AltostratusIcontrol REST API not working for the remote user having cert manager role. It is throwing 401 unauthorised.
Its been observed that in the latest releases (tested from V14 onward ). Icontrol REST API not working for the remote user having cert manager role. It is throwing 401 unauthorised.
Output below:
Device version:
[admin@gs-f5-pe58:Active:Standalone] ~ # tmsh show sys version
Sys::Version
Main Package
Product BIG-IP
Version 15.1.0
Build 0.0.31
Edition Final
Date Thu Nov 21 05:44:00 PST 2019
[admin@gs-f5-pe58:Active:Standalone] ~ #
Working Scenario:
Cert manager user :
auth user sme {
description sme
encrypted-password XXXX/
partition Common
partition-access {
all-partitions {
role certificate-manager
}
}
shell tmsh
}
API Output : able to fetch the desired output when no external authentication server configured
appviewx@avxpll315:~$ curl -kv https://192.168.xxx.xxx/mgmt/tm/sys/software/volume/ -u sme:xxxx
* Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 443 (#0)
> GET /mgmt/tm/sys/software/volume/ HTTP/1.1
> Host: 192.168.xxx.xxx
> Authorization: Basic cxxxxxxxxxxx
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 01 Dec 2021 09:08:53 GMT
< Server: Jetty(9.2.22.vxxxxx)
< Set-Cookie: BIGIPAuthCookie=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx; path=/; Secure; HttpOnly
< Set-Cookie: BIGIPAuthUsernameCookie=sme; path=/; Secure; HttpOnly
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=16070400; includeSubDomains
< Content-Type: application/json; charset=UTF-8
< Allow:
< Pragma: no-cache
< Cache-Control: no-store
< Cache-Control: no-cache
< Cache-Control: must-revalidate
< Expires: -1
< Content-Length: 613
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Content-Security-Policy:
<
* Connection #0 to host 192.168.xxx.xxx left intact
{"kind":"tm:sys:software:volume:volumecollectionstate","selfLink":"https://localhost/mgmt/tm/sys/software/volume?ver=15.1.0","items":[{"kind":"tm:sys:software:volume:volumestate","name":"HD1.1","fullPath":"HD1.1","generation":152802,"selfLink":"https://localhost/mgmt/tm/sys/software/volume/HD1.1?ver=15.1.0","active":true,"apiRawValues":{},"basebuild":"0.0.31","build":"0.0.31","product":"BIG-IP","status":"complete","version":"15.1.0","media":[{"name":"HD1.1","defaultBootLocation":true,"media":"hd","size":"default","nameReference":{"link":"https://localhost/mgmt/tm/sys/software/volume/HD1.1?ver=15.1.0"}}]}]}
As soon as Remote Authentication is configured on the Device the API stops working with the same user: In this case we have configured Remote - TACACS+ is configured and throws 401 authentication error.
admin@(gs-f5-pe58)(cfg-sync Standalone)(Active)(/Common)(tmos)# list auth tacacs
auth tacacs system-auth {
protocol ip
secret XXXXXXXXXXXXX==
servers { 192.168.XXX.XXX }
service XXX
}
appviewx@avxpll315:~$ curl -kv https://192.168.xxx.xxx/mgmt/tm/sys/software/volume/ -u sme:xxxxx
* Trying 192.168.xxx.xxx...
* TCP_NODELAY set
* Connected to 192.168.xxx.xxx (192.168.xxx.xxx) port 443 (#0)
> GET /mgmt/tm/sys/software/volume/ HTTP/1.1
> Host: 192.168.xxx.xxx
> Authorization: Basic XXXXXXXXXX=
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 401 F5 Authorization Required
< Date: Wed, 01 Dec 2021 09:17:39 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=16070400; includeSubDomains
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Enterprise Manager"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
* Connection #0 to host 192.168.xxx.xxx left intact
Please let us know the if there is any solution or article provided to resolve the issue.