Re: CUCM 10.5.2 - SXML DimeGetFileService API issue

Francesco La Bella · ‎08-06-2015

Hi,

I'm using the SXML API DimeGetFileService (OneFile), to get from the CUCM some logs files via HTTP. Upgrading from 9.1 to 10.5 calls to the logcollectionservice/services/DimeGetFileService GetOneFile API fail with the error "file not allowed for download":

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Body><soapenv:Fault><faultcode>soapenv:Server.generalException</faultcode><faultstring>DimeGetFileService:GetOneFile(): file not allowed for download: /var/log/active/syslog/messages</faultstring><detail><ns1:stackTrace xmlns:ns1="http://xml.apache.org/axis/">DimeGetFileService:GetOneFile(): file not allowed for download: /var/log/active/syslog/messages at com.cisco.ccm.serviceability.soap.LogCollection.GetFile.DimeGetFileService.GetOneFile(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:397) at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:186) at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:323) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:454) at org.apache.axis.server.AxisServer.invoke(AxisServer.java:281) at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:699) at javax.servlet.http.HttpServlet.service(HttpServlet.java:646) at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:327) at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at com.cisco.vos.platform.tomcat.valves.CiscoResponseHeaderFilter.doFilter(Unknown Source) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:613) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:312) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:745) </ns1:stackTrace><ns2:hostname xmlns:ns2="http://xml.apache.org/axis/">ucrmsxrsub01</ns2:hostname></detail></soapenv:Fault></soapenv:Body></soapenv:Envelope>

With CUCM 9.1.2 the same API works fine, with 10.5.2 it fails. Has someone experienced something similar? I cannot figure out what's changed with new 10.5 APIs (can't find any documentation).

If someone has any information about it, please share!

Thanks in advance.

Regards,

Francesco

npetrele · ‎08-06-2015

Can you post the XML request you're using? You can sanitize anything that you want to remain private.

Francesco La Bella · ‎08-06-2015

Hi Nicholas,

here the XML request:

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.cisco.com/ast/soap/">

<soapenv:Header/>

<soapenv:Body>

<soap:GetOneFile soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

<FileName xsi:type="get:FileName" xmlns:get="http://cisco.com/ccm/serviceability/soap/LogCollection/GetFile/">/var/log/active/platform/cli/phones-rep-PST.txt</FileName>

</soap:GetOneFile>

</soapenv:Body>

</soapenv:Envelope>

I'm trying to download a file generated by a risdb command on CUCM. In CUCM version 9.1 all work fine.

I get the same error even using the SoapUI test tool.

Thanks in advance,

Francesco

Francesco La Bella · ‎08-07-2015

I'm doing other tests on this, and I found that for some files it works correctly. For example, if I try to download a file in the Tomcat Logs folder, the API is executed. Below, working XML request:

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://schemas.cisco.com/ast/soap/">

<soapenv:Header/>

<soapenv:Body>

<soap:GetOneFile soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">

<FileName xsi:type="get:FileName" xmlns:get="http://cisco.com/ccm/serviceability/soap/LogCollection/GetFile/">/var/log/active/tomcat/logs/localhost.2015-08-03.log</FileName>

</soap:GetOneFile>

</soapenv:Body>

</soapenv:Envelope>

Could it be a permission issue on some folders? I'm using an application user belonging to the following groups:

Standard CCM Superuser
Standard CCM Server Monitoring
Standard RealtimeAndTraceCollection

It seams no other groups are related to the use of SXML APIs.

Ciao,

Francesco

npetrele · ‎08-07-2015

Hi Francesco,

Yes, that's what I suspect it is. In CUCM (logged in as an administrator), go to User Management -> User Settings -> Role, and take a look at the roles your system has defined and what privileges they afford. You can always define a new role, too, and assign it the privileges you need for your application. Also, check out User Management -> User Settings -> Access Control Group.

Unless you just mis-typed it, maybe someone has defined new roles and permissions and you're not getting the permissions you expect. On our lab, the ACL is called Standard CCM Super Users, not Standard CCM Superuser.

endamcm79 · ‎01-11-2016

Hi Francesco,

Did you manage to resolve this?

I am encountering the same issue.

Thanks,

Enda

Alexey Smirnov · ‎02-08-2016

Looks like there is a bug with DimeGetFileService API GetOneFile() on CUCM 10.5.2 CSCuv89821

I've tried to move Cisco AMC service logs to IM&P server, but got the same error.