After upgrading SGOS on an Edge SWG appliance or a MACH5 edition appliance, scripts that send CLI commands to the system as POST method requests result in an error message, "Server requires a valid encrypted token in the request." The scripts worked prior to upgrading to SGOS 6.7.4.1 and later.

The server requires a valid encrypted token in the request.

Additional security mechanisms were implemented.

Your script must request an encrypted token from the appliance, and then include the token in subsequent HTTP requests that use the POST method.

1. Obtain an encrypted token from the appliance by making an HTTP request using the GET method to the URL "/EncToken".
2. The entirety of the response body should be used as the encrypted token in future POST requests. This token has a time-to-live (TTL) of 20 minutes. After 20 minutes, this encrypted token expires. If this occurs, you can make another request to "/EncToken" to get a new encrypted token.
3. Include the encrypted token in subsequent HTTP requests either in a header or within the body. Refer to the following sections for details.

Encrypted Token in HTTP POST Request Header

When the encrypted token is passed in the header, it is identified by the label "X-Bluecoat-Enc-Token". Refer to the following example:

X-Bluecoat-Enc-Token: JVizLJLt5YzKvcJqSl7y9HdMSNZTyDJpV8yrvFGni-uuO6-uWqyN9xXbBWbeNLtBAE7TAv4xRYtkpErIWjqr31m61ApC8wGoqJyA_EZ0iMfjCF5qG9kErL10SnLN23hVMLh_oSeXnM_zcBDVgRsoid8

Encrypted Token in HTTP POST Request Body

When the encrypted token is passed in the body, it can be part of a query string when Content-Type is "application/x-www-form-urlencoded", or it can be one of the multipart sections when Content-Type is "multipart/form-data".

Note: Some Edge SWG Advanced URLs will accept only one of the specified content types.

• Refer to the following example of using  "application/x-www-form-urlencoded" in a query string:

  bluecoat-enc-token=JVizLJLt5YzKvcJqSl7y9HdMSNZTyDJpV8yrvFGni-uuO6-uWqyN9xXbBWbeNLtBAE7TAv4xRYtkpErIWjqr31m61ApC8wGoqJyA_EZ0iMfjCF5qG9kErL10SnLN23hVMLh_oSeXnM_zcBDVgRsoid8

  Important: Standard formatting requires an empty line as the start of the body.

• When using "multipart/form-data" the encrypted token must be the only data in the section identified with the name "bluecoat-enc-token". Refer to the following example, where the multipart/form-data boundary is "--------32456734": 

  ----------32456734
Content-Disposition: name="bluecoat-enc-token"; form-data  

  JVizLJLt5YzKvcJqSl7y9HdMSNZTyDJpV8yrvFGni-uuO6-uWqyN9xXbBWbeNLtBAE7TAv4xRYtkpErIWjqr31m61ApC8wGoqJyA_EZ0iMfjCF5qG9kErL10SnLN23hVMLh_oSeXnM_zcBDVgRsoid8
----------32456734

  Important:  Standard formatting requires an empty line after the Content-Disposition line.