Solved: Prime API Auth

skylar.sands · ‎02-09-2016

I tried to perform a 'GET' on Prime's API, and it keeps returning the login HTML, In postman, after setting the Basic Auth, returns 401 Unauthorized. It seems like after I login to prime through the GUI, it will work just fine. I even tried in a web browser. I set up a new username and password as NBI Read/Write, and I still get the same thing. I also tried curl -k -u username:password https://your_server/webacs/api/v1/data/InventoryDetails. Can someone shed some light?

smp · ‎02-11-2016

Great!

Just something to consider, in my opinion. I don't believe you should be adding account for API calls to the admin group. Obviously it appears you will want that account to have "NBI Read" and "NBI Write" permission. But if you need the account to also access any API calls that return credentials-related information, you should add it to "NBI Credential", not "Admin". The "Authentication & Authorization" page in the API documentation has a statement on this about "NBI Credential":

"Can access APIs that return device credentials (such as the Credentials Service group) or other sensitive information."

The "Northbound API" is for the "Guest Access API", which is a different API set altogether.

View solution in original post

smp · ‎02-11-2016

Yay, another PI API user!

I also ran into this problem, or at least something similar. I typically use Postman in Chrome for my testing. I found my API calls would fail like this because I am using a self-signed SSL certificate that was not trusted by Chrome. One workaround I stumbled upon was to first open Chrome and connect to the GUI to accept the certificate warning, but then left the browser open. After that, all my calls from Postman would succeed - just like you described.

Of course I eventually added the certificate to my trusted list in Chrome. But I kept running to this from time-to-time. What I then discovered is that sometimes I would run my test with a hostname that matched the CN on the certificate, and other times I would be using something else. When the hostname in my API call did not match the CN, the calls would fail with the error you noted.

I was going to advise you to try adding the -k option to your curl call, but I see you are already using that option. I see you are passing the credentials, but the API documentation says it uses Basic Authentication. So I think you need to add the "--basic" argument to your curl command.

skylar.sands · ‎02-11-2016

I actually ended up getting it to work. When I tried adding my test user account I added it to the groups: [npi_read, npi_write, npi_northbound] which wasn't working. In another post someone mentioned that they changed it to [admin, npi_read, npi_write] I cdid that and my Python script started working fine. I appreciate the quick response.

smp · ‎02-11-2016

Great!

Just something to consider, in my opinion. I don't believe you should be adding account for API calls to the admin group. Obviously it appears you will want that account to have "NBI Read" and "NBI Write" permission. But if you need the account to also access any API calls that return credentials-related information, you should add it to "NBI Credential", not "Admin". The "Authentication & Authorization" page in the API documentation has a statement on this about "NBI Credential":

"Can access APIs that return device credentials (such as the Credentials Service group) or other sensitive information."

The "Northbound API" is for the "Guest Access API", which is a different API set altogether.