Demystifying iControl REST Part 6: Token-Based Authentication
iControl REST. It’s iControl SOAP’s baby brother, introduced back in TMOS version 11.4 as an early access feature but released fully in version 11.5.
Several articles on basic usage have been writ...
Updated Jan 06, 2024
Version 2.0
JRahm
Admin
Joined January 20, 2005
forsan
Sep 14, 2016
Altostratus
Hi,
I have two different environments where I'm testing this. I'm getting the REST API to work fine with my TMOS 12.1 environment, but in 11.6.1 I'm getting a 401 error.
12.1
curl -sk --header "Content-Type:application/json" --request POST https://localhost/mgmt/shared/authn/login --data '{"username":"aduser", "password":"adpassword", "loginProviderName":"tmos"}'
{"username":"aduser","loginReference":{"link":"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login"},"loginProviderName":"tmos","token":{"token":"4F7P62K5BL2UIN4ZSW3DMWTAKC","name":"4F7P62K5BL2UIN4ZSW3DMWTAKC","userName":"anfo","authProviderName":"tmos","user":{"link":"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/4f446f2a-9922-469a-ac69-656d770e8408"},"groupReferences":[{"link":"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/user-groups/21232f29-7a57-35a7-8389-4a0e4a801fc3"}],"timeout":1200,"startTime":"2016-09-14T14:25:47.986+0200","address":"127.0.0.1","partition":"[All]","generation":1,"lastUpdateMicros":1473855947986173,"expirationMicros":1473857147986000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/4F7P62K5BL2UIN4ZSW3DMWTAKC"},"generation":0,"lastUpdateMicros":0}
curl -sk --header "Content-Type:application/json" --header "X-F5-Auth-Token: 4F7P62K5BL2UIN4ZSW3DMWTAKC" --request GET https://localhost/mgmt/shared/echo
{"stage":"STARTED","stageEnumValues":["CREATED","STARTED","SHUTDOWN"],"generation":0,"lastUpdateMicros":0,"kind":"shared:echo:echoworkerstate","selfLink":"https://localhost/mgmt/shared/echo"}
11.6.1
curl -sk --header "Content-Type:application/json" --request POST https://localhost/mgmt/shared/authn/login --data '{"username":"aduser", "password":"adpassword", "loginProviderName":"tmos"}'
{"username":"aduser","loginReference":{"link":"https://localhost/mgmt/shared/authn/providers/local/login"},"token":{"uuid":"af2323bb-295f-4c21-a2ad-bc874d96b6a3","name":"39EBC4D277ECE08D5AFE4EC57B05674F194291BC6959079F188816267CA22CD9E1E8AB3CD44DE8C846A3A9A0AD9BD93F4C65B9C0BCFA969B8AF465CE2BD5A0BE","token":"39EBC4D277ECE08D5AFE4EC57B05674F194291BC6959079F188816267CA22CD9E1E8AB3CD44DE8C846A3A9A0AD9BD93F4C65B9C0BCFA969B8AF465CE2BD5A0BE","userName":"aduser","user":{"link":"https://localhost/mgmt/shared/authz/users/aduser"},"groupReferences":[],"timeout":1200,"startTime":"2016-09-14T05:03:15.763-0700","address":"127.0.0.1","partition":"[All]","generation":1,"lastUpdateMicros":1473854595759258,"expirationMicros":1473855795763000,"kind":"shared:authz:tokens:authtokenitemstate","selfLink":"https://localhost/mgmt/shared/authz/tokens/af2323bb-295f-4c21-a2ad-bc874d96b6a3"},"generation":0,"lastUpdateMicros":0}
curl -sk --header "Content-Type:application/json" --header "X-F5-Auth-Token: 39EBC4D277ECE08D5AFE4EC57B05674F194291BC6959079F188816267CA22CD9E1E8AB3CD44DE8C846A3A0AD9BD93F4C65B9C0BCFA969B8AF465CE2BD5A0BE" --request GET https://localhost/mgmt/tm/ltm/pool?$select=name
{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/aduser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool?=name referrer:127.0.0.1 sender:127.0.0.1","referer":"127.0.0.1","restOperationId":12574003,"errorStack":["java.lang.SecurityException: Authorization failed: user=https://localhost/mgmt/shared/authz/users/aduser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool?=name referrer:127.0.0.1 sender:127.0.0.1","at com.f5.rest.workers.ForwarderWorker.failPermissionValidation(ForwarderWorker.java:565)","at com.f5.rest.workers.ForwarderWorker.evaluateUserPermission(ForwarderWorker.java:633)","at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:537)","at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:202)","at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)","at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)","at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)","at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:889)","at com.f5.rest.common.RestServer.access$000(RestServer.java:43)","at com.f5.rest.common.RestServer$1.run(RestServer.java:165)","at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)","at java.lang.Thread.run(Thread.java:744)\n"]}
One thing I noticed is the difference in the user path response from the different versions.
12.1:
https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/login
11.6.1:
https://localhost/mgmt/shared/authn/providers/local/login
I have tried to create a local user on the 11.6.1 system, but I don't think this will help because the REST API users do not work when changing the Auth type from Local to, in my case, "Active Directory". The only local accounts that work then are the admin and root accounts.
Best Regards Andréas
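
An added example, not part of the post above and not F5's code: it parses login responses and a 401 body (constructed samples abridged from the output quoted in the post, with placeholder token values) to list which authorization-relevant fields differ between the two versions, and to flag the empty-name query parameter that an unquoted `$select` leaves behind in a shell. The function names are illustrative.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed samples, abridged from the output quoted in the post above.
# Token values are placeholders, not the tokens from the post.
TMOS = "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b"
LOGIN_12_1 = json.dumps({
    "loginReference": {"link": TMOS + "/login"},
    "token": {"token": "PLACEHOLDER-A", "timeout": 1200,
              "groupReferences": [{"link": TMOS + "/user-groups/21232f29-7a57-35a7-8389-4a0e4a801fc3"}],
              "lastUpdateMicros": 1473855947986173, "expirationMicros": 1473857147986000}})
LOGIN_11_6_1 = json.dumps({
    "loginReference": {"link": "https://localhost/mgmt/shared/authn/providers/local/login"},
    "token": {"token": "PLACEHOLDER-B", "timeout": 1200, "groupReferences": [],
              "lastUpdateMicros": 1473854595759258, "expirationMicros": 1473855795763000}})
ERROR_401 = json.dumps({"code": 401, "message": (
    "Authorization failed: user=https://localhost/mgmt/shared/authz/users/aduser "
    "resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool?=name "
    "referrer:127.0.0.1 sender:127.0.0.1")})

def summarize_login(body):
    """Extract the authorization-relevant fields of a login response."""
    doc = json.loads(body)
    tok = doc["token"]
    parts = urlsplit(doc["loginReference"]["link"]).path.split("/")
    provider = parts[parts.index("providers") + 1] if "providers" in parts else None
    return {
        "provider": provider,
        "group_count": len(tok.get("groupReferences", [])),
        "timeout_s": tok["timeout"],
        "lifetime_s": round((tok["expirationMicros"] - tok["lastUpdateMicros"]) / 1e6),
    }

def differing_fields(a, b):
    """Names of summary fields whose values differ between two logins."""
    return sorted(k for k in a if a[k] != b.get(k))

def empty_query_names(error_body):
    """Query parameters with an empty name in the 'uri:' field of a 401 message,
    which is what remains of '$select=name' after a shell expands an unset $select."""
    m = re.search(r"uri:(\S+)", json.loads(error_body)["message"])
    return [p for p in urlsplit(m.group(1)).query.split("&") if p.startswith("=")] if m else []

if __name__ == "__main__":
    new, old = summarize_login(LOGIN_12_1), summarize_login(LOGIN_11_6_1)
    print("12.1:", new, "\n11.6.1:", old, "\ndiffers:", differing_fields(new, old))
    print("empty-name query parameters in 401:", empty_query_names(ERROR_401))
```

Single-quoting the URL on the curl command line keeps `$select` literal, so the parameter name reaches the server intact.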