16 Replies Latest reply on Aug 1, 2017 2:57 PM by ekis

    403 with rest api call

    r.sjouw

      I;ve seen a few other people with this issue, and some where resolved, but nowhere is a solution to be found.

       

      The code:

       

      $VLANNAAM = "Somevlan"

      $cred = get-credential

      $invoked = Invoke-RestMethod -Uri ("https://"+$Hostname+":17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT GroupId,VLAN_Naam FROM IPAM.GroupNodeAttr WHERE (VLAN_Naam='$VLANNAAM')") -method Get -credential $cred

       

      For the credentials I've used a windows account, local account, database user.

      Nothing works, Always the 403 error.

       

      2015-08-27 07_33_58-Pool 06 - ICT Services Windows 8 Werkplek.png

        • Re: 403 with rest api call
          KMSigma

          This most commonly has to do with the certificate that's used by Orion for HTTPS communications.

           

          The quick and dirty way to handle this is to just trust all web certificates.  Below is a code snippet that I found years ago on PoshCode.com and continue to use it to this day.  It will probably work for you.

          #region Ignore SSL Messages
          ## Choose to ignore any SSL Warning issues caused by Self Signed Certificates  
            
          ## Code From http://poshcode.org/624
          ## Create a compilation environment
          $Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
          $Compiler=$Provider.CreateCompiler()
          $Params=New-Object System.CodeDom.Compiler.CompilerParameters
          $Params.GenerateExecutable=$False
          $Params.GenerateInMemory=$True
          $Params.IncludeDebugInformation=$False
          $Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
          
          $TASource=@'
            namespace Local.ToolkitExtensions.Net.CertificatePolicy{
              public class TrustAll : System.Net.ICertificatePolicy {
                public TrustAll() { 
                }
                public bool CheckValidationResult(System.Net.ServicePoint sp,
                  System.Security.Cryptography.X509Certificates.X509Certificate cert, 
                  System.Net.WebRequest req, int problem) {
                  return true;
                }
              }
            }
          '@ 
          $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
          $TAAssembly=$TAResults.CompiledAssembly
          
          ## We now create an instance of the TrustAll and attach it to the ServicePointManager
          $TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
          [System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
          
          ## end code from http://poshcode.org/624
          #endregion Ignore SSL Messages
          
            • Re: 403 with rest api call
              r.sjouw

              Sorry did not mention I already took that hurdle.

              I found a powershell function that does the same, trust all certificates.

               

              But still the same issue.

              I was getting a ssl tls error, but thats been gone when using this fuction.

              2015-08-27 09_02_14-Pool 06 - ICT Services Windows 8 Werkplek.png

                • Re: 403 with rest api call
                  KMSigma

                  ok - taking a step back.  I'm looking at your query, which (when normalized) is:

                  SELECT GroupId,VLAN_Naam FROM IPAM.GroupNodeAttr WHERE (VLAN_Naam='Somevlan')

                   

                  I'm using the SWQL Studio, and I'm not finding anything in the IPAM.GroupNodeAttr table.  What exactly are you trying to get with this query?

                    • Re: 403 with rest api call
                      r.sjouw

                      Ok I'll start from the beginning.

                       

                      We are rolling out automation center, and need to get the first free address from solarwinds IPAM, to provision a server.

                      As there is no Orchastrator plugin, or any other production ready automation tool for IPAM, we are using the SDK to get this information.

                       

                      I've build a powershell script which gets the information from IPAM, using the module build by another Thwack member.

                      The field VLAN_Naam is a custom field which contains the name of the vlan, which matches to the port profile in VMWare.

                      In getting the VLAN_Naam field, we also get the groupid, from which we can then get the free ip addresses from. using the following query from the module:

                      $qry="SELECT SubnetID, IPOrdinal, IPAddress, IPAddressN, Alias, DnsBackward, Description, Comments, Status FROM IPAM.IPNode WHERE (Status = 2) AND (Comments IS NULL) AND (Alias IS NULL) AND (DNSBackward IS NULL) AND (SubnetID=$GroupID) ORDER BY IPOrdinal ASC"

                       

                      So far so good. This al works in powershell. But we need to get the information in the orchastrator. This is where powershell fails.

                      The script does not run with powershell remoting.( I've been in contact with a product manager from Solarwinds.), not from the orchastrator, where others scripts run fine remotely, and not from another server/workstation using a powershell remote session.

