NetWorker REST API: How to use a remote AUTHC server when processing RESTAPI requests

Summary: In environments with multiple NetWorker datazones, NetWorker authentication may be configured through a single authc server. This KB explains how to use a header to direct NetWorker REST API calls to the designated authc server instead of the server in the API URI. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

The NetWorker REST API interface is being used to programmatically access the NetWorker data protection service. The NetWorker Authentication Service (authc) is configured on a remote NetWorker Server, so the NetWorker REST API request must include the authc information. The NetWorker REST API v3 interface and newer can include the authc server with a custom header. The key value should provide the authc server IP address or fully qualified domain name (FQDN) and the authc port (default=9090):

Key: X-NW-AUTHC-BASE-URL
Value: REMOTE_AUTHC_SERVER_ADDRESS:9090

Let us compare REST API authentication with NetWorker Management Console (NMC) and NetWorker Web User Interface (NWUI) authentication to better understand NetWorker authentication. Each NetWorker server has its own authentication server; however, this may not be the host where local NetWorker users or external (AD/LDAP) users have been configured. This varies depending on how the NetWorker environment is configured.

  • NMC: NMC authentication is configured during installation (Windows) and post installation (Linux). An authc server is specified during the deployment and all authentication requests are directed to the authc host. It is possible for one authc host to be managing the requests for multiple NetWorker servers. The authc host is defined as the authsvc_hostname in the NMC server's gstd.conf file:
    • Linux: /opt/lgtonmc/etc/gstd.conf
    • Windows: C:\Program Files\EMC NetWorker\Management\GST\etc\gstd.conf
  • NWUI: NWUI authentication is configured during installation (Windows) and post installation (Linux). An authc server is specified during the deployment and all authentication requests are directed to the authc host. It is possible for one authc host to be managing the requests for multiple NetWorker servers. The remote authentications server can typically be identified from a nsradmin prompt on the NetWorker server:
nsradmin
show name; external roles
print type: nsr usergroup; name: Application Administrators
Example: 
# nsradmin
NetWorker administration program.
Use the "help" command for help, "visual" for full-screen mode.
nsradmin> show name; external roles
nsradmin> print type: nsr usergroup; name: application administrators
                        name: Application Administrators;
              external roles: \
"cn=Administrators,cn=Groups,dc=nve,dc=networker,dc=lan",
"cn=Administrators,cn=Groups,dc=WIN-SRVR02,dc=networker,dc=lan",
"CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan";
nsradmin>
In this example, "nve" is the local authentication server on the NetWorker server, and "WIN-SRVR02" is a remote authc server where Active Directory has been added. We can also see that there is an AD group specified "NetWorker_Admins"
  • REST API: REST API does not have its own configuration file. The authentication is performed against the NetWorker server specified in the URL. In order to use a different authc server from the NetWorker server's local authc instance for REST API, the authc server must be specified in the REST API request.
Key: X-NW-AUTHC-BASE-URL
Value: REMOTE_AUTHC_SERVER_ADDRESS:9090

Syntax:

curl -k --header "X-NW-AUTHC-BASE-URL:REMOTE_AUTHC_SERVER_ADDRESS:9090" --user USER_ACCOUNT "https://NETWORKER_SERVER_ADDRESS:9090/nwrestapi/v3/global/"

Example:

nve:~ # curl -v -k --header "X-NW-AUTHC-BASE-URL:win-srvr02.networker.lan:9090" --user "networker.lan\bkupadmin" "https://nve.networker.lan:9090/nwrestapi/v3/global/jobs"
Enter host password for user 'networker.lan\bkupadmin':
*   Trying 192.168.0.4:9090...
* Connected to nve.networker.lan (192.168.0.4) port 9090 (#0)
..
* Server auth using Basic with user 'networker.lan\bkupadmin'
> GET /nwrestapi/v3/global/jobs HTTP/1.1
> Host: nve.networker.lan:9090
...
> X-NW-AUTHC-BASE-URL:win-srvr02.networker.lan:9090
>
< HTTP/1.1 200
...
<
{"count":471,"jobs":[{JOBDSB JSON CONTENT}]
NOTE: In this example, we are sending a GET request to the NetWorker server "nve.networker.lan" to return the jobsdb. In the request, we are using the authc host "win-srvr02.networker.lan" to process the authentication of domain user "networker.lan\bkupadmin". The output has been edited; however, we can see that status 200 (success) is returned and the contents of the jobsdb is returned. In order to use an external user (AD/LDAP), it must be integrated on the authc server, with appropriate permissions designated to the AD user or groups. NetWorker: How To Set up AD/LDAP Authentication

Logs:

Authentication Server:

Linux: /nsr/authc/logs
Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\logs

REST API (NetWorker Server):

Linux: /nsr/logs/restapi/restapi.log
Windows: C:\Program Files\EMC NetWorker\nsr\logs\restapi\restapi.log

Additional Information

NetWorker: How To Enable AUTHC DEBUG for Troubleshooting Purposes
NetWorker: How to Enable REST API Debugging
NetWorker REST API Triage Guide

Affected Products

NetWorker

Products

NetWorker
Article Properties
Article Number: 000011247
Article Type: How To
Last Modified: 04 Mar 2025
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.