Huawei eSight Open API login authentication fails

infrastructure_
Explorer

Step 1: I have to use "PUT" to log in to my system and obtain a login token. Webtools curl command only supports GET, POST and DELETE as stated in the documentation. When I choose method=put I don't get any errors in Splunk; will it work as intended?

I need to authenticate via "userid" and "value" instead of user and password. I tried to put this information in the data field like this, but it didn't work:

| makeresults count=1
| eval data="{\"userid\":\"ApiUser\",\"value\":\"password\"}"
| curl method=put uri=https://x.x.x.x:32102/rest/openapi/sm/session
| table curl*

The developer @jkat54 suggested that the Huawei system might want the username and password as parameters and I might have to urlencode them so I tried these:

uri=https://x.x.x.x:32102/rest/openapi/sm/session/?userid=ApiUser&value=password
uri=https://x.x.x.x:32102/rest/openapi/sm/session/%3Fuserid%3DApiUser%26value%3Dpassword
uri=https://x.x.x.x:32102/rest/openapi/sm/session/?userid%3DApiUser&value%3Dpassword
uri=https://x.x.x.x:32102/rest/openapi/sm/session/%3Fuserid=ApiUser%26value=password
I also tried uri=.../?xxx and uri=...?xxx

When I use Splunk and any variation of the curl command listed above the logs on the Huawei system show "Open API request from third system, URL: /rest/openapi/sm/session, error message: Authentication failed." and it shows username as "Invalid User".

If I connect to the API via another method the login succeeds. Whenever I input a wrong password or username, the chosen username will be displayed in the logs and the error message is "Failure reason: The user name does not match the password or the account does not exist."

Therefore it's not a wrong username or password error when using the curl command.

Step 2: After I obtain a session token with the above search (assuming it's working), I can use this token to query the API via executing additional curl commands. How would I do that in a Splunk search?

This is an excerpt from the documentation of the system's API to gain an access token:

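/*
 * Log in Example
 */
// GlobalVar and NewHttpsAccess are helper classes that are not part of this excerpt.
import java.util.ArrayList;
import java.util.List;

import org.apache.http.HttpResponse;
import org.apache.http.message.BasicNameValuePair;

// JSONObject.fromObject is the json-lib API.
import net.sf.json.JSONObject;

public class Login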
{ 
    public static void main(String[] args) throws Exception 
    {  
      login();
    }

    public static void login() throws Exception
    {
        //set the URL and method
        final String openidURL = "/rest/openapi/sm/session";
        final String method = "PUT";
        //set parameters
        final List<BasicNameValuePair> parameters = new ArrayList<BasicNameValuePair>();
        parameters.add(new BasicNameValuePair("userid", GlobalVar.GLOBAL_USERNAME));
        parameters.add(new BasicNameValuePair("value", GlobalVar.GLOBAL_USERVALUE));
        parameters.add(new BasicNameValuePair("ipaddr", GlobalVar.GLOBAL_USERIP));
        //send the request
        final HttpResponse response = NewHttpsAccess.access(GlobalVar.GLOBAL_IP,
                GlobalVar.GLOBAL_PORT,
                openidURL,
                method,
                null,
                parameters);
        //get the result
        final String ret = NewHttpsAccess.getResult(response);
        System.out.println(ret);
        //resolve the result and get the openid
        final JSONObject jObject = JSONObject.fromObject(ret);
        if (null == jObject)
        {
            System.out.println("Login failed.");
            return;
        }
        if ("0".equals(String.valueOf(jObject.get("code"))))
        {
            final String openid = String.valueOf(jObject.get("data"));
            GlobalVar.globalOpenid = openid;
        }
    }
}

jkat54
SplunkTrust

Hey thanks for the awesome post!

I have a code fix for you in version 1.2.5: https://splunkbase.splunk.com/app/4146/

Here's where the code was buggy:

As always, thank you for your support and if you like my apps, please leave a review on splunkbase, share some karma, or if you're super impressed, write a review for me on linkedin. Thanks again!

0 Karma

infrastructure_
Explorer

Thanks, but that didn't fix the problem. I added a PUT method to your curl.py and the connection can now be established.

0 Karma

jkat54
SplunkTrust

That was my next idea...

0 Karma

jkat54
SplunkTrust

I just added it to the app via version 1.2.6. Please do enjoy.

0 Karma
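
For comparison with the attempts in this thread, an added Python example (not from the thread, the Webtools app or Huawei's documentation) of the login call the Java excerpt describes: a PUT whose `userid`/`value` pairs are form-encoded in the request body, so the password stays out of the URL and out of URL-based logs, with the reply checked the way the excerpt does (`code` equal to 0, token in `data`). Sending the pairs as a form-encoded body is an assumption, since the excerpt does not show how `NewHttpsAccess` transmits them; the function names and sample values are also assumptions.

```python
import json
import urllib.parse
import urllib.request

LOGIN_PATH = "/rest/openapi/sm/session"  # path taken from the documentation excerpt


def build_login_request(host, port, userid, value):
    """Build the PUT login request with credentials in the body, not the URL.

    Assumption: the server accepts application/x-www-form-urlencoded pairs.
    """
    # urlencode escapes characters such as & and = inside the password,
    # so they cannot be misread as parameter separators.
    body = urllib.parse.urlencode({"userid": userid, "value": value}).encode()
    return urllib.request.Request(
        f"https://{host}:{port}{LOGIN_PATH}",
        data=body,
        method="PUT",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_login_response(text):
    """Return the session token (openid) or None, mirroring the Java check."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    # The excerpt treats code "0" as success and reads the token from "data".
    if not isinstance(obj, dict) or str(obj.get("code")) != "0":
        return None
    return str(obj["data"]) if obj.get("data") is not None else None


def login(host, port, userid, value, context=None):
    """Send the request; pass an ssl.SSLContext that trusts the appliance's CA."""
    req = build_login_request(host, port, userid, value)
    with urllib.request.urlopen(req, timeout=10, context=context) as resp:
        return parse_login_response(resp.read().decode("utf-8", "replace"))
```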