
ISE 3.2 system_certificate_export_info returns HTTP 400 `HostName should not be null`

Open chetanph opened this issue 1 year ago • 3 comments

Prerequisites

  • [x] Have you tested the operation in the API directly?
  • [x] Do you have the latest ISE Collection version?
  • [x] Review the compatibility matrix before opening an issue.

Describe the bug

ISE 3.2 requires a new hostName field when exporting a system certificate. This field is missing from the cisco.ise.system_certificate_export_info module.

Expected behavior

cisco.ise.system_certificate_export_info must support a required hostName field.

Screenshots

Here's the screenshot of the OpenAPI spec from the ISE node:

URL: https://<ISE-Node-IP>/api/swagger-ui/index.html?urls.primaryName=Certificates#/Certificates/exportSystemCert

[Screenshot: ISE-3-2-system-certificate-export-requires-hostName]

CURL example:

Find the ID of a system certificate on ISE using a curl command like this:

  • ISE node hostname in this example is "soar-psn02"
  • System certificate friendly name is "certificate-friendly-name"

```
curl -vvv --insecure \
  -H 'Accept: application/json' \
  -H 'Content-type: application/json' \
  -u 'apiuser:XXXXXXXXXX' \
'https://ise.example.org/api/v1/certs/system-certificate/soar-psn02?filter=friendlyName.EQ.certificate-friendly-name'
> GET /api/v1/certs/system-certificate/soar-psn02?filter=friendlyName.EQ.certificate-friendly-name HTTP/1.1
> Host: ise.example.org
> Authorization: Basic XXXXXXXXXX
> User-Agent: curl/8.1.2
> Accept: application/json
> Content-type: application/json
>

< HTTP/1.1 200
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache, no-store, must-revalidate
< Set-Cookie: JSESSIONIDSSO=37E92B8D0FF41CDB089591793AA84789; Path=/; Secure; HttpOnly
< Set-Cookie: APPSESSIONID=25DB0B6C8701BCCC892A5711474D40C3; Path=/api; Secure; HttpOnly
< Pragma: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Request-ID: a32644f0-34a0-11ee-a837-7ea51f4e70b7
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< X-XSS-Protection: 1; mode=block
< vary: accept-encoding
< Date: Sun, 06 Aug 2023 21:31:43 GMT
< Server:
<
{
  "response" : [ {
    "id" : "b16f7d74-433e-4603-8d27-6cd1f1b6bc81",
    "friendlyName" : "certificate-friendly-name",
    "serialNumberDecimalFormat" : "376647349526249031727061861550528501832581880022",
    "issuedTo" : "soar-psn02.cisco.com",
    "issuedBy" : "isecube-node.cisco.com",
    "validFrom" : "Tue Jul 25 09:45:28 EDT 2023",
    "expirationDate" : "Tue Jul 23 09:45:28 EDT 2024",
    "usedBy" : "Not in use",
    "keySize" : 4096,
    "groupTag" : "",
    "selfSigned" : false,
    "signatureAlgorithm" : "SHA256withRSA",
    "portalsUsingTheTag" : "",
    "sha256Fingerprint" : "d279477c957eb2fbfcb03f446e7d75891a558a0e0a157cb39a13d2455138e0a2",
    "link" : {
      "rel" : "self",
      "href" : "https://ise.example.org/api/v1/certs/system-certificate/soar-psn02/b16f7d74-433e-4603-8d27-6cd1f1b6bc81",
      "type" : "application/json"
    }
  } ],
  "nextPage" : null,
  "previousPage" : null,
  "version" : "1.0.1"
}
```

The returned "id" is "b16f7d74-433e-4603-8d27-6cd1f1b6bc81".

Then use this "id" in the system certificate export API call, without hostName:

```
curl -vvv --insecure \
  -H 'Accept: application/json' \
  -H 'Content-type: application/json' \
  -u 'apiuser:XXXXXXXXXX' \
  -d '{
    "id": "b16f7d74-433e-4603-8d27-6cd1f1b6bc81",
    "password": "Cisco123",
    "export": "CERTIFICATE_WITH_PRIVATE_KEY"
  }' \
  https://ise.example.org/api/v1/certs/system-certificate/export
> POST /api/v1/certs/system-certificate/export HTTP/1.1
> Host: ise.example.org
> Authorization: Basic XXXXXXXXXX
> User-Agent: curl/8.1.2
> Accept: application/json
> Content-type: application/json
> Content-Length: 128
>

< HTTP/1.1 400
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: JSESSIONIDSSO=29C6ED7EBF6FB552B6619AF5930CC05E; Path=/; Secure; HttpOnly
< Set-Cookie: APPSESSIONID=AAE51B9E582C3D07609B54B3504B366C; Path=/api; Secure; HttpOnly
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Request-ID: c5733ea0-34a0-11ee-a837-7ea51f4e70b7
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< X-XSS-Protection: 1; mode=block
< vary: accept-encoding
< Date: Sun, 06 Aug 2023 21:32:40 GMT
< Server:
<
{
  "status" : "Fail",
  "message" : "HostName should not be null"
}
```

ISE 3.2 returns HTTP 400 because the hostName field is required.

Send the request as per the OpenAPI spec from the ISE 3.2 node, including the hostName field:

```
curl -vvv --insecure \
  -H 'Accept: application/json' \
  -H 'Content-type: application/json' \
  -u 'apiuser:XXXXXXXXXX' \
  -d '{
    "hostName": "soar-psn02",
    "id": "b16f7d74-433e-4603-8d27-6cd1f1b6bc81",
    "password": "Cisco123",
    "export": "CERTIFICATE_WITH_PRIVATE_KEY"
  }' \
  https://ise.example.org/api/v1/certs/system-certificate/export --output exported_file.zip
> POST /api/v1/certs/system-certificate/export HTTP/1.1
> Host: ise.example.org
> Authorization: Basic XXXXXXXXXX
> User-Agent: curl/8.1.2
> Accept: application/json
> Content-type: application/json
> Content-Length: 158
>

< HTTP/1.1 200
< Content-Type: application/octet-stream
< Content-Length: 6110
< Connection: keep-alive
< Set-Cookie: JSESSIONIDSSO=39E9B68ECAEF49B10B40A58B7724025F; Path=/; Secure; HttpOnly
< Set-Cookie: APPSESSIONID=7F421E4488BC7C40B51FDAC510D0E0B5; Path=/api; Secure; HttpOnly
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Request-ID: fc65b640-34a0-11ee-a837-7ea51f4e70b7
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< X-WebKit-CSP: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< X-XSS-Protection: 1; mode=block
< Content-Disposition: attachment; filename=certificatefriendlyname.zip
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Accept-Ranges: bytes
< Date: Sun, 06 Aug 2023 21:34:13 GMT
< Server:
<

[6110 bytes data]
```

Environment (please complete the following information):

  • ISE version and patch: ISE 3.2 patch 1
  • Ansible version: ansible [core 2.15.2]
  • ISE collection version: 2.5.13
  • OS version: macOS Ventura 13.5

Additional context

These also need updates:

  • Public documentation: https://developer.cisco.com/docs/identity-services-engine/latest/#!certificate-openapi
  • Public OpenAPI spec: https://pubhub.devnetcloud.com/media/identity-services-engine-api-v1/docs/endpoints/configuration/certificates.yaml
  • ciscoisesdk

chetanph avatar Aug 07 '23 16:08 chetanph
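The two-step flow above (look up the certificate id by friendly name, then POST the export with the hostName that ISE 3.2 now requires), modelled as an added Python example; this is not code from the cisco.ise collection or from the issue author. The sample listing and error body are trimmed copies of the responses shown in the issue, and the helpers deliberately contain no network call so the request-building and response-handling logic runs offline:

```python
import json
from urllib.parse import quote

# Constructed samples: trimmed from the issue's listing response and the 3.2 error body.
SAMPLE_LISTING = {"response": [{"id": "b16f7d74-433e-4603-8d27-6cd1f1b6bc81",
                                "friendlyName": "certificate-friendly-name"}]}
SAMPLE_ERROR = b'{"status" : "Fail", "message" : "HostName should not be null"}'


def list_url(base_url, host_name, friendly_name):
    """Per-node listing URL filtered by friendlyName, as in the issue's first call."""
    return (f"{base_url}/api/v1/certs/system-certificate/{quote(host_name)}"
            f"?filter=friendlyName.EQ.{quote(friendly_name)}")


def find_certificate_id(listing, friendly_name):
    """Pick the certificate id out of a parsed listing response body."""
    for cert in listing.get("response", []):
        if cert.get("friendlyName") == friendly_name:
            return cert["id"]
    raise LookupError(f"no system certificate named {friendly_name!r}")


def build_export_body(host_name, cert_id, password,
                      export="CERTIFICATE_WITH_PRIVATE_KEY"):
    """Body for POST /api/v1/certs/system-certificate/export on ISE 3.2.

    The node answers HTTP 400 'HostName should not be null' when hostName is
    absent, so refuse to build a request it would reject anyway. The password
    protects the exported zip, which holds the private key: supply it from a
    vault or environment variable rather than a literal on the command line.
    """
    if not host_name:
        raise ValueError("hostName is required by ISE 3.2")
    return {"hostName": host_name, "id": cert_id,
            "password": password, "export": export}


def handle_export_response(status, content_type, body):
    """Return the zip bytes on success; surface ISE's JSON error message otherwise."""
    if status == 200 and content_type.startswith("application/octet-stream"):
        return body
    try:
        msg = json.loads(body).get("message", body)
    except (ValueError, AttributeError):
        msg = body
    raise RuntimeError(f"export failed: HTTP {status}: {msg}")
```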

Version 3.2 of Cisco ISE is not currently supported; when 3.2 is supported, this issue will be solved.

bvargasre avatar Aug 10 '23 23:08 bvargasre

Thank you for the update, @bvargasre!

chetanph avatar Aug 11 '23 17:08 chetanph

> Version 3.2 of Cisco ISE is not currently supported; when 3.2 is supported, this issue will be solved.

Is there a project tracker or estimated date for 3.2 support? @bvargasre

netopsengineer avatar Oct 21 '23 05:10 netopsengineer

Hi @chetanph, the new version of ansible-ise 2.9.3 is now available; try with this new version. I'm going to close this issue; in case the problem persists, feel free to reopen it or create a new one. Regards

bvargasre avatar Aug 06 '24 18:08 bvargasre