Authentication Failed: Invalid PCE URL or API Key Id or API Secret
Symptom: When applying data inputs in Splunk for the Illumio App for Splunk, you receive the following error from the Splunk UI: “Authentication Failed: Invalid PEC URL or API key id or API Secret.”
 |
The error also appears in the /opt/splunk/var/log/TA-Illumio/ta-illumio.log file.
Cause: This error is caused by an authentication issue to the Policy Compute Engine (PCE). When this occurs, data inputs will not be saved until a valid API response is received from the PCE with the correct API Authentication username and API secret.
Fix: To validate an authentication failure, look at the PCE core node haproxy logs, which will show a 401 auth failure HTTP response (highlighted in yellow in the example below):
To see whether the API username/secret is correct, use the cURL command below and validate it with the logs from PCE core nodes:
Copy and paste the curl command below with the correct API username/secret:
- - - Begin copy (change api username/secret) - - -
curl \
-u \
api_1f1ec61c67e853576:2a0bfa6e81965e27a6ce668df8b3022c051b7a6c6b
0868c5df4b94035562f05b
\-H Content-Type:application/json \
-X GET \
'https://pcecore0.domain.com:8443/api/v1//product_version/' \
| python -mjson.tool
- - - End copy - - -
Successful curl request logs from PCE core nodes with 200 http response code:
Mar 11 11:45:44 level=info host=core0.domain.com
program=illumio_pce/agent[23340]: sec=329944.610 sev=INFO
pid=23408 tid=24064620 rid=063accb6-7036-46f0-96a1-8726f14436ea
XStarted GET /api/v1/product_version/ 10.6.7.40
Mar 11 11:45:44 level=info host=core0.domain.com
program=illumio_pce/agent[23340]: sec=329944.734 sev=INFO
pid=23408 tid=24064620 rid=063accb6-7036-46f0-96a1-8726f14436ea
XCompleted 200 GET /api/v1/product_version/ 10.6.7.40
0.124496975
Mar 11 11:45:44 level=info host=core0.domain.com
program=haproxy[2624]: 10.6.7.40:56446
11/Mar/2019:11:45:43.966]
https~ agent/agent0 643/0/0/126/769 200 442 - - ---- 2/2/0/1/0
0/0 {115|keep-alive} "GET /api/v1//product_version/ HTTP/1.1"
On the Splunk server, a successful request will allow the data inputs to be saved without any errors in the PCE web console or the /opt/splunk/var/log/TA-Illumio/ta-illumio.log file. Tail the ta-illumio.log when configuring the data inputs to see the latest logs. Enabling and disabling the data inputs will trigger the request to the PCE, which is a good way to test it.
The data input information should be saved in the location below without the API username/password:
/opt/splunk/etc/apps/IllumioAppforSplunk/local/inputs.conf [illumio://knpce1] api_key_id = api_secret = cnt_port_scan = 10 enable_data_collection = Enabled interval = 3600 pce_url = https://pce.domain.com:8443 port_number = 514 self_signed_cert_path = /opt/splunk/custom_certificate.cer time_interval_port = 60 disabled = 0