OpenAPI Odata request receives authorization failure from Performance Management

book

Article ID: 186850

calendar_today

Updated On:

Products

CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

Using a curl statement to issue an OpenAPI Odata query the response received shows an http 403 error authorization failure error.

Trying to access the Odata OpenAPI Querybuilder UI in a browser, using the URL http://DA_Host:8581/odataquery an error is returned. The error states it is from the Single Sign-On service. The specific error states:

"The application associated with this instance of Single Sign-On does not appear to be running."

Performance Center (PC) web UI is configured to use SSL for HTTPS. Access to the Performance Center web UI using the same user used in the Odata queries works without error.

The SsoConfig command run on the PC server shows the correct values set for Web Service Host, the value passed to the Data Aggregator (DA) for user authentication in PC.

Cause

When reviewing the host name set for the NpcHostName value in the DA we found it incorrectly directing it to the wrong IP address for the PC server for user authentication.

This can be checked using the following URL:

Environment

All supported Performance Management releases

Resolution

To update the value the DA is set to use follow these steps. The key here is to update the Remote Value option for the Web Service Host value in Performance Center options. Even if it's set correctly already, or is empty, the act of updating or setting a new/updated value is what triggers the DA to look for new values. This shows it has new values to set, which forces it to update it's values. The end result is it using the correct PC host to authorize users for OpenAPI access.

  1. Log into the PC server as the root user or install owner.
  2. Go to the (default path) /opt/CA/PerformanceCenter directory.
  3. Run the command:
    1. ./SsoConfig
  4. Choose option 1 for Performance Center.
  5. Choose option 3 for Performance Center.
  6. Choose 1 for Remote Value
  7. Choose Property 2 for Web Service Host
  8. Enter 'u' for update
  9. Set the correct value for Web Service Host
    • Enter the PC server IP, short host name or FQDN. Any of those options the DA is able to resolve will work.
    • If the value is set correctly already, re-enter the same value.
    • If the value is set incorrectly, set the correct value.
  10. Enter b to exit the menu tree and the command.
  11. Log into the PC web UI.
  12. Go to the Administration->Data Sources->Data Sources page.
  13. Select the Data Aggregator Data Source
  14. Select the Resync button.
  15. Run an incremental sync only. Do NOT check off the full sync option.

It can take 5-20 minutes depending on system size for the sync to complete despite the UI showing a state change for the DA sync state from Available->Synchronization->Available.

Monitor the http://DA_Host:8581/rest/dataaggregator page to see the NpcHostName value change. Once that changes the failing Odata OpenAPI queries and UI access should now work.