Solved: Re: REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS · ‎04-13-2018

After upgrading FMC from 6.2.2 to 6.2.3, we seem to have lost access to the API Explorer. Expected behavior is a 200 response code when valid admin-level account/password combination is specified.

The configuration option in System --> Configuration --> REST API Preferences is enabled. Toggling it doesn't fix it.

When that configuration option for the REST API is enabled, all accounts (that worked prior to the upgrade, including admin) get an http 401 (unauthorized) whether a correct or incorrect password is used. Passwords are verified correct by being able to login to the FMC GUI with them.

When that configuration option is disabled, all accounts get an http 503 error.

Have I missed something obvious?

DAVID YARASHUS · ‎05-31-2018

We missed something.

At the same time as the upgrade, the certificate for the FMC was updated to a new RSA certificate from our enterprise PKI with a 4096-bit strength key. It turns out that the web interface works fine with this longer key, but the java processes used to deal with the API fail with any key over 2048 bits. The clue was finding this message "Could not generate DH keypair" in the logs with pigtail. Web searches show that it's listed with Oracle as a symptom of an old java limitation. Fixed versions appear to include JDK-8072452, "Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits". While we wanted to use the stronger certificate, the fix was regenerating it with only 2048 bits. With the 2048 bit certificate installed, no problems.

View solution in original post

Marvin Rhoads · ‎04-14-2018

David,

In 6.2.3 Cisco did add a direct device API (vice having to go via FMC). However that's only supposed to affect locally-managed (i.e. FDM) appliances.

I checked my lab FMC running 6.2.3 and the API Explorer appears to work fine.

DAVID YARASHUS · ‎04-16-2018

Thanks for confirming that it's working for others, Marvin. We have a TAC case open, but no resolution yet.

DAVID YARASHUS · ‎04-19-2018

So, I've confirmed that the REST API works on a fresh install of 6.2.3-83, but we lose access to it after restoring a backup that was taken on 6.2.3-79. Still looking for a resolution, but that seems to narrow it down quite a bit. It's not the FMC checkbox to "Enable REST API" which is checked, and I tried creating a new local account with admin permissions, but after restoring the backup we have not yet found any way to authenticate successfully via the API.

Marvin Rhoads · ‎04-19-2018

My working FMC is running the slightly pre-release 6.2.3-60. It was upgraded from 6.2.2-81.

DAVID YARASHUS · ‎04-19-2018

If you're in the mood to risk it, I'd be curious if you lose API access after restoring a 6.2.3-60 backup onto a freshly imaged 6.2.3-83 (or later). We do have a TAC case open that may give us more information soon, and I'll post what we learn once there's a resolution or significant development. I did see that the FMC that was running 6.2.3-83 now claims in Help->About that it is 6.2.3-79 post-restore, which I hadn't expected.

DAVID YARASHUS · ‎05-31-2018

We missed something.

At the same time as the upgrade, the certificate for the FMC was updated to a new RSA certificate from our enterprise PKI with a 4096-bit strength key. It turns out that the web interface works fine with this longer key, but the java processes used to deal with the API fail with any key over 2048 bits. The clue was finding this message "Could not generate DH keypair" in the logs with pigtail. Web searches show that it's listed with Oracle as a symptom of an old java limitation. Fixed versions appear to include JDK-8072452, "Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits". While we wanted to use the stronger certificate, the fix was regenerating it with only 2048 bits. With the 2048 bit certificate installed, no problems.

Marvin Rhoads · ‎05-31-2018

Thanks for the update @DAVID YARASHUS

Back to basics in troubleshooting Q1: What changed?. (Corollary to Q1: Is that all?)