Roman_80473
Jan 13, 2011

How to encrypt/encode LTM credentials via iControl

Hi folks,

 

I'm new to iControl, and I need to encrypt/encode credentials before connecting to the LTM machine via iControl. Right now, I pass the username and password in clear text to Interfaces.initialize().

 

 

Any help is appreciated.

 

Thank you, Roman

8 Replies

  • Hi Roman,

     

     

    What are you trying to protect the credentials from? iControl communication is encrypted using SSL over the network. Are you trying to avoid storing the credentials in your program in clear text? If so, you could use an encryption method that your clientside platform supports. What language are you using? Maybe someone here can give you a suggestion.

     

     

    Aaron
  • Hi Aaron,

     

     

    Thanks for a speedy reply. Here's the scoop: we have Java classes to manipulate LTM via iControl (add pool, add member, add v server, etc.), which are being invoked from the command line, thus passing all connection info as clear text (classname ltm_hostname username passwd action params). I want to encode/encrypt credentials, store them on the file system, and pass them along to the LTM host, instead of a user/process providing them each time in a readable format. I know I could probably use base64 encoding, or some encryption mechanism, but was wondering if iControl had something to suit the need.

     

     

    Does that make sense?

     

     

    Thank you, Roman
  • You could easily encode or encrypt them within your local file system, but it will be up to your iControl application to take the encoded/encrypted values and decode/decrypt them before passing them on to the LTM. The authentication occurs with the HTTP connection on each iControl method call. The LTM needs to be able to authenticate each request, so you'll have to pass them in a format that the webserver can understand, which means you'll have to work with some form of clear-text credentials on the client. Make sense?

     

     

    -Joe

     

  • That does make sense. It would be specific to your clientside platform. iControl just accepts cleartext credentials.

     

     

    You'd want to use some function in Java to encrypt and then encode the credentials, save that string and then have your program decrypt and decode to initiate the iControl call. If you're not sure how to do this in Java, you could search online for sample code or tutorials.

     

     

    Aaron
  • Is there a way to do similar functions with PowerShell? Many people have a requirement that they cannot store a credential in clear text when the data is at rest.

     

     

    Thanks,

     

     

     

    CarlB

     

  • Carl, as I mentioned before, iControl works just like the BIG-IP GUI. It supplies its credentials with the WWW-Authenticated header over an SSL connection. On the client side, you have full control of how you want to manage your credentials. You can store them in plain text in the script, you could encrypt/decrypt them from somewhere on disk (although the caller of the script would need to have the key to decrypt them - or the script would), or you could use a 3rd party service to authenticate the user and then return the BIG-IP creds to your script. But ultimately they will have to be in some form of clear text before passing them on to the BIG-IP.

     

     

    For PowerShell, I created an alternate parameter in the Initialize-F5.iControl that takes as input a PSCredentials object which can have a secure password. That may be of some use if you have a way to serialize that object securely in your system.

     

     

    Hope this helps...
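
One way to do what the replies describe for the Java case (encrypt, encode, store on disk, decrypt just before the iControl call), as an added example that is not code from this thread or from F5. The class name, file names and sample credential are constructed for illustration; the decrypted user/password pair is what the existing program would pass to Interfaces.initialize().

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example; class name, file names and the sample credential are hypothetical.
public class CredentialStore {
    private static final int NONCE_LEN = 12, TAG_BITS = 128;
    // AES-256-GCM; output is Base64(nonce || ciphertext || tag). Base64 alone protects nothing.
    static String seal(SecretKey key, String secret) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce); // fresh nonce for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
        return Base64.getEncoder().encodeToString(out);
    }

    // Reverse of seal(); throws AEADBadTagException if the stored value or the key was altered.
    static String open(SecretKey key, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_LEN));
        return new String(c.doFinal(in, NONCE_LEN, in.length - NONCE_LEN), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ltm-cred-demo"); // demo location only
        Path keyFile = dir.resolve("ltm.key"), credFile = dir.resolve("ltm.cred");
        // One-time setup: generate the key and keep it apart from the credential file.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        Files.write(keyFile, kg.generateKey().getEncoded());
        SecretKey key = new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        Files.write(credFile, seal(key, "admin:constructed-sample-password").getBytes(StandardCharsets.UTF_8));
        // Each run: decrypt just before the iControl call; nothing secret is on the command line.
        String stored = new String(Files.readAllBytes(credFile), StandardCharsets.UTF_8);
        String[] userPass = open(key, stored).split(":", 2);
        System.out.println("user=" + userPass[0] + ", password length=" + userPass[1].length());
    }
}
```

As the replies note, whoever runs the program must be able to read the key, so the protection rests on the key file's permissions and location rather than on the encryption itself.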