API troubles


Matthew Halder

Aug 23, 2016, 12:04:59 PM
to keywhiz-users
I can't seem to get the example API interaction to succeed.  Creating the "requests.json" file in the docs and then running this command:
curl --cert /usr/local/keywhiz//server/src/test/resources/clients/client.p12:ponies -H "Content-Type:application/json" -d @request.json https://localhost:4444/automation/secrets/

as either a normal user or as root yields the same results.  `curl: (58) unable to use client certificate (no key found or wrong pass phrase?)`
I've verified that the password is correct via keytool and that port 4444 is listening on the server.  Went a bit further and tested some of the other API URIs that are listed on https://square.github.io/keywhiz/apidocs/ but it's definitely a cannot-find-or-read-the-cert issue.  Tried some of the usual suspects such as mailing list, stackoverflow, and linuxquestion.org.  Not having much success in using the API.  Any guidance?  Do I need to somehow enable the API through the "automationAllowed=true in the clients DB table" part of the docs?

Thanks,

Matt

Matthew McPherrin

Aug 23, 2016, 12:20:47 PM
to Matthew Halder, keywhiz-users

That error message is from `curl`; nothing to do with keywhiz.

Are you on Linux? I think curl needs pem files if it's built with openssl.  If you're on mac, it supports p12 only. 


--
You received this message because you are subscribed to the Google Groups "keywhiz-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keywhiz-users+unsubscribe@googlegroups.com.
To post to this group, send email to keywhi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keywhiz-users/bfd4eb4a-5ab4-45a8-8d2f-00688d4eff44%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Matthew Halder

Aug 23, 2016, 2:12:47 PM
to keywhiz-users, mha...@pingidentity.com
Ok, I was using OSX, but that appears to require adding the p12 to the keystore (haven't done or tested this yet, so it's just conjecture).  So I moved over to using the working keywhiz-fs with a PEM cert on an Ubuntu server.  I'm now getting "HTTP Error 403; Problem accessing /automation/secrets; Reason: Forbidden" (tried automation/secrets and automation/v2/secrets with the same results).  Is there any specific group or setting I need to do on the server to allow the PEM cert access to the API?

Thanks,

Matt



Matthew McPherrin

Aug 23, 2016, 4:09:06 PM
to Matthew Halder, keywhiz-users
The query you want to run is 

update clients set automationallowed=1 where name='client';

(substitute the name of your client as appropriate)

The easiest way to fiddle with H2 by hand is to get the H2 jar and use its web admin page, see http://www.h2database.com/html/quickstart.html



On Tue, Aug 23, 2016 at 12:15 PM, Matthew Halder <mha...@pingidentity.com> wrote:
Do I need to build the API portion with Maven?  Any quick ways to add this to an H2 database?  Struggling to view the info in H2, and my SQL knowledge is pretty weak.

On Tue, Aug 23, 2016 at 12:19 PM, Matthew McPherrin <m...@squareup.com> wrote:
OK.  So a 403 on automation probably means you need to set automationenabled = 1 in MySQL for the client you're using.  I don't think we've got an API exposed for that (there's an open GitHub issue, but it's just been low priority for us).





--
Ping Identity
Matthew Halder
Security Operations Engineer
mha...@pingidentity.com
w: +1 720.390.3421
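Both fixes from the thread in one script, as an added example (not code from the thread or from the Keywhiz project): splitting the .p12 into the PEM cert and key that an OpenSSL-built curl wants, and reading the HTTP status of an automation call so a 403 (client row still has automationAllowed=0) is not confused with curl's exit-58 certificate error. Function names, output file names and the optional CA argument are this example's own; the password "ponies" and the client.p12 path come from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Keywhiz. Splits client.p12
# into the PEM cert and key that an OpenSSL-built curl expects, then reports
# the HTTP status of an automation call so a 403 (client row still has
# automationAllowed=0) is not confused with curl's exit-58 certificate error.
# Function names, file names and the optional CA argument are this example's
# own; the password "ponies" and the client.p12 path come from the thread.

# usage: p12_to_pem BUNDLE.p12 PASSWORD OUTDIR
# Writes OUTDIR/client.pem (certificate) and OUTDIR/client-key.pem
# (unencrypted private key, mode 0600) and checks that the two match.
p12_to_pem() {
  bundle="$1"; pass="$2"; out="$3"
  mkdir -p "$out" || return 1
  openssl pkcs12 -in "$bundle" -passin "pass:$pass" -clcerts -nokeys \
    -out "$out/client.pem" 2>/dev/null || return 1
  # subshell so the restrictive umask does not leak into the caller's shell
  ( umask 077 && openssl pkcs12 -in "$bundle" -passin "pass:$pass" \
      -nocerts -nodes -out "$out/client-key.pem" 2>/dev/null ) || return 1
  [ "$(openssl x509 -in "$out/client.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$out/client-key.pem" -pubout)" ]
}

# usage: keywhiz_status OUTDIR URL [CA.pem]  -> prints the HTTP status code
# Uses the PEM pair from p12_to_pem; CA.pem is the server's CA, needed when
# the Keywhiz server certificate is not trusted by the system store.
keywhiz_status() {
  out="$1"; url="$2"; ca="$3"
  if [ -n "$ca" ]; then set -- --cacert "$ca"; else set --; fi
  curl -s -o /dev/null -w '%{http_code}' "$@" \
    --cert "$out/client.pem" --key "$out/client-key.pem" \
    -H 'Content-Type: application/json' "$url"
}

# Map the status code onto the next step discussed in the thread.
explain_status() {
  case "$1" in
    2*)  echo "ok" ;;
    403) echo "forbidden: set automationAllowed=1 for this client in the clients table" ;;
    000) echo "no HTTP response: TLS or certificate problem, or nothing on the port" ;;
    *)   echo "unexpected HTTP $1" ;;
  esac
}

# Example run against a local server (not executed by this script):
# p12_to_pem /usr/local/keywhiz//server/src/test/resources/clients/client.p12 ponies ./pem
# explain_status "$(keywhiz_status ./pem https://localhost:4444/automation/secrets/)"
```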
