Unable to access the NetOps Portal REST interface as the admin user


Article ID: 141582


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Unable to access the NetOps Portal REST interface as the admin user. Receiving 403 errors when attempting access.

Whether using the admin user or a REST-access-only user for API usage, all attempts to run curl commands return 401 errors. This is seen with both the admin user and an "apiuser" user set up for REST-only access by following this KB:

REST access for user without Performance Management UI access

When the following curl REST command is run from the CLI as a test, there is no response. Nothing is returned to the CLI after entering the user password.

curl --user <UserName> -k https://<PortalHostName>:8182/pc/center/webservice/devices

Running the same curl command with -vv added:

curl --user <UserName> -vv -k https://<PortalHostName>:8182/pc/center/webservice/devices

The verbose output references a 401 error like this:

< HTTP/1.1 401 Unauthorized

In the Portal's PCService.log file (default path shown: /opt/CA/PerformanceCenter/PC/logs/PCService.log), the failing curl commands produce entries like this:

WARN  | qtp1017003165-9189       | 2024-10-01 08:05:55,635 | com.ca.im.portal.services.sso.SingleSignOnWsImpl
      | Attempted login with expired password: user 'admin'
WARN  | qtp1017003165-10160      | 2024-10-01 08:05:55,638 | com.ca.im.portal.services.util.FailCountAuthInterceptor
      | REST login failure. Attempt=1 for Username=admin; Attempt=3 for IP=10.xxxxx
WARN  | qtp1017003165-10160      | 2024-10-01 08:05:55,638 | com.ca.im.portal.common.web.util.AuthInterceptor
      | Could not validate user 'admin' for access in request: {}https://<PortalHostName>:8182/pc/center/webservice/devices from 10.#.#.10

The problem is not seen for externally authenticated users. Any user with LDAP or SAML2 based external authentication works without issue. Only users set with NetOps internal authentication are affected.
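
To confirm from PCService.log that REST 401 responses come from password expiry rather than from wrong credentials, the entries shown above can be parsed and correlated per user. This is an added example, not Broadcom code; it assumes the two-line record layout of the excerpt, and the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above (values are placeholders).
SAMPLE_LOG = """\
WARN  | qtp1-11 | 2024-10-01 08:05:55,635 | com.ca.im.portal.services.sso.SingleSignOnWsImpl
      | Attempted login with expired password: user 'admin'
WARN  | qtp1-12 | 2024-10-01 08:05:55,638 | com.ca.im.portal.services.util.FailCountAuthInterceptor
      | REST login failure. Attempt=1 for Username=admin; Attempt=3 for IP=192.0.2.10
WARN  | qtp1-13 | 2024-10-01 08:07:10,101 | com.ca.im.portal.services.util.FailCountAuthInterceptor
      | REST login failure. Attempt=4 for Username=apiuser; Attempt=4 for IP=192.0.2.44
"""

EXPIRED = re.compile(r"Attempted login with expired password: user '([^']+)'")
FAILURE = re.compile(
    r"REST login failure\. Attempt=(\d+) for Username=([^;]+); Attempt=(\d+) for IP=(\S+)")

def records(text):
    """Yield one string per log record, joining wrapped '| message' lines."""
    current = None
    for line in text.splitlines():
        if re.match(r"^\s+\|", line) and current is not None:
            current += " " + line.strip()   # continuation of the previous record
        else:
            if current:
                yield current
            current = line.strip()
    if current:
        yield current

def triage(text):
    """Return {user: {"expired": bool, "failures": int, "ips": set}}."""
    users = defaultdict(lambda: {"expired": False, "failures": 0, "ips": set()})
    for rec in records(text):
        m = EXPIRED.search(rec)
        if m:
            users[m.group(1)]["expired"] = True
        m = FAILURE.search(rec)
        if m:
            entry = users[m.group(2).strip()]
            entry["failures"] += 1
            entry["ips"].add(m.group(4))
    return dict(users)

def unexplained(text):
    """Users with REST login failures but no expired-password warning."""
    return sorted(u for u, e in triage(text).items() if e["failures"] and not e["expired"])

if __name__ == "__main__":
    for user, e in triage(SAMPLE_LOG).items():
        cause = "expired password" if e["expired"] else "no expiry warning, review credentials and source"
        print(f"{user}: {e['failures']} failure(s) from {sorted(e['ips'])} -> {cause}")
```

Users returned by unexplained() have REST login failures with no matching expired-password warning, so resetting the password per this article is not the indicated fix for them.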

Environment

All supported DX NetOps Performance Management releases

Cause

The user's password has expired based on the default 105 day expiration time frame for NetOps internally authenticated users.

The "Password lifespan" value, controlled through SsoConfig, is set by default to 105 days. When this is reached, the user's password expires and authentication fails until it is reset.

The Password lifespan is defined as:

  • Password lifespan: Specify the number of days after which passwords expire.
  • Values: 0-712 days
    • Note: To disable password expiration and to specify that passwords never expire, specify 0.
    • Disabling password expiration is a global change affecting all users. It is not recommended in production environments.
  • Default: 105 days
  • Recommended: 105 days

Resolution

There are a few options to resolve this.

  • Reset the user's password.
    1. Log in to the Portal UI as a user assigned to the Administrator Role.
    2. Navigate to Administration->User Settings->Users
    3. Find and select the target user, then select Edit.
    4. Reset the user's password and save the change.
  • Disable password expiration for all internally authenticated users.
    • Does not impact password requirements for externally authenticated users.
    • See Cause field above re: setting "Password lifespan" to zero (0).
  • Disable password expiration for a specific user.
    1. Run the SsoConfig script and enter option 7 for "NetOps Portal Local Password Authentication" config.
    2. Enter 1 for "Remote Value"
      • NOTE: Never use option 2 for "Local Override" without Broadcom Support or Engineering direction.
    3. Select option 5, "Disable password expiration for a specific user".
    4. Enter a user name.
      • Entering an externally authenticated user, or a user name that doesn't exist, returns:
        • The user <userName> does not exist, or is not a local user.
      • Entering the correct username for an internally authenticated user returns the Remote Value listing with no message.
    5. To enable password expiration for the user, repeat the process using option 6 for "Enable password expiration for a specific user".

Additional Information

See the Configure the Password Security Settings Using the SSO Configuration Tool documentation topic for details on modifying these values.