                       

                      So now I'm trying the rest API using orchstrator, fist buidling the script flow in powershell and then building it in orchastrator.

                        • Re: 403 with rest api call
                          KMSigma

                          And VLAN_Naam is bound to the Node?  Also where did you get $GroupID from?

                           

                          P.S. - I'm mocking this up in my own development environment which is why I'm asking so many questions.


                          Update:

                          I just did this in my own lab from a machine that does not have the Orion SDK installed and pointed it to the Primary Polling Engine (though you can point it at an Additional Web Server).

                          function Trust-AllWebCertificates {
                          #region Ignore SSL Messages
                          ## Choose to ignore any SSL Warning issues caused by Self Signed Certificates  
                            
                          ## Code From http://poshcode.org/624
                          ## Create a compilation environment
                          $Provider=New-Object Microsoft.CSharp.CSharpCodeProvider
                          $Compiler=$Provider.CreateCompiler()
                          $Params=New-Object System.CodeDom.Compiler.CompilerParameters
                          $Params.GenerateExecutable=$False
                          $Params.GenerateInMemory=$True
                          $Params.IncludeDebugInformation=$False
                          $Params.ReferencedAssemblies.Add("System.DLL") | Out-Null
                          
                          $TASource=@'
                            namespace Local.ToolkitExtensions.Net.CertificatePolicy{
                              public class TrustAll : System.Net.ICertificatePolicy {
                                public TrustAll() { 
                                }
                                public bool CheckValidationResult(System.Net.ServicePoint sp,
                                  System.Security.Cryptography.X509Certificates.X509Certificate cert, 
                                  System.Net.WebRequest req, int problem) {
                                  return true;
                                }
                              }
                            }
                          '@ 
                          $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
                          $TAAssembly=$TAResults.CompiledAssembly
                          
                          ## We now create an instance of the TrustAll and attach it to the ServicePointManager
                          $TrustAll=$TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
                          [System.Net.ServicePointManager]::CertificatePolicy=$TrustAll
                          
                          ## end code from http://poshcode.org/624
                          #endregion Ignore SSL Messages
                          }
                          
                          #region Main Body
                          Trust-AllWebCertificates
                          
                          $SwisUsername = "admin"
                          $SwisPassword = "P@ssw0rd"
                          $SwisCredentails = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $SwisUsername, ( ConvertTo-SecureString $SwisPassword -AsPlainText -Force )
                          $SwisHost = "orion.demo.lab"
                          
                          $SwqlQuery = "SELECT TOP 2 DisplayName, Description, Status, StatusDescription, StatusLED, UnManaged, UnManageFrom, UnManageUntil, DetailsUrl, Image, AncestorDisplayNames, AncestorDetailsUrls FROM System.ManagedEntity"
                          
                          $Uri = "https://$( $SwisHost ):17778/SolarWinds/InformationService/v3/Json/Query?query=$( $SwqlQuery )"
                          
                          $invoked = Invoke-RestMethod -Uri $Uri -Method Get -Credential $SwisCredentails
                          
                          $invoked.Results
                          #endregion Main Body
                          

                          Results:

                          DisplayName                                                        StatusDescription                                                 
                          -----------                                                        -----------------                                                 
                          Microsoft Exchange                                                 Critical                                                          
                          Microsoft Exchange                                                 Critical            
                          

                          The server on which I ran this is Windows 2012 R2 with $PSVersionTable.PSVersion.Major = 4.  I don't have a convenient place to check this with a previous version of PowerShell, but I can't imagine that it would be too much different.

                            • Re: 403 with rest api call
                              r.sjouw

                              Using the query and code you provided I'm getting the same error : 403 :

                               

                              Invoke-RestMethod : The remote server returned an error: (403) Forbidden.

                              At D:\ProvisionVM\scripts\Solarwinds\newtest.ps1:51 char:12

                              + $invoked = Invoke-RestMethod -Uri $Uri -Method Get -Credential $SwisCredentails

                              +            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                  + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException

                                  + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

                               

                              I'm using the windows admin account, and also using any other windows service account user account or admin account, alle the same error 403.

                              What kind of account are you using, the admin is it a local windows users or something else ?

                    • Re: 403 with rest api call
                      wsoto

                      We are experiencing the exact issue was this ever resolved?  I do not see a resolution for this API connection issue?

                      • Re: 403 with rest api call
                        ekis

                        can you try using IP address instead of the hostname?

                        or, can you try FQDN instead of the hostname?