Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1012
Views
0
Helpful
8
Replies

Licensing process

otavio.augusto
Level 1
Level 1

‎02-27-2013 06:29 AM

Hi all

I applied my license number to Tidal Enterprise Orchestrator without problems. I have a problem when trying to "Refresh and Update Cloud License" from the portal. I'm using AD integration and all users from the AD are successfully authenticated at the portal.

But when trying to "Refresh and Update Cloud License" from the portal, I get a 401 error at orchestrator (task:Get Subscription Data for API User) :

The remote server returned an error: (401) Unauthorized.

<nsapi-error-response>User does not have proper authentication.</nsapi-error-response>

And the following extra messages show up at the JBoss terminal:

11:16:27,585 ERROR [com.newscale.bfw.ldap.jldap.JLDAPSimpleAuth] (http--0.0.0.0-

8080-4) COR-ID=-5320234174044470466::LDAPException in Simple Auth: : LDAPExcepti

on: Invalid Credentials (49) Invalid Credentials

.

.

.

11:16:27,585 ERROR [com.newscale.bfw.eui.EUIOperationManager] (http--0.0.0.0-808

0-4) COR-ID=-5320234174044470466::EUA Authentication Failed

11:16:27,585 ERROR [com.newscale.bfw.signon.AuthenticationManager] (http--0.0.0.

0-8080-4) COR-ID=-5320234174044470466::EUI Flow exception: : com.newscale.bfw.eu

i.EUIException: EUA Authentication Failed

So, looks like the user executing the process does not have proper authorization. I've tried it with nsapiuser (who is a CPTA and Site Administrator) and with another user I called svc_cloud (who is CPTA).

Any hints on what I might be missing?

Regards


Labels:
0 Helpful
8 Replies 8

Julio Silveira
Level 1
Level 1

‎02-27-2013 06:44 AM

With directory  integration and SL authentication enabled. Note that in 9.4.1 SL authentication is enabled by default (you can see it in the Administration -> settings, at the end of the list, that Inbound HTTP Requests Authentication is enabled), you need to:

-  Login with your nsapi account to get a local account created.

- Go to Org designer and set the nsapi account pwd as the same as the AD pwd.

We have another issue that happnes some times, where nsapi stops working and you need to restart Request Center, but you would see a different exception in the log.

I hope it helps.

0 Helpful

otavio.augusto
Level 1
Level 1
In response to Julio Silveira

‎02-27-2013 06:52 AM

"

Go to Org designer and set the nsapi account pwd as the same as the AD pwd.

"

You mean setting the nsapiuser password I'm logged with right now to the same password nsapiuser has in the AD server?

Thanks for your support.

0 Helpful

Julio Silveira
Level 1
Level 1
In response to otavio.augusto

‎02-27-2013 07:13 AM

Yes, the account PO uses to connect to CP  (normally called the nsapi account)  must have the same pwd in AD and local.

If you have SL authentication disabled it is not necessary.

0 Helpful

otavio.augusto
Level 1
Level 1
In response to Julio Silveira

‎02-27-2013 07:22 AM

The password for nsapiuser in both AD and PO have always been the same - since it was imported into the portal.

I can even log in to the portal with or without AD enabled with the same password for nsapiuser.

So I have to disable service link authentication by now ?

0 Helpful

Julio Silveira
Level 1
Level 1
In response to otavio.augusto

‎02-27-2013 07:51 AM

You can disable SL authentication to take out one of the variables, and see if works, but you should try to get it working with SL authentication later.

The directory integration mapping has password as one of the fields and you normally sync it with user name or something else because it cannot be the real AD password. When you login with the NSAPI account the pwd may get re-mapped . The steps I normally do are login as NSAPI account, get the local account created, update the pwd and then do not login as NSAPI account again to avoid re-mapping.

** Please also restart Request Center.

0 Helpful

otavio.augusto
Level 1
Level 1

‎02-27-2013 07:32 AM

Doesn't work. With or without SL auth enabled.

Looks like orchestrator is trying to authenticate to the portal with an invalid user - but I have checked the orchestrator runtime users hundreds of times and they match the username and passwords in AD.

Any clues ?

0 Helpful

Julio Silveira
Level 1
Level 1
In response to otavio.augusto

‎02-27-2013 07:55 AM

Note that you need to update nsapi account in 2 runtime users:

Cisco Service Portal User

Cisco Cloud Portal User

and also in the extended target property:

Cloud.Configuration.CloudPortal.API.User

Cloud.Configuration.CloudPortal.API.Password

0 Helpful

otavio.augusto
Level 1
Level 1
In response to Julio Silveira

‎02-27-2013 08:32 AM

Thanks for the support. I had forgotten to update the two target properties as well. Those auth errors no longer happen, but a new one is preventing the service item to be created and the license refreshing process to finish:

Unable to fully resolve expression, as Reference to Property ResultTable.FirstRow.Feature of ActivityInstance 0b67ac58-5093-42ef-8b2c-a9d775a343e7. could not be resolved.

That happens at the "Update Service Item" task, invoked by Manage License Data process.

Any infos ?

Thanks for the help.

0 Helpful
Customers Also Viewed These Support Documents