AnsweredAssumed Answered

Problems accessing Asset View / Asset Management API

Question asked by strasser on May 18, 2020
Latest reply on May 20, 2020 by strasser

Dear Qualys Community

 

I'm reaching out to you concerning issues I have with accessing the AssetView / Asset Management API.

 

  • I can use the v1 and v2 VM/PC API without any problems.
  • When trying to access the AM API, I keep on getting "Authentication Failed" error messages.

 

<?xml version="1.0" encoding="UTF-8"?>
<ServiceResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://qualysapi.qualys.eu/qps/xsd/2.0/am/hostasset.xsd">
  <responseCode>INVALID_CREDENTIALS</responseCode>
  <responseErrorDetails>
    <errorMessage>Authentication Failed</errorMessage>
    <errorResolution>Verify both 'user' and 'password' credentials.</errorResolution>
  </responseErrorDetails>
</ServiceResponse>

 

Here's the example script doing three API calls

  • VM/PC v1 API -> works
  • VM/PC v2 API -> works
  •  AM API -> fails

 

Please be aware that we use two-factor authentication with username / password plus client certificates through a proxy. Therefore we use the certs.qualys.eu URLs. However, you can ignore these aspects, since the TLS handshake works well for all three calls, so the error must be coming from somewhere else…

 

# Server and API URLs / URIs
$baseURL = "https://certs.qualys.eu/"
$APIVMv1URI = "https://certs.qualys.eu/msp"
$APIVMv2URI = "https://certs.qualys.eu/api/2.0/fo"
$APIAMURI = "https://certs.qualys.eu/qps/rest/2.0"

# Authentication Credentials
$thumbprint = "3EAEDCE020CBEF18CE8B74D0667A7FCB462D2203"
$username = "username"
$password = "password"
$qualysBasicAuth = $pair = "$($qualysUsername):$($qualysPassword)"
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($qualysBasicAuth))
$basicAuthValue = "Basic $encodedCreds"
$certificate = Get-ChildItem -Path cert:\CurrentUser\My\$thumbprint
$assetid = "33267945"

$Headers = @{
Authorization = $basicAuthValue
"X-Requested-With"="powershell"
}

$ProxyUri = [Uri]$null
$Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
if ($Proxy) {
   $Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
   $ProxyUri = $Proxy.GetProxy("$baseURL")
   [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

   # VM API v1 call
   $response = Invoke-RestMethod -Headers $Headers -Uri "$APIVMv1URI/ticket_list.php?since_ticket_number=46000" -Method Post -Proxy $proxyUri -ProxyUseDefaultCredentials -Certificate $certificate
   write-host $response.InnerXml

   # VM API v2 call
  # Log in
  $body = "action=login&username=$qualysUsername&password=$qualysPassword"
   $websession = $null
   $response = Invoke-RestMethod -Headers $Headers -Uri "$APIVMv2URI/session/" -Method Post -Body $body -Proxy $proxyUri -ProxyUseDefaultCredentials -Certificate $certificate -SessionVariable websession
   write-host $response.InnerXml
   # API call
   $response = Invoke-RestMethod -Headers $Headers -Uri "$APIVMv2URI/asset/host/?action=list&truncation_limit=100" -Method Post -Proxy $proxyUri -ProxyUseDefaultCredentials -WebSession $websession
   write-host $response.InnerXml
   # Log out
   $response = Invoke-RestMethod -Headers $Headers -Uri "$APIVMv2URI/session/?action=logout" -Method Post -Proxy $proxyUri -ProxyUseDefaultCredentials -WebSession $websession
   write-host $response.InnerXml

   # AM API call
   $response = Invoke-RestMethod -Headers $Headers -ContentType "text/xml" -Uri "$APIAMURI/get/am/hostasset/$assetid" -Method Get -Proxy $proxyUri -ProxyUseDefaultCredentials -Certificate $certificate
   write $response.InnerXml
}

Outcomes