api
83 Topics

API Pre-Authentication
Some time ago I was dealing with legacy web applications being retrofitted with modern authentication. As you can imagine, this opens up a world of pain when the developers of said applications have long since left. In this particular case we had an application migrating to a new API which was secured behind a non-F5 reverse proxy. The difficulty was API authentication. First the user would SSO to access the application, but this was only for web application access. The API used by the application was hosted in a secure environment behind the proxy and there is no support by the standards for any authentication flows under the hood. I refer to fetch() and XMLHttpRequest() calls by the application.

Key: Redirect = >

Issue Flow

User requests web application > Federated auth > Web application loads in user browser context and starts making API calls which fail.

I did not have LTM handy to whip up some awesome solution to resolve this, which would have been the ideal case, so I had to figure out how to solve this another way.

The Non-F5 Solution

All authentication requests have to occur at the user level, so the only way in this scenario was to redirect them. They were redirected to a dedicated endpoint on the proxy which automatically triggered an auth redirect for federated authentication. This would see the user has already logged in and issue the relevant proxy credentials (as a cookie) to the client, who would then return to the proxy with these credentials. The only issue with this flow is that everything about the original redirect from the client is lost during the authentication process. The only thing that remains is the original URL the user requested.

Prototype Solution

User requests web application > Federated auth > Web application Loads - API Access? No > Proxy > Federated auth > Proxy > ?

JavaScript handling

Developers add JavaScript calls to the API endpoint and if the return code is XXX redirects the user to proxy with parameter ?return=current url

Final Solution

User requests web application > Federated auth > Web application loads - API Access? No > Proxy with return URL > (No Authentication) Federated auth > (Adds Proxy Authentication Cookie into Users Browser) Proxy with return URL > (Redirect user to return URL) Web application loads - API Access (Using Proxy Authentication Cookie) ? Yes, proceed as normal.

Since that time there may have been new standards that make this challenge simpler to navigate. Are you aware of any? Moreover, which of the various F5 offerings would have been able to assist us with this issue?

Solved | 122 Views | 1 like | 8 Comments

Modify SSL profiles via REST API
Hi wiz's

I have been spending some time on automating certificate maintenance. This has brought my attention to this documentation: https://clouddocs.f5.com/api/icontrol-rest/APIRef_tm_ltm_profile_client-ssl.html

In the table describing "cert", "chain" and "key" it states in the notes that they are deprecated and I should use the certKeyChain option instead. However, no matter what calls I construct to make changes to an already existing clientssl profile (PATCH and PUT), I'm told:

    {"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1}

Example code:

    curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/ --header 'Content-Type: application/json' --data-raw '{
      "name":"sletmig",
      "certKeyChain":[{"name":"default","cert":"hest.dk_2023","key":"hest.dk_2023","chain":"My_CA"}]
    }'
    {"code":403,"message":"Operation is not supported on component /ltm/profile/client-ssl.","errorStack":[],"apiError":1}

I can make the change via this syntax:

    curl -sk -H "X-F5-Auth-Token: $TOKEN" -X PATCH https://$f5/mgmt/tm/ltm/profile/client-ssl/~Common~sletmig -H "Content-Type: application/json" -d '{
      "key":"/Common/hest.dk_2023",
      "cert":"/Common/hest.dk_2023",
      "chain":"/Common/My_CA"
    }'|jq

Do I read the documentation wrong or am I missing something else? JRahm any hints?

Solved | 1.5K Views | 1 like | 5 Comments

Create a IFile {system level} via API - Powershell
Hi All,

Attempting the following:

1: Create iFile system level
2: Update existing iRule -> iFile reference to the file uploaded in step 1.

I'm getting stuck at step 1, any assistance greatly appreciated.

What I have tried:

Get Auth Token:

    # Get API token
    $big_ip = 'https://[REDACTED]'
    $url = "{0}{1}" -f $big_ip, '/mgmt/shared/authn/login'
    $body = @{
        username = "[REDACTED]"
        password = '[REDACTED]'
        loginProviderName = "tmos"
    } | ConvertTo-Json
    $result = Invoke-RestMethod -Method 'POST' -Uri $url -ContentType 'application/json' -Body $body
    $token = $($result.token.token)

Works.

