- Revenera Community
- :
- FlexNet Operations
- :
- FlexNet Operations Forum
- :
- Re: REST API "Token refused due to missing key" for /access_request
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Subscribe
- Mute
- Printer Friendly Page
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
I am access the REST API of an FNO license server.
I set a password on the license server on FNO and I can successfully authenticate.
I receive a Bearer token, which allows me to make almost any REST calls such as "/features", "/hosts", etc...
EXCEPT "/access_request"...
Trying to request features through the "/access_request" access point FAILS as followed:
Status:Unauthorized, Reason:{
"key" : "glsErr.userAuthFailed",
"message" : "Authorization attempt at uri=/GlobalLicensingService/api/1.0/instances/RW0GJ2TDSZZW/preview_request failed for user (unknown) (error BadCredentialsException(Token refused due to missing key.))",
"arguments" : [ "uri=/GlobalLicensingService/api/1.0/instances/RW0GJ2TDSZZW/preview_request", "(unknown)", "BadCredentialsException", "Token refused due to missing key." ]
}
Why this call fails but all the others are successful, with the SAME Bearer token?
What to do?
Also: IS THERE ANY EXAMPLE OF ACQUIRING A FEATURE USING REST API ON FNO SERVER?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi @kiangorji ,
You will also need to consult the License Server Producer Guide for additional information. The process is:
- Generate a Public / Private Key Pair (many available tools)
- Get Authorization Token from Cloud License Server (CLS) via /authorize
- Upload the Public Key (.der format) using /rest_licensing_keys to the CLS using the Authorization Token
- Create a JSON Web Token using the Private Key from Step 1. Many available tools, https://jwt.io is easy to use.
- Send license request to /access_request using the JWT.
I have attached an example I created that should help guide you.
Best regards,
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi @kiangorji ,
That is correct. The /access_request endpoint to obtain a license from a license server (cloud or local) is one of the Cloud Monetization APIs (CMAPI). This REST API requires a Jason Web Token (JWT) for Authorization which is different from the authorization token used for License Server Management. Documentation along with examples are provided in the Cloud Monetization API Guide.
Best regards,
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
There is just a vague Python example on how to validate the response if you ask for a signed access.request.
Also "The Capability Exchange Process" and "Means to Attach the JWT to the Capability Request" have no example and are totally vague.
Is there any example of generating this token somewhere?
There's also talks about generating keys on server and all, but I can't see how that would apply to the client license server on FNO, there's nowhere to set a certificate there.
Any more precise clarification/example would really be helpful - we're stuck for those important calls.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi @kiangorji ,
You will also need to consult the License Server Producer Guide for additional information. The process is:
- Generate a Public / Private Key Pair (many available tools)
- Get Authorization Token from Cloud License Server (CLS) via /authorize
- Upload the Public Key (.der format) using /rest_licensing_keys to the CLS using the Authorization Token
- Create a JSON Web Token using the Private Key from Step 1. Many available tools, https://jwt.io is easy to use.
- Send license request to /access_request using the JWT.
I have attached an example I created that should help guide you.
Best regards,
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
This was a great answer, it makes everything much clearer.
Thanks a lot jberthold for the detailed explanation (it should be added to the CMAPI manual) and for the PDF with example too.
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
That was not my question.
I already do everything you say when I call the API and as I already explained, other API calls work fine.
My question is specifically about the call to get all "/hostids" for all cloud servers in our company. In other words, our company account "XXXX" creates multiple cloud license servers "B", "C", "D" on FNO, for each of our customers. How do I retrieve this list (B, C, D)?
At this point, the problem is about this particular REST call seemingly nonexistent on FNO.
Works for a local license server. | |
https://flexXXXX-uat.compliance.flexnetoperations.com/api/1.0/hostids | Fails for cloud server, not because of authorization but rather '404 Not Found': clearly the path "api/1.0/hostids" is incorrect. |
https://flexXXXX-uat.compliance.flexnetoperations.com/api/1.0/instances/XYZ10203040/ | Works and returns this specific instance's hostid information. But I want the list of ALL hostids we have in the cloud, not just one. |
https://flexXXXX-uat.compliance.flexnetoperations.com/api/1.0/instances/XYZ10203040/hostids | Fails (404 Not Found). |
So again, my need is to programmatically retrieve the list of ALL cloud license server hostids so that I can select one of them and programmatically perform REST operations on it. But first I need to know which hostids exist...
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
@jberthold Thanks for your sample doc. While your example works, but you give some hardcoded "sub", and I have tried to change the "sub" to any value and it seems all works. So what's the point of providing sub? it seems like all the security measure is depends on the signature. There are nothing else to check to ensure the token is valid. I also cannot find any other document to explain this token other than your samples. Can you please point me where in the "License Server Producer Guide" describe this token, what claims are required and how is the token being validated?
- Mark as New
- Subscribe
- Mute
- Permalink
- Report Inappropriate Content
Hi @fuyili ,
In the License Server Producer Guide there is an example python script for generating a JWT signed using a private key. Here's a snippet from the example:
# Setup the JWT's payload
payload = {
# Subject field must be present but content is not significant
'sub': 'Authorization',
# Claim must include 'roles' as ROLE_CAPABILITY
'roles': 'ROLE_CAPABILITY',
# Other JWT, such as expiration, are optional
'exp': datetime.datetime.utcnow() + datetime.timedelta(days=365)
}
'sub' = Subject which must be present but as state the content is not significant. The 'roles':'ROLE_CAPABILITY' is mandatory, the 'exp' is optional.
The JWT is created with the private key. FlexNet Operations uses the uploaded public key to verify the authenticity of the JWT.
Thanks,