topic Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3? in Network Security

REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS — Fri, 21 Feb 2020 15:37:49 GMT

After upgrading FMC from 6.2.2 to 6.2.3, we seem to have lost access to the API Explorer. Expected behavior is a 200 response code when valid admin-level account/password combination is specified.

The configuration option in System --> Configuration --> REST API Preferences is enabled. Toggling it doesn't fix it.

When that configuration option for the REST API is enabled, all accounts (that worked prior to the upgrade, including admin) get an http 401 (unauthorized) whether a correct or incorrect password is used. Passwords are verified correct by being able to login to the FMC GUI with them.

When that configuration option is disabled, all accounts get an http 503 error.

Have I missed something obvious?

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

Marvin Rhoads — Sat, 14 Apr 2018 15:18:03 GMT

David,

In 6.2.3 Cisco did add a direct device API (vice having to go via FMC). However that's only supposed to affect locally-managed (i.e. FDM) appliances.

I checked my lab FMC running 6.2.3 and the API Explorer appears to work fine.

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS — Mon, 16 Apr 2018 11:28:25 GMT

Thanks for confirming that it's working for others, Marvin. We have a TAC case open, but no resolution yet.

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS — Thu, 19 Apr 2018 13:45:59 GMT

So, I've confirmed that the REST API works on a fresh install of 6.2.3-83, but we lose access to it after restoring a backup that was taken on 6.2.3-79. Still looking for a resolution, but that seems to narrow it down quite a bit. It's not the FMC checkbox to "Enable REST API" which is checked, and I tried creating a new local account with admin permissions, but after restoring the backup we have not yet found any way to authenticate successfully via the API.

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

Marvin Rhoads — Thu, 19 Apr 2018 15:09:53 GMT

My working FMC is running the slightly pre-release 6.2.3-60. It was upgraded from 6.2.2-81.

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS — Thu, 19 Apr 2018 18:45:13 GMT

If you're in the mood to risk it, I'd be curious if you lose API access after restoring a 6.2.3-60 backup onto a freshly imaged 6.2.3-83 (or later). We do have a TAC case open that may give us more information soon, and I'll post what we learn once there's a resolution or significant development. I did see that the FMC that was running 6.2.3-83 now claims in Help->About that it is 6.2.3-79 post-restore, which I hadn't expected.

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS — Thu, 31 May 2018 16:31:39 GMT

We missed something.

At the same time as the upgrade, the certificate for the FMC was updated to a new RSA certificate from our enterprise PKI with a 4096-bit strength key. It turns out that the web interface works fine with this longer key, but the java processes used to deal with the API fail with any key over 2048 bits. The clue was finding this message "Could not generate DH keypair" in the logs with pigtail. Web searches show that it's listed with Oracle as a symptom of an old java limitation. Fixed versions appear to include JDK-8072452, "Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits". While we wanted to use the stronger certificate, the fix was regenerating it with only 2048 bits. With the 2048 bit certificate installed, no problems.

Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

Marvin Rhoads — Fri, 01 Jun 2018 02:49:54 GMT

Thanks for the update @DAVID YARASHUS

Back to basics in troubleshooting Q1: What changed?. (Corollary to Q1: Is that all?)