question of limitation and expiration for rest api token
now I cannot login ltm via rest api , i thought the number of token of my account has reach the maximum .here is an error login myhost fail b'{"code":401,"message":"remoteSender:http://localhost:8100/shared/authn/login, method:POST ","originalRequestBody":"{\\"username\\":\\"user\\",\\"loginProviderName\\":\\"tmos\\",\\"generation\\":0,\\"lastUpdateMicros\\":0}","referer":"ipaddress","restOperationId":124004534,"kind":":resterrorresponse"}' here are my questions: is there any number limitation for number of rest api token a user can apply ? I can see some one say one user can only apply 100 tokens , how to check the existing token by GUI, or cli since I cannot login device by rest api. how to take how long a token will expired ; is there any way to delete token;Solved3.8KViews0likes9Commentsgoogle 2fa irule error
I'm struggling with this error when doing "load sys config verify [use curly braces to avoid double substitution] full error message /Common/Google_Token:131: warning: [use curly braces to avoid double substitution][(0x{[string range ${token} ${offset} [expr {${offset} + 7}]]}] The irule line in original code was set ga_code [expr (0x[string range $token $offset [expr $offset + 7]] & 0x7FFFFFFF) % 1000000] And I changed it to set ga_code [expr (0x[string range ${token} ${offset} [expr {${offset} + 7}]] & 0x7FFFFFFF) % 1000000] I'm able to connect to APM and passing the token , it is working fine there, but this cannot get rid of this error message Any one can help with the correct syntax ? article https://support.f5.com/csp/article/K57410758 seems not to be very helpful545Views0likes2CommentsTesting for iControl auth errors
Hi folks, one of my clients noticed API auth errors after upgrading the systems to TMOS v15.1.5.1. When trying to use a newly created auth token to access LTM objects via API the systems returns a 401. After retrying with the same token the access is successful most times. As a workaround a latency was applied in his management framework. The issue can be observed in all possible combinations under TMOS v151.1.5.1: - using admin or specific user - using local and remote authentication/authorization - using mgmt interface and inband management Even you might run the script on the F5 itself, I would recommend running it not on the device under test. The script can be configured to use specific accounts, out of band or inband management and for a number of test cycles. A latency (delay) can be configured to determine the safe amount of time between token generation and token usage. In each test cycle a new token is created and the token is deleted afterwards as the number of active tokens is limited. The script stops after a failed second attempt with the same token or after reaching the configured number of test cycles. # python script: pyapitest.07.py # version: 0.7 (2022-06-22) # author: Stephan Manthey # purpose: # retrieve auth token # list example pool configruation with token based auth via inband management IP (self IP) # use configurable delay between token generation and token usage # module requests required (installed via Python PIP): # su -c 'yum install python-pip' # su -c 'sudo pip2 install requests' # su -c 'sudo pip3 install requests' # or: # su -c 'yum install python-requests' # su -c 'yum install python3-requests' # usage: # python pyapitest.07.py # notes: # tested with python 2.7 and python 3.6 import sys import time import json import requests from requests.packages.urllib3.exceptions import InsecureRequestWarning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) # specify username username = '<username>' # specify passphrase password = '<passphrase>' # specify BIG-IP self IP address (inband management IP) or # specify BIG-IP mgmt IP address (out of band management IP) bigipdev = '<management-ip>' # using a sample pool provided automatically by the API # (do not change) poolname = 'example' # specify latency in milliseconds # (delay between auth token generation and delay for retry) sleep_ms = 2 # specify number of loops loop_count = 2000 authpath = 'https://{}/mgmt/shared/authn/login'.format(bigipdev) conthead = {'Content-Type': 'application/json'} authdata = {'username': username, 'password': password} session = requests.Session() for loop in range(1,loop_count + 1): authtime = time.time() tokenrequest = session.post(url=authpath,data=json.dumps(authdata),headers=conthead,verify=False) # print('getting auth token: {:f}'.format(time.time() - authtime)) if tokenrequest.status_code == 200: tokendata = tokenrequest.json() xauthhead = {'X-F5-Auth-Token': tokendata['token']['token'], 'Content-Type': 'application/json'} querypath = 'https://{}/mgmt/tm/ltm/pool/{}'.format(bigipdev,poolname) # print('sleeping: {} millisecond(s)'.format(sleep_ms)) time.sleep(sleep_ms / 1000.0) poolcheck = session.get(url=querypath,headers=xauthhead,verify=False) # print('1st response: {:f}'.format(time.time() - authtime)) if poolcheck.status_code == 200: pooldata = poolcheck.json() # print(pooldata) elif poolcheck.status_code == 401: print('pool list 1st auth error ({}), sleeping {} ms, retrying loop {}:'.format(poolcheck.status_code,sleep_ms,loop)) time.sleep(sleep_ms / 1000.0) poolcheck = session.get(url=querypath,headers=xauthhead,verify=False) if poolcheck.status_code != 200: print('pool list 2nd auth error ({}), stopping in loop {}:'.format(poolcheck.status_code,loop)) break else: print('pool list 2nd attempt succeeded ({}) in loop {}, continuing'.format(poolcheck.status_code,loop)) else: print('pool list error ({}), stopping in loop {}'.format(poolcheck.status_code,loop)) break tokendelpath = 'https://{}/mgmt/shared/authz/tokens/{}'.format(bigipdev,tokendata['token']['token']) tokendelete = session.delete(url=tokendelpath,headers=xauthhead,verify=False) # print('deleting auth token: {:f}'.format(time.time() - authtime)) if tokendelete.status_code != 200: print('token delete error ({}), stopping in loop {}'.format(tokendelete.status_code,loop)) break else: print('getting token auth error ({}), stopping in loop {}'.format(tokenrequest.status_code,loop)) break # print('successful iterations: {}'.format(loop))Solved1.7KViews0likes5CommentsAPM with Azure AD giving token ID to app authentication
Hello folks: Please, hope you could help me with this question. Currently, I have some applications developed in Visual Studio which are also declared in Azure AD (AAD) in order to take advantage of some sort of Federation. Thus, every user who wants to access to the apps must go to www.office.com so they can authenticate against the AAD. In order to do this, every app Visual Studio code has the Azure app ID. The AAD gives token IDs to the users wanting to access the apps. I am planning to deploy the F5 APM solution so I can centralise all those apps in the webtop due to I need to un-publish those apps from the Internet and offer them as a Portal Access with SSO. The F5 APM could become another app in the AAD, but the AAD must give token IDs to the APM portal. The token IDs given to the APM must be used by the Portal Access as its SSO. The token IDs delivery must remain the same and the APM only needs to use the tokens to perform SSO. How could I achieve this? Is there any possibility to use oAuth Bearer SSO to achieve this goal? Any suggestion or advice is very appreciated. Thanks Omar.338Views0likes0CommentsiControl Authentication Token time-out for health monitor API Call
Hi Guys, I want to collect health status about F5 virtual servers through an API Proxy or 3rd party tools using the HTTP request below. it works but only temporarily since the X-F5-Auth-Token expires after a short time. is there a way this token can stay forever? this method isn't at all practical with a temporary token and we shouldn't have the user/pass on 3rd party tools. but if we have to do it another way, can we replace x-f5-auth-token with a low-priv read-only username and password pair? how would the http request look like? thanks in advance GET https://172.16.45.75/mgmt/tm/ltm/virtual/Splunk-VS/stats HTTP/1.1 X-F5-Auth-Token: JJ3LFIRJALD44GH3SX6QK4TDVE Host: 172.16.45.75 Connection: close540Views0likes2CommentsAPI Token Length
We've got four Big-IP pairs, two running 11.6.1 and two running 12.1.3.2. When we connect to the API we get a token in the response but the they're different lengths. The 11.6.1 Big-IPs return a 128 character token while the 12.1.3.2 boxes return a 26 character token. Searching hasn't helped. Does anyone know why the token is shorter or if there's a setting somewhere that I can tweak to make my security folks happy? Thanks480Views0likes5CommentsProblem with kerberos ticket lifetime, ticket is not remove when user logoff
hi, we want to force expiration/deletion of kerberos user ticket. Im stick with the 10 minutes minimum value for ticketlifetime in Access Policy / SSO / Kerberos / my_kerberos_configuration. Default is 600 minutes and the minimum we can set is 10 minutes. Our customer using the portal pay for service, since transaction is approve, we add the user in a active directory security group in order he can access the new service. We ask customer to logoff and login again to get access. The problem, is that the kerberos user ticket doesn't have the new group, until the ticketlifetime is reach, default, 600 minutes, now 10 minutes. Im looking for a way to force the removal of the user kerberos ticket in the F5 cache (or any solution that work without delay). We have try /desk/hangup.php3 but only user session is remove, not kerberos ticket. Config : VE LTM+APM 11.5.2 Any idea ? thank in advance and sorry for my bad english !418Views0likes1Comment