
Error: "Server requires a valid encrypted token in the request" returned by CLI command scripts to ProxySG appliance


Article ID: 172522


Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

After upgrading SGOS on a ProxySG appliance or MACH5 edition appliance, scripts that send CLI commands to the system as POST method requests result in an error message, "Server requires a valid encrypted token in the request." The scripts worked prior to upgrading to SGOS 6.7.4.1 and later.

Server requires a valid encrypted token in the request.

Cause

Additional security mechanisms were implemented.

Resolution

Your script must request an encrypted token from the appliance, and then include the token in subsequent HTTP requests that use the POST method.

  1. Obtain an encrypted token from the appliance by making an HTTP request using the GET method to the URL "/EncToken".
  2. The entirety of the response body should be used as the encrypted token in future POST requests. This token has a time-to-live (TTL) of 20 minutes. After 20 minutes, this encrypted token expires. If this occurs, you can make another request to "/EncToken" to get a new encrypted token.
  3. Include the encrypted token in subsequent HTTP requests either in a header or within the body. Refer to the following sections for details.

Encrypted Token in HTTP POST Request Header

When the encrypted token is passed in the header, it is identified by the label "X-Bluecoat-Enc-Token". Refer to the following example:

X-Bluecoat-Enc-Token: JVizLJLt5YzKvcJqSl7y9HdMSNZTyDJpV8yrvFGni-uuO6-uWqyN9xXbBWbeNLtBAE7TAv4xRYtkpErIWjqr31m61ApC8wGoqJyA_EZ0iMfjCF5qG9kErL10SnLN23hVMLh_oSeXnM_zcBDVgRsoid8

 

Encrypted Token in HTTP POST Request Body

When the encrypted token is passed in the body, it can be part of a query string when Content-Type is "application/x-www-form-urlencoded", or it can be one of the multipart sections when Content-Type is "multipart/form-data".

Note: Some ProxySG Advanced URLs will accept only one of the specified content types.

  • Refer to the following example of using "application/x-www-form-urlencoded" in a query string:

    bluecoat-enc-token=JVizLJLt5YzKvcJqSl7y9HdMSNZTyDJpV8yrvFGni-uuO6-uWqyN9xXbBWbeNLtBAE7TAv4xRYtkpErIWjqr31m61ApC8wGoqJyA_EZ0iMfjCF5qG9kErL10SnLN23hVMLh_oSeXnM_zcBDVgRsoid8

    Important: Standard HTTP formatting requires an empty line between the request headers and the start of the body.

  • When using "multipart/form-data" the encrypted token must be the only data in the section identified with the name "bluecoat-enc-token". Refer to the following example, where the multipart/form-data boundary is "--------32456734": 

    ----------32456734
    Content-Disposition: form-data; name="bluecoat-enc-token"

    JVizLJLt5YzKvcJqSl7y9HdMSNZTyDJpV8yrvFGni-uuO6-uWqyN9xXbBWbeNLtBAE7TAv4xRYtkpErIWjqr31m61ApC8wGoqJyA_EZ0iMfjCF5qG9kErL10SnLN23hVMLh_oSeXnM_zcBDVgRsoid8
    ----------32456734

    Important: Standard formatting requires an empty line after the Content-Disposition line.
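The following Python sketch shows one way a script can follow the three steps above: fetch the token from "/EncToken", reuse it until shortly before the 20-minute TTL runs out, and attach it to POST requests either in the header or as a form field. It is an added example, not Broadcom/Symantec code. The class name, the one-minute refresh margin, the host name and the POST path used with it are assumptions, and authentication and TLS trust are assumed to be configured by the calling script.

```python
import time
import urllib.parse
import urllib.request

TOKEN_TTL = 20 * 60   # seconds; the TTL stated in this article
REFRESH_MARGIN = 60   # assumption: renew early so a token never expires in flight


class EncTokenSession:
    """Caches the /EncToken response and attaches it to POST requests."""

    def __init__(self, base_url, http_get=None, clock=time.monotonic):
        self.base_url = base_url.rstrip("/")
        self._http_get = http_get or self._default_get
        self._clock = clock
        self._token = None
        self._fetched_at = 0.0

    @staticmethod
    def _default_get(url):
        # Assumption: the calling script has installed a urllib opener that
        # handles appliance authentication and certificate validation.
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read()

    def token(self):
        age = self._clock() - self._fetched_at
        if self._token is None or age >= TOKEN_TTL - REFRESH_MARGIN:
            # Step 1 and 2: GET /EncToken; the whole response body is the token.
            body = self._http_get(self.base_url + "/EncToken")
            self._token = body.decode("ascii")
            self._fetched_at = self._clock()
        return self._token

    def post_with_header(self, path, fields):
        """Build a POST carrying the token in X-Bluecoat-Enc-Token."""
        data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method="POST")
        req.add_header("X-Bluecoat-Enc-Token", self.token())
        return req

    def post_with_form_field(self, path, fields):
        """Build a POST carrying the token as the bluecoat-enc-token form field."""
        form = {**fields, "bluecoat-enc-token": self.token()}
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method="POST")
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
        return req
```

Both methods return an unsent `urllib.request.Request`; pass it to `urllib.request.urlopen()` to send it. Treat the token like a credential: keep it in memory only and out of script logs.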