daphnissov
Immortal
Immortal

REST call error found inside VRASNRequestUtil.getTemplateViaRest: Method failed: with code: 403 - Forbidden username/password combo

Trying to get ServiceNow integration to work with vRA. It's able to pull in catalog items, services, and other things, but requests always fail with the above message citing the correct ID of the catalog item. SR is open for this (16318323512) but we're looking for engineering assistance here since the configuration steps in the document were followed multiple times, and a test SNOW instance cloned and rebuilt multiple times.

0 Kudos
17 Replies
admin
Immortal
Immortal

Was the request submitted to vRA, or did you get the error without seeing the request in vRA.

0 Kudos
daphnissov
Immortal
Immortal

That is the error message we get (minus the API address with the content ID for the blueprint) inside SNOW when submitting a request for an item. There are no errors found within vRA either in the GUI, or in either the access log or catalina.out. The integration user configured in SNOW has full permissions into this tenant (a user tenant, not default tenant vsphere.local) including business group manager, tenant admin, IaaS admin, and every other role imaginable. The integration user can submit requests fine within vRA directly, and can also make the same API call for a catalog item successfully outside of SNOW. We also see the same type of message (HTTP 403 or 401) when trying to list available actions on an item. All instructions were followed in the documentation as close as possible. I'll also note that SNOW discovers services and catalog items, as well as resources provisioned outside of SNOW, perfectly fine.

0 Kudos
admin
Immortal
Immortal

More questions:

Do you get this error when requesting other catalog items?  I want to understand if the issue is specific to this catalog item or not.  If it is specific to this catalog item, please provide details around the blueprint setup.

As for the actions error, what actions does the user see in vRA on this resource? 

Also can you clarify that you are using 7.2? The SR that was closed was logged with 6.x as the product.

0 Kudos
daphnissov
Immortal
Immortal

This error is seen when requesting *any* catalog items. The user attempting to provision through SNOW and use actions has entitlements to every possible action. There are no restrictions of any sort on what the integration user can do inside vRA. The support engineer must have incorrectly identified this version as 6.x. We are using a minimal install of 7.2.

0 Kudos
admin
Immortal
Immortal

Adding in the steps i provided via email you said you run and has not fixed the errors.  I need to ask around internally what else to try.

I suggest trying the following as the system admin:

Go to Integration - vRealize Automation -> Properties

Click on AuthToken

Clear the Value field and Update

Go to Scheduled Imports and Execute the AuthGenerator scheduled import

If you check the property you will see that it has been updated.

Check if there is any error.

Go back to Properties

Click on ServiceAsCategoriesImportLastRunTime

Clear the Value field and Update

Go to Scheduled Imports and Execute the ImportServicesAsCategories scheduled import

Wait for it to finish processing in Scheduled Import Queues.  If you check the property you will see that it has been updated.

Check if you get the error.

Go back to Properties

Click on CatalogImportLastRuntime

Clear the Value field and Update

Go to Scheduled Imports and Execute the ImportCatalogItems scheduled import

Wait for it to finish processing in Scheduled Import Queues.  If you check the property you will see that it has been updated.

Check if you get the error.

0 Kudos
admin
Immortal
Immortal

We have reproduced this 403 error on resources when no actions are retrieved.  We believe it is related to using a non-default tenant and the redirection to the non-default tenant instead of the tenant specified.  I will update again on Monday once we have done further investigations.

0 Kudos
admin
Immortal
Immortal

We have a fix.  We will provide new fuji and helsinki plugins as this issue will impact all customers using non-default vRA tenants.  Once we have built, tested, and documented the changes, we will upload the new plugins and docs to solutions exchange.  Ill keep updating here on the progress.

daphnissov
Immortal
Immortal

Thanks, Michael. Could you also list any steps as necessary to upgrade from the 1.0 release?

0 Kudos
admin
Immortal
Immortal

Instead of upgrading from the 1.0 release, i recommend starting clean with a new plugin containing this fix.  If you can't start clean and need to upgrade, i will need to work this out with the team.

0 Kudos
daphnissov
Immortal
Immortal

Then can you provide any uninstallation steps if an upgrade isn't possible? I'm not that concerned about us specifically, but more speaking for others who may not have the ability to start clean if they've already installed this in a production SNOW instance.

0 Kudos
admin
Immortal
Immortal

Generally speaking we would upgrade by installing an update set on top of the v1 plugin.  This fix is not a standard fix in that it has required changes to the client registration and user authentication steps for non-default tenants.  Upgrading should be possible, but it's best for us to work on clean installs for this issue before an upgrade path since we are not aware of any customers with this issue in production.  If a customer is in production we would look at the upgrade path.  For this fix, the recommended order would be starting clean before upgrading before uninstalling.

0 Kudos
admin
Immortal
Immortal

We are aiming to have new plugins and an updated install guide on solutions exchange by the end of next week.

0 Kudos
jstander
Enthusiast
Enthusiast

Thank you Michael,

Please let us know the day it gets released.

0 Kudos
jstander
Enthusiast
Enthusiast

Hi Michael,

Any update on the new release?

Regards,

0 Kudos
admin
Immortal
Immortal

We have new plugins with the non-default tenant fix verified as well as a new configuration guide ready to be uploaded to solutions exchange.  I will update you again once uploaded.

0 Kudos
admin
Immortal
Immortal

The new Fuji and Helsinki plugins and an updated Configurations guide are now available on solutions exchange:

https://solutionexchange.vmware.com/store/products/vmware-vrealize-automation-plug-in-for-itsm

The Configurations guide can be downloaded from the Resources tab, or with the plugins after clicking the Try button.  The release date for the new plugins and configuration guide is 2017-01-18.

Thanks for your patience..

0 Kudos
oconnorp
VMware Employee
VMware Employee

Hello, The new Plugin was released on 01/18/2017. https://my.vmware.com/group/vmware/get-download?downloadGroup=VRA_ITSM_PLUGIN_100

The version stayed the same with the only additional change is to support a non-default instead of default tre.

Note this section in the new guide:

To register the plug-in, you must provide user credentials to authenticate to vRealize Automation. If you

plan to use the vsphere.local tenant, you can use the administrator from the vsphere.local tenant. Set

administrator as the username in the Register the Plug-in as a vRealize Automation OAuth 2.0 client dialog.

A second option, described in the procedure that follows, as the system admin, is to set up a user with local

user and tenant admin roles within your tenant and provide these user credentials. This option registers the

ServiceNow plug-in only in the specified tenant. Providing the same tenant is set in Basic Configurations,

this tenant is configured for the end users.