1 Reply Latest reply on Aug 6, 2018 2:06 PM by gregor

    Connection Problem using PI-Web-API-Python package

    Andrew_Li

      Hi all,

      I am a new user of osisoft pi-server and I'm currently facing a connection problem.

       

      I've tried using PI-Web-API-Python package(GitHub - osimloeff/PI-Web-API-Client-Python: PI Web API client library for Python generated using the Swagger specificat… ) to connect the "https://devdata.osisoft.com/piwebapi" server, and it was success.

      baseUrl="https://devdata.osisoft.com/piwebapi"
      client = PIWebApiClient(
          baseUrl=baseUrl,
          useKerberos=False,
          username=username,
          password=password,
          verifySsl=True
      )
      client.home.get()
      
      
      

       

      However, I couldn't connect my customer's server when I tried to connect my customer's server with the same code on both Windows7 and MacOS.

      There had some result I got such as the following:

       

      • 1.  Couldn't connect the server via ssl verification.

           I got a SSLerror because the self signed certificate on both Windows7 and MacOS operating system.

      client = PIWebApiClient(
          baseUrl=baseUrl,
          useKerberos=False,
          username=username,
          password=password,
          verifySsl=True
      )
      
      

       

      2. Couldn't connect the server when I turn off the ssl verification

          I got the 401 error when I turned off the the ssl verification on both Windows7 and MacOS operating system.

      client = PIWebApiClient(
          baseUrl=baseUrl,
          useKerberos=False,
          username=username,
          password=password,
          verifySsl=False
      )
      
      

       

      3. Got the KerberosExchangeError when I turn on the Kerberos verification on Windows7.

          Finally, I got some different error from the server.

          I got the KerberosExchangeError(as the attachments: windows_error_msg_use_kerberos.txt) which I had no clue on Windows7.

      KerberosExchangeError: authGSSClientStep() failed: ('SSPI: InitializeSecurityContext: �����εL�k�F�쪺���w�ؼ�\r\n',)

      client = PIWebApiClient(
          baseUrl=baseUrl,
          useKerberos=True,
          username=username,
          password=password,
          verifySsl=False
      )
      
      

         P.S. I could connect to the server and be able to get the data from server when I use R package(GitHub - osimloeff/PI-Web-API-Client-R: PI Web API R package which is REST client library to get PI data through PI Web … ) on Windows7.

      useKerberos <- TRUE
      username <- username
      password <- password
      validateSSL <- FALSE
      debug <- TRUE
      piWebApiService <- piwebapi$new(baseUrl, useKerberos, username, password, validateSSL, debug)
      response1 = piWebApiService$home$get()
      
      

       

      4. Got the other KerberosExchangeError when I turn on the Kerberos verification on MacOS.

          I got the KerberosExchangeError(as the attachments: mac_error_msg_use_kerberos.txt) which I had no clue on Windows7.

      KerberosExchangeError: authGSSClientStep() failed: ((' Miscellaneous failure (see text)', 851968), ('No credentials cache file found', -1765328189))

      client = PIWebApiClient(
          baseUrl=baseUrl,
          useKerberos=True,
          username=username,
          password=password,
          verifySsl=False
      )
      
      

       

      Eventually, I will setup a service on CentOS7, and I have to connect my customer's server(as I described previously...) periodically.

       

      May I get some help or hints from anyone?

      Such as How can I connect this server via self-signed ssl or via Kerberos protocol?

      How can I add the certification to my CentOS operating system?

       

      I really want to go through this situation......

        • Re: Connection Problem using PI-Web-API-Python package
          gregor

          Andrew Li wrote:

           

          May I get some help or hints from anyone?

           

          Yes!

           

          Andrew Li wrote:

           

           

          Such as How can I connect this server via self-signed ssl or via Kerberos protocol?

           

          No matter what authentication method you use, the recommendation is to import the self-signed certificate and to trust it. This definitely helps to reduce the trouble you may run into.

          Probably the easiest option which may however not work on all operating systems is to use a browser and to browse the root URL of PI Web API (https://<YourPIWebAPIHost>/piwebapi). Without having the PI Web API's self-signed certificate imported, you will pretty likely see a security warning. Selecting the warning should give you more details including an option to import the certificate. For Windows OS, the recommendation is to import to the Trusted Root Certificate store.

           

          Kerberos authentication is an option within Windows Domains. It may not be a valid option across different Windows domains without domain trusts, if the OS does not support Windows domains and / or Kerberos. In some cases, e.g. if a PI Web API client is not member of the Domain the PI Web API host belongs to, authentication may fall back to NTLM which usually manifests by the user being prompted for credentials like with Basic authentication even the PI Web API instance is configured for Kerberos.

           

          Windows Event Viewer on the PI Web API host can be used to verify which authentication was used or why an attempt may have failed. First make sure "Show Analytic and Debug Logs" is enabled.

           

          Browse Application and Service Logs -> PI Web API and enable the Debug log (You get available options by right-click). Now attempt a query against PI Web API. A successful Kerberos authentication request looks as follows (but with user and Host / Computer information which I removed).

           

          When creating applications against PI Web API, you may also run into issues with Cross Origin Resource Sharing (CORS) Cross-Site Request Forgery (CSRF) Defense. Not only for this reason, you should test GET requests in a browser first. For other HTTP methods like POST, PUT, PATCH  or DELETE, you can use a client tool like Postman.

           

          Andrew Li wrote:

           

           

          How can I add the certification to my CentOS operating system?

           

          Well, you usually find good information in the Internet for questions like "CENTOS7 how to trust a self-signed certificate".

           

          Please consider running through the exercises of the Programming in PI Web API online course before you continue looking into using any PI Web API client library. To avoid misunderstandings, the libraries Marcos created are very useful but you should become familiar with the basics first.

          1 of 1 people found this helpful