
iControl REST API not working for the remote user having cert manager role. It is throwing 401 unauthorised.

Surya_Kant_Pasa
Altostratus

It's been observed that in the latest releases (tested from v14 onward), the iControl REST API is not working for the remote user having the cert manager role. It is throwing 401 unauthorised.

 

Output below:

 

Device version:

[admin@gs-f5-pe58:Active:Standalone] ~ # tmsh show sys version

 

Sys::Version

Main Package

 Product   BIG-IP

 Version   15.1.0

 Build    0.0.31

 Edition   Final

 Date    Thu Nov 21 05:44:00 PST 2019

 

[admin@gs-f5-pe58:Active:Standalone] ~ # 

 

Working Scenario:

 

Cert manager user :

auth user sme {

  description sme

  encrypted-password XXXX/

  partition Common

  partition-access {

    all-partitions {

      role certificate-manager

    }

  }

  shell tmsh

}

 

API output: able to fetch the desired output when no external authentication server is configured

 

appviewx@avxpll315:~$ curl -kv https://192.168.xxx.xxx/mgmt/tm/sys/software/volume/ -u sme:xxxx

*  Trying 192.168.xxx.xxx...

* TCP_NODELAY set

* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 443 (#0)

> GET /mgmt/tm/sys/software/volume/ HTTP/1.1

> Host: 192.168.xxx.xxx

> Authorization: Basic cxxxxxxxxxxx

> User-Agent: curl/7.58.0

> Accept: */*

< HTTP/1.1 200 OK

< Date: Wed, 01 Dec 2021 09:08:53 GMT

< Server: Jetty(9.2.22.vxxxxx)

< Set-Cookie: BIGIPAuthCookie=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; path=/; Secure; HttpOnly

< Set-Cookie: BIGIPAuthUsernameCookie=sme; path=/; Secure; HttpOnly

< X-Frame-Options: SAMEORIGIN

< Strict-Transport-Security: max-age=16070400; includeSubDomains

< Content-Type: application/json; charset=UTF-8

< Allow: 

< Pragma: no-cache

< Cache-Control: no-store

< Cache-Control: no-cache

< Cache-Control: must-revalidate

< Expires: -1

< Content-Length: 613

< X-Content-Type-Options: nosniff

< X-XSS-Protection: 1; mode=block

< Content-Security-Policy: 

* Connection #0 to host 192.168.xxx.xxx left intact

{"kind":"tm:sys:software:volume:volumecollectionstate","selfLink":"https://localhost/mgmt/tm/sys/software/volume?ver=15.1.0","items":[{"kind":"tm:sys:software:volume:volumestate","name":"HD1.1","fullPath":"HD1.1","generation":152802,"selfLink":"https://localhost/mgmt/tm/sys/software/volume/HD1.1?ver=15.1.0","active":true,"apiRawValues":{},"basebuild":"0.0.31","build":"0.0.31","product":"BIG-IP","status":"complete","version":"15.1.0","media":[{"name":"HD1.1","defaultBootLocation":true,"media":"hd","size":"default","nameReference":{"link":"https://localhost/mgmt/tm/sys/software/volume/HD1.1?ver=15.1.0"}}]}]}

 

 

As soon as remote authentication is configured on the device, the API stops working with the same user. In this case we have configured Remote - TACACS+, and it throws a 401 authentication error.

 

admin@(gs-f5-pe58)(cfg-sync Standalone)(Active)(/Common)(tmos)# list auth tacacs 

auth tacacs system-auth {

  protocol ip

  secret XXXXXXXXXXXXX==

  servers { 192.168.XXX.XXX }

  service XXX

}

 

appviewx@avxpll315:~$ curl -kv https://192.168.xxx.xxx/mgmt/tm/sys/software/volume/ -u sme:xxxxx

*  Trying 192.168.xxx.xxx...

* TCP_NODELAY set

* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 443 (#0)

> GET /mgmt/tm/sys/software/volume/ HTTP/1.1

> Host: 192.168.xxx.xxx

> Authorization: Basic XXXXXXXXXX=

> User-Agent: curl/7.58.0

> Accept: */*

< HTTP/1.1 401 F5 Authorization Required

< Date: Wed, 01 Dec 2021 09:17:39 GMT

< Server: Apache

< X-Frame-Options: SAMEORIGIN

< Strict-Transport-Security: max-age=16070400; includeSubDomains

* Authentication problem. Ignoring this.

< WWW-Authenticate: Basic realm="Enterprise Manager"

< Content-Length: 381

< Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<html><head>

<title>401 Unauthorized</title>

</head><body>

<h1>Unauthorized</h1>

<p>This server could not verify that you

are authorized to access the document

requested. Either you supplied the wrong

credentials (e.g., bad password), or your

browser doesn't understand how to supply

the credentials required.</p>

</body></html>

* Connection #0 to host 192.168.xxx.xxx left intact

 

Please let us know if there is any solution or article provided to resolve the issue.
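
As an added example (not part of the original post): a small Python helper that parses the two `curl -v` transcripts above and lists the response fields that differ between the working and failing requests, such as the `Server` header (Jetty on the 200, Apache on the 401) and the missing auth cookies. The sample strings are constructed from header lines shown in the post, and the function names are hypothetical.

```python
import re
# Constructed samples: header lines abridged from the two curl -v transcripts in the post.
OK_TRANSCRIPT = """\
> GET /mgmt/tm/sys/software/volume/ HTTP/1.1
< HTTP/1.1 200 OK
< Server: Jetty(9.2.22.vxxxxx)
< Set-Cookie: BIGIPAuthCookie=xxxx; path=/; Secure; HttpOnly
< Set-Cookie: BIGIPAuthUsernameCookie=sme; path=/; Secure; HttpOnly
< Content-Type: application/json; charset=UTF-8
"""
FAIL_TRANSCRIPT = """\
> GET /mgmt/tm/sys/software/volume/ HTTP/1.1
< HTTP/1.1 401 F5 Authorization Required
< Server: Apache
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Enterprise Manager"
< Content-Type: text/html; charset=iso-8859-1
"""

def parse_response(transcript):
    """Return (status, headers) built only from the '< ' response lines of curl -v."""
    status, headers = None, {}
    # Request lines ('>') and curl's own notes ('*') are skipped by the filter.
    for text in (l[2:].strip() for l in transcript.splitlines() if l.startswith("< ")):
        m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", text)
        if m:
            status = int(m.group(1))
        elif ":" in text:
            name, value = text.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def summarize(transcript):
    """Reduce a transcript to the fields that show which component answered."""
    status, h = parse_response(transcript)
    realm = re.search(r'realm="([^"]*)"', " ".join(h.get("www-authenticate", [])))
    return {
        "status": status,
        "server": h.get("server", [None])[0],
        "content_type": h.get("content-type", [None])[0],
        "auth_cookies": [c.split("=", 1)[0] for c in h.get("set-cookie", [])],
        "realm": realm.group(1) if realm else None,
    }

def diff_summaries(a, b):
    """Return {field: (working_value, failing_value)} for fields that differ."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

print(diff_summaries(summarize(OK_TRANSCRIPT), summarize(FAIL_TRANSCRIPT)))
```

Saving each full `curl -v` output (stderr included) to a file and passing its contents to `summarize` gives the same comparison for other endpoints or users.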

 

 

 

 
