For an upcoming engagement I have been looking at the options for managing VIO (VMware Integrated Openstack) via its APIs.
While trying it out in a lab environment I found myself stuck at the very first hurdle, I couldn’t get my login request to succeed. Without the access cookie I wouldn’t be able to do anything else. The VMware documentation for VIO has a page outlining how to use the APIs but this wasn’t working for me when I tried to use Postman or curl. Curl was returning a 401 Unauthorized code with an error message about password not being a recognised internal or external command (this was on a Windows machine). Postman was simply returning the 401 Unauthorized code.
After some trial and error using verbose mode in curl, and referring to this documentation page I managed to get a successful connection in curl. The solution was to place the credentials into quotes (don’t fall into the trap I did of using a different VMware page showing an example of using the api commands via curl with single quote marks) so that the command became the following:
curl -k -v -X POST https://192.168.110.100:8443/login -d "firstname.lastname@example.org&password=VMware1!"
Within the output of the command there is a line
This is the cookie returned by the management server which can be used within subsequent API calls to confirm that the session is authenticated.
So now curl was working, but Postman was still failing with a 401 error. Looking at the contents of the successful verbose call via curl I noticed that it was setting a header of:
Adding this to Postman and setting the request body without using quotes to
Provided a successful connection, and the JSESSIONID value is shown in the response cookies.
Now The JSESSIONID cookie value can be passed to future api calls using the -b option in curl, for example to list the VIO clusters registered with the management server:
curl -k -v https://192.168.110.100:8443/v1/clusters -b JSESSIONID=7C233CE2BE8D4DF44B28B258E89;
Or in Postman by setting a header named Cookie:
Remember to include the semicolon on the end of the value in both methods or you will receive a 401 Unauthorized error again.