Solved: CUPI access failing after upgrade from 8.6.2 to 10.5.2

Brian Ambrose · ‎04-04-2016

We have successfully been using CUPI to extract user info (alias, DTMFaccessID) from our Unity connection Servers. Since we upgraded to version 10.5, the script has been failing to access the servers. We have updated the objects in the code and retested but it's still failing. I have read the SSO is now enable on the APIs, but our servers do not have SSO configured. We're getting a 403 access forbidden reply.

2016.04.01 16:08:03: Gathering registered users and extensions from Unity.

2016.04.01 16:08:03: Processing connections for 5 Unity servers.

2016.04.01 16:08:03: Processing Connection to Unity server '10.154.16.53'

2016.04.01 16:08:03: DEBUG: Attempting connection to Unity. Server '10.154.16.53' 'remote_user' '<password_masked>'

2016.04.01 16:08:06: ERROR: Error connecting to server: System.Management.Automation.MethodInvocationException: Exception calling ".ctor" with "5" argument(s): "Login failed to Connection server:10.154.16.53. Details=

WebCallResults contents:

URL Sent: https://10.154.16.53:8443/vmrest/vmsservers

Method Sent: GET

Body Sent:

Success returned: False

Status returned 403:Forbidden

Error Text: Forbidden

Raw Response Text: {"errors":{"code":"NOT_AUTHORIZED","message":"Not Authorized"}}

Total object count: 0

Status description: Forbidden

" ---> Cisco.UnityConnection.RestFunctions.UnityConnectionRestException: Login failed to Connection server:10.154.16.53. Details= WebCallResults contents:

URL Sent: https://10.154.16.53:8443/vmrest/vmsservers

Method Sent: GET

Body Sent:

Success returned: False

Status returned 403:Forbidden

Error Text: Forbidden

Raw Response Text: {"errors":{"code":"NOT_AUTHORIZED","message":"Not Authorized"}}

Total object count: 0

Status description: Forbidden

at Cisco.UnityConnection.RestFunctions.ConnectionServerRest..ctor(IConnectionRestCalls pTransportFunctions, String pServerName, String pLoginName, String pLoginPw, Boolean pLoginAsAdministrator, Boolean pAllowSelfSign

edCertificates)

at Cisco.UnityConnection.RestFunctions.ConnectionServerRest..ctor(String pServerName, String pLoginName, String pLoginPw, Boolean pLoginAsAdministrator, Boolean pAllowSelfSignedCertificates)

--- End of inner exception stack trace ---

at System.Management.Automation.DotNetAdapter.AuxiliaryConstructorInvoke(MethodInformation methodInformation, Object[] arguments, Object[] originalArguments)

at System.Management.Automation.DotNetAdapter.ConstructorInvokeDotNet(Type type, ConstructorInfo[] constructors, Object[] arguments)

at Microsoft.PowerShell.Commands.NewObjectCommand.CallConstructor(Type type, ConstructorInfo[] constructors, Object[] args)

2016.04.01 16:08:06: DEBUG: Unity connection not available, aborting fetch.

2016.04.01 16:08:06: Processing 0 users from Unity.

2016.04.01 16:08:06: End Script.

namsaini · ‎04-15-2016

If you do not want that account to have system administrator role than you can assign "user administrator" role to that user account. Hope that helps !

View solution in original post

namsaini · ‎04-05-2016

Hi Ambrose,

Could you manually execute REST query : https://<UCXN_10.5_Hostname/IP>/vmrest/vmsservers manually using a REST client(Postman or POSTER), enable VMREST/CUCA traces and share below logs :

/usr/local/thirdparty/jakarta-tomcat/logs/security/log4j/security*

/var/log/active/cuc/diag_Tomcat*

//Security Logs

2016-04-05 18:01:37,314 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - Constructor:

2016-04-05 18:01:37,314 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - successfully read propertyfile - classname is com.cisco.unity.samlsso.CucOauthUtil

2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - login: Entering login

2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - loginUtil: Authenticating against DB.

2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] impl.AuthenticationDB - Constructor:

2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] impl.AuthenticationDB - authenticateUser: userId=admin isLogin true

2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] security.Log4jEncLogger - Entering HashTextSHA

2016-04-05 18:01:37,316 INFO [http-bio-443-exec-15] security.Log4jEncLogger - class java.security.MessageDigest$Delegate

2016-04-05 18:01:37,316 DEBUG [http-bio-443-exec-15] security.Log4jEncLogger - Exiting HashTextSHA

2016-04-05 18:01:37,316 INFO [http-bio-443-exec-15] impl.IMSCacheManager - checkForCache: cache entry found for admin

2016-04-05 18:01:37,317 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - loginUtil: Authentication complete with result=0

//diag_Tomcat Logs

18:01:37.443 |9067,,,Cuca,7,INFO [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - incoming request uri: /vmrest/vmsservers

18:01:37.443 |9067,,,Cuca,7,INFO [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - excluded regex pattern: /vmrest/calls.*

18:01:37.443 |9067,,,Cuca,7,INFO [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - excluded regex pattern: /vmrest/cuce/provisioning/end.*

18:01:37.443 |9067,,,Cuca,7,DEBUG [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.ThrottleFilter - isNoThrottleRequest - request: /vmrest/vmsservers

18:01:37.443 |9067,,,Cuca,7,DEBUG [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - doFilter - use request /vmrest/vmsservers

18:01:37.443 |9067,,,Cuca,7,DEBUG [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.PerformanceCountersAdapter - updateCounter - Setting counter: 4 to: 1

18:01:37.443 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.CorsFilter - doFilter - The request is not a CORS request as request is from same origin: null . Delegating to next filter for further processing.

18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.RequestFilter - REQUEST GET vmsservers

18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - setting rows per page to default: 20001

18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - setting page number to default: 1

18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - query: null

18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - parse sort: null

18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - user object ID retrieved from security context: objectid=6f8b4017-2c16-43e8-996d-68d811ee8ba5

18:01:37.445 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - created authentication information: username=admin, alias=admin, id=6f8b4017-2c16-43e8-996d-68d811ee8ba5

Also check the default application administrator configured at the time of installation :

run cuc dbquery unitydirdb select objectid,alias from vw_user where objectid in (select value from vw_configuration where fullname="System.Directory.DefaultObjects.DefaultAdministrator");

objectid alias

------------------------------------ -----

6f8b4017-2c16-43e8-996d-68d811ee8ba5 admin

Brian Ambrose · ‎04-07-2016

I have found that changing the role of the user used to access the system from "help desk administrator" to "system administrator" resolved the access issue. The problem now is that I do not want sys admin level on this account. Am I going to be forced to use sys admin or enable SSO for this API to resolve the problem?

namsaini · ‎04-15-2016

If you do not want that account to have system administrator role than you can assign "user administrator" role to that user account. Hope that helps !