NetWorker REST API: How to use a remote AUTHC server when processing RESTAPI requests
Summary: In environments with multiple NetWorker datazones, NetWorker authentication may be configured through a single authc server. This KB explains how to use a header to direct NetWorker REST API calls to the designated authc server instead of the server in the API URI. ...
Instructions
The NetWorker Representational State Transfer (REST) Application Programming Interface (API) is used to access the NetWorker data protection service. All NetWorker servers include the NetWorker Authentication (AUTHC) function. In multiserver environments, only one AUTHC server may process NetWorker authentication. This can be environment and configuration-specific. In such scenarios, it may be necessary to specify the "AUTHC" server during API requests. This configuration is referred to as a "remote AUTHC server" in this article. If the remote AUTHC server is not specified in the API call, it may fail with HTTP errors suggesting invalid credentials, unauthorized access, or missing permissions. The NetWorker REST API v3 interface and newer can include the AUTHC server with a custom header. This article provides information on how to determine which host is the AUTHC server used by the NetWorker Management Console (NMC), and how to use the X-NW-AUTHC-BASE-URL API header.
Using a "remote AUTHC server" for REST API:
The key value should provide the AUTHC server IP address or fully qualified domain name (FQDN) and the AUTHC port (default=9090):
Key: X-NW-AUTHC-BASE-URL Value: REMOTE_AUTHC_SERVER_ADDRESS:9090
Let us compare REST API authentication with NetWorker Management Console (NMC) and NetWorker Web User Interface (NWUI) authentication to better understand NetWorker authentication. Each NetWorker server has its own AUTHC server; however, this may not be the host where local NetWorker users or external (AD/LDAP) users have been configured. This varies depending on how the NetWorker environment is configured.
- NMC: NMC authentication is configured during installation (Windows) and post installation (Linux). An AUTHC server is specified during the deployment and all authentication requests are directed to the AUTHC host. It is possible for one AUTHC host to be managing the requests for multiple NetWorker servers. The AUTHC host is defined as the authsvc_hostname in the NMC server's gstd.conf file:
  - Linux: /opt/lgtonmc/etc/gstd.conf
  - Windows (Default): C:\Program Files\EMC NetWorker\Management\GST\etc\gstd.conf
- NWUI: NWUI authentication is configured during installation (Windows) and post installation (Linux). An AUTHC server is specified during the deployment and all authentication requests are directed to the AUTHC host. It is possible for one AUTHC host to be managing the requests for multiple NetWorker servers. The remote authentication server can typically be identified from an nsradmin prompt on the NetWorker server:
nsradmin
show name; external roles
print type: nsr usergroup; name: Application Administrators
# nsradmin
NetWorker administration program.
Use the "help" command for help, "visual" for full-screen mode.
nsradmin> show name; external roles
nsradmin> print type: nsr usergroup; name: application administrators
name: Application Administrators;
external roles: \
"cn=Administrators,cn=Groups,dc=nve,dc=networker,dc=lan",
"cn=Administrators,cn=Groups,dc=WIN-SRVR02,dc=networker,dc=lan",
"CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan";
nsradmin>
"nve" is the local authentication server on the NetWorker server, and "WIN-SRVR02" is a remote AUTHC server where Active Directory has been added. We can also see that an AD group, "NetWorker_Admins", is specified.
- REST API: REST API does not have its own configuration file. The authentication is performed against the NetWorker server specified in the URL. In order to use a different AUTHC server from the NetWorker server's local AUTHC instance for the REST API, the AUTHC server must be specified in the REST API request.
Key: X-NW-AUTHC-BASE-URL Value: REMOTE_AUTHC_SERVER_ADDRESS:9090
Syntax:
curl -k --header "X-NW-AUTHC-BASE-URL:REMOTE_AUTHC_SERVER_ADDRESS:9090" --user USER_ACCOUNT "https://NETWORKER_SERVER_ADDRESS:9090/nwrestapi/v3/global/"
Example:
nve:~ # curl -v -k --header "X-NW-AUTHC-BASE-URL:win-srvr02.networker.lan:9090" --user "networker.lan\bkupadmin" "https://nve.networker.lan:9090/nwrestapi/v3/global/jobs"
Enter host password for user 'networker.lan\bkupadmin':
* Trying 192.168.0.4:9090...
* Connected to nve.networker.lan (192.168.0.4) port 9090 (#0)
..
* Server auth using Basic with user 'networker.lan\bkupadmin'
> GET /nwrestapi/v3/global/jobs HTTP/1.1
> Host: nve.networker.lan:9090
...
> X-NW-AUTHC-BASE-URL:win-srvr02.networker.lan:9090
>
< HTTP/1.1 200
...
<
{"count":471,"jobs":[{JOBDSB JSON CONTENT}]
The request above is sent to the NetWorker server "nve.networker.lan" to return the JOBSDB. In the request, we are using the AUTHC host "win-srvr02.networker.lan" to process the authentication of the domain user "networker.lan\bkupadmin". The output has been edited; however, we can see that status 200 (success) is returned along with the contents of the JOBSDB. To use an external user (AD/LDAP), it must be integrated on the AUTHC server, with appropriate permissions assigned to the AD user or groups.
See: NetWorker: How To Set up AD/LDAP Authentication
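The two steps above (finding the AUTHC host in the nsradmin output, then sending it in the X-NW-AUTHC-BASE-URL header) can be scripted as follows. This is an added example, not Dell code; the function names, the sample variable and the CA file path are assumptions, and it validates the server certificate with --cacert rather than using -k.

```shell
#!/bin/sh
# Added example, not Dell code. SAMPLE_ROLES is constructed from the
# "external roles" values shown in the nsradmin output above.
SAMPLE_ROLES='"cn=Administrators,cn=Groups,dc=nve,dc=networker,dc=lan",
"cn=Administrators,cn=Groups,dc=WIN-SRVR02,dc=networker,dc=lan",
"CN=NetWorker_Admins,OU=DELL,dc=networker,dc=lan";'

# Print the AUTHC host names referenced by an "external roles" value.
# Assumption: AUTHC groups look like cn=<group>,cn=Groups,dc=<authc host>,...
# as in the output above; AD/LDAP DNs without cn=Groups are skipped.
authc_hosts_from_roles() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*"cn=[^,]*,cn=Groups,dc=\([^,]*\),.*/\1/p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# Build the header. Only host-name/IPv4 characters and a numeric port are
# accepted, so a value with spaces or line breaks cannot add extra headers.
authc_header() {
    host=$1 port=${2:-9090}
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    printf 'X-NW-AUTHC-BASE-URL:%s:%s' "$host" "$port"
}

# Same request as the syntax line above, but the server certificate is
# checked against CA_FILE instead of using -k, because the Basic credentials
# travel in this request. curl prompts for the password (no ":password").
# --fail makes HTTP errors (for example 401) return a non-zero exit status.
nw_get() {  # nw_get NETWORKER_SERVER AUTHC_HOST USER CA_FILE RESOURCE
    hdr=$(authc_header "$2") || { echo "invalid AUTHC host: $2" >&2; return 2; }
    curl --fail --cacert "$4" --header "$hdr" --user "$3" \
        "https://$1:9090/nwrestapi/v3/global/$5"
}

# Usage (CA path is a placeholder):
# nw_get nve.networker.lan win-srvr02.networker.lan \
#     'networker.lan\bkupadmin' /path/to/ca.pem jobs
```

The names printed by authc_hosts_from_roles are short host names as they appear in the role DNs; use the address that resolves from the NetWorker server when calling nw_get.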
Logs:
Authentication Server:
Linux: /nsr/authc/logs
Windows: C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\logs
REST API (NetWorker Server):
Linux: /nsr/logs/restapi/restapi.log
Windows: C:\Program Files\EMC NetWorker\nsr\logs\restapi\restapi.log
Additional Information
NetWorker: How to Enable REST API Debugging
NetWorker REST API Triage Guide