04-04-2016 02:07 PM
We have successfully been using CUPI to extract user info (alias, DTMFaccessID) from our Unity connection Servers. Since we upgraded to version 10.5, the script has been failing to access the servers. We have updated the objects in the code and retested but it's still failing. I have read the SSO is now enable on the APIs, but our servers do not have SSO configured. We're getting a 403 access forbidden reply.
2016.04.01 16:08:03: Gathering registered users and extensions from Unity.
2016.04.01 16:08:03: Processing connections for 5 Unity servers.
2016.04.01 16:08:03: Processing Connection to Unity server '10.154.16.53'
2016.04.01 16:08:03: DEBUG: Attempting connection to Unity. Server '10.154.16.53' 'remote_user' '<password_masked>'
2016.04.01 16:08:06: ERROR: Error connecting to server: System.Management.Automation.MethodInvocationException: Exception calling ".ctor" with "5" argument(s): "Login failed to Connection server:10.154.16.53. Details=
WebCallResults contents:
URL Sent: https://10.154.16.53:8443/vmrest/vmsservers
Method Sent: GET
Body Sent:
Success returned: False
Status returned 403:Forbidden
Error Text: Forbidden
Raw Response Text: {"errors":{"code":"NOT_AUTHORIZED","message":"Not Authorized"}}
Total object count: 0
Status description: Forbidden
" ---> Cisco.UnityConnection.RestFunctions.UnityConnectionRestException: Login failed to Connection server:10.154.16.53. Details= WebCallResults contents:
URL Sent: https://10.154.16.53:8443/vmrest/vmsservers
Method Sent: GET
Body Sent:
Success returned: False
Status returned 403:Forbidden
Error Text: Forbidden
Raw Response Text: {"errors":{"code":"NOT_AUTHORIZED","message":"Not Authorized"}}
Total object count: 0
Status description: Forbidden
at Cisco.UnityConnection.RestFunctions.ConnectionServerRest..ctor(IConnectionRestCalls pTransportFunctions, String pServerName, String pLoginName, String pLoginPw, Boolean pLoginAsAdministrator, Boolean pAllowSelfSign
edCertificates)
at Cisco.UnityConnection.RestFunctions.ConnectionServerRest..ctor(String pServerName, String pLoginName, String pLoginPw, Boolean pLoginAsAdministrator, Boolean pAllowSelfSignedCertificates)
--- End of inner exception stack trace ---
at System.Management.Automation.DotNetAdapter.AuxiliaryConstructorInvoke(MethodInformation methodInformation, Object[] arguments, Object[] originalArguments)
at System.Management.Automation.DotNetAdapter.ConstructorInvokeDotNet(Type type, ConstructorInfo[] constructors, Object[] arguments)
at Microsoft.PowerShell.Commands.NewObjectCommand.CallConstructor(Type type, ConstructorInfo[] constructors, Object[] args)
2016.04.01 16:08:06: DEBUG: Unity connection not available, aborting fetch.
2016.04.01 16:08:06: Processing 0 users from Unity.
2016.04.01 16:08:06: End Script.
Solved! Go to Solution.
04-15-2016 12:24 AM
If you do not want that account to have system administrator role than you can assign "user administrator" role to that user account. Hope that helps !
04-05-2016 05:49 AM
Hi Ambrose,
Could you manually execute REST query : https://<UCXN_10.5_Hostname/IP>/vmrest/vmsservers manually using a REST client(Postman or POSTER), enable VMREST/CUCA traces and share below logs :
/usr/local/thirdparty/jakarta-tomcat/logs/security/log4j/security*
/var/log/active/cuc/diag_Tomcat*
//Security Logs
2016-04-05 18:01:37,314 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - Constructor:
2016-04-05 18:01:37,314 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - successfully read propertyfile - classname is com.cisco.unity.samlsso.CucOauthUtil
2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - login: Entering login
2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - loginUtil: Authenticating against DB.
2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] impl.AuthenticationDB - Constructor:
2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] impl.AuthenticationDB - authenticateUser: userId=admin isLogin true
2016-04-05 18:01:37,315 DEBUG [http-bio-443-exec-15] security.Log4jEncLogger - Entering HashTextSHA
2016-04-05 18:01:37,316 INFO [http-bio-443-exec-15] security.Log4jEncLogger - class java.security.MessageDigest$Delegate
2016-04-05 18:01:37,316 DEBUG [http-bio-443-exec-15] security.Log4jEncLogger - Exiting HashTextSHA
2016-04-05 18:01:37,316 INFO [http-bio-443-exec-15] impl.IMSCacheManager - checkForCache: cache entry found for admin
2016-04-05 18:01:37,317 DEBUG [http-bio-443-exec-15] authentication.AuthenticationImpl - loginUtil: Authentication complete with result=0
//diag_Tomcat Logs
18:01:37.443 |9067,,,Cuca,7,INFO [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - incoming request uri: /vmrest/vmsservers
18:01:37.443 |9067,,,Cuca,7,INFO [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - excluded regex pattern: /vmrest/calls.*
18:01:37.443 |9067,,,Cuca,7,INFO [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - excluded regex pattern: /vmrest/cuce/provisioning/end.*
18:01:37.443 |9067,,,Cuca,7,DEBUG [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.ThrottleFilter - isNoThrottleRequest - request: /vmrest/vmsservers
18:01:37.443 |9067,,,Cuca,7,DEBUG [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.CombinedThrottleFilter - doFilter - use request /vmrest/vmsservers
18:01:37.443 |9067,,,Cuca,7,DEBUG [http-bio-443-exec-15] com.cisco.unity.tools.tomcat.PerformanceCountersAdapter - updateCounter - Setting counter: 4 to: 1
18:01:37.443 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.CorsFilter - doFilter - The request is not a CORS request as request is from same origin: null . Delegating to next filter for further processing.
18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.RequestFilter - REQUEST GET vmsservers
18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - setting rows per page to default: 20001
18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - setting page number to default: 1
18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - query: null
18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - parse sort: null
18:01:37.444 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - user object ID retrieved from security context: objectid=6f8b4017-2c16-43e8-996d-68d811ee8ba5
18:01:37.445 |9067,,,VMREST,3,DEBUG [http-bio-443-exec-15] com.cisco.connection.rest.impl.GeneratedVmsServerRestImpl - created authentication information: username=admin, alias=admin, id=6f8b4017-2c16-43e8-996d-68d811ee8ba5
Also check the default application administrator configured at the time of installation :
run cuc dbquery unitydirdb select objectid,alias from vw_user where objectid in (select value from vw_configuration where fullname="System.Directory.DefaultObjects.DefaultAdministrator");
objectid alias
------------------------------------ -----
6f8b4017-2c16-43e8-996d-68d811ee8ba5 admin
04-07-2016 10:11 AM
I have found that changing the role of the user used to access the system from "help desk administrator" to "system administrator" resolved the access issue. The problem now is that I do not want sys admin level on this account. Am I going to be forced to use sys admin or enable SSO for this API to resolve the problem?
04-15-2016 12:24 AM
If you do not want that account to have system administrator role than you can assign "user administrator" role to that user account. Hope that helps !
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide