We are trying to use the AdminUI Rest API services but we are getting a HTTP 401 error in the browser. We have tried the basic-js and browser samples and both give the same errors. The admin account works fine when we access AdminUI, and the following error is shown in smrestservices.log:

[2018-06-25 10:15:30][ERROR][SmRestAuthFilter:com.ca.siteminder.sdk.restservlet.filters.SmRestAuthFilter.doFilter(SmRestAuthFilter.java:171)][SMRESTAPI_004-Unable to decrypt the JWT token.] com.ca.siteminder.rpc.rpc.SystemError: AGENTAPI_FAILURE at com.ca.siteminder.rpc.rpc.TunnelConnection.send(Unknown Source) ~[smrpc-12.70.jar:?] at com.ca.siteminder.rpc.rpc.RpcTransport.sendBuffer(Unknown Source) ~[smrpc-12.70.jar:?] at com.ca.siteminder.rpc.rpc.RpcTransport.connect(Unknown Source) ~[smrpc-12.70.jar:?] at com.ca.siteminder.rpc.rpc.RpcContext.lookup(Unknown Source) ~[smrpc-12.70.jar:?] at com.ca.siteminder.sdk.adminapi.Session.connect(Unknown Source) ~[smadminapi-12.70.jar:?] at com.ca.siteminder.sdk.restimpl.ClientSession. (Unknown Source) ~[smrestapi-12.70.jar:?] at com.ca.siteminder.sdk.restimpl.ServiceImpl. (Unknown Source) ~[smrestapi-12.70.jar:?] at com.ca.siteminder.sdk.restimpl.ServiceFactory.getRESTService(Unknown Source) ~[smrestapi-12.70.jar:?] at com.ca.siteminder.sdk.restservlet.filters.SmRestAuthFilter.createServiceInstance(SmRestAuthFilter.java:232) ~[classes:?] at com.ca.siteminder.sdk.restservlet.filters.SmRestAuthFilter.getOrCreateServiceInstance(SmRestAuthFilter.java:302) ~[classes:?] at com.ca.siteminder.sdk.restservlet.filters.SmRestAuthFilter.doFilter(SmRestAuthFilter.java:152) [classes:?] at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) [wildfly-undertow-8.2.0.Final.jar!/:8.2.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.0.Final.jar!/:1.1.0.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-

How can we solve it?

AdminUI R12.8 on RHEL7
SDK R12.8 on RHEL7

This basic-js sample is designed to be ran in the AdminUI sso-restapi-services.war, similarly to the browser sample application, therefore it does need to be copied into the sso-restapi-services.war folder and accessed through AdminUI, and not executed in the browser or in another web server. The instructions available in SDK readme file for browser sample application are applicable for the basic-js application as well.

The steps to deploy this sample are: 
1. Copy the content of the directory into the existing sso-restapi-services.war directory in the same container where the AdminUI is running. 
2. Restart AdminUI. 
3. Open a web browser and navigate to https://[WAMUI-HOSTNAME]:8443/ca/api/sso/services/policy/sample.htm. 
4. Set the URL, and the authentication service URL to get the token with the credentials.  
5. Once authenticated, the URL results will be displayed below. 

Remember that the token will last for 15 minutes, and after that time it will expire. Then, it is application logic to regenerate token once it expires.