323bb-295f-4c21-a2ad-bc874d96b6a3","name":"39EBC4D277ECE08D5AFE4EC57B05674F194291BC6959079F188816267CA22CD9E1E8AB3CD44DE8C846A3A9A0AD9BD93F4C65B9C0BCFA969B8AF465CE2BD5A0BE","token":"39EBC4D277ECE08D5AFE4EC57B05674F194291BC6959079F188816267CA22CD9E1E8AB3CD44DE8C846A3A9A0AD9BD93F4C65B9C0BCFA969B8AF465CE2BD5A0BE","userName":"aduser","user":{"link":"https://localhost/mgmt/shared/authz/users/aduser"},"groupReferences":[],"timeout":1200,"startTime":"2016-09-14T05:03:15.763-0700","address":"127.0.0.1","partition":"[All]","generation":1,"lastUpdateMicros":1473854595759258,"expirationMicros":1473855795763000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/af2323bb-295f-4c21-a2ad-bc874d96b6a3"},"generation":0,"lastUpdateMicros":0}
curl -sk --header "Content-Type:application/json" --header "X-F5-Auth-Token: 39EBC4D277ECE08D5AFE4EC57B05674F194291BC6959079F188816267CA22CD9E1E8AB3CD44DE8C846A3A0AD9BD93F4C65B9C0BCFA969B8AF465CE2BD5A0BE" --request GET https://localhost/mgmt/tm/ltm/pool?$select=name
{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/aduser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool?=name referrer:127.0.0.1 sender:127.0.0.1","referer":"127.0.0.1","restOperationId":12574003,"errorStack":["java.lang.SecurityException: Authorization failed: user=https://localhost/mgmt/shared/authz/users/aduser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool?=name referrer:127.0.0.1 sender:127.0.0.1","at com.f5.rest.workers.ForwarderWorker.failPermissionValidation(ForwarderWorker.java:565)","at com.f5.rest.workers.ForwarderWorker.evaluateUserPermission(ForwarderWorker.java:633)","at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:537)","at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:202)","at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)","at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)","at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)","at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:889)","at com.f5.rest.common.RestServer.access$000(RestServer.java:43)","at com.f5.rest.common.RestServer$1.run(RestServer.java:165)","at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)","at java.lang.Thread.run(Thread.java:744)\n"]}
One thing I noticed is the difference in the user path response from the different versions.
12.1:
https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login
11.6.1:
https://localhost/mgmt/shared/authn/providers/local/login
I have tried to create a local user on the 11.6.1 system, but I don't think this will help because REST API users do not work when changing the Auth type from Local to, in my case, "Active Directory". The only local accounts that work then are the admin and root accounts.
Best Regards Andréas