Get information via PowerShell and Icinga Director API

I am trying to get information via the Icinga Director API with PowerShell.
Does anyone have any idea how I can solve the problem(s)?

Here is my code:
```powershell
# API URL
[string]$DirectorUrl = "https://icingaserver.here.local/icingaweb2/director"

$directorUser = "user"
$directorPass = "password"

# Convert credentials to Base64 for the URL header
$bytes = [System.Text.Encoding]::UTF8.GetBytes(('{0}:{1}' -f $directorUser, $directorPass))
$authorization = 'Basic {0}' -f ([Convert]::ToBase64String($bytes))

# Create a new header
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

# Add converted Authorization
$headers.Add("Authorization", "$authorization")
# Add application type
$headers.Add('Accept', 'application/json')

# RestMethod
Invoke-RestMethod -Method GET -Headers $headers -Uri "$DirectorUrl/host?name=CLIENT01.here.local"
```

If I use a non-admin PowerShell I get the following result:
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

If I use a PowerShell with admin privileges I get the following result:
Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.

I have tested the credentials with “RESTED”, a Firefox extension.

Hi,
I’m not really familiar with PowerShell so I can’t give you a special hint for this.
But maybe the source code of the “Icinga 2 Powershell Module” helps you to find some ideas for this.

Add this somewhere before the connection and try again:

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
```

This only allows TLS 1.2 for your script. Microsoft has not configured TLS 1.2 to be enabled by default.

Btw. for some reason I needed the “Convert credential” thing on one of my installations. It normally works with the Invoke-RestMethod -Credential switch too, without the conversion.

Example:

```powershell
Invoke-RestMethod -Method Get -Headers $headers -Uri "$BaseURL/host`?name=myhostname" -Credential $Credential
```

I changed my script and the SSL/TLS error is no longer present, but I get the message “Invoke-RestMethod : The remote server returned an error: (401) Unauthorized.”

```powershell
# Enable TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# API URL
[string]$DirectorUrl = "https://icingaserver.here.local/icingaweb2/director"

$directorUser = "user"
$directorPass = "password"

# Create credentials object
$password = ConvertTo-SecureString $directorPass -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($directorUser, $password)

# Create a new header
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

# Add application type
$headers.Add('Accept', 'application/json')

# RestMethod
Invoke-RestMethod -Method GET -Headers $headers -Uri "$DirectorUrl/host?name=CLIENT01.here.local" -Credential $credential

# Output credential (debugging only: the second line prints the password in clear text)
$credential.GetNetworkCredential()
$credential.GetNetworkCredential().Password
```

I would say that this is correct. Did you use an icingaweb2 user or an API user?

Edit: my fault, I hadn’t seen that you tested the credentials :)
Have you tried the same with your first script?
Very special chars in the password?

I used the user I had created in /etc/icinga2/conf.d/api-users.conf

```
object ApiUser "user" {
  password = "password"
  permissions = [ "*" ]
}
```

I have tried the first script with the additional line.
I am trying it in our staging environment, and have a password with no special chars.

That’s an icinga2 API user; you need to use an icingaweb2 user with director/api access.

Thanks for your help, that’s what it was.

Solution:
I created a user under IcingaWeb2 → configuration → authentication → user → “Create new user”.

After that I created a new role under IcingaWeb2 → configuration → authentication → Roles → “Create new role” and in the module “director” I added the rights “General Module Access” and “director/*”. I added the user “user” to the role.

This gave me a correctly configured user for working with the Icinga Director API.

Then I wrote a script that creates the BasicAuthToken so that I can use it in the API script and the username and password are not visible in the API script.

```powershell
# Step 0. Set user and password
$username = "user"
$password = "pass"

# Step 1. Create a username:password pair
$credPair = "$($username):$($password)"

# Step 2. Encode the pair to a Base64 string
$encodedCredentials = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($credPair))

# Step 3. Write-Output the BasicAuth string
Write-Output $encodedCredentials
```

Now that I have a working user, I have built a simple script for testing. It looks like this:

```powershell
# Enable TLS 1.2 - is disabled by default
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"

$headers.Add("Accept", "application/json")

$headers.Add("Authorization", "Basic PasteBasicAuthStringhere")

$response = Invoke-RestMethod 'https://icingaserver.here.local/icingaweb2/director/host?name=CLIENT01.here.local' -Method 'GET' -Headers $headers

$response | ConvertTo-Json
```

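Added example, not part of the original posts: a Basic auth token is only the Base64 encoding of `user:password`, so a token pasted into a script exposes the same secret as the plain values. The code below decodes a constructed token to show this, then builds the header at run time from a credential saved with `Export-Clixml` (DPAPI-protected on Windows); the function names and the `director.cred.xml` path are assumptions, while the URL and host name are the ones used in the thread.

```powershell
function ConvertFrom-BasicAuthToken {
    # Decodes a Basic auth token back to "user:password": it is an encoding, not encryption.
    param([Parameter(Mandatory)][string]$Token)
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Token))
}

function New-DirectorAuthHeader {
    # Builds the request headers in memory from a PSCredential; nothing is written to disk.
    param([Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential)
    $net  = $Credential.GetNetworkCredential()
    $pair = '{0}:{1}' -f $net.UserName, $net.Password
    $b64  = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair))
    @{ Accept = 'application/json'; Authorization = "Basic $b64" }
}

function Get-DirectorHost {
    # Queries the Director API for one host object, as in the thread's test script.
    param(
        [Parameter(Mandatory)][string]$DirectorUrl,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $uri = '{0}/host?name={1}' -f $DirectorUrl.TrimEnd('/'), [uri]::EscapeDataString($HostName)
    Invoke-RestMethod -Method Get -Uri $uri -Headers (New-DirectorAuthHeader -Credential $Credential)
}

# Constructed sample: the token the generator script above prints for "user" / "pass".
$sampleToken = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes('user:pass'))
ConvertFrom-BasicAuthToken -Token $sampleToken

# One-time setup on Windows, run as the account that will execute the script:
#   Get-Credential | Export-Clixml -Path "$env:USERPROFILE\director.cred.xml"
# The password in that file is encrypted with DPAPI for this user on this machine.
$credPath = Join-Path $env:USERPROFILE 'director.cred.xml'   # hypothetical path
if (Test-Path $credPath) {
    $cred = Import-Clixml -Path $credPath
    Get-DirectorHost -DirectorUrl 'https://icingaserver.here.local/icingaweb2/director' `
                     -HostName 'CLIENT01.here.local' -Credential $cred | ConvertTo-Json
}
```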