Forum Discussion

Srinath_Sadda_1
Mar 10, 2015

iControl PowerShell Authentication Behavior (Initialize-F5.iControl)

Hello,

I have the sample code snippet below to retrieve pool member statistics. F5 LTM v11.4.1

In my assumption, the "Initialize-F5.iControl" cmdlet establishes only one authentication request to F5, thereby a total of 3 requests for 3 HostNames. Am I correct?

Does each query like "$iControl.LocalLBPoolMember.get_object_status()" establish another authentication request to F5?

Is there any documentation that talks about iControl authentication (PowerShell) in detail?

Any further help would be greatly appreciated. Thank you!

ForEach ($HostName in $HostNames) {
    Try {
        If (Initialize-F5.iControl -HostName $HostName -PSCredentials $F5Credential) {
            $iControl = Get-F5.iControl
        }
        ForEach ($Pool in $Pools) {
            $PoolMemberObjectStatus = $iControl.LocalLBPoolMember.get_object_status($Pool)
            ForEach ($PoolMemberObject in $PoolMemberObjectStatus) {
                $PoolMembers = $PoolMemberObject.member
                ForEach ($PoolMember in $PoolMembers) {
                    ...
                    ...
                    ...
                }
            }
        }
    }
    Catch {
        Write-Error -Message $_.Exception.Message
    }
}

6 Replies

  • I don't know of any documentation that describes the PowerShell implementation the way you're asking, but I can try to answer your questions.

    First, the only documentation I know of would be the download page and then the iControl PowerShell page.

    When you do Initialize-F5.iControl, it sets up the information for a connection to the specified device. If you call it subsequent times, it will overwrite the existing connection information.

    Then, when you make a call like $iControl = Get-F5.iControl it will be based on the connection you just initialized. (Note that if you run the initialize command again after calling the Get-F5.iControl function, your object will be updated to point to the new device. So you wouldn't be able to have multiple different $iControl instances going to different devices.)

    Regarding the way authentication works on each call, PowerShell will send the credentials in a header as the service uses Basic authentication to validate the user. So each command is essentially independent of any others, and will always send the authorization header for each request.

    So basically, if you have multiple devices you want to interact with (as your script does), the Initialize-F5.iControl command will keep updating with the specified hostname instead of creating additional connection objects. Then the subsequent commands in your loop will be scoped to that device.

    Hope this helps.

  • Hi Michael,

    Thank you so much for your detailed explanation. So by using the above code snippet to retrieve pool statistics, I'm making several thousand authentication calls... is there any alternative or better way of retrieving pool member statistics for a given set of pools?

    Thanks.

    • Joe_Pruitt
      Each iControl method call makes a separate HTTP request. The Authentication headers are passed with each HTTP request so there is no extra authentication overhead besides the auth header in the HTTP request.
  • I heard about the iControl REST protocol, but it looks like this approach requires full ADMIN rights to initiate calls, which is a little bit difficult to get approval for in our ENT environment at this time.

    Thanks again!

  • Michael has it pretty much correct, but each time you make a call it doesn't make a separate auth call. The Initialize-F5.iControl essentially creates an internal iControl.Interfaces object that can be retrieved with the Get-F5.iControl cmdlet. When you call Initialize-F5.iControl it makes a call to the BIG-IP's system information interface just to check that the credentials will work. Then when you access any of the interface members of the Interfaces object (returned from Get-F5.iControl), a separate auth call isn't made. It just uses the credentials you originally supplied and adds Authentication headers to all method call requests. iControl is stateless in that each call you make will establish a new HTTPS connection to the BIG-IP and request the URL for the given method. I believe I set the PreAuthenticate header on the .Net connection object so that it would pass the credentials on the first pass without requiring retries.

    If you wish to manage multiple systems, you can create individual interfaces objects, initialize each once, and then use them for your different devices. Essentially it's just an object storing the server IP and client credentials.

    You can do something like this for multiple systems if you don't want to have to keep calling Initialize-F5.iControl back and forth:

    $bigip1 = New-Object iControl.Interfaces
    $bigip1.initialize("address1", 443, "username1", "password1")
    $bigip2 = New-Object iControl.Interfaces
    $bigip2.initialize("address2", 443, "username2", "password2")
    ...
    $sysinfo1 = $bigip1.SystemSystemInfo.get_system_information()
    $sysinfo2 = $bigip2.SystemSystemInfo.get_system_information()
    

    Hope this helps...

    -Joe
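
The thread's points combined into one script, as an added example that is not code from any poster or from F5: one iControl.Interfaces object per device, the password taken from a PSCredential instead of a string literal, and the pool names sent in a single call so fewer requests carry the Basic Authorization header. It goes beyond the code in the thread. Assumptions: the iControl assembly is already loaded, $HostNames and $Pools are defined as in the question, and get_object_status accepts an array of pool names and returns one array of member statuses per pool.

```powershell
# Added example. Assumes the iControl assembly is already loaded and that
# $HostNames and $Pools exist as in the original question.

# Prompt once; the password never appears as a literal in the script.
$F5Credential = Get-Credential
$Net          = $F5Credential.GetNetworkCredential()
$PoolNames    = [string[]]@($Pools)

# One Interfaces object per BIG-IP, initialized once and reused afterwards.
# initialize(address, port, username, password) is the call shown in the thread.
$Devices = @{}
ForEach ($HostName in $HostNames) {
    $Interfaces = New-Object iControl.Interfaces
    $Interfaces.initialize($HostName, 443, $Net.UserName, $Net.Password) | Out-Null
    $Devices[$HostName] = $Interfaces
}

$Results = ForEach ($HostName in $Devices.Keys) {
    Try {
        # Assumption: the method takes the whole pool list, so each device
        # receives one HTTPS request (and one Authorization header) here
        # instead of one per pool.
        $StatusByPool = $Devices[$HostName].LocalLBPoolMember.get_object_status($PoolNames)

        For ($i = 0; $i -lt $PoolNames.Count; $i++) {
            ForEach ($MemberStatus in $StatusByPool[$i]) {
                # Emit one flat record per pool member.
                New-Object PSObject -Property @{
                    HostName = $HostName
                    Pool     = $PoolNames[$i]
                    Member   = $MemberStatus.member
                    Status   = $MemberStatus   # full status object as returned
                }
            }
        }
    }
    Catch {
        Write-Error -Message "$HostName : $($_.Exception.Message)"
    }
}

$Results | Format-Table HostName, Pool, Member -AutoSize
```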