Huawei eSight Open API login authentication fails

infrastructure_
Explorer

Step 1: I have to use "PUT" to log in to my system and obtain a login token. The Webtools curl command only supports GET, POST and DELETE, as stated in the documentation. When I choose method=put I don't get any errors in Splunk; will it work as intended?

I need to authenticate via "userid" and "value" instead of user and password. I tried to put this information in the datafield like this, but it didn't work:

| makeresults count=1
| eval data="{\"userid\":\"ApiUser\",\"value\":\"password\"}"
| curl method=put uri=https://x.x.x.x:32102/rest/openapi/sm/session
| table curl*

The developer @jkat54 suggested that the Huawei system might want the username and password as parameters and that I might have to URL-encode them, so I tried these:

uri=https://x.x.x.x:32102/rest/openapi/sm/session/?userid=ApiUser&value=password
uri=https://x.x.x.x:32102/rest/openapi/sm/session/%3Fuserid%3DApiUser%26value%3Dpassword
uri=https://x.x.x.x:32102/rest/openapi/sm/session/?userid%3DApiUser&value%3Dpassword
uri=https://x.x.x.x:32102/rest/openapi/sm/session/%3Fuserid=ApiUser%26value=password
I also tried uri=.../?xxx and uri=...?xxx

When I use Splunk and any variation of the curl command listed above the logs on the Huawei system show "Open API request from third system, URL: /rest/openapi/sm/session, error message: Authentication failed." and it shows username as "Invalid User".

If I connect to the API via another method the login succeeds. Whenever I input a wrong password or username, the chosen username will be displayed in the logs and the error message is "Failure reason: The user name does not match the password or the account does not exist."

Therefore it's not a wrong username or password error when using the curl command.

Step 2: After I obtain a session token with the above search (assuming it's working), I can use this token to query the API via executing additional curl commands. How would I do that in a Splunk search?

This is an excerpt from the documentation of the system's API to gain an access token:

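/*
 * Log in Example
 */
// Imports added for completeness; JSONObject.fromObject matches json-lib (net.sf.json).
// GlobalVar and NewHttpsAccess are helper classes not shown in this excerpt.
import java.util.ArrayList;
import java.util.List;
import net.sf.json.JSONObject;
import org.apache.http.HttpResponse;
import org.apache.http.message.BasicNameValuePair;

public class Login
{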
    public static void main(String[] args) throws Exception 
    {  
      login();
    }

    public static void login() throws Exception
    {
        //set the URL and method
        final String openidURL = "/rest/openapi/sm/session";
        final String method = "PUT";
        //set parameters
        final List<BasicNameValuePair> parameters = new ArrayList<BasicNameValuePair>();
        parameters.add(new BasicNameValuePair("userid", GlobalVar.GLOBAL_USERNAME));
        parameters.add(new BasicNameValuePair("value", GlobalVar.GLOBAL_USERVALUE));
        parameters.add(new BasicNameValuePair("ipaddr", GlobalVar.GLOBAL_USERIP));
        //send the request
        final HttpResponse response = NewHttpsAccess.access(GlobalVar.GLOBAL_IP,
                GlobalVar.GLOBAL_PORT,
                openidURL,
                method,
                null,
                parameters);
        //get the result
        final String ret = NewHttpsAccess.getResult(response);
        System.out.println(ret);
        //resolve the result and get the openid
        final JSONObject jObject = JSONObject.fromObject(ret);
        if (null == jObject)
        {
            System.out.println("Login failed.");
            return;
        }
        if ("0".equals(String.valueOf(jObject.get("code"))))
        {
            final String openid = String.valueOf(jObject.get("data"));
            GlobalVar.globalOpenid = openid;
        }
    }
}

jkat54
SplunkTrust

Hey thanks for the awesome post!

I have a code fix for you in version 1.2.5: https://splunkbase.splunk.com/app/4146/

Here's where the code was buggy:

As always, thank you for your support and if you like my apps, please leave a review on Splunkbase, share some karma, or if you're super impressed, write a review for me on LinkedIn. Thanks again!

0 Karma

infrastructure_
Explorer

Thanks, but that didn't fix the problem. I added a PUT method to your curl.py and the connection can now be established.

0 Karma

jkat54
SplunkTrust

That was my next idea...

0 Karma

jkat54
SplunkTrust

I just added it to the app via version 1.2.6. Please do enjoy.

0 Karma
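
An added example, not part of the thread and not the Webtools app's code: a Python sketch of the login request from the vendor excerpt, built as a PUT whose `userid`/`value` pairs are form-encoded in the body rather than placed in the URL, where a password would land in proxy and access logs. It assumes the excerpt's name/value parameters travel as a form body (the excerpt does not show this); the function names, host and credentials are constructed, and the request is built but never sent.

```python
import json
import urllib.parse
import urllib.request

SESSION_PATH = "/rest/openapi/sm/session"  # path from the vendor excerpt


def build_login_request(host, port, userid, value):
    """Build (not send) the PUT login request with form-encoded parameters."""
    # Assumption: the name/value pairs travel as a form-encoded body.
    body = urllib.parse.urlencode({"userid": userid, "value": value}).encode()
    return urllib.request.Request(
        f"https://{host}:{port}{SESSION_PATH}",
        data=body,
        method="PUT",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_login_response(text):
    """Return the session token when code == "0", else None (as in the excerpt)."""
    try:
        obj = json.loads(text)
    except ValueError:
        return None
    if not isinstance(obj, dict) or str(obj.get("code")) != "0":
        return None
    data = obj.get("data")
    return str(data) if data else None


def redact(req):
    """One-line log form of the request that never includes the secret."""
    fields = urllib.parse.parse_qs(req.data.decode())
    shown = {k: ("***" if k == "value" else v[0]) for k, v in fields.items()}
    return f"{req.get_method()} {req.full_url} {shown}"


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    req = build_login_request("192.0.2.10", 32102, "ApiUser", "p@ss&word=1")
    print(redact(req))
    # Constructed response shaped like the excerpt's code/data fields.
    print(parse_login_response('{"code": 0, "data": "constructed-token"}'))
```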