08-08-2016 02:03 AM - edited 03-01-2019 05:00 AM
I'm trying to connect from a software to Cisco APIC... the software connects but registers below from ACI side
https:/api/aaaLogin.xml
08/08/2016 13:01:14 Query 591:=>
>>>>>>>>>>>>>>
Keystore was tampered with, or password was incorrect
1120
704
1532 got null response for apic:
>>>>>>>>>>>>>>>>>
I'm able to login to APIC using above username/password
Please suggest remediation ... Thanks in advance!
08-08-2016 04:06 AM
Hello
Thanks for using SupportForums
I think that URL might not be correct. The one I usually use for POST, for example, is something like this:
https://<ip of apic>/api/mo/aaaLogin.xml
I have the "mo" where yours did not.
Try it out and let us know?
thanks!
08-08-2016 04:16 AM
Thanks for your response ... I cannot modify the client software yet but the hyperlink suggests below
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/api/rest/b_APIC_RESTful_API_User_Guide/b_IFC_RESTful_API_User_Guide_chapter_010.html#concept_4189FB35F36D454A9E8153C74C8F363E
These API methods enable you to manage session authentication:
aaaLogin—Sent as a POST message, this method logs in a user and opens a session. The message body contains an aaa:User object with the name and password attributes, and the response contains a session token and cookie. If multiple AAA login domains are configured, you must prepend the user's name with apic:domain\\.
aaaRefresh—Sent as a GET message with no message body or as a POST message with the aaaLogin message body, this method resets the session timer. The response contains a new session token and cookie.
aaaLogout—Sent as a POST message, this method logs out the user and closes the session. The message body contains an aaa:User object with the name attribute. The response contains an empty data structure.
aaaListDomains—Sent as a GET message, this method returns a list of valid AAA login domains. You can send this message without logging in.
You can call the authentication methods using this syntax, specifying either JSON or XML data structures:
{ http | https } ://host [:port] /api/methodName. { json | xml }
This example shows a user login message that uses a JSON data structure:
POST https://192.0.20.123/api/aaaLogin.json
{
  "aaaUser" : {
    "attributes" : {
      "name" : "georgewa",
      "pwd" : "paSSword1"
    }
  }
}
08-08-2016 04:22 AM
Yes, I just tested and it works fine without the "mo" part. I guess it's not relevant.
I'm not really sure what your software is doing but it sounds like a good case to open with TAC. If we can see the POST the software is sending we might be able to figure something out through the logs on the APIC itself. This is the XML POST I send to login, it's quite simple:
<aaaUser name='username' pwd='password'/>
08-08-2016 04:34 AM
I do not know if you had intended this but the IP ADDRESS is missing in the URL:
"https:/api/aaaLogin.xml
08/08/2016 13:01:14 Query 591:=>"
The correct URL is:
"https://apic_ip_address/api/aaaLogin.json"
with the Body of JSON.
{
  "aaaUser" : {
    "attributes" : {
      "name" : "admin",
      "pwd" : "password"
    }
  }
}
Another thing that you may be running into is that the APIC request may time out after an RSA Key or Certificate change, which can occur with an Upgrade or IP address change. If this is the case, you may need to open a browser to accept the new Certificate first. Then, try your API request.
For example, I need to open my Chrome browser to the APIC in question first. Click on "Advanced" to accept the new Certificate. Once I do that, I can then open "Postman" and use the Admin URL above with no issue.
Please try this and let us know what you see.
Thanks
T.
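The login request from the post above, as an added example (not code from the thread or from Cisco's plugin): it rejects a base URL with no host, like the one in the original log, keeps TLS verification on by trusting the APIC's certificate from a PEM file, and surfaces the APIC's error text. The function names, the PEM-path parameter and the two sample replies are assumptions constructed for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

def build_login_request(base_url, name, pwd):
    """Build the aaaLogin POST; refuse a base URL that has no host part."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"need https://<apic host>, got {base_url!r}")
    body = {"aaaUser": {"attributes": {"name": name, "pwd": pwd}}}
    return urllib.request.Request(
        f"https://{parts.netloc}/api/aaaLogin.json",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )

def make_tls_context(apic_ca_pem=None):
    """Verifying context; pass the APIC's CA/certificate PEM after a cert change."""
    # Hostname and chain checks stay on; only the trust anchor is supplied.
    return ssl.create_default_context(cafile=apic_ca_pem)

def extract_token(reply_text):
    """Return the session token, or raise with the APIC error text."""
    if not reply_text:
        raise RuntimeError("empty reply from APIC")
    first = json.loads(reply_text)["imdata"][0]
    if "error" in first:
        attrs = first["error"]["attributes"]
        raise PermissionError(f"APIC error {attrs.get('code')}: {attrs.get('text')}")
    return first["aaaLogin"]["attributes"]["token"]

def login(base_url, name, pwd, apic_ca_pem=None):
    """Send the login and return the token (needs network access to an APIC)."""
    req = build_login_request(base_url, name, pwd)
    ctx = make_tls_context(apic_ca_pem)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            text = resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:  # error body arrives with a 4xx status
        text = err.read().decode("utf-8")
    return extract_token(text)

# Constructed sample replies, not captured from a real APIC.
SAMPLE_OK = '{"imdata":[{"aaaLogin":{"attributes":{"token":"CONSTRUCTED-TOKEN"}}}]}'
SAMPLE_ERR = '{"imdata":[{"error":{"attributes":{"code":"401","text":"constructed"}}}]}'
```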
08-08-2016 07:28 AM
Thanks for that !
The client is Cisco developed vmware vRO plugin for cisco ACI.... we are trying to integrate the two.... some parts of logs were sanitized before posting
08-08-2016 07:57 AM
Did you get it working?
Ok, so you are saying that you are trying to "Register" your vcenter plugin to an ACI Fabric? Did this work before? Are you trying to Register to more than "1" ACI Fabric? The updated plugin only supports "1" ACI Fabric.
If the issue is registering with ACI Fabric or accessing an ACI Fabric from the VCENTER Plugin, try REMOVING the fabric from VCENTER and RE-REGISTER. Use the "Do NOT use Certificate" option.
Then if it fails, use the following from APIC:
# cd /var/log/dme/log
# zgrep -E "<IP address of VCENTER>" *
This should shed some light on issue
Cheers!
T.
08-08-2016 08:21 AM
Thanks! No, it's not working ...
This is vmware vRO ACI plugin not vcenter and the issue is with Creating APIC admin handles ... the workflows run successfully in vRO but still the APIC admin handles turn up empty in vRO inventory
See below