Next, upload my file:

    $File_Name = 'MyFile'
    $File_Upload = 'C:\Temp\MyFile'
    $url = "{0}{1}{2}" -f $big_ip, "/mgmt/shared/file-transfer/uploads/", $File_Name
    $filelength = (Get-Item $File_Upload).length
    $headers = @{
        'Content-Type' = 'application/octet-stream'
        'X-F5-Auth-Token' = $token
        'Content-Range' = "0-$($filelength-1)/$filelength"
    }
    $result = Invoke-RestMethod -Method Post -Uri $url -Headers $headers -InFile $File_Upload

Works fine too. I am returned with:

    remainingByteCount : 0
    usedChunks         : @{0=46321}
    totalByteCount     : 46321
    localFilePath      : /var/config/rest/downloads/MyFile
    temporaryFilePath  : /var/config/rest/downloads/tmp/MyFile
    generation         : 0
    lastUpdateMicros   : 1661257236246203

Next is where I'm stuck: creation of the iFile system level from the uploaded file. I've re-typed the below from the Curl samples here: Syncing local repositories and ifiles using iContr... - DevCentral (f5.com)

    ### Create a iFile {system level} - does not yet work
    $File_Name = 'MyFile'
    $url = "{0}{1}{2}" -f $big_ip, "/mgmt/tm/sys/file/ifile/", $File_Name
    $headers = @{
        'Content-Type' = 'application/json'
        'X-F5-Auth-Token' = $token
    }
    $body = @{
        'name' = $File_Name
        'source-path' = "file:///var/config/rest/downloads/$File_Name"
    } | ConvertTo-Json
    $result = Invoke-RestMethod -Method put -Uri $url -Headers $headers -Body $body

Next I am receiving that the file cannot be found. So this query is incorrectly structured?

Translated these examples to PowerShell: Syncing local repositories and ifiles using iContr... - DevCentral (f5.com)

    Invoke-RestMethod : {"code":404,"message":"01020036:3: The requested iFile (/Common/MyFile) was not found.","errorStack":[],"apiError":3}
    At line:1 char:11
    + $result = Invoke-RestMethod -Method put -Uri $url -Headers $headers - ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Any assistance appreciated with the above & next up updating the iRule file reference.

Solved | 2.4K Views | 1 like | 10 Comments

Running BASH commands via REST API
I am trying to run bash commands via the REST API but am getting an error. When trying to use the following syntax I am getting a 403 running with Admin authentication...

    GET: https://F5LTM/mgmt/tm/util/bash

Output:

    {"code":403,"message":"Operation is not allowed on component /util/bash.","errorStack":[]}

Does anyone know if this is possible, or have any syntax examples of how to run bash commands? I assume you need to submit a post request, but I am not sure how to structure the syntax in the body of the request and cannot find any examples.

4.8K Views | 1 like | 3 Comments

which REST API is available for invoking using curl "force offline of node members" and checking the "current connections" for the node member.
I need a REST API available for invoking using curl "force offline of node members" and checking the "current connections" for the node member.

989 Views | 1 like | 4 Comments

Concurrent Sessions
I am trying to get the Max Concurrent Access Sessions (over a period of time) as is displayed in the BIG-IQ GUI, but through the API. I have located the Device Traffic metric set in the Analytics endpoint and, particularly, the server-concurrent-connections Metric. However, this is concurrent Connections, not concurrent Sessions. Does anyone know where concurrent access sessions information would be located as I have scoured the documentation to no avail.

376 Views | 1 like | 0 Comments

Adding Value Masking in an ASM JSON Profile via API
The article "Masking data in the BIG-IP ASM request log (f5.com)" describes a way to mask sensitive parameters in the ASM logs. We appreciate that feature and would like to use it. But instead of adding the element names through the UI, we would like to do this via an API. I've tried to find an endpoint and hoped that the default iControlREST endpoint for JSON-profiles (https://my.bigip/mgmt/tm/asm/policies/<policy-id>/json-profiles/<profile-id>) would do it, but it doesn't show the parameters. Is anyone aware of a way to do it via a script or so? Thanks in advance!

677 Views | 1 like | 0 Comments

BIG-IP 11.4.1 Build 651.0 Hotfix HF5
Hello,

We've the following version of BIG-IP 11.4.1 Build 651.0 Hotfix HF5 devices in our lab and we would like to start using REST API. We know that v11.5 is already released and in stable state, but can you let us know whether it's okay to start using REST API in v11.4.1 with HF5? Are there any definitive steps to enable or trigger REST API service in F5 LTM v11.4.1? Any further help would be greatly appreciated. Thank you!

457 Views | 1 like | 8 Comments