Unable to access the NetOps Portal REST interface as the admin user. Receiving 403 errors when attempting access.
Using the admin user, or a REST access only user for API usage all attempts to run curl commands return 401 errors. This is seen with both admin user and an "apiuser" user set up following this KB for REST only access.
REST access for user without Performance Management UI access
Running CLI curl REST commands as tests, using the following curl, there is no response. Nothing is returned to the CLI after entering the user password.
curl --user <UserName> -k https://<PortalHostName>:8182/pc/center/webservice/devices
Running CLI curl REST commands as tests, using the following curl with -vv added:
curl --user <UserName> -vv -k https://<PortalHostName>:8182/pc/center/webservice/devices
We see errors that reference a 401 error like this.
< HTTP/1.1 401 Unauthorized
In the Portal (default path shown) /opt/CA/PerformanceCenter/PC/logs/PCService.log file, when attempting the failing curl commands we see errors like this.
WARN | qtp1017003165-9189 | 2024-10-01 08:05:55,635 | com.ca.im.portal.services.sso.SingleSignOnWsImpl
| Attempted login with expired password: user 'admin'
WARN | qtp1017003165-10160 | 2024-10-01 08:05:55,638 | com.ca.im.portal.services.util.FailCountAuthInterceptor
| REST login failure. Attempt=1 for Username=admin; Attempt=3 for IP=10.xxxxx
WARN | qtp1017003165-10160 | 2024-10-01 08:05:55,638 | com.ca.im.portal.common.web.util.AuthInterceptor
| Could not validate user 'admin' for access in request: {}https://<PortalHostName>:8182/pc/center/webservice/devices from 10.#.#.10
The problem is not seen for externally authenticated users. Any user with LDAP or SAML2 based external authentication work without issue. Only users set with NetOps internal authentication are affected.
All supported DX NetOps Performance Management releases
The users password has expired based on the default 105 day expiration time frame for NetOps internally authenticated users.
The SsoConfig controlled "Password lifespan" value is set by default to 105 days. When this is reached the users password is expired and will fail authentication until it is reset.
The Password lifespan is defined as:
There are a few options to resolve this.
See the Configure the Password Security Settings Using the SSO Configuration Tool documentation topic for details on modifying these values.