Technical Blog Post
Troubleshooting Cisco UCS Agent problems when authenticating with Cisco UCS
The most common problems during the first configuration of a Cisco UCS Agent (v6 agent) involve authentication or a wrong Cisco URL in the configuration parameter KV6_URL.
From the user's perspective, the agent simply returns no data in the TEP workspaces, while the agent data collector log file
(named KV6_DP_<instance_name>_0.log) might show an error sequence like this:
2017-09-09 18:17:53.761 1 INFO: RequestStrings.getLoginContent: <aaaLogin inName="ucsdomain\user" inPassword="<ENCRYPTED>"/>
2017-09-09 18:17:57.330 1 CONFIG: AgentUtility.httpPostLogin: Cookie Retrieved : null
2017-09-09 18:17:57.330 1 SEVERE: FactoryInterfaceController.serviceRequests: Cookie returned NULL. Session could not be established with Cisco UCS. Please check URL, Username and Password -or- check Cisco UCS connectivity and try again.
2017-09-09 18:17:57.331 36 INFO: RequestStrings.getLogoutContent: <aaaLogout inCookie="null"/>
What to do in this case?
There are a few steps you should follow to identify possible errors in the configuration and correct them.
1) Verify whether the connection to the target Cisco UCS must use HTTP or HTTPS.
Parameter KV6_URL must be set accordingly, so if you are using HTTPS, it will look like
2) Parameter KV6_URL must have the string "/nuova" as a suffix after the hostname or IP address of the target Cisco UCS, as also shown in the previous step.
3) If you are using HTTPS, you must configure the truststore file path in parameter KV6_SSL_TRUSTSTORE_FILE_PATH. For example:
Furthermore, under specific conditions certain certificates must be imported into the truststore.
Refer to the Cisco UCS Agent User's Guide to verify whether you need to perform additional actions on the truststore so that the agent can use SSL correctly.
4) If you are using SSL, the User's Guide strongly suggests also enabling certificate validation (parameter KV6_SSL_VALIDATE_CERTIFICATES set to yes).
In this way, if the certificate is invalid or expired, the agent will not connect to the target URL.
It is an additional security protection, but if you are still failing to connect and the previous steps have already been verified, it is possible
that the certificate in the truststore is no longer valid. You can then try to temporarily disable certificate validation to check whether the agent
can connect to Cisco. Remember that you need to restart the agent every time you change the agent configuration.
Depending on the result, you can then plan the corrective steps (importing the new certificate, for example) and then enable certificate validation again.
5) Try connecting to Cisco using the Cisco UCSM from the same machine where the agent runs and using the same set of credentials; verify if it works or not.
If it also fails, the problem is of course outside of the agent and it should be investigated by the Cisco administrator.
If instead you are able to connect correctly using Cisco UCSM, there is a chance you are not using the correct string for the user domain.
Cisco UCSM shows the available domains in a drop-down list.
If you are using domain user authentication, obtain the name of the domain from the Cisco UCSM drop-down list and remember that the domain is case sensitive in the Cisco environment.
So, if the domain name is for example "DOMAIN1", in the agent configuration you must provide the domain name in uppercase as well.
Furthermore, you must prefix the domain name with the string "ucs-", even if it does not appear in the drop-down list of Cisco UCSM.
So in our example, the domain name should be: "ucs-DOMAIN1".
In the agent configuration, where we also provide the username, it will look like:
For local user authentication you don't need to provide any domain, just be sure to provide the correct user/password pair.
6) Last but not least, you can use an external tool to verify how Cisco is responding to the REST requests arriving from the agent.
In the past it was suggested to use the Poster plugin for Firefox. However, it no longer works well with the most recent Firefox versions.
I suggest using the RESTClient plugin instead.
You can download it from here
Once it is installed and running, select the POST method and provide the URL as:
In the "Body" section you must write XML like the following:
<aaaLogin inName="<domain\user>" inPassword="<Password>"/>
Of course, replace <domain\user> and <Password> with the actual values, so for example it can be something like:
<aaaLogin inName="ucs-DOMAIN1\albook" inPassword="miapasdw1234"/>
Press the Send button and then check the response in the "Response Body" tab.
If the login fails, you will find some additional details here that are not shown in the agent log, for example the errorCode and the errorDescription.
This gives a better idea of what is failing, so you can correct it quickly.
Before running RESTClient in Firefox, I would suggest opening the UCS URL https://<cisco_url> in a separate tab in the same Firefox session
and accepting any certificate errors, so that you have also removed another possible showstopper for RESTClient execution.
Depending on what you obtain from RESTClient, you may need to work with your Cisco administrator, if RESTClient also
fails to connect even though you provide the expected credentials and URL, or simply reconfigure the agent with the credentials you have verified
in RESTClient, if they differ from the ones currently used by the agent.
Hope it helps.
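The checks from steps 1, 2, 5 and 6 can also be scripted. The following is an added example, not code from the original post or from the agent: it validates a KV6_URL value, builds the aaaLogin body with the "ucs-" domain prefix, and reads the error details from a login response. The function names, the host ucs.example.com and the sample responses are constructed; the outCookie and errorDescr attribute names are assumptions based on the Cisco UCS XML API rather than on this post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr


def check_kv6_url(url):
    """Return the problems found in a KV6_URL value (empty list = none)."""
    parts = urlparse(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme must be http or https")
    if not parts.hostname:
        problems.append("missing hostname or IP address")
    if parts.path != "/nuova":
        problems.append('"/nuova" must follow the hostname or IP address')
    return problems


def login_name(user, domain=None):
    """Local users: bare user name. Domain users: ucs-<DOMAIN>\\<user>."""
    if not domain:
        return user
    if not domain.startswith("ucs-"):  # assumption: do not prefix twice
        domain = "ucs-" + domain       # case is kept exactly as given
    return domain + "\\" + user


def login_body(user, password, domain=None):
    """Build the aaaLogin body, XML-escaping both attribute values."""
    return "<aaaLogin inName=%s inPassword=%s/>" % (
        quoteattr(login_name(user, domain)), quoteattr(password))


def parse_login_response(xml_text):
    """Return (ok, error_code, error_text) without exposing the cookie."""
    root = ET.fromstring(xml_text)
    if root.get("outCookie"):
        return (True, None, None)
    # Assumption: accept either spelling of the description attribute.
    text = root.get("errorDescr") or root.get("errorDescription")
    return (False, root.get("errorCode"), text)


# Constructed sample responses, not captured from a real Cisco UCS.
SAMPLE_OK = '<aaaLogin cookie="" response="yes" outCookie="constructed-cookie"/>'
SAMPLE_FAIL = ('<aaaLogin cookie="" response="yes" errorCode="551" '
               'errorDescr="Authentication failed"/>')

if __name__ == "__main__":
    print(check_kv6_url("https://ucs.example.com"))
    print(login_body("albook", "constructed&pw", "DOMAIN1"))
    print(parse_login_response(SAMPLE_FAIL))
```

The parser returns only success or the error details, so the session cookie never ends up in terminal output or a ticket.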