Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Authenticated Sessions at the HTTP level for the iControl API (HTTP Headers?)

We're using i-Control-11.2's Interfaces object and doing some serious pounding of the system. BigIp has no trouble handling the load; however, we're going through a third party authentication/authorization application (TACACS+) which is having trouble keeping up.

Is there a way to maintain the Axis HTTP session once authenticated? I tried using the SOAP "session" header but that didn't work. I'm pretty sure that's more of an application-level session. I'm assuming the HTTP X-iControl-Session header will function the same way. I'm wondering if the BigIp web server will respect HTTP session authentication.

If anyone out there has any ideas, I'm open to trying them. We may be exploring pooling authenticated tcp connections with keep-alive. I'm really hoping there's a better solution.

3
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

You're probably talking way over my head so this response will probably sound stupid but the first thing that comes to mind is a OneConnect profile. Could that be used in your situation to pool connections?

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I believe the method you are looking for is called setMaintainSession. It is located on the Axis BindingStub objects. Setting it to true will perform the first authentication using HTTP basic auth, then will insert the BigIPAuthCookie (returned in the first response) in subsequent requests. The auth cookie should be checked before HTTP basic auth is attempted. Here is my test code, which is based upon the iControl JAR available on DevCentral (I also had to add the axis and axis-jaxrpc JARs to my CLASSPATH):

import iControl.*;

public class AuthCookieTest {
    public static void main(String[] args) {
        iControl.Interfaces bigip = new iControl.Interfaces();
        bigip.initialize("test-ltm-01", "admin", "admin");
        
        try {
            SystemSystemInfoBindingStub systemInfoStub = bigip.getSystemSystemInfo();
            systemInfoStub.setMaintainSession(true);
            systemInfoStub.get_version();
            systemInfoStub.get_version();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

That should cut down on the TACACS chattiness as only the first call will require a TACACS query for authentication. Let me know if that does the trick.

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Assuming your client making the call supports cookies. Many programatic interfaces do not generally support cookie handling so you would have to capture the returned cookie with your code and ensure you resend it in subsequent iControl requests for this to work.

0