cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
kiangorji
Level 3

REST API "Token refused due to missing key" for /access_request

Jump to solution

I am access the REST API of an FNO license server.
I set a password on the license server on FNO and I can successfully authenticate.
I receive a Bearer token, which allows me to make almost any REST calls such as "/features", "/hosts", etc...

EXCEPT "/access_request"...

Trying to request features through the "/access_request" access point FAILS as followed:

Status:Unauthorized, Reason:{
  "key" : "glsErr.userAuthFailed",
  "message" : "Authorization attempt at uri=/GlobalLicensingService/api/1.0/instances/RW0GJ2TDSZZW/preview_request failed for user (unknown) (error BadCredentialsException(Token refused due to missing key.))",
  "arguments" : [ "uri=/GlobalLicensingService/api/1.0/instances/RW0GJ2TDSZZW/preview_request", "(unknown)", "BadCredentialsException", "Token refused due to missing key." ]
}

Why this call fails but all the others are successful, with the SAME Bearer token?

What to do?

Also: IS THERE ANY EXAMPLE OF ACQUIRING A FEATURE USING REST API ON FNO SERVER?

 

0 Kudos
(2) Solutions
jberthold
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @kiangorji ,

You will also need to consult the License Server Producer Guide for additional information.  The process is:

  1. Generate a Public / Private Key Pair (many available tools)
  2. Get Authorization Token from Cloud License Server (CLS) via /authorize
  3. Upload the Public Key (.der format) using /rest_licensing_keys to the CLS using the Authorization Token
  4. Create a JSON Web Token using the Private Key from Step 1.  Many available tools, https://jwt.io is easy to use.
  5. Send license request to /access_request using the JWT.

I have attached an example I created that should help guide you.

Best regards,

View solution in original post

0 Kudos
jberthold
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @kiangorji ,

You created a separate post for this last question which I just answered.

Thanks,

View solution in original post

0 Kudos
(8) Replies
jberthold
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @kiangorji ,

That is correct.  The /access_request  endpoint to obtain a license from a license server (cloud or local) is one of the Cloud Monetization APIs (CMAPI).  This REST API requires a Jason Web Token (JWT) for Authorization which is different from the authorization token used for License Server Management.  Documentation along  with examples are provided in the Cloud Monetization API Guide. 

Best regards,

   

0 Kudos
I have the CMAPI 2019R2 guide that I'm following and I do not see any example on HOW to GENERATE this token for the request.
There is just a vague Python example on how to validate the response if you ask for a signed access.request.
Also "The Capability Exchange Process" and "Means to Attach the JWT to the Capability Request" have no example and are totally vague.
Is there any example of generating this token somewhere?
There's also talks about generating keys on server and all, but I can't see how that would apply to the client license server on FNO, there's nowhere to set a certificate there.

Any more precise clarification/example would really be helpful - we're stuck for those important calls.
0 Kudos
jberthold
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @kiangorji ,

You will also need to consult the License Server Producer Guide for additional information.  The process is:

  1. Generate a Public / Private Key Pair (many available tools)
  2. Get Authorization Token from Cloud License Server (CLS) via /authorize
  3. Upload the Public Key (.der format) using /rest_licensing_keys to the CLS using the Authorization Token
  4. Create a JSON Web Token using the Private Key from Step 1.  Many available tools, https://jwt.io is easy to use.
  5. Send license request to /access_request using the JWT.

I have attached an example I created that should help guide you.

Best regards,

0 Kudos

This was a great answer, it makes everything much clearer.

Thanks a lot jberthold for the detailed explanation (it should be added to the CMAPI manual) and for the PDF with example too.

 

0 Kudos

That was not my question. 

I already do everything you say when I call the API and as I already explained, other API calls work fine.

My question is specifically about the call to get all "/hostids" for all cloud servers in our company. In other words, our company account "XXXX" creates multiple cloud license servers "B", "C", "D" on FNO, for each of our customers. How do I retrieve this list (B, C, D)

At this point, the problem is about this particular REST call seemingly nonexistent on FNO.

http://localserverUrl/api/1.0/hostids

Works for a local license server.
https://flexXXXX-uat.compliance.flexnetoperations.com/api/1.0/hostidsFails for cloud server, not because of authorization but rather '404 Not Found': clearly the path "api/1.0/hostids" is incorrect.
https://flexXXXX-uat.compliance.flexnetoperations.com/api/1.0/instances/XYZ10203040/Works and returns this specific instance's hostid  information. But I want the list of ALL hostids we have in the cloud, not just one. 
https://flexXXXX-uat.compliance.flexnetoperations.com/api/1.0/instances/XYZ10203040/hostidsFails (404 Not Found). 

 

So again, my need is to programmatically retrieve the list of ALL cloud license server hostids so that I can select one of them and programmatically perform REST operations on it. But first I need to know which hostids exist...

0 Kudos
jberthold
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @kiangorji ,

You created a separate post for this last question which I just answered.

Thanks,

0 Kudos

@jberthold  Thanks for your sample doc. While your example works, but you give some hardcoded "sub", and I have tried to change the "sub" to any value and it seems all works. So what's the point of providing sub?  it seems like all the security measure is depends on the signature. There are nothing else to check to ensure the token is valid. I also cannot find any other document to explain this token other than your samples. Can you please point me where in the "License Server Producer Guide" describe this token, what claims are required  and how is the token being validated?

0 Kudos
jberthold
Revenera Moderator Revenera Moderator
Revenera Moderator

Hi @fuyili ,

In the License Server Producer Guide there is an example python script for generating a JWT signed using a private key.  Here's a snippet from the example:

# Setup the JWT's payload
payload = {
       # Subject field must be present but content is not significant
       'sub': 'Authorization',
       # Claim must include 'roles' as ROLE_CAPABILITY
       'roles': 'ROLE_CAPABILITY',
       # Other JWT, such as expiration, are optional
       'exp': datetime.datetime.utcnow() + datetime.timedelta(days=365)
}

'sub' = Subject  which must be present but as state the content is not significant.  The 'roles':'ROLE_CAPABILITY' is mandatory, the 'exp' is optional.

The JWT is created with the private key.  FlexNet Operations uses the uploaded public key to verify the authenticity of the JWT.

Thanks,

 

0 Kudos