Authenticated Sessions at the HTTP level for the iControl API (HTTP Headers?)

Question

We're using i-Control-11.2's Interfaces object and doing some serious pounding of the system.  BigIp has no trouble handling the load; however, we're going through a third party authentication/authorization application (TACACS+) which is having trouble keeping up.&nbsp;
Is there a way to maintain the Axis HTTP session once authenticated?  I tried using the SOAP "session" header but that didn't work.  I'm pretty sure that's more of an application-level session.  I'm assuming the HTTP X-iControl-Session header will function the same way.  I'm wondering if the BigIp web server will respect HTTP session authentication.&nbsp;
If anyone out there has any ideas, I'm open to trying them.  We may be exploring pooling authenticated tcp connections with keep-alive.  I'm really hoping there's a better solution.&nbsp;

mike_burrows_59 · Answer

You're probably talking way over my head so this response will probably sound stupid but the first thing that comes to mind is a OneConnect profile. Could that be used in your situation to pool connections?

george_watkins_ · Answer

I believe the method you are looking for is called setMaintainSession. It is located on the Axis BindingStub objects. Setting it to true will perform the first authentication using HTTP basic auth, then will insert the BigIPAuthCookie (returned in the first response) in subsequent requests. The auth cookie should be checked before HTTP basic auth is attempted. Here is my test code, which is based upon the iControl JAR available on DevCentral (I also had to add the axis and axis-jaxrpc JARs to my CLASSPATH):&nbsp;import iControl.*;

public class AuthCookieTest {
    public static void main(String[] args) {
        iControl.Interfaces bigip = new iControl.Interfaces();
        bigip.initialize("test-ltm-01", "admin", "admin");
        
        try {
            SystemSystemInfoBindingStub systemInfoStub = bigip.getSystemSystemInfo();
            systemInfoStub.setMaintainSession(true);
            systemInfoStub.get_version();
            systemInfoStub.get_version();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}That should cut down on the TACACS chattiness as only the first call will require a TACACS query for authentication. Let me know if that does the trick.&nbsp;

kevin_davies_40 · Answer

Assuming your client making the call supports cookies. Many programatic interfaces do not generally support cookie handling so you would have to capture the returned cookie with your code and ensure you resend it in subsequent iControl requests for this to work.

Forum Discussion

Authenticated Sessions at the HTTP level for the iControl API (HTTP Headers?)

3 Replies

Recent Discussions

SCP / WINSCP - problem copy - not allowed SCP error

mejores practicas para actualizacion de firmas de ataques?

Packet based load balancing instead of connection based (default)

Manipulating Hostname and SNI

Can session persistence time impact load balancing

Related Content

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator

Doing mTLS Authentication per URL

Akamai G20 Header Authentication

Application Programming Interface (API) Authentication types simplified

iControl REST Authentication Token Management