REST API No Longer Accessible After Upgrading FMC to 6.2.3?

DAVID YARASHUS
Level 5

After upgrading FMC from 6.2.2 to 6.2.3, we seem to have lost access to the API Explorer. Expected behavior is a 200 response code when a valid admin-level account/password combination is specified.

The configuration option in System --> Configuration --> REST API Preferences is enabled. Toggling it doesn't fix it.

When that configuration option for the REST API is enabled, all accounts (that worked prior to the upgrade, including admin) get an HTTP 401 (unauthorized) whether a correct or incorrect password is used. Passwords are verified correct by being able to log in to the FMC GUI with them.

When that configuration option is disabled, all accounts get an http 503 error.

Have I missed something obvious?


7 Replies

Marvin Rhoads
Hall of Fame

David,

In 6.2.3 Cisco did add a direct device API (vice having to go via FMC). However that's only supposed to affect locally-managed (i.e. FDM) appliances.

I checked my lab FMC running 6.2.3 and the API Explorer appears to work fine.

[Screenshot: FMC 6.2.3 API Explorer]

DAVID YARASHUS
Level 5

Thanks for confirming that it's working for others, Marvin. We have a TAC case open, but no resolution yet.

So, I've confirmed that the REST API works on a fresh install of 6.2.3-83, but we lose access to it after restoring a backup that was taken on 6.2.3-79. Still looking for a resolution, but that seems to narrow it down quite a bit. It's not the FMC checkbox to "Enable REST API" which is checked, and I tried creating a new local account with admin permissions, but after restoring the backup we have not yet found any way to authenticate successfully via the API.

Marvin Rhoads
Hall of Fame

My working FMC is running the slightly pre-release 6.2.3-60. It was upgraded from 6.2.2-81.

DAVID YARASHUS
Level 5

If you're in the mood to risk it, I'd be curious if you lose API access after restoring a 6.2.3-60 backup onto a freshly imaged 6.2.3-83 (or later). We do have a TAC case open that may give us more information soon, and I'll post what we learn once there's a resolution or significant development. I did see that the FMC that was running 6.2.3-83 now claims in Help->About that it is 6.2.3-79 post-restore, which I hadn't expected.

DAVID YARASHUS
Level 5
Accepted Solution
We missed something.

At the same time as the upgrade, the certificate for the FMC was updated to a new RSA certificate from our enterprise PKI with a 4096-bit strength key. It turns out that the web interface works fine with this longer key, but the java processes used to deal with the API fail with any key over 2048 bits. The clue was finding this message "Could not generate DH keypair" in the logs with pigtail. Web searches show that it's listed with Oracle as a symptom of an old java limitation. Fixed versions appear to include JDK-8072452, "Support DHE sizes up to 8192-bits and DSA sizes up to 3072-bits". While we wanted to use the stronger certificate, the fix was regenerating it with only 2048 bits. With the 2048 bit certificate installed, no problems.
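A pre-install check that follows from the accepted solution, added here as an example and not part of the original thread or of any Cisco tooling: measure the RSA key size of the certificate you are about to install on the FMC, and map the token endpoint's status codes to the symptoms the thread reports (401 with the REST API enabled, 503 with it disabled). The 2048-bit ceiling is taken from the accepted solution and treated as an assumed limit; the `/api/fmc_platform/v1/auth/generatetoken` path and the host name `fmc.example.test` are assumptions for illustration; the certificates the script generates are constructed test data, not the poster's enterprise PKI certificate.

```shell
#!/bin/sh
# Added example (not from the original thread): check the RSA key size of a
# certificate before installing it on an FMC, and classify REST API auth results.
# Assumption: the Java-based API process fails with keys over 2048 bits, as the
# accepted solution found; the token endpoint path below is assumed, not taken
# from the thread.
set -e

MAX_KEY_BITS=2048

# key_bits FILE: print the RSA key size (bits) of a PEM certificate.
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_cert FILE: succeed if the key is at or below MAX_KEY_BITS, fail otherwise.
check_cert() {
    bits=$(key_bits "$1")
    if [ -z "$bits" ]; then
        echo "ERROR: could not read an RSA key size from $1" >&2
        return 2
    fi
    if [ "$bits" -le "$MAX_KEY_BITS" ]; then
        echo "OK: $1 has a ${bits}-bit RSA key"
        return 0
    fi
    echo "WARN: $1 has a ${bits}-bit RSA key; the FMC REST API Java process failed with keys over ${MAX_KEY_BITS} bits" >&2
    return 1
}

# classify_api_code HTTP_CODE: map the token endpoint's status to the thread's symptoms.
classify_api_code() {
    case "$1" in
        200) echo "api-ok" ;;
        401) echo "auth-rejected (check certificate key size / REST API enabled)" ;;
        503) echo "api-unavailable (REST API disabled in System > Configuration > REST API Preferences)" ;;
        *)   echo "unexpected:$1" ;;
    esac
}

# api_probe HOST USER PASS: POST to the (assumed) token endpoint and classify the
# status code. Not called by default because it needs a reachable FMC.
api_probe() {
    code=$(curl -sk -o /dev/null -w '%{http_code}' -u "$2:$3" -X POST \
        "https://$1/api/fmc_platform/v1/auth/generatetoken")
    classify_api_code "$code"
}

# make_test_cert BITS OUTFILE: constructed self-signed certificate for testing only.
make_test_cert() {
    tmpkey=$(mktemp)
    openssl req -x509 -newkey "rsa:$1" -nodes -keyout "$tmpkey" -out "$2" \
        -days 1 -subj "/CN=fmc.example.test" >/dev/null 2>&1
    rm -f "$tmpkey"
}

# Demo: a 2048-bit certificate passes, a 4096-bit certificate is flagged.
main() {
    dir=$(mktemp -d)
    make_test_cert 2048 "$dir/ok.pem"
    make_test_cert 4096 "$dir/big.pem"
    check_cert "$dir/ok.pem"
    check_cert "$dir/big.pem" || true
    rm -rf "$dir"
}

main "$@"
```

Run `check_cert` against the PEM you received from the PKI before importing it; if it is flagged, reissue at 2048 bits as the accepted solution did. After the import, `api_probe fmc.example.test admin 'password'` gives you a one-line answer instead of hunting through the API Explorer, and `openssl s_client -connect fmc.example.test:443` shows the negotiated handshake if you want to confirm the server side still works with the new key.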

Thanks for the update @DAVID YARASHUS

Back to basics in troubleshooting Q1: What changed? (Corollary to Q1: Is that all?)